No more Bagel, Bagle, Beagle
I knew this was coming but did not realize they were this close to implementation.
US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.
http://www.eweek.com/article2/0,1895,1862266,00.asp
To malware fighters, researchers, and many others this will be a very good thing.
There will be some issues but it will make my job easier.
Patch Mozilla ASAP
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200310
Cisco IOS Firewall vulnerability update.
http://www.cisco.com/en/US/products/products_security_advisory09186a00805117cb.shtml#software
Revision 1.1
2005-September-22
Added 12.2SG, 12.2SEC, and 12.2SXF releases to Software Version and Fixes
Hurricane Rita Scams ALREADY!
Sadly, Hurricane Rita charity scams have already started. Several handlers at the ISC, including Tom Liston and Johannes Ullrich, are working with others, such as US-CERT, on coming up with lists of scam sites.
Watch the diary over the next few days for such a list. Also, if you find a bogus-looking "charity", feel free to report it to us at handlers-rita@sans.org or to US-CERT at soc@us-cert.gov.
Also, you may want to check out our collaborative reporting system to help sort out bogus sites posing as hurricane charities.
Update
Due to an initiative born from the 'mwp' list, a number of domain name registrars, anti-phishing, anti-spam groups and national CERTS are working together to have these sites closed down as fast as possible.
The Red Cross has set up a special email address for reporting suspicious sites: fraudalert@usa.redcross.org
Also, here is a current list of the Red Cross's official donation sites:
http://www.redcross.org/sponsors/donationsites/official_donation_sites.html
You can of course just go to http://www.redcross.org as the starting page if you wish to give to the American Red Cross. That is probably the safest method.
FinCen NOT hacked
The "FinCEN QuikNews" system, a subscriber-based e-mail service that is part of the Financial Crimes Enforcement Network's public website and is hosted externally, appears to have been compromised this morning. We are investigating this incident. This system resides outside FinCEN's security perimeter and is not connected to any other FinCEN systems. Bank Secrecy Act data, and all other sensitive information maintained by FinCEN, was in no way, shape or form compromised by this incident.
To read the rest, go to http://www.fincen.gov/quiknews_statement.pdf
Korean Mozilla and Thunderbird Distro Site Woes
Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected. So, if you use Korean Mozilla or Thunderbird and downloaded the latest versions, you may have been compromised. I suggest a good file integrity check, and perhaps a reinstall of your operating system and applications. Thanks again, Roel, for the clarification.
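The integrity check suggested above only works if the digest you compare against comes from somewhere other than the mirror that served the file (a compromised mirror can serve a matching checksum file just as easily as a trojaned installer), so fetch the manifest from the vendor's own site or a signed announcement. Below is an added example, not code from the diary or from Mozilla, of verifying downloads against a sha256sum-style manifest; the file names and the manifest digests are constructed for the example and are not Mozilla's published values.

```python
import hashlib
import os
import tempfile

# Constructed manifest in "sha256sum" output format (digest, whitespace, name;
# a leading '*' on the name marks binary mode). These digests are NOT Mozilla's;
# the first is simply sha256("hello"), used for both entries so the example
# is reproducible offline.
SAMPLE_MANIFEST = """\
# constructed for the example
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  firefox-1.0.7.ko-KR.tar.gz
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 *thunderbird-1.0.7.ko-KR.tar.gz
"""


def parse_sha256sums(text):
    """Parse sha256sum-style lines into {filename: hexdigest}. Blank and '#' lines are skipped."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)   # split once: names may contain spaces
        manifest[name.lstrip("*")] = digest.lower()
    return manifest


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest):
    """Return 'ok', 'MISMATCH', or 'unlisted' (file not named in the manifest at all)."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if sha256_file(path) == expected else "MISMATCH"


def demo():
    """Write three constructed files and verify them: one good, one tampered, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "firefox-1.0.7.ko-KR.tar.gz")
        bad = os.path.join(d, "thunderbird-1.0.7.ko-KR.tar.gz")
        extra = os.path.join(d, "unlisted.bin")
        for path, content in ((good, b"hello"), (bad, b"hello, tampered"), (extra, b"x")):
            with open(path, "wb") as f:
                f.write(content)
        manifest = parse_sha256sums(SAMPLE_MANIFEST)
        return {os.path.basename(p): verify_download(p, manifest) for p in (good, bad, extra)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Treat "unlisted" as a failure too: a file the vendor never published a digest for is exactly what a trojaned mirror build looks like.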
Speaking of Said Upgrades Firefox 1.0.7
The latest version of Firefox is available, including some important security fixes. Get it here. This one fixes a few big security issues, including MFSA 2005-57, IDN heap overrun using soft-hyphens.
New Handler: Mohammed Haron
Mohammed is currently working for Intel Corp. in Penang, Malaysia. His duties at Intel cover a wide array of security responsibilities, from IDS to forensics. He holds GIAC GSEC and GCIA certifications and has been a local mentor for both.
His interest in security got jump-started by a group of Brazilian hackers defacing his personal web site (gr33tz to P3dr0).
Winners of Bonus Points from Yesterday's FTBM
Yesterday, Tom Liston posted his latest Follow the Bouncing Malware. In it, he posed a question for extra credit, namely:
"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar. [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."
We had several readers point out the answer, but the first was Frank Knobbe:
"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes are a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"
Tom described this as the ultimate in vanity-license-plate equivalents for geeks. Indeed it is. And, I might point out that the file encryption solution built into modern Windows systems is called…
Signing out…
Edward Frank Skoudis
Intelguardians, www.intelguardians.com
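As an added illustration of the header Frank describes (example code, not part of Tom's FTBM or of the diary), the parser below reads the two-byte MZ magic as the little-endian word 0x5A4D, follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature, and carves embedded executables out of an arbitrary blob, which is how you find a dropped PE hiding inside the kind of obfuscated download FTBM dissects. It also handles the case that crashes naive parsers: a file that starts with MZ but whose e_lfanew points past the end of the data. The sample bytes are constructed here; they are not a real program.

```python
import struct

DOS_MAGIC = b"MZ"             # bytes 4D 5A; read as a little-endian 16-bit word this is 0x5A4D
DOS_MAGIC_WORD = 0x5A4D
E_LFANEW_OFFSET = 0x3C        # 32-bit offset of the PE header, stored in the DOS header
PE_SIGNATURE = b"PE\0\0"


def build_sample(pe_offset=0x40):
    """Construct a minimal DOS stub + PE signature (not a runnable executable)."""
    hdr = bytearray(pe_offset + len(PE_SIGNATURE))
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, pe_offset)
    hdr[pe_offset:pe_offset + len(PE_SIGNATURE)] = PE_SIGNATURE
    return bytes(hdr)


def with_lfanew(data, value):
    """Return a copy of data with e_lfanew overwritten (used to build a bogus-pointer sample)."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, E_LFANEW_OFFSET, value)
    return bytes(patched)


def dos_magic_word(data):
    """The first two bytes interpreted as a little-endian word; 0x5A4D means 'MZ'."""
    return struct.unpack_from("<H", data, 0)[0]


def classify(data):
    """Return 'pe', 'dos' (MZ header without a reachable PE signature) or 'not-dos'."""
    if len(data) < E_LFANEW_OFFSET + 4 or dos_magic_word(data) != DOS_MAGIC_WORD:
        return "not-dos"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Bounds check before dereferencing: a truncated or hostile header can point anywhere.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return "dos"
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE:
        return "pe"
    return "dos"


def find_embedded_pe(blob):
    """Offsets of every MZ header in blob whose e_lfanew leads to a valid PE signature."""
    hits = []
    start = 0
    while True:
        idx = blob.find(DOS_MAGIC, start)
        if idx < 0:
            return hits
        if classify(blob[idx:]) == "pe":
            hits.append(idx)
        start = idx + 1


if __name__ == "__main__":
    sample = build_sample()
    print(hex(dos_magic_word(sample)), classify(sample))
    # Constructed carrier: a fake GIF header with padding and a PE glued on the end.
    print(find_embedded_pe(b"GIF89a" + b"\0" * 10 + sample))
```

The bounds check in classify is the one that matters in practice: malware authors and fuzzers both produce MZ files whose e_lfanew is garbage, and a parser that indexes without checking will throw (or, in C, read out of bounds) before it ever gets to the interesting part of the file.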
Wi-Fi Worm Rumors
Hurricane Katrina Follow-UP
Got this message from some fine folks at DHS:
"In responding to recent natural disasters and state of emergencies due to Hurricane Katrina, and now Rita, the DHS US-CERT in collaboration with the Control Systems Security Center (CSSC) has released a Hurricane Katrina Control System Assistance Informational Paper. The US CERT Control Systems Security Center (CSSC) has placed this informational bulletin here. Please go to this site and click on the link under reports for "Hurricane Katrina Control Systems Assistance (PDF)."
This paper describes how to get physical and electronic operations back on-line in a time of crisis.