Hackin9
A 5-year-old San Diego boy has been commended by Microsoft for his security skills after finding a vulnerability in the company's Xbox games console.
 
MediaWiki Multiple Security Vulnerabilities
 
The roots of the iPhone can probably be traced to many corners of Apple's campus in Cupertino, Calif., but a Silicon Valley courtroom on Friday heard how some of the phone's most recognizable software design features were born of a team working in a dark, dirty, windowless room with special security to keep others out.
 

Regulators from several states are investigating a data breach from a subsidiary of the credit-tracking behemoth Experian.

The investigation by attorneys general in these states concerns whether the subsidiary adequately secured some 200 million social security numbers and whether victims were properly notified. The investigation, first disclosed by Reuters, comes as the Obama administration is pressing for legislation requiring companies to better secure customer data.

A Vietnamese man who operated a website, called findget.me, offering social security numbers has pleaded guilty to charges that he obtained the data from the Experian subsidiary, Court Ventures. The firm, a court document retrieval service, also jointly maintains a database of some 200 million social security numbers with another firm.


 

10 ways to prep for – and ace – a security job interview
CSO
Infosec is baked into nearly every business and tech process, so the candidate should be prepared to identify the infosec activities within their existing strengths, and explain how they can be improved or exploited," says K. C. Yerrid, senior security ...

 
BlackBerry is promoting an upcoming end-to-end encrypted messaging service called BBM Protected for industries that need the highest levels of security.
 
MediaWiki 'Special:ChangePassword' CVE-2014-2665 Cross Site Request Forgery Vulnerability
 
Scientists are already 3D printing different kinds of tissue, from skin to livers, and someday they say it will be commonplace to simply print out a body part when needed.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated openstack-keystone packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated openstack-nova packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated python-django-horizon packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. [More...]
 
LinuxSecurity.com: Updated ruby193-libyaml packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having [More...]
 
Bouncy Castle TLS CVE-2013-1624 Information Disclosure Vulnerability
 
Apache Camel CVE-2014-0002 XML External Entity Information Disclosure Vulnerability
 
NASA announced on Thursday that its Cassini spacecraft and Deep Space Network have found evidence pointing to an underground ocean on Saturn's moon Enceladus. And if there's water, there could be life.
 
Google, which has been testing balloon-powered Internet access in underdeveloped area, said one of its balloons circled the Earth in 22 days.
 
Attackers exploited a vulnerability in a popular video-sharing site to hijack users' browsers for use in a large-scale distributed denial-of-service attack, according to researchers from Web security firm Incapsula.
 

Thanks to Susan, one of our readers, who dropped us a line today to tell me that we (and by "we" I mean "I") missed that Windows 8.1 Update was announced on April 2.

This is an important update for all of the Windows 8.x folks out there for a couple of reasons:

  • The base 8.1 update includes 2 out-of-band security updates (KB2922229 and KB2936068, both available separately)
  • More importantly, it's the service baseline for 8.x, so you should have this installed before applying the in-band updates coming in May (next month).

Before installation, the 8.1 Update requires the prerequisite KB2919442: http://support.microsoft.com/kb/2919442

More on the 8.1 Update here (amongst lots of other Microsoft posts):
http://blogs.windows.com/windows/b/windowsexperience/archive/2014/04/02/windows-8-1-update-important-refinements-to-the-windows-experience.aspx
http://blogs.windows.com/windows/b/springboard/archive/2014/04/02/windows-8-1-update-the-it-pro-perspective.aspx

8.1 Update will be available as KB2919355 April 8 (this coming Patch Tuesday)

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apache Tomcat CVE-2013-4286 Security Bypass Vulnerability
 
OpenSSL CVE-2014-0076 Information Disclosure Weakness
 
The make-or-break project kept engineers just out of college working around the clock hunting down bugs. The product had so much buzz that speculators bought up units to resell later for a profit. The company invested so much in development that its future was riding on success.
 
Cisco Emergency Responder CVE-2014-2116 Multiple Cross Site Scripting Vulnerabilities
 
Cisco Emergency Responder CVE-2014-2117 Open Redirection Vulnerability
 
Cisco Emergency Responder CVE-2014-2114 Cross Site Scripting Vulnerability
 
Cisco Emergency Responder CVE-2014-2115 Cross-Site Request Forgery Vulnerability
 
Linux-PAM 'format_timestamp_name()' Function Directory Traversal Vulnerability
 
Microsoft has toughened its criteria for classifying programs as adware and gave developers three months to conform with the new principles or risk having their programs blocked by the company's security products.
 
Apple wouldn't be where it is today if it hadn't taken redefined consumer electronics. VCE could very well do the same to the enterprise cloud market. First, it just has to convince companies to 'think different.'
 
In many ways, the modern computer era began in the New Englander Motor Hotel in Greenwich, Connecticut.
 

I had a client call me recently with a full on service outage - his servers weren't reachable, his VOIP phones were giving him more static than voice, and his Exchange server wasn't sending or receiving mail - pretty much everything was offline.

I VPN'd in (I was not onsite) and started with the firewall, because things were bad enough that's all I could initially get to from a VPN session. No surprise, I saw thousands of events per second flying by that looked like:

So right away this looks like malware, broadcasting on UDP ports 137 and 138 (NetBIOS name service and datagram service). You'll usually have some level of these in almost any network, but the volumes in this case were high enough to DoS just about everything; I was lucky to keep my SSH sessions (see below) going long enough to get things under control. And yes, that was me behind Monday's post on this, if this sounds familiar.

To get the network to some semblance of usability, I ssh'd to each switch in turn and put broadcast limits on each and every switch port:

On Cisco:
interface gigabitethernet0/x
  storm-control broadcast level 20  (for 20 percent)
or
  storm-control broadcast level pps 100  (for packets per second)

On HP Procurve:
interface x
   broadcast-limit 5  (the value, 5 here, is a percentage of the total possible traffic)

On HP Comware:
int gig x/0/y
 broadcast-suppression pps 200
or
storm-constrain broadcast pps 200 200
(you can do these in percent as well if you want)

Where I can, I try to do this in packets per second, so that the discussion with the client can be "of course we shut that port down - there's no production traffic in your environment that should generate more than 100 broadcasts per second."

With that done, I now could get to the syslog server.  What we needed was a quick-and-dirty list of the infected hosts, in order of how much grief they were causing.

First, let's filter out the records of interest - everything that has the broadcast address and a matching NetBIOS port in it. The syslog server is a Windows host, so we'll use Windows commands (plus some GNU commands):

type syslogcatchall.txt | find "172.xx.yy.255/13"

But we don't really want the whole syslog record, plus this short filter still leaves us with thousands of events to go through

Let's narrow this down:
first, let's use "cut" to pull just the source IP out of these events of interest.

cut -d " " -f 7

Unfortunately, that field also includes the source port, so let's remove that by using "/" as the field delimiter and taking only the source IP address (field one):

cut -d "/" -f 1

Then use sort and uniq -c (the -c gives you a count for each source IP),
and finally sort /r to do a reverse sort based on record count.

Putting it all together, we get:

type syslogcatchall.txt | find "172.xx.yy.255/13" | cut -d " " -f 7 | cut -d "/" -f 1 | sort | uniq -c | sort /r > infected.txt

This gave us a 15 line file, sorted so that the worst offenders were at the top of the list, with a record count for each. My client took these 15 stations offline and started the hands-on assessment and "nuke from orbit" routine on them, since their AV package didn't catch the offending malware.
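The same distillation on a *nix syslog host, as an added example and not the diary's own commands: grep, cut, sort and uniq replace the Windows "find" and "sort /r". The log lines and the broadcast address 172.16.1.255 are constructed for the example, and the field layout (source ip/port in space-separated field 7) is assumed to match the diary's.

```shell
#!/bin/sh
# Constructed sample firewall syslog records (not from the original diary).
# Field 7 (space separated) is src_ip/src_port, field 8 is dst_ip/dst_port.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 4 10:15:01 fw1 kernel: DENY 172.16.1.23/137 172.16.1.255/137 UDP
Apr 4 10:15:01 fw1 kernel: DENY 172.16.1.77/138 172.16.1.255/138 UDP
Apr 4 10:15:01 fw1 kernel: DENY 172.16.1.23/138 172.16.1.255/138 UDP
Apr 4 10:15:02 fw1 kernel: DENY 172.16.1.50/137 172.16.1.10/137 UDP
Apr 4 10:15:02 fw1 kernel: DENY 172.16.1.23/137 172.16.1.255/137 UDP
Apr 4 10:15:02 fw1 kernel: ALLOW 172.16.1.77/49152 10.0.0.5/443 TCP
Apr 4 10:15:03 fw1 kernel: DENY 172.16.1.77/137 172.16.1.255/137 UDP
EOF

# top_broadcasters FILE BCAST_ADDR
# Prints "count source_ip" lines, worst offender first, for every record in
# FILE whose destination is BCAST_ADDR on NetBIOS port 137 or 138.
# Unicast NetBIOS traffic (e.g. to 172.16.1.10 above) is deliberately ignored.
top_broadcasters() {
  # Escape the dots so grep -E matches the address literally.
  bcast="$(printf '%s' "$2" | sed 's/\./\\./g')"
  grep -E " ${bcast}/13[78] " "$1" \
    | cut -d ' ' -f 7 \
    | cut -d '/' -f 1 \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{ print $1, $2 }'
}

top_broadcasters "$SAMPLE_LOG" 172.16.1.255
```

Note that sort -rn orders by numeric count, so a host with 10 events lands above one with 9; a plain reverse text sort (the Windows sort /r) only works here because uniq -c right-aligns its counts.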

What else did we learn during this incident?

  • Workstations should never be on server VLANs.
  • Each and every switch port needs basic security configured on it (broadcast limits today)

and, in related but not directly related lessons ...

  • Their guest wireless network was being used as a base for torrent downloads
  • Their guest wireless network also had an infected workstation (we popped a shun on the firewall for that one).
  • Their syslog server wasn't being patched by WSUS - that poor server hadn't seen a patch since December's Patch Tuesday


What did we miss?
By the time I got onsite, the infected machines had all been re-imaged, so we didn't get a chance to assess the actual malware. We don't know what it was doing besides this broadcast activity, and don't have any good way of working out for sure how it got into the environment. Though since this distilled down to one infected laptop, my guess would be this is malware that got picked up at home, but that's just a guess at the moment.

Just a side note, but an important one - cut, uniq, sed and grep are all on your syslog server if it's a *nux host, but if you run syslog on Windows, these commands are still pretty much a must-have.  As you can see, with these commands we were able to distill a couple of million records down to 15 usable, actionable lines of text within a few minutes - a REALLY valuable toolset and skill to have during an incident.  Microsoft provides these tools in their "SUA" - Subsystem for Unix Based Applications, which has been available for many years and for almost every version of Windows.  
Or if you need to drop just a few of these commands on to a server during an incident, especially if you don't own that server, you can get what you need from gnutools (gnuwin32.sourceforge.net) - I keep this toolset on my laptop for just this sort of situation.
Once you get the hang of using these tools, you'll find that your fingers will type "grep" instead of find or findstr in no time!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Microsoft has posted their regular pre-announcement for Patch Tuesday here:  http://technet.microsoft.com/en-us/security/bulletin/ms14-apr

We can expect:

  • The final, yes final patches for XP
  • The final patches for Office 2003 also - this has gotten a lot less press than XP but is just as critical ( http://office.microsoft.com/en-ca/help/support-is-ending-for-office-2003-HA103306332.aspx )
  • The usual patches for other Windows and IE versions
  • A couple of updates for WSUS and Windows Update. Changes to Windows Update often result in Tuesday's updates coming in two parts - we'll see on Tuesday I guess

So after Tuesday, XP and Office 2003 join the ranks of the "internet of hostile things" - platforms that are no longer being patched by the vendor as new issues arise, and so quickly become compromised. This includes things like your TV, your DVR or home internet router, your fridge, treadmill, IV pump, heart monitor or pacemaker - oh, and likely your phone as well; read our stories over the last couple of months (or years really) for more on these. Unfortunately, this XP event happens all in one fell swoop - millions of hostile hosts being added to the opposing army all at once.

Fortunately, we can do something about this. Updating to Windows 7 or 8 is cheap, if your hardware is up to the task. If you've got older hardware, I'm seeing used Windows 7/8 capable desktop hardware for $100-$200 these days, and laptops seem to be in the same range. If going to a new Windows platform isn't in your future, you're probably already looking at one of the more popular Linux distributions - distros like Ubuntu, Xubuntu or Mint that try to mimic the UI that many home users are familiar with. There is a similar range of options for Office (upgrades and alternatives).

Use our comment form to let us know what you are doing or have done for your user community (or family members) that might still be on XP or Office 2003 after Tuesday.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft's App Studio beta test has been expanded to allow novice developers to build applications for Windows tablets and PCs, in addition to Windows Phone.
 

A new version of PHP has been released. The announcement comments:

"The PHP development team announces the immediate availability of PHP 5.4.27.  6 bugs were fixed in this release, including CVE-2013-7345 in fileinfo module."

Details of CVE-2013-7345 are available at Mitre.

Steve Hall ISC Handler www.tarkie.net

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intelligent Platform Management Interface CVE-2013-4786 Information Disclosure Vulnerability
 
RETIRED: HP Integrated Lights-Out CVE-2013-4786 Unspecified Authentication Bypass Vulnerability
 
Microsoft's announcement of universal Windows apps demonstrates the company's commitment to improving its share of the tablet and smartphone markets.
 
With its Enterprise Mobility Suite, Microsoft will make it easier for companies to manage a range of devices, including those running Apple's iOS and Google's Android. It's a smart move, says columnist Ryan Faas.
 
Edward Snowden's revelations about the National Security Agency's data collection practices have eroded the public's trust in major technology companies -- and in the Internet, a Harris Interactive survey found.
 
The Chicago Sun-Times is now accepting bitcoins as payment for subscription, becoming the first major U.S. newspaper to take the digital currency.
 
Nest, the connected-home device maker Google agreed to buy in January, is disabling a feature that allows its Nest Protect smoke and carbon-monoxide alarm to be silenced with a wave of the hand.
 

Posted by InfoSec News on Apr 04

http://healthitsecurity.com/2014/04/03/how-a-community-hospital-cio-stays-ahead-of-the-security-curve/

By Patrick Ouellette
Health IT Security
April 3, 2014

When a smaller community hospital doesn’t necessarily have the same level
of funding and resources as a larger hospital or healthcare network, it’s
forced to maximize what it already has in place while staying in line with
federal regulations. In many ways, the type of privacy and...
 

Posted by InfoSec News on Apr 04

http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/

By Brian Krebs
krebsonsecurity.com
April 3, 2014

An exclusive KrebsOnSecurity investigation detailing how a unit of credit
bureau Experian ended up selling consumer records to an identity theft service
in the cybercrime underground has prompted a multi-state investigation by
several attorneys general, according to wire reports.

Reuters moved a story this...
 

Posted by InfoSec News on Apr 04

http://www.usatoday.com/story/tech/columnist/2014/04/03/hackers-government-cybersecurity-private-and-public-sector/7259729/

By Marc Rogers
SPECIAL FOR USA TODAY
April 3, 2014

SAN FRANCISCO -- Hackers were once considered nothing but a bane to
governments and businesses -- an emerging threat which defied
understanding.

Today, those same governments and businesses worldwide are recognizing how
critical hackers are in defending a...
 

Posted by InfoSec News on Apr 04

http://www.networkworld.com/news/2014/040314-cybercrime-280395.html

By Ellen Messmer
Network World
April 03, 2014

Security professionals are playing defense against cybercrime, and often
feel outgunned by tech-savvy hackers and insiders out to steal sensitive
data from within the business. They see a shortage of qualified security
personnel to call on, but also believe that threat-detection tools are
getting better.

Those were sentiments...
 

Posted by InfoSec News on Apr 04

http://blogs.wsj.com/digits/2014/04/03/bounty-hunter-earns-record-payout-from-facebook/

By REED ALBERGOTTI
Digits
The Wall Street Journal
April 3, 2014

Reginaldo Silva was poring over computer code in November when the
one-time software engineer found what he thought was a security loophole
on Facebook's servers. The discovery led to the largest "bug bounty" ever
paid by the company, and a job for Silva as an engineer at...
 
CA20140403-01: Security Notice for CA Erwin Web Portal
 