
SANS ISC InfoSec Handlers Diary Blog


WHO Declares Flu A(H1N1) a Pandemic

Published: 2009-06-11
Last Updated: 2009-06-12 03:13:59 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Several media outlets are reporting that the World Health Organization (WHO) has officially declared the A(H1N1) flu outbreak a pandemic. 

More information is available at the following sites:

http://www.nytimes.com/2009/06/12/world/12who.html?em

http://www.who.int/csr/disease/swineflu/en/index.html

www.euro.who.int/influenza/AH1N1/20090611_11

The April diary on this issue can be found here.

The SANS Leadership Lab Pandemic Planning page is also worth a look.

From a security point of view we can expect a new rash of bogus domains, phishing and malware attacks. So, as usual, be diligent.


-- Rick Wanner rwanner at isc dot sans dot org


Firefox 3.0.11 is available

Published: 2009-06-11
Last Updated: 2009-06-11 23:07:13 UTC
by Rick Wanner (Version: 1)
0 comment(s)

One thing is for sure! Our ISC readers love their Firefox.

We have received a number of emails telling us that Firefox version 3.0.11 is now in the update pipeline. Firefox 3.0.11 provides a number of fixes for security vulnerabilities.

Release notes are available here.


-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: firefox

Dshield Web Honeypot going beta

Published: 2009-06-11
Last Updated: 2009-06-11 17:16:16 UTC
by Jason Lam (Version: 1)
4 comment(s)

We started the Dshield Web Honeypot project roughly one year ago. The goal of this project is to replicate what Dshield has done for the community on the web application side. We are not trying to detect targeted attacks, but fast-scanning and replicating threats that have the potential to affect the whole community quickly.

Similar to the original Dshield project, we rely on volunteers to feed us logs. In the case of web logs, it is not easy to collect detailed logs (e.g. HTTP headers, HTTP body) using the web server logs alone, which is why we have a PHP- and Apache-based client component for volunteers to install as their log collector (or honeypot). We are announcing today that the client software for this project is turning beta. Special thanks to the volunteers on this project.
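The extra detail a request-time collector can capture, as an added illustration that is not the Dshield client's own code: a PHP page builds one record per request from the headers and raw body that an Apache access log never records, and a constructed request shows the result. The log path, record field names and sample values are assumptions.

```php
<?php
// Added illustration, not the Dshield client's own code: a PHP collector
// running inside the request sees what the Apache access log does not,
// namely every request header and the raw body.
// Build one log record; inputs are parameters so a constructed request can exercise it.
function build_request_record(array $server, string $raw_body, int $body_cap = 65536): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        // PHP exposes request headers as HTTP_* entries in $_SERVER.
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $headers[str_replace('_', '-', strtolower(substr($key, 5)))] = $value;
        }
    }
    // Content-Type and Content-Length arrive without the HTTP_ prefix.
    foreach (['CONTENT_TYPE' => 'content-type', 'CONTENT_LENGTH' => 'content-length'] as $k => $name) {
        if (isset($server[$k])) {
            $headers[$name] = $server[$k];
        }
    }
    return [
        'time'           => gmdate('c'),
        'client'         => $server['REMOTE_ADDR'] ?? '',
        'method'         => $server['REQUEST_METHOD'] ?? '',
        'uri'            => $server['REQUEST_URI'] ?? '',
        'headers'        => $headers,
        // Base64 keeps odd encodings intact in a text log; the cap stops one huge body filling the disk.
        'body_b64'       => base64_encode(substr($raw_body, 0, $body_cap)),
        'body_truncated' => strlen($raw_body) > $body_cap,
    ];
}
// Append the record as one JSON line for later batch submission.
function log_request(string $path, array $record): bool
{
    $line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}
if (PHP_SAPI !== 'cli') {
    // Live use inside a honeypot page: record the real request (log path is hypothetical).
    log_request(__DIR__ . '/requests.log',
        build_request_record($_SERVER, file_get_contents('php://input')));
} else {
    // Constructed request, not a real capture, showing the detail an access log would omit.
    $demo = build_request_record([
        'REMOTE_ADDR' => '192.0.2.10', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/index.php?id=1',
        'HTTP_HOST' => 'honeypot.example', 'HTTP_USER_AGENT' => 'constructed-agent/1.0',
        'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
    ], 'field=value&other=123');
    echo json_encode($demo, JSON_PRETTY_PRINT), "\n";
}
```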

For this project to be successful, we need your support in sending us logs. The honeypot client software can be downloaded from the Dshield portal under My Information (login first).

For the impatient, here are the high-level instructions.

The installation starts with downloading and untarring the code into a directory. Run config.php under /lib to configure the client. Then run update-client.php to ensure you have the latest copy of all the code. Follow this by running update-template.php, which updates all the web pages in the honeypot. After that, it's a matter of configuring the Apache virtual host (sample config under /docs) and it should be all set.

Once you are submitting web logs, the Dshield main portal page should let you view all the logs you are submitting (with a 1 hr delay). Let us know how this is working out for you.

-------------------------------------------------
Jason Lam  -  http://twitter.com/jasonlam_sec


MIR-ROR Motile Incident Response - Respond Objectively Remediate

Published: 2009-06-11
Last Updated: 2009-06-11 12:19:48 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Anybody who reads my diaries has long since figured out that I am a big fan of the Sysinternals tools. So when long-time reader, regular contributor, and full-time Uber-Dork Russ McRee from HolisticInfoSec.org pointed me at a new incident response tool based on the Sysinternals tools, it immediately piqued my interest.

The tool is MIR-ROR - Motile Incident Response - Respond Objectively Remediate. MIR-ROR is a live response tool for Windows machines based on Sysinternals tools and other useful tools originally put together by Microsoft Forensics guru Troy Larson and now being maintained by HolisticInfosec.org. More info about MIR-ROR can be found on the HolisticInfoSec Blog and reviewed in the ISSA Journal Toolsmith series. The tool itself can be found at Codeplex.

I haven't had a chance to review MIR-ROR myself, so I would appreciate it if any of you who have spent time with MIR-ROR would provide your opinions via our contact page. I will summarize as the day goes on.


-- Rick Wanner - rwanner at isc dot sans dot org
