Today's Diary
Published: 2009-09-08,
Last Updated: 2009-09-09 11:54:16 UTC by Guy Bruneau (Version: 3)

We have received a report from Tyler of a vulnerability in Microsoft SMB2 that lets a remote attacker crash the host; proof-of-concept code was published yesterday and a Metasploit module is out. We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 at the firewall. Windows 2000/XP are NOT affected by this exploit. We will update this diary with more information as we get it.

Update 1: Theodore, an ISC contributor, has sent us a couple of links on how to disable SMB version 2.0 on Vista or Server 2008. The first post is by Hameed on AskPerf and the second post is by Daniel Petri.

Update 2: Microsoft has released a new advisory that shows only the following OS are affected:
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
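As an added example, not code from the diary or from the linked posts, the two mitigations recommended above applied on a Vista or Server 2008 host from an elevated PowerShell prompt. The registry value name is the one Microsoft's published workaround for this issue uses, and "File and Printer Sharing (SMB-In)" is the name of the built-in Windows Firewall rule that exposes port 445; that both match your build is an assumption to check, and the SMB 2.0 change needs a restart of the Server service (a reboot is the safe route) to take effect.

```powershell
# Added example, not code from the ISC diary: apply the two mitigations the entry
# recommends on a Vista / Server 2008 host. Run from an elevated PowerShell prompt.
# Assumption: the Smb2 value under LanmanServer\Parameters is the switch used by
# Microsoft's workaround for this issue (0 = SMB 2.0 off, 1 or absent = on).

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Disable SMB 2.0 on the server side. Clients fall back to SMB 1.0.
#    Takes effect only after the Server service restarts, i.e. after a reboot.
Set-ItemProperty -Path $lanman -Name Smb2 -Type DWord -Value 0

# 2. Filter TCP 445. The built-in allow rule is what exposes the port, so scope it
#    to the local subnet instead of adding a blanket block: block rules win over
#    allow rules in Windows Firewall, so a blanket block would also cut off the LAN.
#    Adjust remoteip to the hosts that genuinely need to reach this share.
netsh advfirewall firewall set rule name="File and Printer Sharing (SMB-In)" `
    new remoteip=localsubnet

# If the host does not need to serve files at all, block the port outright instead:
# netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" `
#     dir=in action=block protocol=TCP localport=445

# 3. Verify both changes before rebooting.
$smb2 = (Get-ItemProperty -Path $lanman -Name Smb2 -ErrorAction SilentlyContinue).Smb2
if ($smb2 -eq 0) { "SMB 2.0 disabled in registry (reboot pending)" }
else             { "SMB 2.0 still enabled, registry value is '$smb2'" }
netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)" |
    Select-String 'Enabled|RemoteIP'
```

The `set rule name=...` call changes every rule carrying that name, which on Vista/2008 covers the Domain, Private and Public profiles at once; check the `show rule` output for any other inbound rule that still allows 445 (a third-party backup or management agent often adds one).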
Keywords: Windows SMB2
Published: 2009-09-09,
Last Updated: 2009-09-09 11:45:11 UTC by Mark Hofman (Version: 2)

The group Anonymous, who were reported to be responsible for the attack on Scientology sites, now have the Australian Government in their sights. In 2008 the Australian Government decided that the internet should be filtered, and it is running trials with a number of ISPs. Within Australia there is a fair amount of resistance to this practice, for a number of reasons. You can read the government position at http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering and this Wikipedia article has more information on the issue: http://en.wikipedia.org/wiki/Internet_censorship_in_Australia

In addition to the opposition within Australia, it looks like Anonymous has also become involved. A web site, 09-09-2009.org, was set up, and activities appear to be coordinated through another web site. The crux of their demands is for the senator responsible for the filtering scheme to resign and for the filtering plans to be abandoned, or else. The "or else" is a DDoS attack on Australian government sites starting at 9:00 am GMT, which is 7:00 pm on the east coast of Australia. Fax machines and phone lines may also be targeted. Some "interesting" activity has been observed on some networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure your incident handling processes are ready, and make sure that servers and other perimeter devices are patched so they are better able to resist attack. Have your ISP's contact details handy in case you need them to stem the flow of traffic. If your infrastructure is outsourced, ask the outsourcer what plans they have in place should anything happen. Most importantly, decide in advance whether switching off the site in the face of an attack is an option for you.
Mark H

UPDATE 1: Well, the DDoS started at 7 pm on the dot and has been going on for about an hour or so. www.pm.gov.au is being kept busy, but over the hour it was unavailable from where I am for a few minutes at best. The attack seems to be mostly multiple web requests to the site, which exhausts the threads on the web server and causes it to respond with a 503 error. Once left alone by a few of the attackers the site is again more than happy. As far as impact goes, the net result seems to be zilch.

UPDATE 2: The attack is over. It achieved some publicity and managed to make the PM's website unavailable for a few minutes. Otherwise there was no impact.

- M
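As an added example, not from the diary, here is a small Python script that does what Mark's updates describe by hand: it pulls the clients that hammer a site hard enough to exhaust worker threads out of a combined-format access log, and counts the 503 responses the server starts giving. The log lines, the IP addresses (documentation ranges) and the threshold of 20 requests per 10 seconds are constructed for illustration and would need tuning for a real site.

```python
"""Added example (not code from the ISC diary): pick out HTTP-flood clients and
count 503s from a combined-format web server access log.

The sample log and the rate threshold below are constructed assumptions."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Apache / nginx "combined" log format, e.g. (constructed line):
# 203.0.113.7 - - [09/Sep/2009:19:00:00 +1000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def peak_rate_per_ip(lines, window=timedelta(seconds=10)):
    """For each client IP, the largest number of requests seen inside any `window`."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times[rec["ip"]].append(rec["ts"])
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        recent = deque()          # timestamps inside the sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        peaks[ip] = peak
    return peaks


def flooders(lines, window=timedelta(seconds=10), threshold=20):
    """IPs whose peak rate reaches `threshold` requests per `window`.
    The threshold is an assumption; set it from the server's thread/worker count."""
    return sorted(ip for ip, peak in peak_rate_per_ip(lines, window).items()
                  if peak >= threshold)


def status_counts(lines):
    """Counter of HTTP status codes; a jump in 503s is the thread-exhaustion
    symptom the diary describes."""
    return Counter(rec["status"] for rec in map(parse_line, lines) if rec)


def _line(ip, second, status):
    """Build one constructed log line at 19:00:<second> AEST on 9 Sep 2009."""
    return (f'{ip} - - [09/Sep/2009:19:00:{second:02d} +1000] '
            f'"GET / HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')


# Constructed sample: one client requesting "/" four times a second for eight
# seconds, two ordinary visitors, and the server beginning to answer 503.
SAMPLE_LOG = (
    [_line("203.0.113.7", s // 4, 200 if s < 12 else 503) for s in range(32)]
    + [_line("198.51.100.20", 3, 200), _line("198.51.100.20", 30, 200),
       _line("192.0.2.9", 15, 503)]
)

if __name__ == "__main__":
    print("peak requests per 10 s:", peak_rate_per_ip(SAMPLE_LOG))
    print("suspected flooders:", flooders(SAMPLE_LOG))
    print("status codes:", status_counts(SAMPLE_LOG))
```

On the sample, the script names 203.0.113.7 as the only flooder and shows 503s dominating the status mix; on a live box, run it over the last few minutes of the log on a timer and hand the resulting list to your ISP or your border ACL, which is exactly the "stem the flow of traffic" step the entry asks you to prepare for.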
Keywords: DDOS
Published: 2009-09-08,
Last Updated: 2009-09-09 11:10:09 UTC by Guy Bruneau (Version: 1)

ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that can cause a denial of service in multiple Cisco products. An attacker can force TCP connections into a long-lived or indefinite state, which prevents new TCP connections from being accepted and could leave the device in a DoS condition indefinitely. Additional information is available in the Cisco advisory. The following products are affected:
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

UPDATE: In addition to the Cisco advisory, there is further information and responses to the issue from other vendors at https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

- M
Keywords: Cisco DoS
Published: 2009-09-08,
Last Updated: 2009-09-09 00:31:36 UTC by Guy Bruneau (Version: 1) Overview of the September 2009 Microsoft patches and their status.
We will update issues on this page for about a week or so as they evolve.
We appreciate updates. US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.

(*): ISC rating
(**): If installed.
(***): Critical for ISA servers

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Keywords: Black Tuesday MSFT patches