
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-04-26 InfoSec Handlers Diary Blog



Pandemic Preparation - Swine Flu

Published: 2009-04-26
Last Updated: 2009-04-29 22:46:24 UTC
by Johannes Ullrich (Version: 3)
3 comment(s)

The current WHO pandemic alert phase is 5 (of 6), as of 2200 UTC on 29/04/2009.

Lots of news about the Swine Flu outbreak in Mexico. Right now, cases are reported in the US, Canada, New Zealand, Hong Kong and Spain. We have covered pandemic preparedness before, so let me just list a few pointers and a couple of highlights:

- don't count on locking up your NOC staff in the NOC. They want to be home with family. Be ready to operate in "lights out" mode remotely with minimal or no staff.

- everybody will try to do the same thing. Cell phone data connectivity and broadband internet connections may be overloaded at times. Panic breeds inefficiency.

- don't panic. Try to find news reports and don't fall for the hype some news media will spread to attract viewers. Stick to reputable sources (www.cdc.gov and the like come to mind).

So far, about 80 people died from it. The best number I could find for people infected stated that "more than 1000 had symptoms". Most of the infections in the US happened to children in high school, and all of them appear to be fine so far.

Stephen Northcutt maintains a nice page with links to news reports and such: http://www.sans.edu/resources/leadershiplab/pandemic_watch2009.php

Quick update with some reader input:

- travel to / from Mexico is still unrestricted, but discouraged. Many airlines will waive rebooking fees.
- Texas announced that it may put restrictions on travel out of Texas in place if more cases are found in Texas.

Travel restrictions are probably the most likely impact in the short term. Make sure to double check any travel plans.

Another update: several readers have suggested being on the lookout for phishing domains being established in anticipation of an outbreak. We'll do the same and will publish a future diary "naming names" if we need to.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute     follow johullrich on twitter


Odd DNS Resolution for Google via OpenDNS

Published: 2009-04-26
Last Updated: 2009-04-27 14:23:15 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We had a report from one of our readers (Deoscoidy) from Puerto Rico who had issues reaching Google earlier today. Instead of being directed to Google, he got redirected to an error page hosted with the free web service provider atspace.com. Pages like this are known to be used for malware. Shortly after he reported it, the problem fixed itself for him. I have only been able to reproduce part of the problem so far.

He found out that the redirect was in part due to the name resolution done by OpenDNS. It looks like, as an OpenDNS user, you receive a different response for "www.google.com" than when resolving it directly:

With OpenDNS (dig @208.67.222.222 www.google.com)

;; ANSWER SECTION:
www.google.com.        30    IN    CNAME    google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN    A    208.69.32.231
google.navigation.opendns.com. 30 IN    A    208.69.32.230

Without OpenDNS (dig www.google.com)

;; ANSWER SECTION:
www.google.com.        336708    IN    CNAME    www.l.google.com.
www.l.google.com.    148    IN    A    74.125.93.104
www.l.google.com.    148    IN    A    74.125.93.147
www.l.google.com.    148    IN    A    74.125.93.99
www.l.google.com.    148    IN    A    74.125.93.103


208.69.32.0/21 is owned by OpenDNS. So the information returned by OpenDNS is not necessarily malicious, and may just be part of Google's intricate load balancing scheme (you will likely get very different IP addresses if you run the second query).

The response returned from these servers looks like an authentic response from Google. However, maybe some of the country-level redirection had been broken earlier. Right now, everything seems to be fine. If you experience similar issues, please let us know.
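The two dig outputs above are easy to compare by eye once, but the same check is worth automating when you want to know whether a resolver is rewriting answers for a name you care about. The following script is an added example and not part of the diary: it parses the ANSWER SECTION text as dig prints it (the sample strings embedded below are the two answers quoted in the diary, so nothing is looked up on the network), then reports whether the CNAME chain ends inside the resolver's own domain and whether every A record falls inside the resolver's address block. The `.opendns.com.` suffix and the 208.69.32.0/21 prefix are taken from the diary; the function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the ANSWER SECTION lines exactly as the diary shows them.
OPENDNS_ANSWER = """\
;; ANSWER SECTION:
www.google.com.        30    IN    CNAME    google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN    A    208.69.32.231
google.navigation.opendns.com. 30 IN    A    208.69.32.230
"""

DIRECT_ANSWER = """\
;; ANSWER SECTION:
www.google.com.        336708    IN    CNAME    www.l.google.com.
www.l.google.com.    148    IN    A    74.125.93.104
www.l.google.com.    148    IN    A    74.125.93.147
www.l.google.com.    148    IN    A    74.125.93.99
www.l.google.com.    148    IN    A    74.125.93.103
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answer(text):
    """Return (owner, ttl, rtype, rdata) tuples for the CNAME and A records in a dig ANSWER SECTION."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records


def analyze(text, resolver_net, resolver_suffix):
    """Summarise one answer relative to a resolver's own domain suffix and address block."""
    records = parse_answer(text)
    net = ipaddress.ip_network(resolver_net)
    cname_targets = [r[3] for r in records if r[2] == "CNAME"]
    addrs = [ipaddress.ip_address(r[3]) for r in records if r[2] == "A"]
    return {
        "cname_targets": cname_targets,
        "addresses": [str(a) for a in addrs],
        # The CNAME chain was redirected into the resolver's own namespace.
        "cname_points_at_resolver": any(t.endswith(resolver_suffix) for t in cname_targets),
        # Every address handed back belongs to the resolver, not to the target's operator.
        "addresses_in_resolver_net": bool(addrs) and all(a in net for a in addrs),
        # A very short TTL is typical of a resolver that synthesises answers itself.
        "min_ttl": min(r[1] for r in records) if records else None,
    }


def is_rewritten(text, resolver_net="208.69.32.0/21", resolver_suffix=".opendns.com."):
    """True when the answer shows signs of being rewritten by the resolver rather than passed through."""
    summary = analyze(text, resolver_net, resolver_suffix)
    return summary["cname_points_at_resolver"] or summary["addresses_in_resolver_net"]


if __name__ == "__main__":
    for label, text in (("OpenDNS", OPENDNS_ANSWER), ("direct", DIRECT_ANSWER)):
        print(label, analyze(text, "208.69.32.0/21", ".opendns.com."), "rewritten:", is_rewritten(text))
```

Run against the diary's two answers, the OpenDNS response is flagged on both criteria (CNAME into opendns.com, all A records inside 208.69.32.0/21) while the direct response is flagged on neither. Either criterion alone is enough to notice a rewrite; the TTL is reported only as a supporting hint, since legitimate CDN answers can also carry short TTLs.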

Update

Chris and Nicholas confirm that OpenDNS has been doing this "MiM" on Google for a while now. A user may disable this "feature", but will lose the malware protection provided by OpenDNS as a result.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute     Twitter: johullrich

Keywords: google opendns