Tenable Blog

The Story:

--US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)
A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers.
http://isc.sans.org/diary.html?storyid=6757
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html?wprss=securityfix
http://www.nextgov.com/nextgov/ng_20090708_6262.php
http://www.computerworld.com/s/article/9135279/
Updated_MyDoom_responsible_for_DDOS_attacks_says_AhnLab?taxonomyId=17 ...

Once again, we have a "cyberwar" that only registers as a blip on the radar screen for most of us. Other than that, it's an inconvenience for government or commercial sites that didn't think about capacity when they built out their internet connections. It's far from a disaster; in fact, it's hardly news-worthy. It's only remotely interesting because, once again, the cyberwar pundits attempted to link the attacks to state sponsorship. Like with the attacks on Estonia in 2007, ("Russia accused of unleashing cyberwar against Estonia") will it turn out to be a few civilians operating under their own initiative? Another way of phrasing that question is "is the North Korean intelligence service a bunch of wimps?"

Attackers have access to a great deal of public information about your organization. Public web sites, domain records, routing information and several other sources can provide an attacker with useful information to launch attacks. Public documents posted on your web site contain metadata that can be very useful to an attacker. Metadata, in the context of the documents created within your organization, is information about the document itself. This can include who created it, their email address, the creation date, the software used to create and publish it and the software version and platform. This information can then be used to create client-side attacks that specifically target individuals and the software they are using.

It’s the Small Things

Embedded systems continue to be overlooked in many environments, but often can present as much risk, if not more, than other systems on your network. Every enterprise has some form of an embedded device, from printers to routers and switches, that exists on the network and exposes services that could be exploited. Some recent examples include:

Setting up the Log Correlation Engine & Splunk

Tenable has recently released a new Log Correlation Engine (LCE) client that allows you to collect log data from Splunk installations to send to LCE, Tenable’s solution for log storage, normalization and correlation. If you have instances of Splunk in your environment, it’s a simple process to configure the integration. Below is an overview of the traffic flow:

Tenable CEO, Ron Gula, Tenable CSO, Marcus Ranum and 451 Group Vice President Nick Selby will discuss the recent 451 study which concluded that log management was more valuable to organizations than correlation. The webinar will discuss the 451 research, Mr. Selby will answer questions from Mr. Gula, Mr. Ranum and the webinar attendees, and then Tenable will demonstrate how their Log Correlation Engine can meet the needs of organizations who want to perform both log management and event correlation.