A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code.
 
It's time for enterprise applications and storage to work more closely together, even to the point where SSDs become a pool of computing power, according to Samsung Semiconductor.
 
Marcelo Claure, Sprint's incoming CEO, knows how to corner a market and make billions doing behind-the-scenes tasks that are pretty unglamorous -- except when he's on stage with J. Lo.
 

LAS VEGAS—During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel chief information security officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that "could probably take down the Internet." Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative.

Geer spoke about the threat posed by home routers in advance of "SOHOpelessly Broken," a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. "Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn't been updated in a while," Geer explained.

Attackers could identify vulnerabilities in particular models and then scan the Internet for targets based on the routers' signatures. "They can then build botnets on the exterior of the network—the routing that it does is only on the side facing ISPs," he said. "If I can build a botnet on the outside of the routers, I could probably take down the Internet."


 
There's still much that's unclear about Tuesday's revelation that a small group of hackers in Russia have amassed a database of 1.2 billion stolen user IDs and passwords. The company that disclosed the incident, Hold Security, didn't offer any fresh information Wednesday, but here are five questions we'd like to see answered (and a bonus one that we already know the answer to).
 
Dan Geer, speaking at Black Hat, outlined a series of policies he believes will help make the Internet more secure.
Sean Gallagher

LAS VEGAS—In a wide-ranging keynote speech at the Black Hat information security conference today, computer security icon Dan Geer gave attendees a sort of personal top 10 list of things that could be done to make the Internet more secure, more resilient, and less of a threat to personal privacy. Among his top policy picks: the US government should move to “corner the market” on security vulnerabilities by paying top dollar for them and then publish them to the world.

Geer is the chief information security officer for In-Q-Tel, the not-for-profit venture capital firm funded by the Central Intelligence Agency to incubate technologies that aid intelligence operations. However, he noted that he was speaking in a private capacity at the event, and not as a public official.

“We could pay 10 times the market price" for zero-day vulnerabilities, Geer said. “If we make them public, we zero the inventory of cyber weapons where it stands.”


 
 

CIA infosec guru: US govt must buy all zero-days and set them free (The Register)
Black Hat 2014: Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online. Geer played a crucial role in the development of the X Window System and the Kerberos authentication ...
Black Hat 2014 Keynote: What InfoSec Needs to Do (Infosecurity Magazine)
Black Hat 2014: Dan Geer says system dependencies threaten security (TechTarget)
 
You can almost hear the hint of desperation in Matt Holton's voice.
 
Don't worry, you're not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.
 

Various Internet Storm Center Handlers have written Diaries on the malware called CryptoLocker, a nasty piece of malware which encrypts the files of the systems it infects, then gives victims 72 hours to pay the ransom to receive a private key that decrypts those files. There are still victims out there with encrypted files, and if you're one of them or know of someone affected, the folks at FireEye and Fox-IT have created a web portal, https://www.decryptcryptolocker.com/, to decrypt those files.

This is a free service for anyone afflicted by CryptoLocker, many of whom are small businesses without the resources to deal with this properly, so let people know.

Using the site is very straightforward (steps taken from the FireEye blog [1]):

How to use the DecryptCryptoLocker tool

1. Connect to https://www.decryptcryptolocker.com/
2. Identify a single CryptoLocker-encrypted file that you believe does not contain sensitive information.
3. Upload that non-sensitive encrypted file to the DecryptCryptoLocker portal.
4. Receive a private key from the portal and a link to download and install a decryption tool that can be run locally on your computer.
5. Run the decryption tool locally on your computer, using the provided private key, to decrypt the encrypted files on your hard drive.

DecryptCryptoLocker is available globally and does not require users to register or provide contact information.

This is a fantastic resource from both FireEye and Fox-IT, so thanks to all involved in making this happen and making it free to use.

For more background on CryptoLocker from Fox-IT, read their CryptoLocker ransomware intelligence report [2].

 

[1] http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

[2] http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
Google's YouTube division has bought the Directr movie-making app for smartphones and will offer it free.
 
PHP 'ext/spl/spl_array.c' Use After Free Memory Corruption Vulnerability
 
Microsoft IIS HTTP TRACK Method Information Disclosure Vulnerability
 
PHP Fileinfo Component 'cdf_count_chain()' Function Remote Denial of Service Vulnerability
 

This month's Patch Tuesday update for Internet Explorer will include a new feature: it will block out-of-date ActiveX controls.

More specifically, it will block out-of-date versions of the Java plugin. Although Microsoft is describing the feature as an ActiveX block, the list of prohibited plugins is currently Java-centric. Stale versions of Flash and Silverlight will be able to stick around, at least for now, though Microsoft says that other out-of-date ActiveX controls will be added to the block list later.

Old, buggy versions of the Java plugin have long been used as an exploit vector, with Microsoft's own security report fingering Java in 84.6 to 98.5 percent of detected exploit kits (bundles of malware sold commercially). Blocking obsolete Java plugins should therefore go a long way toward securing end-user systems.


 
GNU glibc Locale Environment Handling Directory Traversal Vulnerability
 
Microsoft's Internet Explorer will begin blocking out-of-date ActiveX controls when the company updates the versions that run on Windows 7 and Windows 8 next week.
 
The world's fastest computer is facing a challenge from Fujitsu, which is developing a new high-performance chip that could go into supercomputers up to three times faster.
 
Google has acquired Emu, a text-messaging app with a built-in virtual assistant created by a veteran of Apple's Siri team.
 

An exploit is now available at exploit-db.com for the Symantec Endpoint Protection privilege escalation vulnerability. Symantec released a patch for this issue earlier this week [1].

The vulnerability requires normal-user access to the affected system and can be used to escalate privileges to fully control the system (instead of being limited to a particular user), so it will make a great follow-up exploit to a standard drive-by exploit that gains user privileges.

We have received some reports that users have problems installing the patch on legacy systems (e.g. Windows 2003). Applying the patch simply fails in these cases, and the failure appears to have no ill effect on system stability.

[1] http://www.symantec.com/business/support/index?page=content&id=TECH223338

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Samba 'nmbd' NetBIOS Name Services Daemon Remote Code Execution Vulnerability
 
A selfie taken by a black macaque monkey and an entire aboriginal language were asked to be removed from Wikipedia by people who claimed to have the copyrights to them, the Wikimedia Foundation said in its first transparency report.
 
After a decade of traveling at about 34 thousand miles an hour through deep space, the European Space Agency's Rosetta spacecraft has become the first craft to rendezvous with a comet.
 
Digital rights group Public Knowledge will file net neutrality complaints against each of the four largest mobile carriers in the U.S. over their practice of throttling some traffic, in some cases on so-called unlimited data plans.
 
Samsung Electronics is expected to soon launch the Galaxy Note 4 in a bid to help improve its ailing fortunes in the high-end segment of the smartphone market.
 
Google has removed over 50 links to Wikipedia from its search results on European domains as a consequence of the EU's "right to be forgotten" ruling which, according to Wikimedia, "punches holes in free knowledge."
 
Advanced Micro Devices has stepped up its supercomputer battle with Nvidia, claiming the graphics performance crown with its fastest server GPU offering yet, the FirePro S9150.
 
IBM hopes to expand its customer base and sell to executives outside of IT with a new set of consulting services that can be bought online with a credit card.
 
GPGME 'status_handler()' Function Heap Based Buffer Overflow Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1548 Multiple Memory Corruption Vulnerabilities
 
D-Link DSP-W215 '/common/info.cgi' Handler Stack Buffer Overflow Vulnerability
 
 
Mobile carrier Sprint faces an uncertain future after announcing it is replacing long-time CEO Dan Hesse and reportedly abandoning its bid to buy competitor T-Mobile USA.
 
China's government, which banned Windows 8 from agencies' computers, has now dropped Apple's notebooks and tablets from an approved list of purchases.
 
Watch out Oracle, Pivotal is offering a lighter alternative to the Java Enterprise Edition (JEE) stack.
 
A crowdfunding project hopes to attract enough money to develop the heads-up car display, which can be controlled by voice or hand gestures and syncs with iPhone or Android devices.
 
Timex will ship its Ironman One GPS+ smartwatch in November, starting at $399.
 
LinuxSecurity.com: Updated samba packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: USN-2306-1 introduced a regression in the GNU C Library.
 
LinuxSecurity.com: GPGME could be made to crash or run programs as your login if it processed a specially crafted certificate.
 
LinuxSecurity.com: Updated tor package fixes security vulnerability: Tor before 0.2.4.23 maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in php: Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via [More...]
 
LinuxSecurity.com: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated php53 and php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
It must be one of these...

Whitehat hackers have struck back at the operators of the pernicious CryptoLocker ransom trojan that has held hundreds of thousands of hard drives hostage.

Through a partnership that included researchers from FOX-IT and FireEye, researchers managed to recover the private encryption keys that CryptoLocker uses to lock victims' personal computer files until they pay a $300 ransom. They also reverse engineered the binary code at the heart of the malicious program. The result: a website that allows victims to recover the key for their individual content.

To use the free service, victims must upload one of the files encrypted by CryptoLocker along with the e-mail address where they want the secret key delivered. Both FOX-IT and FireEye are reputable security companies, but readers are nonetheless advised to upload only non-sensitive files that contain no personal information.


 
I've been thinking a lot lately about wearable technology and how the true value of many of today's wearables lies in data collection and the subsequent analysis and correlation of that information. The idea couldn't have been clearer at last month's Wearable Tech Expo in New York City, where Pebble's Chief Product Evangelist, Myriam Joire told attendees of her keynote address:
 
Horror stories don't just happen at the movie theater. In a few cases, companies make a big play to use the wrong cloud application or experience widespread outages in their connection to cloud storage.
 
If you've read any of my articles, you know that the agile practices I advocate are rarely even tried in government projects. How can the guys who popularized the Gantt Chart and the PERT diagram help modern software projects? Oh, and don't forget the folks behind Healthcare.gov.
 
Sprint confirmed today that CEO Dan Hesse will be replaced by board member Marcelo Claure, effective Monday.
 
[ MDVSA-2014:149 ] php
 
PhotoSync v2.2 iOS - Command Inject Web Vulnerability
 
PhotoSync Wifi & Bluetooth v1.0 - File Include Vulnerability
 
[security bulletin] HPSBMU03085 rev.1 - HP Application Lifecycle Management / Quality Center, Elevation of Privilege
 
Re: ownCloud Unencrypted Private Key Exposure
 
[SECURITY] [DSA 2997-1] reportbug security update
 
An Austrian 'class action' lawsuit against Facebook over the company's privacy policies is expected to reach a limit of 25,000 participants on Wednesday. It remains however uncertain if the commercial court in Vienna will accept the case.
 

Some of it may be hype. But no matter whether 500 million, 1.5 billion or even 3.5 billion passwords have been lost, as yesterday's report by Hold Security states, given all the password leaks we have had over the last couple of years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1]

Yes, we have talked about this many times, but sadly it doesn't seem to get old.

So what next? Passwords have certainly been shown to "not work" to authenticate users. But being cheap, they are still used by most websites (including this one, but we do offer a 2-factor option).

For web sites:

  • Review your password policies. There is no "right" policy, but come up with something that rejects obviously weak passwords and, on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site).
  • Make sure your site works with commonly used password managers. The only realistic way for a user to have a unique password for each site is a password manager.
  • Lock accounts that haven't been used in a long time, and delete their password hash from your database, forcing a password reset if the user tries to reactivate the account.
  • Consider two-factor authentication, at least as an option and maybe mandatory for high-value accounts (e.g. administrators). Google Authenticator (time-based one-time passwords, RFC 6238) is probably the easiest one to implement, and it is free. We have talked about other alternatives in the past as well.
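The last bullet says Google Authenticator is the easiest second factor to implement. The block below is an added example (written for this page, not code from the Internet Storm Center or from Google) of the server side of that: it generates a shared secret, builds the otpauth:// URI that the app scans as a QR code, computes RFC 4226 HOTP / RFC 6238 TOTP codes using only the Python standard library, and verifies submitted codes with a one-step clock-skew window, a constant-time comparison, and replay protection (a code for a given 30-second step is accepted at most once). The issuer and account names are placeholders; the verifier keeps its "last used step" in memory, whereas a real site would store it per account alongside the secret.

```python
"""Google Authenticator compatible TOTP, server side (added example, stdlib only)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator uses a fixed 30-second time step
DIGITS = 6          # and fixed 6-digit codes


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret (160 bits by default), base32-encoded for enrollment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding as apps often emit it."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that Google Authenticator reads from an enrollment QR code.
    issuer/account are whatever your site uses; the values in the test are placeholders."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(decode_secret(secret_b32), at // STEP_SECONDS, digits)


class TotpVerifier:
    """Per-account verifier: tolerates +/- skew_steps of clock drift, refuses replays."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.key = decode_secret(secret_b32)
        self.skew = skew_steps
        self.last_step_used = -1   # highest time step whose code was already accepted

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        step = now // STEP_SECONDS
        submitted = submitted.strip().replace(" ", "")   # apps display "123 456"
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_step_used:
                continue   # a code for this step was already consumed: treat as replay
            expected = hotp(self.key, candidate)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleSite"))
    code = totp(secret, int(time.time()))
    v = TotpVerifier(secret)
    print("first use:", v.verify(code), "replay:", v.verify(code))
```

The RFC 6238 test vectors (secret "12345678901234567890", SHA-1) are the easiest way to check an implementation like this before deploying it: at T=59 the 6-digit code must be 287082, at T=1111111109 it must be 081804. Rate-limit verification attempts as well; with 6 digits and a 3-step window, an unthrottled attacker has roughly a 1 in 333,000 chance per guess.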

For users:

  • Have a unique password for each site. As an alternative, you may have a single "throw-away" password for sites that you don't consider important. But be aware that at some point, a site that is not important now may become important as you do more business with them.
  • Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
  • For important sites that don't allow two-factor authentication, consider a "two-part password": one part is kept in your password safe, while the second part you type in. The password safe part is unique to the site, while the additional second part can be the same for different sites, or at least easy to remember. This gives you some protection against a compromised password safe.
  • Change passwords once in a while (I personally like every 6 months...), in particular the "static" part of these high-value passwords.
  • Ask sites that you consider important to implement 2-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day. 

[1] http://www.holdsecurity.com/news/cybervor-breach/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Sony is stopping e-reader production following the transfer of its e-book business outside Japan to Canada's Kobo.
 
After spending two weeks with Amazon's Fire Phone, our reviewer thinks Amazon should be paying YOU to carry the device around.
 
Apple and Samsung Electronics have agreed to end their patent litigation outside the U.S., in an indication of a softening of their dispute that has extended across many countries.
 
Symantec has released a patch for privilege escalation flaws in its Endpoint Protection product, and the company which found the issues released the exploit code on Tuesday.
 
Google has pushed the 64-bit version of Chrome for Windows to the browser's Beta distribution channel, and boosted Chrome for OS X to 64-bit on the more preliminary Canary and Dev builds.
 

Posted by InfoSec News on Aug 06

http://www.infosecnews.org/black-hat-bsides-las-vegas-and-def-con-2014-coverage/

By William Knowles @c4i
Senior Editor
InfoSec News
August 6, 2014

For those of you not in Las Vegas for Black Hat, BSides or Defcon, the
InfoSec News mailing list still works, I’ll be doing my best to cover
Black Hat, BSides, and Defcon, posting infrequently and maybe taking a
little break from things at least ’til next Tuesday.

[...]
 

Posted by InfoSec News on Aug 06

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html

By NICOLE PERLROTH and DAVID GELLES
The New York Times
AUG. 5, 2014

A Russian crime ring has amassed the largest known collection of stolen
Internet credentials, including 1.2 billion user name and password
combinations and more than 500 million email addresses, security
researchers say.

The records, discovered by...
 

Posted by InfoSec News on Aug 06

http://www.telegraph.co.uk/technology/internet-security/11011249/Poorly-trained-IT-workers-are-gateway-for-hackers.html

By Matthew Sparkes
Deputy Head of Technology
The Telegraph
06 Aug 2014

UK universities are failing to teach enough computer security skills and
are churning out IT graduates who present a “risk to their own
organisation”, according to a senior NHS IT manager.

Derrick Bates, senior information security officer at North...
 

Watch this Aussie infosec bod open car doors from afar (The Register)
Silvio Cesare has probably spent enough on home alarm systems at hardware stores to buy a small pacific island. The Canberra hacker has over the last three years embarrassed manufacturers by buying remote alarms, baby monitors and locks from eBay ...
 