Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-30 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Who needs .info/.biz, anyway ? ; Cisco IPV6 vuln ; NIST minimum security requirements

Published: 2005-07-30
Last Updated: 2005-07-30 21:26:40 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Who needs .info/.biz, anyway ?



After spending a couple of hours following up on a malware incident late Friday night, I have come to the conclusion that ICANN could do us all a tremendous favor by pulling the .info and .biz Top Level Domains (TLDs). It strongly looks to me as if 98% of all domains underneath these two TLDs belong to nefarious web sites in one of the countries-where-ISPs-ignore-all-complaints (CWIIAC).



Some companies have started to zapp all access to .biz and .info, and to white-list those that the users really need (www.mta.info being near the top of this list if your shop is near NYC). If you are not white-listing yet, here's a couple URLs which, in my personal opinion, you might want to consider adding to your blacklist:


*.komforochka.info
*.dlyasvobornyx.biz
*.all-answers.info
*.iframeprofit.biz
*.total-search.info
*.our-counter.biz

While you're at it, you might want to check your logs for access going to hXXp://195.225.176.25. This site is a particular "friend" of mine, it has been around since February or so, and is of course located in one of the CWIIAC. Currently, the site is serving up IE exploits from hXXp://195.225.176.25/user.scripts/u217/dir38500256.cgi, but I wont be surprised if this URL has already been shifted by now. The site itself and the exploits it contains will likely stay, though, as long as Ukraine is among the CWIIAC.



Time Zone & DST



As one more proof that sysadmins do not need additional time zone confusion, Johannes Ullrich has checked the submissions to DShield. Most of the submissions that can be verified are right on time - those that aren't, though, are not off by measly minutes, they are off by n*60 minutes, hence entire Timezones. See http://isc.sans.org/timeshiftgraph.php for a glimpse of pure timezone joy.

Cisco IPV6 Vulnerability



Cisco have updated their advisory today, see http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml . The advisory stresses that the problem cannot be exploited from more than one hop away, but I'm not quite sure I would bet too much on that one if my routers had IPv6 turned on. Carefully checking the list of vulnerable IOS releases and patching if necessary sure sounds like the better strategy than to wait until somebody shows that the attack also works across "one hop" for disconcertingly large values of "one".

NIST Minimum Security Requirements Paper



NIST have put a draft paper on minimum security requirements for federal information systems on the web a couple of days ago: http://www.csrc.nist.gov/publications/drafts/FIPS-200-ipd-07-13-2005.pdf
While not everything in the paper is equally useful, I quite like the section titled "Specifications for Minimum Security Requirements", starting on page 2. A brief but encompassing paragraph touches on 17 areas of importance to Information Security, ranging from (AC) Access Control to (SI) System and Information Integrity. If you're drafting an information security budget or program for next year at the moment, glancing through this list might help you to get your priorities straight.
---------------

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
Keywords:
0 comment(s)
Diary Archives