
SANS ISC InfoSec Handlers Diary Blog



Malicious CD ROMs mailed to banks

Published: 2009-08-26
Last Updated: 2009-08-27 18:45:23 UTC
by Johannes Ullrich (Version: 2)
3 comment(s)

Update: We got an email and a phone call from Brent Huston with Microsolved. This mailing was part of an authorized pen test. Nothing to worry about (right now), but the best practices for dealing with such issues still apply.

-----

The National Credit Union Administration (NCUA) published an interesting advisory here:

http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm

Member credit unions are evidently reporting that they have received letters which include two CDs. The letters claim to originate from the NCUA and advertise the CDs as training materials. However, it appears that the letter is a fake and the CDs contain malware.

We have not heard about this scheme affecting any other targets, but please let us know if you see something like this. Malware delivery via USPS has certainly been suggested before.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: CDRom malware NCUA USPS

Cisco over-the-air-provisioning skyjacking exploit

Published: 2009-08-26
Last Updated: 2009-08-26 02:40:26 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Cisco issued a security advisory for its 1100 and 1200 Series lightweight access points. The advisory is based on work done by the wifi IDS firm AirMagnet. The problem is pretty common and basic: how do you establish a secure connection over an insecure medium in order to configure a device? A new device will not have any encryption keys installed yet. Some basic configuration options first need to be established in order to enable encryption and exchange keys.

This is of course particularly tricky over wireless, as you do not control the medium. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol in which the access point uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and send a bad configuration to the access point, disabling the device.

It should not be possible to set up a rogue access point using the actual network's encryption keys, as they are not known to the attacker. But it is a first step toward possibly getting a foothold in an environment.

Cisco provides an advisory here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919 . The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: cisco skyjacking wifi

WSUS 3.0 SP2 released

Published: 2009-08-26
Last Updated: 2009-08-26 02:33:28 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Microsoft released SP2 for its latest and greatest version of Windows Server Update Services (WSUS).

You can find a more detailed description of the update here: http://support.microsoft.com/kb/972455

The most important feature is probably the integration with upcoming versions of Windows like Server 2008 R2 and Windows 7. Without WSUS support, it would be hard for many organizations to deploy these new Windows versions.

One improvement that caught my attention:

"Stability and reliability fixes are included for the WSUS server, such as support for IPV6 addresses that are longer than 40 characters."

At first glance, an IPv6 address can have up to 39 characters if you write it out in full as 2001:0db8:1111:2222:3333:4444:5555:6666 (8 groups of 4 hex digits + 7 colons). However, it is also possible to append a prefix length like /128 or /64, which pushes the string past a 40-character limit. I find little issues like this to be typical gotchas for organizations converting to IPv6.
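To make the sizing gotcha concrete, here is an added example (not from the diary or from Microsoft) that computes the shortest and longest legal spellings of an IPv6 host or prefix and checks them against a fixed-width field; the 40-character width is the limit quoted in the KB article, and it also covers the IPv4-mapped dotted-quad form (RFC 4291), which is longer still.

```python
import ipaddress

# Field width the pre-SP2 WSUS server is described as having (from KB972455).
LEGACY_FIELD_WIDTH = 40


def ipv6_forms(text):
    """Return (shortest, longest) valid textual forms of an IPv6 host or prefix.

    Accepts a bare address ("2001:db8::1") or CIDR notation ("2001:db8::1/64").
    The longest form is the fully exploded address plus any prefix length; a
    naive fixed-width column has to hold that, not just the compressed form.
    """
    if "/" in text:
        iface = ipaddress.IPv6Interface(text)
        addr, suffix = iface.ip, "/%d" % iface.network.prefixlen
    else:
        addr, suffix = ipaddress.IPv6Address(text), ""

    longest = addr.exploded
    v4 = addr.ipv4_mapped
    if v4 is not None:
        # RFC 4291 allows the low 32 bits of ::ffff:0:0/96 to be written as a
        # dotted quad, e.g. 0000:0000:0000:0000:0000:ffff:192.168.100.200 (45 chars).
        longest = "0000:0000:0000:0000:0000:ffff:" + str(v4)
    return addr.compressed + suffix, longest + suffix


def check_field(text, width=LEGACY_FIELD_WIDTH):
    """Report whether every valid spelling of `text` fits a `width`-char field."""
    shortest, longest = ipv6_forms(text)
    return {"shortest": len(shortest), "longest": len(longest),
            "fits": len(longest) <= width}


if __name__ == "__main__":
    # Constructed sample inputs (documentation prefix, not real hosts).
    for sample in ("2001:db8:1111:2222:3333:4444:5555:6666",
                   "2001:db8::1/64", "2001:db8::1/128",
                   "::ffff:192.168.100.200"):
        r = check_field(sample)
        print("%-40s shortest=%2d longest=%2d fits=%s"
              % (sample, r["shortest"], r["longest"], r["fits"]))
```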

There are no critical "must install today" features as far as I can tell in this release. Test it carefully and deploy once ready.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
