Information Security News
This isn't really new. But two readers submitted logs like this today, so I figured it is time for a reminder.
If you see requests like this in your weblogs:
a.b.c.d - - [04/Oct/2016:14:57:34 +0000] \x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16 400 166 - -
The reason is almost always an SSL/TLS request sent to a non-SSL server. In particular, if you are running a web server on a port other than port 80 (e.g. 8080 or 8000), you will see attackers trying to scan your server on the assumption that it is running SSL.
To decode the byte sequence above:
\x16 - the record content type. 0x16 indicates a handshake record; connections typically start with a client hello.
\x03\x02 - the SSL/TLS version of the record layer. In this case cutting edge TLS 1.1 (0x03 0x01 would be TLS 1.0).
\x00\xDC - the length of the record payload. 0xDC = 220 bytes.
\x01 - the handshake message type: indeed, a client hello (a server hello would be 0x02).
\x00\x00\xD8 - the length of the client hello part of the message (216 bytes, i.e. the 220-byte record minus the 4-byte handshake header).
\x03\x02 - SSL/TLS version again, this time the highest version the client supports.
SC[\x90 - four byte time stamp, the first part of the 32-byte client random (only non-printable characters use the \x encoding, so this translates to 0x53 0x43 0x5B 0x90).
followed by some random bytes (the remaining 28 bytes of the client random; this log line only captures part of them)...
You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.
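As an added example (not part of the original diary), a small Python decoder that reverses Apache's \xHH log escaping and walks the fields described above, with the request string from the log line embedded as the sample input. It returns None for requests that are not a TLS handshake record, so it can separate "TLS sent to a plaintext port" from other malformed requests, and it tolerates the truncation seen in the log, where only the start of the client hello survives.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the request field copied from the log line above (Apache
# writes non-printable bytes as \xHH and leaves printable ones as-is).
LOGGED_REQUEST = (r"\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br"
                  r"\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16")

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello"}

def unescape_apache(field: str) -> bytes:
    """Reverse Apache's log escaping: \\xHH -> one byte, \\\\ -> a backslash."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif field.startswith("\\\\", i):
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)

def parse_tls_record(data: bytes) -> Optional[dict]:
    """Parse the TLS record header and the start of the handshake message; None if not TLS."""
    if len(data) < 11 or data[0] != 0x16:          # 0x16 = handshake content type
        return None
    rec_ver, rec_len = struct.unpack(">HH", data[1:5])
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")       # 3-byte handshake length
    hello_ver = struct.unpack(">H", data[9:11])[0]
    info = {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "record_length": rec_len,
        "handshake_type": HANDSHAKE_TYPES.get(hs_type, hex(hs_type)),
        "handshake_length": hs_len,
        "hello_version": VERSIONS.get(hello_ver, hex(hello_ver)),
        "lengths_consistent": rec_len == hs_len + 4,  # payload = 4-byte header + body
    }
    if hs_type == 0x01 and len(data) >= 15:        # ClientHello: gmt_unix_time comes next
        gmt = struct.unpack(">I", data[11:15])[0]
        info["gmt_unix_time"] = gmt
        info["gmt_time_utc"] = datetime.fromtimestamp(gmt, timezone.utc).isoformat()
    return info
```

Running parse_tls_record(unescape_apache(LOGGED_REQUEST)) on the sample yields TLS 1.1, a 220-byte record carrying a 216-byte client hello, and the 0x53435B90 time stamp; modern clients often fill gmt_unix_time with random data, so treat the decoded time as informational only.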
by Sean Gallagher
WikiLeaks celebrated its tenth anniversary today by teasing a release of documents that would damage presidential candidate Hillary Clinton. But when Julian Assange failed to release anything new, the individual who refers to himself as Guccifer 2.0 posted what he claimed were files from the Clinton Foundation's servers.
"Many of you have been waiting for this, some even asked me to do it," Guccifer 2.0, or whoever is posting under that name, wrote in a blog post. "So, this is the moment. I hacked the Clinton Foundation server and downloaded hundreds of thousands of docs and donors' databases. Hillary Clinton and her staff don't even bother about the information security. It was just a matter of time to gain access to the Clinton Foundation server." Ars contacted Guccifer 2.0, or whoever runs his Twitter account. He claimed the files came directly from the Clinton Foundation server—but declined to say how he got access to them ("I prefer to keep it to me yet").
However, a review by Ars found that the files are clearly not from the Clinton Foundation. While some of the individual files contain real data, much of it came from other breaches Guccifer 2.0 has claimed credit for at the Democratic National Committee and the Democratic Congressional Campaign Committee—hacks that researchers and officials have tied to "threat groups" connected to the Russian Government. Other data could have been aggregated from public information, while some appears to be fabricated as propaganda. Aside from some DNC payroll data, and lease documents for some Democratic Party field offices, most of the documents in the dump were originally authored either at the DCCC or by people working for the DCCC on their personal computers.
According to a new report by Reuters citing anonymous former employees, in 2015, Yahoo covertly built a secret “custom software program to search all of its customers' incoming emails for specific information.”
Reuters noted that Yahoo “complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.” It is not clear what data, if any, was handed over.
Presuming that the report is correct, it would represent essentially the digital equivalent of a general warrant—which is forbidden by the Fourth Amendment, as Electronic Frontier Foundation lawyer Andrew Crocker noted on Twitter.