
Friday, January 15

Haiti domain registrations on the rise

Over the past couple days I've been reporting over on the Internet Storm Center about the number of domains that have been registered (either legitimately for good use, or for malicious use) concerning the Haitian Earthquake disaster.  Read the original article here.

Like I said in that article, we're assuming that these domains are being registered for legitimate and helpful use, but we try and keep our eye out for the illegitimate ones, just in case someone wants to put some malware on a site, or try and trick you into giving up your credit card numbers or donating money via Paypal to a "cause" that never donates the money to Haiti on the backend.  We saw this with Hurricane Katrina, we saw it with the Tsunami disaster, and now, we are seeing it with the Haitian Earthquake.  (See the article here.)

But the number of registered domains is on the rise.  We saw 38 on Wednesday, 445 on Thursday, and today we saw 680 (so, well over 1,000).  It's practically impossible to check these domains by hand, so we are working with a couple of partners in the Internet space to take a look at these domains with us to ensure that they are clean.

Please exercise caution when visiting these sites, and please, donate money for the cause.  But please be extra cautious about who you are donating money to.  You know you can donate to legitimate sites like the Red Cross, but do you also know you can donate to these other organizations:

(Thanks Kevin for those links)

Wednesday, January 13

Haitian earthquake news

Today, I posted an article on the Internet Storm Center about the fact that sometimes domains are parked and used for malicious use when a disaster occurs.

Domains like haitiearthquake2010 and haitiearthquakerelief and various names like that.

Well, because this is of such a large concern, I was contacted by no less than 5 news organizations today. Newsweek, ABC news, CBS news, SCMagazine, and Foxnews.com. All wanted comments and news about the Haitian disaster and the monitoring that we have taking place in order to protect people from getting scammed.

A couple of the articles I was mentioned in can be found above at my "in the media" link.

I think it's great that news organizations are taking an interest in protecting the World against these predators.

Always remember, the safe bet is to donate money via an outlet like redcross.org.

Please donate.

Thursday, November 19

Fedora 12 allows installation of software without root privs

I posted this on the ISC this morning as well, but I just wanted to post it here as well.

A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication.  Yes, you just read that correctly.  (I'll give you a second to re-read that sentence so I don't have to retype it.)  Yes, "it's a feature, not a bug".
In all my travels I've only run across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop.  But what kind of security implications does this have?  I obviously don't have to explain why this is (may be) a bad idea to the readers of the ISC, as we are all security-minded people.
Now, the restrictions.  This change does not affect yum on the command line.  This only affects installing things through the GUI.  (Not that that helps any, as most users will be running the GUI anyway.)  You can also disable it.
Create a file in:
/var/lib/polkit-1/localauthority/20-org.d  (you can name the file anything you want)
and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

(The above came from the release notes for Fedora 12, found here.)
Also, I found this as a solution:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Currently in the bug, there is some debate about if they should revert this feature.  So, this may be just temporary.
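
A way to check such a file, as an added example (not from the original post or the Fedora release notes): it parses the entry shown above and reports whether a given user and action are covered by an entry that sets all three Result keys to auth_admin. The function names, the constructed sample and the simplification of matching only unix-user identities are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the entry from the post, with its placeholder users.
SAMPLE_PKLA = """\
[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def split_list(value):
    """Split a semicolon-separated value, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def audit_pkla(text, user, action):
    """Return (covered, problems) for one user and one action id.

    covered is True when some entry names the user and matches the action;
    problems lists Result keys in those entries that are not auth_admin.
    Assumption: only unix-user identities are considered.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep key case: ResultAny, not resultany
    parser.read_string(text)
    covered, problems = False, []
    for name in parser.sections():
        entry = parser[name]
        identities = split_list(entry.get("Identity", ""))
        actions = split_list(entry.get("Action", ""))
        if not any(fnmatchcase(f"unix-user:{user}", i) for i in identities):
            continue
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        covered = True
        for key in RESULT_KEYS:
            value = entry.get(key)
            if value != "auth_admin":
                problems.append(f"[{name}] {key}={value}")
    return covered, problems
```

Run against the sample, a user who is not listed in Identity comes back as not covered, which is the thing to look for when the entry is copied with its placeholder user names left in.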


Please leave comments below.


Wednesday, October 7

Spam Increase lately?

As I posted on the Internet Storm Center this morning:


Thanks to a reader (Thanks Bob), who wrote in this morning asking if we have seen an increase in spam lately, I can personally confirm that yes, I have seen more spam in my inbox lately.
Bob sent us a couple interesting graphics, the first being a graph of how much of a spam increase there has been recently:

Secondly another graph he sent in was an interesting correlation.  It was how many viruses have been blocked by ClamD.


As I said, I've noticed a big increase in spam lately in my own personal email as well.
What about the rest of the readers?  Have you guys experienced similar?





Please leave comments below.


Thursday, October 23

ISC Podcast Episode Eleven Posted

Hey everyone, sorry it has taken so long to get around to recording another podcast episode. Travel schedules have been very crazy between us lately. Anyway, enough excuses, here is episode eleven. Thanks for all the emails asking me where it is! :) It helps to remind me....

All the podcasts
Just this podcast
Podcast through iTunes


Friday, August 29

Internet Storm Center Podcast Episode 10 posted

Just a quick note to let everyone know that we put out Podcast Episode 10.

iTunes users, go here to subscribe.
Non-iTunes users, go here to download.

As always we are looking for listener feedback, be sure and write in!


Monday, August 25

Podcast Episode X Record Notice

Tomorrow night at 7:30 EDT (Eastern Daylight Savings Time) Johannes, John, and I will be recording Episode X of the Internet Storm Center Podcast.

We'll be broadcasting live at http://www.stickam.com/joelesler

Please come and join! We love live feedback, talk with us in the stickam interface or via IRC in #dshield on irc.freenode.net.

Thanks!



Wednesday, August 13

Podcast Episode Nine Posted

Okay, so after much craziness concerning the Live Podcast from SANSFIRE of Episode 9, it's finally posted.

So to give you a quick rundown on what took us so long to get this thing posted, all of the mics that were being used were going into a Soundboard, and the Soundboard audio was going directly out to a DVD recorder. The DVD recorder also had video in from a camera in the back of the room that was being manned during the podcast.

Turns out, the camera was also recording! Isn't that awesome? Well, turns out, there is a lot of FAIL in this story.

The camera has mysteriously vanished. Don't know where it went, but in it somewhere, wherever it is, is a recording of the podcast. If someone finds this mythical recording, please, feel free to give me the video/audio off of what is inside it.

Wait, you say, what about the DVD Recorder? Well, we got the DVD, but the DVD has a big fat scratch down the middle of it, and we can't get the video off of it.

But luckily, I had GarageBand open, and I recorded the podcast using my built-in mic on my MacBook Pro. Now, this is not the best audio in the whole wide world, but at the time, we had no alternative. So THAT's what the audio from the podcast is. Not out of the soundboard, not off of a video camera, but off of my built-in mic on the MacBook Pro.

As a result the audio of some of the people, unless they were loud, or speaking into a mic, is not the best. You'll hear some of this in the beginning, but once we got everyone speaking into mics, and being loud, it gets a bit better.

You'll also hear me whispering for beer at some point in the beginning, just disregard that, beer was needed. :)

Enjoy.

UPDATE: Probably helps if I put a URL right?

All the podcasts

Just this podcast

Podcast through iTunes


Thursday, July 24

Webinar with Dan Kaminsky

There is a webinar with Dan Kaminsky today to talk about the DNS issue.

Link is here.  Go and register and listen to all the news about the DNS vuln/exploit.

List of people on the panel:
* Dan Kaminsky, Director of Penetration Testing, IOActive
* Jerry Dixon, Former Director of the National Cyber Security Division, DHS
* Rich Mogull, Securosis
* Joao Damas, Sr. Programme Manager, ISC


Podcast Last night

The podcast last night (and my speech) went great, we had a great attendance (about 50-70 ish) turn out.

Unfortunately we were not able to broadcast it live since we had no internet, but we did get video and audio recordings of the whole thing.  We'll try and make those available soon!

Thanks for all those that turned out!

UPDATE:  I received word that there were 65 in the speech.  Even more in the podcast!


Tuesday, July 8

Podcast Episode 8 Record Notice

Hey everyone, we're going to have a live Podcast record tomorrow at 6 pm EDT.  (That's Eastern Daylight Savings Time)

We'll be streaming it live via Stickam, and as always we welcome your feedback.  The link we'll be streaming from is: http://www.stickam.com/joelesler

Please feel free to join us, we look forward to hearing your live feedback either in the Stickam Chat room, or in #dshield on irc.freenode.net.


Wednesday, June 25

Podcast Episode Seven has been posted

The publishment (like that word don't you) of Podcast Episode Seven of the Internet Storm Center Podcast.

I'd like to thank all the viewers that were live on the show while broadcasting, it was great having you, maybe next time we'll be able to get more?  We had about 20 I believe (I didn't count) at one point.  It would be great if we could increase this count, as I'd like to do a live Q&A via the listeners.  (Couple new segments I'm working on)

We had Paul Asadoorian of PaulDotCom Security Weekly as a guest, and it's probably our best podcast yet!

Go grab it through iTunes, and for those of you that are not listeners of PaulDotCom, please subscribe to that one too!
