Good Always Comes Out of Bad

Published: 2008-06-28
Last Updated: 2008-06-28 20:12:37 UTC
by Lorna Hutcheson (Version: 1)

In the past couple of days, reports have surfaced of the hijacking of the domains for ICANN and IANA, attributed to the group NetDevilz.  According to news articles, an ICANN spokesman stated they were unaware of the events.  The total time for the redirection before the entry was corrected was about twenty minutes.  However, it will take 24 to 48 hours after the correction for all the DNS entries to be updated.  In that time, users were redirected to a site that stated the following:

“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”

As far as I have found, how the DNS entries came to be changed has not been disclosed.  Dancho Danchev's blog shows the updated registration records; note the email address in the entry, "foricann1230@gmail.com", and the update date of June 26.  Regardless of how it happened (though I'm sure everyone would like to know), there is a big concern here.  Nothing on the Internet is safe, and if this can happen to these folks, it can happen to anyone.

It is events such as this that make me more determined to stay a hard-nose when it comes to security and protecting the organization I am supporting.  These events actually do have good that comes out of them.  I always print out these articles, take a screenshot of the article, and save it to a file with the URL of where I got it.  I can then add them to a presentation, use them as hand-outs during a presentation, or simply highlight key points and discuss them with the group.  It is very useful to show management that the threat is real and we can't let our guard down.  Managers and users alike often don't understand security, the threats, how they work, and the dangers that are lurking on the Internet.  It's hard for management to understand why your security officer sounds like a paranoid lunatic and wants more money for security :>)  Doing this has really helped me get their attention and justify the funding to shore up weak points in our security posture.

So, take advantage of events that get high publicity such as these: include them in reports to your management and use them to help educate people.  Even though the bad guys may have gained an inch, let's use it against them to gain a mile in the world of security.  We can do this by learning from it, using it to increase awareness, and moving our own security posture forward.
 


Another Call for Packets - Port 502

Published: 2008-06-28
Last Updated: 2008-06-28 20:12:07 UTC
by Lorna Hutcheson (Version: 1)

Usually I don't have two calls for packets on a shift, but this one definitely bears looking into, and hopefully we can find an answer.  Looking at the targets, there is an increase on port 502 that started today.  Until today, life had been pretty quiet on that port.  Port 502 is a well-known port when dealing with SCADA systems.  According to an article on SCADA honeynets, "Modbus TCP on port 502 is a widely used, standard SCADA protocol in PLC’s and other field devices that monitor sensors and control instruments."

If you have packets, logs or ideas on this increase, please send them into us.


Call for Packets - Port 19905

Published: 2008-06-28
Last Updated: 2008-06-28 17:24:17 UTC
by Lorna Hutcheson (Version: 1)

One of the things I like to check while on duty is the trend reports, which focus on changes in port activity.  Looking at them today, I noticed a sharp increase in both sources and targets for port 19905.  Generally, target increases alone don't bother me too much; they can be attributed to many different things.  But with both sources and targets increasing over the past few days for this port, it has me curious.  An increase in both sources and targets can be an indicator of an infection of some sort.  If you have any ideas about this, or any packet captures, please send them our way.
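Both calls for packets above rest on the same observation: a port where only the targets rise usually means one host sweeping, while a port where distinct sources and distinct targets both rise suggests something spreading. As an added example, not from the diary and not from DShield's own trend reports, the Python below parses constructed firewall deny lines, counts distinct sources and targets per destination port per day, and flags ports where the latest day's counts jumped against the average of the prior days. The log format, hosts, dates and thresholds are all constructed; 502 and 19905 are used because they are the ports under discussion, and port 502 deserves the extra attention because Modbus/TCP carries no authentication of its own.

```python
"""Flag destination ports whose distinct-source AND distinct-target counts both
jumped on the latest day, and separate that from a targets-only rise."""
from __future__ import annotations
from collections import defaultdict
from statistics import mean
import re

# Constructed line format: "<date> DENY <src> -> <dst> dpt=<port>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) -> (\S+) dpt=(\d+)$")

def _lines(day: str, srcs: list[str], dsts: list[str], port: int) -> list[str]:
    """Constructed deny lines: every listed source hits every listed target."""
    return [f"{day} DENY {s} -> {d} dpt={port}" for s in srcs for d in dsts]

def _hosts(prefix: str, n: int) -> list[str]:
    return [f"{prefix}.{i}" for i in range(1, n + 1)]

# Constructed sample log (not real traffic): three quiet days, then 2008-06-28.
SAMPLE_LOG: list[str] = []
for day in ("2008-06-25", "2008-06-26", "2008-06-27"):
    SAMPLE_LOG += _lines(day, _hosts("10.1.1", 1), _hosts("192.0.2", 2), 502)
    SAMPLE_LOG += _lines(day, _hosts("10.2.2", 2), _hosts("192.0.2", 2), 19905)
    SAMPLE_LOG += _lines(day, _hosts("10.3.3", 1), _hosts("192.0.2", 2), 445)
    SAMPLE_LOG += _lines(day, _hosts("10.4.4", 3), _hosts("192.0.2", 3), 80)
SAMPLE_LOG += _lines("2008-06-28", _hosts("10.1.1", 6), _hosts("192.0.2", 8), 502)    # both rise
SAMPLE_LOG += _lines("2008-06-28", _hosts("10.2.2", 6), _hosts("192.0.2", 9), 19905)  # both rise
SAMPLE_LOG += _lines("2008-06-28", _hosts("10.3.3", 1), _hosts("192.0.2", 10), 445)   # one host sweeping
SAMPLE_LOG += _lines("2008-06-28", _hosts("10.4.4", 3), _hosts("192.0.2", 3), 80)     # steady

def daily_counts(lines: list[str]) -> dict[int, dict[str, tuple[int, int]]]:
    """port -> day -> (distinct sources, distinct targets), skipping unparsable lines."""
    seen = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        day, src, dst, port = m.groups()
        srcs, dsts = seen[int(port)][day]
        srcs.add(src)
        dsts.add(dst)
    return {p: {d: (len(s), len(t)) for d, (s, t) in days.items()} for p, days in seen.items()}

def flag_ports(counts: dict, last_day: str, factor: float = 3.0, min_last: int = 5) -> dict:
    """Compare last_day with the mean of earlier days; a dimension 'rose' when it is
    at least factor times its baseline and at least min_last hosts in absolute terms."""
    report = {}
    for port, days in counts.items():
        if last_day not in days:
            continue
        prior = [v for d, v in days.items() if d < last_day]   # ISO dates sort as strings
        base_src = mean(v[0] for v in prior) if prior else 0
        base_dst = mean(v[1] for v in prior) if prior else 0
        src, dst = days[last_day]
        src_up = src >= min_last and src >= factor * base_src
        dst_up = dst >= min_last and dst >= factor * base_dst
        verdict = {(True, True): "both", (False, True): "targets-only",
                   (True, False): "sources-only", (False, False): "normal"}[(src_up, dst_up)]
        report[port] = {"sources": src, "targets": dst, "base_sources": base_src,
                        "base_targets": base_dst, "verdict": verdict}
    return report

if __name__ == "__main__":
    for port, r in sorted(flag_ports(daily_counts(SAMPLE_LOG), "2008-06-28").items()):
        print(f"port {port:>5}: sources {r['base_sources']:.1f}->{r['sources']}, "
              f"targets {r['base_targets']:.1f}->{r['targets']}  [{r['verdict']}]")
```

The "both" verdict is the one the diary treats as a possible infection; "targets-only" on 445 in the sample is the single-scanner pattern that, as the diary says, is usually less worrying on its own. The factor and minimum-host thresholds are tuned to the tiny sample; against real firewall or DShield data, use a baseline of a few weeks and consider counting distinct /24s as well as hosts so one noisy subnet does not dominate.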

 

 

