
GCSC



  1. GCSC July 2008

  2. FIRE07282008-01
     • User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine gun sounds.
     FIRE07042008-01
     • HTML email delivery resulting in bot. Detected by external report.
     FIRE07032008-01
     • Mac Leopard test server for Apple Update services (no mA plan yet!!) installed w/SSH (SA violation) access w/no root password. Bot installed. Detected by AB messages to the admin.

  3. Return-Path: <scottmcclure726@yahoo.com>
     Authentication-Results: mta694.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok)
     Received: from 98.136.44.41 (HELO n69.bullet.mail.sp1.yahoo.com) (98.136.44.41) by mta694.mail.mud.yahoo.com with SMTP; Tue, 29 Jul 2008 15:54:38 -0700
     Received: from [216.252.122.218] by n69.bullet.mail.sp1.yahoo.com with NNFMP; 29 Jul 2008 22:54:27 -0000
     Received: from [69.147.65.157] by t3.bullet.sp1.yahoo.com with NNFMP; 29 Jul 2008 22:54:27 -0000
     Received: from [127.0.0.1] by omp405.mail.sp1.yahoo.com with NNFMP; 29 Jul 2008 22:54:27 -0000
     Received: (qmail 90381 invoked by uid 60001); 29 Jul 2008 22:54:27 -0000
     DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID; b=PGeIP8IkHw/JqGgMAEOGSryZgnfhW4rkgsPflamkUolTp8Wb/4ybRK/xXK3n0axQynm2ktRgZbABmMBwTJ3a7T3uGu0DvSZ5/dsPupHXyxwcj7hmJQG5JP5H0ow28tfZ0yHzQi/M+fyu3Rff4iMXLO9gmGiCXwvJ36fi2yDrH8I=;
     Received: from [131.225.43.102] by web45712.mail.sp1.yahoo.com via HTTP; Tue, 29 Jul 2008 15:54:26 PDT

     Reading the Received: headers bottom-up: the message was submitted through Yahoo webmail ("via HTTP") from 131.225.43.102, an address in the same 131.225 range as the FNAL resolvers on the next slide. The domainkeys=pass result only says that Yahoo signed what it relayed; it says nothing about who was at the keyboard (or in control of the machine) at 131.225.43.102.

  4. FNAL patched:

     ~> 510$ dig in txt +short porttest.dns-oarc.net. @fnsrv0
     porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
     "131.225.8.120 is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 17757"

     ~> 511$ dig in txt +short porttest.dns-oarc.net. @fnsrv1
     porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
     "131.225.17.150 is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 18019"
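The OARC port test above only returns a one-line summary per resolver. The following Python is an added example (not part of the slides or of OARC's test) that parses those TXT answers and reproduces the rating from a list of observed UDP source ports, so a resolver can also be checked from a packet capture of its outbound queries. The POOR/GOOD/GREAT cut-offs (296 and 3980) and the use of population standard deviation are assumptions about how the test scores; the resolver IPs are the two from the slide, and the sample port lists are constructed.

```python
import random
import re
import statistics

# Copy of the two TXT answers shown on the slide (constructed input for this example).
SLIDE_RESPONSES = [
    '"131.225.8.120 is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 17757"',
    '"131.225.17.150 is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 18019"',
]

RESPONSE_RE = re.compile(
    r'(?P<ip>\d+(?:\.\d+){3}) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<stddev>\d+)'
)

# Assumed cut-offs: POOR below 296, GOOD below 3980, GREAT at or above 3980.
GOOD_MIN, GREAT_MIN = 296, 3980


def parse_porttest(txt):
    """Turn one porttest TXT answer into a dict; raise ValueError on anything else."""
    m = RESPONSE_RE.search(txt)
    if m is None:
        raise ValueError(f"not a porttest answer: {txt!r}")
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "rating": d["rating"],
        "queries": int(d["queries"]),
        "ports": int(d["ports"]),
        "stddev": int(d["stddev"]),
    }


def not_great(responses):
    """IPs of resolvers whose answer is anything other than GREAT (i.e. still need work)."""
    return [r["ip"] for r in map(parse_porttest, responses) if r["rating"] != "GREAT"]


def rate_ports(ports):
    """Score source-port randomness from observed source ports of a resolver's queries.

    Two things matter: how many distinct ports were used, and how spread out they are.
    A resolver that always uses one port, or counts upward, has a tiny standard deviation
    even if every query used a different port.
    """
    if len(ports) < 2:
        raise ValueError("need at least two queries")
    sd = statistics.pstdev(ports)  # population std dev (assumption about the test's formula)
    if sd < GOOD_MIN:
        rating = "POOR"
    elif sd < GREAT_MIN:
        rating = "GOOD"
    else:
        rating = "GREAT"
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "stddev": sd,
        "rating": rating,
    }


def sequential_ports(start, n):
    """Constructed sample: an unpatched resolver that increments its source port per query."""
    return [start + i for i in range(n)]


def random_ports(n, seed):
    """Constructed sample: a patched resolver drawing ports from the whole ephemeral range."""
    return random.Random(seed).sample(range(1024, 65536), n)


if __name__ == "__main__":
    for txt in SLIDE_RESPONSES:
        print(parse_porttest(txt))
    print("still not GREAT:", not_great(SLIDE_RESPONSES))
    print("sequential:", rate_ports(sequential_ports(32769, 26)))
    print("random:   ", rate_ports(random_ports(26, seed=2008)))
```

The live check stays what the slide shows, `dig in txt +short porttest.dns-oarc.net. @resolver`; the offline scorer is for resolvers that cannot reach OARC or for confirming, from a capture on the resolver's uplink, that the patch actually changed its behaviour rather than just its version string.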

  5. The only detected instance is in MIS on Tru64. The released exploit is coded for Windows.

  6. Known issue since 10/2006 (see MS KB 917021). FERMI GPO pushed out. Patches available.

  7. Q: A:

  8. Lots of activity
     • Starts through malicious emails (.doc, .ppt, .pdf, .swf) or web sites or scanning
     • Steals local hashes
     • Moves to other systems via shares, remote desktops, others
     • Tries to get admin access
     • Focus on interactive access
     • Leaves some systems 'dormant'
     • Can compromise an entire domain
     • Tries network equipment also
     DA's and SMS admins are evaluating the provided tools, settings and lessons learned to evaluate our site.
     • Deny logon over network for local accounts
     • Don't store cached credentials
     • Randomize local admin password at every logon*
     • Don't run as admin!!!
     • Separation of accounts
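Two of the settings listed above (no cached credentials, no network logon for local accounts) can be checked from a security template export rather than by clicking through every host. The Python below is an added example, not a tool from the slides or from Fermilab: it parses the `[Registry Values]` and `[Privilege Rights]` sections of a `secedit /export /cfg` style INF and reports which of those two controls a machine is missing. The INF text, the machine SID (S-1-5-21-1111111111-2222222222-3333333333, RID 500 being the built-in Administrator) and the field layout `path=type,value` for registry entries are constructed assumptions; real exports are UTF-16LE and must be decoded before being passed in. Password randomization and the "don't run as admin" rule are procedural and are not covered here.

```python
# Local-account SIDs to keep off the network. The machine SID is constructed; RID 500
# is the built-in Administrator account.
LOCAL_ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"

CACHED_LOGONS_KEY = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"

# Constructed secedit-style export of a workstation still carrying the weak defaults:
# ten cached logons, and only Guests denied network logon.
WEAK_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of the same machine after the two settings were applied.
HARDENED_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse the [Section] / key=value layout of a security template into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def registry_string(sections, path):
    """Registry Values entries read path=type,value; type 1 is REG_SZ with a quoted value."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    _type, _, value = raw.partition(",")
    return value.strip().strip('"')


def privilege_sids(sections, right):
    """SIDs granted a user right; secedit writes them as a comma list of *S-1-... tokens."""
    raw = sections.get("Privilege Rights", {}).get(right, "")
    return {tok.strip().lstrip("*") for tok in raw.split(",") if tok.strip()}


def audit(inf_text, local_account_sids):
    """Return a list of findings; an empty list means both controls are in place."""
    s = parse_inf(inf_text)
    findings = []
    cached = registry_string(s, CACHED_LOGONS_KEY)
    if cached != "0":
        findings.append(f"cached credentials kept: CachedLogonsCount={cached!r} (want 0)")
    denied = privilege_sids(s, "SeDenyNetworkLogonRight")
    for sid in local_account_sids:
        if sid not in denied:
            findings.append(f"{sid} can log on over the network (add to SeDenyNetworkLogonRight)")
    return findings


if __name__ == "__main__":
    for name, inf in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(name, audit(inf, [LOCAL_ADMIN_SID]) or ["ok"])
```

Cached credentials matter here because the campaign steals local hashes: an account whose verifier is cached on a laptop can be attacked offline, and a local admin account that may log on over the network is exactly what turns one stolen hash into a lateral move across every host sharing that password, which is why the slide pairs these two settings with per-host password randomization.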

  9. Security Plans being finalized
     • Integration testing beginning soon
     • Covers:
       • Meeting Maker
       • VPN
       • Email
       • Jabber
       • Web (non-KCA)
       • Databases
       • Basically (most) anything that cannot accept (technically and per policy) Kerberos/Active Directory/KCA authentication
     • Part of the FNAL Authentication Strategies. Guidance docs will be available.

  10. Web filters on order. Expect full implementation by calendar year end.
      • Fail open operation
      • Transparent to the users
      • Subscription updates
      • Some categories blocked, others require acknowledgement
      Affected: Userland web traffic / 'business' type computing
      Unaffected: Farms
      Negotiated: Standard / 'business' servers

  11. Alerting for now, no blocking (blocking soon)
      • Offsite RDP detection coming soon
      • Need to evaluate TB2 Kerberos support
