CERT Blogs

The Risks of Microsoft Exchange Features that Use Oracle Outside In

Tue, 04 Jun 2013 08:20:00 -0500

The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit.

Keep Calm and Deploy EMET

Wed, 08 May 2013 09:44:45 -0500

CVE-2013-1347, the Internet Explorer 8 CGenericElement object use-after-free vulnerability has gotten a lot of press lately because it was used in a "watering hole" attack against several sites.

Controlling the Malicious Use of USB Media

Mon, 06 May 2013 06:40:00 -0500

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division of the Software Engineering Institute. Earlier this year, we released the report Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources. In this report, we discuss the challenges universal serial bus (USB) flash drives present to organizations, especially those concerned with protecting their intellectual property.

Don't Sign that Applet!

Tue, 30 Apr 2013 06:19:00 -0500

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies, suggests that all Java developers sign their applets, regardless of the privileges required. In this blog entry, I explain why this practice is a bad idea.

Finding Patterns of Malicious Use in Bulk Registrations

Wed, 24 Apr 2013 08:14:00 -0500

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. In 2011, .co.cc [1] and .co.tv [2] were removed from Google’s search results because of the high incidence of malicious domains (.cc is the TLD for the Cocos Islands and .tv is the TLD for Tuvalu). Neither of these domains is an official TLD of its respective country of origin, but is a zone in which the owner happens to make single subdomains freely available and charge a nominal fee for bulk registrations. Similarly, an APWG report for the second half 2011 lists .tk, the TLD of the island of Tokulu, as the most common TLD used in phishing attacks. It also permits free domain registration.

GeoIP in Your SOC (Security Operations Center)

Wed, 17 Apr 2013 10:44:00 -0500

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Program. Today, whether you’re shopping for a new house or trying to find a babysitter, you end up using Google maps or a similar service to assist your decision making. In this blog post, I discuss GeoIP capabilities that can be built into your SOC to provide a spatial view of your network threats and how this view can help your network situational awareness.

Second Level Domain Usage in 2012 for Common Top Level Domains

Thu, 04 Apr 2013 15:04:00 -0500

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. Here is a look at second level domain (SLD) usage in 2012 for the most common generic Top Level Domains (gTLDs): biz, com, info, mobi, net, and org. We used two data sources: (1)the master zone files (RFC 1035 sec. 5) and (2) the SIE (http://sie.isc.org), a passive DNS data source. From these sources we examined three features of global gTLD usage—the number registered, the number active, and the ratio.

The Growth of IPv6 Announcements

Wed, 27 Mar 2013 08:39:00 -0500

Hi, this is Leigh Metcalf again with my colleague Rhiannon Weaver. IPv6, the replacement for IPv4, has been heavily marketed. To consider exactly how popular IPv6 is on the internet, one method is to examine the number of autonomous systems (ASes) that announce IPv6.

An Alternate View of Announced IPv4 Space

Thu, 21 Mar 2013 10:18:00 -0500

In my previous post, I examined the total amount of IPv4 space announced and presented cumulative graphics. While this view is useful in determining how much IPv4 space is announced, it doesn’t say much about which IPv4 space is announced. The graphic in Figure 1 is an alternate visualization of the data from that post and is called the Internet barcode.

The Growth Rate of IP Addresses That Are Advertised as Usable on the Internet

Wed, 13 Mar 2013 13:12:00 -0500

Hi, this is Leigh Metcalf of the Network Situational Awareness Team. Recently, I have been considering the amount of IPv4 space that is announced on the Internet. All blocks have been allocated, but how many are actually being used? To investigate this, I examined the routing tables to determine which networks were announced on the internet as usable from January 1, 2009 through December 31, 2012.

How Ontologies Can Help Build a Science of Cybersecurity

Tue, 12 Mar 2013 06:35:00 -0500

Hello, this is David Mundie, a Senior Member of the Technical Staff in the CERT Program. The term "science of cybersecurity" is a popular one in our community these days. For some time now I have advocated ontologies and controlled vocabularies as an approach to building such a science. I am fond of citing the conclusion of the Jason Report, that the most important step towards a “science of cybersecurity "would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding," or in other words, an ontology.

Watching Domains That Change DNS Servers Frequently

Mon, 11 Mar 2013 09:04:33 -0500

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently.

CERT Insider Threat Events at the RSA Conference

Tue, 19 Feb 2013 07:01:00 -0500

Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. The RSA Conference is rapidly approaching, and since many of you will likely be there, I thought I’d let you know how to find us there. Also, if you would like to get together to discuss insider threat while you’re there please email us at insider-threat-feedback@cert.org this week and we’ll make arrangements to meet.

Common Sense Guide to Mitigating Insider Threats - Best Practice 19 (of 19)

Wed, 13 Feb 2013 07:29:00 -0500

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the last of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

Common Sense Guide to Mitigating Insider Threats - Best Practice 18 (of 19)

Mon, 11 Feb 2013 07:23:33 -0500

Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the eighteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.