Title: Internet Storm Center
Post by: RichM on March 29, 2007, 08:47:14 PM

For anyone not familiar, Internet Storm Center (ISC) is a great way to keep track of the current condition of the internet. Each day a different administrator is assigned to keep diary entries. These entries vary from current attack vectors, to discussions of critical patches for various OSes and applications. The ISC also contains a list of the top 10 ports being attacked and a world map depicting attack trends.

The ISC is a resource that helps to paint a picture of what is going on in the cloud, the problem is that most of us have 20 tasks to complete, and even the two minutes needed to browse the site is too much to spare. Luckily (and if you are running Windows), Tom Liston of Intelguardians wrote an application that sits in the system tray: http://handlers.sans.org/tliston/ISCAlert.zip. Simply download the .zip file, and double click the .exe. If you have an environment which restricts executables, simply copy the .exe into C:\Documents and Settings\uuser\Start Menu\Programs\Startup. In the system tray you will see a small icon of the world, which hopefully will be green, this indicates that everything is normal. As the threat level increases, the color of the icon changes; for a complete breakdown of each threat level and the color which represents the threat see http://isc.sans.org/infocon.html

Title: Re: Internet Storm Center
Post by: Cutaway on March 29, 2007, 11:35:05 PM

For those of you using Yahoo Widgets there are several that monitor ISC. I prefer the one I developed ;D which you can find at http://widgets.yahoo.com/gallery/view.php?widget=40554.

Although the default skin is rather large the circle skin can be minimized very small.

Enjoy,
Cutaway

Title: Re: Internet Storm Center
Post by: BillV on March 30, 2007, 08:06:36 AM

oOoOo, Neato :-D

Will try 'em both out.

Title: Re: Internet Storm Center
Post by: jimbob on April 02, 2007, 02:00:38 AM

For info, ISC Internet Threat Level was raised to yellow following the issues surrounding the Windows ANI bug. ISC is a good place to get headlines and links to current topics and worth a visit.

Jimbob

Title: Re: Internet Storm Center
Post by: RichM on April 03, 2007, 07:50:58 PM

I noticed that and to be honest was a little surprised that they waited a full day. When the vuln. was first announced the level was left at green but the next morning it was yellow. Does anyone know if the threat level is up to the discretion of the incident handler of the day, or if a governing body at SANS makes that decision?

Title: Re: Internet Storm Center
Post by: Negrita on April 04, 2007, 04:29:00 PM

RichM, you'll find your answer here: ANI exploit code drives INFOCon to Yellow (http://isc.sans.org/diary.html?storyid=2542).

Quote

Published: 2007-03-31, Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)

The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly. Rating systems such as Symantec's ThreatCon (currently at 2 of 4,) FS/ISAC's Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is to "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.

* Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
* The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
* The number of compromised sites pointing to malicious sites is also on the rise.

Recommendations:

* Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
* Content-filtering. If your environment supports it, dropping ANI files (not based on file extension, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)

BTW, we're back to GREEN for now. :D
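
The quoted diary's content-filtering advice (identify ANI files by inspection, not by extension) can be sketched as follows. This is an added example, not code from the thread or from the ISC diary. Its assumptions: "non-compliant" is defined here as an `anih` chunk whose length is not the 36-byte ANI header size, or any chunk that overruns the buffer, and the sample buffers are constructed for the example.

```python
import struct

ANIH_SIZE = 36  # ANI header structure: nine 32-bit fields


def inspect_ani(data: bytes) -> str:
    """Classify a buffer by content: 'not-ani', 'ani-ok' or 'ani-noncompliant'."""
    # An ANI file is a RIFF container whose form type is 'ACON'.
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return "not-ani"
    return "ani-ok" if _chunks_ok(data, 12, len(data)) else "ani-noncompliant"


def _chunks_ok(data: bytes, pos: int, end: int) -> bool:
    """Walk RIFF chunks in data[pos:end], descending into LIST chunks."""
    while pos < end:
        if pos + 8 > end:
            return False                      # truncated chunk header
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > end:
            return False                      # chunk claims more bytes than exist
        if tag == b"anih" and size != ANIH_SIZE:
            return False                      # header chunk of the wrong length
        if tag == b"LIST" and (size < 4 or not _chunks_ok(data, body + 4, body + size)):
            return False
        pos = body + size + (size & 1)        # chunks are padded to even length
    return True


def chunk(tag: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk (used only for the constructed samples below)."""
    return tag + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def riff_acon(*chunks: bytes) -> bytes:
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# Constructed samples: a minimal well-formed header and one with a 40-byte anih.
GOOD = riff_acon(chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
BAD = riff_acon(chunk(b"anih", bytes(40)))

if __name__ == "__main__":
    for name, buf in [("good.jpg", GOOD), ("bad.ani", BAD), ("pic.gif", b"GIF89a" + bytes(20))]:
        print(name, inspect_ani(buf))         # the file name plays no part in the verdict
```
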