(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Enlarge / AirDroid's example imagery.

For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks, researchers said Thursday.

AirDroid, which has been downloaded 10 million to 50 million times from the official Google Play Store, uses a static and easily detectable encryption key when transmitting update files and sensitive user data, according to a blog post published by security firm Zimperium. Attackers who are on the same network can exploit the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity and international mobile subscriber identity designations that are unique to each phone.

"A malicious party on the same network as the victim can leverage this vulnerability to remotely gain full control of their device," Simone Margaritelli, principal security researcher at Zimperium's zLabs, told Ars. "Moreover, the attacker will be able to see the user's sensitive information such as the IMEI, IMSI, and so forth. As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it."

Read 8 remaining paragraphs | Comments

Advantech SUSIAccess Server CVE-2016-9353 Local Privilege Escalation Vulnerability
Advantech SUSIAccess Server Directory Traversal and Information Disclosure Vulnerabilities

First a disclaimer: This methodworks for a home network, maybe a small business network. I do describe how to do this using a specific vendors equipment. This isnt an endorsement of the vendor.

Back in the 100 BaseT days, it was pretty easy to make your own tap. You could essentially just connect the network cables transmit line to the receive pins of a output plug, and all it took was four network plug, a punch down tool and a bit of wire. Sadly, with Gigabit Ethernet, both pairs are used to transmit and receive. Tapping this type of network is a bit more tricky and requires more sophisticated circuitry.

You can buy some relativelycheap Taps, but often a simple switch is cheaper, and provides similar capabilities. To monitor just a single network segment, a simple switch like this may be perfectly acceptable, and with port-based VLANs, you can even aggregate multiple segments." />

There are three possible spots to connect a sensor:

  1. Between Firewall and Modem: In this case, you will see all the traffic entering / leaving the network. But you will only see the NATed traffic assuming that the firewall/router also does NAT. It will be difficult to assign traffic to a particular device on your network
  2. LAN: This is the network we use to connect our workstations/mobile device. We can define a port on the LAN switch as a mirror port and at least mirror the port connected to the gateway. This should give us a nice spot to connect a sensor.
  3. WAN: Same as for the LAN port, a mirror port on the switch will allow us to watch traffic to/from the servers connected to this switch

So how do we monitor traffic in both networks, the LAN and the WAN segment? There are a couple of options here:

Run the sensor on your Firewall/Router

If you are using a homemade Linux deviceor PF Sense, then it is pretty easy to install tools like snort or even bro on the device as well. Again: We are talking home network here. But even in a home network, I find that this type of setup quickly runs out of steam, in particular, if you are using less than state-of-the-art hardware.

Run a dedicated sensor, with multiple network cards

You will need a network card for each segmentand one more for a management network. In the diagram this would require at least three (LAN, DMZ + management) or even four (LAN, DMZ, WAN + management) . Finding a small / low-cost system with more than two network cards is challenging. But luckily, with some port-based VLAN trickery, our cheap monitor switch can be coerced into aggregating multiple networks.

Aggregating Multiple Network Segments with a Switch

I am using the Netgear GS105Ev2 switch. This is a 5 port switch that offers port-based VLANs and port mirroring, the two features I am going to use here. Other switches that provides these two features should work as well. This switch currently sells for about $45.

First, figure out which port you would like to use how. In my example, I am using:

Port 1 to manage the switch
Port 2,3,4 to connect to the different network segments
Port 5 to connect to the sensor (and remember that the monitoring interface of the sensor has no IP address, but is just listening)

First, lets configure the mirror feature. We define ports 2,3,4 as source" />

Next, lets define the VLANs. Setting up port-based VLANs is CRITICAL since we do not want to shortcut" />

So how bad is it? Does it work at all?

It does work pretty well. I still have to measure the exact throughput. The admin interface for the switch does become unresponsive pretty quickly, but well, once it is set up, you dont need to touch it anymore. There are better switches with more buffer memory that you can often get on eBay for not much more money. I am having a hard time finding real gigabit taps for less than a few hundred dollars on eBay. But you may get lucky. Many of the taps that you find around this same price are typically actually just switches that are preconfigured with a monitoring port.

Let me know if it works for you, or if you have better ideas to monitor multiple gigabit network segments. If you are just interested in using a switch as a tap, there are a couple of videos on YouTube walking you through the setup.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Smiths-Medical CADD-Solis Medication Safety Software Multiple Security Bypass Vulnerabilities
Multiple Mitsubishi Electric MELSEC-Q Series Security Bypass and Denial of Service Vulnerabilities
Serendipity CVE-2016-9752 SSRF Security Bypass Vulnerability
GraphicsMagick 'memory.c' Denial of Service Vulnerability
libming 'read.c' Null Pointer Deference Denial of Service Vulnerability
Linux Kernel 'IPv6 Implementation' Local Integer Overflow Vulnerability

Enlarge / Avalanche once hosted ransomware that spoofed messages from law enforcement. Now, a team of 40 law enforcement agencies has shut it down. (credit: Symantec)

[Update, 3:00 PM EDT: This story has been updated with additional details from The Shadowserver Foundation and Europol.]

A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed "Avalanche," which has been in operation in some form since at least late 2009.

"The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline."

Read 8 remaining paragraphs | Comments

Broadcom Wifi Driver 'brcmf_cfg80211_start_ap()' Function Stack Buffer Overflow Vulnerability


A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation." The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.

Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran. Several Saudi government agencies were among the organizations attacked.

New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye. It isn't yet clear how the malware's "dropper" has gotten into the networks it has attacked. But once on a victim's Windows system, it determines whether to install a 32-bit or 64-bit version of the malware. According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17.

Read 3 remaining paragraphs | Comments

PHP CVE-2016-7131 NULL pointer Dereference Remote Denial of Service Vulnerability
ImageMagick CVE-2016-8862 Memory Corruption Vulnerability
ImageMagick CVE-2016-9556 Heap Buffer Overflow Vulnerability
Linux Kernel 'kvm/emulate.c' Local Information Disclosure Vulnerability

Enlarge / Unfortunately, it's easier to stick a lock on the Brooklyn Bridge than it is to secure your data. We can at least try to help, though. (credit: Andrew Cunningham)

With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home.

This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.

This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised. And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices.

Read 28 remaining paragraphs | Comments

Mozilla Firefox CVE-2016-5296 Heap Buffer Overflow Vulnerability
Mozilla Firefox Multiple Security Vulnerabilities
[slackware-security] mozilla-firefox (SSA:2016-336-01)

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
HP Network Automation CVE-2016-8511 Remote Code Execution Vulnerability
Mozilla Firefox CVE-2016-9079 Use After Free Remote Code Execution Vulnerability
Symantec Norton App Lock CVE-2016-6591 Local Security Bypass Vulnerability
[security bulletin] HPSBGN03680 rev.1 - HPE Propel, Local Denial of Service (DoS), Escalation of Privilege
[security bulletin] HPSBUX03665 rev.3 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS), URL Redirection
Internet Storm Center Infocon Status