SANS ISC: Symantec AV linked to Verisign certificate problem, DUGallery, False Weather Alerts, more phishing

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Verisign Certificate Expiration linked to Symantec AV issue

Today, a Verisign root certificate included with Internet Explorer expired. As a result, Verisign's certificate revocation list server was not able to handle all the requests from clients attempting to contact it as a result of the expiration.

Verisign, apparently to lower the load on its server, now resolves this server to non-routable 10/8 IP addresses 50% of the time.

Some applications, most notably Norton Antivirus, use this server to verify certificates. In the case of Norton Antivirus, it is used to verify its signature file.

As 50% of the time, users will not be able to contact Verisigns certificate revocation list, Norton Antivirus will stall.

Workarounds:

Verisign set the TTL of its DNS records rather short. So if you try after one minute again, you will likely get a valid IP address. If this is not an option, edit your hosts file and insert one of these IPs for 'crl.verisign.net':
198.49.161.200, 198.49.161.205, 198.49.161.206, 64.94.110.11.

However, this is not recommended as a long term solution, as these IPs may
change at any time.
http://slashdot.org/article.pl?sid=04/01/08/1849245&mode=thread&tid=126&tid=128&tid=172&tid=95

http://www.verisign.com/support/vendors/exp-gsid-ssl.html?sl=070807


Web Defacements

At least one web-defacement crew appears to use Google to find sites with
vulnerable versions of 'DUGallery' installed. Recently, a number of issues
regarding this product where posted to Bugtraq. As of this writing, no
updates are available.

http://seclists.org/lists/bugtraq/2003/Dec/0246.html

False Weather Alerts

A user reported that the "Weatherbug" application he is using is displaying
false weather alerts. We have not identified the source of the false alerts. According to the report we received, corrections followed shortly after the false warnings had been received.

Phishing sites of the day

We did receive reports about spam advertising a fake Citibank site.

-----------

Johannes Ullrich, SANS Institute, jullrich_AT_sans.orgI will be teaching next: Intrusion Detection In-Depth - SANS Las Vegas Spring 2020