The .eu top-level domain is relatively new and still in its build-up phase, and a co-worker noticed something fun.
When ssh'ing to a local server, he made a typo and finished the DNS name as .eu. It connected with an SSH handshake (it was a new server, so the host key warning wasn't considered a big deal) and took a password. He immediately recognized the problem when the password wasn't accepted, and we investigated.
It appears any DNS name under ourdomain.eu would resolve to this machine. Not only that, but the machine in question was hosting at least 7 other domains under .eu that would map to an educational institution. For instance, for a "fake" educational institution at ufoo.edu you could look up ufoo.eu and get a response from this machine.
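An added example, not from the original post, of the check a defender would run after an incident like this: probe whether a zone answers for random labels (a wildcard record) and whether sibling-TLD variants of a hostname land on a different machine than the real one. The hostnames, the `ourdomain.eu` wildcard and the 192.0.2.x addresses are constructed stand-ins; with no resolver argument the functions fall back to the OS resolver.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS stub resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def has_wildcard(zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Probe a random label nobody could have registered. A non-None answer means
    the zone has a wildcard record, so any typo under it will resolve."""
    return resolve(f"{secrets.token_hex(8)}.{zone}")

def sibling_tld_variants(host: str, tlds=("eu", "edu", "com", "net")) -> List[str]:
    """Same hostname under other TLDs, e.g. server.ourdomain.edu -> server.ourdomain.eu."""
    labels = host.split(".")
    return [".".join(labels[:-1] + [tld]) for tld in tlds if tld != labels[-1]]

def audit(host: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    """For each sibling-TLD variant, record where it lands, whether its zone is a
    wildcard, and whether it points at a machine other than the real host."""
    expected = resolve(host)
    variants: Dict[str, Dict[str, object]] = {}
    for variant in sibling_tld_variants(host):
        zone = ".".join(variant.split(".")[-2:])
        addr = resolve(variant)
        variants[variant] = {
            "address": addr,
            "zone_wildcard": has_wildcard(zone, resolve),
            "foreign": addr is not None and addr != expected,
        }
    return {"host": host, "expected": expected, "variants": variants}

# Constructed answers standing in for real DNS: the .edu name is the real server,
# while ourdomain.eu answers for every name under it (a wildcard), as in the story.
def constructed_resolver(name: str) -> Optional[str]:
    if name == "server.ourdomain.edu":
        return "192.0.2.1"
    if name == "ourdomain.eu" or name.endswith(".ourdomain.eu"):
        return "192.0.2.10"
    return None

if __name__ == "__main__":
    print(audit("server.ourdomain.edu", constructed_resolver))
```

A variant flagged `foreign` with a non-None `zone_wildcard` is exactly the case above: a one-character typo reaches a host that will happily accept a password; pinning host keys in known_hosts is what turns that into a loud failure instead of a silent credential leak.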
Unrelenting and increasingly sophisticated attacks against enterprise networks have dramatically raised organizations' IT security risks. Given the relative ease with which many types of attacks bypass perimeter security, traditional perimeter-based security approaches are no longer sufficient to adequately protect enterprise assets. To combat these threats, security professionals are implementing multi-layered defenses, with the last line of defense implemented at the host itself.
State-of-the-art high-speed network intrusion detection and prevention systems are often designed using multiple intrusion detection sensors operating in parallel coupled with a suitable front-end load-balancing traffic splitter. In this paper, we argue that, rather than just passively providing generic load distribution, traffic splitters should implement more active operations on the traffic stream, with the goal of reducing the load on the sensors. We present an active splitter architecture and three methods for improving performance. The first is early filtering/forwarding, where a fraction of the packets is processed on the splitter instead of the sensors.
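An added illustration, not code from the paper, of the two ideas in that abstract: a splitter that hashes a direction-independent flow key so both halves of a connection reach the same sensor, and an early-filtering rule that lets the splitter forward known-bulk traffic itself so it never costs a sensor cycle. The packet structure, the rsync backup rule and the 192.0.2.x / 198.51.100.x traffic are constructed for the demonstration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def flow_key(p: Packet) -> Tuple:
    """Direction-independent flow identity: both halves of a connection must
    reach the same sensor, or stateful detection sees only one side."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def pick_sensor(p: Packet, n_sensors: int) -> int:
    """Hash the flow key so a flow sticks to one sensor for its whole lifetime."""
    digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

# An early-filtering rule runs on the splitter; True means "forward this packet
# directly, it needs no sensor time". Rules must be cheap and conservative.
EarlyRule = Callable[[Packet], bool]

def trusted_backup_stream(p: Packet) -> bool:
    """Constructed rule: rsync traffic (port 873) between two known backup hosts."""
    hosts = {"192.0.2.10", "192.0.2.11"}
    return p.proto == "tcp" and {p.src, p.dst} <= hosts and 873 in (p.sport, p.dport)

def split(packets: List[Packet], n_sensors: int, rules: List[EarlyRule]) -> Tuple[Counter, int]:
    """Return (packets per sensor, packets the splitter forwarded early)."""
    load: Counter = Counter()
    forwarded = 0
    for p in packets:
        if any(rule(p) for rule in rules):
            forwarded += 1  # handled on the splitter, never reaches a sensor
        else:
            load[pick_sensor(p, n_sensors)] += 1
    return load, forwarded

def constructed_traffic() -> List[Packet]:
    """Constructed sample: one web request/response pair plus a bulk backup stream."""
    client, web = "198.51.100.7", "192.0.2.20"
    pair = [Packet(client, 40000, web, 80, "tcp"), Packet(web, 80, client, 40000, "tcp")]
    backup = [Packet("192.0.2.10", 50000 + i, "192.0.2.11", 873, "tcp") for i in range(8)]
    return pair + backup
```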
There are a variety of Intrusion Detection Systems in the market ranging from the enterprise-level managed-network monitoring solution to a simple on-the-host logging system. There is also a distinction between an Intrusion Prevention System (IPS) and an IDS. An IPS goes one better than the IDS and attempts to block an attack in progress whereas the IDS attempts to log the attack and optionally notify a responsible party to employ an incident response plan.
Scrap told me a story once from his college days in an attempt to explain to me why he is frequently late. I had concluded early on that it was because he didn't own a watch, but apparently there was much more to do with it than just that.
Scrap is an industrious person and has a knack for creative problem solving. It's a talent that few people can really exploit well. He is a master.
Back in his college days, Scrap spent most of his evenings rushing through homework assignments and then calling a long list of social contacts in his ScrapBook (this pre-dates laptops, so this was an actual paper-bound book!) to find out where 'the party was at'. Nobody answered phones back then, because you actually had to be at home and within hearing distance of the ringing.
Source: Alberto Gonzalez - Posted by Benjamin D. Thomas
Honeypots are a hot topic in the security research community right now. It seems everyone is starting up their own honeypot system. Most of the papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves.
Most honeypots are deployed as just an extra box someone has lying around. They slapped an OS on it, checksummed all the files, installed an IDS, and set about waiting for the hackers to arrive. Those kinds of honeypots ignore some of the most interesting parts of what a honeypot can do. Honeypots can be used to ensnare and beguile potential hackers, entice them to give you more research information, and actively defend your production network.
Source: Technet.com - Posted by Benjamin D. Thomas
In technical terms, a honeypot performs a function very similar to that of a "honeypot" in the outside world: a sweet lure. A "honeypot" is a system designed with the purpose of attracting the attention of prospective attackers, to assess how they are attempting to infiltrate the machine and what they are doing once they gain access. There are literally thousands of honeypot networks and systems set up by security professionals and hobbyists worldwide. These systems can provide a wealth of information for forensics and for assessing trends in network intrusion.
As information systems in hospitals continue to advance and evolve, so do the threats to those systems. In today's healthcare environment, Patient Health Information (PHI) is no more than a few clicks away. The ease of access helps healthcare providers be more efficient and provide better patient care. This same access introduces risks that must be addressed to ensure that this information is protected. Not only is this protection of PHI the right thing to do, legislation such as the Health Insurance Portability and Accountability Act (HIPAA) makes it mandatory.
Spyware and Trojan threats are rising dramatically, now accounting for the majority of online attacks, a new report reveals. Webroot's latest report shows that during the first quarter of 2006 the number of spyware infections jumped to 87 percent from 72 percent in the same period in 2005; a rise of 15 percent.
Source: InfoSecWriters - Posted by Benjamin D. Thomas
Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls, and even simple end users buying the latest security-related tools.
However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs? I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only a few of these events carry and that nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs.
We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.
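An added example, not from the original article, of the kind of automatic analysis it argues for, run over the authentication logs it names: parse sshd "Failed password" lines from a syslog-format auth.log and raise an alert when one source address accumulates a threshold of failures inside a sliding time window. The log excerpt, hostnames and addresses are constructed; the regex targets the classic OpenSSH syslog line and would need adjusting for other formats.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Classic syslog-format sshd failure line (the year is not in the timestamp).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failed(line: str, year: int = 2006) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, username, source IP) for a failed-password line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, Tuple[datetime, int]]:
    """Sliding window per source IP: alert once `threshold` failures fall within
    `window_s` seconds. Returns {ip: (time of alert, distinct usernames tried)}."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # accepted logins, other daemons, etc.
        ts, user, ip = parsed
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(users[ip]))
    return alerts

# Constructed auth.log excerpt: one password-guessing source, one user who mistyped twice.
SAMPLE_LOG = """\
May 12 10:15:01 bastion sshd[2201]: Accepted publickey for alice from 192.0.2.8 port 51022 ssh2
May 12 10:15:02 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
May 12 10:15:04 bastion sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2
May 12 10:15:07 bastion sshd[2204]: Failed password for root from 203.0.113.5 port 4024 ssh2
May 12 10:15:09 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 4025 ssh2
May 12 10:15:12 bastion sshd[2206]: Failed password for invalid user oracle from 203.0.113.5 port 4026 ssh2
May 12 10:20:30 bastion sshd[2210]: Failed password for bob from 198.51.100.9 port 60012 ssh2
May 12 10:25:45 bastion sshd[2215]: Failed password for bob from 198.51.100.9 port 60013 ssh2
""".splitlines()
```

The distinct-username count is the cheap signal that separates a guessing run from a legitimate user fumbling a password; the same loop can feed a firewall block or a ticket instead of a dictionary.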