Archive for the ‘ISC’ Category

Security people shouldn’t pay the “spam support system” for email lists to send SPAM, (Tue, May 25th)

Yes, this is a pet peeve of mine. I am not going to out the various security companies that do this, but when I get SPAM from a security company I often report them to their ISP for AUP violation and attempt to educate the SPAMMER who sent the SPAM.

I recently replied to one of the many such SPAMs I received.

They were advertising a Security Risk Management Summit taking place in Washington, DC.

I asked how they got my email address and was told they buy their lists from various sources. I explained that by buying those lists they were feeding the spam support system. They didn't respond to that comment, so either they already knew and don't care, or they felt it was justifiable.

I recommended that they ONLY use double opt-in lists (ones that you opt in to and then receive a verification email, to ensure someone else didn't opt you in).

They did provide an opt-out option and, when confronted, stated that they were CAN-SPAM compliant. If you're a security company and you send me SPAM, expect me to respond and request termination of your service for AUP violation!





(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Facebook “joke” leads to firing, (Tue, May 25th)

From:
http://www.news.com.au/breaking-news/firing-dispatcher-for-facebook-drug-joke-was-right-wisconsin-council-claims/story-e6frfku0-1225870794794



A city council in Wisconsin defended its decision to fire a Police and Fire Department dispatcher who joked about drug addiction on her Facebook page.

The arbitrator said the dispatcher could come back after a 30-day suspension, but the police chief appears to believe her joke was too inappropriate and an embarrassment to the city.

Personally, this seems a bit extreme; however, social networking users should be aware that investigating employees' Facebook pages is becoming more common.






Oracle Java SE and Java for Business ‘MixerSequencer’ Remote Code Execution Vulnerability, (Sun, May 23rd)

SecurityFocus has published Bugtraq ID 39077, a vulnerability in Java SE and Java for Business which allows attackers to execute code remotely in the context of the user running the affected application.
Read the publication here: http://www.securityfocus.com/bid/39077
There is a great blog post explaining the technical details. Read it here (by Peter Vreugdenhil): http://bit.ly/aM1J01
The solution is to update Java to a non-vulnerable version. Please read http://www.securityfocus.com/bid/39077/info at the bottom of the page.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name

e-mail scam announcing Fidel Castro’s funeral … and nasty malware to your computer., (Sun, May 23rd)

There are two public broadcast TV stations in Colombia. We received a report that an e-mail is circulating claiming to be from one of the stations and announcing that they have the video of Fidel Castro's funeral:

The URL points to a UK server and downloads a nasty little piece of malware written in Visual Basic that changes Windows parameters and collects information from your computer. The trojan used to upload the malware is located in the same directory:

We encourage web server admins to keep security patches up to date and to avoid default configurations on web servers that could allow attackers to upload these kinds of files to your web server. This backdoor is pure PHP and, as you can see, has a lot of useful options.
Please keep in mind also that clicking URL links inside e-mail is dangerous. Always go to the web server by typing the URL yourself.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name

MySQL 5.1.47 is now available – http://www.mysql.com/downloads/mysql/, (Fri, May 21st)

-- Rick Wanner - rwanner at isc dot sans dot org

2010 Digital Forensics and Incident Response Summit, (Fri, May 21st)

One of the big events of the year for digital forensics practitioners and incident responders is coming up quickly. The SANS Digital Forensics and Incident Response Summit takes place in Washington, DC on July 8th and 9th, 2010.
Judging by the reviews from people who attended last year's summit, if you have an interest in digital forensics or incident response, this is the must-attend event of the year.
More info is available over at the SANS Forensics Blog.
The detailed agenda is available from the event page at sans.org.
Even if you can't make it, or you need to be convinced of the value, you can always check out the presentations from the 2008 and 2009 versions of the summit.

-- Rick Wanner - rwanner at isc dot sans dot org

Foxit Reader update http://www.foxitsoftware.com/pdf/reader/whatsnew331.htm, (Fri, May 21st)

-- Rick Wanner - rwanner at isc dot sans dot org

IBM distributes malware at AusCERT!, (Fri, May 21st)

Just in case you were at AusCERT this week and missed the delegate message from IBM.
From the "it can happen to the best of them" department... IBM accidentally distributes malware at AusCERT.

-- Rick Wanner - rwanner at isc dot sans dot org

Is this version of PuTTY legit?, (Thu, May 20th)

A write-in from Andy (thanks Andy!) asking today if http://putty.very.rulez.org/ is a legitimate site to download PuTTY (the popular tool to connect from a Windows box to Unix boxes via Telnet/SSH, etc.).
How did Andy find this site, you ask? Well, if you go to Google and type in PuTTY, you'll notice that the above URL is SEO'ed ABOVE the actual putty.org website.
So far, when I downloaded both versions (from the above site and from putty.org), the MD5s match up, so right now they are legitimate copies. I'm not accusing rulez.org of doing anything inappropriate, don't get that impression. I'm just using an abundance of caution; heck, they may be a legitimate mirror. But as far as I can tell, they aren't on the authorized mirrors list, found here.
So, we prefer that you get your PuTTY downloads from the correct site, putty.org, which, if you click on the download link, redirects you here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
That is the actual download link.
Thanks Andy for writing in and staying vigilant about watching those URLs!
UPDATE: A write-in reminds us that using GPG to verify the packages is preferred. I agree.
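The check described above, as an added example that is not part of the original diary: compare a downloaded file against a digest copied from the authoritative project page (never from the mirror that served the file), and then verify a detached GPG signature with gpg. The file names, digest values and signature paths are constructed placeholders, not real PuTTY values.

```python
# Added example (not from the ISC diary). Digest must come from the project's
# own site; a mirror can publish a matching digest for a tampered file.
# All file names and digests here are constructed placeholders.
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path
from typing import Tuple


def file_digest(path: Path, algo: str = "md5") -> str:
    """Hash the file in 64 KiB chunks so large installers are not read into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path: Path, expected_hex: str, algo: str = "md5") -> bool:
    """True only if the local file hashes to the published digest (case-insensitive,
    constant-time compare)."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.strip().lower())


def verify_signature(path: Path, sig_path: Path) -> bool:
    """Run gpg against a detached signature. The signing key must already be
    imported and its fingerprint checked against the authoritative site;
    returns False if gpg is absent or the signature does not verify."""
    try:
        proc = subprocess.run(["gpg", "--batch", "--verify", str(sig_path), str(path)],
                              capture_output=True, check=False)
    except FileNotFoundError:
        return False
    return proc.returncode == 0


def write_sample(contents: bytes) -> Path:
    """Write a constructed stand-in for a downloaded installer to a temp file."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(contents)
    return Path(f.name)


def demo() -> Tuple[bool, bool]:
    """Constructed run: digest matches for the genuine bytes, fails after a 1-byte swap."""
    expected = "900150983cd24fb0d6963f7d28e17f72"  # md5(b"abc"), the 'published' digest
    good = verify_digest(write_sample(b"abc"), expected)
    bad = verify_digest(write_sample(b"abd"), expected)
    return good, bad
```

A matching digest only proves the mirror served the same bytes the authoritative page describes; the GPG signature check is what ties those bytes to the project's signing key.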

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Bind patches are out, (Thu, May 20th)

Several versions of BIND were updated with patches this morning. The patches, according to the release notes found here, read as follows:
Named could return SERVFAIL for negative responses from unsigned zones.
So if you are running BIND, be sure to update here.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler