About site: Security/Intrusion Detection Systems - DShield
  About site: http://www.dshield.org/

Title: Security/Intrusion Detection Systems - DShield Distributed Intrusion Detection System. Accepts firewall log excerpts from around the world and you can browse through activity reported to the system. Features a list of the "most wanted" abusive I
X-squared Original graphics, interfaces, buttons, animations, wallpapers as well as PhotoShop downloads and JavaScript.

Bowen,_Jonathan London South Bank University - Formal methods, history of computing, online museums.

F90tohtml Perl script that converts Fortran source code into HTML. All the subprogram calls are linked, both forward and backwards. A clickable calling tree is constructed. A subject index can be made from a us

PractiCount_and_Invoice A word counting and invoicing solution for freelance writers and translators. Features, news, support, and order online.

DMAC Offers data entry, image entry, and web based data entry software. Includes product specifications and support links.

Ajaxonomy Weblog with tutorials and tips to develop Ajax applications.




  Related sites for http://www.dshield.org/
    ConciseMail Email hosting solutions for businesses and individuals
    Keller,_Bill University of Sussex at Brighton - Formal foundations and computational properties of formalisms in computational linguistics, application of machine learning techniques to problems in language learni
    ALT_2001 The Twelfth International Conference on Algorithmic Learning Theory. Washington D.C., November 25-28, 2001 (November 25, 2001)
    DigiCrypto,_Inc_ Smart card solutions for Internet security and software copyright protection applications.
    Myer Colorizes identifiers and constants to show their marginal cost to the program's coupling and cohesion metrics. [Open source, GPL]
    Approximate_Query_Answering_(AQUA) A project for exploratory data analysis, aiming to improve responses for large database queries. Through Bell Labs.
    Seattle_Area_Pick_User_Group_(SAPUG) Serves the greater Puget Sound region in Washington State, USA as a meeting place for everyone with an interest in MultiValue/Pick databases. Offers networking dinner meetings, training classes and t
    BuildExec Generates installation sequences for PHP applications, using a web control panel.
    Bibliography_of_SOM_papers A collection of works that have been based on the Self-Organizing Map (SOM) method developed by Kohonen
    City_University,_London School of Informatics. Comprises: Department of Computing, Department of Information Science, Centre for Software Reliability, Centre for Human-Computer Interface Design, Centre for Measurement and I
    University_of_Sofia_St__Kliment_Ohridski Faculty of Mathematics and Informatics. Departments: Computing Systems; Foundations of Computer Science; Information Technologies; Education in Mathematics and Informatics; Laboratory for Information
    Netjukebox Web-based Winamp/httpQ media jukebox offering a number of features including the ability to play music and video from any computer in a network. Features real-time MP3/OGG streaming from different aud
    esna_-_Domino_Hosting esna is a leader in Domino Hosting, Domino Solutions & Domino Consulting providing complete Domino Hosting solutions.
    Happy_Greetings Web-based photo albums specifically for sharing baby photos.
    SubDomain_gr Provides a free URL redirection service.
    MVtools Offers the source code for MVtools, MultiValue/Pick database system building software. This set of over 350 Pick/BASIC programs can be used as a full 4GL development environment, or as a subroutine l
    Definitive_XML_Schema__Author's_Site Information about the book Definitive XML Schema by Priscilla Walmsley. Includes errata and downloadable schema examples.
    t3D_com Offers design, graphics, and animation services.
    Max_Gore Web design, database interaction, video editing, and animation.
    Lightsmedia_com Services offered include: designs using Dreamweaver and Flash, hosting, e-commerce, domain name registration, search engine submission, and marketing.
This is websites2007.org cache of m/ as retrieved on 2008.10.11 websites2007.org's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.
DShield; Cooperative Network Security Community - Internet Security
Internet Storm Center
Infocon: green. Today's Internet Threat Level: GREEN
Handler on Duty: Pedro Bueno

Handler's Diary: When the Hackers Hack Back;World Bank Cyber Intrusions;Fake Microsoft ...

