Hackin9
Meet the new guy: He sounds just like the old guy.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
When Google awarded Eric Schmidt a $100 million stock bonus in 2011 it was seen as unprecedented for the company. Now it's doing it again.
 
Ross Ulbricht, alleged creator of the online black market Silk Road, was indicted in New York Tuesday on narcotics, money laundering and so-called "kingpin" charges, and faces up to life in prison.
 
If there is one region in the U.S. that can absorb Dell's planned workforce cutbacks, it may be the Austin, Texas, area, one of the nation's hottest areas for tech jobs.
 

Producing secure cryptographic code has never been easy, especially for developers cranking out smartphone apps on tight deadlines. Now, Facebook engineers hope to ease the pain with an open-source tool that automates some of the more difficult tasks.

Conceal, as the code library has been dubbed, provides a set of easy-to-use programming interfaces for securely storing sensitive app data on an Android-based smartphone's secure digital (SD) card. Using an SD card to stash authentication tokens and similar data helps speed up bandwidth- and resource-constrained mobile apps, but it often comes at a cost. Android designates SD cards as a public resource, a design that allows other apps to access the same files. That means developers who want to improve the performance of their apps have frequently struggled to secure SD-residing data so it can't be accessed by other programs.

"Many develop one-off solutions themselves," Facebook software engineer Subodh Iyengar told Ars. "One objective of releasing Conceal is to enable other developers to quickly get up and running. We also believe that libraries get better with contributions and feedback from the community, and the community support can help improve the performance and security of this library."

 
SAP's strategy event for the investment community on Tuesday offered few major surprises to anyone who's been closely monitoring the software vendor lately, but did serve to cement the company's future direction for product development, growth and customer retention. Here's a look at some of the highlights of the event.
 

GOP Report Stresses Gov't InfoSec Flaws
GovInfoSecurity.com
Days before the Obama administration will release a framework aimed at securing the nation's critical infrastructure, Senate Republicans issued a report detailing vulnerabilities in federal IT, suggesting the White House get its own house in order ...

 
There will soon be nowhere to hide from Facebook selfies, Justin Bieber news and emails from your boss.
 
Oracle MySQL Server CVE-2014-0431 Remote Security Vulnerability
 
Hadoop distributor Cloudera has released a commercial edition of the Apache Spark program, which analyzes data in real time from within Cloudera's Hadoop environments.
 
Despite the continuing rise in home computer usage, a substantial portion of U.S. households are not Internet users.
 
The FCC will invest $2 billion during the next two years to expand high-speed Internet at America's schools and libraries, and major tech companies will chip in another $750 million.
 
The NFL deployed a new Wi-Fi analytics tool to study how fans used Instagram and other mobile apps while at MetLife Stadium during Sunday's Super Bowl game.
 
Microsoft co-founder Bill Gates will step down as chairman of the board to spend his time with the company advising the new CEO, Satya Nadella.
 
Adobe released an update for Flash Player to fix a critical remote code execution vulnerability that is actively being targeted by attackers.
 
The failure of U.S. financial institutions and retailers to implement more robust cybersecurity measures, such as the smart-card technology widely used in Europe, was questioned and criticized by members of the U.S. Senate Judiciary Committee at a hearing Tuesday.
 
Sencha has introduced Space, aiming to make it easier for IT departments to manage HTML5 apps running on Android, iOS or BlackBerry devices.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1478 Multiple Memory Corruption Vulnerabilities
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1477 Multiple Memory Corruption Vulnerabilities
 
ImpressCMS Arbitrary File Access And Multiple Cross Site Scripting Vulnerabilities
 
Oracle MySQL Server CVE-2013-5894 Remote Security Vulnerability
 

Update^2:

We now have confirmation that these packets are related to NVidia driver updates. One reader sent us a complete capture; also see the comments on this story below.

Here is a summary of the complete packet capture:

1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat   (I obfuscated the full URL)

0.dat is a signed Windows executable

After it finishes, the update software sends the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.

Thanks all for your help solving this!!

 

Update:

Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - NVidia Helsinki DSL. But other IP addresses reported also point to NVidia.

There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.

---------

Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed nessus scans are unable to connect). 

The ICMP echo requests being sent from the host contain the payload "PING DATA!" , nothing else of interest in the packets. They go out to various hosts. (see below for details).

Has anybody seen these before? They seem "familiar", but I can't point to the exact tool right now...

 xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000   4500 003c 211d 0000 fe01 b5bf xxxx xxxx        E..<!.........Wb
0x0010   5396 7a61 0800 b6b3 0001 0001 5049 4e47        S.za........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000   4500 003c 3508 0000 fe01 b706 xxxx xxxx        E..<5.........Wb
0x0010   5a53 5e72 0800 b6b2 0001 0002 5049 4e47        ZS^r........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000   4500 003c 356a 0000 fe01 760d xxxx xxxx        E..<5j....v...Wb
0x0010   654e 940e 0800 b6b1 0001 0003 5049 4e47        eN..........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Samsung announced Tuesday that its four newest Android KitKat tablets will include the somewhat controversial Magazine UX, a customizable user interface designed by Samsung, not Google.
 
LinuxSecurity.com: Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in libwww-perl, the worst of which could allow attackers to execute arbitrary code.
 
LinuxSecurity.com: New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: libcurl could be made to expose sensitive information.
 
LinuxSecurity.com: Updated openldap packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated librsvg2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts. [More...]
 
LinuxSecurity.com: A NVIDIA drivers bug allows unprivileged user-mode software to access the GPU inappropriately, allowing for privilege escalation.
 
