Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

It's been 10 years

Published: 2009-12-28
Last Updated: 2009-12-28 20:51:44 UTC
by Joel Esler (Version: 2)
2 comment(s)

The Internet Storm Center directly traces it's roots back to the year 1999.  A SANS Project called the Consensus Internet Database was created as part of the infamous Y2K effort. On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53, the port that supports the Domain Name Service. Over a period of a few hours, more and more probes to port 53 were arriving - first from dozens and then from hundreds of attacking machines.

Within an hour of the first report, several analysts, all of whom were fully qualified as SANS GIAC certified intrusion detection experts back then called "Track 3", now named "503", agreed that a global security incident was underway. They immediately sent a notice to a global community of technically savvy security practitioners asking them to check their systems to see whether they had experienced an attack. Within three hours a system administrator in the Netherlands responded that some of his machines had been infected, and he sent the first copy of the worm code to the analysts.

The analysts determined what damage the worm did and how it did it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just fourteen hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm.

The Li0n worm event demonstrated what the community acting together can do to respond to broad-based malicious attacks. Most importantly, it demonstrated the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious. The technology, people, and networks that found the Li0n worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic. CID's contribution the night of March 22 was sufficient to earn it a new title: the SANS Internet Storm Center. Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. The Internet Storm Center is a free service to the Internet community.

The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. Volunteer incident handlers donate their valuable time to analyze detects and anomalies, and post a daily diary of their analysis and thoughts on the Storm Center web site.

What we would like to hear from you, the readers is, in the past 10 years.  What are the memorable moments?  What are the highs and lows of the past ten years (information security/ISC wise)?  Rather a 'decade in review'.  What we are going to is put these all together and on January 1st of 2010, we'll post a diary showing these.  The past 10 years in review, submitted by you, the readers, whom without -- The Internet Storm Center, would not function.

Please give us feedback via the Contact link at the top of the page on http://isc.sans.org.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
2 comment(s)

How this weekend's attempted Terrorist attack relates to IT.

Published: 2009-12-28
Last Updated: 2009-12-28 16:08:41 UTC
by Joel Esler (Version: 4)
5 comment(s)

In case you were spending time with your family this weekend and not watching the news, there was an attempted Terrorist attack on a flight from Amsterdam to Detroit, USA on December 25th.  From what I understand this "terrorist" was on the flight, and as the plane was getting ready to land, tried to ignite something in his lap to catch the plane on fire, or cause it to explode.  (DHS is looking into which one it was supposed to be).

As a result, the US Gov't (and several foreign Gov'ts) stepped up security.  Adding more Air Marshalls, increasing security screening at checkpoints, explosive sniffing dogs, and not allowing people to use PED's during portions of the flight.  (PED = Portable Electronic Devices).

So, how does this relate to Information Security?

#1) Stepping up the security that didn't work in the first place

It's not enough to ramp up the security that obviously didn't work.  This suspect was able to get on board, with some type of incendiary device.  (Notice I said "Incendiary device", not PED.  I don't know why Gov't regulators and Airlines insist on punishing things like DVD players and iPhones, (etc) when something bad happens.)  In the normal reactionary mode, you would say "how did 'x' device get on board the plane and why didn't we catch it?"  Obviously, it's impossible to look for everything that people will invent to circumvent security policy, it's impossible to make your air travel 100% safe.  Anytime you have that many people that want to do that many bad things, there is a way that the "Bad guys" will find a way to do something "Bad".  It's inevitable.  The answer is compensating controls.  Ramping up more of the same isn't going to do it.  But doing additional things that are different that focus on different areas will help.  You can't lock down port 80 because there are too many attack vectors.  But you can force people through a proxy and keep them from doing bad things using tools like Websense, (etc).  But all of that doesn't matter if you allow external proxies and can SSH out of the network.  If you lock down one area, you have to lock down them all.  At the end of the day, how much trust do you have in your users?  Some, none?

#2) Playing the Blame Game.

Oh, it was PED's.  Oh, it was because we let the suspect out of their seat to retrieve something from the overhead bin.  Oh, it's because this person is running a non-standard configuration of IIS.  Oh, it's because this person is running Firefox instead of IE.  Stop blaming and fix the problem.  Don't sit in a meeting and say "Oh, well, it's because he was running that evil Mozilla and not our precious IE, that's how we got hacked!"  Don't blame the tool, blame the person for not patching the tool.  How can you get Firefox to update?  How can you keep people from installing it in the first place?  It's not about placing blame, it's about finding what went wrong and fixing the problem in a way that YOU CAN CONTROL.  Not allowing people to get up during a flight isn't going to work, because people are going to NEED to get up on a flight.  Not allowing people to use their iPods on flights isn't going to work, because people are going to do it anyway.  The big question is, what is the device the guy had and tried to ignite, and how did it get on the plane?

#3) Incorrect allowances.

In the words of the comedian Louis Black "...you can't bring a lighter on board the plane, but you can bring matches.  You can bring matches..  That's what is wrong with this country, your brain can't cope with that kind of logic."  We don't allow you to bring a lighter on board, to you know, ignite things with, but you can bring matches on board.  I know I'll catch flack from the Smokers who are reading this, and I understand, but listen..  you can't smoke on a plane anyway.  There is no need for anyone to have anything that ignites past security.  "So how do we smoke in the airport", well..  1) Don't.  2) Quit, (Yes, you can do it, I did) or 3) I am sure we can figure out some kind of electronic ignition device that we place in the smoking rooms in the airports.  All of today's modern technology, and we can't figure out how to NOT let people carry something that causes FLAME on a plane.  Allowing people to bypass one security control by compensating with an equally damaging one kinda defeats the purpose doesn't it?  You don't allow people to run Firefox, but you allow them to run Safari.  You don't allow people to run OSX because you "can't control it" (yes I've heard this), but you allow people to run Linux.  Poor examples, and I welcome more if you'd like, but you get my point.

From my armchair quarterbacking spot, how did the flame get on the plane?  How did the device get on the plane?  What was the device?  

From Reuters:  Information on the explosive device:

"The device consisted of a six-inch (15-cm) packet of powder and a syringe containing a liquid, which were sewn into the suspect's underwear, according to media reports."

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Keywords:
5 comment(s)
It seems the Blackberry problem may have been localized. All clear as far as I can tell.

Microsoft puts up a blurb on their website about the IIS 0day.

Published: 2009-12-28
Last Updated: 2009-12-28 15:36:57 UTC
by Joel Esler (Version: 3)
0 comment(s)

Microsoft has put up a response on their security blog concerning the IIS "0day".  They say that only installations in a specific "non-default" and "unsafe configuration" are vulnerable to the condition.  Also they note that if the administrator had not altered the default configuration and followed best practices in the securing of the webserver, then this exploit wouldn't work.

Unfortunately, we know that doesn't always wind up being the case.  Read more of their blog post here.

Check out Patrick's Post here.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
0 comment(s)
8 Basic Rules to Implement Secure File Uploads http://jbu.me/48 (inspired by IIS ; bug)
Diary Archives