(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Xen has issued an advisory and a related patch to address an issue that allows a "buggy or malicious HVM guest to crash the host or read data relating to other guests or the hypervisor itself."

Xen 4.1 and onward are vulnerable. Only x86 hosts are affected; ARM systems are not vulnerable.

Applying the patch resolves this issue.

Russ McRee | @holisticinfosec


Per Security Onion's Doug Burks, Seth Hall has developed some comprehensive ShellShock detection scripts for Bro.
These scripts "detect successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed 'ShellShock' and are more comprehensive than most detections in that they're watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."
Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism."
Doug has updated the securityonion-bro-scripts package to include these changes and has also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".

This is great for current Security Onion users, and even better for readers who have not yet investigated and invested in Security Onion. Now's the time to become familiar and improve your situational awareness, particularly given the fact that it's National Cyber Security Awareness Month. :-)

Everything you need is available on Doug's blog: http://blog.securityonion.net/2014/10/new-securityonion-bro-scripts-and.html

Russ McRee | @holisticinfosec

nginx CVE-2014-3616 SSL Session Fixation Vulnerability
Perl CVE-2014-4330 Stack Overflow Denial of Service Vulnerability

This post originally appeared on the Electronic Frontier Foundation's website. The author, Dave Maass, is a media relations coordinator and investigative researcher for EFF.

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.


WordPress Colormix Theme Multiple Security Vulnerabilities

The Xen Project has published a security advisory that could affect millions of virtualized servers running in Amazon’s cloud and other public hosting services. A flaw in the Xen hypervisor could allow a malicious fully virtualized server to read data about other virtualized systems running on the same physical hardware or the hypervisor hosting the virtual machine. The malicious system could also potentially crash the server hosting the virtual machines. A patch, which was privately disclosed last week under embargo, has been issued to correct the issue.

Xen is used by a number of public and private cloud providers to support infrastructure-as-a-service (IaaS) offerings such as Amazon’s Elastic Compute Cloud, Rackspace, and some configurations of the OpenStack cloud provisioning environment. The flaw, discovered by Jan Beulich at SUSE, affects servers configured to support hardware-assisted virtualization (HVM) mode virtualization. HVM lets operating systems use hardware extensions that give them faster access to the physical server’s hardware, and it uses software emulation of other Intel platform hardware to allow those operating systems to run without modification. Windows virtual machines running on Xen require HVM support.

The bug, present in Xen 4.1 and later, is in HVM code that emulates Intel’s x2APIC interrupt controller. While the emulator restricts the ability of a virtual machine to write to memory reserved specifically for its own emulated controller, a program running within a virtual machine could use the x2APIC interface to read information stored outside of that space. If someone were to provision an inadvertently buggy or intentionally malicious virtual machine on a server using HVM, Beulich found that the VM could use the interface to read physical memory on the host that is reserved for other virtual machines or for the virtualization software itself. In other words, an "evil" virtual machine could essentially read over the shoulder of other virtual machines running on the same server, bypassing the isolation the hypervisor is supposed to enforce.
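The two Xen items on this page (the ISC note near the top and the Ars Technica excerpt just above) describe the same bug class: an HVM emulation path whose write side is bounded to the guest's own emulated-controller page but whose read side accepts a wider range. The following C program is an added illustration written for this page; it is not Xen's code and not the actual patch. It models a 4 KiB emulated APIC page sitting directly in front of a constructed block of another guest's memory, an x2APIC MSR read handler whose range check is assumed to be four times too wide, and the bounded handler beside it. The 0x400-MSR bound, the offset formula (16 bytes per MSR), the memory layout and the sentinel values are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APIC_PAGE_SIZE    4096u
#define X2APIC_MSR_BASE   0x800u
#define X2APIC_MSR_COUNT  0x100u   /* 256 MSRs, one per 16-byte APIC register slot */
#define WIDE_MSR_COUNT    0x400u   /* assumed over-wide bound used by the buggy check */

/* Constructed host memory layout: the guest's emulated APIC page is followed
 * immediately by memory that belongs to a different guest. */
struct host_mem {
    uint8_t guest_apic_page[APIC_PAGE_SIZE];
    uint8_t other_guest_data[APIC_PAGE_SIZE];
};

static struct host_mem mem;

static uint32_t read32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Populate the constructed layout: an APIC ID the guest may legitimately read
 * (register offset 0x20, i.e. MSR 0x802) and a sentinel "secret" placed in the
 * neighbouring guest's memory. Both values are made up for the demo. */
void reset_host_mem(void)
{
    const uint32_t apic_id = 0x00000001u;
    const uint32_t secret  = 0xDEADBEEFu;
    memset(&mem, 0, sizeof mem);
    memcpy(mem.guest_apic_page + 0x20, &apic_id, sizeof apic_id);
    memcpy(mem.other_guest_data, &secret, sizeof secret);
}

/* Buggy read path: the range check admits 1024 MSRs, but the page only holds
 * 256 register slots, so MSRs 0x900 and up index past the guest's page. */
int x2apic_rdmsr_vuln(uint32_t msr, uint32_t *out)
{
    if (msr < X2APIC_MSR_BASE || msr >= X2APIC_MSR_BASE + WIDE_MSR_COUNT)
        return -1;                                  /* inject #GP into the guest */
    size_t off = (size_t)(msr - X2APIC_MSR_BASE) * 16;
    /* The offset is applied from the start of host memory, not checked against
     * the page: off >= 4096 lands in other_guest_data, and an offset beyond
     * sizeof mem would be a genuine out-of-bounds read (the "crash the host"
     * outcome). Only MSR 0x900 is exercised below, which stays inside mem. */
    *out = read32((const uint8_t *)&mem + off);
    return 0;
}

/* Bounded read path: the check matches the size of the emulated register file,
 * so the computed offset can never leave guest_apic_page. */
int x2apic_rdmsr_fixed(uint32_t msr, uint32_t *out)
{
    if (msr < X2APIC_MSR_BASE || msr >= X2APIC_MSR_BASE + X2APIC_MSR_COUNT)
        return -1;
    size_t off = (size_t)(msr - X2APIC_MSR_BASE) * 16;
    *out = read32(mem.guest_apic_page + off);
    return 0;
}

/* Write path, bounded in both versions, as the text says the original was. */
int x2apic_wrmsr(uint32_t msr, uint32_t val)
{
    if (msr < X2APIC_MSR_BASE || msr >= X2APIC_MSR_BASE + X2APIC_MSR_COUNT)
        return -1;
    size_t off = (size_t)(msr - X2APIC_MSR_BASE) * 16;
    memcpy(mem.guest_apic_page + off, &val, sizeof val);
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    reset_host_mem();
    if (x2apic_rdmsr_vuln(0x802, &v) == 0)
        printf("buggy rdmsr 0x802 -> %#x (guest's own APIC ID, legitimate)\n", (unsigned)v);
    if (x2apic_rdmsr_vuln(0x900, &v) == 0)
        printf("buggy rdmsr 0x900 -> %#x (another guest's memory leaked)\n", (unsigned)v);
    printf("fixed rdmsr 0x900 -> %s\n", x2apic_rdmsr_fixed(0x900, &v) ? "#GP" : "ok");
    printf("wrmsr 0x900 -> %s (writes were already bounded)\n",
           x2apic_wrmsr(0x900, 0) ? "#GP" : "ok");
    return 0;
}
```

Compile with `cc -std=c99 -Wall x2apic_demo.c && ./a.out`. MSR 0x900 is the first index past the 256-slot page: the buggy handler hands the neighbour's bytes back to the guest, the bounded handler injects #GP, and the write path rejects the same MSR in both versions. The point of the pairing is that the fix is a single bound check on the read side; nothing about the write path, which was already limited, needed to change.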


[SECURITY] [DSA 3041-1] xen security update
Reflected Cross-Site Scripting (XSS) in Textpattern
Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin
[security bulletin] HPSBHF03119 rev.1 - HP DreamColor Display running Bash Shell, Remote Code Execution
NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities
HP MPIO DSM Manager CVE-2014-2639 Local Privilege Escalation Vulnerability
[SECURITY] [DSA 3040-1] rsyslog security update
PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability
[security bulletin] HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell, Remote Code Execution
[security bulletin] HPSBMU03112 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Multiple Vulnerabilities
[security bulletin] HPSBST02958 rev.1 - HP MPIO Device Specific Module Manager, Local Execution of Arbitrary Code with Privilege Elevation
libvirt XML External Entity CVE-2014-5177 Multiple Information Disclosure Vulnerabilities

Posted by InfoSec News on Oct 01


Buth Reaksmey Kongkea
The Phnom Penh Post
1 October 2014

Two members of “hacktivist” group Anonymous Cambodia convicted of computer
hacking yesterday will be spared further jail time. Instead, they have
been ordered to put their “excellent” IT skills to use combating
cybercrime in the Ministry of Interior.

Bun King Mongkolpanha, 21, alias “Black Cyber”, and...

Posted by InfoSec News on Oct 01

Forwarded from: THOTCON NFP <info (at) thotcon.org>

***BEGIN THOTCON TRANSMISSION**********************************************

Greetings InfoSec News Readers

What: THOTCON 0x6 - Chicago's Hacking Conference

When: 05.14-15.15

Where: TOP_SECRET / совершенно секретно / 絕密

Tickets: Tickets on Sale 10.01.2014

Call For Papers: CFP Opens...

Posted by InfoSec News on Oct 01


By Patrick Ouellette
Health IT Security
September 30, 2014

Dale Nordenberg, moderator of the medical device security panel discussion
at this year’s HIMSS Privacy and Security Forum, made an interesting point
in saying that medical devices fit somewhere between BioMed, IT and
security. Given the likelihood that they fall through the cracks, what are...

Posted by InfoSec News on Oct 01


By Sean Gallagher
Ars Technica
Sept 30 2014

Over the past few days, Apple, Red Hat, and others have pushed out patches
to vulnerabilities in the GNU Bourne Again Shell (bash). The
vulnerabilities previously allowed attackers to execute commands remotely
on systems that use the command parser under some conditions—including Web

Posted by InfoSec News on Oct 01


By Aliya Sternstein
September 29, 2014

Look for the whole government to take a page from the Pentagon and require
that firms notify their agency customers of hacks into company-owned
systems within three days of detection, procurement attorneys and federal
officials say.

Right now, vendors only have to report compromises of...

Posted by InfoSec News on Oct 01


By Jayanth Jacob
Hindustan Times
New Delhi
September 29, 2014

Israel has invited India to be part of Prime Minister Benjamin Netanyahu’s
latest pet project of national cyber defense authority-- a dedicated force
to fight cyber threats—during his meeting with his Indian counterpart
Narendra Modi in New York on Sunday.


Posted by InfoSec News on Oct 01


By Nicky Woolf
30 September 2014

Four men have been charged with breaking into the computer systems of
Microsoft, the US army and leading games manufacturers, as part of an
alleged international hacking ring that netted more than $100m in
intellectual property, the US Department of Justice said on Tuesday.

The four, aged...