Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC Internet Storm Center



Latest Diaries

Encryption of "data at rest" in servers

Published: 2015-09-01
Last Updated: 2015-09-01 00:12:39 UTC
by Daniel Wesemann (Version: 1)

Over in the SANS ISC discussion forum, a couple of readers have started a good discussion (https://isc.sans.edu/forums/Encryption+at+rest+what+am+I+missing/959) about which threats we actually aim to mitigate if we follow the HIPAA/HITECH (and other) recommendations to encrypt "data at rest" that is stored on a server in a data center. Yes, it helps against outright theft of the physical server, but - as many recent prominent data breaches suggest - it doesn't help all that much if the attacker comes in over the network and has acquired admin privileges, or if the attack exploits a SQL injection vulnerability in a web application.

There are types of encryption (mainly field-level or file-level) that can also help against these eventualities, but they are usually more complicated and expensive, and not often applied. If you are interested in "data at rest" encryption for servers, please join the mentioned discussion in the Forum.


Gift card from Marriott?

Published: 2015-09-01
Last Updated: 2015-09-01 00:01:45 UTC
by Daniel Wesemann (Version: 1)

Always nice when the spammers are so forthcoming as to send their latest crud directly to our SANS ISC honeypot account. The current incarnation

Subject: Re: Your complimentary 3-night stay giftcard (Expires 09
From: "Marriott Gift Card" marriottgiftcard@summerallstar.review

came from

Received: from summerallstar.review (50.22.145.13-static.reverse.softlayer.com [50.22.145.13])

which kinda figures: Softlayer is among the cloud computing providers whose "get a virtual server FREE for one month" offering is one that scammers can't resist. The "Marriott" email said:

Marriott Special Gift Card:
=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

ALERT: Your Marriott-Gift Card will expire 09/15/15.

Please claim your gift-card at the link below:
http://seespecial.summerallstar[dot]review

This gift-card is only good for one-person to claim
at once with participation required. Please respect the
rules of the special-giftpromo.

=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

End-GiftCard Notification


.review? How lovely! Let's use the opportunity to again *thank* ICANN for their moronic money grab, and all the shiny new useless "top level domains" that honest users and corporations now have to avoid and block. The lesson learned a couple of years ago, when ".biz" and ".info" came online, should have been enough to know that the new cyber real estate would primarily get occupied by crooks. But here we are. I guess ICANN and most domain name pimps don't mind where their revenue stream comes from. But I digress.

Clicking on the link results in a rather unimaginative website, hosted on http://lucky-survey.com-hu3[dot]info, shown in the picture below.

It doesn't (seem to - as far as I could tell) push any malware, but asks a couple of dumb questions, and then offers a prize. Ahem. Sort of a prize:

Somewhere along the way, it seems like the connection to "Marriott" got lost. Which is maybe all the better...
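A mail-gateway style triage of the message above, as an added example that is not part of the original diary: it checks the sender and link TLDs against a block list, compares the brand in the display name with the sending domain, and pulls the relay IP from the Received header. The sample message is constructed from the values quoted in the diary (angle brackets around the address are assumed), and `BLOCKED_TLDS`, `BRANDS`, `registered_domain` and `triage` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header and body values copied from the diary, link kept defanged.
SAMPLE = '''\
Received: from summerallstar.review (50.22.145.13-static.reverse.softlayer.com [50.22.145.13])
From: "Marriott Gift Card" <marriottgiftcard@summerallstar.review>
Subject: Re: Your complimentary 3-night stay giftcard (Expires 09

Please claim your gift-card at the link below:
http://seespecial.summerallstar[dot]review
'''

# Assumptions for this example: a site-local TLD block list and a
# brand -> legitimate sending domains map maintained by the mail admin.
BLOCKED_TLDS = {"review"}
BRANDS = {"marriott": {"marriott.com"}}

def registered_domain(host):
    """Naive last-two-labels approximation; a real filter would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.rpartition("@")[2])
    findings = []
    if sender.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        findings.append("sender-tld-blocked:" + sender)
    # Brand named in the display name, but mail not sent from that brand's domain.
    for brand, legit in BRANDS.items():
        if brand in display.lower() and sender not in legit:
            findings.append("brand-mismatch:" + brand)
    # Relay IP as recorded by the receiving MTA in the Received header.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    if m:
        findings.append("relay-ip:" + m.group(1))
    # Link hosts in the body; "[dot]" is normalised in memory only, for comparison.
    body = msg.get_payload().replace("[dot]", ".")
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        if host.rsplit(".", 1)[-1].lower() in BLOCKED_TLDS:
            findings.append("link-tld-blocked:" + registered_domain(host))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
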

Keywords: spam
