CERT Warning
Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: CERT Warning

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    CERT Warning

    Someone just forwarded an e-mail warning from CERT. The e-mail reads as follows:

    US-CERT has received a report today, indicating that extensive attacks and system compromises (exploit unknown at this time) have originated from the following IP addresses.

    200.128/16
    200.222.216.133
    200.149.99.228

    Very little technical detail is available at this time. US-CERT requests that each recipient check your logs from 1 Jan 05 to present. Provide US-CERT or Control Systems Center your results either positive or negative.

    Preliminary analysis indicates that the activity initiated from these IPs appear to have been made by a group rather than an individual. More than 526 exploit attempts have been noted. The attacks seem to have targeted specific IPs, not ranges of IPs. Only servers were attacked. No desktop machines were observed to be scanned or targeted for attack. Initial attacks were automated, followed by manual hands-on attacks. All of the attacked servers were running a Microsoft Windows Operating System and at least one was fully patched when compromised.

    Please disseminate to your owner operators ASAP so US-CERT can judge the national impact of these compromised systems.

    Please review any contact with the above systems through logs, fw's, and IDS's and report back through the ISAC or directly to US-CERT or me directly at david.n.sanders@dhs.gov. I cannot stress enough the seriousness of these attacks. Response teams have been deployed to deal with system compromises from NCSD.
    best regards,

    David N Sanders
    Director, Control Systems Center
    National Cyber Security Division
    Department of Homeleand Security
    703-915-8769
    703-235-5193
    Now I checked CERT (I still am) and couldn't find anything, so I thought I'd check here to see if anyone has got any info on this or if it's just a Hoax.

    Cheers:
    DjM

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    A cursory glance at us-cert.gov shows nothing. Digging a bit through the official Dept. of Homeland Security site doesn't show any Control Systems Center, nor a Director David N Sanders. A google of 'control systems center site:dhs.gov' returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

    It's some sort of hoax, joke(?), or spam, I'd bet. It could still be legit, I'm not the first person to not have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

    If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious inmy book. Send out an official looking message, asking for tons of log's to be sent to an email address of some prominent official who you want to bog down...

    /* edit for my sh!tty grammar */
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Looks like a hoax........................

    526 exploit attempts....................chickenfeed!

    Uruguay??????????????

    c'mon




  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by zencoder
    A cursory glance at us-cert-gov shows nothing. Digging a bit through the official Dept. of Homeland Security doesn't show an Control Systems Center, nor a Director David N Sanders. A google of control systems center site:dhs.gov returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

    It's some sort of hoax, bs, or spam, I'd bet. It could still be legit, I'm not the first person to now have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

    If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious inmy book. Send out an official looking message, asking for tons of log's to be sent to an email address of some prominent official who you want to bog down...
    My source said he copied it directly from here:

    https://us-cert.esportals.net/member...partmentP=2135

    Now I am not a member so I can't log-in to verify.

    Cheers:
    DjM

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I don't think that security alerts of that nature come out on secure sites, it would kind of defeat the object would it not?

    On the other hand, as it cannot be readily verified or otherwise?.....................

    EDIT:

    Department of Homeland Security, National Cyber Security Division

    Mr. Sanders is the Director of the Critical Infrastructure Protection and Cyber Security within the Department of Homeland Security, National Cyber Security Division. The National Cyber Security Division provides for 24 x 7 cyber security functions, including conducting cyberspace analysis, issuing alerts and warning, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts.

    Most recently Mr. Sanders was the founder and President of the information security firm Securicon. He served as an executive level consultant to some of the largest corporate and government agencies in the world on matters of information security and risk management. Previously, Mr. Sanders was the Senior Security Consultant for Riptech, Inc. until its acquisition by Symantec Corporation.

    Mr. Sanders spent 20 years in the United States Army and served in a variety of assignments including Infantry, Armor, tactical and strategic satellite, and with the National Command Authority.

    David.N.Sanders@dhs.gov

    Office: 703-915-8769


  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    It may be an internal request. Upon following the link and being greeted by:
    [size=large]ATTENTION:[/size]
    This is a restricted system.
    Unauthorized use of this system is prohibited.


    and seeing Secure Portal User Login at the top, I don't think this is intended for mass distribution. I don't know if its a major problem that it's out, but then I could be wrong. Anyone bother to see where those IP's are from? I don' recognize the 200. octet.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Montivideo, Uruguay


  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    200.122.216.133 =Brazil
    telmar.net.br

    ???
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes, it is Brasil,

    new whois tool

    This is what CIAC have to say:

    Real warnings about viruses and other network problems are issued by computer security response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP

    No digital signature?

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Hey, it must be boring at CERT, maybe that's just a joke internal only type thing that they write up just for kicks.
    Or it could be real and you're not supposed to be sending it around.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •