SANS ISC: InfoSec Handlers Diary Blog

Wildfire Scams

Published: 2007-10-26
Last Updated: 2007-10-27 18:23:03 UTC
by Johannes Ullrich (Version: 2)

As with any disaster in the past, we expect some scams related to the California wildfires. So far, we are happy to report that we see almost no activity. But if you come across something, please let us know!

Basic tips:

  • Only donate to charities you know.
  • Do not respond to donation requests that you receive via e-mail.
  • If in doubt, make your donation by mail or phone, using a well-published phone number.
  • The IRS operates a registry of charities.

Our best wishes are with the victims of the fire.



UPDATE: We are starting to see hundreds of domain registrations about the California wildfires. Keep a watchful eye out for spam related to these "suspicious" domains.


Joel Esler


Cyber Security Awareness Tip #26 - Safe File Transfer

Published: 2007-10-26
Last Updated: 2007-10-27 15:30:56 UTC
by Mark Hofman (Version: 1)

The Internet has provided us with a convenient method to share information with each other and one thing we all do is to move files around.  Whether they be documents attached to emails, music, movies or programs we install, it is all about files, files, files.  So how do you safely transfer files from one location to another?  We're talking important stuff, the super secret info that your business relies on in order to stay afloat or information that keeps the country safe, but things you need to share with others in order to function. 

We've had plenty of examples over the last year or so of what not to do, especially with backup tapes and credit card numbers. So we need some tips on what people should and should not do. I'll kick it off.


  • Have a policy on how information can be exchanged between organizations
  • Encrypt sensitive information on backups, removable media or in emails
  • Use SFTP or SCP to transfer files
  • Set up a secure file exchange facility within the corporate infrastructure to securely exchange files with others. 

    1. "Use secure thumb drives. They don't cost that much more.
    2. Use strong passwords.
    3. Store the password and data separately.
    4. Don't e-mail the password with the data.
    5. When sending data by courier make sure they are trustworthy; we have had customers send data that just never made it to us.
    6. Password protect all storage devices, including cell phones; they can hold a lot of data nowadays." (Paul)


And, on the amusing side, what not to do:

  • Allow services such as the free file-transfer web sites to be used by staff.
  • Put the information on a CD and then leave it in the kiosk computer at the airport.

Send us some good tips on what to do (bad ones are acceptable as well, but they have to be amusing).
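As an added illustration of the "encrypt it, authenticate it, and send the password by another channel" tips above (this is example code written for this diary, not a tool the diary or any reader contributed), here is a small passphrase-sealed container in Python. It uses only the standard library, so the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag rather than AES; the container tag "SFX1", the field sizes and the iteration count are this example's own choices. In practice you would hand the job to gpg --symmetric, age or an SFTP server rather than ship a home-grown cipher, but the steps are the same: derive keys from the passphrase with a random salt, encrypt, authenticate, and on the receiving side verify the tag before trusting a single byte.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"SFX1"          # container tag; an arbitrary choice for this example
SALT_LEN = 16            # random salt for the passphrase KDF
NONCE_LEN = 16           # random per-file nonce for the keystream
TAG_LEN = 32             # HMAC-SHA256 tag
KDF_ROUNDS = 200_000     # PBKDF2 iterations; tune to your hardware
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_keys(passphrase: str, salt: bytes):
    """PBKDF2 gives 64 bytes: first half encrypts, second half authenticates."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) as a counter-mode keystream.
    Stands in for AES-CTR only because the stdlib ships no block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC: header || ciphertext || HMAC(header || ciphertext)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    body = MAGIC + salt + nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag first, decrypt second. Raises ValueError on any failure."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong passphrase or file altered in transit")
    ciphertext = body[HEADER_LEN:]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def fingerprint(blob: bytes) -> str:
    """SHA-256 of the sealed file, to read out over the phone together with the
    passphrase so the recipient can confirm they got what you sent."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    secret = b"Q3 figures, board eyes only\n"          # constructed sample payload
    sealed = seal(secret, "correct horse battery staple")
    print("sealed size:", len(sealed), "fingerprint:", fingerprint(sealed))
    assert open_sealed(sealed, "correct horse battery staple") == secret
    damaged = bytearray(sealed)
    damaged[HEADER_LEN] ^= 0x01                        # flip one ciphertext bit "in transit"
    try:
        open_sealed(bytes(damaged), "correct horse battery staple")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the layout is the order of operations on the receiving side: the recipient checks the tag over everything (header included) before any decryption happens, so a file that was swapped, truncated or corrupted by the courier is rejected outright rather than turned into garbage. The passphrase and the fingerprint travel by phone; the sealed file travels by whatever channel is convenient.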



Mark H - Shearwater



Request for info, IPs, exploit examples on PDF mailto documents

Published: 2007-10-26
Last Updated: 2007-10-27 02:38:10 UTC
by Adrien de Beaupre (Version: 3)

Hi all,

we are looking for examples of the PDFs being sent out, snort signatures, the IP addresses sending them out, the IP addresses they download malware from, and examples of the malware.

Please upload here:

Adrien de Beaupré
Bell Canada

UPDATE: Thanks, all, for the PDF examples. Please be sure to submit some IP addresses for the controllers, if you have any more. I've been told that Snort rules have been created by Sourcefire's VRT team; they are subscription only.

Joel Esler


URL Update to Internet Explorer URL Handling Vulnerability

Published: 2007-10-26
Last Updated: 2007-10-26 13:56:46 UTC
by Johannes Ullrich (Version: 2)

Earlier this month, Microsoft published KB943521. This article acknowledged that third-party software has to validate URLs before passing them to Internet Explorer, because Internet Explorer will not validate them itself. Today, Microsoft published an update to the advisory, reporting limited exploitation of this vulnerability.

Thanks to Chris and Gilbert for alerting us to the update! Let us know if you see an exploit in the wild, or if you encounter any third-party applications that do not protect Internet Explorer.

Update: contrary to what we noted earlier, Microsoft is working on a patch for this problem (thanks, Nate, for pointing this out).

Links: msrc-blog-october-25th-update-to-security-advisory-943521.aspx
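The PDF request above and this advisory come down to the same discipline: a URL pulled out of a document must be checked before it is handed to whatever program the system has registered for it. As an added example (written for this diary; it is neither the Sourcefire VRT rule set nor Microsoft's fix), here is a conservative allow-list check for a URL about to be passed to the browser or mail client, plus a small sweep that pulls every /URI link action out of an uncompressed PDF and runs that check against it. The scheme list, the forbidden-character set and the sample PDF are this example's own assumptions. The PDF side is a regular expression over raw objects, so a document that keeps its annotations in compressed object streams has to be decompressed first; it is a triage aid, not a parser.

```python
import re
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # this example's allow-list; extend deliberately
# Quotes, whitespace, control characters, backslashes and shell metacharacters
# have no business in a URL that another program will interpret.
FORBIDDEN = re.compile(r'["\'\\\s\x00-\x1f\x7f|&;<>`$]')
# Shape of one mailto: recipient (the part before any ?subject=... query).
MAILTO_ADDR = re.compile(r'^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$')


def url_is_safe(url: str) -> bool:
    """Allow-list check for a URL about to be handed to the system URL handler.
    Rejects rather than sanitises: a URL that fails should be shown, not launched."""
    if not url or len(url) > 2048:
        return False
    decoded = unquote(url)          # judge what the handler sees after %xx decoding
    if FORBIDDEN.search(url) or FORBIDDEN.search(decoded):
        return False
    if "/.." in decoded:            # path traversal hidden behind percent-encoding
        return False
    try:
        parts = urlsplit(url)
    except ValueError:              # e.g. a malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme == "mailto":
        return all(MAILTO_ADDR.match(r) for r in parts.path.split(","))
    return bool(parts.netloc)       # http/https need a host


# /URI key followed by a literal (...) or hex <...> string in an uncompressed PDF object.
PDF_URI = re.compile(rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"\n": b"", b"\r": b""}   # backslash-newline is a line continuation


def _pdf_string(literal, hexstring) -> str:
    """Decode a PDF string object (literal or hex form) to text."""
    if hexstring is not None:
        h = re.sub(rb"\s", b"", hexstring)
        if len(h) % 2:
            h += b"0"               # PDF pads a trailing odd nibble with 0
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")

    def unescape(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return _ESCAPES.get(e, e)   # \( \) \\ and unknown escapes yield the char itself

    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, literal, flags=re.S).decode("latin-1")


def scan_pdf(data: bytes):
    """Return [(url, safe), ...] for every /URI action found in the PDF body."""
    urls = (_pdf_string(m.group(1), m.group(2)) for m in PDF_URI.finditer(data))
    return [(u, url_is_safe(u)) for u in urls]


def suspicious_urls(data: bytes):
    """Just the links a triage analyst should look at."""
    return [u for u, ok in scan_pdf(data) if not ok]


# Constructed sample: a one-page PDF with four link annotations (not a captured sample).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (mailto:handlers@example.org) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (mailto:%22x%22@example.com?subject=..%2F..%2Fy) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <6d61696c746f3a6140622e6578616d706c65> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for url, ok in scan_pdf(SAMPLE_PDF):
        print("OK  " if ok else "BAD ", url)
```

Two design choices are worth naming. The check looks at both the raw and the percent-decoded form, because the program that finally receives the URL will decode it and the dangerous characters only appear afterwards. And it is an allow-list that rejects, not a filter that strips: a link that fails the check is reported to the user or the analyst as-is, since rewriting it would only hide what the document was trying to do.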

