Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The Prototype Still Works; Insider Threat Paper; More Keylogging; Translation

Published: 2004-08-26
Last Updated: 2004-08-26 20:51:29 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
The Prototype Still Works After nearly 35 years of continuous service (the first node on the ARPANET was connected on September 2nd, 1969 - anybody throwing a party one week from today?) the experimental prototype network still works. I say "prototype" in reference to a quote that I heard a friend of mine say at DARPA a few years ago concerning the Internet, "Perhaps now it is time to quit experimenting with the prototype and build the real thing." How true! Especially when you consider that today's Internet is largely built on protocols developed in the 1970s. As I tell my students in various SANS classes, we've got to start thinking toward the future and push hard for secure replacements for all of the Internet protocols, including infamous ones like TCP/IP. In 35 years when the 'net is 70, will we still be using SMTP, FTP, telnet, and countless other "ancient" protocols?


Insider Threat Paper The CERT Coordination Center recently published an excellent paper on the insider threat facing banks and other financial institutions. This one is worth a read: http://www.cert.org/archive/pdf/bankfin040820.pdf


More Keylogging We had yet another report of keystroke logging, most likely by a Russian group. The keylogger sends data to an FTP site located in the 216.55.169.0 netblock. This block is assigned to an ISP in San Diego and they've been notified. Check your netflows for activity to this block and investigate if you find anything. Many of the keyloggers we are seeing are using FTP to transfer the captured data, so a simple Snort alert looking for outbound FTP connections or FTP commands might provide an early warning about a hijacked box.


Enough Translations, Thanks! We really appreciate all of the people who sent in translations for what was found in Joe's computer (Follow the Bouncing Malware, part II, http://isc.sans.org/diary.php?date=2004-08-23 .) I think that we've got it nailed down now as:


"Hara Hara Mahadev !!!

tum agar badshah hai to hum eespeek ka yekka!"


Hara Hara Mahadev is a war cry used by Maratha Warriors of old days from the state of Maharashtra in India. One can equate that to the Ranger's Warcry ("Rangers Lead the Way!")


Literally translated, the second line means, "If you are King then I am Ace of Spades."


Thanks, BSD Guy for the translation that makes the most sense.




Marcus H. Sachs

Handler on Duty

Keywords:
0 comment(s)
Diary Archives