General: August 2005 Archives
Brian Tucker's last post to his blog was that he was about to deploy roughly 8000 clients with ITMU (the SMS 2003 Inventory Tool for Microsoft Updates).
What happened with his install, that we have not heard from him since? :o
There is a thread over at Broadband Reports saying that an exploit targeting earlier versions of Firefox is being served up by ad banners seen on sites like theonion.com.
I saw this link over at TaoSecurity. It is an account of Distributed Denial of Service attacks on a gambling site and the efforts to stop them.
Earlier today SANS put out information that the Zotob worm uses null sessions, and that null sessions could be enabled on Windows 2003 when Exchange and SQL are installed. They said this put those servers at risk of infection.
This went against their earlier advice that Windows 2003 was not vulnerable. As a result, we declared emergency downtime for tonight to patch the Windows 2003 servers. (The 2000 servers had been done during emergency downtime on Sunday.)
Well, as it turns out, we have a correction. Microsoft has updated their bulletin and pointed out to SANS that even if null sessions are enabled on 2003, it is not like a 2000 null session: account credentials with local logon permissions are necessary.
In the "heat of battle," sometimes people get information wrong, even the experts. I do think that next time I'll remember that the ISC Handlers aren't necessarily Windows security experts. And if I have a question about the best course of action, I'll at least try to contact my Microsoft TAM.
The good news is all the servers are patched a day earlier than they would have been otherwise. The bad news is some users will complain about the emergency downtime. I feel like I've lost some credibility. But hey, I made a decision with the best available information at the time. And having downtime on Monday at 8pm instead of Tuesday at 8pm isn't a big deal in the grand scheme of things.
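Before declaring downtime on a claim like this, the check worth running is whether a given Windows 2003 server actually exposes 2000-style anonymous access, and whether the MS05-039 fix is already on it. The script below is an added example written for this page, not something from the original post or from SANS/Microsoft. It reads the documented LSA and LanmanServer registry values that govern null sessions, reports the null-session pipes and shares the box advertises (Exchange and SQL add entries here), and looks for KB899588, the hotfix MS05-039 shipped as. Which combinations it flags as "2000-style" is this script's own interpretation, and the "expected" default values it substitutes for missing entries are assumptions to verify against your build.

```powershell
# Added example (not from the original post): report the null-session posture of
# the local Windows 2003 host and whether MS05-039 (KB899588) is installed.
# Requires PowerShell 2.0 or later for Get-HotFix.

function Get-NullSessionPosture {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Absent values fall back to what this script assumes the 2003 defaults are.
    $restrictAnonymous    = if ($null -ne $lsa.RestrictAnonymous)         { [int]$lsa.RestrictAnonymous }         else { 0 }
    $restrictAnonymousSam = if ($null -ne $lsa.RestrictAnonymousSAM)      { [int]$lsa.RestrictAnonymousSAM }      else { 1 }
    $everyoneIncludesAnon = if ($null -ne $lsa.EveryoneIncludesAnonymous) { [int]$lsa.EveryoneIncludesAnonymous } else { 0 }
    $restrictNullSessAcc  = if ($null -ne $srv.RestrictNullSessAccess)    { [int]$srv.RestrictNullSessAccess }    else { 1 }

    # Named pipes and shares reachable over a null session (Exchange/SQL add their own).
    $nullPipes  = @($srv.NullSessionPipes)  | Where-Object { $_ }
    $nullShares = @($srv.NullSessionShares) | Where-Object { $_ }

    # MS05-039 was delivered as KB899588; no result means it is not installed.
    $ms05039Installed = [bool](Get-HotFix -Id 'KB899588' -ErrorAction SilentlyContinue)

    $findings = @()
    if ($everyoneIncludesAnon -eq 1) {
        # This is the setting that puts the anonymous logon back into Everyone,
        # i.e. the Windows 2000 behaviour the SANS note was worried about.
        $findings += 'EveryoneIncludesAnonymous=1: anonymous logon is a member of Everyone (2000-style null session)'
    }
    if ($restrictAnonymousSam -eq 0) {
        $findings += 'RestrictAnonymousSAM=0: anonymous SAM account enumeration allowed'
    }
    if ($restrictAnonymous -eq 0) {
        $findings += 'RestrictAnonymous=0: anonymous share and policy enumeration allowed'
    }
    if ($restrictNullSessAcc -eq 0) {
        $findings += 'RestrictNullSessAccess=0: null sessions may reach any pipe or share, not just the listed ones'
    }
    if (-not $ms05039Installed) {
        $findings += 'KB899588 (MS05-039) not installed'
    }

    New-Object PSObject -Property @{
        ComputerName             = $env:COMPUTERNAME
        RestrictAnonymous        = $restrictAnonymous
        RestrictAnonymousSAM     = $restrictAnonymousSam
        EveryoneIncludesAnonymous = $everyoneIncludesAnon
        RestrictNullSessAccess   = $restrictNullSessAcc
        NullSessionPipes         = ($nullPipes -join ', ')
        NullSessionShares        = ($nullShares -join ', ')
        MS05039Installed         = $ms05039Installed
        Findings                 = $findings
    }
}

# Run locally; use with Invoke-Command or a script-push tool to sweep a fleet.
Get-NullSessionPosture | Format-List
```

The useful output is the combination: a server with KB899588 installed needs no downtime regardless of the rest, and a server without it is only in the 2000-style exposure the note described if EveryoneIncludesAnonymous is set (or RestrictNullSessAccess is off); a long NullSessionPipes list from Exchange or SQL on its own does not put the anonymous logon into Everyone.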
In the diary today, SANS continues to warn that patching is needed. And they raise the alert level to yellow.
Infocon Yellow; Windows and Backup Exec exploits are out, where are the exploits, NIST drafts, Snort signatures
Infocon: Yellow
Due to a number of very well working Windows exploits for this week's patch set, and the zero-day Veritas exploit, we decided to turn the infocon to yellow.
Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be worthwhile to consider accelerated deployment of the patches even to critical systems if the weekend is slow anyway. Backup Exec should be firewalled or disabled at this point.
Note: Consider unprotected internet-facing machines infected at this point if they do not have this week's patches applied. Patch and handle them with extra care.
Windows and Backup Exec exploits are out
In case you're waiting to see whether it's worth updating either Windows or Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.
Specifically, MS05-039 appears to have 3 live exploits out for it already, and Backup Exec has at least one exploit out.
We've said it already, but it's worth repeating - get those patches in soon...
There is one important indicator SANS has not considered in its warning: I will be out of the office Tuesday-Friday next week. Historically this often means a major internet worm.
They also brought up an important point. Just because some of these vulnerabilities may make for a worm doesn't mean we are going to see one. It is much more profitable for a bad guy to quietly compromise 100,000 systems than it is to release a major worm. Fame isn't the motivating force any more; money is.
From a History Channel Press Release:
THE MAN WHO PREDICTED 9/11 (WORLD PREMIERE Sunday, September 11 at 8pm ET/PT)
In 2001, Rick Rescorla was the 62-year-old head of security at the Morgan Stanley Bank situated high up in the South Tower at the World Trade Center. For 6 years Rescorla was convinced that terrorists would use jet planes to try and destroy the World Trade Center. Long before September 11th, he developed an evacuation plan for the bank, unpopular amongst some city whiz kids who worked there who thought he was mad. His evacuation plan however ultimately saved 2,700 lives.
Rescorla's evacuation plan was put into effect after the first jet hit the North Tower. When the second jet hit the South Tower, he averted panic and organized a rapid evacuation of Morgan Stanley staff. Rescorla sang Cornish folk songs to calm nerves while thousands trooped down the stair wells. Rescorla went back inside to help those injured and trapped get out. He was still inside when the building collapsed. His body was never found.
THE MAN WHO PREDICTED 9/11 tells Rescorla's extraordinary story from his English childhood, to his heroics in Vietnam, to his work as the security officer at the World Trade Center where he became convinced that an attack was imminent. It follows the dramatic timeline of what happened to Rick between 8:45 a.m. when the first plane hit Tower 1 and 9:58 a.m. when Tower 2 -- and 500,000 tons of steel and concrete -- collapsed on top of him. It features interviews with his biographer, Pulitzer Prize winning author James Stewart, his wife Susan, many of the men and women whose lives he saved that day, and footage of Rescorla making his predictions.
Executive Producer for The History Channel is Marc Etkind. Produced for The History Channel by Testimony Productions.
Article in the Washington Post today on the difficulty of keeping patched. It points out that it is pretty easy nowadays to keep your operating system patched (he must not use Linux) but the applications are still rather difficult. If you're lucky they tell you when there is a new version available, but often you must download the full install instead of the patch, and then run the gauntlet of declining annoying add-ons and desktop icons. With AIM, every time I upgrade, I need to decline WeatherBug, their IE toolbar, and a desktop icon.
From the ISC Diary:
They have created a web form for people to use to submit malicious URLs. The submitted site will be checked, and if malicious it will be added to a database of known attackers. The site will also be monitored for changes.
Is this going to be a poor man's antivirus system or a poor man's Websense? I guess it's hard to remember that some people have to scrape by without the appropriate commercial tools. Blacklists are always reactive. At least in this case false positives should be avoidable.
It's really kind of ludicrous the way news.com bends over backwards to write complimentary articles about Mozilla/Firefox/Netscape.
Apparently this time they have polled the industry and we are all weeping with joy now that Mozilla has a commercial entity. Apparently that was the only thing holding back widespread corporate adoption of Mozilla.
Yeah, right.
The SANS ISC Diary reports new buffer overflows in ARCserve:
New buffer overflows in BrightStor ARCserve Backup and BrightStor Enterprise Backup application agent code used on Windows platforms.
The security update can be downloaded from:
BrightStor ARCserve Backup r11.1 for Windows: http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70767
BrightStor ARCserve Backup r11.0 for Windows: http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70769
BrightStor ARCserve Backup v9.01 for Windows: http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70770
BrightStor Enterprise Backup v10.5 for Windows: http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70774
BrightStor Enterprise Backup v10.0 for Windows: http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70773