ISC Feature of the Week: Handler Diaries

Published: 2012-02-22
Last Updated: 2012-02-22 21:48:50 UTC
by Adam Swanger (Version: 1)
0 comment(s)


The Internet Storm Center publishes daily handler diaries that summarize and analyze new threats to networks and Internet security events. Diaries range from 0day vulnerability announcements to the latest software update releases. If it's security related, we'll probably put up a diary about it!

The ISC homepage always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.

What's in a Diary?

A diary title is always an active link, so you can right-click and copy it to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a "Share" menu to the right of the title if you want to share the diary publicly on any number of social networking sites!

Under the title you will see the original published date and, if any changes have been logged to the diary, the last updated date. Below that you will see the name of the handler who authored the diary and the version number. The "Rate this diary" feature is currently disabled but should be back soon.

The number of comments shows how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged in to your ISC/DShield account. Not logged in? No worries, just click the link, log in and you should be brought right back to leave your comment. The alias defaults to what you have set in Your Information, but you can change it to whatever you want. Every comment is vetted by the handlers, and inappropriate comments or blatant ads are removed.

The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn't require a lot of detail, a handler may post a "oneliner" which is highlighted with a different background/border and generally just one sentence.

A Keywords list follows the diary content. Each keyword is individually linked and takes you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and the author.

How can I find past diaries?

The easiest way to find past diaries is to search for keywords as explained here. All the diaries can be listed by date on the Diary Archives page. This is useful if you know the general timeframe or title text of a specific diary, or if you just want to skim titles, as an entire month is shown at once.

The site footer always contains some of the most recent Diary Archives in the center as well as a link to the full archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page. There is also a link to the archives after every comment section on the diary page.

How can I get these diaries you speak of?

Well, you can make the ISC homepage your default browser page so you don't miss anything.

You can also receive full or title-only diaries by subscribing in your favorite RSS reader. The links can be found here


Let us know in the comments section below if you have suggestions or feedback about our diaries, or send us any questions or comments in the contact form at


Adam Swanger, Web Developer (GWEB)

Internet Storm Center (

Keywords: ISC feature
0 comment(s)

Apache 2.4 Features

Published: 2012-02-22
Last Updated: 2012-02-22 13:59:08 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

The Apache Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security-relevant changes:

- more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 allows log levels to be configured on a per-directory basis.

- various changes to timeouts. Over the last few years we have seen a number of tools that attacked web servers by exhausting connections. The new timeout changes may help with that, but overall, I don't think there is a simple fix for this problem.

- changes to the proxy configuration. Some use Apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features have caused problems.

- Apache now includes a "mod_session" module that lets Apache take care of sessions itself. This includes support for encrypted sessions and for session-based authentication. I really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions, which could be a new opportunity to exploit HTTP response splitting. Note that the session information may be stored on the client, not just on the server. Unencrypted sessions on the client could pose interesting security issues.

- mod_ssl has been improved to allow it to check client certificates for revocation via OCSP.

Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
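As an added illustration (not part of the diary and not taken from the Apache project), the httpd.conf fragment below shows how a defender would turn on the four features discussed above in 2.4: per-directory log levels, request read timeouts, an encrypted client-side session, and OCSP checking of client certificates. The paths, host names, the passphrase placeholder and the assumption that mod_reqtimeout, mod_session, mod_session_cookie, mod_session_crypto and mod_ssl are loaded are mine, not the article's.

```apache
# Added example, not from the diary. Paths, host names and the passphrase
# placeholder are assumptions; the modules named above must be loaded.

# 1. Granular logging: a conservative level for the whole server ...
LogLevel warn
# ... and a per-directory override (allowed in 2.4), so the sensitive
# area is logged verbosely without flooding the error log for the site.
<Directory "/var/www/html/admin">
    LogLevel debug
</Directory>

# 2. Timeouts against slow-request connection exhaustion: request headers
# must arrive within 20s (stretched to at most 40s while data keeps coming
# at >= 500 bytes/s); the body gets 20s at the same minimum rate.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Timeout 60
KeepAliveTimeout 5

# 3. mod_session with client-side (cookie) storage. Without
# SessionCryptoPassphrase the session contents would sit readable and
# modifiable in the user's browser; httponly and secure keep the cookie
# off script and off cleartext HTTP.
<Location "/app">
    Session On
    SessionCookieName session path=/app;httponly;secure
    SessionCryptoPassphrase "CHANGE-ME-long-random-passphrase-placeholder"
</Location>

# 4. mod_ssl client certificates, checked for revocation via OCSP.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"
    SSLCACertificateFile  "/etc/ssl/certs/client-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOCSPEnable on
    SSLOCSPDefaultResponder "http://ocsp.example.com/"
    SSLOCSPOverrideResponder on
</VirtualHost>
```

Run `httpd -t` after editing to catch a missing module or a directive the build does not know before restarting the server.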


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apache
0 comment(s)
ISC StormCast for Wednesday, February 22nd 2012

How to test OS X Mountain Lion's Gatekeeper in Lion

Published: 2012-02-22
Last Updated: 2012-02-22 02:16:20 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

While I was working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system, to be released this summer, will include a whitelisting system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware, while Android malware appears to be starting to steal the show from Windows malware (it has a while to go, but all the news lately seems to be about Android malware).

iOS uses a pretty simple and effective security model to fight malware: whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard, Apple-vetted APIs is considered trustworthy enough to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later.

Over the last few years, the opposite model, blocklisting ("anti-malware"), has failed spectacularly. Even many desktop users now use third-party whitelisting software, which is usually more granular than what Apple proposes.

Apple's approach allows for essentially three different "settings":

- only allow Apple-approved software (pretty much what iOS does)
- allow Apple-approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software, much like accepting the certificate of an iOS developer for testing)
- allow all software (pretty much "unlocked" in iOS terms)

There are some specific limitations to Apple's approach:

- the signatures are only checked during install. If malicious software passes the install check, it will not be inspected further.
- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to download and install additional malware afterwards.

The best part, in my opinion, is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I have been running it for a while now, off and on, and so far have not experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).

The command line utility spctl can be used to enable or disable the feature: spctl --enable enables it, and spctl --disable disables it. You need to be root to run the utility.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apple lion spctl
2 comment(s)
