Archive for December, 2008
SANS Security Policy & Awareness Class Review
by Josh on Dec.29, 2008, under Uncategorized
I have just finished with my 2nd SANS class: “Security Policy & Awareness.”
I will say that it was good, but not as good as my first SANS class.
Presentation
Like my previous class, I took it OnDemand, meaning that I logged into the SANS website, and took it online, at my own pace. I have to say that I really do like this format, but I do have to say that the OnDemand interface is not the most intuitive. Check out CERT’s VTE for intuitive.
Content
Overall, if I can sum up the content in a phrase, I would say “Quality, but again, unintuitive.” I was quite disappointed in the content of the class. There was a bit of outdated content (we discussed pre-PCI DSS regulations instead of PCI DSS itself, as well as old statistics). I also struggled with the layout of the first section: Policies. The organization of how it was laid out left a lot to be desired.
Teacher
The teacher, SANS Ex Officio Steven Northcutt, was, as always, excellent. Great real-world examples.
Overall, I would have to give the quality of the class a middle-of-the-road B.
A lot of great quality material, as well as a great teacher, but the presentation made it difficult to understand it all.
Josh
Fun with Welchia…
by Josh on Dec.27, 2008, under Uncategorized
So today I got an interesting alert from OSSEC (a Host-Based IDS) on my web-hosting server:
—————————————-
Rule: 31115 fired (level 13) -> “URL too long. Higher than allowed on most browsers. Possible attack.”
Portion of the log(s):
81.197.69.xxx - - [16/Dec/2008:16:14:20 -0600] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
——————————–
As we can see, host 81.197.69.xxx tried to connect to my server on TCP port 80, looking to exploit an IIS WebDAV vulnerability (Microsoft Security Bulletin MS03-007). This is most often seen from a variant of Welchia, specifically W32.Welchia.B.Worm. From the Symantec article, “The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm’s use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.”
After doing an IP lookup, using my favorite tool, http://logbud.com, I found that it is an IP in Western Finland. After that, I fired up Nmap, and did a quick scan of the IP. Since it blocked pings, Nmap thought that the host was down, so I had to change the scan parameters to not ping before scanning. Using regular TCP SYN scans, it seems that the most commonly used ports are filtered, and therefore I was unable to get an accurate OS type reading. Most likely, the machine is a compromised Windows machine, blasting out arbitrary scans, trying to compromise internet-facing, unpatched Windows machines.
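To show what the OSSEC alert above is actually reacting to, here is a small detector, added here as an example (it is not code from the post and not OSSEC's own rule logic). It parses Apache-style access-log lines, undoes the \xNN escaping the web server applies to non-printable request bytes, and flags a WebDAV SEARCH whose request-URI is full of binary data, which is the shape of an MS03-007 overflow probe, separately from a merely overlong URL. The sample log lines, the IP addresses (RFC 5737 documentation ranges), the 2048-byte length threshold and the rule names are all constructed for this example; the second sample line imitates the alert in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds and rule names are assumptions made for this example, not OSSEC's.
MAX_URL_LEN = 2048   # a decoded request-URI longer than this is flagged as "too long"

# Common-log-format prefix: client ident user [timestamp] "METHOD URL PROTO"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<proto>HTTP/[\d.]+))?"'
)

# Apache writes non-printable request bytes as \xNN; undo that so the detector
# sees the bytes the client actually sent (the post's alert shows \x90\x04H...).
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def decode_url(url: str) -> bytes:
    """Turn the escaped URL from the log back into the raw request bytes."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), url).encode('latin-1')


def nonprintable_count(raw: bytes) -> int:
    """Count bytes outside printable ASCII; a genuine path has none of these."""
    return sum(1 for b in raw if b < 0x20 or b > 0x7e)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    detail: str


def analyze_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method = m.group('ip'), m.group('ts'), m.group('method')
    raw = decode_url(m.group('url'))
    binary = nonprintable_count(raw)
    # A WebDAV SEARCH whose "URL" is mostly binary is the MS03-007 overflow
    # shape: the payload rides in the request-URI, not in a body or header.
    if method == 'SEARCH' and binary:
        return Finding(ip, ts, 'webdav_binary_uri',
                       f'SEARCH with {binary} non-printable of {len(raw)} URI bytes')
    # Anything else that is simply too long gets the generic rule, like OSSEC's.
    if len(raw) > MAX_URL_LEN:
        return Finding(ip, ts, 'url_too_long', f'{len(raw)}-byte URI via {method}')
    return None


def analyze(lines: List[str]) -> List[Finding]:
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample log (documentation IPs); line 2 imitates the alert in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Dec/2008:16:10:01 -0600] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Dec/2008:16:14:20 -0600] "SEARCH /\\x90'
    + '\\x04H' * 1200 + ' HTTP/1.1" 414 0',
    '203.0.113.9 - - [16/Dec/2008:16:20:33 -0600] "GET /' + 'a' * 2100
    + ' HTTP/1.1" 414 0',
    '203.0.113.5 - - [16/Dec/2008:16:25:10 -0600] "SEARCH /dav/ HTTP/1.1" 207 0',
]

if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.ts} {f.ip} {f.rule}: {f.detail}')
```

The point of decoding the escapes before checking is that the worm's bytes (0x90, 0x04) never appear in a real path, so a legitimate WebDAV SEARCH against `/dav/` passes while the overflow probe is named for what it is rather than lumped in with every overlong URL.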
The Moral of the Post:
Make sure your machines are all patched, even for old vulnerabilities. Those worms are still out there.
Josh
PS: Obligatory xkcd
Fraud Alert: VistaPrint.com
by Josh on Dec.27, 2008, under Uncategorized
Two weeks ago I ordered some business cards off of VistaPrint.com. I had never used them, but they seemed to be a reputable company. I should have done a cursory Google search, because a couple days ago, I was checking through my credit card statement, and I stumbled across a $14.95 charge from a vendor that I didn’t recognize. “AP9*VISTAPRINTRWRDS US 888-243-6185 CT U”
It was obviously somehow affiliated with VistaPrint, so I called the listed 888 number. I was greeted with a greeting that prompted me to pick one of three options to “quickly process your call”. 1) Enter your membership number 2) Enter your Credit Card # to which your membership was billed 3) Enter your home phone number
Doesn’t it kind of set the tone when one of the 3 options is entering your credit card number to which you were billed!?
After I was on hold for a couple minutes, I was able to talk to a woman who was able to pull up my account. I said I had never agreed to a membership, and she said that I did when I went through the billing process at VistaPrint.com. I told her that I had just gone through the billing process at VistaPrint.com to double-check all the agreements I had agreed to. I never once saw anything that pertained to a membership. She responded by saying that I must have agreed to it, because a pop-up comes up, and I have to enter my email twice to agree to the membership. Either way, she said, she could refund my money. I went ahead and told her to do it.
What I didn’t tell her, was that there was no way that I could have agreed to the membership, because I have NoScript running in Firefox, which blocks ALL scripts, unless I specifically allow them. In other words, there is no possible way that I agreed to this membership.
So, in conclusion, I would recommend that you do not frequent VistaPrint with your business. Who knows what else they might do?
Josh