
SANS ISC Internet Storm Center


Latest Diaries

How to hack

Published: 2015-09-01
Last Updated: 2015-09-01 13:08:00 UTC
by Daniel Wesemann (Version: 1)
4 comment(s)


While looking for something else, I discovered that Google (of course) knows what people are trying to hack lately:

Agreed, this information is not overly useful.  These hacks are basically on the opposite end of the threat scale from the over-hyped "Advanced Persistent Threat" (APT).  Let's call it the "Basic Sporadic Annoyance" (BSA), just to come up with a new acronym :).

The BSAs still tell us though what "average" wannabe hackers seem to be interested in breaking into, namely: websites, online games, wifi and phones.  Cars, pacemakers, fridges and power plants are not on the list, suggesting that these targets are apparently not yet "popular" enough.

Being fully aware of the "filter bubble", we had several people try the same search, and they largely got the same result. Looks like Facebook really IS currently the main wannabe hacker target.  But Facebook doesn't need to worry all that much, because if you just type "How to h", the suggestions reveal that other problems are even more prominent than "hacking Facebook":

If your results (of the "how to hack" query, not the latter one) differ significantly, please share in the comments below.  Updated to add: Thanks, we have enough samples now :)

Keywords: autocomplete Google

Encryption of "data at rest" in servers

Published: 2015-09-01
Last Updated: 2015-09-01 00:12:39 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Over in the SANS ISC discussion forum, a couple of readers have started a good discussion about which threats we actually aim to mitigate if we follow the HIPAA/HITECH (and other) recommendations to encrypt "data at rest" that is stored on a server in a data center. Yes, it helps against outright theft of the physical server, but - as many recent prominent data breaches suggest - it doesn't help all that much if the attacker comes in over the network and has acquired admin privileges, or if the attack exploits a SQL injection vulnerability in a web application. In both cases the storage layer has already decrypted everything for the database engine, so the attacker sees the same plaintext the application does.

There are types of encryption (mainly field or file level, with the key held by the application rather than the storage layer) that can also help against these eventualities, but they are usually more complicated and expensive, and not often applied. If you are interested in "data at rest" encryption for servers, please join the mentioned discussion in the Forum.
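To make the distinction concrete, here is an added toy model (not code from the diary or the forum thread) that runs the same two attacks against a constructed patient table: a thief who walks off with the raw disk bytes, and a network attacker who already has database/admin access. The "disk encryption" and "field encryption" are a constructed HMAC-based stream cipher standing in for a real AEAD, and the keys, table and SSN value are all made up for the illustration.

```python
"""Toy threat model: full-disk encryption vs. application-held field encryption.
Added example; keys, cipher, table contents and names are constructed."""
import hashlib
import hmac
import os
import sqlite3

# Constructed keys. In a real deployment the field key lives with the
# application (or an HSM/KMS), never with the storage layer.
DISK_KEY = b"constructed-disk-key"
FIELD_KEY = b"constructed-field-key"
SSN = "123-45-6789"  # constructed sensitive value we try to protect


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream; stands in for a real cipher, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_db(field_level: bool) -> sqlite3.Connection:
    """Constructed table. With field_level=True the SSN column holds ciphertext
    under FIELD_KEY, which the database engine never sees."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, ssn TEXT)")
    stored = encrypt(FIELD_KEY, SSN.encode()).hex() if field_level else SSN
    conn.execute("INSERT INTO patients VALUES (?, ?)", ("A. Example", stored))
    conn.commit()
    return conn


def disk_image(conn: sqlite3.Connection) -> bytes:
    """What a thief walks off with: the serialised database under disk encryption."""
    dump = "\n".join(conn.iterdump()).encode()
    return encrypt(DISK_KEY, dump)


def leaks_ssn(data: bytes) -> bool:
    return SSN.encode() in data


def app_read(conn: sqlite3.Connection, field_level: bool) -> str:
    """The legitimate application path: only it holds FIELD_KEY."""
    stored = conn.execute("SELECT ssn FROM patients").fetchone()[0]
    return decrypt(FIELD_KEY, bytes.fromhex(stored)).decode() if field_level else stored


def scenario(field_level: bool) -> dict:
    conn = build_db(field_level)
    # Physical theft: attacker holds the raw disk bytes but not DISK_KEY.
    theft = leaks_ssn(disk_image(conn))
    # Network attacker with admin/DB privileges (or a SQLi path through the app):
    # the disk layer has already decrypted everything for the engine, so the
    # query returns whatever the column actually stores.
    rows = conn.execute("SELECT ssn FROM patients").fetchall()
    network = leaks_ssn(rows[0][0].encode())
    return {"theft_leaks_ssn": theft, "network_leaks_ssn": network}


if __name__ == "__main__":
    print("disk encryption only :", scenario(field_level=False))
    print("plus field encryption:", scenario(field_level=True))
```

Running it shows the point of the forum thread: disk encryption alone hides the SSN from the thief but not from the database-level attacker, while field-level encryption hides it from both, at the cost of the application now having to manage a key and losing the ability to search or index that column.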


Gift card from Marriott?

Published: 2015-09-01
Last Updated: 2015-09-01 00:01:45 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Always nice when the spammers are forthcoming enough to send their latest crud directly to our SANS ISC honeypot account. The current incarnation,

Subject: Re: Your complimentary 3-night stay giftcard (Expires 09
From: "Marriott Gift Card"

came from

Received: from ( [])

which kinda figures: SoftLayer is among the cloud computing providers whose "get a virtual server FREE for one month" offering is one that scammers can't resist. The "Marriott" email said:

Marriott Special Gift Card:
Expires 09/15/15
Notification: #2595319

ALERT: Your Marriott-Gift Card will expire 09/15/15.

Please claim your gift-card at the link below:

This gift-card is only good for one-person to claim
at once with participation required. Please respect the
rules of the special-giftpromo.

Expires 09/15/15
Notification: #2595319

End-GiftCard Notification

.review ? How lovely! Let's use the opportunity to again *thank* ICANN for their moronic money grab, and all the shiny new useless "top level domains" that honest users and corporations now have to avoid and block. The lesson learned a couple years ago, when ".biz" and ".info" came online, should have been enough to know that the new cyber real estate would primarily get occupied by crooks. But here we are. I guess ICANN and most domain name pimps don't mind where their revenue stream comes from. But I digress.

Clicking on the link results in a rather unimaginative website, hosted on[dot]info, shown on the picture below.

It doesn't (seem to - as far as I could tell) push any malware, but asks a couple of dumb questions, and then offers a prize. Ahem. Sort of a prize:

Somewhere along the way, it seems like the connection to "Marriott" got lost. Which is maybe all the better...
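For those who take the "avoid and block" advice about the new top-level domains literally, here is an added example (not code from the diary) of the kind of check a mail filter can run: parse an inbound message, pull the URLs out of its body, and flag any whose top-level domain is on a locally maintained block list. The message text, the sender address, the hostnames and the TLD list below are all constructed for the illustration; the list is a policy choice, not a recommendation.

```python
"""Flag URLs in an inbound mail whose TLD is on a local block list.
Added example; the message, hostnames and list are constructed."""
import email
import re
from email import policy

# Constructed policy list; tune to your own telemetry.
BLOCKED_TLDS = {"review", "info", "biz"}

# scheme://host followed by the rest of the URL up to whitespace or a quote
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)[^\s\"'<>]*", re.IGNORECASE)

# Constructed sample modelled on the diary's spam; .test is a reserved TLD.
SAMPLE_MESSAGE = b"""From: "Marriott Gift Card" <promo@sender.test>
Subject: Re: Your complimentary 3-night stay giftcard
Content-Type: text/plain

ALERT: Your Marriott-Gift Card will expire 09/15/15.
Please claim your gift-card at the link below:
http://example-promo.review/go?id=2595319
Questions? See http://www.example.com/help
"""


def tld_of(host: str) -> str:
    """Last label of the host, ignoring userinfo, port and a trailing dot."""
    host = host.split("@")[-1].split(":")[0].rstrip(".").lower()
    return host.rsplit(".", 1)[-1]


def body_text(raw: bytes) -> str:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def flagged_urls(raw: bytes) -> list:
    """URLs in the message body whose TLD is on BLOCKED_TLDS."""
    return [m.group(0) for m in URL_RE.finditer(body_text(raw))
            if tld_of(m.group(1)) in BLOCKED_TLDS]


if __name__ == "__main__":
    for url in flagged_urls(SAMPLE_MESSAGE):
        print("blocked TLD:", url)
```

A filter built on this would typically quarantine or tag the message rather than drop it outright, since a block list of whole TLDs will also catch the occasional legitimate sender who registered there.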

Keywords: spam