
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-11-14 InfoSec Handlers Diary Blog



Miscellaneous items

Published: 2007-11-14
Last Updated: 2007-11-14 23:38:36 UTC
by Kyle Haugsness (Version: 1)

Nothing really major happening today, so here are a couple of quick items:

  • Many security fixes released by Apple today for OS X and Safari on Windows.
  • There is more fallout from the salesforce.com breach.  This time phishing emails were sent to recipients from the supposed "Canadian Revenue Service" (Canada tax agency).
  • There is a fake Microsoft Security Update bulletin going around that looks pretty real.  They seem to be customized with the recipient's full name.  There is a link to malicious EXE files proclaiming to be the patch installer.

New version of cvtwin, now with HTTP upload

Published: 2007-11-14
Last Updated: 2007-11-14 04:11:12 UTC
by Johannes Ullrich (Version: 1)
First of all: if you are currently submitting data to DShield, and everything works right: Don't touch it ;-)

Historically, data was submitted to DShield via e-mail. I chose this method way back (Nov. 2000) as it provided easy load balancing and queuing in case the main database server was under heavy load. Initially, we only had a Linux client, and of course it's trivial to send e-mail from almost any Linux host. The first client was actually a 1-line shell script.

I think e-mail is still a good idea, but we are having more and more issues getting e-mail to us. In particular, our Windows client, cvtwin, uses an external simple command-line client which isn't always that easy to configure, as ISPs block port 25 and require users to log in to mail servers.

So earlier today, Wayne, our "cvtwin guy", added a new function: It will now submit data via HTTP as well as SMTP. I think in particular in Windows scenarios this makes a lot of sense. Most of our Windows users are home users. They run some kind of logging software on a workstation and submit logs collected by this software. These systems are used for web browsing and usually have unobstructed access to port 80.

So if you have issues running CVTWIN because you are not able to send mail, give the new version a try. And again: If it works, don't touch it ;-)

More details about CVTWIN: Windows Clients
Changelog (use for now for documentation of the http feature)

This is an experimental release at this point. Please report issues to info@dshield.org.
