GCSC July 2008. FIRE07282008-01 – User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine.

Slides:



Advertisements
Similar presentations
File Server Organization and Best Practices IT Partners June, 02, 2010.
Advertisements

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.
Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
EDUCAUSE Security 2006 Internet John Brown University.
Desktop Security: Worms and Viruses Brian Arkills, C&C NDC-Sysmgt.
Website Hardening HUIT IT Security | Sep
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Module 1: Installing Active Directory Domain Services
Introduction to Active Directory December 10th, pm Daniels 407.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Technology Coordinators Training. Confidential Copyright © 2007 Pearson Education, Inc. and/or one or more of its direct or indirect affiliates. All rights.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16.
CERN’s Computer Security Challenge
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
HOW-TO guide This tutorial has sound.
Honeypot and Intrusion Detection System
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
PCI Compliance Technical Overview. RM PCI Calendar Dec 2005: Began PCI 15.1 development Feb 2006: Initial PCI Audit Sept 2006: Official 15.1 PCI Release.
Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.
SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.
Safeguarding OECD Information Assets Frédéric CHALLAL Head, Systems Engineering Team OECD.
Module 11: Remote Access Fundamentals
Module 11: Read-Only Domain Controllers. Overview Describe the Read-Only Domain Controllers role Use Read-Only Domain Controllers.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
LAL Site Report Michel Jouvin LAL / IN2P3
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Module 1: Implementing Active Directory ® Domain Services.
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.
Module 7: Implementing Security Using Group Policy.
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
Designing a Secure Extranet with Sharepoint Russ Basiura Principal Consultant RJB Technical Consulting
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.
Page PearsonAccess™ Technology Training Online Test Configuration.
Page ADP Technology Training. 2 Page2 Confidential Copyright © 2007 Pearson Education, Inc. and/or one or more of its direct or indirect affiliates. All.
1 E-Site - FTP Services Setup / install guide. 2 About FTP services can run on any desired port(s) Runs as a windows service Works for all sites installed.
PC Manager Meeting February 23, Today Updates Next Meeting Windows Policy Security This Month: Lessons Learned: Building the Symantec Patch (Andy.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
WannaCry/WannaCrypt Ransomware
WannaCry/WannaCrypt Ransomware
Chapter 5 Electronic Commerce | Security Threats - Solution
Assignment # 8.
Introduction to Operating Systems
Enabling Secure Internet Access with TMG
Grades4sure PDF Dumps CompTIA Security + Certification Exam
Chapter 5 Electronic Commerce | Security Threats - Solution
MCSA VCE
NSE4-5.4 Dumps
Microsoft Virtual Academy
Information Security Session October 24, 2005
Chapter 27: System Security
Connecting Remotely Winter 2014.
Operating System Security
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
Privileged Access Management
Presentation transcript:

GCSC July 2008

FIRE – User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine gun sounds. FIRE – HTML delivery resulting in bot. Detected by external report. FIRE – Mac Leopard test server for Apple Update services (no mA plan yet!!) installed w/SSH (SA violation) access w/no root password. Bot installed. Detected by AB messages to the admin.

Return-Path: Authentication-Results: mta694.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok) Received: from (HELO n69.bullet.mail.sp1.yahoo.com) ( ) by mta694.mail.mud.yahoo.com with SMTP; Tue, 29 Jul :54: Received: from [ ] by n69.bullet.mail.sp1.yahoo.com with NNFMP; 29 Jul :54: Received: from [ ] by t3.bullet.sp1.yahoo.com with NNFMP; 29 Jul :54: Received: from [ ] by omp405.mail.sp1.yahoo.com with NNFMP; 29 Jul :54: Received: (qmail invoked by uid 60001); 29 Jul :54: DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-Mailer:Date:From:Reply- To:Subject:To:MIME-Version:Content-Type:Message-ID; b=PGeIP8IkHw/JqGgMAEOGSryZgnfhW4rkgsPflamkUolTp8 Wb/4ybRK/xXK3n0axQynm2ktRgZbABmMBwTJ3a7T3uGu 0DvSZ5/dsPupHXyxwcj7hmJQG5JP5H0ow28tfZ0yHzQi/M+ fyu3Rff4iMXLO9gmGiCXwvJ36fi2yDrH8I=; Received: from [ ] by web45712.mail.sp1.yahoo.com via HTTP; Tue, 29 Jul :54:26 PDT

d FNAL patched: ~> 510$ dig in txt +short " is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 17757" ~> 511$ dig in txt +short porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. " is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 18019"

The only detected instance is in MIS on True64. The released exploit is coded for Windows.

Known issue since 10/2006 (see MS KB ) FERMI GPO pushed out Patches available

Q: A:

Lots of activity Starts through malicious s (.doc,.ppt,.pdf,.swf) or web sites or scanning Steals local hashes Moves to other systems via shares, remote desktops, others Tries to get admin access Focus on interactive access Leaves some systems ‘dormant’ Can compromise an entire domain Tries network equipment also -Deny logon over network for local accounts -Don’t store cached credentials -Randomize local admin password at every logon* -Don’t run as admin!!! -Separation of accounts DA’s and SMS admins evaluating the provided tools, settings and lessons learned to eval our site.

Security Plans being finalized Integration testing beginning soon Covers: -Meeting Maker -VPN - -Jabber -Web (non-KCA) -Databases -Basically (most) anything that cannot accept (technically and per policy) Kerberos/Active Directory/KCA authentication Part of the FNAL Authentication Strategies. Guidance docs will be available.

Web filters on order. Expect full implementation by calendar year end. Fail open operation. Transparent to the users. Subscription updates. Some categories blocked, others require acknowledgement. Affected: Userland web traffic/’business’ type computing Unaffected: Farms Negotiated: Standard/’Business’ servers

Alerting for now, no blocking (blocking soon) Offsite RDP detection coming soon Need to evaluate TB2 Kerberos support

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.