LinuxSecurity.com: An integer underflow vulnerability in Pixman may allow a context-dependent attacker to cause Denial of Service.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in GNU libmicrohttpd, the worst of which may allow execution of arbitrary code.
 

Adobe has released an unscheduled update for its ubiquitous Flash media player to patch a critical vulnerability that may already be under active exploit in the wild.

The security flaw exists in Adobe Flash Player 12.0.0.43 and earlier versions for Windows and OS X and 11.2.202.335 and earlier versions for Linux, according to an advisory published Tuesday morning. The vulnerability stems from an integer underflow bug in the underlying code that could be exploited to execute arbitrary code on the affected system. Because attackers can typically trigger such vulnerabilities surreptitiously after luring victims to websites hosting attacks, Adobe rated the threat as "critical," the company's highest severity category.

"Adobe is aware of reports that an exploit for this vulnerability exists in the wild and recommends users update their product installations to the latest versions," the Adobe advisory stated. It went on to thank Alexander Polyakov and Anton Ivanov of antivirus provider Kaspersky Labs for reporting the vulnerability, which was listed as CVE-2014-0497 under the standardized common vulnerabilities and exposure disclosure system.

 

Adobe today released an emergency patch for a vulnerability that is currently actively exploited. The patch addresses CVE-2014-0497. [1]

The update affects all Windows, OS X and Linux versions. For Windows/OS X, the current version is now 12.0.0.44 and for Linux 11.2.202.336. Google Chrome users need to update Google Chrome to fix the included version of Flash, as do users of Internet Explorer 10 and 11. [2]

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
[2] http://technet.microsoft.com/en-us/security/advisory/2755801

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
 
Samsung announced that three of its latest four Galaxy tablet models running Android 4.4 (KitKat) will go on sale at U.S. retailers starting Feb. 13, with online orders starting today.
 
GNU a2ps 'spy_user()' Function Insecure Temporary File Creation Vulnerability
 
Microsoft today ended its five-month CEO search where it began as it named insider Satya Nadella its third-ever chief executive.
 
[slackware-security] pidgin (SSA:2014-034-01)
 
Microsoft has finally concluded its protracted search and chosen its new CEO: Satya Nadella, who as executive vice president of the company's Cloud and Enterprise group has successfully steered the shift of the company's back-end server software and tools to the cloud.
 
Google has added Cisco to the list of tech companies with which it has struck a long-term patent cross-licensing agreement.
 
Recent data breaches suggest that retailers are security laggards, but the professionalism of the attacks should worry just about anyone.
 
Facebook, the company that defines social networking, is turning 10 years old and looking into a future where it must evolve or risk becoming the next MySpace -- a company Facebook eclipsed years ago.
 
Fujitsu Laboratories and Furukawa Electric have developed an optical connector that could reduce connectivity costs for servers.
 

This is more a quick question than a full post: Many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" value for a domain name, but first want to see what else is out there.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Premier 100 IT Leader Mujib Lodhi also answers questions on keeping abreast of technology and the value of certifications.
 
The new LG G Flex Android smartphone has a curved design, flexible body, and 'self-healing' skin. Does that make a difference in real-world use?
 
Lodgers at Holiday Inns, Marriott and Renaissance hotels may have had their payment card details compromised following a new disclosure on Monday of suspected point-of-sale device attacks.
 
Tech overreach now has its mascot: the True Love Tester bra. How do companies green-light such hare-brained product ideas?
 
Mediatrix 4402 Web Management Interface 'login' Page Cross Site Scripting Vulnerability
 
Cisco Unified Communications Manager CVE-2014-0686 Local Privilege Escalation Vulnerability
 
The U.S. Department of Transportation will propose making all new cars talk to each other so they can warn drivers of impending collisions.
 
Samsung Electronics is planning a launch event dubbed Unpacked 5 at Mobile World Congress, hinting that it will launch the Galaxy S5 there.
 
App developers can now push their software onto a TV screen using a software development kit that Google is introducing for its Chromecast media streaming device.
 
Retailers will face an increased risk of data breaches after Microsoft ends support for Windows XP, a version of which powers the majority of modern cash registers, security vendor Symantec warned in a report published Monday.
 

Posted by InfoSec News on Feb 04

http://www.informationweek.com/security/attacks-and-breaches/hotel-company-investigates-data-breach-card-fraud/d/d-id/1113671

By Mathew J. Schwartz
InformationWeek.com
2/3/2014

White Lodging Services, a hospitality company that manages 168 hotels in
21 states -- under franchises from Hilton, Marriott, Sheraton, and Westin
-- is investigating reports that it suffered a data breach that lasted
from March 2013 until the end of the year.

Word...
 

Posted by InfoSec News on Feb 04

http://pando.com/2014/02/03/congress-is-looking-into-consumer-data-security-but-will-they-actually-act/

BY CALE GUTHRIE WEISSMAN
Pando Daily
FEBRUARY 3, 2014

Today in Washington, a congressional Banking, Housing, and Urban Affairs
subcommittee met to discuss recent consumer financial data breaches, and
the role retailers, bankers, and the government must play to prevent them
from happening again. Leading the subcommittee was Congressman Mark...
 

Posted by InfoSec News on Feb 04

http://freebeacon.com/the-belarusian-connection/

By Bill Gertz
Washington Free Beacon
February 3, 2014

U.S. intelligence agencies last week urged the Obama administration to
check its new healthcare network for malicious software after learning
that developers linked to the Belarus government helped produce the
website, raising fresh concerns that private data posted by millions of
Americans will be compromised.

The intelligence agencies...
 