
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-08-27



NY Times DNS Compromised

Published: 2013-08-27
Last Updated: 2013-08-27 21:09:58 UTC
by Tony Carothers (Version: 1)
3 comment(s)

The website for the New York Times was taken offline today by way of an attack on their DNS.  Shown below is the summary Dr. J whipped up:

The normal NYTimes.com name servers are

;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      dns.ewr1.nytimes.com.
nytimes.com.            172800  IN      NS      dns.sea1.nytimes.com.

but one .com name server still answers with:

;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      ns27.boxsecured.com.
nytimes.com.            172800  IN      NS      ns28.boxsecured.com.

;; ADDITIONAL SECTION:
ns27.boxsecured.com.    172800  IN      A       212.1.211.126
ns28.boxsecured.com.    172800  IN      A       212.1.211.141

and returns an IP in that subnet:

nytimes.com.    212.1.211.121

Connecting to this server results in:

HTTP/1.1 200 OK
Date: Tue, 27 Aug 2013 20:55:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.26
Content-Length: 14
Content-Type: text/html

Hacked by SEA
Connection closed by foreign host
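As an added example (not part of Dr. J's summary or the diary), this is the kind of check a zone owner can run over the output above: parse the AUTHORITY and ADDITIONAL sections that dig prints for each parent (.com) server, compare the NS set to the expected baseline, and report any server still handing out a foreign delegation together with the glue it served. The server labels `tld-server-1` and `tld-server-2` are constructed; the record data is the diary's own.

```python
import re

ZONE = "nytimes.com."
# Baseline delegation the zone owner expects at every .com server (from the diary).
EXPECTED_NS = {"dns.ewr1.nytimes.com.", "dns.sea1.nytimes.com."}

# Constructed sample: the two dig answers quoted in the diary, as if a monitoring
# job had captured them from two different (hypothetical) TLD servers.
DIG_SAMPLES = {
    "tld-server-1": """;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      dns.ewr1.nytimes.com.
nytimes.com.            172800  IN      NS      dns.sea1.nytimes.com.
""",
    "tld-server-2": """;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      ns27.boxsecured.com.
nytimes.com.            172800  IN      NS      ns28.boxsecured.com.
;; ADDITIONAL SECTION:
ns27.boxsecured.com.    172800  IN      A       212.1.211.126
ns28.boxsecured.com.    172800  IN      A       212.1.211.141
""",
}

# Record layout dig prints: owner TTL IN type rdata
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")

def parse_dig(text):
    """Return (set of NS names for ZONE, {ns name: [glue IPs]}) from dig output."""
    ns, glue = set(), {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "NS" and owner.lower() == ZONE:
            ns.add(rdata.lower())
        elif rtype == "A":
            glue.setdefault(owner.lower(), []).append(rdata)
    return ns, glue

def check_delegation(answers, expected=EXPECTED_NS):
    """Flag every server whose NS set differs from the baseline, with the glue it served."""
    findings = {}
    for server, text in answers.items():
        ns, glue = parse_dig(text)
        unexpected, missing = ns - expected, expected - ns
        if unexpected or missing:
            findings[server] = {"unexpected_ns": sorted(unexpected), "missing_ns": sorted(missing),
                                "glue": {n: glue.get(n, []) for n in sorted(unexpected)}}
    return findings
```

Running `check_delegation(DIG_SAMPLES)` reports only `tld-server-2`, with both boxsecured.com names and their 212.1.211.x glue; in production the samples would come from querying each parent server in turn.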


Microsoft Releases Revisions to 4 Existing Updates

Published: 2013-08-27
Last Updated: 2013-08-27 20:49:12 UTC
by Tony Carothers (Version: 1)
1 comment(s)

Four patches have undergone significant revision according to Microsoft.  The following patches were updated today by Microsoft, and are set to roll in the automatic updates:

MS13-057 - Critical

 - https://technet.microsoft.com/security/bulletin/MS13-057
 - Reason for Revision: V3.0 (August 27, 2013): Bulletin revised to
   rerelease security update 2803821 for Windows XP,
   Windows Server 2003, Windows Vista, and Windows Server 2008;
   security update 2834902 for Windows XP and Windows Server 2003;
   security update 2834903 for Windows XP; security update 2834904
   for Windows XP and Windows Server 2003; and security update
   2834905 for Windows XP. Windows XP, Windows Server 2003,
   Windows Vista, and Windows Server 2008 customers should install
   the rereleased updates. See the Update FAQ for more information.
 - Originally posted: July 9, 2013
 - Updated: August 27, 2013
 - Bulletin Severity Rating: Critical
 - Version: 3.0

MS13-061 - Critical

 - https://technet.microsoft.com/security/bulletin/MS13-061
 - Reason for Revision: V3.0 (August 27, 2013): Rereleased bulletin
   to announce the reoffering of the 2874216 update for Microsoft
   Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange
   Server 2013 Cumulative Update 2. See the Update FAQ for details.
 - Originally posted: August 13, 2013
 - Updated: August 27, 2013
 - Bulletin Severity Rating: Critical
 - Version: 3.0

MS13-jul

 - https://technet.microsoft.com/security/bulletin/ms13-jul
 - Reason for Revision: V3.0 (August 27, 2013): For MS13-057,
   bulletin revised to rerelease security update 2803821 for
   Windows XP, Windows Server 2003, Windows Vista, and
   Windows Server 2008; security update 2834902 for Windows XP and
   Windows Server 2003; security update 2834903 for Windows XP;
   security update 2834904 for Windows XP and Windows Server 2003;
   and security update 2834905 for Windows XP. Windows XP,
   Windows Server 2003, Windows Vista, and Windows Server 2008
   customers should install the rereleased updates that apply to
   their systems. See the bulletin for details.
 - Originally posted: July 9, 2013
 - Updated: August 27, 2013
 - Version: 3.0

MS13-aug

 - https://technet.microsoft.com/security/bulletin/ms13-aug
 - Reason for Revision: V3.0 (August 27, 2013): For MS13-061,
   bulletin revised to announce the reoffering of the 2874216
   update for Microsoft Exchange Server 2013 Cumulative Update 1
   and Microsoft Exchange Server 2013 Cumulative Update 2.
   See the bulletin for details.
 - Originally posted: August 13, 2013
 - Updated: August 27, 2013
 - Version: 3.0

Thanks go out to Dave for sharing this update; things are rolling out already.


Patch Management Guidance from NIST

Published: 2013-08-27
Last Updated: 2013-08-27 17:24:08 UTC
by Tony Carothers (Version: 1)
1 comment(s)

The National Institute of Standards and Technology (NIST) released a new version of guidance around Patch Management last week, NIST SP800-40.  The latest release takes a broader look at enterprise patch management than the previous version, so it is well worth the read.

Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software".  Additionally, Patch Management is something that is required by many of the cyber security standards currently in use, such as CIP and DIACAP, and is often a finding associated with audits of said standards.  The document not only talks about patch management in the enterprise, it also talks about risks associated with enterprise patching solutions being used today.

Section 3.3 is of particular interest to anyone who is faced with the challenges of unique environments which contain numerous non-standard deployments, such as out-of-office hosts, appliances, and virtualizations of systems.  Section 4 is an excellent summary of Enterprise Patch Management technologies, the approach for implementing this technology in the enterprise, and guidance for ongoing operations.

One comment that is constant throughout is testing.  It is quite clear that the authors intended to highlight the need for testing in all aspects of enterprise patch management.

tony d0t carothers --gmail
