(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

More evidence has emerged that makes the Sony Pictures hack look similar to a suspected attack on South Korean companies over a year ago. And a spokesperson for the North Korean government, rather than denying his country’s involvement, is playing coy as the damage to Sony appears to be growing daily.

When contacted by the BBC, a spokesperson for North Korea’s mission to the United Nations said, "The hostile forces are relating everything to [North Korea]. I kindly advise you to just wait and see."

Sony Pictures’ computers were reportedly the victim of wiper malware which erased all the data on infected PCs and the servers they were connected to. As Ars reported yesterday, this is similar to the attack on two South Korean broadcasters and a bank that was launched in 2013. As security reporter Brian Krebs reports, the FBI sent out a “Flash Alert” to law enforcement this week warning of a cyber attacker using “wiper” malware—malicious software that erases the entire contents of the infected machine’s hard drives as well as the contents of the computer's master boot record. The FBI shared a Snort intrusion detection signature for the malware file, and, as Krebs noted, "the language pack referenced by the malicious files is Korean."



The OpenVPN folks released a security advisory and updates to their server software yesterday for a vulnerability that has existed in the source code since 2005. CVE-2014-8104 is a vulnerability that can result in an OpenVPN server crashing when sent a too-short control channel packet. Note that, in their words, both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. If I'm reading this correctly, this means that adding tls-auth keyfile (0|1) (as appropriate) to the configuration files on both server and client, as well as using client certificates, should protect against this attack.

Folks running OpenVPN servers are strongly urged to update to v2.3.6 as soon as possible. The fixes have also been backported to v2.2 and can be found in the git repository, but the vulnerability may also exist in earlier v2.x code if anyone is still running old server software. Note that the v3.x code used in most OpenVPN Connect clients (such as those for Android and iOS) is not vulnerable. My Ubuntu systems got the update last night, so if you are running an OpenVPN server on Linux, hopefully the patches are available via the usual package update mechanism or soon will be.
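The script below is an added example, not code from the diary or from the OpenVPN project. It audits a server and a client configuration for the two mitigations the advisory names: a tls-auth key (with the direction argument matching the side it is installed on) and client certificates (the server must not carry client-cert-not-required, and the client must carry a cert/key pair). The configuration texts, the host name vpn.example.invalid and the file names are constructed for the example.

```python
import re

# Constructed sample configurations (not from the diary or the advisory).
SERVER_WEAK = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-cert-not-required
"""

SERVER_HARDENED = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
"""

CLIENT_HARDENED = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""


def parse_config(text):
    """Return {directive: [args, ...]} for an OpenVPN-style config.

    Lines starting with '#' or ';' are comments and are skipped; the last
    occurrence of a repeated directive wins, which is enough for an audit.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def audit(text, role):
    """Return a list of findings for a config; role is 'server' or 'client'.

    Checks, following the advisory's two mitigations:
      - tls-auth is present, so packets without a valid HMAC are discarded
        before the control-channel code that CVE-2014-8104 lives in sees them
      - the tls-auth direction (second argument or key-direction) matches the
        role: 0 on the server, 1 on the client
      - a server does not switch client certificates off
      - a client actually carries a certificate and key
    """
    cfg = parse_config(text)
    findings = []
    expected_dir = '0' if role == 'server' else '1'
    if 'tls-auth' not in cfg:
        findings.append('missing tls-auth: unauthenticated control packets reach the TLS layer')
    else:
        args = cfg['tls-auth']
        direction = args[1] if len(args) > 1 else cfg.get('key-direction', [None])[0]
        if direction is not None and direction != expected_dir:
            findings.append(f'tls-auth direction {direction} does not match {role} (expected {expected_dir})')
    if role == 'server' and 'client-cert-not-required' in cfg:
        findings.append('client-cert-not-required: any client can open a TLS session without a certificate')
    if role == 'client' and not all(k in cfg for k in ('cert', 'key')):
        findings.append('client has no cert/key pair; the server cannot verify it by certificate')
    return findings


if __name__ == '__main__':
    for name, text, role in (('weak server', SERVER_WEAK, 'server'),
                             ('hardened server', SERVER_HARDENED, 'server'),
                             ('hardened client', CLIENT_HARDENED, 'client')):
        print(name, audit(text, role) or ['ok'])
```

The shared HMAC key referenced by tls-auth is generated once on the server with `openvpn --genkey --secret ta.key` and copied to every client; the audit only checks that the directive is present and points the right way, not that the file exists or is protected.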



Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


For more than two years, pro-Iranian hackers have penetrated some of the world's most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.

In many cases, "Operation Cleaver," as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world's critical infrastructure. Cylance researchers wrote:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allow[ing] unfettered access to the victim’s domains. We were witnessed [sic] a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Tuesday's 86-page report relies on circumstantial evidence to arrive at the conclusion that the 20 or more hackers participating in Operation Cleaver are backed by Iran's government. Members take Persian handles such as Salman Ghazikhani and Bahman Mohebbi; they work from numerous Internet domains, IP addresses, and autonomous system numbers registered in Iran; and many of the custom-configured hacking tools they use issue warnings when their external IP addresses trace back to the Middle Eastern country. The infrastructure supporting the vast campaign is too sprawling to be the work of a lone individual or small group; it could only have been sponsored by a nation state.


Drupal Avatar Uploader Module Information Disclosure Vulnerability
Drupal Notify Module Multiple Access Bypass Vulnerabilities
CVE-2014-9129: XSS and CSRF in CM Download Manager plugin for WordPress
blkid 'blkid.c' Local Command Injection Vulnerability
[RT-SA-2014-012] Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

Rodrigo Montoro and Joaquim Espinhara did an interesting test, and like so many interesting tests, it is actually pretty obvious in hindsight: They looked at different vulnerability scanners and checked how they behave if a web site is coded in a language other than English [1]. The quick answer: They pretty much fail. The presentation looks at a couple of open source and commercial scanners, and throws in Snort as an IDS. It turns out all of the scanners (and Snort) have issues recognizing evidence of vulnerabilities (like SQL error messages) if the language is changed to anything but English.


- don't just trust your vulnerability scanner. A clean bill from a basic vulnerability scanner doesn't mean you have no vulnerabilities.
- watch your error logs while the scan is in progress. You may find a lot more evidence of problems that way, in particular if you are not very forthcoming with error messages.
- configure your scanner (and in the case of Snort: your IDS) correctly. Maybe adjust your server configuration to make it easier for the scanner to find problems.
- and yes... a web site written in Klingon is likely much more difficult to hack, but also not that useful (they don't pay!)

On a similar note: Some sites use different code for different language versions of the site. In this case, it is very important to test all language versions, which may not be easy.
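As an added example (not code from the presentation or from any of the scanners it tested), the script below shows why an English-only pattern list misses localized database errors and what a scanner or log watcher can match on instead: error identifiers that are never translated (Oracle ORA- codes, SQLSTATE codes, PHP driver function names in warnings) plus a short list of per-language phrases. The HTTP response snippets and the Apache/PHP error_log lines are constructed, modelled on localized messages rather than copied from any product; the second function illustrates the "watch your error logs" advice, since the driver warning in the server log is in English even when the page shown to the visitor is not.

```python
import re

# Constructed HTTP response snippets, modelled on localized database error
# messages a scanner might see after probing a parameter with a stray quote.
RESPONSES = {
    "mysql_en": "You have an error in your SQL syntax; check the manual ... near ''' at line 1",
    "mysql_de": "Fehler in der SQL-Syntax. Bitte die korrekte Syntax im Handbuch nachschlagen ... bei ''' in Zeile 1",
    "pgsql_fr": "ERREUR:  erreur de syntaxe sur ou près de « ' »",
    "pdo_pt": "SQLSTATE[42000]: Syntax error or access violation: 1064 Você tem um erro de sintaxe no seu SQL",
    "oracle_ja": "ORA-00933: SQLコマンドが正しく終了されていません。",
    "clean": "<html><body>Bem-vindo! 3 produtos encontrados.</body></html>",
}

# What a scanner tuned on English installations typically looks for.
ENGLISH_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"syntax error at or near",
    r"ORA-00933: SQL command not properly ended",
    r"Unclosed quotation mark after the character string",
]

# Tokens that survive a change of server locale, plus a few per-language phrases.
LOCALE_INDEPENDENT_PATTERNS = [
    r"\bORA-\d{5}\b",                    # Oracle error codes are never translated
    r"SQLSTATE\[\w{5}\]",                # PDO/ODBC SQLSTATE codes
    r"\bmysqli?_\w+\(\)",                # PHP driver function names in warnings
    r"\bpg_(?:query|exec)\(\)",
    r"\b(?:SQL-Syntax|SQL syntax|erreur de syntaxe|erro de sintaxe)\b",
]

# Constructed Apache/PHP error_log lines: the driver warning is in English
# regardless of which language the page itself is served in.
ERROR_LOG = """\
[Tue Dec 02 10:14:31 2014] [error] [client 192.0.2.10] PHP Warning:  mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/shop/list.php on line 42
[Tue Dec 02 10:14:31 2014] [error] [client 192.0.2.10] PHP Notice:  Undefined index: lang in /var/www/shop/header.php on line 7
[Tue Dec 02 10:14:33 2014] [error] [client 192.0.2.10] PHP Warning:  pg_query(): Query failed: FEHLER:  Syntaxfehler bei »'« in /var/www/shop/search.php on line 88
"""


def detect(text, patterns):
    """Return the patterns that match the text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def compare_detectors(responses=RESPONSES):
    """Return {name: (english_only_hit, locale_aware_hit)} for each response."""
    return {
        name: (bool(detect(body, ENGLISH_PATTERNS)),
               bool(detect(body, ENGLISH_PATTERNS + LOCALE_INDEPENDENT_PATTERNS)))
        for name, body in responses.items()
    }


def scan_error_log(log=ERROR_LOG):
    """Return log lines showing a failed database call, whatever language the page used."""
    return [line for line in log.splitlines() if detect(line, LOCALE_INDEPENDENT_PATTERNS)]


if __name__ == "__main__":
    for name, (english, aware) in compare_detectors().items():
        print(f"{name:10s} english-only={english!s:5s} locale-aware={aware}")
    print(len(scan_error_log()), "suspicious error_log lines")
```

The phrase list is deliberately short: the point of the error codes and function names is that they do not need one entry per language, whereas message text has to be collected for every locale the application might run in.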


Johannes B. Ullrich, Ph.D.

LinuxSecurity.com: Security Report Summary
Kingsoft Office CVE-2014-2271 Remote Code Execution Vulnerability
Huawei P2 CVE-2014-2273 Local Privilege Escalation Vulnerability
Huawei Mobile Partner Local Privilege Escalation Vulnerability
eyeD3 Insecure Temporary File Creation Vulnerability

Johannes B. Ullrich, Ph.D.

Xen CVE-2014-8595 Local Privilege Escalation Vulnerability
Xen MMU CVE-2014-8594 Local Security Bypass Vulnerability

Help Net Security

Training kids to become infosec superheroes
This is what motivated three cybersecurity professionals to create The Cynja, a new comic series teaching infosec concepts in a way that kids can grasp, and why they've launched The Cynja Field Instruction Manual, an activity book for “trainee ...

TYPO3 Questionnaire Extension CVE-2014-8874 Information Disclosure Vulnerability
Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability
[SECURITY] [DSA 3084-1] openvpn security update
Internet Storm Center Infocon Status