
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-03 InfoSec Handlers Diary Blog



(Update #Last : 23:00GMT) Cisco! Pancho!; MetaMetasploit?; BrightStor Exploits/Scanner; It Takes a Village...; Mystery; GHH

Published: 2005-08-03
Last Updated: 2005-08-03 22:53:56 UTC
by Tom Liston (Version: 1)
Prologue: There isn't going to be a "Bouncing Malware" installment today. I've been mighty busy over the last week or so (anyone want to come help me sand the peeling stain off my deck?) and I've not had time to work on one. Soon. I promise.



Cisco CCO Password Issue


Ever have one of those days? Looks like Cisco is having one of those months... It appears that something has happened to compromise the passwords for their Cisco Connection Online service. What exactly happened? Cisco isn't saying.


Attempting to log into CCO brings up the following terse message:

IMPORTANT NOTICE:
* Cisco has determined that Cisco.com password protection has been compromised.
* As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
* If you do not receive your new password within five minutes, please contact the Technical Support Center.
* This incident does not appear to be due to a weakness in Cisco products or technologies.


<crude_sarcasm> Note: I do, indeed, know what caused this issue, but I've been enjoined from disclosing it until next year's Black Hat. </crude_sarcasm>


Gotta love that last bullet point... It reinforces that old security maxim: All the technology in the world won't save you from doing something dumb.


Update: A tip o' the always stylish Handler-On-Duty propeller beanie goes out to Scott who wondered whether Cisco is having Pancho check for differences in the "From:" and "Reply-To:" addresses on messages to cco-locksmith@cisco.com before sending out a password. He is...
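The "From:" versus "Reply-To:" question above is worth seeing as an actual check. The following is an added example of how a mail-driven password responder could gate a reset; it is not Cisco's code, and the registered address, the sample messages and the address names in it are constructed for the example. A request is approved only when the From address matches the address on file and any Reply-To header present agrees with From, so a reset cannot be steered to a different mailbox by adding a Reply-To.

```python
"""Hypothetical server-side check for a 'mail me a new password' responder.

Added example modelled on the cco-locksmith@cisco.com flow described in the
diary; it is not Cisco's code. The sample messages below are constructed.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr


def _addr(header_value):
    """Extract and normalise the bare address from a header value (None if absent)."""
    if header_value is None:
        return None
    _name, addr = parseaddr(str(header_value))
    return addr.lower() or None


def reset_decision(raw_message, registered_address):
    """Return (approved, reason) for one password-reset request mail.

    registered_address is the address the account holder gave at registration
    (constructed here; a real responder would look it up per account).
    """
    msg = message_from_string(raw_message, policy=default)
    sender = _addr(msg["From"])
    reply_to = _addr(msg["Reply-To"])
    registered = registered_address.lower()

    if sender is None:
        return False, "missing From header"
    if sender != registered:
        return False, "From does not match registered address"
    # A Reply-To that points somewhere else is the cheap way to redirect the
    # reply; refuse rather than honour it.
    if reply_to is not None and reply_to != sender:
        return False, "Reply-To differs from From"
    return True, "send new password to %s" % sender


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Alice Example <alice@example.net>\r\n"
    "To: cco-locksmith@cisco.com\r\n"
    "Subject: \r\n"
    "\r\n"
)
REDIRECTED = (
    "From: alice@example.net\r\n"
    "Reply-To: mallory@example.org\r\n"
    "To: cco-locksmith@cisco.com\r\n"
    "\r\n"
)
WRONG_SENDER = (
    "From: bob@example.net\r\n"
    "To: cco-locksmith@cisco.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("redirected", REDIRECTED), ("wrong sender", WRONG_SENDER)):
        print(label, reset_decision(raw, "alice@example.net"))
```

The check only closes the lazy route: the From header of an SMTP message is itself trivially forgeable, so a responder that mails a new password to whatever From says is still trusting an unauthenticated claim. Sending the password to the address on file rather than to any header in the request is what actually matters; the Reply-To comparison just keeps the responder from being talked into addressing the reply elsewhere.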


Follow the Bouncing... uh... ummm... Vulnerability?


Yesterday, we reported that there was a recently announced vulnerability in (can you say "ironic"?) Metasploit.


When we reported it, it was a vulnerability.


Then it wasn't....


Seems that the issue wasn't in Metasploit itself, but could be triggered if a vulnerable third-party terminal program was used along with Metasploit.


In keeping with Liston's Third Law ("The amount of Irony in the universe is a constant"), another real vulnerability popped up to take its place. It seems as though there is an issue in MSFWeb (the Metasploit Framework Web interface) that could allow for unauthorized access. Either run "msfupdate" or wait for version 2.5.0. (Thanks Gilles!)

ARCserve BrightStor Exploits/Scanner


Bringing forward this note from an early update to yesterday's diary 'cause it's important...:



If you haven't already patched your BrightStor ARCserve Backup software, now would be a really good time. At least three different exploit codes and the code for a scanner have now been released. Links to patches can be found in . Here is how CA rates this vulnerability:



Threat Assessment

Overall Risk: High
Impact: Critical
Popularity: Medium
Simplicity: Medium

If you don't think the kiddies are jumpin' on this one, the spike in port 6070 activity.


(Thanks Lorna!)
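The port 6070 spike mentioned above is the kind of thing that is easy to spot in your own firewall logs once you look for it. Below is an added example (not ISC or CA code) that counts distinct source addresses hitting one destination port per hour and flags hours that stand well above the rest of the log. The log line format and every sample line are constructed for the example; adjust the regular expression to whatever your firewall actually writes.

```python
"""Added example: flag an hour-level surge in connection attempts to one TCP
port (6070 here, the port the diary notes) in firewall deny logs.
Not ISC or CA code; the log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed format: "<ISO timestamp> DENY TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} DENY TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def sources_per_hour(lines, port):
    """Map each hour (YYYY-MM-DDTHH) to the set of distinct sources that hit `port`.

    Distinct sources, not raw hits, so one noisy host does not look like a wave.
    Lines that do not parse or target another port are skipped.
    """
    hours = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("dport")) != port:
            continue
        hours[m.group("ts")].add(m.group("src"))
    return hours


def spike_hours(lines, port, min_sources=3, factor=3.0):
    """Return the hours whose distinct-source count is at least `factor` times
    the median of the other hours in the log and at least `min_sources`.

    The baseline is taken from the log itself, so a few quiet hours of history
    are enough; a single noisy hour cannot inflate its own baseline because it
    is excluded when computing the median it is compared against.
    """
    per_hour = {h: len(s) for h, s in sources_per_hour(lines, port).items()}
    flagged = []
    for hour, n in per_hour.items():
        others = sorted(v for h, v in per_hour.items() if h != hour)
        if not others:
            continue  # nothing to compare against
        baseline = others[len(others) // 2]  # median of the remaining hours
        if n >= min_sources and n >= factor * max(baseline, 1):
            flagged.append(hour)
    return sorted(flagged)


# Constructed sample log: three quiet hours, then a burst from several hosts.
SAMPLE_LOG = [
    "2005-08-03T09:12:01 DENY TCP 198.51.100.7:41000 -> 203.0.113.5:6070",
    "2005-08-03T10:30:44 DENY TCP 198.51.100.8:41001 -> 203.0.113.5:6070",
    "2005-08-03T11:05:09 DENY TCP 198.51.100.9:41002 -> 203.0.113.5:6070",
    "2005-08-03T11:06:10 DENY TCP 198.51.100.9:41003 -> 203.0.113.5:445",  # other port
    "2005-08-03T12:01:00 DENY TCP 192.0.2.10:5000 -> 203.0.113.5:6070",
    "2005-08-03T12:01:02 DENY TCP 192.0.2.11:5001 -> 203.0.113.5:6070",
    "2005-08-03T12:01:03 DENY TCP 192.0.2.12:5002 -> 203.0.113.5:6070",
    "2005-08-03T12:01:05 DENY TCP 192.0.2.13:5003 -> 203.0.113.5:6070",
    "2005-08-03T12:01:06 DENY TCP 192.0.2.13:5004 -> 203.0.113.5:6070",  # repeat source
    "2005-08-03T12:01:07 DENY TCP 192.0.2.14:5005 -> 203.0.113.5:6070",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hour, srcs in sorted(sources_per_hour(SAMPLE_LOG, 6070).items()):
        print(hour, len(srcs), "distinct sources")
    print("spike hours:", spike_hours(SAMPLE_LOG, 6070))
```

With the constructed log the 12:00 hour is flagged (five distinct sources against a baseline of one per hour) and the lone 445 hit is ignored. On a real sensor the useful follow-up is the same as the diary's point: a rise in distinct sources probing a backup-agent port after exploit code is public is a patch-now signal, not something to wait out.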

It Takes a Village...



Just yesterday, I received a canned message from a vendor:



"Hey, I'm updating my address book. Please take a moment to update your latest contact information. Your information is stored in my personal address book and will not be shared with anyone else. Plaxo is free, if you'd like to give it a try."



This was followed by a listing of my contact information that he'd sent to Plaxo and a link where I could sign up for his wonderful free service too.



No, I'd rather not, thank you.



Over the past few years, I've noticed the rising tide of online "communities." And like some sort of unholy sludge, they've increasingly been floating across the Internet and seeping their way into my inbox.



Stop it.



Stop it now.



Both Plaxo and the recently discovered (for me) sms.ac entice users to "import and invite" their contacts. They make it easy, giving the clueless noobs step-by-step instructions on how to upload the contents of their contact lists.



Don't.



Just don't.



If you happen to have someone's contact information, that person gave that contact information to you. If they wanted their information given to Plaxo or sms.ac, they would give it to them. Do you go around posting your friend's phone numbers on bathroom walls? Do you walk up to strangers on the street and give them Aunt Mildred's P.O. Box? How about your teenage daughter's IM identity?



Needless to say, Mr. Vendor (and his boss) got a quick phone call from me, wherein I pointed out my belief that some village somewhere must be missing its idiot.



Don't follow in his footsteps. Your village needs you...

...Workin' On Mysteries Without Any Clues...


Not as strange and mysterious as what you might find in the back of a '60 Chevy:



11001111.101110.11111000.11101010



but interesting nonetheless.



(w/apologies to Mr. Seger)


Google Hack Honeypot


Interesting concept. Check it out.



--------------------------------------------------------------------------

Tom Liston - Intelguardians Network Intelligence, LLC

http://www.intelguardians.com