Friday, August 31, 2007

If, Not When...

A little while ago, the network sysadmin started thinking more about security. I think the incident with the Storm Worm got him a little worried. He really took to the firewall and started locking it down. One night, I performed a port scan of our firewall from home. I was a little surprised at what came back. One of the open ports was FTP, 21. I suggested we shut down the FTP server. It doesn't get used. Well, it does, but once in a blue moon. We don't allow attachments larger than 10 megs through the firewall. So, if a vendor needs to get us a file, we create a temporary user on the firewall, and let them upload it. The reverse happens when one of our users needs to get a big file to a vendor. Since this happens maybe 5-6 times a year, I suggested we turn off FTP, and start it as needed.
The decision was "no."
The other day, the network admin was scanning the FTP logs. The FTP server is getting attacked brutally. Each log has thousands upon thousands of brute-force login attempts.
I still say we should turn off FTP, but the answer is still "no."
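The post above describes an Internet-facing FTP server whose logs fill with brute-force login attempts. What follows is an added example, not code from this blog or its author, showing how to pull the offending sources out of such logs: it counts FAIL LOGIN events per client address inside a sliding time window, flags any address that crosses a threshold, and records the usernames tried, since a host cycling through account names is a different pattern from one user mistyping a password. The log format assumed is vsftpd's; the sample lines, the threshold and the window are all constructed assumptions, and the firewall's actual FTP daemon may log differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in vsftpd's log style (not the blog's real logs):
# one host working through a username list, one vendor who gets a
# password wrong once and then logs in. 203.0.113.x and 198.51.100.x
# are documentation ranges, not real hosts.
SAMPLE_FTP_LOG = """\
Fri Aug 31 02:11:03 2007 [pid 8816] CONNECT: Client "203.0.113.9"
Fri Aug 31 02:11:04 2007 [pid 8815] [root] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:09 2007 [pid 8815] [admin] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:14 2007 [pid 8815] [administrator] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:20 2007 [pid 8815] [test] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:25 2007 [pid 8815] [ftp] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:31 2007 [pid 8815] [guest] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:37 2007 [pid 8815] [user] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 02:11:42 2007 [pid 8815] [oracle] FAIL LOGIN: Client "203.0.113.9"
Fri Aug 31 09:02:10 2007 [pid 9120] CONNECT: Client "198.51.100.20"
Fri Aug 31 09:02:15 2007 [pid 9119] [vendor_tmp] FAIL LOGIN: Client "198.51.100.20"
Fri Aug 31 09:02:31 2007 [pid 9119] [vendor_tmp] OK LOGIN: Client "198.51.100.20"
"""

# vsftpd line: "<timestamp> [pid N] [user] EVENT: Client "ip"" (the [user]
# part is absent on CONNECT lines).
FTP_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>FAIL LOGIN|OK LOGIN|CONNECT): Client "(?P<ip>[^"]+)"'
)


def parse_ftp_log(text):
    """Yield (timestamp, event, user-or-None, client ip) per recognised line."""
    for line in text.splitlines():
        m = FTP_LINE.match(line)
        if not m:
            continue  # other vsftpd events (uploads, downloads) are ignored here
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["event"], m["user"], m["ip"]


def find_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Flag any client with >= threshold FAIL LOGIN events inside `window`.

    Returns {ip: {"first_seen", "flagged_at", "failures", "usernames"}}.
    threshold and window are arbitrary assumptions for the example.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    totals = defaultdict(int)     # ip -> total failures seen in the log
    flagged = {}
    for ts, event, user, ip in parse_ftp_log(text):
        if event != "FAIL LOGIN":
            continue
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_seen": q[0], "flagged_at": ts}
    for ip, info in flagged.items():
        info["failures"] = totals[ip]
        info["usernames"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_FTP_LOG).items():
        print(f"{ip}: {info['failures']} failures, first {info['first_seen']}, "
              f"flagged {info['flagged_at']}, users tried: {', '.join(info['usernames'])}")
```

The flagged addresses are what you would feed to a firewall block list or a tool such as fail2ban, but that is the second-best control. The cheapest fix is the one the post argues for: an FTP service that is needed a handful of times a year should be off, and brought up only for the transfer.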

Tuesday, August 21, 2007

Better Late Than Never

[Given the theme here.....]

BRUCE SPRINGSTEEN'S 'MAGIC'
SET FOR OCTOBER 2 RELEASE ON COLUMBIA RECORDS

'Magic,' Bruce Springsteen's new studio recording and his first with the E Street Band in five years, is set for release by Columbia Records on October 2, 2007. Produced and mixed by Brendan O'Brien, the album features eleven new Springsteen songs and was recorded at Southern Tracks Recording Studio in Atlanta, GA.

'Magic' Song Titles:

1. Radio Nowhere
2. You'll Be Comin' Down
3. Livin' in the Future
4. Your Own Worst Enemy
5. Gypsy Biker
6. Girls in Their Summer Clothes
7. I'll Work for Your Love
8. Magic
9. Last to Die
10. Long Walk Home
11. Devil's Arcade

'Magic' is the first new studio album by Bruce Springsteen and the E Street Band since 2002's GRAMMY Award-winning, multi-platinum, number one album 'The Rising' (Columbia Records), which was also produced by O'Brien.

Bruce Springsteen's longtime manager Jon Landau said, "'Magic' is a high energy rock CD. It's light on its feet, incredibly well played by Bruce and the members of the E Street Band, and, as always, has plenty to say. It's also immensely entertaining. 'Magic' is the third collaboration between Bruce and Brendan O'Brien and is a culmination of their very productive creative relationship."

Tuesday, August 14, 2007

Firewall log: LDAP.Request.DoS

We keep seeing this in our firewall logs. The packets are going from our DMZ server to our primary domain controller. What I'm not sure of is whether this is an active attack, or whether something misconfigured on the DMZ server is triggering a false positive.
====Alert====
From: FortiLog-100A(192.168.1.12)
Trigger Name: Attack Log Warning
Log type: attack log
Alert Severity: High
Triggered Threshold: More than 1 event occured in the last 0.5 hour.
Source Device: Local FortiAnalyzer[Hostname:FortiLog-100A IP: 192.168.1.12]
Last Raw Message:
itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature pri=alert vd=root serial=1945370 attack_id=14770 severity=critical src=192.168.9.2 dst=192.168.1.201 src_port=55845 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp user=N/A group=N/A ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS

We get quite a few of these. Because of the frequency, I seem to think that they are malicious in nature. The knowledge base says the attack is against a Windows 2000 vulnerability. Our servers are Windows 2003. If anyone has seen this and has any insight, I would love to hear from you.
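To help sort out the question the post raises (an attack, or the DMZ server's own traffic tripping a signature), here is an added example; it is not part of the original post and not Fortinet tooling. It parses FortiGate key=value log lines like the raw message above, tolerating the unterminated msg= quote exactly as the line appears here, groups IPS hits for the signature by source, source interface, destination and port, and labels each source. A single DMZ host hitting the domain controller on 389/tcp over and over is what an application on that host binding to Active Directory looks like, which is the misconfiguration case the post suggests; the same signature from a WAN-side address would be treated as hostile. The DMZ network range is an assumption inferred from the src address in the alert, and the extra log lines, including the WAN-side one, are constructed to exercise both branches.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption (not stated on the page): the dmz1 interface fronts
# 192.168.9.0/24, inferred from the alert's src address.
DMZ_NET = ip_network("192.168.9.0/24")

# Sample input. Line 1 is the raw message from the alert, reproduced as it
# appears on the page (the msg= value has no closing quote). Lines 2-4 are
# constructed in the same format: two more hits from the DMZ host and one
# from a WAN-side address (203.0.113.45 is a documentation range, not real).
SAMPLE_LOGS = """\
itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature pri=alert vd=root serial=1945370 attack_id=14770 severity=critical src=192.168.9.2 dst=192.168.1.201 src_port=55845 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp user=N/A group=N/A ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS
itime=1187120498 date=2007-08-14 time=15:43:45 devname=Fortigate-200A type=ips subtype=signature pri=alert attack_id=14770 severity=critical src=192.168.9.2 dst=192.168.1.201 src_port=55902 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS"
itime=1187120561 date=2007-08-14 time=15:44:48 devname=Fortigate-200A type=ips subtype=signature pri=alert attack_id=14770 severity=critical src=192.168.9.2 dst=192.168.1.201 src_port=55917 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS"
itime=1187120777 date=2007-08-14 time=15:48:24 devname=Fortigate-200A type=ips subtype=signature pri=alert attack_id=14770 severity=critical src=203.0.113.45 dst=192.168.1.201 src_port=40211 dst_port=389 src_int=wan1 dst_int=internal status=detected proto=6 service=389/tcp ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS"
"""

# key=value pairs; a value is a closed quoted string, an unterminated quoted
# string running to end of line (the truncated alert), or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|"(.*)$|(\S+))')


def parse_fortigate_line(line):
    """Parse one FortiGate log line into a dict of field -> string value."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # exactly one of the three value alternatives participated
        fields[key] = next(v for v in m.groups()[1:] if v is not None)
    return fields


def triage(raw_log, signature="LDAP.Request.DoS"):
    """Group IPS hits for `signature` by (src, src_int, dst, dst_port).

    Returns (Counter of groups, {src: (label, explanation)}). Label is
    'dmz-host' for a source on the DMZ segment arriving via a dmz interface,
    'external' for anything else.
    """
    events = (parse_fortigate_line(l) for l in raw_log.splitlines() if l.strip())
    hits = [e for e in events
            if e.get("type") == "ips" and signature in e.get("msg", "")]
    groups = Counter((e["src"], e["src_int"], e["dst"], e["dst_port"]) for e in hits)
    verdicts = {}
    for (src, src_int, dst, dst_port), n in groups.items():
        if ip_address(src) in DMZ_NET and src_int.startswith("dmz"):
            verdicts[src] = ("dmz-host",
                f"{n} hit(s) from DMZ host {src} to {dst}:{dst_port}; find which "
                "process on that host owns the LDAP connections before calling it an attack")
        else:
            verdicts[src] = ("external",
                f"{n} hit(s) from {src} via {src_int} to {dst}:{dst_port}; an outside "
                "address should not be reaching the DC on 389/tcp at all")
    return groups, verdicts


if __name__ == "__main__":
    groups, verdicts = triage(SAMPLE_LOGS)
    for key, n in groups.items():
        print(n, key)
    for src, (label, why) in verdicts.items():
        print(f"{src}: {label}: {why}")
```

The parser output is also the place to pick up the ref URL and attack_id for the signature. If the reference page describes a Windows 2000 issue and the target is a Windows 2003 DC, a status=detected hit is not evidence of a successful attack, but it still leaves the question of what on the DMZ server is generating the traffic; the answer comes from the DMZ host (which process holds the connections to the DC on 389) and from the DC's own logs, not from the firewall alone.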

Friday, August 10, 2007

Updates....

I've updated my links section to add a couple of links. The ISC should be read every day in order to get a good idea of what is current.

Plus, if you don't read Chief's column at "A Day In The Life Of An Information Security Investigator," you should. Absolutely great reading. He's got two great columns up: a picture dump, and a write-up of Black Hat and Defcon. I couldn't attend. I wish I could have. Chief's write-ups at least let me get a feeling for it.

Pictures From Black Hat and DefCon 2007, 1

Pictures From Black Hat and DefCon 2007, 2

Some Things I've Learned Attending Black Hat & DefCon

Saturday, August 4, 2007

Wireless hacking

I'm still learning. I have a long way to go. I was reading another blog on the activities of Black Hat, out in Vegas. This attack was discussed:

http://www.tgdaily.com/content/view/33207/108/

It almost makes me not want to use a laptop with public wireless.