We are now at INFOCON YELLOW

UPDATE 20100720: As of 1510 hours CDT, Lake Masonic Center network (to include the domains lakemasoniccenter.org, firstlutheranelca.org, and flippingcoinsband.com) acknowledges receipt of INFOCON GREEN from isc.sans.edu.

As of 1130 hours CDT, Lake Masonic Center network (to include the domains lakemasoniccenter.org, firstlutheranelca.org, and flippingcoinsband.com) acknowledges receipt of INFOCON YELLOW from isc.sans.edu.

My INFOCON scripts worked like a charm:

The system works

I heard a SAME header (7-bit FSK w/parity, 1200 baud) being broadcast from my server’s PC speaker.  This happens weekly and monthly on a regular basis for testing purposes.  Today was not a scheduled test day.  I ran to my console to see what prompted the broadcast.  I saw the messages about INFOCON YELLOW scrolling past.

So I went through my checklist:

  1. Bash prompt displays “INFOCON YELLOW”
  2. Firewall rules for INFOCON YELLOW are applied
  3. System policies (idle time enforcement, max. failed login attempts, etc.) rolled in for INFOCON YELLOW
  4. INFOCON YELLOW on login banners
  5. INFOCON YELLOW on lakemasoniccenter.org website
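The first, fourth and the file-based half of the second checklist item can be driven from one script once the level is known. The block below is an added example, not the author's own INFOCON scripts: it normalizes a status string, pulls the level out of a saved response, and writes the prompt snippet, banner, ruleset selection and a state marker into a directory given as a parameter. The `<status>` element name and the `isc.sans.edu/api/infocon` URL in the comments are assumptions about the ISC API; the post only says the level was received from isc.sans.edu. Fetching is left to the caller so the functions run offline against a saved response.

```shell
#!/bin/sh
# Added example, not the author's own INFOCON scripts: turn an INFOCON status
# from isc.sans.edu into the checklist items that are plain files (prompt,
# login banner, state marker, ruleset selection). The state directory is a
# parameter so the functions can be exercised against a scratch directory;
# on a real host the outputs would be copied to /etc/motd, /etc/issue.net and
# a snippet sourced from ~/.bashrc.

# Normalize a status string ("green", " Yellow ", ...) to one of the four
# levels in upper case; fail on anything else so a garbled response can
# never select a ruleset.
infocon_level() {
  lvl=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
  case "$lvl" in
    GREEN|YELLOW|ORANGE|RED) printf '%s\n' "$lvl" ;;
    *) return 1 ;;
  esac
}

# Extract <status>...</status> from an ISC-style XML response saved to a file.
# The element name is an assumption about the API response. Fetching is left
# to the caller (e.g. curl -s https://isc.sans.edu/api/infocon > resp.xml),
# so this works offline on a saved response.
parse_infocon_xml() {
  sed -n 's/.*<status>\([^<]*\)<\/status>.*/\1/p' "$1" | head -n 1
}

# Write the level-specific artifacts into $2. Returns 1 on an unknown level.
apply_infocon() {
  lvl=$(infocon_level "$1") || { echo "unknown INFOCON level: $1" >&2; return 1; }
  dir=$2
  mkdir -p "$dir"
  # Checklist item 1: bash prompt snippet (source it from ~/.bashrc).
  printf 'PS1="[INFOCON %s] \\u@\\h:\\w\\$ "\n' "$lvl" > "$dir/infocon.prompt"
  # Checklist item 4: login banner text.
  printf 'INFOCON %s -- see isc.sans.edu before logging in\n' "$lvl" > "$dir/motd"
  # Checklist item 2: pick the ruleset file kept per level (rules/YELLOW.rules);
  # only the selection is done here, loading it into the firewall is site-specific.
  if [ -f "$dir/rules/$lvl.rules" ]; then
    printf '%s\n' "$dir/rules/$lvl.rules" > "$dir/infocon.ruleset"
  else
    echo "no ruleset file for $lvl, keeping current firewall rules" >&2
    rm -f "$dir/infocon.ruleset"
  fi
  # State marker that other jobs (website update, speaker alert) can poll.
  printf '%s\n' "$lvl" > "$dir/infocon.state"
}

# Usage: apply_infocon "$(parse_infocon_xml resp.xml)" /var/lib/infocon
```

Rejecting anything outside the four levels matters more than it looks: the level selects a firewall ruleset, so a truncated or mangled response must leave the current rules in place rather than pick something arbitrary.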

Since the event that prompted the elevation was related to Windows LNK files, I also cataloged all LNK files on the system and tarballed the ones that weren’t immediately necessary. ClamAV found nothing (though the particular vulnerability isn’t in ClamAV’s latest definitions). I removed the execute bit from all LNK files since Samba ignores it and there’s no legitimate reason to need execute permissions on LNK files on a Linux box.
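The catalog, execute-bit removal and tarball steps above, as an added example rather than the author's commands. The share root, archive path and allowlist are parameters; the allowlist holds the full paths of shortcuts that must stay where they are, and everything else that `find` turns up goes into the archive and is removed from the share.

```shell
#!/bin/sh
# Added example, not the author's commands: catalog every Windows shortcut
# (.lnk) under a Samba-served tree, clear the execute bits, and move the
# shortcuts that are not on an allowlist into a tarball for safekeeping.
# Paths and the allowlist are parameters; nothing here is specific to the
# post's hosts.

# Print every .lnk file (any case) under $1, one path per line, sorted.
catalog_lnk() {
  find "$1" -type f -iname '*.lnk' | sort
}

# Clear all execute bits on the catalogued files. Samba does not use the
# bit for shortcuts and nothing on the Linux side should run a .lnk.
strip_lnk_exec() {
  catalog_lnk "$1" | while IFS= read -r f; do
    chmod a-x "$f"
  done
}

# Archive every catalogued .lnk under $1 that is not listed (full path, one
# per line) in the allowlist $3 into the tarball $2, then delete the
# originals. Prints the number of files archived; creates no archive when
# there is nothing to quarantine.
quarantine_lnk() {
  root=$1; archive=$2; allow=$3
  list=$(mktemp)
  if [ -s "$allow" ]; then
    # -x -F: whole-line, literal matches only, so "a.lnk" never allowlists "xa.lnk".
    catalog_lnk "$root" | grep -v -x -F -f "$allow" > "$list" || true
  else
    catalog_lnk "$root" > "$list"
  fi
  n=$(wc -l < "$list" | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    # tar strips the leading "/" from member names and says so on stderr.
    tar -cf "$archive" -T "$list" 2>/dev/null
    while IFS= read -r f; do rm -f "$f"; done < "$list"
  fi
  rm -f "$list"
  printf '%s\n' "$n"
}

# Usage on a real share:
#   catalog_lnk /srv/samba > /root/lnk-catalog.txt
#   strip_lnk_exec /srv/samba
#   quarantine_lnk /srv/samba /root/lnk-quarantine.tar /root/lnk-allow.txt
```

Keeping the catalog from the first step is the useful part for later: it records which shortcuts existed and where, so anything that reappears after the share is cleaned stands out.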

One more screenie for good measure:

INFOCON YELLOW

Even my Windoze Box gets it right

  1. #1 by Phillip on July 20, 2010 - 11:59 AM

    From what I’ve read, the vulnerability has something to do with when Windows does a peek into the LNK file to see what it should display. I am curious if, for example, when I look at a bookmark if Windows is pulling this thing off. I could see how it would. Regardless, this could blow up.
