Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog



Domains being registered about the Haiti Earthquakes already

Published: 2010-01-13
Last Updated: 2010-01-14 00:20:27 UTC
by Joel Esler (Version: 3)
0 comment(s)

While we, at the ISC, do not assume that the domains being registered are malicious in nature in any way, we always take note of domains being registered near a disaster.  Simply from people parking the domains.

However, inevitably, some of these domains wind up being malicious in nature, and while we don't assume that all of them will be, it does happen, and it's unfortunate that spammers and phishers prey on people attempting to provide relief for those in need, especially during such a devastating disaster as this was.

As I said, we are already seeing a bunch of domains being parked in relation to the Haiti disaster, and we are going to attempt to keep an eye on them all to warn our readers of anything possibly misaligned. 

Some tips from the FBI:  http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 


Sun Java JRE 6 Update 18 Released

Published: 2010-01-13
Last Updated: 2010-01-13 22:45:15 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This release contains fixes for 358 bugs. You can see the release notes for this version here. You can download the update here.

Note: "This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

Thanks Jack for the info.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: Java JRE 6

SMS Donations Advertised via Twitter

Published: 2010-01-13
Last Updated: 2010-01-13 16:51:46 UTC
by Johannes Ullrich (Version: 3)
3 comment(s)

[Update] Both short codes in use right now, 501501 and 90999, are tracing back to registered Twitter accounts and I consider them authentic at this point. 90999 is associated with the Red Cross (@redcross), 501501 is associated with Wyclef Jean (@wyclef). Please keep alerting us if you see other short codes being used.

----

We all like the convenience and speed of SMS messaging. As a result, a number of companies set up services to allow donations to be sent via SMS message. The approach is pretty simple. You text a message identifying your cause (e.g. "HAITI") to a special short code configured by the recipient. A "short code" is a 5 or 6 digit number configured to receive your message pretty much like a regular phone number.

These short codes are frequently advertised via Twitter in messages like "SMS x to yyyyyy to donate to cause z". One thing that doesn't fit into the Twitter message is that the cost of the donation will be billed to your phone bill. Typically $5 or $10. Legitimate providers of this service appear to limit you to one donation per day.

However, there is no easy way for you to identify who you send the money to. I would suggest being very careful with this form of donation and only using the number if you receive it from the organization directly. Please avoid sending money "blindly" just because a friend "RT" it.

Two legitimate operators of this service appear to be:

http://www.mgive.com
http://mobilegivinginsider.com

The Red Cross uses a verified Twitter account (@redcross) for updates.

Here are some of the messages we saw on Twitter in connection with the Haiti earthquake:

Text "Yele" to ***** to donate $5 4 HAITI
Text "HAITI" to "*****" & ur donation of $10 will go 2 the Red Cross 2 help w/relief efforts in #Haiti

(I replaced the SMS number with stars)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Adobe Reader and Acrobat patches are available

Published: 2010-01-13
Last Updated: 2010-01-13 14:49:58 UTC
by Joel Esler (Version: 2)
0 comment(s)

If you are running Adobe Reader and/or Acrobat version 9.2 and earlier, you need to patch again!

Adobe, yesterday, published their advisory, along with all the patches for this month's patch cycle.  The release (according to the patch notes) is for Adobe Reader and Acrobat <=9.2 for Windows, Macintosh, and UNIX.

They also advise that if you are running 8.1.7, you should upgrade to the current version as well.

For the full notes, please see Adobe's webpage at: http://www.adobe.com/support/security/bulletins/apsb10-02.html

Also please see Johannes's diary from yesterday concerning the patches as well: https://isc.sans.org/diary.html?storyid=7963

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler


Google's response to being attacked by China

Published: 2010-01-13
Last Updated: 2010-01-13 02:08:09 UTC
by Joel Esler (Version: 1)
3 comment(s)

Today a blog post was put on the Official Google Blog talking about the attack against them from China, and their responses, and possible recourses on a business side.  There are two posts, and they make for an interesting read, so be sure and check them out.

Post #1 -- http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

Post #2 -- http://googleenterprise.blogspot.com/2010/01/keeping-your-data-safe.html

The hacks were a result, basically, of a technique called "targeted phishing" or "spearphishing".  One of our other handlers, Maarten, wrote an excellent diary about it last year.  Check it out here.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
