[security bulletin] HPSBMU02895 SSRT101253 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

We do see a lot of probes for port 32764/TCP. According to a post to GitHub from 2 days ago, some Linksys devices may be listening on this port, enabling full unauthenticated admin access. [1]

At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. 

Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. By far the largest number of scans come from one source IP. ShodanHQ has also been actively probing this port for the last couple of days.


| Date     | Records | Targets | Sources | TCP/UDP*100 |
| Dec 5th  |      10 |       2 |       3 |          90 |
| Dec 9th  |      11 |       2 |       5 |         100 |
| Dec 10th |      17 |       5 |       6 |         100 |
| Jan 2nd  |   15068 |    3833 |       3 |         100 |

We only have 10 different source IP addresses originating more than 10 port 32764 scans per day over the last 30 days:

| date       | source          | count(*) |
| 2014-01-02 | |    18392 |
| 2014-01-01 | |      768 |<-- interesting... 3 days
| 2014-01-02 | |      585 |<--    early hits from ShodanHQ
| 2014-01-02 | |      226 |
| 2013-12-31 | |      102 |<--    
| 2014-01-02 | |       74 |
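To reproduce the two tabulations above from raw firewall records (per-day records, distinct targets, distinct sources and TCP share, then the sources sending more than 10 probes to 32764/TCP in a single day), here is an added Python example; it is not ISC code, and the log format and every address in it are constructed.

```python
from collections import defaultdict

# Constructed sample log (not ISC data), one firewall record per line:
# "date source target protocol dport". Addresses are documentation ranges.
SAMPLE_LOG = (
    # 2014-01-02: one source probing twelve distinct targets on 32764/TCP
    [f"2014-01-02 192.0.2.10 198.51.100.{i} tcp 32764" for i in range(1, 13)]
    + ["2014-01-02 192.0.2.20 198.51.100.1 tcp 32764",  # quieter source
       "2014-01-02 192.0.2.20 198.51.100.2 tcp 32764",
       "2014-01-02 192.0.2.20 198.51.100.2 udp 32764",  # one UDP probe
       "2014-01-02 192.0.2.30 198.51.100.9 tcp 22",     # other port, ignored
       "2014-01-01 192.0.2.10 198.51.100.1 tcp 32764",  # the day before
       "2014-01-01 192.0.2.40 198.51.100.3 tcp 32764"]
)

def parse_records(lines):
    """Turn raw lines into (date, src, dst, proto, dport) tuples; skip malformed ones."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        date, src, dst, proto, dport = parts
        rows.append((date, src, dst, proto.lower(), int(dport)))
    return rows

def daily_summary(rows, port=32764):
    """Per day: records, distinct targets, distinct sources, TCP share x100."""
    by_date = defaultdict(list)
    for r in rows:
        if r[4] == port:
            by_date[r[0]].append(r)
    summary = {}
    for date, recs in sorted(by_date.items()):
        tcp = sum(1 for r in recs if r[3] == "tcp")
        summary[date] = {"records": len(recs),
                         "targets": len({r[2] for r in recs}),
                         "sources": len({r[1] for r in recs}),
                         "tcp_pct": round(100 * tcp / len(recs))}
    return summary

def noisy_sources(rows, port=32764, threshold=10):
    """(date, source, count) for sources sending > threshold probes to port in one day."""
    counts = defaultdict(int)
    for date, src, _dst, _proto, dport in rows:
        if dport == port:
            counts[(date, src)] += 1
    hits = [(d, s, c) for (d, s), c in counts.items() if c > threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))
```

Feed it your own firewall export in the same five-column shape and lower `threshold` to surface quieter probers; anything that lists one of your own addresses as a target is a host worth checking for a listener on 32764/TCP.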


[1] https://github.com/elvanderb/TCP-32764

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Who will be Microsoft's new CEO? What's next in wearable computing? 2014 promises to be an exciting year. What do you think will be the biggest tech story of the coming year?
The American Civil Liberties Union will appeal a judge's decision to throw out the civil liberties group's lawsuit challenging U.S. National Security Agency surveillance.

The official website for the widely used OpenSSL code library was compromised four days ago in an incident that is stoking concerns among some security professionals.

Code repositories remained untouched in the December 29 hack, and the only outward sign of a breach was a defacement left on the OpenSSL.org home page. The compromise is nonetheless rattling some nerves. In a brief advisory last updated on New Year's Day, officials said "the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration." The lack of additional details raised the question of whether the same weakness may have been exploited to target other sites that use the same service. After all, saying a compromise was achieved through a hypervisor vulnerability in the Web host of one of the Internet's most important sites isn't necessarily comforting news if the service or hypervisor platform is widely used by others.

Update: Shortly after this brief was published, VMWare posted an advisory saying that there's no evidence any of its products were involved in the compromise.


Wearable gadgets and "smart" devices that can see, track motion and record activities will be out in abundance at this year's International CES trade show.
Enterprise mobile vendor Motorola Solutions has acquired Twisted Pair Solutions, a provider of software for push-to-talk communications spanning PCs, office phones, smartphones and specialized devices such as two-way radios.
A U.S. appeals court has once again rejected Google's argument that it did not break federal wiretap laws when collecting user data from unencrypted wireless networks for its Street View program.
Snapchat, a social media company with a popular photo-messaging app, has taken a blow with a recent hack affecting 4.6 million users.
With the attention given to Twitter's IPO, one might assume that the tech industry is dependent on its success. It isn't. Not even close.
Jeffrey Kilbride, convicted of charges stemming from the CAN-SPAM Act, was returned to federal custody a day after he reportedly broke out of a minimum-security prison.
Could the Chromebook knock out Windows on the desktop? Don't bet against it.
OS X Mavericks' uptake slowed significantly in December, putting a crimp on Apple's plans to move customers to the new -- and free -- operating system.
Eloi Vanderbeken explains the motivation for hacking his own WiFi router in pictures.
Eloi Vanderbeken

A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.

The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.

Eloi Vanderbeken described the backdoor in a PowerPoint posted with the code to Github. In his illustrated report, he explained how over the Christmas holiday he was trying to get access to the administrative console of his family’s Linksys WAG200G wireless DSL gateway wirelessly—mostly so he could limit how much bandwidth the others in the house were using. But Vanderbeken had previously turned off wireless access to the administration web console (and had forgotten his administrative password).


Google is working with hardware makers so TVs, smartphones and PCs can play 4K content from YouTube and other streaming services while consuming almost half the bandwidth required by high-definition videos today.

Greyhat hackers have published the partial phone numbers belonging to more than 4.5 million Snapchat users after exploiting a recently disclosed security weakness that officials of the service had described as theoretical.

The database containing usernames and corresponding phone numbers for the majority of Snapchat users was posted to snapchatdb.info on the last day of 2013. Phone numbers published on the site were obscured by censoring the last two digits, but the anonymous people behind the posting said they might make the full version available privately.

Within 24 hours, the site was no longer accessible, but much of the data can still be found in search engine caches and mirror servers. The data has also been incorporated into Have I Been Pwned, a whitehat service that helps people track whether their personal information has been leaked online. The Snapchat data has likely also been downloaded by less scrupulous hackers for use in phishing and social engineering scams.


LinuxSecurity.com: Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, information disclosure, mass assignment, open redirection and insecure unserialize vulnerabilities and corresponds to TYPO3-CORE-SA-2013-004. [More...]
LinuxSecurity.com: Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support was susceptible to denial of service and retransmission of DTLS messages was fixed. In addition this updates disables the insecure Dual_EC_DRBG algorithm (which was unused anyway, see [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
LinuxSecurity.com: An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system. [More...]
eduTrac 'showmask' Parameter Directory Traversal Vulnerability
Global spending on technology will rise 6.2% to $2.22 trillion in 2014, helped by an improving economy and growing interest in areas such as mobility and cloud computing, according to new data from Forrester Research.
Ford plans to unveil at the Consumer Electronics Show next week an hybrid concept car that runs primarily on solar power.
Path Traversal in eduTrac

By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to become more common over time, since they offer an easy way to take over a host without going through the effort of actually rooting a box. (Social engineering credentials is easy, ask the Syrian Electronic Army; actual penetrations take effort.)

The key takeaway is, obviously, to protect the hypervisor from unauthorized access. Beyond that, protect your VMs as if they were physical machines: where feasible, use a BIOS password and a boot password, and disable the DVD-ROM and USB storage. Don't trust the hypervisor or VM host to secure your machine for you. For additional reading, see this NIST Guide to Security for Full Virtualization Technologies.

More on the openssl.org defacement as it develops.

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


UPDATE 1500 PDT 01 JAN: Skype Blogs now recovered and reverted to normal. Be sure to add all available protection to your social media accounts and don't use one password to access them all.

The Syrian Electronic Army (SEA) has compromised Skype’s blog and posted anti-NSA and anti-Microsoft messages with such joyful tidbits as "Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to the governments."

Skype Blog Pwn

SEA also gained control of Skype’s Facebook and Twitter accounts although messages posted have since been removed.
Follow all the fun on Twitter.

Russ McRee | @holisticinfosec


Windows 8 surged in December to end the year with almost 12% of the user share of all Windows personal computers, while the destined-for-retirement Windows XP restarted its decline after a two-month pause, a Web analytics company Net Applications said Thursday.

The Syrian Electronic Army has hacked Skype's Twitter account to accuse the company's owner, Microsoft, of colluding with governments to share user data.

"Don't use Microsoft emails (hotmail, outlook). They are monitoring your accounts and selling the data to the governments," the collective tweeted on New Year's Day, before posting the contact details of the company's outgoing CEO Steve Ballmer. "You can thank Microsoft for monitoring your accounts/emails using this details," it said. Communicating across Skype's Twitter feed, Facebook page, and blog, the group went on to implore the FBI to "stop spying on people."

Skype, having regained control of its account, provided no retort to the accusation, but tweeted, "You may have noticed our social media properties were targeted today. No user info was compromised. We're sorry for the inconvenience."


CIO's Publisher Adam Dennison doesn't buy the notion that CMO budgets for IT will outstrip those of CIOs in the coming years, citing new State of the CIO research to prove it.
Digital strategist or traditional CIO? Our 13th annual State of the CIO research reveals the great career divide.
Lenovo announced its first LTE smartphone and other handsets priced between $219 to $549, but none will be immediately available in the U.S., one of the largest mobile device markets.

PixlCloud CEO Raffael Marty on the importance of security visualisation
... lot of work with Pixlcloud. About the author: Jay Turla is a security researcher for the InfoSec Institute and one of the goons of ROOTCON (Philippine Hackers Conference).

Skype said its social media properties were targeted, with a group calling itself the Syrian Electronic Army appearing to claim credit for the hacks.
How three companies are coping -- even thriving -- amid the Android explosion. Insider (registration required)
Phone numbers paired with user names of over 4.6 million alleged Snapchat users were posted online by hackers, a few days after a security research group claimed a vulnerability in the social sharing service that could allow attackers to match phone numbers to Snapchat accounts.