April 2005 - Posts

CNN.com - Georgia bride-to-be fabricated abduction story - Apr 30, 2005

Georgia bride-to-be fabricated abduction story

Saturday, April 30, 2005 Posted: 7:50 AM EDT (1150 GMT)

(CNN) -- A Georgia woman, who was found in New Mexico early Saturday and who said she had been abducted, admitted today she had made up the story because she was nervous about her upcoming wedding, police said.

Albuquerque Police Chief Ray Schultz said Jennifer Wilbanks, 32, had told them she had taken a bus to Las Vegas, Nevada, and on Saturday had taken another bus to New Mexico.

Earlier, Wilbanks had told family members and police that she had been abducted by a man and a woman in a van. She was to be married Saturday.

"Agents and detectives learned Miss Wilbanks had become scared and concerned about her pending marriage and decided she needed some time alone," Schultz said.

Schultz said no charges would be filed against Wilbanks, saying that would be up to authorities in Georgia.

Wilbanks called her fiance, John Mason, at his Duluth, Georgia, home from an Albuquerque pay phone at 1 a.m. EDT Saturday to say she had been freed by two strangers who abducted her Tuesday night, Mason said.

Within minutes, Wilbanks was located by Albuquerque Police at a 7-Eleven convenience store.

Family members are expected to fly to Albuquerque Saturday morning to be with her.

Wilbanks, who was to be married to Mason in Duluth, was last seen by her fiance Tuesday night, when she left the home she shares with him for a jog about 8:30 p.m.

Earlier, Pastor Alan Jones, who was to preside at the wedding, said Wilbanks told him her abductors "came up behind her, cut her hair and put her in a blue van."

Among the clues found during the search that followed her disappearance was a clump of hair along the route she was believed to have been jogging. Ahrensfield, the Albuquerque Police spokeswoman, said it appeared Wilbanks' hair had been cut.

Her father, Harris Wilbanks, said a new wedding date will be set after they talk to her.

He said Friday evening, the hours before learning his daughter was alive, was the lowest point of his life.
Disappearance drew national attention

News of Wilbanks' admission comes just hours after police in Georgia announced they would suspend their ground search for her, saying they've looked everywhere she may have been.

Her disappearance quickly drew national media attention, including talk show speculation sometimes comparing the story to that of Laci Peterson, the pregnant woman who disappeared from her Modesto, California, home on Christmas Eve, 2002. In that case, husband Scott Peterson was convicted of murder and sentenced to death.

Wilbanks' fiance said he tried not to get upset about the media comparisons to the Peterson case since he knew her family had faith in him.

"I never worried that they were going to point their fingers at me," Mason said.

Must be a lot of hobbyists out there…

Slashdot | Firefox Breaks 50,000,000 Barrier

Firefox Breaks 50,000,000 Barrier

Posted by Zonk on Friday April 29, @02:19PM
from the get-up-get-on-up dept.

MrDrBob writes "Today at 16:59 GMT (8:58 AM PST) Mozilla Firefox received its 50,000,000th download. To celebrate, SpreadFirefox.com has created a special page, where you can watch the downloads continue to climb in real time. Three cheers for Firefox! May it go on swiftly to 100,000,000!"

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-019/Win2k3 SP1 Update Troubleshooting
More information is available regarding incompatibilities and gotchas after applying this update:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=17#307

Also
http://support.microsoft.com/default.aspx?scid=898060

MS05-020 POC Exploit Released by FrSIRT

As detailed here: http://www.frsirt.com/english/advisories/2005/0340

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler on Duty: Deb Hale
Updated April 28th 2005 15:52 UTC
TCP port 1025 activity; continued DNS poisonings;

TCP port 1025 activity
After the huge spike in activity on this port on 31 March, things seemed to have calmed down for a while, but we've seen a couple of smaller spikes the last few days (see http://isc.sans.org/port_details.php?port=1025 ). We're still not sure what is causing all of this, so we again ask for assistance if anyone has captured any of this traffic, we'd appreciate any samples you can share.

Continued DNS poisonings
We continue to get reports of sporadic DNS cache poisonings. We've covered this in great detail earlier this month, so we won't spend a lot of time on it except to remind folks that the Internet Software Consortium (maintainer of BIND) agrees that BIND 4 and 8 are no longer suitable for use as forwarders, so, if you are running DNS servers that act as forwarders, please upgrade as soon as possible.

This is a great way to start the day.  Looks like Symantec and Trend Micro are both reporting a new variant of MyDoom and Symantec is also reporting a new variant of Netsky.  Let's hope these don't spread too fast.



http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.ai@mm.html

W32.Netsky.AI@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it gathers from certain files on the compromised computer, and copies itself to mapped network drives. The worm also downloads a copy of Backdoor.Nemog.D.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.bl@mm.html

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

WORM_MYDOOM.AQ

This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It sends multiple copies of itself to all addresses found in the infected system's Windows address book.

The email it sends has varying subjects, message bodies, and attachment file names.  Upon execution, it drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every system startup.


Slashdot | Microsoft Demands Removal Of Longhorn Images

Microsoft Demands Removal Of Longhorn Images

Posted by timothy on Wednesday April 27, @03:51PM

from the now-there's-a-marketing-move dept.

bonch writes "After the previously reported release of the Longhorn beta at this year's WinHEC, Neowin and other Windows sites are reporting that Microsoft is going around sending legal letters demanding removal of Longhorn Build 5048 screenshots. Paul Thurrott discusses it on his site, stating that Microsoft never told anyone beforehand not to post screenshots of the publicly available beta, and links to the new galleries he has up now. 'Enjoy it while it lasts.'"

F-Secure : News from the Lab

Bagle history

Posted by Mikko @ 09:14 GMT

Jason Gordon from infectionvectors.com has written a thorough three-part study on the history of the Bagle worm.

The study is available as PDF files: part 1, part 2 and part 3.



Yury Mashevsky from Kaspersky lab has also posted a good article on Bagle botnets.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Google != Googkle
Reader Alan Phelps wrote in this morning to alert us to a malicious site that has registered a domain that might be entered as a typo for google.com. DO NOT VISIT THIS SITE! Visiting this site installs about 49 pieces of spyware, uses the local hosts file to block access to popular anti-virus websites, and offers a link to a website that sells AV and anti-spyware tools with the slogan "We help people"... No comment.
Administrators might want to do a quick check on their DNS cache records to see if any users have resolved anything matching "googkle" lately, and then have field support visit the (likely) infested workstations.

Update 2005-04-27 @ 10:21 UTC
Several readers have written in to add that there are several other sites similar to the Googkle site including:

msnm(dot)com, gfoogle(dot)com, ghoogle(dot)com, googfle(dot)com, luycos(dot)com, msn1(dot)com, passpport(dot)com and xcnn(dot)com.

Did I mention that you should NOT visit these sites?
More information on googkle is available at http://www.f-secure.com/v-descs/googkle.shtml

Thanks to Juha-Matti Laurio, Barrie Dempster, Gene Chen, Arjan Haringa and anonymous posters who submitted their reports regarding this and other sites.
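One way to do the check the diary suggests, as an added example that is not code from the ISC diary or from F-Secure: scan DNS query logs for lookups of the listed typo-squat domains and, on a suspect workstation, scan the hosts file for anti-virus vendor names pinned to a bogus address, which is the blocking technique the diary describes. The BIND 9 query-log line format, the vendor domain list and every log line, client address and hosts entry below are assumptions constructed for the example.

```python
"""
Two checks for the infection pattern in the diary above: DNS query logs
searched for lookups of the listed typo-squat domains, and a hosts file
searched for anti-virus vendor names pinned to a bogus address. Added example,
not code from the ISC diary; the log line format follows BIND 9 query logging
and every log line, client address and hosts entry below is constructed.
"""
import re
from collections import defaultdict

# The domains named in the diary entry.
TYPOSQUAT_DOMAINS = {
    "googkle.com", "msnm.com", "gfoogle.com", "ghoogle.com", "googfle.com",
    "luycos.com", "msn1.com", "passpport.com", "xcnn.com",
}

# Vendor domains whose hosts-file entries would be suspicious (assumed list).
AV_VENDOR_DOMAINS = {
    "symantec.com", "trendmicro.com", "f-secure.com", "sophos.com",
    "kaspersky.com", "mcafee.com",
}

# BIND 9 query log, e.g. "client 10.20.1.15#2049: query: www.googkle.com IN A +"
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")


def registered_domain(hostname):
    """Last two labels, lower-cased: enough for the .com names used here."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_typosquat_lookups(log_lines, watchlist=TYPOSQUAT_DOMAINS):
    """Map each watched domain that was looked up to the sorted client IPs that asked."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and registered_domain(m.group("name")) in watchlist:
            hits[registered_domain(m.group("name"))].add(m.group("ip"))
    return {domain: sorted(ips) for domain, ips in hits.items()}


def find_hosts_file_blocks(hosts_text, vendor_domains=AV_VENDOR_DOMAINS):
    """Return (address, hostname) pairs for vendor hostnames pinned in the hosts file."""
    blocked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if registered_domain(name) in vendor_domains:
                blocked.append((address, name.lower()))
    return blocked


# Constructed sample data (not real traffic and not a real infected host).
SAMPLE_QUERY_LOG = [
    "27-Apr-2005 08:55:12.001 client 10.20.1.15#2049: query: www.googkle.com IN A +",
    "27-Apr-2005 08:55:13.210 client 10.20.1.15#2050: query: www.google.com IN A +",
    "27-Apr-2005 09:02:44.778 client 10.20.3.7#1078: query: passpport.com IN A +",
    "27-Apr-2005 09:02:45.002 client 10.20.3.7#1079: query: WWW.PASSPPORT.COM IN A +",
    "27-Apr-2005 09:10:00.555 client 10.20.1.15#2051: query: mail.example.com IN MX +",
]

SAMPLE_HOSTS = """# constructed hosts file from a compromised workstation
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       www.trendmicro.com
0.0.0.0         www.f-secure.com   # pinned to an unroutable address
192.0.2.10      intranet.example.com
"""

if __name__ == "__main__":
    for domain, ips in find_typosquat_lookups(SAMPLE_QUERY_LOG).items():
        print(f"{domain}: looked up by {', '.join(ips)}")
    for address, name in find_hosts_file_blocks(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {address}")
```

Run it directly to see the client addresses behind each hit. Matching is on the last two labels, so www.googkle.com is caught as well as the bare name, and the hosts-file check ignores comments and is case-insensitive; on a real BIND server the same regex applies to the query log, and a cache dump (rndc dumpdb) can be grepped for the same list.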

CNN.com - Preliminary autopsy: Toddlers drowned - Apr 26, 2005

Preliminary autopsy: Toddlers drowned

WARRENTON, Georgia (CNN) -- Two toddlers whose bodies were found in an algae-covered sanitation pond drowned, according to preliminary autopsy results, a rural Georgia county official said Tuesday.

Warren County Coroner Paul Lowe noted that although the investigation continues, there is no evidence foul play was involved.

"We'll be looking at some other avenues," Lowe said. "We're still waiting to put some things together with the [Georgia Bureau of Investigation]."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Oracle April Critical Patch Update
Following up on Jim Clausing's diary regarding the Oracle April Critical Patch Update, this most recent patch cluster resolves several critical issues in 9i and 10g database releases. Two sections of this patch bundle seem to be the most pressing:

Oracle HTTP Server/Apache
The Oracle HTTP Server is a release of Apache 1.3.22. The April CPU updates the Apache distribution to resolve several Apache bugs, the oldest of which was reported on Jun 22, 2002. If you are using the Oracle HTTP Server product, it is recommended that you apply this patch bundle to resolve several outstanding vulnerabilities. If you are NOT using the Oracle HTTP Server on your database, it is recommended that you remove the software using the Oracle Universal Installer (OUI) tool.

Oracle Built-In Package SQL Injection
Several Oracle packages have been fixed with the April CPU to resolve SQL injection vulnerabilities that can allow an authenticated attacker to cause a denial of service, or to run arbitrary code as the SYS user. As exploit code is publicly available for these vulnerabilities, it is important that DBAs take action to protect against authorized users escalating their privileges on the database.
The three most important packages of concern are DBMS_CDC_PUBLISH, DBMS_CDC_SUBSCRIBE and DBMS_METADATA. As a workaround, DBAs are encouraged to revoke PUBLIC execute privileges on these packages:

revoke EXECUTE on DBMS_METADATA from PUBLIC;
revoke EXECUTE on DBMS_CDC_PUBLISH from PUBLIC;
revoke EXECUTE on DBMS_CDC_SUBSCRIBE from PUBLIC;


F-Secure : News from the Lab

Hackers infiltrate WLAN conference Posted by Jarno @ 13:47 GMT

Silicon.com is reporting a rather interesting hacker attack that happened at a WLAN IT conference in London last week.

Apparently the hackers created malicious WLAN hotspots with a forged log-in web page that tries to install malware on the computer of any user who logs in to the hotspot and tries to access the web over it.

While technically this kind of attack is rather simple to accomplish, it raises worrying implications for the use of free wireless hotspots, as business travellers frequently use whatever connection is available and carry quite important data on their laptops.

The best way to protect yourself against such an attack is to have an up-to-date operating system and browser, with anti-virus and a firewall installed. It is also important to have any critical connections made over VPN, and not to use an insecure connection for any service that requires a user name and password.

So if you are using an open WLAN connection, do not log in to any service that requires a user name and password and does not use SSL. If you really need to use such a service, use a VPN connection to your company office and route the connection from there, or use a proxy service that provides SSL, such as Anonymizer.



I am at a loss for words..

CNN.com - Missing Georgia toddlers found dead - Apr 25, 2005

Missing Georgia toddlers found dead

Monday, April 25, 2005 Posted: 4:35 PM EDT (2035 GMT)

WARRENTON, Georgia (CNN) -- The bodies of two toddlers reported missing over the weekend were found Monday in a pond near their rural Georgia home, state investigators said.

"It appears that our worst fears have been realized," said John Bankhead, spokesman for the Georgia Bureau of Investigation.

Bankhead said the bodies were found about 12:15 p.m. in a sanitation pond, and that they were positively identified in a photograph by their father. The spokesman said an autopsy will be performed Tuesday and that the investigation was ongoing.

CNN.com - Georgia toddlers missing since Saturday - Apr 25, 2005

Georgia toddlers missing since Saturday
Spokesman: Children need daily medical treatments

Monday, April 25, 2005 Posted: 12:35 PM EDT (1635 GMT)

WARRENTON, Georgia (CNN) -- The search for two missing toddlers who need daily medical treatment resumed Monday morning, said Warren County sheriff's officials, who suspended the search Sunday night because of fatigue.

The officials said they still had no reason to suspect foul play in the disappearance of 3-year-old Jonah Payne and his 2-year-old sister, Nicole.

Nicole needs "a particular type of breathing machine on a daily basis" and Jonah requires medication, said Jay Jones, a friend of the children's parents, Lottie Kain and Dennis Payne.

"It's very important we find these children as quickly as we can so we can see that their medical needs are taken care of," he said.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler on Duty: David Goldsmith
Updated April 25th 2005 12:15 UTC

Update on TrendMicro Pattern 594 Issue

If you came into the office this morning, are running a Windows OS on your computer, your computer's CPU is maxing out close to 100% utilization and you have a Trend Micro antivirus product installed, please go to the link referenced below.

As reported in the diary on 2005-04-23 and on 2005-04-24, Trend Micro had a problem with their Pattern 594 update released Friday afternoon around 15:30 PDT. They have now posted an explanation of the cause and solution on their site here.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Trend Pattern 594 Update

We're continuing to receive reports from readers who have been impacted by the Trend Micro AV Signature 594 issues, including reports of machines being rebuilt to restore functionality. An ISC reader who prefers to remain anonymous suggests the following solution:

"If customers are using Trend OfficeScan and have Outbreak Prevention Services, they can activate Outbreak mode on the server. This will lock down the firewall on the client machines and allow them to only communicate with the OfficeScan server. The reduction in network traffic being processed by the client should allow enough CPU usage to download (albeit, slowly) the update from the server. This could take several hours depending on the number of clients...it took us about 2 1/2. But, if it works it keeps you from having to touch all 100's, 1000's, or 10's of thousands of clients. Trend has a lot of 30,000+ client customers that were slammed by this and are probably still trying to recover from it. This might help them."

Trend have also posted updated information at http://www.trendmicro.com/en/support/pattern594/overview.htm

Hopefully this will help any readers out there who haven't already resorted to scorched-earth tactics in dealing with this unfortunate issue. If only they were running Macs, they wouldn't have to run antivirus.

Oh, wait a minute...

Macintosh Trojan "Discovered"

As a Mac aficionado (3 Powerbooks between home & work), I'm happy to report that we've finally warranted some attention from the Malware community. It's about damn time. Intrepid ISC reader Juha-Matti alerted us to Sophos' (brief) writeup on the Cowhand trojan. If any readers have spotted this thing in the wild, please let us know.

Now this just makes me smile..

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Symantec Website Restructuring

We had more than one reader write in to let us know that both securityresponse.symantec.com and Symantec's SARC site were apparently MIA for several hours today. While things are back to normal, I'd be remiss if I didn't point our readers at Chris Mosby's insightful commentary. It's good to see that we're not the only ones who get flamed for site redesigns. ;)

I posted earlier today about Symantec’s new website design. I wish that I had taken some screen shots, because everything now seems to be back to the way it was. Did Symantec listen, or was I hallucinating this morning?

OK, OK, break it up, there is nothing to say here….

Here I am doing my morning routine, eating my Raisin Nut Bran Cereal (yum!) and checking my usual set of security and antivirus websites, when I noticed something was not right.  One of my tabs in Firefox is set to open to http://securityresponse.symantec.com/ , and I find a graphic and slick website that has obviously been hijacked by some marketing guys.  I then give http://www.sarc.com a try and I am forwarded to the exact same page. Both have some antivirus\security information there, but it is not anywhere near the level of detail that I have come to expect over the years.

What was Symantec thinking???

It took me about 15 minutes of searching and clicking and I finally found a page with the information I wanted and needed, which can be found here:

http://www.symantec.com/enterprise/security_response/index.jsp

It didn’t take me long to find out that not only have they redesigned their website, but they have redesigned the URI structure and look of their virus information pages as well (Looks suspiciously like Trend Micro’s pages). So any bookmarks that you have on Symantec’s website are now null and void.  This also seems to cause trouble with links to virus information on Secunia's virus information page as well.  I did notice that they still have the link on the page above for putting Symantec info on their own site, so it might be better to set this up on your intranet somewhere, if this information is important.  Maybe I can throw something together that will have that information on it, so we can all use it.

WHAT WAS SYMANTEC THINKING???

I can’t speak for everyone, but personally I HATE the new website design.  The previous design was a lot easier to read and find the information that a security professional needs.  If you agree, you can send feedback to Symantec on the new design here (this was unavailable when I tried to go to it this morning): http://www.symantec.com/feedback/index.jsp

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Update on Problem with MS05-019

Yesterday, we mentioned in our diary that there may be network connectivity problems when applying the MS05-019 patch. Microsoft has published an article revealing that network connectivity between clients and servers may fail when applying the MS05-019 patch or Windows Server 2003 Service Pack 1. According to the article, the following symptoms may occur:
* Inability to connect to terminal servers or to access file shares.
* Failure of domain controller replication across WAN links.
* Microsoft Exchange servers cannot connect to domain controllers.

If you experience a similar issue, you may want to check out the article at:

http://support.microsoft.com/default.aspx?scid=898060


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Trojan Vundo

We are apparently seeing a new variant of Trojan Vundo. Symantec has yet to detect it, but there is a writeup on it.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html

The file matches the description except that the systems were patched for MS04-040.

Below is the result from a VirusTotal scan:

Antivirus     Version          Update       Result
AntiVir       6.30.0.7         04.22.2005   TR/Agent.CS
AVG           718              04.21.2005   Agent.U
BitDefender   7.0              04.23.2005   no virus found
ClamAV        devel-20050307   04.22.2005   no virus found
DrWeb         4.32b            04.22.2005   Trojan.Virtumod
eTrust-Iris   7.1.194.0        04.23.2005   Win32/Vundo.AD!DLL!Trojan
eTrust-Vet    11.7.0.0         04.22.2005   Win32.Vundo.AD
Fortinet      2.51             04.23.2005   W32/Agent.FZ-tr
F-Prot        3.16b            04.22.2005   no virus found
Ikarus        2.32             04.22.2005   Trojan.Win32.Agent.CS
Kaspersky     4.0.2.24         04.23.2005   Trojan.Win32.Agent.cs
McAfee        4475             04.22.2005   Generic BackDoor.d
NOD32v2       1.1075           04.23.2005   Win32/Agent.CS
Norman        5.70.10          04.20.2005   no virus found
Panda         8.02.00          04.22.2005   no virus found
Sybari        7.5.1314         04.23.2005   Win32.Vundo.AD
Symantec      8.0              04.22.2005   no virus found
VBA32         3.10.3           04.22.2005   Trojan.Win32.Agent.cs


Let us know if you have experienced the same Trojan.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Trend Micro Virus Sig 594 causes systems to experience high CPU utilization

We have received a few reports from our readers (in particular, thanks to Brad) that there are some issues with Trend Micro Virus Sig 594.

All Windows 2003 Servers and XP machines with virus sig 594 will experience 100% CPU utilization.

Apparently, this is due to incompatibility between the scanning engine, the sig file and the platforms.

Trend Micro has provided a new sig 596 to solve this issue.

For more information to resolve this issue, please refer to:

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=24263

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=24264


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Updated April 23rd 2005 02:59 UTC

DNS problems at Network Solutions

(This story reported by handler Kyle Haugsness)

We have reports from numerous people about problems with the worldnic.com nameservers, and there appears to have been an outage today. These are the authoritative nameservers for Network Solutions customers that don't have their own DNS servers. The outage was reported today on the NANOG mailing list:

http://www.merit.edu/mail.archives/nanog/msg07136.html

However, there seems to be another potential issue. Numerous sites are reporting problems resolving names against the worldnic servers. There seems to be a bug in the Symantec gateway products including the SEF (Raptor) product line. This seems to be known by the Symantec DNS engineers and they seem to be working on it.

http://groups-beta.google.com/group/mailing.unix.bind-users/browse_thread/thread/474e7dde9970fd16/226668b6822a4251?q=dns+worldnic&rnum=3&hl=en#226668b6822a4251

Here is a public post on the issue from Barry Margolin, CISSP, Sr. Technical Support Engineer at Symantec.

"When I investigated, I found that occasionally the worldnic.com servers will respond to a query with an empty response with the Truncated flag set. The problem on our end is that the DNS proxy in our firewall seems to ignore the Truncated flag, rather than retry using TCP (I've reported this bug to development), so we cache the NOANSWER response (but we have a hard-coded 60-second negative cache TTL, so the problem usually clears up shortly)."

Finally, the Network Solutions problems may be causing issues on BIND servers. An empty response to the UDP query with the Truncated flag set should force a DNS server to repeat the question over TCP. Apparently, TCP sessions to those servers are very slow, so it looks like an outage (or a high number of SYN-SENT sessions to the worldnic.com servers).

This issue could be wreaking havoc with e-mail delivery. Receiving mail servers can't look up MX records from remote servers and reject mail as spam. Given the large number of DNS queries some spam filters produce, this can be an issue.
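The exchange described above (an empty UDP reply with TC set, the retry over TCP a correct resolver performs, and the proxy that instead caches the empty reply as NOANSWER), as an added example that is not code from the ISC diary or from Symantec. The authoritative server below is a constructed stand-in for the worldnic.com behaviour, the zone name and MX record are made up, and nothing touches the network:

```python
"""
Why an empty UDP reply with the TC (truncated) bit set must be retried over
TCP rather than cached as "no answer". This is an added example, not code from
the ISC diary or from Symantec; the "authoritative server" is a constructed
stand-in for the worldnic.com behaviour described above, the zone name and MX
record are made up, and no network traffic is sent.
"""
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
TYPE_MX, CLASS_IN = 15, 1


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (non-compressed) name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointers are never emitted by the toy server
            raise ValueError("name compression not supported in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, qname):
    """Standard recursion-desired MX query for qname."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def parse_mx_answers(msg):
    """Return [(preference, exchange), ...] from the answer section."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):          # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(h["ancount"]):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            (pref,) = struct.unpack("!H", msg[off:off + 2])
            exchange, _ = decode_name(msg, off + 2)
            answers.append((pref, exchange))
        off += rdlen
    return answers


def authoritative_server(query, transport):
    """Constructed stand-in for the misbehaving server: over UDP it returns an
    EMPTY reply with TC=1; over TCP it returns the real answer, length-prefixed."""
    h = parse_header(query)
    question = query[12:]
    if transport == "udp":
        flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
        return struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0) + question
    qname, _ = decode_name(query, 12)
    rdata = struct.pack("!H", 10) + encode_name("mail." + qname)
    rr = (encode_name(qname)
          + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata)) + rdata)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    msg = struct.pack("!HHHHHH", h["id"], flags, 1, 1, 0, 0) + question + rr
    return struct.pack("!H", len(msg)) + msg      # RFC 1035 TCP framing


def resolve_mx(qname, honour_tc=True, cache=None):
    """Resolver side. honour_tc=True is correct behaviour (retry over TCP when
    TC is set); honour_tc=False reproduces the proxy bug quoted above, where the
    empty truncated reply is treated as NOANSWER and negatively cached."""
    cache = {} if cache is None else cache
    if qname in cache:
        return cache[qname]
    query = build_query(0x2A2A, qname)
    reply = authoritative_server(query, "udp")
    if parse_header(reply)["tc"] and honour_tc:
        framed = authoritative_server(query, "tcp")
        (length,) = struct.unpack("!H", framed[:2])
        reply = framed[2:2 + length]
    answers = parse_mx_answers(reply)
    cache[qname] = answers          # the buggy path caches [] here
    return answers


if __name__ == "__main__":
    print("correct resolver:", resolve_mx("example.com"))
    print("TC-ignoring proxy:", resolve_mx("example.com", honour_tc=False))
```

Run it directly to see the correct resolver return the MX record while the TC-ignoring path returns nothing and stores the empty result in its cache; in the Symantec proxy case the quoted 60-second negative TTL is what eventually clears that entry, and in the mail case that window is long enough for a receiving server to reject a message for want of an MX record.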


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Potential Problems with MS05-019
We are hearing of some problems with the MS05-019 patch. There is a posting by Darryl J. Roberts at

http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0049.html

Here is what he said:

"After installing the update in Microsoft Security Bulletin MS05-019 on two servers at a customer site, we are no longer able to connect via VPN to terminal services on those servers. (Other servers that did not have the security bulletins from last Tuesday installed can connect via VPN.)

After many hours over two days working with Microsoft Product Support Services, we discovered that forcing the MTU size down allowed the client to connect to terminal services. Today Microsoft PSS reported that they have confirmed that there is a problem with ICMP messages being incorrectly discarded (others have opened PSS cases about this issue). This could be why the MTU size is not being set correctly.

There will be an update to the patch in MS05-019, but as of this time, that update is not available. A Microsoft KB article is being written and has been assigned the number KB898060, but as of this time, that article is not publicly available.

I will be uninstalling the update for Security Bulletin MS05-019 from our customers' servers this evening and waiting for the corrected patch before reinstalling it."

There is also discussion that it doesn't affect all operating systems. Here are some more links:

http://marc.theaimsgroup.com/?l=patchmanagement&r=1&b=200504&w=2

http://www.winserverhelp.com/ftopic22712.html

If anyone has experienced issues with this patch or has other information, please let us know.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

A "Database" that has an embedded Trojan

"Backdoor.Ryejet is a back door Trojan horse that allows unauthorized remote access to a compromised computer. The Trojan also contains rootkit functionality to hide the presence of its files on the compromised computer. The threat may be distributed embedded in a Microsoft Jet Database".
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ryejet.html

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Trojan.Riler.B
"Discovered on: April 19, 2005
Last Updated on: April 20, 2005 01:26:27 PM
LSP's aren't new, but still sorta notable, ymmv;
Trojan.Riler.B is a back door Trojan horse program that installs itself as a layered service provider (LSP), and allows a remote attacker to have unauthorized access to the compromised system."
http://securityresponse.symantec.com/avcenter/venc/data/trojan.riler.b.html

I have had a few of the other bloggers mention that I should have a picture on my blog so people can find me easier here at MMS.

Well here you go:

Well, I have to say that it is really great to finally be here after all the waiting for this event to arrive.  For me MMS has always been an opportunity to recharge my batteries, both physical and mental.

Registration was a lot smoother in my opinion; the idea of sending your card\badge was a really good idea, and it made the process a piece of cake.  Good job, guys!!

For all those people out there who have trouble justifying a conference here in Las Vegas, like I do, I have some good news.  The back of the conference guide states that MMS 2006 will be in San Diego, CA, from April 24th to April 28th.  So, as Rod said on his blog, start planning for next year right now.  I am sure that the new location will make things a lot easier.

Here are some pictures of what and who I have seen so far.

View at the Luxor, in front of the tram to Mandalay Bay, at night

MMS 007  

Some pictures of the CommNet dedicated workstations

CommNet

CommNet 2

Pretty good picture of Brad Ferguson, one of the best networking\hardware guys I have ever met.  Brad and I worked together for a few years at my last place of employment (and, as he is always reminding me, he is also the guy that was left to run my mess after I left).  He looks so happy to see me.

MMS 014

Some people finally showed up at the Orchid Lounge before the opening Expo and Reception.

MMS 015

Seated here you will find (from left) Brad Ferguson, Dan Thomson, Ron Crumbaker, Reed Porter, Josh Searles (up against the column), Randy Hammer (and Haig), Tim Wood, and Harry Wilson.  What a happy looking bunch!!

MMS 017

Here is Ed Aldrich having a chat with John Hann and some other conference attendees.

Here are some pictures of the Opening Reception and Expo.  This was probably the biggest Expo they have had yet, and it covered a big area.  The food was pretty good too.

MMS 018

MMS 019

I ran into a few more members of the MyITforum community here as well.  First I found Garth Jones.  Glad to see he is still up and about.

MMS 021

Here you have a great picture of Michael Mott, charming as usual.

MMS 022

To finish off my blog post, I have a surprise for all you blog readers out there.

Here are some quick videos that I took of the conference as well.

This one shows how big the CommNet center is. 

http://www.chris.mosby.org/blog/mms 011.mov

This one shows the size of the Expo during the Opening Reception.

http://www.chris.mosby.org/blog/mms 020.mov

Take care all, I hope to blog again soon 


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-019 Proof of concept released
Numerous intelligence services are reporting (and in some cases publishing) proof of concept code for MS05-019. MS05-019 is the TCP/IP stack issue with ICMP. On other platforms, it can result in a Denial of Service. On Microsoft platforms, it is reported to also allow execution of code. Fortunately, the proof of concept is only a Denial of Service.

---------------------------------------------------------------------------
Kevin Liston
kliston at isc dot sans dot org

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

IRC spam worm
We got reports today from several readers about some fast-spreading malware that was spreading via IRC and sending out spam e-mail. It looks like the A/V vendors have finally caught up, since they all seem to be catching it now, but as usual this only does some good when the signatures are current. :/ They are identifying it variously as FunLove or Parite.



------------------------
Jim Clausing, jclausing_At_isc_dot_sans_dot_org

I am just about ready to leave work for the day, and I thought I would write up a quick post.

For all of you that are going to MMS, have a safe trip and I hope to see you there.  I am going to try to get some blog posts in as well, and keep you filled in on what is going on during and after the conference.

Just a word of caution though, I am terrible with names.  So if you come up and say hello and I have a funny look on my face, please introduce yourself!  ;-)

On Monday it will be easy to find me because I will be wearing one of these:

If you enjoy reading my blog from time to time, make sure to say hi, I would love to know what you think.

Green Lantern of Sector 38801 signing off :-)
