Information Security News
We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. 
At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network.
Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 126.96.36.199. ShodanHQ has also been actively probing this port for the last couple of days.
We only have 10 different source IP addresses originating more then 10 port 32764 scans per day over the last 30 days:
+------------+-----------------+----------+ | date | source | count(*) | +------------+-----------------+----------+ | 2014-01-02 | 080.082.078.009 | 18392 | | 2014-01-01 | 198.020.069.074 | 768 |<-- interesting... 3 days | 2014-01-02 | 198.020.069.074 | 585 |<-- early hits from ShodanHQ | 2014-01-02 | 178.079.136.162 | 226 | | 2013-12-31 | 198.020.069.074 | 102 |<-- | 2014-01-02 | 072.182.101.054 | 74 | +------------+-----------------+----------+
The official website for the widely used OpenSSL code library was compromised four days ago in an incident that is stoking concerns among some security professionals.
Code repositories remained untouched in the December 29 hack, and the only outward sign of a breach was a defacement left on the OpenSSL.org home page. The compromise is nonetheless rattling some nerves. In a brief advisory last updated on New Year's Day, officials said "the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration." The lack of additional details raised the question of whether the same weakness may have been exploited to target other sites that use the same service. After all, saying a compromise was achieved through a hypervisor vulnerability in the Web host of one of the Internet's most important sites isn't necessarily comforting news if the service or hypervisor platform is widely used by others.
Update: Shortly after this brief was published, VMWare posted an advisory saying that there's no evidence any of its products were involved in the compromise.
by Sean Gallagher
A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.
The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.
Eloi Vanderbeken described the backdoor in a PowerPoint posted with the code to Github. In his illustrated report, he explained how over the Christmas holiday he was trying to get access to the administrative console of his family’s Linksys WAG200G wireless DSL gateway wirelessly—mostly so he could limit how much bandwidth the others in the house were using. But Vanderbeken had previously turned off wireless access to the administration web console (and had forgotten his administrative password).
Greyhat hackers have published the partial phone numbers belonging to more than 4.5 million Snapchat users after exploiting a recently disclosed security weakness that officials of the service had described as theoretical.
The database containing usernames and corresponding phone numbers for the majority of Snapchat users was posted to snapchatdb.info on the last day of 2013. Phone numbers published on the site were obscured by censoring the last two digits, but the anonymous people behind the posting said they might make the full version available privately.
Within 24 hours, the site was no longer accessible, but much of the data can still be found in search engine caches and mirror servers. The data has also been incorporated into Have I Been Pwned, a whitehat service that helps people track whether their personal information has been leaked online. The Snapchat data has likely also been downloaded by less scrupulous hackers for use in phishing and social engineering scams.
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box. (Social engineering credentials is easy, ask the Syrian Electronic Army... actual penetrations take effort).
The key takeaways are to obviously protect the Hypervisor from unauthorized access. Beyond that, protect your VMs as if they are physical machines and as feasible use a BIOS password, boot password, disable DVDROM and USB storage. Don't trust the hypervisor or VM host to secure your machine for you. For additional reading, see this NIST Guide to Security for Full Virtualization Technologies.
More on the openssl.org defacement as it develops.
bambenek \at\ gmail /dot/ com
UPDATE 1500 PDT 01 JAN: Skype Blogs now recovered and reverted to normal. Be sure to add all available protection to your social media accounts and don't use one password to access them all.
The Syrian Electronic Army (SEA) has compromised Skype’s blog and posted anti-NSA and anti-Microsoft messages with such joyful tidbits as "Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to the governments."
SEA also gained control of Skype’s Facebook and Twitter accounts although messages posted have since been removed.
Follow all the fun on Twitter.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The Syrian Electronic Army has hacked Skype's Twitter account to accuse the company's owner, Microsoft, of colluding with governments to share user data.
"Don't use Microsoft emails (hotmail, outlook). They are monitoring your accounts and selling the data to the governments," the collective tweeted on New Year's Day, before posting the contact details of the company's outgoing CEO Steve Ballmer. "You can thank Microsoft for monitoring your accounts/emails using this details," it said. Communicating across Skype's Twitter feed, Facebook page, and blog, the group went on to implore the FBI to "stop spying on people."
Skype, having regained control of its account, provided no retort to the accusation, but tweeted, "You may have noticed our social media properties were targeted today. No user info was compromised. We're sorry for the inconvenience."
PixlCloud CEO Raffael Marty on the importance of security visualisation
... lot of work with Pixlcloud. About the author: Jay Turla is a security researcher for the InfoSec Institute and one of the goods of ROOTCON (Philippine Hackers Conference). About 3 minutes ago - 0 comments. Categories: Code, Design, Developers ...