Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC Internet Storm Center



Latest Diaries

ISC StormCast for Thursday, April 17th 2014 http://isc.sans.edu/podcastdetail.html?id=3939

Heartbleed CRL Activity Spike Found

Published: 2014-04-16
Last Updated: 2014-04-17 01:40:50 UTC
by Alex Stanford (Version: 1)
4 comment(s)

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data.

We have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.
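The counts behind a CRL monitoring page like the one described here come from parsing the CRL itself and bucketing its revokedCertificates entries by revocation date. The following Python script is an added example, not ISC code: it walks a DER-encoded X.509 CRL (RFC 5280 CertificateList) with a small hand-written DER decoder, counts revocations per day, and flags days that stand far above the median as a crude spike test. The CRL it parses is constructed inline (empty issuer Name, all-zero placeholder signature) so the script runs offline; the GlobalSign CRL URL above is not fetched. The script deliberately does not verify the CRL signature, which a real monitor must do against the issuer's certificate before trusting the numbers.

```python
"""Count revocations per day in a DER-encoded X.509 CRL (RFC 5280 CertificateList).

Added example, not ISC code. Uses a minimal hand-written DER walker, so it needs
no third-party modules. It does NOT verify the CRL signature: a real monitor
must check signatureValue against the issuer's certificate before trusting counts.
"""
from collections import Counter
from datetime import datetime, timezone

# DER tags used here
INTEGER, BITSTRING, NULL, OID, UTCTIME, GENTIME, SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x17, 0x18, 0x30


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its [(tag, value), ...] children."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTCTIME:                     # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def revocations(crl_der):
    """Yield (serial_number, revocation_datetime) for each revokedCertificates entry."""
    tag, cert_list, _ = der_read(crl_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    fields = der_children(der_children(cert_list)[0][1])   # tbsCertList fields
    i = 1 if fields[0][0] == INTEGER else 0                # optional version
    i += 3                                                 # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        i += 1                                             # optional nextUpdate
    if i < len(fields) and fields[i][0] == SEQUENCE:       # revokedCertificates present
        for _, entry in der_children(fields[i][1]):
            (_, serial), (time_tag, when) = der_children(entry)[:2]
            yield int.from_bytes(serial, "big", signed=True), parse_time(time_tag, when)


def revocations_per_day(crl_der):
    """Map 'YYYY-MM-DD' -> number of certificates revoked on that day."""
    return Counter(when.strftime("%Y-%m-%d") for _, when in revocations(crl_der))


def spike_days(per_day, factor=10):
    """Crude spike test: days with at least `factor` times the median daily count."""
    counts = sorted(per_day.values())
    median = counts[len(counts) // 2]
    return sorted(day for day, n in per_day.items() if n >= factor * median)


# --- constructed sample CRL (encoder side), so the script runs offline ---------------
def der(tag, content):
    """Encode one TLV with a DER definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(v):
    # one spare bit so non-negative values never get a leading 1 bit
    return der(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_utc(dt):
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(entries, this_update):
    """Unsigned CRL with an empty issuer Name and an all-zero placeholder signature."""
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    revoked = der(SEQUENCE, b"".join(der(SEQUENCE, der_int(s) + der_utc(t)) for s, t in entries))
    tbs = der(SEQUENCE, der_int(1) + sha256_rsa + der(SEQUENCE, b"") + der_utc(this_update) + revoked)
    return der(SEQUENCE, tbs + sha256_rsa + der(BITSTRING, b"\x00" * 33))


UTC = timezone.utc
# Constructed data: a few routine revocations, then a burst of 50 on 2014-04-15.
SAMPLE_ENTRIES = [(0x1001, datetime(2014, 4, 10, 9, 0, tzinfo=UTC)),
                  (0x1002, datetime(2014, 4, 11, 10, 0, tzinfo=UTC)),
                  (0x1003, datetime(2014, 4, 11, 11, 30, tzinfo=UTC)),
                  (0x1004, datetime(2014, 4, 12, 8, 0, tzinfo=UTC)),
                  (0x1005, datetime(2014, 4, 13, 12, 0, tzinfo=UTC))]
SAMPLE_ENTRIES += [(0x2000 + i, datetime(2014, 4, 15, i % 24, i % 60, tzinfo=UTC)) for i in range(50)]
SAMPLE_CRL = build_sample_crl(SAMPLE_ENTRIES, datetime(2014, 4, 16, 0, 0, tzinfo=UTC))

if __name__ == "__main__":
    per_day = revocations_per_day(SAMPLE_CRL)
    for day in sorted(per_day):
        print(day, per_day[day])
    print("spike days:", spike_days(per_day))
```

To run it against a real CRL, read the downloaded `.crl` file as bytes and pass it to `revocations_per_day`; entries carrying crlEntryExtensions (for example a reason code) are handled because only the first two fields of each entry are read. The median-based spike test is intentionally simple: a production monitor would compare against a longer baseline and also watch thisUpdate/nextUpdate to notice stale or skipped CRL publications.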

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

-- 
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center


WinXP and/or Win2003 systems hanging because of a faulty SC Forefront Endpoint Protection update

Published: 2014-04-16
Last Updated: 2014-04-16 17:48:19 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Reader Philipp reported today a bug affecting his remaining Windows XP machines and Windows 2003 servers. It seems that all Windows XP and Windows 2003 machines with SC Forefront Endpoint Protection definition update 1.171.1.0 and later are affected. You might want to test definition update 1.171.64.0, as we have received reports stating that it fixes the problem. However, we have not yet seen any official statement from Microsoft regarding this issue.

If you disable Forefront because it is preventing your machine from working, please put other controls in place that minimize the associated risk. Otherwise, your computers could be compromised very easily.

We also receive questions about which AV is the best. Since the answer depends on the company and the information security assets involved, you might want to check the Magic Quadrant for Endpoint Protection from Gartner Group and work out for yourself what the best answer is for your company. If you want to read the entire report, you can get it from McAfee or Computerlinks.

We will update this diary if more information becomes available.

More information available at:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Oracle Critical Patch Update for April 2014

Published: 2014-04-16
Last Updated: 2014-04-16 13:07:05 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Oracle released its quarterly Critical Patch Update (CPU) yesterday [1]. As usual, the number of patches is quite intimidating. But remember that these 104 fixes apply across the entire Oracle product range.

Some of the highlights:

CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.

37 new patches for Java SE, 35 of which allow remote code execution as the user running the Java applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)").

4 of the Java vulnerabilities have a base CVSS score of 10, indicating not only full remote code execution but also easy exploitability.

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: oracle patch
