Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Dell Monday confirmed it has cut its global workforce by what it called a "small percentage," which could mean a reduction of thousands of employees.
 
Hewlett-Packard has revised financial reports for its Autonomy division after the company said that an audit turned up a number of serious accounting errors.
 
The total compensation packages of top executives at Intel fell sharply in 2013 as a result of changes in the way the chip maker pays senior employees.
 
Google, Facebook and Microsoft were among the technology companies to release new figures showing a rising number of requests for their users' data coming from a secretive U.S. surveillance court.
 
A group of Democratic lawmakers has introduced a bill in both the U.S. Senate and the House of Representatives to restore net neutrality rules at the U.S. Federal Communications Commission.
 
Memcached verbose mode CVE-2013-7291 Denial of Service Vulnerability
 
Memcached 'items.c' Denial of Service Vulnerability
 
Recently, we have been called in to help companies handle attacks from the Syrian Electronic Army (SEA). Our first priority is to help contain the damage, figure out which accounts have been compromised that have not been used yet to cause damage, and clean things up.
 
Any product that can be connected to a network is also being given the ability to sense our environment, largely through use of MEMS sensors.
 
The head of the organization in charge of maintaining security controls over credit card transactions insisted Monday that its standards remain solid despite the concerns raised by data breaches at Target and other companies.
 
An early build of Microsoft's Windows 8.1 Update 1, a tweaked refresh of last fall's revamp to 2012's original Windows 8, has leaked to pirate websites, according to Web searches.
 
AT&T cut its prices on large shared data plans for families and small businesses that use up to 10 lines, a move seen as a reaction to T-Mobile US that could also apply pressure on Verizon Wireless.
 
The Super Bowl may have set a record for Twitter, but it was a tougher game for companies trying to score big on social media.
 
If imitation is the sincerest form of flattery, might the folks in Cupertino be pleased when they see the latest version of North Korea's home-grown operating system?
 
Amid the speculation on what Lenovo's $2.91 billion acquisition of Google's Motorola smartphone unit means for the mobile market, for China and the U.S. and for the two companies involved, one thing's been missing: What about Motorola's workforce?
 
Sunday's Super Bowl produced skyrocketing wireless voice and data usage by fans inside the MetLife Stadium, in East Rutherford, N.J., higher than any other one-day sporting event, according to AT&T and Verizon Wireless.
 
 

Google engineers have added a new feature to the Chrome browser that automatically warns users when browsing settings have been altered by malicious software.

The new protection was unveiled in a blog post published Friday by Linus Upson, Google's vice president of engineering. It is designed to augment a feature introduced in October that allows users to return Chrome settings to a factory-fresh state with the click of a single button.

Malicious code frequently bundled with screensavers and other free software can surreptitiously make any number of changes to Chrome settings. Injecting ads into webpages and blocking the ability to revert settings to those previously chosen by the user are two of the more common ways unscrupulous developers tamper with browser options. The hijackings were among the top issues users reported in Chrome help forums when the reset button was introduced in October. Upson explained:

 
[SECURITY] [DSA 2851-1] drupal6 security update
 
Xen Use After Free Memory Corruption Vulnerability
 
Chrony cmdmon Protocol Amplification Remote Denial of Service Vulnerability
 
Security advisory, LedgerSMB 1.3.0-1.3.36
 
By offering their latest operating systems for free, Microsoft and Apple have accelerated the adoption pace of their newest OSes, according to data released by analytics firm Net Applications.
 
CVE-2014-1213 - Denial of Service in Sophos Anti Virus
 
[SECURITY] [DSA 2850-1] libyaml security update
 
If hitting a target is hard and hitting a moving target is even harder, then creating a new hit technology is next to impossible because the shape and nature of the target morphs as it moves. Think of building a swish new laptop just as laptops are heading out of favor, or a must-have mobile app just as smartphones plateau, or a dynamite tablet experience just as the wearable future takes hold.
 
Google hasn't been anyone's idea of an ethical beacon in recent years.
 

I think I have seen it referred to as the "X-Files Effect": you just installed a new firewall or IDS, it is still all new and shiny, and the logs are still fresh and interesting. Looking at them, it starts dawning on you: "They are out there to get me!" While many of these alerts are real attacks, quite a few false positives typically show up in your logs as well. At this point, let's quickly define false positives: they are either benign traffic that is mistaken for an attack, or an attack that simply doesn't affect you (the classic example: SQL Slammer hitting a Linux host).

Let's look at a few examples we have come across lately:

 a.b.c.d is constantly sending DoS ACK replies to my network. I would like to report this abuse and learn how to report future abuse more easily, because this kind of thing happens all the time. 

Thank you for taking the time to read this. Below is the log for the incident.

[DoS Attack: ACK Scan] from source: a.b.c.d, port 80, Thursday, January 30,2014 14:10:02

This is an e-mail we receive about once a month. In most cases the source is a busy web server, sometimes a CDN (Content Delivery Network) such as Akamai. The reason for these alerts is that most firewalls consider a connection closed if no activity has been seen on it for a while. In this case, however, the connection is still open on the web server's side, and the server eventually sends another data packet, which the firewall now rejects because it no longer has a state entry for the connection. This is NOT the result of a SYN flood attack (more about that later), and I am not sure why this particular device labels it a DoS attack.

If someone is spoofing your IP address and using it to launch a SYN flood against some third party, that victim's replies come back to you: you should then see SYN/ACK packets, not plain ACK packets. For example, a slightly abbreviated iptables log:

SRC=a.b.c.d DST=v.x.y.z LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=62547 WINDOW=2896 RES=0x00 ACK SYN URGP=0

Typical for these logs: the source port is a well-known server port (80 here; it could also be 443, 6667 or another service port), and the target port is a "random" ephemeral port.

But it isn't just firewalls. IDSs of course love to annoy us with false positives, to beg us to properly configure them. But we don't, because an IDS with every rule it offers enabled is SO much safer! (Sarcasm, if you didn't spot it...)

Snort, for example, has a very neat feature, the "sensitive data" preprocessor (generator ID 138 in the alert below). It can spot sensitive data like e-mail addresses or social security numbers being sent in the clear. Here is an example alert:

[138:5:1] SENSITIVE-DATA Email Addresses [Classification: Sensitive Data] [Priority: 2] {TCP} a.b.c.d:80 -> v.x.y.z:63715

An e-mail address was received from port 80. In other words: you accessed a web page that contained an e-mail address. Probably not what I would consider a "leak", in particular if this web server is outside my control. I have seen this signature trigger a lot on FTP and of course SMTP traffic. Still, probably a good reminder not to use a legacy protocol like clear-text FTP.

But let's look at a trickier one:

Reset outside window [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.202.88.93:80 -> 70.91.145.11:59867

The traffic that triggered this alert:

a.80 > b.59782: Flags [P.], seq 1886684918:1886685156, ack 659663868, win 7240, options [nop,nop,TS val 1132895224 ecr 605850989], length 238
a.80 > b.59782: Flags [F.], seq 1886685156, ack 659663869, win 7240, options [nop,nop,TS val 1132895245 ecr 605851009], length 0
a.80 > b.59782: Flags [R], seq 1886685157, win 0, length 0
 
As you can tell, the sequence number of the reset packet is actually right on: the FIN carried sequence number 1886685156 and consumes one sequence number itself, so 1886685157 is exactly what comes next. This was again more of a timed-out connection. In this case the web server was Akamai, and they appear to like to send an extra reset after the FIN, likely to make sure the connection is torn down and to save themselves some resources. The connection itself was triggered by an AV tool's update check.
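One check worth running on the packets behind a "Reset outside window" alert is whether the RST continues the sender's own sequence space, as an in-order reset from the real peer does, or lands somewhere else, as a blindly injected reset usually does. The following is an added example, not code from the diary: it parses the tcpdump line format quoted above, tracks the next expected sequence number per flow (payload length, plus one each for SYN and FIN), and reports every RST. The first flow in CAPTURE is the three packets above; the second flow is constructed for this example to show a reset whose sequence number does not line up.

```python
"""Check whether the RSTs in a tcpdump capture are in order for their flow.

Added example, not code from the diary. Parses the tcpdump output format
quoted above (absolute sequence numbers, 'Flags [..]', 'seq a' or 'seq a:b',
optional 'ack', 'win', optional 'options [...]', 'length'). The first flow in
CAPTURE is the diary's own three packets; the second flow is constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?, length (?P<length>\d+)$"
)

CAPTURE = [
    # The diary's packets (hosts anonymised as 'a' and 'b' there).
    "a.80 > b.59782: Flags [P.], seq 1886684918:1886685156, ack 659663868, win 7240, options [nop,nop,TS val 1132895224 ecr 605850989], length 238",
    "a.80 > b.59782: Flags [F.], seq 1886685156, ack 659663869, win 7240, options [nop,nop,TS val 1132895245 ecr 605851009], length 0",
    "a.80 > b.59782: Flags [R], seq 1886685157, win 0, length 0",
    # Constructed flow: a reset whose sequence number bears no relation to
    # where the sender actually was, as a blindly injected RST tends to look.
    "198.51.100.9.443 > 192.0.2.10.51000: Flags [P.], seq 1000:1100, ack 500, win 65535, length 100",
    "198.51.100.9.443 > 192.0.2.10.51000: Flags [R], seq 4242424242, win 0, length 0",
]


def parse_tcpdump(line):
    """Return flow, flag letters, sequence number and payload length."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return {
        "flow": f"{m['src']} > {m['dst']}",
        "flags": m["flags"],
        "seq": int(m["seq"]),
        "length": int(m["length"]),
    }


def check_resets(lines):
    """Walk the capture in order and, for every RST, report whether its
    sequence number is exactly the next one its sender was expected to use."""
    next_seq = {}   # flow -> next sequence number the sender should emit
    findings = []
    for line in lines:
        p = parse_tcpdump(line)
        flow, flags = p["flow"], p["flags"]
        if "R" in flags:
            expected = next_seq.get(flow)
            findings.append({
                "flow": flow,
                "rst_seq": p["seq"],
                "expected": expected,
                "in_order": expected is not None and p["seq"] == expected,
            })
            continue
        # Payload bytes advance the sequence number; SYN and FIN consume one each.
        next_seq[flow] = p["seq"] + p["length"] + ("S" in flags) + ("F" in flags)
    return findings


if __name__ == "__main__":
    for f in check_resets(CAPTURE):
        verdict = "in order" if f["in_order"] else "OUT OF ORDER"
        print(f"{f['flow']}: RST seq {f['rst_seq']} (expected {f['expected']}) -> {verdict}")
```

Run it against `tcpdump -nn -S` output (absolute sequence numbers) for the flow in question; the Akamai reset above is reported as in order, which is what you would expect from the real peer tidying up after its FIN, while the constructed reset is flagged.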
 
Which gets me to another favorite firewall false-positive:
 
SRC=v.x.y.z DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=49424 DF PROTO=TCP SPT=80 DPT=52968 WINDOW=14600 RES=0x00 ACK FIN URGP=0
 
A FIN/ACK being blocked, in this case coming from my web server to a (valid) client. iptables loves to block the final FIN/ACK because its connection tracking already considers the connection closed.
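A small triage script for iptables LOG lines, covering the late ACK from a timed-out connection, the SYN/ACK backscatter that spoofing of your address would produce, and the blocked FIN/ACK described above. This is an added example, not part of the diary: it parses the standard iptables LOG output (SRC=, DST=, PROTO=, SPT=, DPT= followed by the bare TCP flag names) and sorts each dropped packet into a verdict. The first two sample lines are the two iptables lines from the diary; the ephemeral-port threshold of 1024 and the third sample line (a SYN to port 22 from 198.51.100.7) are assumptions constructed for this example.

```python
"""Triage iptables LOG lines into the classic false positives and the
packets that deserve a look.

Added example, not part of the diary. Handles the standard iptables LOG
target format: key=value fields plus bare TCP flag names (ACK SYN, ACK FIN,
...). The ephemeral-port threshold and the third sample line are assumptions
made for this example.
"""
from dataclasses import dataclass

TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Assumption: ports >= 1024 are treated as ephemeral (client-side) ports.
EPHEMERAL_MIN = 1024

SAMPLE_LOG = [
    # The diary's SYN/ACK line (what backscatter from a spoofed SYN flood looks like).
    "SRC=a.b.c.d DST=v.x.y.z LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=62547 WINDOW=2896 RES=0x00 ACK SYN URGP=0",
    # The diary's FIN/ACK line (tail of a connection conntrack already forgot).
    "SRC=v.x.y.z DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=49424 DF PROTO=TCP SPT=80 DPT=52968 WINDOW=14600 RES=0x00 ACK FIN URGP=0",
    # Constructed: a bare SYN to ssh, i.e. a real connection attempt or a scan.
    "SRC=198.51.100.7 DST=v.x.y.z LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]


@dataclass(frozen=True)
class TcpLogEntry:
    src: str
    dst: str
    spt: int
    dpt: int
    flags: frozenset


def parse_iptables(line):
    """Pull SRC/DST, ports and the bare TCP flag tokens out of one LOG line."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAG_NAMES:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        raise ValueError("only TCP lines are handled here")
    return TcpLogEntry(fields["SRC"], fields["DST"],
                       int(fields["SPT"]), int(fields["DPT"]), frozenset(flags))


def classify(e):
    """Return a short verdict for one dropped packet.

    from_server: the packet left a well-known port towards an ephemeral port,
    i.e. it looks like a reply, either to something that was really sent or
    to something sent by a third party pretending to be the destination.
    """
    from_server = e.spt < EPHEMERAL_MIN <= e.dpt
    f = e.flags
    if f == {"SYN"}:
        return "inbound-syn"    # connection attempt or scan: judge by DPT
    if f == {"SYN", "ACK"} and from_server:
        return "backscatter"    # reply to a SYN nobody here sent: the
                                # destination address may be spoofed in a
                                # flood against SRC:SPT
    if "RST" in f and from_server:
        return "late-rst"       # reset for a flow the firewall timed out
    if f >= {"FIN", "ACK"} and from_server:
        return "late-fin"       # final FIN/ACK of an already forgotten connection
    if f <= {"ACK", "PSH"} and "ACK" in f and from_server:
        return "late-ack"       # late data/ACK on a timed-out connection
    return "review"


def triage(lines):
    """Map each log line to (flow description, verdict)."""
    return [(f"{e.src}:{e.spt} -> {e.dst}:{e.dpt}", classify(e))
            for e in map(parse_iptables, lines)]


if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:12} {flow}")
```

The verdicts are deliberately coarse: "late-ack", "late-fin" and "late-rst" are the cases this diary calls false positives, "backscatter" is the one worth a second look (is anyone using your address in a flood against SRC:SPT?), and "inbound-syn" is ordinary firewall business to be judged by the destination port.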
 
Any good false positives you keep running into?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 
MediaWiki Multiple Remote Code Execution Vulnerabilities
 
NVIDIA Graphics Driver GPU Access CVE-2013-5986 Local Privilege Escalation Vulnerability
 
NVIDIA Graphics Driver GPU Access Local Privilege Escalation Vulnerability
 
Mozilla last week said that the earliest its new "Australis" user interface will appear in Firefox is at the end of April, six weeks later than the company previously projected.
 
Computerworld asked readers to rate their mobile data providers on connection speed, reliability, customer service and more. We name the best and the worst services -- and throw in some fun facts about how people use their mobile data networks.
 
Hackers found a new way to slip past security software and deliver Zeus, a long-known malicious software program that steals online banking details.
 
Email, perhaps still the most widely used Internet application, has about the same level of security as a postcard. But unlike postcards, it's widely depended on by businesses.
 
LibYAML 'scanner.c' Remote Heap Based Buffer Overflow Vulnerability
 

Posted by InfoSec News on Feb 03

http://www.stripes.com/news/us/several-cyber-security-initiatives-lost-after-snowden-leaks-1.265344

By Ken Dilanian
Tribune Washington Bureau
February 2, 2014

WASHINGTON -- Early last year, as Edward Snowden was secretly purloining
classified documents from National Security Agency computers in Hawaii,
the NSA director, Gen. Keith Alexander, was gearing up to sell Congress
and the public on a proposal for the NSA to defend private U.S....
 

Posted by InfoSec News on Feb 03

http://tribune.com.pk/story/666537/cyber-warfare-pakistani-hackers-claim-defacing-over-2000-indian-websites/

By Farooq Baloch
The Express Tribune
February 2, 2014

KARACHI: Pakistani hackers have claimed responsibility for hacking over
2,000 Indian websites on the country’s Republic Day, confirming reports
published by the Indian media earlier this week.

"Hackers defaced more than 2,000 Indian websites -- 2,118 to be exact --
on...
 

Posted by InfoSec News on Feb 03

http://www.theglobeandmail.com/report-on-business/bell-small-business-customer-information-breached-in-hacking-attack/article16653395/

By RITA TRICHUR
TELECOM REPORTER
The Globe and Mail
Feb. 02 2014

Bell Canada is the latest big-name company to become ensnared in a hacking
incident after announcing that a cyberattack on a third-party supplier
compromised the confidential account information of more than 22,000 of
its small business...
 

Posted by InfoSec News on Feb 03

http://www.helsinkitimes.fi/finland/finland-news/domestic/9193-investigation-into-data-security-breach-at-ministry-for-foreign-affairs-progresses.html

Helsinki Times
01 Feb 2014

While investigating the cyber-espionage attack against it, the Ministry
for Foreign Affairs has determined, for example, the methods used to
infiltrate its data network. The ministry's information and documentation
division is currently finalising a report on...
 

Posted by InfoSec News on Feb 03

http://www.therepublic.com/view/story/4264b27a65ef438fad61aeb199fef4bf/AZ--Embry-Riddle-College-of-Security-and-Intelligence

By PATRICK WHITEHURST
The Daily Courier
February 02, 2014

PRESCOTT, Arizona -- The shield for Embry-Riddle Aeronautical University's
(ERAU) new College of Security and Intelligence (CSI) depicts a metallic
torch, a metal key, and a bald eagle atop a split field of blue and gold -
the colors of the university....
 