
Thanks for reading the ISC Diary! I hope you find useful information in the diary posts. The other handlers and I work hard to bring you the latest news as it develops, and to point out interesting new research that affects our industry and our ability to protect our networks. BUT don't stop with the diary. Quite often the MOST interesting part of an article is in the comments from the readers. Consider the following:

About a year ago I did a post entitled “What can you do with funky directory names?” https://isc.sans.edu/forums/diary/Challenge+What+can+you+do+with+funky+directory+names/12958

The post is about creating a “..  ” (dot dot space) directory. You can even create a funky directory name that will cause Windows to throw an error dialog and go into an error condition. This is COOL STUFF, right? Well, yeah, but not nearly as interesting as the mostly overlooked last comment on the page. An anonymous ISC reader posted this comment:

“It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)

The nice thing about CreateProcess is that it launches the malicious process just fine.”


What does this mean? If you create an executable on disk whose name ends with a SPACE and then execute it, some interesting things happen. Applications such as Microsoft Sigcheck, Mandiant Redline, Process Hacker and other tools that check the digital signatures of the processes in the process list end up checking the wrong file. The malware is “svchost.exe ” (note the trailing space). When these tools go to disk to read the executable's digital signature, the underlying Win32 API trims the trailing space, so they read the signature on the real “svchost.exe” sitting in the same folder. The result is that those security tools find a legitimate digital signature and incorrectly conclude that “svchost.exe ” has been digitally signed by Microsoft. The trailing space survives on disk because NTFS allows it; it is the Win32 path parser, not the file system, that strips it, and a path given with the \\?\ prefix bypasses that parsing entirely.

Matt Graeber (@mattifestation) did a write up on his testing of the issue here http://www.exploit-monday.com/2013/02/WindowsFileConfusion.html
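To set up the test Matt Graeber describes and to check a directory for such names, here is an added Python example (Python because that is what the handlers teach; this is not code from the diary, the reader comment or Graeber's post). It reproduces the Win32 trimming rule, scans a directory listing for names that collide with a sibling after trimming (which also covers the “dot dot space” directory from the earlier diary), and on Windows plants the trailing-space file through the \\?\ prefix, which switches the trimming off. The lab directory C:\lab, the choice of notepad.exe as the planted body and the use of CopyFileW are assumptions; launching the planted file with CreateProcess, and which of your tools misreport it, is the part the diary asks you to test yourself.

```python
r"""Added example, not code from the ISC diary, the reader comment or
Matt Graeber's post.

Win32 path parsing drops trailing spaces and dots from a path component,
so "C:\lab\svchost.exe " and "C:\lab\svchost.exe" are the same path to
CreateFile, GetFileAttributes and everything built on them.  NTFS has no
such rule: a name created through the \\?\ prefix (which switches that
parsing off) keeps its trailing space and lives next to the clean name
as a separate file.

win32_normalize() and find_shadow_names() reproduce the trimming rule
and scan a directory listing for names that collide with a sibling after
trimming; they run on any platform.  create_shadow_file() is Windows-only
and plants such a file via ctypes + the \\?\ prefix.  Lab directory,
source binary and the use of CopyFileW are assumptions.
"""
import ctypes
import os
import sys


def win32_normalize(name):
    """Trailing spaces and dots are dropped; the special names "." and
    ".." survive, so "..  " (dot dot space) collapses to the parent
    directory, which is what made the funky-directory diary entry odd."""
    without_spaces = name.rstrip(" ")
    if without_spaces in (".", ".."):
        return without_spaces
    return name.rstrip(" .")


def find_shadow_names(names):
    r"""Return (raw_name, sibling) for every entry whose name changes under
    Win32 normalization.  `sibling` is the entry an unprefixed open would
    actually reach, or None when no such neighbour exists (still worth
    flagging: the name could only have been created with \\?\ or through
    a non-Win32 path).  NTFS is case-insensitive by default, hence the
    case-folded comparison."""
    by_norm = {}
    for n in names:
        by_norm.setdefault(win32_normalize(n).casefold(), []).append(n)
    findings = []
    for n in names:
        norm = win32_normalize(n)
        if norm == n:
            continue
        siblings = [s for s in by_norm[norm.casefold()] if s != n]
        findings.append((n, siblings[0] if siblings else None))
    return findings


def create_shadow_file(directory, shadow_name, source):
    r"""Windows only: copy `source` to directory\shadow_name through the
    \\?\ prefix so the trailing space survives.  Returns the raw path."""
    if sys.platform != "win32":
        raise OSError("requires Win32 path semantics")
    raw = "\\\\?\\" + os.path.join(os.path.abspath(directory), shadow_name)
    if not ctypes.windll.kernel32.CopyFileW(os.path.abspath(source), raw, False):
        raise ctypes.WinError()
    return raw


if __name__ == "__main__" and sys.platform == "win32":
    # Assumed lab layout: C:\lab already holds a signed svchost.exe copy;
    # next to it we plant "svchost.exe " whose body is notepad.exe.
    lab = r"C:\lab"
    planted = create_shadow_file(lab, "svchost.exe ",
                                 r"C:\Windows\System32\notepad.exe")
    # os.listdir uses FindFirstFileW, which returns names as stored.
    for raw_name, sibling in find_shadow_names(os.listdir(lab)):
        print(f"{raw_name!r}: unprefixed opens resolve to {sibling!r}")
    # Same name, two answers: the unprefixed path is redirected to the
    # neighbour, the \\?\ path is not.
    print(os.path.getsize(os.path.join(lab, "svchost.exe ")),  # real svchost.exe
          os.path.getsize(planted))                            # planted file
```

Run it on a Windows box after copying a signed binary to C:\lab\svchost.exe; the two sizes printed at the end differ because the unprefixed path is silently redirected to the neighbour while the \\?\ path is not. Any tool that builds its signature check on the unprefixed path gets redirected the same way, which is what the Sigcheck/Redline/Process Hacker observation above boils down to; a tool that enumerates the directory and flags names that win32_normalize() would change catches the planting regardless of where the signature check lands.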

I have found this technique to be useful for fooling non-Microsoft tools that rely on digital signatures. So don't stop with the article! Read the comments from our brilliant readers. Please TEST your HIPS, whitelisting applications, forensics tools and other digital-signature-based tools using the process outlined by Matt Graeber. Is it vulnerable? Post a comment (responsible disclosure is encouraged) and other brilliant insights in the comments!

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for the SANS Python programming course. The course starts from the very beginning, assuming you don't know anything about programming or Python. The course is self-paced learning, and we cover the essentials before we start building tools you can use in your next security engagement. You will love it! Join me for Python for Penetration Testers in Reston, VA, March 17-21, or at SANSFIRE in Baltimore, June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The easiest way to not be tracked via your phone is to not have a phone. Of course, that means you won’t have a phone. So you can’t call or text, much less check your e-mail or play Angry Birds while on the bus.

Even if you do have a phone, setting it up with privacy-minded tools—Tor, OTR chat, secure texting, and calling—is cumbersome, and of course requires that your calling or texting partner on the other end of the line has all of that installed as well.

On Wednesday FreedomPop, a Los Angeles-based mobile data startup, announced what it’s nicknamed the “Snowden Phone” after the notorious whistleblower. Officially called the Freedom Privacy Phone, it's actually a three-year-old Samsung Galaxy II Android with a modified bootloader, which means you can’t easily upgrade the Android firmware without, say, breaking the entire VOIP setup.


 
 
The notebook features a lightweight yet tough finish, and the latest tech specs; up to 16GB of memory; storage options up to 1TB hard drive or 256GB SSD; 802.11ac Wi-Fi.
 
[CVE-2014-0683] Router Cisco RV110W / RV215W / CVR100W - Bypass Login Page - Admin Password Disclosure
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
 

We've all read a lot about the scans and exploits of UPnP (Universal Plug and Play) on UDP port 1900. Jens, one of our readers, pinged us this morning with a question about an uptick he was seeing in TCP/5000, which is also listed as UPnP - who knew? (Not me, that's who!) Port 5000/TCP shows up in port lists as UPnP because many devices, and older Windows versions, serve the UPnP HTTP control interface there; SSDP discovery is what lives on UDP/1900.

After a quick check, I'm seeing an uptick in attack activity on TCP/5000 starting in mid-February, both in our DShield database and on various customer firewalls. Our reader was seeing his attacks come from an IP allocated to China, but I'm seeing more attacks sourced from the US.

https://isc.sans.edu/port.html?startdate=2014-02-03&enddate=2014-03-05&port=5000&yname=sources&y2name=targets


Does anyone have any of these attack packets captured, preferably more than just SYN packets? 

Or if anyone has a sample of the attack software or any malware involved, we'd of course love a sample of that as well !

===============
Rob VandenBrink
Metafore

 
Challenging Microsoft's Windows Azure on its own turf, Red Hat is ramping up services that would offer Microsoft .NET and SQL Server capabilities on its OpenShift platform as a service (PaaS).
 
Facebook announced a set of new restrictions designed to curb the illegal sale of guns and other restricted items on its site, a phenomenon that had become vexing problem for the social network.
 
Google Chrome CVE-2014-1681 Multiple Unspecified Security Vulnerabilities
 
Cisco Security Advisory: Cisco Small Business Router Password Disclosure Vulnerability
 
 
ESA-2014-012: EMC Documentum TaskSpace Multiple Vulnerabilities
 
Shipments of new PCs, most of them equipped with Microsoft Windows, will decline more in 2014 than thought a few months ago, according to IDC.
 
That someone had to take the fall for the massive breach at Target is neither surprising nor unexpected. The only question is whether more heads will roll in the aftermath of one of the biggest data compromises in retail history.
 
The U.S. Congress should mandate that banks, retailers and payment card processors adopt new security standards to protect against widespread data breaches, some lawmakers said Wednesday.
 
SAP is introducing a set of new subscription pricing options for its Hana in-memory cloud computing platform, in a move that falls in step with the pay-as-you-go model common in the cloud computing industry.
 
 
Phil Cummings says network firewalls will continue to be a critical piece of Health Information Technology Services -- Nova Scotia security portfolio for one simple reason: nothing's come along to replace them.
 
What if one day you accidentally step on your smartphone and instead of it shattering, it simply bends? Research underway at the Los Alamos National Lab could give consumers more durable smartphones, tablets and laptops.
 
Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.
 
As it works on its much-anticipated version of Office for touch interfaces, Microsoft envisions building on what it calls "natural interaction" technologies like digital ink and voice recognition, according to a company official.
 
Macworld's Dan Moren offers a reason to be optimistic about the future of Apple's new CarPlay in-car, iPhone user interface after its less-than-enthusiastic reception: Apple's expertise in developing and updating software.
 
Roku's new iteration of its streaming media stick chops the price from $99 to $49 and it now works with any TV. And it's not just looks that make it different from Chromecast.
 
Target CIO Beth Jacob has resigned following a data breach at the retailer that may have affected as many as 110 million U.S. residents.
 
Dassault Systemes Catia Stack Buffer Overflow Vulnerability
 
An asteroid is flying relatively closely past Earth today, NASA reported. No need to duck or take to the root cellar, though.
 
President Barack Obama's fiscal 2015 budget plan would increase federal R&D spending by 1.2% over this year, if Congress approves.
 
OpenDocMan 'ajax_udf.php' Multiple SQL Injection Vulnerabilities
 
OpenStack Compute (Nova) CVE-2013-7048 Insecure Directory Permissions Vulnerability
 
OpenStack Compute (Nova) Ephemeral Disk Backing Files Denial of Service Vulnerability
 
Oregon is holding back $25.6 million in payments from Oracle over work the vendor did on the state's troubled health care exchange website.
 
 

Flexcoin, the self-proclaimed "world's first Bitcoin bank," was robbed by attackers who took advantage of a flaw in the bank's code for transferring bitcoins.

As reported yesterday, Flexcoin shut down after an attacker made off with 896 bitcoins, the equivalent of about $600,000. The company has since posted a more thorough explanation of just how it was robbed on its home page:

The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy

The coins were then left to sit until they had reached 6 confirmations.

The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.

This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins. (Here and Here.)

The stolen coins were in Flexcoin's "hot wallet," the account used to instantly pay out withdrawals. The bitcoins that Flexcoin customers had deposited were stored separately on computers that weren't connected to the Internet, according to Flexcoin. The company said it will attempt to give users their coins back, presuming it can verify users' identities.
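Flexcoin never published the vulnerable code, so the following is an added Python model of the bug class its statement describes, not Flexcoin's own code: a transfer that reads the sender's balance, checks it and writes the new balance as three separate steps, so N simultaneous requests all see the same starting balance and all pass the check. A threading.Barrier stands in for the "thousands of simultaneous requests" and forces the worst interleaving deterministically; the account names and amounts are made up. The AtomicLedger variant shows the fix, and its docstring names the equivalent database-level fix.

```python
"""Added example; not Flexcoin's code, which was never published.  It
models the bug class Flexcoin describes: a transfer that reads the
sender's balance, checks it, and writes the new balance as three
separate steps, so N simultaneous requests all see the same starting
balance and all pass the check.  A threading.Barrier stands in for the
"thousands of simultaneous requests" and forces the worst interleaving
deterministically.  Account names and amounts are made up.
"""
import threading


class RacyLedger:
    """Check-then-act with no atomicity: the vulnerable pattern."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount, yield_point=lambda: None):
        balance = self.balances[src]            # 1. read
        if balance < amount:                    # 2. check
            return False
        yield_point()                           # other requests run here
        self.balances[src] = balance - amount   # 3. write a stale value
        self.balances[dst] += amount
        return True


class AtomicLedger(RacyLedger):
    """The fix: read, check and write happen under one lock, so a
    concurrent request either sees the debited balance or waits.  The
    database equivalent is one conditional update,
    UPDATE accounts SET balance = balance - :amt
        WHERE id = :src AND balance >= :amt,
    with the affected-row count checked before crediting the receiver."""

    def __init__(self, balances):
        super().__init__(balances)
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount, yield_point=lambda: None):
        yield_point()   # adversarial scheduling outside the critical section is harmless
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


def flood(ledger, n_requests, src="attacker", dst="mule", amount=30):
    """Fire n_requests identical transfers at once, all paused at the
    barrier so every one of them has done its read before any write.
    Returns (transfers_approved, final_src_balance, final_dst_balance)."""
    barrier = threading.Barrier(n_requests)
    approved = []
    approved_lock = threading.Lock()

    def worker():
        ok = ledger.transfer(src, dst, amount, barrier.wait)
        with approved_lock:
            approved.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(approved), ledger.balances[src], ledger.balances[dst]


if __name__ == "__main__":
    for cls in (RacyLedger, AtomicLedger):
        ok, src_bal, dst_bal = flood(cls({"attacker": 100, "mule": 0}), 5)
        print(f"{cls.__name__}: {ok} of 5 transfers of 30 approved; "
              f"attacker={src_bal} mule={dst_bal}")
```

With a starting balance of 100 and five requests for 30, the racy ledger approves all five and debits the attacker only once (100 becomes 70), which is the "overdrawn before balances were updated" effect; the atomic ledger approves three and refuses the rest. The mule's total in the racy run is itself unreliable because the credit is also an unguarded read-modify-write, which is why the example reports the approval count rather than trusting either balance.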


 
OpenStack Swift Secret URL Information Disclosure Vulnerability
 
Multiple Vulnerabilities in OpenDocMan
 
Cross-Site Scripting (XSS) in Ilch CMS
 
CVE-2014-1599 - 39 Type-1 XSS in SFR DSL/Fiber Box
 
[security bulletin] HPSBST02955 rev.2 - HP XP P9000 Performance Advisor Software, 3rd party Software Security - Apache Tomcat and Oracle Updates, Multiple Vulnerabilities Affecting Confidentiality, Availability And Integrity
 

In late January we all heard about Bluetooth-enabled credit card skimmers on gas pumps. Since that story broke, I've been seeing some attempts at reassuring the public on this issue: pumps at multiple chains now have their card readers taped and initialed.


I suppose they figure crooks don't have red tape, or pens.  This really is more to reassure consumers, to say "yes, we do check these once in a while to make sure that your card isn't being skimmed".  Though that assumes the person checking can tell a reader cover from a skimmer.

I was also surprised to find that this "breaking story" on skimmers, which hit the news in January 2014, was first posted by Brian Krebs way back in 2010:
http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/
http://krebsonsecurity.com/all-about-skimmers/

... but by the time my brain caught up with whose page I had found this on, I wasn't surprised at all.

The main protection we have against skimmers is the moral fortitude of the attendant working at the station. We're depending on that person doing the right thing when faced with a potentially very large bribe. Skimmer operations can easily net tens of thousands per week, or millions in this recent case https://krebsonsecurity.com/2014/01/gang-rigged-pumps-with-bluetooth-skimmers/. So the risk/reward proposition is a large bribe, often in the tens-of-thousands range, against the chance of being apprehended and charged/convicted if the operation is caught before it shuts down and moves on to the next set of target gas stations.

Please weigh in using our comment form. I'd be really interested if our readers have solutions or preventive measures that will work better than the red tape I described in this story!
 

==============
Rob VandenBrink
Metafore

 
Microsoft has reached a critical milestone for its next update to Windows 8, which is slated to ship early next month, according to reports.
 
A long time ago, a computer program was a stack of punch cards, and moving the program from computer to computer was easy as long as you didn't drop the box. Every command, instruction, and subroutine was in one big, fat deck. Editors, compilers, and code repositories have liberated us from punch cards, but somehow deploying software has grown more complicated. Moving a program from the coding geniuses to the production team is fraught with errors, glitches, and hassles. There's always some misconfiguration, and it's never as simple as carrying that deck down the hall.
 
Adobe has made its Revel photo-app available for Android, allowing users to share and edit photos on their Android devices.
 
WebKit CVE-2013-6635 Use After Free Memory Corruption Vulnerability
 
Google Chrome Prior to 33.0.1750.146 Multiple Security Vulnerabilities
 
PHP: patch to make session handling with default config more secure against local attackers
 
(Added CVE) Dassault Systemes Catia Stack Buffer Overflow
 
Public disclosure of Buffer Overflow Dassault Systems
 
Facebook has made its Messenger app available for Windows Phone 8, a bonus for Microsoft as it seeks to increase the number of applications available for its smartphone OS.
 
WebKit CVE-2013-2909 Use After Free Remote Code Execution Vulnerability
 
Google Chrome CVE-2013-2925 Use After Free Remote Code Execution Vulnerability
 
Google Chrome CVE-2013-2928 Multiple Unspecified Security Vulnerabilities
 
 
Users of Yahoo services will down the line have to use a Yahoo username to sign on to its services, as the company plans to phase out signing up to these services using Facebook and Google credentials.
 
In his first public appearance since he stepped down as Microsoft CEO, Steve Ballmer again acknowledged that the company missed the boat on mobile.
 
One thing is certain: You won't mistake Apple's powerful new Mac Pro for any other desktop computer. And it has the computing chops to match its high-style look.
 
AT&T is remaking its infrastructure as a 'user-defined network cloud' in the pursuit of greater flexibility, lower costs and faster response to user needs, the carrier's infrastructure chief said.
 

Posted by InfoSec News on Mar 05

http://www.informationweek.com/government/cloud-computing/fedramp-cloud-security-approval-look-who-applied/d/d-id/1114101

By Wyatt Kash
InformationWeek Government
March 4, 2014

FedRAMP (Federal Risk and Authorization Management Program), the program
that helps agencies migrate to the cloud securely, is making public the
names of cloud service providers that are in the process of obtaining the
government's security certification.

The...
 

Posted by InfoSec News on Mar 05

http://www.infosecnews.org/the-open-enigma-project-kickstarter/

By William Knowles
Senior Editor
InfoSec News
March 5, 2014

Imagine having this iconic device on your desk: You can use it to simply
display a scrolling marquee of any text message on its unique LED screen
or encrypt/decrypt any information you wish using (still today) a very
secure key. This is an ideal device to teach or learn about encryption,
history & math. Because of...
 

Posted by InfoSec News on Mar 05

http://www.fiercegovernmentit.com/story/dhs-proposes-125-billion-cybersecurity-spending/2014-03-04

By David Perera
FierceGovernmentIT
March 4, 2014

The proposed Homeland Security Department cybersecurity budget for the
coming federal fiscal year amounts to $1.25 billion, show budget documents
released today.

DHS over the course of the Obama administration has assumed an
increasingly central role in securing federal networks and in urging...
 

Posted by InfoSec News on Mar 05

http://www.washingtonpost.com/world/national-security/italian-spyware-firm-relies-on-us-internet-servers/2014/03/03/25f94f12-9f00-11e3-b8d8-94577ff66b28_story.html

By Ellen Nakashima and Ashkan Soltani
The Washington Post
March 3, 2014

An Italian computer spyware firm, whose tools foreign governments
allegedly have used to snoop on dissidents and journalists, relies heavily
on the servers of U.S. Internet companies, according to a new report....
 

Posted by InfoSec News on Mar 05

http://www.computerworld.com/s/article/9246737/No_special_treatment_for_China_on_XP_patches_end_April_8_in_the_PRC_too

By Gregg Keizer
Computerworld
March 3, 2014

Microsoft today said it has not changed the end-of-support policy for
Windows XP users in China, and will still cut off those customers -- as it
will others around the world -- from security patches after April 8.

"Nothing has changed regarding Windows XP support," a...
 

Posted by InfoSec News on Mar 05

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

By Dan Goodin
Ars Technica
Mar 4 2014

Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that circumvent
the most widely used technology to prevent eavesdropping on the Internet,
thanks to an extremely critical vulnerability in a widely used
cryptographic...
 

Posted by InfoSec News on Mar 05

http://www.dailymail.co.uk/sciencetech/article-2573101/Could-NHS-COMPUTER-virus-Outdated-software-putting-official-sites-risk-attack.html

By James Temperton
Computer Active Magazine
4 March 2014

Hundreds of NHS websites have huge security flaws that could see them
taken over or defaced by hackers.

During investigations, more than 2,000 vulnerabilities have been found,
with experts warning criminals could use these flaws to easily infect...
 