
SANS ISC: InfoSec Handlers Diary Blog



Another IE Exploit makes the rounds...

Published: 2006-09-02
Last Updated: 2006-09-04 19:01:50 UTC
by Joel Esler (Version: 2)
We received a report from Gilbert Sebenste, a reader of ISC (thanks!), of a new IE bug. It was discovered Monday (or rather, published on Monday) and has apparently been assigned CVE number 2006-4446; according to Bugtraq, the bug only affects IE 6.0 SP1.

So, we've said it before, and we'll say it again. Yes, sometimes it's not practical to switch off of IE, but where you can... do. Diversify, I say! Even though Mac users aren't affected, use your Safari, Firefox, Opera...

Windows users: check out Firefox, Opera, and whatever other nice browsers you can throw out there. (I'm a Mac/*nix/*bsd user, so I am not familiar with all the Windows offerings.) IE is riddled with countless holes and bugs, so try and use something else.

Reader Ottmar followed up on this article with a suggestion for folks who just can't follow the advice above and want to make the best of the situation while still using IE. With respect to this specific issue and other ActiveX-based vulnerabilities in IE, the following Microsoft article explains how to modify the registry to keep ActiveX controls from running. Since this does involve modifying the registry, user beware! Without further ado, the Microsoft article can be found here.
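One way to prepare that registry change as a reviewable file rather than editing by hand, as an added example that is not from the diary or from Microsoft's article: the script assumes the article describes the ActiveX "kill bit" (the Compatibility Flags value 0x400 under the ActiveX Compatibility key), and it uses a constructed placeholder CLSID because the diary does not name the affected control.

```python
import re

# Registry location and flag value for the ActiveX kill bit. The kill bit is one bit
# of the Compatibility Flags DWORD, so an existing value must be OR'ed, not replaced.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
COMPAT_FLAGS_KILLBIT = 0x400
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")

# Constructed placeholder; replace with the CLSID of the control you want to block.
EXAMPLE_CLSID = "{00000000-1111-2222-3333-444444444444}"


def normalize_clsid(clsid):
    """Accept a CLSID with or without braces and return the braced, upper-case form."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c


def killbit_set(flags):
    """True when a Compatibility Flags value already has the kill bit set."""
    return bool(flags & COMPAT_FLAGS_KILLBIT)


def killbit_reg_file(clsids, existing_flags=None):
    """Return the text of a .reg file that sets the kill bit for each CLSID.

    existing_flags maps CLSID -> the current Compatibility Flags value read from the
    target machine; the kill bit is OR'ed into it so other flags are preserved.
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        c = normalize_clsid(clsid)
        flags = existing_flags.get(c, 0) | COMPAT_FLAGS_KILLBIT
        lines.append("[%s\\%s]" % (KILLBIT_KEY, c))
        lines.append('"Compatibility Flags"=dword:%08x' % flags)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Writes a file that can be reviewed and then imported with regedit.
    print(killbit_reg_file([EXAMPLE_CLSID], {EXAMPLE_CLSID: 0x1}))
```

Importing the file only blocks the control from being instantiated by IE; it does not remove or patch the control itself.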

----------------
Joel Esler
jesler{at}isc.sans.org


UDP Port 47290

Published: 2006-09-04
Last Updated: 2006-09-04 16:28:16 UTC
by Brian Granier (Version: 2)

In reviewing recent DShield graphs I noticed a sharp and large increase in UDP port 47290 traffic. A quick review of Google and a few other resources left me with no logical conclusion as to the source.

I send this diary out as a call for packets or for any information that might lead to understanding where this traffic uptick comes from. Since this traffic started on 8/28/06, it is interesting to note that the number of reported packets is 226,660 records. The number of sources for this traffic is 134,673. The number of targets is 43. So it's possible we are looking at traffic reported from just one subscriber who sends logs into DShield. Nonetheless, this is a rather interesting and sudden increase and it would be useful to know where this is coming from.

Update: We looked further into this and discovered that 99.99% of this traffic is destined for a single target. This makes the call for packets a fairly moot point.
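The sanity check behind the update (how many packets, sources, targets and submitters, and what share of the packets goes to the single busiest target) can be scripted over port-filtered records. This is an added example, not DShield's own tooling; the tab-separated layout and the sample records are constructed, and the real DShield submission format is assumed to differ in detail.

```python
from collections import Counter

# Constructed sample records (assumption: simplified layout, not the real DShield one):
# date  submitter_id  count  src_ip  src_port  dst_ip  dst_port  proto
SAMPLE_LOG = """\
2006-08-28\t1001\t3\t198.51.100.7\t40000\t192.0.2.10\t47290\tUDP
2006-08-28\t1001\t5\t198.51.100.8\t40001\t192.0.2.10\t47290\tUDP
2006-08-29\t1001\t2\t203.0.113.9\t40002\t192.0.2.10\t47290\tUDP
2006-08-29\t1001\t1\t203.0.113.9\t40003\t192.0.2.10\t47290\tUDP
2006-08-30\t2002\t1\t198.51.100.20\t5555\t192.0.2.77\t47290\tUDP
2006-08-30\t1001\t4\t203.0.113.44\t40004\t192.0.2.10\t47290\tUDP
2006-08-30\t1001\t1\t198.51.100.7\t40005\t192.0.2.10\t47290\tUDP
2006-08-30\t1001\t9\t198.51.100.7\t40006\t192.0.2.10\t53\tUDP
"""


def parse_records(text, port=47290, proto="UDP"):
    """Yield (submitter, count, src, dst) for records matching the target port."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 8 or f[6] != str(port) or f[7] != proto:
            continue
        yield f[1], int(f[2]), f[3], f[5]


def port_summary(text, port=47290):
    """Summarise who reports the traffic and how concentrated it is on one target."""
    per_target, per_submitter = Counter(), Counter()
    sources, targets = set(), set()
    total = 0
    for submitter, count, src, dst in parse_records(text, port):
        total += count
        per_target[dst] += count
        per_submitter[submitter] += count
        sources.add(src)
        targets.add(dst)
    top_dst, top_n = per_target.most_common(1)[0] if per_target else (None, 0)
    return {
        "packets": total,
        "sources": len(sources),
        "targets": len(targets),
        "submitters": len(per_submitter),
        "top_target": top_dst,
        "top_target_share": top_n / total if total else 0.0,
    }


if __name__ == "__main__":
    for k, v in port_summary(SAMPLE_LOG).items():
        print("%-17s %s" % (k, v))
```

A top-target share close to 1.0 with a single submitter is the signature of one site's logs, not a broad scan, which is what the update concluded.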


Media sanitization

Published: 2006-09-02
Last Updated: 2006-09-02 16:58:04 UTC
by Brian Granier (Version: 1)
Conventional wisdom tells us that deleting data is an insufficient means of protecting your sensitive information from being obtained from discarded media. However, recently upon reviewing an NIST publication from last month, I ran across an interesting paragraph that reads as follows:

Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.

This is a significant change in stance from the often-quoted U.S. Department of Defense 5220.22-M disk erasing standard, which suggests a minimum of 3 overwrites and a verify is necessary to properly sanitize data. Now, before rushing out and changing all of your purging applications to single pass only, please notice that the quoted paragraph from the NIST article is fairly specific about the type of hard drive, its size and its manufacture date. Nonetheless, this points to what we will hopefully see as a trend: as time passes, it will require fewer passes to properly sanitize our media.
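Whatever the number of passes, the part of the DoD procedure worth keeping is the verify step: read the medium back and confirm every byte is the pattern written. Below is an added example of a single-pass overwrite with verification, written for this diary and not taken from NIST or any sanitization tool; it works on a regular file or, run as root, on a block device path, and the demo helper uses a constructed temporary file.

```python
import os
import tempfile


def overwrite_and_verify(path, pattern=b"\x00", chunk_size=1 << 20):
    """Overwrite the whole file or block device at `path` once with `pattern`,
    flush it to the medium, then read it back and check every byte matches.
    Returns (bytes_written, verified)."""
    fill = (pattern * (chunk_size // len(pattern) + 1))[:chunk_size]
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for files and block devices
        os.lseek(fd, 0, os.SEEK_SET)
        written = 0
        while written < size:                 # os.write may write less than asked
            n = min(chunk_size, size - written)
            written += os.write(fd, fill[:n])
        os.fsync(fd)                          # do not trust the page cache
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining > 0:                  # os.read may return short reads
            buf = os.read(fd, min(chunk_size, remaining))
            if not buf or buf != fill[:len(buf)]:
                return written, False
            remaining -= len(buf)
        return written, True
    finally:
        os.close(fd)


def sample_run(size=3 * 1024 + 17):
    """Constructed demo: fill a temp file with random bytes, wipe it once, verify."""
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(os.urandom(size))
        path = tf.name
    try:
        written, ok = overwrite_and_verify(path, chunk_size=1024)
        with open(path, "rb") as f:
            all_zero = f.read() == b"\x00" * size
        return written, ok, all_zero
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(sample_run())
```

A host-side overwrite only reaches sectors the drive still exposes, which is one reason the NIST table treats different media types differently.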

As a related issue, let's talk a moment about the last time your media sanitization policies were updated. Do they take into account media sources other than hard drives? It is becoming increasingly difficult to contain and identify all the places where data is stored, but a thorough security program should consider all of these devices in its protection and sanitization routines. Examples of often overlooked devices include cell phones, PDAs, USB thumb drives and digital cameras. Appendix A of the NIST article mentioned above provides a fairly good list of places where data is stored along with the recommended action for sanitizing or destroying them.

Related to the topic of considering other places where sensitive data is stored electronically, reader Cornelius from Australia offers this recent article from The Sydney Morning Herald: http://www.smh.com.au/news/phones--pdas/secrets-spill-from-secondhand-mobiles/2006/08/31/1156817011704.html