
SANS ISC InfoSec Handlers Diary Blog



Mailbag grab

Published: 2006-08-31
Last Updated: 2006-08-31 23:55:04 UTC
by Swa Frantzen (Version: 3)
0 comment(s)

Security book online

Ryan sent us a link to an on-line book:

Security Engineering: A Guide to Building Dependable Distributed Systems
by Ross Anderson
http://www.cl.cam.ac.uk/~rja14/book.html

But I guess you'll need to come back in a few days before you can get in and download it.
It is a good book well worth reading and I for one really like the attitude of the author.

RFC 1918

Jon sent us traffic to and from 10.x.y.z going over the Internet. It reminded us to filter that traffic away at your borders. There is nothing good such IP addresses (or any other range mentioned in RFC 1918) can do out there. Dropping the traffic in ingress/egress filters is the right thing to do (also for the ISPs involved).
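As an added illustration (not from the diary itself), the ingress/egress check described above applied to a few constructed iptables-style LOG lines: any packet on the Internet-facing interface with an RFC 1918 address as source or destination gets a DROP verdict. The log format and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress
import re

# The three RFC 1918 private blocks. Traffic with one of these as source or
# destination has no business crossing an Internet border in either direction.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the SRC=/DST= fields of an iptables-style LOG line (assumed format).
ADDR_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")

def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def border_verdict(src: str, dst: str) -> str:
    """Ingress/egress decision for a packet seen on the Internet-facing interface."""
    if is_rfc1918(src) or is_rfc1918(dst):
        return "DROP"
    return "ACCEPT"

def audit_log(lines):
    """Return (src, dst, verdict) for each parsable log line, skipping the rest."""
    results = []
    for line in lines:
        m = ADDR_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        results.append((src, dst, border_verdict(src, dst)))
    return results

# Constructed sample lines, as a border router might log packets on its
# external interface (all addresses are from documentation or private ranges).
SAMPLE_LOG = [
    "kernel: BORDER IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP DPT=80",
    "kernel: BORDER IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.5.20 PROTO=UDP DPT=53",
    "kernel: BORDER IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=443",
    "kernel: BORDER IN=eth0 OUT= SRC=172.16.40.1 DST=172.31.255.254 PROTO=ICMP",
    "kernel: BORDER IN=eth0 OUT= SRC=172.32.0.1 DST=198.51.100.7 PROTO=TCP DPT=25",
]

if __name__ == "__main__":
    for src, dst, verdict in audit_log(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

Note that 172.32.0.1 is accepted: it sits just outside 172.16.0.0/12, which is why a prefix-length check rather than a "starts with 172" string match is needed.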

MS06-040

We got a few contacts from Canada, and some clarification regarding the MS06-040 bots might be needed:
  • This is not an isolated issue. Several entities in various geographic locations are being hit.
  • These are not the only such bots. There are many similar bots and it is not trivial to tell them apart unless you actually have the malware and the time to analyse it in detail.
  • In most countries, the Internet is global: packets do not stop for customs or immigration ;-). Since most botnet herders are in it for the money so far, they don't really care about countries either.

Old school virus

Symantec has a writeup of what they call a new worm. The virus copies itself to removable storage. Nice to see an old school virus for a change in this bot infected world.

A good reminder to keep the Anti-Virus software scanning removable media as it is loaded.

Blocked traffic

John wrote in to say he saw attempted traffic from a netblock we suggested blocking a while ago; it looked like it was trying to hammer him with DNS. We don't know what's going on, but it's one of those indications to continue to block them, or at least to carefully watch what they are up to.

--
Swa Frantzen -- Section 66


Keywords: mailbag