Wednesday and no scheduled meetings. Time to play catch-up!
Here’s the list for today:
Communicating outside your (security) culture – It’s not an easy task to explain risk to someone who doesn’t already know about it.
A little while back I was talking with my six year old, and said six year old asked me “What is risk?”. I realized I didn’t have an answer that was one or two sentences. In fact, I didn’t have an answer that I thought would really get the idea across, though after going through several tries I think I got the idea across. The hardest part was finding a common frame of reference to build on. And yes, I was a bit dismayed that I didn’t have one or two sentences to communicate an idea that is a basic part of Information Security to someone who didn’t know anything about it.
Evaluating malware from a network perspective – Good find, process, and reporting.
Today while looking through my HIPS log like a good sec analyst, I see an interesting event logged on one of the hosts. The file c:windowssystem32wbemunsecapp32.exe (MD5: 60f8ea044b96b7ae8c1a55571d7e2c70) tried to contact 211.22.66.246 on port 7654. Google searching for the file name produced little help beyond this (the fact that AhnLab’s AV engine didn’t detect this one leads me to believe it’s a relatively new variant)
RSA public keys are not private – I’ve never thought of RSA as being insecure until now.
RSA is an extremely malleable primitive and can hardly be called “encryption” in the traditional sense of block ciphers. (If you disagree, try to imagine how AES could be vulnerable to full plaintext exposure to anyone who can submit a message and get a return value of “ok” or “decryption incorrect” based only on the first couple bits.) When I am reviewing a system and see the signing operation described as “RSA-encrypt the signature with the private key,” I know I’ll be finding some kind of flaw in that area of the implementation.
wsus 3 released – Never used it but I’ll have to give it a try.
WSUS 3.0 has been released. I’m bouncing this link over where I found it, The Sean Blog, since he made a nice list of the pertinent downloads. If you don’t know WSUS or don’t use it and don’t do anything special for Windows patch management, you should really look into WSUS. It does one set of tasks and does it very well.
VNC ‘scans’ with windows size of 55808 – I haven’t seen it…have you?
One of our readers wrote in with the following:
“Over the last couple days I’ve noticed a different type of 5900/TCP (VNC?) portscan/attack. Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS. The filter is patterned after: Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU’s in the US and Taiwan.”
Is this really such an issue, something you should be concerned about when performing IR or conducting an investigation? Let me add some perspective…not long ago, I examined a worm that had infected several systems, and it created an entry for itself in the RunOnce key; the entry was prepended with a “*”. Does anyone get the significance of that?