
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-16



How do you deploy?

Published: 2006-01-16
Last Updated: 2006-01-16 23:57:36 UTC
by Tony Carothers (Version: 1)

Last night a question was put to us, "I wonder how many people use vendor-loads (on new machines) versus reformat/reload?"  Therefore, in the interest of science (and general curiosity) I thought I would throw the question out for discussion today.  Feel free to let us know via the "Contact" link at the top of this page how you, or your organization, choose to deploy.

/-- UPDATE --/

We have received a number of responses to this question, and the majority has been of the 'reformat/reload' variety.  One of our readers, Ian, submitted some excellent thoughts I would like to share:

"Experience has shown that vendor loaded machines are regularly unstable, sluggish and overflowing with bloat-ware and needless applications not to mention Windows features which most users will NEVER use!  EVERY instance of clean installation has resulted in a stable, fast (in comparison) machine plus space saving on the hard-drive.  Feedback is always positive... On older machines, people who had considered forking out thousands on the latest and greatest have reconsidered and saved their hard earned coins a little longer.

Dare I question Pros and Cons?  I do...  Pros: Nothing beats the familiarity and intimacy of a custom install... every file is accounted for and required, a blessing if troubleshooting is required in the future.  Cons: Time, it can be time consuming performing a reformat/clean install depending on configuration but long term those hours appreciate to savings in the event of a catastrophe - A worthwhile trade off."  (Thank you Ian, have a safe trip)

Another point, submitted by a reader who wished to remain anonymous, is that when calling a vendor for support, they often require that their tools be loaded, or worse, left intact via an install from their recovery CDs.

/-- FINAL WORD --/

The final tally is an overwhelming 'reformat/reload' with some interesting thoughts on how to go about it.  I will consolidate some of those thoughts, and add them to this write-up later in the week. 

Many thanx go out to everybody who wrote in today.  Thank you.


Veritas Exploit on the web

Published: 2006-01-16
Last Updated: 2006-01-16 23:43:34 UTC
by Tony Carothers (Version: 1)

FrSIRT has notified the ISC that a new exploit has been released that takes advantage of the stack overflow vulnerability in Veritas NetBackup Enterprise Server.  As a reminder, a specifically crafted packet sent to the Volume Manager on port 13701 will cause a stack overflow, allowing the attacker to run code of her/his choosing.  The attacker does not need to authenticate to take advantage of this vulnerability.

The vulnerability that this exploit takes advantage of is ~60 days old.  The downside of this exploit is that, in one pass, an attacker would have the ability to create a disaster, and then destroy a company's ability to recover from said disaster.

The security packs that address this vulnerability, Symantec Advisory #SYM05-024, can be found here. 

Thanx again to FrSIRT for providing the update.


Two-factor authentication Defense Mechanisms

Published: 2006-01-16
Last Updated: 2006-01-16 20:34:51 UTC
by Tony Carothers (Version: 1)

With the growing use of two-factor authentication, users are finding it increasingly difficult to safely transport and, especially, store one of the more common devices used in this endeavor: the Smart Card.  A device the size and shape of a common credit card, it differs from a standard credit card in that it has an embedded chip for the storage of information, particularly user information and certificates.  Recent discussions brought about the point that an individual might be wise to protect the Smart Card with the same degree of protection as the other piece of two-factor authentication, the PIN.

Both devices, at a minimum, require protection from the greatest threat posed to date, and that is electromagnetic psychotronic hacking from mind control carriers (MCCs).  In previous articles it was established that psychotronic hacking can be used to decrypt and read brain waves, so the process of hacking a Smart Card would be child's play for MCCs.

*PIN Protection unit (PPU)
http://zapatopi.net/afdb/

*Smart Card protection unit (SCPU)
http://www.rpi-polymath.com/ducttape/RFIDWallet.php

The regular practice, and combined use, of the PPU and SCPU will result in a little known heightened state of personal security, commonly referred to as Infosystems Defcon 10T (ID-10T).


WMF Generator

Published: 2006-01-16
Last Updated: 2006-01-16 17:14:37 UTC
by Tony Carothers (Version: 1)

We received notification last night that a working exploit, "MS Windows Metafile (WMF) Remote File Download Exploit Generator", has been released to the public.  The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", Microsoft bulletin MS06-001.  The exploit code will generate a .wmf that downloads and executes a file from a specified URL.  The sad part of this story is that we now have a set of 'plug & play' source code for evil-doers to spread their wares with, only 10 days after a patch was released.

Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants very soon.  The group responsible for this release is well-known for this.
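As an added illustration from the detection side (this is not code from the ISC diary, nor from the generator it reports), the Python scanner below walks a WMF record stream and flags the META_ESCAPE record whose escape code is SETABORTPROC, the record type through which the MS06-001 graphics rendering engine vulnerability is triggered. The header and record layouts and the constants (placeable header key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC 9) come from the WMF file format; the sample files are constructed inline, with zero filler where a real sample would carry a payload. It goes a little beyond the entry by also handling files that start with the optional 22-byte placeable header and by treating truncated or malformed record streams as an error rather than as clean.

```python
"""Flag WMF files carrying a META_ESCAPE/SETABORTPROC record (the MS06-001 vector).

Added illustration, not ISC code.  Layout assumed from the WMF format: an optional
22-byte placeable header, an 18-byte METAHEADER, then records made of
rdSize (DWORD, counted in 16-bit words) + rdFunction (WORD) + parameters."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional placeable (Aldus) header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103      # harmless record used in the constructed samples
META_ESCAPE = 0x0626          # GDI escape record
SETABORTPROC = 0x0009         # escape subcode that registers a callback from image data


def find_setabortproc(data):
    """Return [(record_offset, escape_data_byte_count), ...] for every META_ESCAPE
    record whose escape code is SETABORTPROC.  Malformed or truncated input raises
    ValueError; a file scanner would treat that as suspicious, not as clean."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22  # skip the placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated METAHEADER")
    header_size_words = struct.unpack_from("<H", data, pos + 2)[0]
    if header_size_words != 9:
        raise ValueError("METAHEADER size is not 9 words")
    pos += 18

    hits = []
    saw_eof = False
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        rec_len = size_words * 2
        if rec_len < 6 or pos + rec_len > len(data):
            raise ValueError("bad record size at offset %d" % pos)
        if function == META_EOF:
            saw_eof = True
            break
        # META_ESCAPE parameters: escape code (WORD), byte count (WORD), data
        if function == META_ESCAPE and rec_len >= 10:
            escape_code, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape_code == SETABORTPROC:
                hits.append((pos, byte_count))
        pos += rec_len
    if not saw_eof:
        raise ValueError("record stream ends without META_EOF")
    return hits


# --- constructed sample files (not real malware) ------------------------------

def _record(function, params=b""):
    """Encode one WMF record; params must be an even number of bytes."""
    if len(params) % 2:
        raise ValueError("WMF record parameters are word-aligned")
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def _wmf(records, placeable=False):
    """Wrap records in a METAHEADER (and optionally a placeable header)."""
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if placeable:
        # key, handle, bounding box (4 x INT16), inch, reserved, checksum (left 0)
        header = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


_SETMAPMODE = _record(META_SETMAPMODE, struct.pack("<H", 8))
# escape code 9 followed by 4 zero filler bytes where an exploit would put its payload
_ABORT = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)

BENIGN_WMF = _wmf([_SETMAPMODE])
SUSPICIOUS_WMF = _wmf([_SETMAPMODE, _ABORT])
PLACEABLE_SUSPICIOUS_WMF = _wmf([_SETMAPMODE, _ABORT], placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("placeable", PLACEABLE_SUSPICIOUS_WMF)]:
        print(name, find_setabortproc(blob))
```

The scanner is deliberately strict: any record whose declared size runs past the end of the file, or a stream that never reaches META_EOF, raises instead of returning an empty list, because a gateway filter that silently passes malformed metafiles is exactly what a generated sample would be tuned to slip through.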


Windows Vista security patches

Published: 2006-01-16
Last Updated: 2006-01-16 01:31:48 UTC
by William Stearns (Version: 1)

Microsoft has released a security update for the in-testing Windows Vista.  The update addresses the WMF vulnerability covered earlier this month for released Windows versions.
(Thanks to eWeek for the link.)
-- Bill Stearns