From security at unicamp.br Tue Jan 10 10:08:33 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 10 Jan 2012 10:08:33 -0200
Subject: [SECURITY-L] [technical-alerts@us-cert.gov: US-CERT Technical Cyber Security Alert TA12-006A -- Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack]
Message-ID: <20120110120833.GB61410@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA12-006A -- Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
To: technical-alerts at us-cert.gov
Date: Fri, 6 Jan 2012 16:16:48 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA12-006A

       Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack

   Original release date: January 06, 2012
   Last revised: --
   Source: US-CERT

Systems Affected

   Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS)
   are affected.

Overview

   Wi-Fi Protected Setup (WPS) provides simplified mechanisms to
   configure secure wireless networks. The external registrar PIN
   exchange mechanism is susceptible to brute force attacks that could
   allow an attacker to gain access to an encrypted Wi-Fi network.

I. Description

   WPS uses a PIN as a shared secret to authenticate an access point
   and a client and provide connection information such as WEP and WPA
   passwords and keys. In the external registrar exchange method, a
   client needs to provide the correct PIN to the access point. An
   attacking client can try to guess the correct PIN. A design
   vulnerability reduces the effective PIN space sufficiently to allow
   practical brute force attacks. Freely available attack tools can
   recover a WPS PIN in 4-10 hours.

   For further details, please see Vulnerability Note VU#723755 and
   further documentation by Stefan Viehbock and Tactical Network
   Solutions.

II. Impact

   An attacker within radio range can brute-force the WPS PIN for a
   vulnerable access point. The attacker can then obtain WEP or WPA
   passwords and likely gain access to the Wi-Fi network. Once on the
   network, the attacker can monitor traffic and mount further attacks.

III. Solution

   Update Firmware

   Check your access point vendor's support website for updated
   firmware that addresses this vulnerability. Further information may
   be available in the Vendor Information section of VU#723755 and in
   a Google spreadsheet called WPS Vulnerability Testing.

   Disable WPS

   Depending on the access point, it may be possible to disable WPS.
   Note that some access points may not actually disable WPS when the
   web management interface indicates that WPS is disabled.

IV. References

 * Vulnerability Note VU#723755 -

 * Wi-Fi Protected Setup PIN brute force vulnerability -

 * Cracking WiFi Protected Setup with Reaver -

 * WPS Vulnerability Testing -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA12-006A Feedback VU#723755" in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .
____________________________________________________________________

   Produced 2012 by US-CERT, a government organization.
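   The alert above says only that "a design vulnerability reduces the
   effective PIN space". The following Python is an added illustration,
   not part of the US-CERT alert and not any vendor's or attack tool's
   code, of why the reduction is so large: the 8-digit PIN carries a
   checksum in its last digit, and in the external-registrar exchange
   the access point reveals whether the first four digits were correct
   before the remaining three are checked, so the two halves can be
   searched independently. The checksum formula and the split
   verification follow the Viehbock analysis the alert references; the
   RegistrarOracle class is a constructed stand-in for an access point
   (no radio or 802.11 code), and the PIN 12345670 is an assumed test
   value.

```python
"""Why the WPS external-registrar PIN is brute-forceable (added example).

The PIN is 8 decimal digits; the 8th is a checksum over the first 7.  The
access point answers the attacker's M4 with M5 only if digits 1-4 were
right, and M6 with M7 only if digits 5-8 were right, so the halves can be
guessed separately.  RegistrarOracle is a constructed stand-in for an AP,
not real WPS code; PIN 12345670 below is an assumed test value.
"""
from typing import Dict, Optional


def wps_checksum_digit(first7: int) -> int:
    """Checksum digit of a WPS PIN: the weighted digit sum must be 0 mod 10."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)   # odd positions (counting from the right) weigh 3
        n //= 10
        accum += n % 10         # even positions weigh 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin8: int) -> bool:
    """True when the 8-digit PIN's last digit matches the checksum."""
    return 0 <= pin8 < 10**8 and pin8 % 10 == wps_checksum_digit(pin8 // 10)


class RegistrarOracle:
    """Models the AP side of the PIN exchange as two separable checks.

    Each check counts as one attempt, mirroring one M4 or M6 round trip.
    """

    def __init__(self, pin8: int) -> None:
        if not is_valid_wps_pin(pin8):
            raise ValueError("not a well-formed WPS PIN")
        self._first_half = pin8 // 10000   # digits 1-4
        self._second_half = pin8 % 10000   # digits 5-7 plus checksum digit
        self.attempts = 0

    def first_half_ok(self, guess: int) -> bool:
        self.attempts += 1
        return guess == self._first_half

    def second_half_ok(self, first_half: int, guess: int) -> bool:
        self.attempts += 1
        return first_half == self._first_half and guess == self._second_half


def recover_pin(oracle: RegistrarOracle) -> Optional[int]:
    """Brute-force both halves independently: at most 10^4 + 10^3 attempts."""
    first_half = next((g for g in range(10**4) if oracle.first_half_ok(g)), None)
    if first_half is None:
        return None
    for tail in range(10**3):  # digits 5-7; the checksum digit is derived
        checksum = wps_checksum_digit(first_half * 1000 + tail)
        second_half = tail * 10 + checksum
        if oracle.second_half_ok(first_half, second_half):
            return first_half * 10000 + second_half
    return None


def keyspace_sizes() -> Dict[str, int]:
    """Worst-case number of guesses under each attacker model of the PIN."""
    return {
        "naive_8_digits": 10**8,                        # no structure known
        "checksum_known": 10**7,                        # last digit derived
        "halves_verified_separately": 10**4 + 10**3,    # the design flaw
    }


if __name__ == "__main__":
    ap = RegistrarOracle(12345670)  # assumed test PIN with a valid checksum
    print(recover_pin(ap), "recovered after", ap.attempts, "attempts")
    print(keyspace_sizes())
```

   The worst case is 11,000 attempts instead of 10^7; at the rate of a
   few seconds per M4/M6 exchange that is the 4-10 hour figure the alert
   quotes, which is why disabling the external-registrar PIN method, not
   choosing a "better" PIN, is the fix.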
   Terms of use:

____________________________________________________________________

Revision History

   January 06, 2012: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTwdgcT/GkGVXE7GMAQLtAQgAtUPVSW+g9O7PdjUab+1XGBHUN4S1cZxX
O3d9r3S6U282dPATsU5tTVj9ovfrngm6f4Rs4wZO1SC80FfQZ04+37gabuab0/G0
bXI8OUzMiKh8nEI55KREkDOCVouZgKqIGw1Hn3oXaqPL2wYSY4vhf9/1yX4MYS8q
2qvfFGtTXVeDzblzKI/8AYjh3tEFCZR06ix2YvDvvuZvJ8tupo1y+JGSYL4JSPD7
kePOqmGSWZoc5pO08QdNYdqmBPf7QBCK3Zk/3HFCZw7WYSsQ5W8Rzz5wlLq6MY/W
1s+L5/APkbin1sqR4abFZ85LOqBGRfXBsedAxkuDIoMTuaGZHm4wNw==
=omg5
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security at unicamp.br Wed Jan 11 09:20:44 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 11 Jan 2012 09:20:44 -0200
Subject: [SECURITY-L] [technical-alerts@us-cert.gov: US-CERT Technical Cyber Security Alert TA12-010A -- Microsoft Updates for Multiple Vulnerabilities]
Message-ID: <20120111112044.GE61579@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA12-010A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts at us-cert.gov
Date: Tue, 10 Jan 2012 14:22:36 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA12-010A

            Microsoft Updates for Multiple Vulnerabilities

   Original release date: January 10, 2012
   Last revised: --
   Source: US-CERT

Systems Affected

 * Microsoft Windows
 * Microsoft Developer Tools and Software

Overview

   There are multiple vulnerabilities in Microsoft Windows and Microsoft
   Developer Tools and Software. Microsoft has released updates to
   address these vulnerabilities.

I. Description

   The Microsoft Security Bulletin Summary for January 2012 describes
   multiple vulnerabilities in Microsoft Windows. Microsoft has released
   updates to address the vulnerabilities.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code,
   cause a denial of service, or gain unauthorized access to your files
   or system.

III. Solution

   Apply updates

   Microsoft has provided updates for these vulnerabilities in the
   Microsoft Security Bulletin Summary for January 2012. That bulletin
   describes any known issues related to the updates. Administrators
   are encouraged to note these issues and test for any potentially
   adverse effects. In addition, administrators should consider using
   an automated update distribution system such as Windows Server
   Update Services (WSUS).

IV. References

 * Microsoft Security Bulletin Summary for January 2012 -

 * Microsoft Windows Server Update Services -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA12-010A Feedback VU#806915" in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .
____________________________________________________________________

   Produced 2012 by US-CERT, a government organization.
   Terms of use:

____________________________________________________________________

Revision History

   January 10, 2012: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTwyNVT/GkGVXE7GMAQL3cQf/QGrbwXlSvf4A26ZlKSl35diecmcmmxQF
8dipsD1evpihNNcYi66QqjjvFnJjMIRW2UPoNZeaCOz/GWdsTLekr/YcVjtd8a1o
fDlQEVyYwEkOhJBgIa+h9r2/t8Kc1o0Q9GfRLFtdb8czmkxNuHsHfSuj5kom+a3w
7OrkLeuO0uMa8DbmlQ40NL75Sm4Jmh6zkkfJQw8y02j5IkmUlAlQv2eAooNbcc6Q
4wHt/H2nHtpDpg3KH3HXzGj8Q75BQ+hacFVklPJADl83qROQzVNsOIO+CvhyOZgV
+lKzulReTu7bXyhcSgNi9SyW9gDsgGP87iz5BUXsn/csRs9V9pJBQw==
=ErKk
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security at unicamp.br Wed Jan 11 15:48:13 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 11 Jan 2012 15:48:13 -0200
Subject: [SECURITY-L] [technical-alerts@us-cert.gov: US-CERT Technical Cyber Security Alert TA12-010A -- Microsoft Updates for Multiple Vulnerabilities]
Message-ID: <20120111174813.GF61579@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA12-010A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts at us-cert.gov
Date: Tue, 10 Jan 2012 14:22:36 -0500
Organization: US-CERT - +1 202-205-5266

----- End forwarded message -----

From security at unicamp.br Thu Jan 12 10:36:40 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 12 Jan 2012 10:36:40 -0200
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: summary of the Microsoft Security Bulletins - Jan/2012]
Message-ID: <20120112123640.GA74754@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: summary of the Microsoft Security Bulletins - Jan/2012
To: pop-seg at cais.rnp.br, rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Thu, 12 Jan 2012 10:23:05 -0200 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

Microsoft published 7 security bulletins on 11 January, addressing a
total of 8 vulnerabilities in the company's products. Exploitation of
these vulnerabilities allows remote code execution, security feature
bypass, elevation of privilege and unauthorized information disclosure.

SEVERITY

. Critical
  - MS12-004 - Vulnerabilities in Windows Media Could Allow Remote Code
    Execution

. Important
  - MS12-001 - Vulnerability in Windows Kernel Could Allow Security
    Feature Bypass
  - MS12-002 - Vulnerability in Windows Object Packager Could Allow
    Remote Code Execution
  - MS12-003 - Vulnerability in Windows Client/Server Run-time Subsystem
    Could Allow Elevation of Privilege
  - MS12-005 - Vulnerability in Microsoft Windows Could Allow Remote
    Code Execution
  - MS12-006 - Vulnerability in SSL/TLS Could Allow Information
    Disclosure
  - MS12-007 - Vulnerability in AntiXSS Library Could Allow Information
    Disclosure

. Moderate
  - No bulletins

. Low
  - No bulletins

The vulnerability severity rating system adopted by CAIS in this summary
is Microsoft's own. CAIS recommends applying, at a minimum, the fixes
for vulnerabilities rated critical and important. For fixes for
vulnerabilities rated moderate, CAIS recommends that at least the
mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the
  propagation of a worm without user interaction.
. Important - Vulnerabilities whose exploitation could result in the
  compromise of the confidentiality, integrity or availability of user
  data, or of the integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as
  default configuration, auditing or difficulty of exploitation.
. Low - A vulnerability whose exploitation is extremely difficult or
  whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/
. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for January 2012
  http://www.microsoft.com/technet/security/bulletin/ms12-jan
. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/
. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/
. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/
. Microsoft Security (Brazil)
  http://www.microsoft.com/brasil/security/
. MS12-001 - Vulnerability in Windows Kernel Could Allow Security
  Feature Bypass
  http://technet.microsoft.com/en-us/security/bulletin/ms12-001
. MS12-002 - Vulnerability in Windows Object Packager Could Allow Remote
  Code Execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-002
. MS12-003 - Vulnerability in Windows Client/Server Run-time Subsystem
  Could Allow Elevation of Privilege
  http://technet.microsoft.com/en-us/security/bulletin/ms12-003
. MS12-004 - Vulnerabilities in Windows Media Could Allow Remote Code
  Execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-004
. MS12-005 - Vulnerability in Microsoft Windows Could Allow Remote Code
  Execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-005
. MS12-006 - Vulnerability in SSL/TLS Could Allow Information Disclosure
  http://technet.microsoft.com/en-us/security/bulletin/ms12-006
. MS12-007 - Vulnerability in AntiXSS Library Could Allow Information
  Disclosure
  http://technet.microsoft.com/en-us/security/bulletin/ms12-007

CVE identifiers (http://cve.mitre.org):
CVE-2011-3389, CVE-2012-0001, CVE-2012-0009, CVE-2012-0005,
CVE-2012-0003, CVE-2012-0004, CVE-2012-0013, CVE-2012-0007

CAIS recommends that administrators keep their systems and applications
always up to date, in line with the latest versions and fixes offered by
the vendors.
The CAIS alerts are also available as RSS/RDF and on Twitter:

http://www.rnp.br/cais/alertas/rss.xml
Follow @caisrnp

Regards,
CAIS/RNP Team

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais at cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTw7Qwukli63F4U8VAQGw0gP/b7W7UdMfjV5+O1x2zje7TlIDhWGZQuV9
bF5j7ofQb8MIAM9ftHRU0LZjHAZsvrIkZtpqGezCjp3qfzjZo1qiG4tXHXaXyJHQ
VQJij8iV15N1ZR7+zzDPvw4jilW8keAi302hrjzyPNkot8yMKRkbS9yiTptauP5H
aXVWxWKc7Pg=
=y/R6
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security at unicamp.br Wed Jan 25 10:31:24 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 25 Jan 2012 10:31:24 -0200
Subject: [SECURITY-L] [technical-alerts@us-cert.gov: US-CERT Technical Cyber Security Alert TA12-024A -- Anonymous DDoS Activity]
Message-ID: <20120125123123.GA64614@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA12-024A -- "Anonymous" DDoS Activity
To: technical-alerts at us-cert.gov
Date: Tue, 24 Jan 2012 22:06:18 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA12-024A

                     "Anonymous" DDoS Activity

   Original release date: January 24, 2012
   Last revised: --
   Source: US-CERT

Overview

   US-CERT has received information from multiple sources about
   coordinated distributed denial-of-service (DDoS) attacks with
   targets that included U.S. government agency and entertainment
   industry websites.
   The loosely affiliated collective "Anonymous" allegedly promoted the
   attacks in response to the shutdown of the file hosting site
   MegaUpload and in protest of proposed U.S. legislation concerning
   online trafficking in copyrighted intellectual property and
   counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing
   Real Online Threats to Economic Creativity and Theft of Intellectual
   Property Act, or PIPA).

I. Description

   US-CERT has evidence of two types of DDoS attacks: One using HTTP
   GET requests and another using a simple UDP flood.

   The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
   associated with previous Anonymous activity. US-CERT has reviewed at
   least two implementations of LOIC. One variant is written in
   JavaScript and is designed to be used from a web browser. An
   attacker can access this variant of LOIC on a website and select
   targets, specify an optional message, throttle attack traffic, and
   monitor attack progress. A binary variant of LOIC includes the
   ability to join a botnet to allow nodes to be controlled via IRC or
   RSS command channels (the "HiveMind" feature).

   The following is a sample of LOIC traffic recorded in a web server
   log:

   "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406
   "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT
   6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

   The following sites have been identified in HTTP referrer headers of
   suspected LOIC traffic. This list may not be complete. Please do not
   visit any of the links as they may still host functioning LOIC or
   other malicious code.

   "hxxp://3g.bamatea.com/loic.html"
   "hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
   "hxxp://chatimpacto.org/Loic/"
   "hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
   "hxxp://event.seeho.co.kr/loic.html"
   "hxxp://pastehtml.com/view/bl3weewxq.html"
   "hxxp://pastehtml.com/view/bl7qhhp5c.html"
   "hxxp://pastehtml.com/view/blafp1ly1.html"
   "hxxp://pastehtml.com/view/blakyjwbi.html"
   "hxxp://pastehtml.com/view/blal5t64j.html"
   "hxxp://pastehtml.com/view/blaoyp0qs.html"
   "hxxp://www.lcnongjipeijian.com/loic.html"
   "hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
   vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
   fnorefer"
   "hxxp://www.tandycollection.co.kr/loic.html"
   "hxxp://www.zgon.cn/loic.html"
   "hxxp://zgon.cn/loic.html"
   "hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"

   The following are the A records for the referrer sites as of
   January 20, 2012:

   3g[.]bamatea[.]com               A   218[.]5[.]113[.]218
   cybercrime[.]hostzi[.]com        A   31[.]170[.]161[.]36
   event[.]seeho[.]co[.]kr          A   210[.]207[.]87[.]195
   chatimpacto[.]org                A   66[.]96[.]160[.]151
   anonymouse[.]org                 A   193[.]200[.]150[.]125
   pastehtml[.]com                  A   88[.]90[.]29[.]58
   lcnongjipeijian[.]com            A   49[.]247[.]252[.]105
   www[.]rotterproxy[.]info         A   208[.]94[.]245[.]131
   www[.]tandycollection[.]co[.]kr  A   121[.]254[.]168[.]87
   www[.]zgon[.]cn                  A   59[.]54[.]54[.]204
   www[.]turbytoy[.]com[.]ar        A   190[.]228[.]29[.]84

   The HTTP requests contained an "id" value based on UNIX time and a
   user-defined "msg" value, for example:

   GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

   Other "msg" examples:

   msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
   msg=:)
   msg=:D
   msg=Somos%20Legion!!!
   msg=Somos%20legi%C3%B3n!
   msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406
   "http://pastehtml.com/view/bl7qhhp5c.html"
   msg=We%20Are%20Legion!
   msg=gh
   msg=open%20megaupload
   msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer
   %20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
   msg=stop%20SOPA!!
   msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20
   forgive.%20We%20do%20not%20forget.%20Expect%20us!

   The "msg" field can be arbitrarily set by the attacker.

   As of January 20, 2012, US-CERT has observed another attack that
   consists of UDP packets on ports 25 and 80. The packets contained a
   message followed by variable amounts of padding, for example:

   66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........

   Target selection, timing, and other attack activity are often
   coordinated through social media sites or online forums.

   US-CERT is continuing research efforts and will provide additional
   data as it becomes available.

II. Solution

   There are a number of mitigation strategies available for dealing
   with DDoS attacks, depending on the type of attack as well as the
   target network infrastructure. In general, the best practice defense
   for mitigating DDoS attacks involves advanced preparation.

 * Develop a checklist or Standard Operating Procedure (SOP) to follow
   in the event of a DDoS attack. One critical point in a checklist or
   SOP is to have contact information for your ISP and hosting
   providers. Identify who should be contacted during a DDoS, what
   processes should be followed, what information is needed, and what
   actions will be taken during the attack with each entity.

 * The ISP or hosting provider may provide DDoS mitigation services.
   Ensure your staff is aware of the provisions of your service level
   agreement (SLA).

 * Maintain contact information for firewall teams, IDS teams, and
   network teams and ensure that it is current and readily available.

 * Identify critical services that must be maintained during an attack
   as well as their priority. Services should be prioritized beforehand
   to identify what resources can be turned off or blocked as needed to
   limit the effects of the attack. Also, ensure that critical systems
   have sufficient capacity to withstand a DDoS attack.

 * Have current network diagrams, IT infrastructure details, and asset
   inventories. This will assist in determining actions and priorities
   as the attack progresses.

 * Understand your current environment and have a baseline of daily
   network traffic volume, type, and performance. This will allow staff
   to better identify the type of attack, the point of attack, and the
   attack vector used. Also, identify any existing bottlenecks and
   remediation actions if required.

 * Harden the configuration settings of your network, operating
   systems, and applications by disabling services and applications
   not required for a system to perform its intended function.

 * Implement a bogon block list at the network boundary.

 * Employ service screening on edge routers wherever possible in order
   to decrease the load on stateful security devices such as firewalls.

 * Separate or compartmentalize critical services:
   * Separate public and private services
   * Separate intranet, extranet, and internet services
   * Create single purpose servers for each service such as HTTP, FTP,
     and DNS

 * Review the US-CERT Cyber Security Tip Understanding
   Denial-of-Service Attacks.

III. References

 * Cyber Security Tip ST04-015 -

 * Anonymous's response to the seizure of MegaUpload according to CNN -

 * The Internet Strikes Back #OpMegaupload -

 * Twitter Post from the author of the JavaScript based LOIC code -

 * Anonymous Operations tweets on Twitter -

 * @Megaupload Tweets on Twitter -

 * LOIC DDoS Analysis and Detection -

 * Impact of Operation Payback according to CNN -

 * OperationPayback messages on YouTube -

 * The Bogon Reference - Team Cymru -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA12-024A Feedback INFO#919868" in the subject.
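   The alert describes two traffic patterns but gives no detection
   logic. The following Python is an added example, not code from
   US-CERT, that turns the indicators above into a check a web server
   operator can run over access logs: it flags requests whose "id" is a
   13-digit millisecond UNIX time close to the request's own timestamp
   and which carry a free-text "msg" parameter, and it records whether
   the Referer is one of the hosts listed above (accepting the defanged
   "hxxp" spelling). It also recognises the "flood" + NUL-padding UDP
   payload. The log lines are constructed for the example: client
   addresses are RFC 5737 documentation addresses, timestamps were
   chosen to match the alert's own "id" values, and the example.com
   and curl lines are invented benign traffic.

```python
"""Detection for the two LOIC traffic patterns described in TA12-024A.

Added example, not US-CERT code.  The log lines below are constructed
(RFC 5737 client addresses, timestamps chosen to match the alert's "id"
values); the request, msg and referrer strings reuse the alert's samples.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Referrer hosts from the alert's list (given there in defanged hxxp:// form).
LOIC_REFERRER_HOSTS = {
    "3g.bamatea.com", "anonymouse.org", "chatimpacto.org",
    "cybercrime.hostzi.com", "event.seeho.co.kr", "pastehtml.com",
    "www.lcnongjipeijian.com", "www.rotterproxy.info",
    "www.tandycollection.co.kr", "www.zgon.cn", "zgon.cn",
    "www.turbytoy.com.ar",
}

# Apache/nginx "combined" access-log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two LOIC hits (one with a listed referrer, one
# without), one ordinary page view, one unrelated request that also has
# "id" and "msg" parameters but no epoch-style id.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [19/Jan/2012:23:06:40 +0000] '
    '"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 '
    '"hxxp://pastehtml.com/view/blafp1ly1.html" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"',
    '198.51.100.7 - - [19/Jan/2012:23:03:10 +0000] '
    '"GET /?id=1327014189930&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 99406 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"',
    '203.0.113.5 - - [19/Jan/2012:23:07:01 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jan/2012:23:07:05 +0000] '
    '"GET /article?id=42&msg=hello HTTP/1.1" 200 1024 '
    '"http://www.example.com/" "curl/7.21.0"',
]


def referrer_host(referer: str) -> str:
    """Hostname of a Referer value; the defanged hxxp:// spelling is accepted."""
    if referer in ("", "-"):
        return ""
    return urlparse(re.sub(r"^hxxp", "http", referer)).hostname or ""


def classify_request(line: str, max_skew_seconds: int = 86400) -> Optional[Dict]:
    """Return a finding for a JavaScript-LOIC style request, or None.

    Required signals: a 13-digit "id" that decodes to a millisecond UNIX
    time within max_skew_seconds of the request's own timestamp, plus a
    "msg" parameter.  A Referer from the alert's list is recorded as an
    additional reason but is not required (the list is known incomplete).
    """
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    params = parse_qs(urlparse(m["path"]).query, keep_blank_values=True)
    id_values, msg_values = params.get("id", []), params.get("msg", [])
    if not id_values or not msg_values or not re.fullmatch(r"\d{13}", id_values[0]):
        return None
    request_ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    if abs(int(id_values[0]) / 1000.0 - request_ts) > max_skew_seconds:
        return None
    host = referrer_host(m["referer"])
    reasons = ["id_is_epoch_ms_near_request_time", "msg_parameter_present"]
    if host in LOIC_REFERRER_HOSTS:
        reasons.append("known_loic_referrer")
    return {"ip": m["ip"], "msg": msg_values[0], "referrer_host": host,
            "reasons": reasons}


def scan_log(lines: List[str]) -> List[Dict]:
    """Findings for every line that matches the LOIC HTTP pattern."""
    return [f for f in (classify_request(line) for line in lines) if f is not None]


def bytes_from_hex_dump(dump: str) -> bytes:
    """'66:6c:6f:6f:64:00' (the alert's notation) -> b'flood\\x00'."""
    return bytes.fromhex(dump.replace(":", ""))


def is_loic_udp_payload(payload: bytes, marker: bytes = b"flood") -> bool:
    """True when the payload is the marker followed only by NUL padding."""
    return payload.startswith(marker) and not payload[len(marker):].strip(b"\x00")


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
    print(is_loic_udp_payload(bytes_from_hex_dump("66:6c:6f:6f:64:00:00:00")))
```

   The timestamp cross-check is what separates LOIC from any page that
   happens to use "id" and "msg" query parameters; on a real log,
   "msg" is the field to pivot on for attribution, since the alert notes
   it is attacker-chosen and repeated across participants.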
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .
____________________________________________________________________

   Produced 2012 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   January 24, 2012: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTx9v3z/GkGVXE7GMAQJvTQf+J3rSHG60QPyNunnw9E7ifrGoY0ib+GvV
Z1y2NvfwdxStka5xaq7KVmGXd7yExwdhDhWJrfmfXTjA+9Ac18xHdDn+FwdzqueY
qF1+P+LevwJM1gNI/g2RdJDna/ij5M7+eCpk03olRcieMtANZgolh07yCiuJDodm
utleV2m/PYXVNbNsZw74x3dZcxxpYlCdBojV4jpeYSvVG5Qf7uYgQ6/Q9WHY6j4D
Z7UTIQlkA/YULjTNFcDqjdSv4DHMSJsXcmkP0BLM1n11mfRpbToSZVkKZuCZUlqI
wag8ZkuGVwiXt93hIfMpWhgfPzjAbYGeeRpt3sVivBfNyzmME1FIvw==
=A0+U
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security at unicamp.br Wed Jan 25 10:55:41 2012
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 25 Jan 2012 10:55:41 -0200
Subject: [SECURITY-L] CAIS-Resumo: September to December 2011
Message-ID: <20120125125541.GB64614@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Resumo: September to December 2011
To: pop-seg at cais.rnp.br, rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 25 Jan 2012 10:14:09 -0200 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                              CAIS Resumo
             Alerts, vulnerabilities and security incidents

      Four-monthly publication of the Centro de Atendimento a Incidentes
         de Segurança of the Rede Nacional de Ensino e Pesquisa

                       September to December 2011

   Available at: http://www.rnp.br/cais/alertas/2012/cais-res-2011-3.html
===========================================================================

This CAIS Resumo covers the alerts, vulnerabilities and other events that
stood out in the security field during the third four-month period of
2011.

1. HIGHLIGHTS
2. ALERTS
3. CAIS IN THE MEDIA
4. STATISTICS
5. NOTES

___________________________________________________________________________

1. HIGHLIGHTS

. From September to December 2011, CAIS handled 82,905 security
  incidents identified on the RNP network, with monthly totals of 23,798
  in September, 25,505 in October, 21,407 in November and 12,195 in
  December.

. The number of incidents handled during the third four-month period of
  2011 fell 31.21% compared with the period from May to August 2011.

. The use of fake web pages in fraud attacks against financial
  institutions, and the spread of malware that captures banking
  information, rose again. In this period CAIS reported 1,896 phishing
  incidents, against 389 reports in the previous four-month period.

. Cases of machines infected with worms/bots remain high, accounting
  for 86.38% of the incidents handled from September to December 2011.

. There was also a significant increase this period in copyright
  violation incidents, up 48.29% (from 1,462 to 2,168 incidents in the
  last 4 months of 2011).

. At the start of the third four-month period, CAIS improved its
  incident management process for denial-of-service attacks, aiming at
  more efficient mitigation.

. From September to December, 603 new frauds were registered in the
  CAIS Fraud Catalogue, bringing the total to 3,445 frauds since the
  service was launched in March 2008.

___________________________________________________________________________

2. ALERTS

During this period CAIS published 7 security alerts through the
CAIS-Alerta list. Below is a list of the main alerts of the period.
CAIS-Alerta: Summary of the Microsoft Security Bulletins - September/2011
Microsoft Security Bulletin Summary for September 2011
[RNP, 13.09.2011]

CAIS-Resumo - May to August 2011
Alerts, vulnerabilities and security incidents
[RNP, 07.10.2011]

CAIS-Alerta: Summary of the Microsoft Security Bulletins - October/2011
Microsoft Security Bulletin Summary for October 2011
[RNP, 13.10.2011]

Daylight Saving Time 2011/2012
CAIS Alert 20111017
[RNP, 17.10.2011]

CAIS-Alerta: Vulnerability in JBoss
CAIS Alert 20111107
[RNP, 07.11.2011]

CAIS-Alerta: Summary of the Microsoft Security Bulletins - November/2011
Microsoft Security Bulletin Summary for November 2011
[RNP, 09.11.2011]

CAIS-Alerta: Summary of the Microsoft Security Bulletins - December/2011
Microsoft Security Bulletin Summary for December 2011
[RNP, 15.12.2011]

___________________________________________________________________________

3. CAIS IN THE MEDIA

The following are the articles and interviews in which the CAIS team
took part.

Images from the DISI 2011 event, Hackerinfo was there
Hackerinfo - 01/09/2011
http://hackerinfo.com.br/category/tags/disi2011

Security on Social Networks
Securing The Human - 01/09/2011
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201109_pt.pdf

How to Report Digital Crimes
Crimes Pela Internet - 18/10/2011
http://www.crimespelainternet.com.br/como-denunciar-crimes-digitais/

The CAIS Fraud Catalogue
Dicas-l - 24/10/2011
http://www.dicas-l.com.br/arquivo/catalogo_de_fraudes_do_cais.php#.Txl7TBBSTJ5

CAIS booklet gives tips on safe online shopping at year end
Internet Legal - 21/12/2011
http://www.internetlegal.com.br/2011/12/cartilha-do-cais-traz-dicas-sobre-compras-online-seguras-no-fim-de-ano/

How to stay secure on social networks?
Canal Digital - 27/12/2011
http://canaldigitalweb.blogspot.com/2011/12/como-manter-seguranca-em-redes-sociais.html

___________________________________________________________________________

4. STATISTICS

We present a comparative analysis of the statistics of incidents
reported to CAIS in the third four-month period of 2011 against the data
for the corresponding period in previous years.

   ----------------------------------------
   Month        2009       2010       2011
   ----------------------------------------
   Sep        28,638      1,580     23,798
   Oct         1,625     23,712     25,505
   Nov         1,873     33,842     21,407
   Dec         1,542     34,018     12,195
   ----------------------------------------
   TOTAL      33,678     93,152     82,905
   ----------------------------------------

In the third four-month period of 2011 CAIS handled 82,905 security
incidents. The total number of incidents handled from September to
December fell 11% compared with the same period of 2010 and rose
146.16% compared with the same period of 2009.

   -----------------------------------------------------------
   Previous period   #incidents   Current period   #incidents
   -----------------------------------------------------------
   May/2011            36,332     Sep/2011           23,798
   Jun/2011            29,061     Oct/2011           25,505
   Jul/2011            26,987     Nov/2011           21,407
   Aug/2011            28,155     Dec/2011           12,195
   -----------------------------------------------------------
   TOTAL              120,535                        82,905
   Average             30,133                        20,726
   -----------------------------------------------------------

The average number of incidents in the third four-month period of 2011
fell by 9,407 compared with the previous period. Within this period,
October had more incidents than the other months, mainly because of
incidents related to malicious code (bots, worms).

   --------------------------
   Monthly average of incidents
   (recent years)
   --------------------------
   Year      #incidents
   --------------------------
   2011          26,611
   2010           8,753
   2009          22,233
   2008           2,995
   --------------------------

The monthly average of incidents handled in 2011 is 26,611 incidents
per month, 204.03% higher than the monthly average for 2010.

___________________________________________________________________________

5. NOTES

CAIS stresses that keeping systems and applications up to date,
following a security policy and educating users are some of the
recommended practices for reducing the risk of compromise of your
network, as well as contributing to the security of the Internet as a
whole. CAIS therefore recommends that administrators stay aware of the
alerts, fixes and updates released by vendors and by reputable
organisations in the security field.

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais at cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTx/yGOkli63F4U8VAQE//gP/aaeezJOR4VvHP+bxuFoiwCz7L8+eZAAr
C88H2Q2i/NDMcpy3FGWkMZn9B7A78h70EY5FYNYuckT9KDYCsi2GDIdSJ+Lo72Ev
Zll1Cd+pwbgZeDk4ThRnakDOjEbaqFiZpeIlfSdNtjrbDZPF2cunEowBtf+sNS0z
+xs/mb44kVc=
=Xev0
-----END PGP SIGNATURE-----

----- End forwarded message -----