(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Serial hacker Samy Kamkar has released all the hardware and software specifications that hobbyists need to build an aerial drone that seeks out other drones in the air, hacks them, and turns them into soldiers in a growing army of unmanned vehicles under the attacker's control.

Dubbed SkyJack, the contraption uses a radio-controlled Parrot AR.Drone quadcopter carrying a Raspberry Pi circuit board, a small battery, and two wireless transmitters. The devices run a combination of custom software and off-the-shelf applications that seek out wireless signals of nearby Parrot drones, hijack the wireless connections used to control them, and commandeer the victims' flight-control and camera systems. SkyJack will also run on land-based Linux devices and hack drones within radio range.

Kamkar is the creator of the infamous Samy worm, a complex piece of JavaScript that knocked MySpace out of commission in 2005 when the exploit added more than one million MySpace friends to Kamkar's account. Kamkar was later convicted for the stunt. He has since devoted his skills to legal hacks, including development of the "evercookie," a highly persistent browser cookie with troubling privacy implications. He has also researched location data stored by Android devices.



Three employees in the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) were chosen as among top 'forward-thinking people working in government IT,' according to FierceGovernmentIT, the ...
The U.S. House of Representatives needs to take more time to debate and rewrite a bill targeting so-called patent trolls because several provisions would hurt legitimate patent holders, several critics of the bill said Tuesday.
Building on a collaboration with Google, software vendor JetBrains has updated its IntelliJ IDEA Java IDE (integrated development environment) to offer more capabilities for creating applications to run on Android devices.
[Image caption: Bullitt would likely not approve. Credit: Warner Brothers]

The company E2V has developed a prototype device that uses a radio-frequency pulse to shut down a car’s engine at range, according to a report from the BBC. While the range of the device is fairly short, it worked on a handful of cars and motorbikes and could also potentially be used on boats.

The product, named the RF Safe-stop, works by sending an RF pulse to a car at up to 50 meters (164 feet) away. The pulse “confuses” the car’s electronic systems, which the BBC said made the “dashboard warning lights and dial [behave] erratically.” The engine then stalls, and the car comes to a stop. How safely and quickly the vehicle would stop depends on the vehicle, and this technique would not work on older vehicles.

Engineer Magazine suggests the RF Safe-stop could be used for stopping vehicles that are suspected of being car bombs. Likewise, the Safe-stop could cut police chases short or be installed in a fixed area to prevent cars from entering. The Association of Chief Police Officers, speaking to the BBC, said that it would be a safer alternative to stopping two-wheeled vehicles than shooting out their tires. E2V does not specify how narrowly the Safe-stop can be targeted.




SANS Announces Results Of Its 2013 Mobile Security Policy And Management ...
Dark Reading
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security ...

As more people do their holiday shopping online, either at home or from a mobile device, the traditional Black Friday and Cyber Monday shopping days are losing their distinction.
Schools and universities that license Microsoft Office for their staff can now hand out Office 365 free to students, Microsoft said Monday.
Cisco ASA Software CVE-2013-6696 Denial of Service Vulnerability
Cisco IOS XE Software MPLS Packet Handling Denial of Service Vulnerability
Monitorix HTTP Server 'handle_request()' Session Fixation and Cross Site Scripting Vulnerabilities
Security researchers are gradually raising warnings that the Internet of Things will increase, by multitudes, the number of things that can be hacked and attacked. The Hitchcockian plotlines are endless.
In a development likely to concern those who believe that a system that's not connected to a network is safe from surveillance, researchers have demonstrated that microphones and speakers built into laptops can be used to covertly transmit and receive data through inaudible audio signals.
As early as 2007, if not earlier, Windows users encountered the very first rogue antivirus programs. Even today, end users are easily fooled by this vicious type of malware.
Ruby Gem Sprout 'unpack_zip()' Function Remote Command Injection Vulnerability
[SECURITY] [DSA 2808-1] openjpeg security update
This year will go down as the PC industry's largest contraction, research firm IDC said, with global shipments dropping by double digits and little relief in sight.
This tool helps with a lot more than telling you at a glance about the threats you face.
LinuxSecurity.com: Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service (CVE-2013-1447) via application crash or high memory consumption, possible code execution through heap buffer overflows (CVE-2013-6045), information disclosure [More...]
LinuxSecurity.com: An integer overflow in libtheora might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenSSL allowing remote attackers to determine private keys or cause a Denial of Service.
LinuxSecurity.com: Multiple vulnerabilities have been found in BusyBox, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: Multiple vulnerabilities have been found in GNU C Library, the worst of which allowing arbitrary code execution and privilege escalation.
LinuxSecurity.com: Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode. [More...]
phpThumb 'phpThumb.php' Arbitrary File Upload Vulnerability
AMD 16h Model Processor CVE-2013-6885 Local Denial of Service Vulnerability
BlackBerry has upgraded its management platform Enterprise Server 10 with more features for managing Android and iOS smartphones and has also improved scalability to lower overall costs.
Salesforce.com has completed a review of the judging process for the hackathon it held at last month's Dreamforce conference, and as a result it will award a second $1 million prize to the initial runner-up.

I recently had a migration from one internet uplink to another to do for a client. As with many organizations, they have about 40% of their workforce at head office and 60% (and sometimes more) operating remotely, so taking the firewall and especially the VPN services offline is a very big deal. There is no good time to take things down, given that their sales force has people in just about every time zone; there are just times that are "less bad" than others.

Anyway, we settled on a weeknight, starting at around 6pm EST after their shipping was completed. As in most projects of this type, we finally got most of the "important" users off the network by about 7:30 and were ready to start.

On logging into their firewall, I did (as I always do) a quick check of the real-time logs, just because you never know what you'll see. Imagine my surprise when I saw that it was still pretty busy, and the traffic being logged was mostly this:

So what is that? Their internal workstation network is, a nice respectable RFC1918 address range. However, we're seeing lots of outbound requests for, which I would expect to see more on home networks. Now I could see a simple, persistent series of requests to a single 192.168.1.x address, perhaps a home printer that is a user's default, or a home DLNA server, but this looks a whole lot like reconnaissance, doesn't it? It's a sweep of the entire network, using ICMP. Looking deeper at the packet, as you'd expect these are echo requests (Type 0, code 0), otherwise known as plain old "ping".

So, what's so interesting about this, you ask?
My answer would be: recon of a network that's the default subnet for many home network routers is always suspect in an enterprise. In fact, recon of any type in an enterprise network should be considered suspect. People connect to what they need to do their jobs; network sweeps are almost always an indicator of compromise, either malware looking for something else to infect or an attacker looking for their next foothold. Happily, if the network being scanned isn't in the internal routing table and isn't black-holed internally, the traffic follows the default route and usually shows up in the firewall logs.

In this case, it was malware looking for UPnP devices (printers, cameras, TVs, but especially home firewalls), which Johannes wrote up in January (https://isc.sans.edu/diary/Exposed+UPNP+Devices/15040). Even though it's what you might consider "old", it sees sustained use in malware (https://isc.sans.edu/port.html?port=1900) and continued success, mostly because almost nobody patches or fixes their home routers.
It could also just as easily have been malware looking for default home router credentials or one of the home router backdoor vulnerabilities (which Manuel wrote up here: https://isc.sans.edu/diary/Old+D-Link+routers+with+coded+backdoor/16802).

It was just lucky that I caught this activity on film; the network was so quiet that the malware activity just popped up without my looking for it. It's funny that when you have a quiet network, sometimes all that's left is the malware and attack traffic.

Of course, when we did a reverse lookup on the workstation IP, it was their HR manager. You know, the HR manager who insisted that we remove the internet filters from their account so they could be active on social media? No risk at all having malware on that station!!

But hopefully this illustrates why looking at your logs should be part of your day-to-day tasks to secure your organization. And not just glancing at the logs scrolling by on your firewall: review the text logs that you store on disk, because that's where you'll find those "gold" log entries. Make friends with the grep or findstr commands and do some mining for malware; it'll be the most productive time you spend most days! Heck, just looking at a directory listing of your logs by day is often enough: if yesterday's logs were 10 times the size you normally see, that's often an IOC (Indicator of Compromise) all on its own. Relying simply on tools to alert you to problems and not looking at your logs is passing up the easiest and earliest detection of problems you'll ever get. As we say over and over, "there's gold in them thar logs!"
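As an added illustration of the two checks described above (not code from the diary or from ISC), here is a small Python script that mines a batch of firewall log lines for exactly the pattern found on the HR manager's workstation: one source sending ICMP echo requests to many distinct addresses in 192.168.1.0/24. It also implements the "yesterday's log is 10x the usual size" heuristic. The log format and all addresses are constructed for the example, not any vendor's real format.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Hypothetical key=value firewall log format (constructed for this example).
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)(?: type=(?P<type>\d+) code=(?P<code>\d+))?"
    r" src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def build_sample_log():
    """Constructed sample: one host sweeps the home-router subnet, one host
    pings a single address (a printer left as default), plus unrelated noise."""
    lines = []
    for i in range(1, 61):  # sweep of 192.168.1.1 .. 192.168.1.60 from 10.20.5.77
        lines.append(f"Dec 03 19:31:{i % 60:02d} fw1 deny proto=icmp type=8 code=0 "
                     f"src=10.20.5.77 dst=192.168.1.{i}")
    for _ in range(15):      # benign: repeated requests to one address only
        lines.append("Dec 03 19:32:00 fw1 deny proto=icmp type=8 code=0 "
                     "src=10.20.5.12 dst=192.168.1.5")
    # Echo reply (type 0) and non-ICMP traffic must not count toward a sweep.
    lines.append("Dec 03 19:32:01 fw1 deny proto=icmp type=0 code=0 src=10.20.5.12 dst=192.168.1.5")
    lines.append("Dec 03 19:32:02 fw1 allow proto=udp src=10.20.5.12 dst=8.8.8.8")
    return lines


def find_icmp_sweeps(lines, target_net="192.168.1.0/24", min_hosts=20):
    """Return {src: distinct_targets} for sources whose ICMP echo requests
    (type 8, code 0; replies are type 0) hit >= min_hosts addresses in target_net."""
    net = ipaddress.ip_network(target_net)
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "icmp" or m["type"] != "8":
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in net:
            targets[m["src"]].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


def log_size_spike(daily_line_counts, factor=10):
    """daily_line_counts: per-day line counts, oldest first. True when the most
    recent day is at least `factor` times the median of the earlier days."""
    if len(daily_line_counts) < 2:
        return False
    baseline = median(daily_line_counts[:-1])
    return daily_line_counts[-1] >= factor * baseline


if __name__ == "__main__":
    for src, n in find_icmp_sweeps(build_sample_log()).items():
        print(f"possible sweep: {src} probed {n} hosts in 192.168.1.0/24")
    print("log volume spike:", log_size_spike([1200, 1100, 1300, 13000]))
```

Pointing `find_icmp_sweeps` at real exported firewall logs only requires adapting `LINE_RE` to the vendor's field names; the single-address printer case stays below the threshold, as the diary's reasoning says it should.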

Even reviewing the logs of your home network can give you valuable information (https://isc.sans.edu/diary/Collecting+Logs+from+Security+Devices+at+Home/14614). You'll find the same indicators of compromise or attack in home logs as at work, and if nothing else, it's good practice for reviewing logs from enterprise gear: home gear and enterprise gear all log the same things, if they're configured correctly, that is...

By the way, did you catch the other problem that our captures showed? Yes, the NTP server that the firewall was synced to had been retired, so the date and time on the firewall were completely out of whack. If you've ever tried to correlate logs from multiple systems, perhaps to get a complete picture of how a compromise happened or what it did after it got its toehold, you'll appreciate just how big a deal syncing your clocks is.

If you've found malware with plain old text logs as a primary source or using a log analysis tool, please let us know using our comment form!

Rob VandenBrink



MIT Kerberos 5 KDC 'do_tgs_req.c' Remote Denial of Service Vulnerability
Multiple issues in OpenSSL - BN (multiprecision integer arithmetics).
D-Link DIR-XXX remote root access exploit.
A Wisconsin man was sentenced for participating in a DDoS attack by hacker group Anonymous on a Kansas company.
Apple is seeking to bar Samsung Electronics executives with knowledge of leaked confidential information from negotiating any mobile device licenses for the South Korean company for the next two years.
The U.S. Supreme Court will leave it to Congress to settle the contentious question of online sales tax collection that brick-and-mortar retailers contend puts them at a disadvantage to giants such as Amazon.com.
The Microsoft Desktop Optimization Pack suite of IT management tools has been updated with support for Windows 8.1 device and application management and Office 2013 virtualization.
Google has been selling its Nexus series of smartphones and tablets for nearly four years. While the devices aren't big sellers, they are still challenging other Android makers.
If you can't keep track of your business cards, one of these 7 smartphone apps will help you scan and store all those new contacts.
Facebook is retooling its ranking system to make some news articles appear more prominently at the expense of other content such as certain photos, the company announced Monday.
D-Link published patches on Monday for a firmware coding goof that could allow attackers to remotely change the settings of several of its router models.
Salesforce.com has completed a review of the judging process for the hackathon it held at last month's Dreamforce conference, and as a result it will award a second $1 million prize to the initial runner-up.
Apple has acquired Topsy, a social media analytics company that analyzes a range of data from Twitter, according to a recent Wall Street Journal report.
Mozilla Firefox and SeaMonkey Theora Video Library Remote Integer Overflow Vulnerability

Response: Beware the Nascent Cyber Insurance Market
Infosecurity Magazine
US public companies are more forthcoming with details regarding their cybersecurity risk profiles – and more transparency regarding cyber-risk and cyber-attacks is expected to drive greater adoption of cyber-insurance as a means of demonstrating better ...


Posted by InfoSec News on Dec 03


The Wall Street Journal
Dec. 2, 2013

Akamai Technologies Inc. agreed to buy Prolexic Technologies Inc. for
about $370 million in cash, expanding its cybersecurity offerings.

Prolexic specializes in technology that guards data centers against
distributed denial of service attacks, an increasingly common threat that
can shut...

Posted by InfoSec News on Dec 03


Staff Reporter
Chicago Sun-Times
November 29, 2013

A small amount of Chicago Public Schools’ students’ health data was
accidentally posted online, but the issue is fixed, the city of Chicago
announced Friday.

Data collected about some 2,000 students who participate in a free vision
examination program...

Posted by InfoSec News on Dec 03


December 02, 2013

USED memory sticks being sold on the internet have been found to contain
sensitive Australian government data, according to a new study.

The research paper, to be presented at a cyber security conference in
Perth, reveals how researchers discovered the government information
amongst a "treasure...

Posted by InfoSec News on Dec 03


By Dan Goodin
Ars Technica
Dec 2 2013

Computer scientists have developed a malware prototype that uses inaudible
audio signals to communicate, a capability that allows the malware to
covertly transmit keystrokes and other sensitive data even when infected
machines have no network connection.

The proof-of-concept software—or...

Posted by InfoSec News on Dec 03


02 DECEMBER 2013

One of the largest heists in bitcoin history is happening right now.
96,000 bitcoins - that’s roughly £60m as of the time of writing - was
taken from the accounts of customers, vendors and administrators of the
Sheep Marketplace over the weekend.

Sheep was one...

Posted by InfoSec News on Dec 03

Forwarded from: Vic Vandal <vvandal (at) well.com>

h4x0rs, stuff breakers, InfoSec pros, g33k girls, international spies, and
script kidz,

CarolinaCon-10 will occur on May 16th-18th 2014 in Raleigh NC (USA). We are
now officially accepting speaker/paper/demo submissions for the event.

If you are somewhat knowledgeable in any interesting field of hacking,
technology, robotics, science, global thermonuclear war, etc. (but mostly...

Posted by InfoSec News on Dec 03


By Prashanth Vijayakumar
Deccan Chronicle
30th Nov 2013

Chennai: Cyber security experts who convened in the city on Friday to observe
the World Security Day conference said India is highly vulnerable to cyber
threats, as the country is not fully equipped to tackle sophisticated attacks.

With cyber warfare becoming...
ClientExec Multiple SQL Injection and Cross Site Scripting Vulnerabilities