Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New Exploits and Vulnerabilities; tcp/445 Wrap-up; 40 Million Credit Cards; HP .gif; Geek Wall Art

Published: 2005-06-24
Last Updated: 2005-06-25 11:18:00 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

New Exploits and Vulnerabilities

published another exploit for a recent Microsoft vulnerability. Also, the added two new exploits to the Framework. published a new vulnerability in RealPlayer that allows for remote code execution. Not to be left out, published a vulnerability in their VPN 3000 Concentrator.

tcp/445 Wrap-up.

Based on Handler Mike Poor's request, several readers sent us their thoughts on the recent spike in tcp/445 traffic. The general consensus seems to be that there was no wide-spread Internet attack or scans. Others postulated that some locations might have been victims of "routine" scans on ports that are listed in the monthly Microsoft security advisories. Another thought was that what Symantec (and later the US-CERT and Gartner) reported was really based on increased bot activity. Regardless, we did not see any significant increases in the DShield database on tcp/445 but will continue to monitor the situation. (One footnote, a reader suggested that DShield might show a temporary rise as sensors begin to monitor tcp/445 at the request of the Internet Storm Center. Let's see what happens.)

40 Million Credit Card Thoughts

If you recall, last Friday a big story hit the wires about the exposure of 40 million credit card accounts at the Tucson office of
, a company that processes transactions on behalf of merchants and financial institutions. According to news reports, "only" 200 thousand or so accounts were actually exported by an automated tool that had access to the entire 40 million accounts. We received several notes from readers offering ideas about what happened and I'd like to dig a little deeper into one of the emails sent our way.

Dr. Neal Krawetz of
said on Saturday (June 18th) that he felt the compromise at CardSystems was just the most recent in a sudden increase of financial exploit reports. In the last five months he says there have been seven large compromises that we know of:

- February 2005: Bank of America lost tapes containing data for 1.2
million federal employees

- May 2005: Time Warner lost information for 600,000 employees; Insiders
at Bank of America and Sumitomo bank compromise accounts

- June 2005: Hackers gained access to about 600 customers at Equifax
Canada; CitiFinancial blamed UPS for losing backup data; and the
most recent CardSystems compromise

Prior to February, the few compromises made public were not as large and not clustered within a few months. Are these recent attacks related to increased activities of one group or gang? Or are they all coming to light because of new laws that require reporting? Or both?

Dr. Krawetz went on to say that, "at first I was thinking, 'Wow, Sarbanes/Oxley really has people reporting fraud! Wonder what wasn't reported publicly before SOX?' Now I'm wondering if these are all happening at the same time due to an organized group that found a massive weakness in the financial community..."

He continues, "Phishers and spammers generally start with a low attack volume. As they become comfortable, they increase volume and frequency. That seems to match the current pattern with these major financial compromises. Systems and processes are very similar among the financial community, leading to a homogeneous system where one attack vector will likely succeed in compromising many systems. This is why phishers target a variety of similar companies, and spammers offer an assortment of scams."

Finally he offers a conspiracy theory: "Is this the result of a few very professional (and very quiet) groups with a taste for very large compromises (Wow, what a conspiracy theory!) or a few groups that share a common knowledge? I find it hard to believe that 7 events in 5 months (or 6 events in the last 2
months) is coincidence, and copycats generally don't have the needed skill."

We still don't know "who done it" but we have some ideas. It's definitely not an adolescent script kiddie. It's also not a group that hangs out on IRC or other semi-public forums. This group understands OPSEC and is keeping their activities under close guard. I imagine that they are a bit miffed that they got caught and are taking extreme measures to prevent future detection.

Have you noticed the dramatic drop in Internet worms and viruses (except for the bots) in the past year? We have, and so have many other security experts. This is unnerving in that most of the current security protection tools are optimized for 1990s-style attacks. New attack methods slice right through firewalls, intrusion detection systems, and host-based defenses like anti virus software. We are beginning a new chapter in Internet history and I don't like the way this one is starting.

HP .gif

A reader asked if we knew what the purpose of the image at was for. He has a machine that requests that image every 30 seconds or so. We think it might be some HP software calling home to mama, but are curious if others are seeing this and have any ideas. If you do, please send them using our contact form at .

Geek Wall Art

One of our readers noted that the walls around his work area are devoid of art. He asked if perhaps the Internet Storm Center readers could suggest something to cover up the cracks in the plaster. So what is hanging on your server room (or cubicle) walls? Anything cool or unique? Let us know and we'll publish a list of the good ones later this weekend if the Internet doesn't crash. Matrix posters and SANS Roadmap charts don't count. We know that everybody has those. :)

Marcus H. Sachs

Director, SANS Internet Storm Center

Handler of the Day

0 comment(s)
Diary Archives