Today's Diary

When the Hackers Hack Back
Published: 2008-10-10, Last Updated: 2008-10-11 01:59:46 UTC
by Marcus Sachs (Version: 3)

Richard, one of our readers, sent us a very interesting note today. He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure. We do not advocate scanning somebody else's network, even if you find that the other network is irritating and dysfunctional. Better to work with that network's upstream ISP to see if they can assist in taming the out of control network owners. Here are Richard's comments. Do not try this from your own corporate network. The results may be hazardous to your job.

    On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open 22, 53, 80 on most of the machines I scanned.

    After the scan had stopped I closed the command prompt and began to read some late night email. I just happened to glance at my router and saw the receive lights were almost solid green. I opened my web browser and tried to get out to the public network and could not. I suspected something was happening and it was.

    The machines I had scanned were launching a DDoS against my IP address and had basically shut me off from the rest of the world. I turned the interface down and went to bed thinking it might clear up after a while.

    I checked at 3:00 am, and 5:30 am and the attack was still on.

    I logged into my router to look at some logs and could see that the machines were still pumping junk down the wire so I called my upstream and they were of no help at all. It took two hours on the phone before I realized that they were not going to be able to help me so here is what I did:

    Thinking that whoever wrote the [attack] script was bright enough to include resource conservation into their code I figured if I remove all physical connection to the ISP at my house, the script would eventually sense that there no longer was a live host at the other end and it would stop. I wish I had tried this first instead of wasting my time on the phone with my useless ISP. It worked and we were back up after about ten minutes of being uncabled.

    Just to make sure I was correct I went through a second run of this and the exact same thing happened. From this I have learned two things: have a good relationship with your upstreams and be careful what you do late at night.

UPDATE 1

Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above.

    After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back. There are a couple of different ways to change your IP address...

    Modem: hang up and call back. If your ISP has a phone pool, then you're hopefully on a new address. (Then again, hopefully you're not scanning some /24 from a modem...)

    Cable modem: I love this -- the networked DHCP address is actually NOT tied to your account. Your cable modem has a MAC address and non-routable DHCP address that is tied to your account. All you need to do is change your routable network address:

    1. Login to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?). Change the WAN MAC address. However, do NOT commit the change yet! If you reset it now, then you will be unable to connect to your cable modem...
    2. Login to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address.
    3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall. When the cable modem comes up, it will learn the new WAN MAC address from your firewall.

    This new MAC address will be assigned a new, routable IP address from the cable modem ISP. You now have a totally new external IP address. Total offline time should be around 15 seconds. (I've got it scripted!)

    DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP).

    If you have a T1 or T3 or static IP address? You're screwed. I recommend playing from a cable modem or DSL where you can change your address.

UPDATE 2

Reader Melvin sent us these comments:

    The local DSL-providers require customers to "register" their MAC-address (either over the telephone, or over the web), in order to limit their customers to the agreed-upon "two" IP-addresses for a "residential" account, i.e., two computers, or your main computer and a "spare".

    So, if you want to change your IP-address, you first have to tell the DSL-provider what the "new" IP-address will be. Then, execute the NMAP from your current IP-address, and then login to your hardware firewall appliance, and change its "WAN" MAC-address to the "new" value, and restart the appliance. The DSL modem does not need to be restarted.

    However, the local TELCO also offers an "all-in-one" appliance: wireless-G router, hardware firewall, and 4-port wired router, as an incentive to new customers. It's much more difficult to change the MAC-address on that appliance.

    Heaven help anybody (on dial-up or not) who is the next person to be assigned your "old" IP-address that is being attacked by the "hack-back" people -- you've screwed their network-connectivity, for a while.

Marcus H. Sachs
Director, SANS Internet Storm Center

World Bank Cyber Intrusions
Published: 2008-10-10, Last Updated: 2008-10-10 20:27:54 UTC
by Marcus Sachs (Version: 1)

Several readers wrote us today pointing out the Fox News story about cyber attacks against the World Bank. There are a lot of details in the Fox News report, but no other independent confirmation of the story. A recent update to the online story says this:

    UPDATE: After FOX News published its story, a World Bank spokesman issued the following statement:

    "The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

    "Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

If you are aware of any other reports (not based on or pointing to the original Fox News story) please let us know via our contact page.

