Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Dark Reading

7 Signs of Infosec's Groundhog's Day Syndrome
Dark Reading
Sometimes working in information security can make people feel a little bit like Sisyphus. Or, at least like Bill Murray in the movie Groundhog Day. You wake up and the same types of weaknesses in your people and technology are being attacked by the ...

 
Oracle Java SE CVE-2015-4902 Remote Security Vulnerability
 
Oracle Java SE CVE-2015-4806 Remote Security Vulnerability
 
Oracle Java SE CVE-2015-4805 Remote Security Vulnerability
 

(credit: Jeremy Brooks )

An open source network utility used by administrators and security professionals contains a cryptographic weakness so severe that it may have been intentionally created to give attackers a surreptitious way to eavesdrop on protected communications, its developer warned Monday.

Socat is a more feature-rich variant of the once widely used Netcat networking service for fixing bugs in network applications and for finding and exploiting security vulnerabilities. One of its features allows data to be transmitted through an encrypted channel to prevent it from being intercepted by people monitoring the traffic. Amazingly, when using the Diffie-Hellman method to establish a cryptographic key, Socat used a non-prime parameter to negotiate the key, an omission that violates one of the most basic cryptographic principles.

The Diffie-Hellman key exchange requires that the value be a prime number, meaning it's only divisible by itself and the number one. Because this crucial and most basic of rules was violated, attackers could calculate the secret key used to encrypt and decrypt the protected communications. What's more, the non-prime value was only 1,024 bits long, a length that researchers recently showed is susceptible to cracking by state-sponsored attackers even when prime numbers are used.

Read 6 remaining paragraphs | Comments

 
MailPoet Newsletter 2.6.19 - Security Advisory - Reflected XSS
 
Re: VMWare Zimbra Mailer | DKIM longterm Mail Replay vulnerability
 

NASA breach shows again that brute force password attacks work
IT World Canada
It isn't uncommon for hackers to boast about their exploits; it adds a bit of credibility to their work. So infosec teams should pay attention to claims from a group called AnonSec, which says it brute-force cracked the password of an administrator at ...

and more »
 

As Good As They're Getting, Analytics Don't Inherently Protect Data
Dark Reading
Prudent infosec professionals think about security in the context of reducing threat surface area and minimizing damage in the event of the exploit. The joke used to be that the only secure system is the one that isn't connected to the Internet. But ...

 

IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would take about 40,000 years to scan just the smallest subnet that may be assigned to a home user, assuming 5 minutes to scan 32 bits worth of addresses.

There are a couple of methods to make IPv6 scanning somewhat feasible:

  • interesting systems, like gateways, web servers, DNS servers and the like, often use non-randomIP addresses like 2001:db8::1, 2001:db8::50 or 2001:db8::35. This will narrow the scope somewhat.
  • Reverse DNS records may give away some of these addresses.
  • Yes, the last 64 bits may be derived from the MAC address, and not all MAC addresses are used.
  • Finally: The system may be reaching out to you

Looks like Shodan started to use the last option recently. Systems using the pool.ntp.org NTP servers have been observed as being scanned by Shodan. It appears that the Shodan project did add one or more NTP servers to the public NTP pool to find targets for its unauthorized scans [2]. Other scanner projects may do the same. DNS servers could of course be used in the same way, but there are no open DNS servers pools like this I am aware off (OpenDNS or Google could do similar tests, but I am not aware of them allowing 3rd parties into their pool).

So what to do about it?

Depending on how you feel about being scanned by Shodan, you may not care. But in particular with IPv6, databases like Shodan (Google and other web search engines tooof course) will play a larger role in finding targets than they already do. As a first step, you probably should fix your NTP infrastructure. Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside (or better, an internal standard like GPS or GSM). If you have a GPS signal in your environment, you may be able to setup a Raspberry Pi based master clock. [3] In an enterprise network, buy a professional NTP server that includes a GSM or GPS module. (GSM usually works better in data centers without requiring an external rooftop antenna).

Also consider using a secure NTP configuration template [4] to avoid other issues, like the famous monlist problem. NTP is a bit of a forgotten protocol in that it just works without having to mess with it in many cases. But if you didnt configure it, it probably isnt configured right for you.

FWIW: Our threat feeds include lists of internet wide research scanners (IPv4 only at this point). You can get a quick machine parsable version from our API (https://isc.sans.edu/api/threatcategory/research/), or a more visually appealing version using our threat feed map.

[1]http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/
[2]http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
[3]https://xmission.com/blog/2014/05/28/building-a-stratum-1-ntp-server-with-a-raspberry-pi
[4]http://www.team-cymru.org/secure-ntp-template.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

CSO Online

Does attribution matter to security leaders?
CSO Online
Levi's career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises ...

 

Infosecurity Magazine (blog)

Accepting the Unknown Risk
Infosecurity Magazine (blog)
Well some may say that their brand of “Infosec-Rap” is disrespectful of their trade, while others watch over and over again. Host Unknown 'sole founder' Agnês explained the long gap between songs: “When you smash it out of the park like I did with C I ...

 

2016 Information Security Predictions
Blogger News Network (blog)
No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predicts many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off… 4W Wearable Devices. Cyber crooks don't care ...

 
WebKitGTK+ Security Advisory WSA-2016-0001
 
Internet Storm Center Infocon Status