BotNets and Security Awareness in Academia; Potpourri of MS04-028 Scanning Tools from MS

Published: 2004-10-16
Last Updated: 2004-10-17 09:11:03 UTC
by Scott Fendley (Version: 1)
0 comment(s)
BotNets and Security Awareness in Academia
For those in Academia (or similarly open networks), I urge you to pay attention to your networks. As Deb mentioned several days ago, and many of the handlers have noted since, botnets are continuing to grow more wide spread. The types of exploits used to gain access do change as we go along, and the complexity of the files used, rootkits deployed, etc etc has also increased. The particular variation of BotNet, I have seen on my campus seems to have used the LSASS vulnerability to gain access to the computers. Many of the tool names seem to be different depending on who and where things are being exploited. As a guess, I would suspect that a framework has been built that any reasonably computer literate user can easily change a few settings, and compile/pack/deploy their own unique set of tools. Several of the handlers are still working on writing a more complete article of the details that will be posted later.
Yeah...I know none of this is news, but it has made me wonder what more can I do beyond intrustion detection,updating AV, firewalling and quarantining off computers that are not patched or otherwise insecure, and whatever remediation seems wise for any particular situation. The one thing I have realized for my campus is that things are not seeming to get any better security wise. The reason...we are not causing our userbase to be more aware of proper security procedures. The technologies the hackers are using have continued to work but we have failed to change from a reactive stance to a proactive one despite expenditures for the above security devices, staff, and initiatives.
This month is Cyber Security Awareness month, so what have you done on your campus to promote Security. I have heard of one University that purchased a number of toothbrushes that had slogans to the effect of "You don't share your toothbrush, why share your passwords?" Such gimics are very good ways for security professionals to start making our students/faculty/staff actually think about what they are doing and raise the amount of awareness. But probably most of us had never thought of such things.
At the Educause conference this week, participants will receive a CD of Security Awareness Resources that was compiled through the efforts of many organizations. If you are in academia and are not at the conference, please make sure that you catch those at your organization bring you a copy of the CD and start considering how you can raise the awareness of your campus. For more details about the CD, please see the following from the Educause security mailing list:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0410&L=security&T=0&F=&S=&P=7202




Potpourri of MS04-028 Scanning Tools from MS



This week, MS released several new or updated tools to help get a handle on the MS04-028 GDI vulnerability from last month. One of the handlers provided a list of them today to include into the diary. As with the previous tools issued by MS, these tools do not appear to detect the existence of third-party software that may have included the DLLs. However, this is a starting point for many corporate technicians to roll out. I would still recommend using the ISC's GDI Scan tools available at
http://isc.sans.org/gdiscan.php in conjunction to these tools to provide the best coverage as possible.


* Enterprise Update Scanning Tool for Bulletin MS04-028

http://www.microsoft.com/downloads/details.aspx?FamilyID=70e1c04d-47e2-4ea6-a638-11ab6ad9bd6e&DisplayLang=en

This tool is a command line scanning tool built for the sole purpose of
helping customers determine systems that may need security updates provided
with the MS04-028 bulletin
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx . Users of
this tool should have experience in deploying software to corporate
environments and with using command line tools. More information on this
tool can be found in the Knowledge Base article 886988 (KB886988)

How to obtain and use the MS04-028 Enterprise Update Scanning Tool in
environments that do not use Systems Management Server
http://support.microsoft.com/?id=886988
* SMS MS04-028 Update Scan Tool

http://www.microsoft.com/downloads/details.aspx?FamilyID=c4745685-9521-4b63-a338-0b3e2dcbf2bb&DisplayLang=en

This tool is a scan tool built for the sole purpose of helping customers
determine SMS client computers that may need security updates provided with
the MS04-028 bulletin. Like MBSA, this tool also has the instructions for
SMS to locate each applicable update and download it from Microsoft.
* Enterprise Logon Scripts

Logon and Group Policy scripts are powerful, flexible tools that system
administrators can use to provide users with a consistent, predictable, and
secure computing experience.
http://www.microsoft.com/downloads/details.aspx?FamilyID=3533b6bb-7ac7-4f42-825f-b122474d9a89&DisplayLang=en
* Sample Scripts for verifying client configuration for VPN Quarantine

http://www.microsoft.com/downloads/details.aspx?FamilyID=a290f2ee-0b55-491e-bc4c-8161671b2462&DisplayLang=en
---

Scott Fendley

Handler on Duty
Keywords:
0 comment(s)

Comments


Diary Archives