Dailydave mailing list archives

RE: Port 445, BB-style security news services,


From: "Edward Ray" <support () mmicman com>
Date: Sat, 25 Jun 2005 08:35:39 -0700

Reading articles like these makes me want to start my own security blog...

You have to look at your audience here.  While I am surprised that E-week
would pick up on this FUD, this is what Gartner makes its money on.  Some
CIO who is paying oodles of money for access to Gartner's reports and advice
will look and see that his security devices are in the "Magic Quadrant" and
thus his/her network is safe.

What is even more amusing is the "Magic Quadrant" that I hear quoted by
vendors and Gartner alike.  I think my Tipping Point IPS and Netscreen
devices are/were in the Magic Quadrant.   Whew, what a relief :)

This article has been repeated on vunet and elsewhere.  At least some other
sources bring a little sanity.  From http://isc.sans.org:

"... several readers sent us their thoughts on the recent spike in tcp/445
traffic. The general consensus seems to be that there was no wide-spread
Internet attack or scans. Others postulated that some locations might have
been victims of "routine" scans on ports that are listed in the monthly
Microsoft security advisories. Another thought was that what Symantec (and
later the US-CERT and Gartner) reported was really based on increased bot
activity. Regardless, we did not see any significant increases in the
DShield database on tcp/445 but will continue to monitor the situation."

Edward W. Ray

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Friday, June 24, 2005 8:51 AM
To: dailydave
Subject: [Dailydave] Port 445, BB-style security news services, 

http://www.eweek.com/article2/0,1759,1830698,00.asp

Ok. I had to forward this. Because it made us laugh out loud here at
Immunity HQ, and I figured it might give a few of you giggles too.
Normally I don't just repost news articles, but this one is more of a spoof
on a news article than an actual news article itself.

"An ominous increase in sniffing activity on TCP Port 445 could signal an
impending mass malicious code attack targeting a recently patched Microsoft
vulnerability, according to a warning from security researchers."

"Port scanning is an activity that may be indicative of an attempt to
discover attack vectors against any vendor product and is not an activity
unique to Microsoft products," she added.

She said software engineers at Redmond would continue to analyze and monitor
for any malicious activity but stressed that she was not aware of any
customers being attacked via sniffing against TCP Port 445 and have not
received any indication of malicious activity associated with MS05-027.

"John Pescatore, VP of security research at Gartner Inc., said the reports
of increased sniffing on Port 445 are a "serious concern for enterprise
security managers" because such activity usually means a mass attack is
imminent."

This is the sort of article that could be autogenerated Bloomberg-style.
A couple weeks ago Justine was looking into Immunity developing a
Bloomberg-like device for security specific news. Something marketed towards
Stephen Scharf (the current CSO of BB) and people like him who don't have
time to go click everywhere to learn what they need. Plus, scrollies look
cool. I think the idea was to do it as a Buzzword-compliant JNXA web
application that was distributed as a portable touchscreen device, hooked
into Verizon's EDGE network so you wouldn't have to configure it at all or
hook it up to your network.
Ideally there'd be modules for various channels - things like IRC where you
could connect all the Financial CSO's together and have them discuss their
ongoing issues, if an emergency pops up. And of course, the ongoing news of
the security world, sorted automatically by an automated filter. We might
still do it since I think we could beat AT&T at the game handily, although I
don't think articles like the above one would make it through the filter. :>

-dave
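
The ISC note quoted above answers the "ominous increase" claim with a simple check: did the number of distinct sources hitting tcp/445 per day actually rise against the preceding days' baseline? The following is an added example of that check, not code from the list, from ISC/DShield or from Immunity; it assumes a hypothetical flat "<date> <src> <sport> <dst> <dport> <proto>" log format and a constructed sample, and counts distinct sources rather than raw hits so one noisy host does not look like a mass event.

```python
import statistics
from collections import defaultdict

# Constructed sample in a hypothetical flat format (not DShield's real
# submission format): three quiet days, then a jump in distinct 445 sources.
SAMPLE_LOG = """\
2005-06-18 10.0.0.5 3421 192.0.2.10 445 tcp
2005-06-18 10.0.0.6 3422 192.0.2.10 445 tcp
2005-06-18 10.0.0.7 1100 192.0.2.10 80 tcp
2005-06-19 10.0.0.5 3450 192.0.2.10 445 tcp
2005-06-19 10.0.0.8 2201 192.0.2.10 445 tcp
2005-06-20 10.0.0.9 4000 192.0.2.10 445 tcp
2005-06-20 10.0.0.6 4001 192.0.2.10 445 tcp
2005-06-20 10.0.0.7 4002 192.0.2.10 445 tcp
2005-06-21 10.0.0.10 5000 192.0.2.10 445 tcp
2005-06-21 10.0.0.11 5001 192.0.2.10 445 tcp
2005-06-21 10.0.0.12 5002 192.0.2.10 445 tcp
2005-06-21 10.0.0.13 5003 192.0.2.10 445 tcp
2005-06-21 10.0.0.14 5004 192.0.2.10 445 tcp
2005-06-21 10.0.0.15 5005 192.0.2.10 445 tcp
2005-06-21 10.0.0.16 5006 192.0.2.10 445 tcp
2005-06-21 10.0.0.17 5007 192.0.2.10 445 tcp
"""


def daily_distinct_sources(log_text, dport=445, proto="tcp"):
    """Per-day count of distinct source IPs hitting dport/proto, keyed by date."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        day, src, _sport, _dst, dst_port, prot = parts
        if prot == proto and dst_port == str(dport):
            seen[day].add(src)
    return {day: len(seen[day]) for day in sorted(seen)}


def flag_spike(series, z=3.0, min_ratio=2.0):
    """Test the latest day against the earlier days. Returns (is_spike, last, threshold).
    Both conditions must hold: last > mean + z*stdev AND last >= min_ratio*mean,
    so a flat baseline with near-zero variance cannot flag a one-host blip."""
    counts = list(series.values())
    if len(counts) < 3:
        return (False, counts[-1] if counts else 0, None)  # too little history
    baseline, last = counts[:-1], counts[-1]
    mean = statistics.mean(baseline)
    threshold = mean + z * statistics.stdev(baseline)
    return (last > threshold and last >= min_ratio * mean, last, threshold)
```

A genuine mass event would also show the distinct-source jump persisting across following days; a single day is only a reason to keep watching, which is what the ISC note says they did.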


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
