Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Solaris Kernel memory leak in named pipes

Published: 2007-10-03
Last Updated: 2007-10-03 20:47:59 UTC
by William Stearns (Version: 2)
0 comment(s)

There's a bug reported in Solaris kernels' handling of named pipes.  An unchecked function parameter allows an attacker to use up large amounts of memory.

More details about the vulnerability and patch can be found at the following:

0 comment(s)

DHS 'Spam' List

Published: 2007-10-03
Last Updated: 2007-10-03 20:26:37 UTC
by Marcus Sachs (Version: 3)
0 comment(s)

The US Department of Homeland Security sends out a daily Open Source Intelligence Report to a subscription list of hundreds, perhaps thousands of recipients.  This morning a reader replied to the list address with a request for a change and his note got re-sent to all of the list subscribers.  In the next hour or so, dozens of readers have replied, creating a mini-DDoS of sorts to the subscriber's inboxes.  This points out an important point - if you maintain a broadcast mailing list make sure that the address will not reflect email from sources other than the owner of the list.  Otherwise, you will become a training example for SANS.

While this is not a Cyber Security Awareness tip, it comes mighty close.

(DHS has been notified.)

Update #1

As of 1920UTC, about six hours into this event, over 275 emails were sent.  Nearly one-half were either pleas to stop sending more replies or people demanding to be unsubscribed (in spite of the fact that unsubscribe instructions are at the bottom of the DHS daily reports.)  Many of the posts were humorous, some offered jobs, at least one was a "vote for me" political advertisement, and many more offered their names and contact information in case somebody was looking to connect with their sector or region.  While 275 is not even close to the millions of emails that get sent on a typical commercial spam run, it is a large number for a "flash crowd" or whatever this may eventually be called.  It also revealed a nice cross-section of who subscribes to DHS daily publications and consider themselves part of the defensive security community.  Most definitely do not have the Jack Bauer (character from the series "24") mentality of total seriousness and no-joking attitude.

We did a bit of investigating and this does not look like a typical Mailman or MajorDomo listserve administered by DHS.  Instead, it appears to be an email address on a Lotus Domino Release 7.0.2FP1 server hosted by a government contractor that reflects email to a list of thousands of subscribers.  It's not clear why a single email got reflected today and not in the many previous months this service has been available.  Quite likely an email administrator either clicked a box last night, rebuilt the system, migrated it to a new server, or did something that un-set a setting designed to prevent this type of event.  Regardless, the situation is still not fixed.  As this diary is being written another email just came through.   Sigh....

Update #2

The pain the past few minutes the CSC server has started spewing "attachment blocking notifications" in response to the emails sent in that had MIME formatted content.  So now we brace for another round of spew.

A reader sent us an interesting idea - all it takes now is some wise-acre (or a BadGuy™) to send a zero-day PDF or Word attachment to the nearly 300 names now available and nail a few dozen gullible security professionals.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)

Cyber Security Awareness Tip #3: Getting the Boss Involved

Published: 2007-10-03
Last Updated: 2007-10-03 19:51:24 UTC
by William Stearns (Version: 5)
0 comment(s)

Readers, October 3rd's topic for Cyber Security Awareness Month is "Getting the Boss Involved."  Let us know how you do it - what methods, techniques, ideas, or approaches have you used that work?  As most of us know, a good security awareness program will not work unless the leadership is involved.  So pass along your thoughts via our contact form and we'll post them as updates to this diary.

- Think "Big Picture"!  When you're presenting an idea, cover how this will help the business.  Will it reduce costs?  Secure the systems?  Reduce the change of breaches or lawsuits?

- Show your bosses that you can not only handle technical concepts but business ones as well.

- "We have had a rash of viruses due to the managers not allowing us to properly secure our systems. We started keeping track of the time it took us to correct the problem + the lost time of the employee because their computer was down and presented this to the "suits."  We also used some of the statics on the cost of a security breach. This fixed our problem!"

Do you notice a pattern already?  Present the issue by highlighting aspects that are important to the listener

- As part of our security awareness and training plan, we do an annual executive security briefing. We keep this brief and non-technical, but highlight the positives we can claim from the previous year and describe our approach to addressing problems that we might see in the next year.
- We do a full staff review of security standards (including the boss(es)) and have the boss sign off on the annual audit certification letters.

- If you're trying to share a sense of urgency about a problem: ""Don't give the boss horror stories about what could happen, give him real stories of what has happened to other people." --Alan Paller

Thanks to Ismael, Robert, Guy, and John for the contributions.


0 comment(s)
Diary Archives