Marcus Sachs
Director, SANS Internet Storm Center

Fake Microsoft Update Email
Published: 2008-10-10, Last Updated: 2008-10-10 12:44:54 UTC
by Marcus Sachs (Version: 1)

Several readers have alerted us to a fake Microsoft email circulating with a malicious attachment. If you are blocking executables at your email servers, there should not be a problem. The email looks like this, but might vary a bit:

    Subject:        Security Update for OS Microsoft Windows
    From:           "Microsoft Official Update Center" <securityassurance@microsoft.com>

    Dear Microsoft Customer,

    Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

    Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

    Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

    As your computer is set to receive notifications when new updates are available, you have received this notice.

    In order to start the update, please follow the step-by-step instruction:

    1. Run the file, that you have received along with this message.
    2. Carefully follow all the instructions you see on the screen.

    If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

    We apologize for any inconvenience this back order may be causing you.

    Thank you,

    Steve Lipner
    Director of Security Assurance
    Microsoft Corp.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    3L0SDPQYESHKTVB7P898LE266163YL 9LZQ6AU3LYK9JFM85HDX4S5FG0PEUY5HXP0
    31Q8WAOREI4H0A7OF4UDTOG8HAXPAZMV91DI6B8XJEQ0636ND3XAWTCOOSNLIGHUN
    ZSDHKKLZ099I6Y03BO91DGUTQMMFT0CWMCZQ4G0R0EYMNN199IEG0PKA6CE3ZPAB6
    EJ4UN52NIIB4VF78224S7BCNFH3NP9V91T66QV0RKA2KOG0RA0EUM5VY17P41G016
    I2YU34EL9XJQGS7C5GMDU4FJUIC3M3ZIAU6==
    -----END PGP SIGNATURE-----

Notice the legitimate signature block and PGP signature. Sorry, Steve, I guess you are a popular guy!

Marcus H. Sachs
Director, SANS Internet Storm Center
Keywords: Microsoft phishing updates

Day 10 - Identification: Using Your Help Desk to Identify Security Incidents
Published: 2008-10-10, Last Updated: 2008-10-10 02:03:10 UTC
by Marcus Sachs (Version: 1)

For the tenth day of Cyber Security Awareness Month we remind our readers that one of the best ways to identify problems in your network is to let your employee or customer help desk be the equivalent of a "human intrusion detection system". When they get more than two or three calls about the same problem, the help desk should be notifying the security team about what is going on. It might not be an incident that needs handling, but it's definitely an event that deserves watching.

Do you have a good relationship with your help desk staff? Do you include them in your security planning and preparation, especially as potential sources of information about the security posture of your networks? What steps have you taken to train your organization's help desk to recognize emerging security incidents?

Send us your ideas and comments via our contact form and we'll add them to this diary throughout the day.

Marcus H. Sachs
Director, SANS Internet Storm Center
Keywords: Awareness2008

Diary Archive

Date        Author            Title
2008-10-10  Marcus Sachs      Day 10 - Identification: Using Your Help Desk to Identify Security Incidents
2008-10-10  Marcus Sachs      When the Hackers Hack Back
2008-10-10  Marcus Sachs      Fake Microsoft Update Email
2008-10-10  Marcus Sachs      World Bank Cyber Intrusions
2008-10-09  Bojan Zdrnja      Watch that .htaccess file on your web site
2008-10-08  Johannes Ullrich  Domaincontrol (GoDaddy) Nameservers DNS Poisoning
2008-10-07  Kyle Haugsness    Cogent peering problems
2008-10-07  Kyle Haugsness    Day 7 - Identification: Host-based Intrusion Detection Systems
2008-10-07  Kyle Haugsness    Good reading and a malware challenge
2008-10-06  Jim Clausing      Novell eDirectory advisory

Web Contact: info@dshield.org

This work is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.
 

2008-10-11 03:58:20

Copyright 2005, 2006 by Webmaster