Archive for the ‘ISC’ Category

Microsoft Non-Security Updates, (Wed, Jun 23rd)

As a number of readers have reported, Microsoft released a few non-security updates on Tuesday via Windows Update/Automatic Updates. Most of our readers will recognize that the 4th Tuesday of the month is when Microsoft usually releases non-security updates. From the results of a couple of computers here in my office, the updates involve the .NET Framework versions 3.x and 2.x. As with all updates, please remember to test the update in your respective environment prior to wholesale deployment. More information on the .NET Framework update available at KB982524.

Scott Fendley ISC Handler (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

IPv6 Support in iOS 4 , (Wed, Jun 23rd)

On Monday, Apple released iOS 4 to the masses. Among numerous security fixes, one other feature that caught my interest was the availability of IPv6. The iPhone was one of a few holdouts in the mobile phone world that did not yet support IPv6. In some ways, the iPhone and similar devices are just why people feel we may need IPv6. Features like VoIP calling (e.g. Apple's new FaceTime protocol) can work with NAT, but may possibly work better if the device has a globally routable IP address, which may not be available in IPv4.
Screenshots of iOS 4 beta versions showed a new configuration setting for IPv6, allowing users to turn IPv6 support on and off. The final version as delivered to customers on Monday no longer has this switch. Instead, IPv6 support is always turned on. In order to be functional, it does need to be connected to an IPv6 capable network.
In my tests, I connected the iPhone's WiFi network to my home network, which supports IPv6 and uses a router that advertises itself via IPv6 router advertisements. The iPhone did pick up an IPv6 address. The IPv6 address selected by the iPhone was derived from the MAC address (EUI-64). I personally would have preferred a privacy enhanced address.
iOS 4 does not appear to support any tunneling protocols. It will only use IPv6 in a dual stack configuration. I am going to update this diary as I get to experiment more with it.
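As an added example (not part of this diary), the following Python shows how the EUI-64 interface identifier mentioned above is formed from a MAC address, and lets a network owner check which observed IPv6 addresses reveal a MAC as opposed to privacy-style addresses; the MAC, prefix and addresses used are constructed.

```python
"""Tell MAC-derived (EUI-64) IPv6 addresses apart from privacy-style ones.

Added example, not from the ISC diary. The MAC, prefix and addresses are constructed.
"""
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """8-byte modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A)."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host without privacy extensions forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac)))


def embedded_mac(addr: str):
    """MAC recoverable from an EUI-64 shaped address, or None for privacy/static addresses.

    Heuristic: the ff:fe marker can appear by chance in a random IID, but that is rare.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


def audit_addresses(addrs):
    """Map each observed address to the MAC it reveals, or None if it reveals none."""
    return {a: embedded_mac(a) for a in addrs}


if __name__ == "__main__":
    # Constructed sample: one EUI-64 address next to one privacy-extension style address.
    observed = [slaac_address("2001:db8:1:2::/64", "00:1c:b3:12:34:56"),
                "2001:db8:1:2:9a3e:7c01:5d2f:b88"]
    for addr, mac in audit_addresses(observed).items():
        print(addr, "->", mac or "no MAC embedded")
```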
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


Opera Browser Update, (Wed, Jun 23rd)

In other news, Opera Software released version 10.54 of their web browser on June 21st. One of the vulnerabilities corrected in this release involves the font handling flaw discussed in the advisory at http://www.opera.com/support/kb/view/954/. In addition, Opera corrected several other critical vulnerabilities which will be disclosed in the future. If you prefer the Opera web browser to the other mainstream alternatives, it is recommended that you apply the update in the near future. More information is available in the release notes.
Thanks to Frank who noted the update a short while ago.
Scott Fendley -- ISC Handler on Duty

Mozilla Firefox Updates, (Wed, Jun 23rd)

Earlier today, Mozilla released the newest version of Firefox.
Firefox 3.6.4 corrects 7 vulnerabilities, which range from critical issues such as denial of service or arbitrary code execution bugs to a few lower-severity issues. The full list of vulnerabilities corrected is located in the release notes. In addition, this release of Firefox provides much better handling of plugin crashes. Should a plugin crash or freeze while viewing a website, Firefox now allows the plugin to crash without taking down the entire browser. This is a very useful feature for those of us who keep many, many tabs or windows open during the course of the day and get very irritated when you open that one website that has some odd Flash or QuickTime media that causes the plugin to abnormally end. YAY!
Firefox 3.5.10 was also released and corrects 9 vulnerabilities, of which 6 are rated as critical. The 3.5.x tree of Firefox will continue to receive security updates for 2 more months, so it is time to prepare to jump to 3.6.x very soon. More details on the security issues are listed in the release notes.
Thanks to all of our readers who were on top of these releases tonight and alerted us of them.
Scott Fendley -- ISC Handler on Duty

Problems With Lenovo Support, (Tue, Jun 22nd)

If you visited the Lenovo support site over the last few days, you may want to check out this link that Jim sent in: Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan
Christopher Carboni - Handler On Duty

Thoughts on Malware for Mobile Devices, (Tue, Jun 22nd)

One of the reasons that I love going to conferences is that it really makes me think. Being around some of the best minds in information security, talking to people, listening to their views and re-evaluating my own opinions based on any new information is a big takeaway for me.

For those who were not at SANSFire this year and didn't otherwise follow the Handlers' annual State of the Internet Panel, one of the questions asked of the panel was (and I'm paraphrasing because I can't remember the exact word for word question): "Every year we hear a prediction that this will be the year that mobile malware becomes widespread. Do you think that will happen this year?"

I remember giving some answer along the lines of "Well, we've already had a few examples" and one of the other Handlers cited the malware infested apps that became available (briefly) from the iTunes Store. The panel concluded and we all went about our business but something was nagging me. Something just didn't feel right.

I started talking to a few friends discussing mobile security and then looked at my own devices.

How would I really know if there was malware on my smart phone?

Malware authors have become increasingly good at hiding the presence of malware on infected systems and I didn't have anti-virus on my phone, a problem which has since been corrected. But given the problems with signature-based AV protection, do I really have confidence that I'm protected?

How do we really know that mobile malware is not widespread right now?

Please take a moment and answer the poll that I've posted and if you have some creative ways you're protecting your mobile devices, send them in and I'll post them.
While 130 people is not a statistically large sample we do have some interesting preliminary results.
Of 130 people, only 15 are scanning for malware.
Of those 15, 3 (20%) have detected malware.
If you extrapolate that percentage out to the entire sample, 23 people who responded who do not scan would be infected with malware.
For now, I'm filing that under Things that make you go Hmmmmm.
Christopher Carboni - Handler On Duty

GoDaddy Scam/Phish/Spam, (Mon, Jun 21st)

A number of readers (and myself included) have received an email claiming to be from GoDaddy. The email is grammatically correct, and appears quite genuine. The subject is GoDaddy.com Order Confirmation and interestingly the images within the HTML are pulled from imagesak.godaddy.com, excepting one which came from hxxp://img.securepaynet.net/bbimage.aspx?pl=somecodeandmyemailaddress. The links in the emails I have seen point to hxxp://dextersss-com-ua.1gb.ua/zzx.htm among others. The phishing site and IP address and domain registration are in the Ukraine.
Thanks to Christopher and Dwight!
Cheers,

Adrien de Beaupré

EWA-Canada.com

Father’s Day Tips, (Sun, Jun 20th)

Happy Father's Day to all of the dads out there!
Here's something you can give dear old dad on his special day - sit down with him and walk him through some pointers on how to keep his computer and his personal information safe. If you are over at dad's today spending some time, be sure to give his computer a good tune up while you are there.
Below are some ideas for things to pass along. You might have to do a few of these things for him or perhaps teach him the steps if he's interested. If you've got other tips that would be useful for your dad, please use the comment feature at the bottom to add to the list.
Dad's Computer

1. Keep it updated, which means the operating system, any programs he has installed, and most importantly his antivirus software. Turn on the auto-update feature and let his computer take care of updating itself automatically. Be sure to reboot if it asks you to.

2. Uninstall any software that dad does not use. Old programs often have security problems, and if dad's not going to use an application anymore, why not free up the space on his hard drive while at the same time making his computer more secure?

3. Make sure that his screen-saver requires a password to reactivate. Too often (particularly in shared environments with family members or office mates) a creative friend might send embarrassing emails from dad's computer or might accidentally download malicious software.

4. If dad has a laptop, be sure that the built-in disk encryption feature is running. This will protect him should his laptop be stolen. Also, invest in a cable lock so that his laptop can be physically secured while he's temporarily away from the computer. Laptops can be stolen in just a few seconds.



Dad's Websites

5. Warn dad to be careful with what he puts on social networking sites about himself, his friends, and his co-workers. Remember once on the Internet, always on the Internet, especially photographs.

6. Show him how to use website passwords that are complex but easy for him to remember. Tell him that, if possible, he should use a passphrase rather than a password: something like "Thisismybankpassw0rd" is much harder to crack or guess than "75yt*$AS" (20 characters versus 8 characters).

7. Remind dad to pay close attention to where he is online. Many phishing sites appear to be legitimate, but if he looks closely at the address bar he may see that he is not really at his bank or the site that he thought he was going to. Think twice before entering any personal information at a new web site: does this company really need to know the things it is asking for?



Dad's Personal Information

8. Be very careful with peer-to-peer (P2P) or file-sharing programs. They should never be used on office computers, and if dad has them at home, pay close attention to which parts of his hard drives are shared with others by these programs. Under no circumstances should he put office information on his personal computer, especially if he uses P2P software at home to share files with his friends.

9. If dad uses reply-to-all in emails, remind him to check each of the email addresses to make sure he knows where his email is going. Also, tell him to BE VERY CAREFUL if he replies to a posting from a listserver or online group: his reply may go to the entire group rather than just the person he thought he was writing back to.

10. Dad should know who to call or contact if he thinks he has become a victim of online crime. Events happen fast online and he often will not have much time to call for help before it is too late. In addition, show him how to keep a backup copy of all of his personal information (passwords, credit card numbers, bank account information, emergency phone numbers, etc.) on a physical piece of paper that is locked in a fireproof container.

Marcus H. Sachs

Director, SANS Internet Storm Center

DNS Sinkhole ISO Available for Download, (Sat, Jun 19th)

In January, I posted a diary on how to configure a basic DNS Sinkhole using BIND. Last week, during the SANSFire conference, I gave a talk on DNS Sinkhole and made an ISO available for download. It is a ready-to-install DNS Sinkhole server for those who would like to test and/or deploy one in their network as an internal forwarder. I also indicated that inserting a DNS sinkhole in a network is like putting a NIDS/NIPS inline with potentially several thousand signatures (DNS domains). After you have loaded your DNS sinkhole list, it hijacks the clients' DNS requests to known malicious sites, responding with an IP address you control instead of the true address. It could also be used to enforce corporate policies (hacking, adult, gaming, social, etc.) with the creation of separate sinkhole lists.
However, for maximum efficiency, it is important to only allow the DNS Sinkhole server to forward outbound requests (block all other outbound DNS requests from internal servers/clients); otherwise, there are known cases where malware has been coded with its own DNS server/changer to evade detection. Handler Bojan Zdrnja posted a diary here regarding this type of evasion.
The installation document is located in the rel_note directory of the CD and is available online here. This document provides all the information needed to install and configure the server. There are two ISOs available for download:
- a 32-bit version can be downloaded here

- a 64-bit version can be downloaded here
The script to load the sinkhole list is located in the /root/scripts directory and is called sinkhole_parser.sh. This script contains a menu to download from 3 lists (Malware Domain Blocklist, ZeuS tracker and Malware Threat Center SRI). Any of these lists can be commented out in the script. They are merged, parsed and duplicates are removed to create a single list of 20,000+ sites. The sites are saved in a file in /var/named/site_specific_sinkhole.conf which can be loaded via the script into the DNS Sinkhole (the server supports either BIND or PowerDNS; see the release notes for configuration). I may add other lists to the script later.
Warning: If you are using any of the above lists, there is always the possibility that a site that you do business with may have been added to the sinkhole list because it has been detected serving malware.
There are various ways to capture the sinkhole data, such as setting up a web server, IDS alerts, netflow, etc., to find which clients were redirected to the sinkhole as a sign of system compromise.
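As an added example (not the diary's sinkhole_parser.sh), this Python merges three constructed list snippets in different formats the way the script above is described as doing: it normalizes names, removes duplicates, drops any domain on a business allowlist (the caveat in the warning above), and emits BIND zone statements. The zone statement form and the /var/named/sinkhole.zone path are assumptions, not the diary's actual file format.

```python
"""Merge domain blocklists into one deduplicated BIND sinkhole configuration.

Added example, not the diary's sinkhole_parser.sh. The feed texts are constructed stand-ins
for differently formatted lists; the zone statement and zone file path are assumptions.
"""
import re

FEED_PLAIN = """# one domain per line; case and trailing dot vary
bad-example.test
Bad-Example.test.
"""
FEED_HOSTS = """127.0.0.1 evil-example.test
127.0.0.1 bad-example.test
0.0.0.0   localhost
"""
FEED_CSV = """malware-c2.example;2010-06-19
partner-shop.test;2010-06-18
"""
# Domains you do business with that must never be sinkholed (the diary's warning).
ALLOWLIST = frozenset({"partner-shop.test"})
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def normalize(token: str):
    """Lower-case, strip the trailing dot, reject anything that is not a plausible hostname."""
    name = token.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or labels[-1].isdigit() or not all(LABEL.match(l) for l in labels):
        return None  # bare IPs, single labels and junk are dropped
    return name


def extract_domains(text: str):
    """Yield domain names from plain, hosts-file style and ';'-separated list lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        token = line.split()[-1].split(";")[0]  # last whitespace field, first ';' field
        if token == "localhost":
            continue
        name = normalize(token)
        if name:
            yield name


def merge_feeds(feeds, allowlist=frozenset()):
    """Union of all feeds, duplicates and allowlisted names removed, sorted for stable diffs."""
    merged = set()
    for text in feeds:
        merged.update(extract_domains(text))
    return sorted(merged - set(allowlist))


def bind_zone_statements(domains, zone_file="/var/named/sinkhole.zone"):
    """One BIND 'zone' statement per domain, all served from a shared sinkhole zone file."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)
```

Running `bind_zone_statements(merge_feeds([FEED_PLAIN, FEED_HOSTS, FEED_CSV], ALLOWLIST))` yields three zone statements; the duplicated and allowlisted names are gone.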


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

IMPORTANT INFORMATION: Distributed SSH Brute Force Attacks, (Fri, Jun 18th)

Based on an analysis of the logs for my SSH honeypot, it appears that this latest spate of SSH brute force attacks is using keyboard-interactive authentication, rather than the standard password authentication.

2010-05-21 19:29:11+0000 203.185.xxx.xxx trying auth password
2010-05-23 19:31:57+0000 200.175.xxx.xxx trying auth password
2010-05-25 01:02:57+0000 122.155.xxx.xxx trying auth password
2010-05-25 01:09:06+0000 75.156.xxx.xxx trying auth none
2010-05-25 01:09:07+0000 75.156.xxx.xxx trying auth password
2010-05-25 05:08:07+0000 68.40.xxx.xxx trying auth password
2010-05-29 14:39:51+0000 122.226.xxx.xxx trying auth password
2010-06-02 06:27:31+0000 217.25.xxx.xxx trying auth password
2010-06-03 11:32:22+0000 62.83.xxx.xxx trying auth none
2010-06-03 11:32:24+0000 62.83.xxx.xxx trying auth password
2010-06-11 08:44:52+0000 222.173.xxx.xxx trying auth password
2010-06-11 15:42:46+0000 220.163.xxx.xxx trying auth password
2010-06-13 22:14:15+0000 67.228.xxx.xxx trying auth password
2010-06-15 01:21:39+0000 211.254.xxx.xxx trying auth password
2010-06-15 02:09:01+0000 202.98.xxx.xxx trying auth password
2010-06-15 19:53:49+0000 89.128.xxx.xxx trying auth none
2010-06-15 19:53:51+0000 89.128.xxx.xxx trying auth password
2010-06-15 20:10:45+0000 89.133.xxx.xxx trying auth password
2010-06-16 18:20:54+0000 165.98.xxx.xxx trying auth keyboard-interactive
2010-06-16 18:33:35+0000 64.122.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:05:53+0000 59.124.xxx.xxx trying auth password
2010-06-16 19:06:47+0000 220.73.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:28:54+0000 219.159.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:47:52+0000 80.94.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:57:57+0000 203.15.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:18:00+0000 119.161.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:27:40+0000 82.91.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:47:02+0000 190.12.xxx.xxx trying auth keyboard-interactive
2010-06-16 21:27:00+0000 200.40.xxx.xxx trying auth keyboard-interactive
2010-06-17 16:59:36+0000 210.82.xxx.xxx trying auth password

Understand: If you have disabled password authentication in your ssh_config by uncommenting the line:

PasswordAuthentication no

that *WILL NOT* protect you against this latest round of attacks.

In order to disable keyboard-interactive logins, you must also uncomment the line:

ChallengeResponseAuthentication no

NOTE: DO NOT DO THIS unless you understand what you're doing and know that it will not break anything (I don't want a bunch of emails saying I got in trouble because I did what Liston said...)

To test if your server is configured correctly, log in using the command line version of ssh with the -v option. That will spit out a whole bunch of debugging information. The important line is this:

debug1: Authentications that can continue: publickey,password,keyboard-interactive

If you see something like that, then you're not only vulnerable to standard password brute force attacks, but this newer keyboard-interactive attack as well.
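As an added example (not from the diary), this Python checks the two settings above in an sshd configuration (the server-side file, sshd_config on most systems) and parses the "Authentications that can continue" line from ssh -v output; the config snippets and debug line are constructed, and it assumes OpenSSH's documented defaults of yes for both keywords, first-value-wins semantics, and that settings after a Match block are conditional.

```python
"""Check whether an sshd config still leaves password or keyboard-interactive auth enabled.

Added example, not from the diary. Config snippets and the ssh -v line are constructed.
Assumed: OpenSSH's documented defaults (yes for both keywords); sshd keeps the first
value given for a keyword; lines after a Match block apply only to matching clients.
"""

DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes"}

# Constructed: the half-fixed config the diary warns about, and the corrected one.
CONFIG_PASSWORD_ONLY_OFF = """# sshd_config
PasswordAuthentication no
#ChallengeResponseAuthentication no
"""
CONFIG_BOTH_OFF = """PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""  # the third line is ignored by sshd because the first value wins
SSH_DEBUG = "debug1: Authentications that can continue: publickey,password,keyboard-interactive"


def parse_sshd_config(text: str) -> dict:
    """keyword (lower-cased) -> first effective value, ignoring comments and Match blocks."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # conditional section; global settings are all above this point
        if key == "kbdinteractiveauthentication":  # newer OpenSSH name for the same keyword
            key = "challengeresponseauthentication"
        seen.setdefault(key, value)
    return seen


def interactive_auth_enabled(config_text: str) -> dict:
    """Which of the two brute-forceable methods this config still allows."""
    cfg = parse_sshd_config(config_text)

    def enabled(keyword):
        return cfg.get(keyword, DEFAULTS[keyword]) == "yes"

    return {"password": enabled("passwordauthentication"),
            "keyboard-interactive": enabled("challengeresponseauthentication")}


def offered_methods(debug_output: str) -> set:
    """Server-offered methods from the 'Authentications that can continue' line of ssh -v."""
    marker = "Authentications that can continue:"
    for line in debug_output.splitlines():
        if marker in line:
            return set(line.split(marker, 1)[1].strip().split(","))
    return set()
```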



Tom Liston

Handler - SANS Internet Storm Center

Senior Security Analyst - InGuardians, Inc.