
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-01-24



MS08-001 updated

Published: 2008-01-24
Last Updated: 2008-01-24 18:50:26 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

Microsoft updated MS08-001 to include Small Business Server 2003 SP2 as vulnerable. They also added to the FAQ to clarify that the MS Detection and Deployment tools will detect this and correctly patch it.

http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx



Drive-by Pharming and attacks against network infrastructure

Published: 2008-01-24
Last Updated: 2008-01-24 02:11:21 UTC
by Toby Kohlenberg (Version: 1)
1 comment(s)

Symantec posted a blog entry about attackers using vulnerabilities in web browsers (CSRF and XSS, from our interpretation of the article) to reconfigure home routers/firewalls, changing their DNS servers to enable MITM attacks. They report having seen a number of delivery methods for the attacks, including email and compromised or malicious websites.

The full article is here: http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html

Heise.de also has an article about the issue (it links to the Symantec post) for those of you who prefer reading German: http://www.heise.de/newsticker/meldung/102281

There are a number of moderately effective mitigations that you can use to prevent this (per Symantec):

  • change the default password on your router
  • turn off UPnP if you don't have an explicit, serious need for it
  • try using one of the less common RFC 1918 address ranges

And of course make sure that you are using up-to-date AV, firewall, IDS and everything else on your internal systems.
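To make the three mitigations above checkable rather than just a list, here is an added audit script (not from the Symantec or ISC article) that parses a router's exported settings and flags a resolver that is not one you expect, UPnP left on, and a LAN sitting in a factory-default range. The key=value export format, the expected-resolver set and the sample values are all constructed for this example.

```python
import ipaddress

# Assumed for this example: the resolvers your ISP is known to hand out (documentation addresses).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Subnets most home routers use out of the box; illustrative list, not exhaustive.
FACTORY_DEFAULT_LANS = [ipaddress.ip_network(n)
                        for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def parse_router_status(text):
    """Parse key=value lines (a constructed format standing in for a real settings export)."""
    status = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        status[key.strip().lower()] = value.strip()
    return status


def audit_router(status, expected_resolvers=EXPECTED_RESOLVERS):
    """Return a list of findings; an empty list means nothing looked tampered with."""
    findings = []
    # 1. DNS resolvers: a pharming attack swaps these for servers the attacker controls.
    for key in ("dns1", "dns2"):
        server = status.get(key)
        if server and server not in expected_resolvers:
            findings.append(f"{key} points at unexpected resolver {server}")
    # 2. UPnP: lets LAN clients (and pages they render) change port mappings without credentials.
    if status.get("upnp", "").lower() == "enabled":
        findings.append("UPnP is enabled; disable it unless explicitly required")
    # 3. LAN address: a factory-default subnet makes the gateway address trivially guessable.
    lan_ip = status.get("lan_ip")
    if lan_ip and any(ipaddress.ip_address(lan_ip) in net for net in FACTORY_DEFAULT_LANS):
        findings.append(f"LAN gateway {lan_ip} sits in a factory-default range")
    return findings


# Constructed sample: what a tampered router's settings export might look like.
SAMPLE_STATUS = """\
lan_ip=192.168.1.1
dns1=198.51.100.9
dns2=203.0.113.53
upnp=enabled
"""

if __name__ == "__main__":
    for finding in audit_router(parse_router_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
```

Running it against the sample yields three findings (dns1, UPnP and the 192.168.1.0/24 gateway); the same script run periodically is a cheap way to notice a silently changed resolver.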

One of my fellow handlers pointed out that the most interesting and significant part of this issue is that it marks a change in targeting by attackers. The move from compromising the end host to targeting the home routers and firewalls (or other infrastructure) has ugly implications for the way we are currently defending our systems. Ideally a man-in-the-middle attack should always be noticeable, but we all know that people tend to click "accept" way too quickly most of the time.
