Microsoft has released its advance notification for the upcoming Patch Tuesday. The summary lists 11 bulletins in total: 5 rated Critical, all addressing remote code execution, and 6 rated Important, covering a mix of remote code execution, security feature bypass and elevation of privilege. The advance notification is available at [1].

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-dec


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report.

The growing sophistication of the spyware—which has the capability to remotely activate video cameras and report users' geographic locations—is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known.

The 2,000-word article recounts an FBI hunt for "Mo," a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new.




We have received information about a suspected Rovnix botnet controller currently using at least two domains (mashevserv[.]com and ericpotic[.]com), both pointing to the same IP address (AS 44050); see the DNS records in [1] and [2], and [4] for related Rovnix analysis.

This is the information we currently have that should help you identify whether any hosts in your network are contacting this botnet:

  • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where compromised clients send an HTTP GET request when requesting a configuration file. If the correct values are supplied, the server returns an encrypted configuration file.
  • mashevserv[.]com/admin appears to be the admin console.

  • ericpotic[.]com/task.php has similar values appended to it, and the GET request appears to be some sort of check-in to tell the server that the bot is alive.
  • POSTs to ericpotic[.]com/data.php are used to exfiltrate data. All communication with the C&C is unencrypted HTTP over TCP port 80; the returned configuration file is encrypted as a payload, but the transport is not, so the hostnames, paths and query strings are visible in proxy logs and packet captures.

It also appears this malware has very little antivirus detection. This is all we currently have. If you can recover samples, either from the host or from packet captures, and are willing to share them with us, you can upload them via our contact page.
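Because the C&C transport is plain HTTP, the indicators above can be hunted directly in proxy logs. The script below is an added example written for this diary, not code from the ISC or from any Rovnix analysis: it parses an assumed Squid-style access log line (timestamp, client IP, method, URL, status), matches the hostnames, paths and query parameter names the diary lists, and separates full bot exchanges from partial or unexpected contacts with the C&C hosts. The log format and every sample line are constructed for the demo.

```python
"""Hunt HTTP proxy logs for the Rovnix C&C traffic patterns listed above.

Added example written for this diary; it is not code from the ISC or from
any Rovnix analysis. The log format (a Squid-style access.log line:
timestamp, client IP, method, URL, status) and every sample line below are
constructed for the demo. The hostnames, paths and query parameter names
are taken from the diary; everything else is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames from the diary, written undefanged so string comparison works.
# They are indicators to match on, not addresses to browse to.
C2_HOSTS = {"mashevserv.com", "ericpotic.com"}

# (method, path) -> (label, query parameters the diary says the bot sends)
C2_ENDPOINTS = {
    ("GET", "/config.php"): ("config-fetch",
                             {"version", "user", "server", "id", "crc", "aid"}),
    ("GET", "/task.php"): ("check-in", set()),
    ("POST", "/data.php"): ("exfiltration", set()),
}

# Assumed log layout: "<epoch> <client ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\b"
)


def classify(line):
    """Return a hit record for a line that touches the C&C, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand; skip rather than guess
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    if host not in C2_HOSTS:
        return None
    hit = {"client": m.group("client"), "host": host, "path": parts.path, "bot": {}}
    endpoint = C2_ENDPOINTS.get((m.group("method"), parts.path))
    if endpoint is None:
        # Same host, but a path the diary does not describe (e.g. /admin).
        # Contact with the C&C host is still worth a ticket.
        hit["label"] = "c2-host-contact"
        return hit
    label, expected = endpoint
    # parse_qs gives lists; the bot sends each parameter once, so take [0]
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not expected.issubset(qs):
        # Right host and path, but the request shape differs from the
        # diary: flag it separately so an analyst looks at it.
        label += "-partial"
    hit["label"] = label
    # Keep the fields that identify the bot/campaign for later correlation.
    hit["bot"] = {k: qs[k] for k in ("id", "aid", "version") if k in qs}
    return hit


def hunt(lines):
    """Run classify() over an iterable of log lines; return all hits."""
    return [h for h in map(classify, lines) if h is not None]


def infected_clients(lines):
    """Client IPs that completed a config fetch, check-in or exfiltration."""
    strong = {"config-fetch", "check-in", "exfiltration"}
    return sorted({h["client"] for h in hunt(lines) if h["label"] in strong})


# Constructed sample log: one infected host running through the full cycle,
# one clean host, one host touching the admin console, one odd request.
SAMPLE_LOG = [
    "1386350000.123 10.1.2.3 GET http://mashevserv.com/config.php"
    "?version=1&user=abc&server=2&id=deadbeef&crc=1234&aid=77 200",
    "1386350001.456 10.1.2.3 GET http://ericpotic.com/task.php"
    "?version=1&user=abc&server=2&id=deadbeef&crc=1234&aid=77 200",
    "1386350002.789 10.1.2.3 POST http://ericpotic.com/data.php 200",
    "1386350003.000 10.1.2.9 GET http://www.example.com/index.html 200",
    "1386350004.000 10.1.2.9 GET http://mashevserv.com/admin 403",
    "1386350005.000 10.1.2.20 GET http://mashevserv.com/config.php?version=1&user=x 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["client"], hit["label"], hit["host"] + hit["path"], hit["bot"])
    print("infected:", infected_clients(SAMPLE_LOG))
```

Matching on hostname and path rather than on the full URL keeps the check robust to changing parameter values, while the "-partial" label preserves the distinction between a host that performed the exact exchange the diary describes and one that merely touched the same server; the id, aid and version fields are retained so that hits from several hosts can be tied to the same bot build or campaign.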

[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
LinuxSecurity.com: USN-2048-1 introduced a regression in curl.
LinuxSecurity.com: New hplip packages are available for Slackware 14.0 to fix a security issue.
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
LinuxSecurity.com: New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues.
LinuxSecurity.com: Multiple vulnerabilities have been found in SWI-Prolog which allow attackers to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
LinuxSecurity.com: Updated nss and nspr packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
LinuxSecurity.com: Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 6.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having
LinuxSecurity.com: Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate
A screenshot showing BlackHole statistics.

An online crime kingpin arrested in October and charged with creating and distributing the Blackhole exploit kit may have had his hand in as much as 40 percent of the world's malware infections, according to information released by the security firm that helped track him down.

The 27-year-old Russian, identified only as Paunch, allegedly earned about $50,000 per month selling BlackHole subscriptions for as much as $500 per month, according to a report published Friday by security firm Group-IB. He is also alleged to be behind the much more expensive Cool Exploit Kit and a "Crypt" service used to obfuscate malware to go undetected by antivirus programs. With more than 1,000 customers, he was able to lead a lavish lifestyle that included driving a white Porsche Cayenne, Group-IB said.

Exploit kits are the do-it-yourself tools used to embed crimeware into hacked or malicious websites so they target a host of vulnerabilities found on end-user computers. People who visit the websites are exposed to "drive-by" attacks that are often able to install highly malicious software on the computers with no sign that anything is amiss. Group-IB estimated that Paunch may have supplied the code used in as much as 40 percent of the PC crimeware infections worldwide. Researchers arrived at that guess by gauging sales of BlackHole and Cool, which they said accounted for about 40 percent of world revenue for exploit kits. Even assuming that some crimeware is installed independent of exploit kits, it's hard to overstate the role these two kits played in seeding the Web with exploit code that installed malware used in bank fraud and other forms of online crime.



The chip industry is in for major changes in the coming years, according to Broadcom Chairman and Chief Technical Officer Henry Samueli. In 1991, he co-founded the communications chip giant, which today brings in annual revenue of more than US$8 billion from components for all manner of network, business and consumer products. At a pre-CES event in San Francisco earlier this week, Samueli visited from the company's Irvine, California, headquarters and sat down with IDG News Service to talk about devices, mobile networks and the uncertain future of silicon.

VMware released an ESX 4.1 update for third-party libraries. The complete advisory, VMSA-2013-0015, is available at [1].

VMware also updated advisory VMSA-2013-0007 for ESX 4.0 and 4.1 to cover a third-party update to the Service Console sudo package. Additional information on this update is available at [2].

ESXi is not affected by either of these updates (it has no Service Console).

[1] VMSA-2013-0015 http://www.vmware.com/security/advisories/VMSA-2013-0015.html
[2] VMSA-2013-0007.1 http://www.vmware.com/security/advisories/VMSA-2013-0007.html


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Apple is taking a closer look at shoppers in its retail stores, under a new program that will push product-related information to their mobile devices using its iBeacon trackers.
In the race to deliver online shopping purchases faster, drones don't impress eBay's CEO.
Microsoft may revert to separate release schedules for consumer and business versions of Windows, the company's top OS executive hinted this week.
The maker of a popular flashlight app for Android phones has agreed to settle charges brought by the Federal Trade Commission that it left consumers in the dark about its data-sharing practices.
The U.S. Supreme Court has agreed to hear a controversial software patent case after a federal appeals court ruled that an abstract idea is not patentable simply because it is tied to a computer system.
The National Security Agency cited a 1981 executive order signed by then-President Ronald Reagan as the authority under which it is collecting location data daily from tens of millions of cell phones around the world.
Most budget phones offer a sub-par experience, but the new Moto G provides an excellent experience at a low off-contract price. So is this the phone for you?
Apple has incurred legal costs of over US$60 million in its court battle against Samsung in California, and the bill is still rising.
IBM is developing software that will allow organizations to use multiple cloud storage services interchangeably, reducing dependence on any single cloud vendor and ensuring that data remains available even during service outages.
Hackers have exposed millions of passwords from Facebook, Google, and Twitter. Sadly, password compromise is so common that it barely even registers as news any more. Suffice to say that it's probably time to change your password again.
U.S. securities regulators questioned an early version of Twitter's initial public offering prospectus that claimed the social media company was becoming more profitable when it was actually losing increasing amounts of money.
Microsoft's Cybercrime Center, where the Digital Crimes Unit coordinated its investigation of ZeroAccess, was opened in November.

On Thursday, Microsoft's Digital Crimes Unit, the legal and technical team that has driven the takedown of botnets such as Bamital and Nitol during the past year, announced that it has moved with Europol, industry partners, and the FBI to disrupt yet another search-fraud botnet. The ZeroAccess botnet, also known as ZAccess or Sirefef, has taken over approximately 2 million PCs worldwide; Microsoft estimates that it has cost search engine advertisers on Google, Bing, and Yahoo over $2.7 million each month.

According to security reporter Brian Krebs, ZeroAccess began its life cycle in 2009 as a delivery network for other malware—dropping paying customers' viruses and Trojans, including "scareware" fake antivirus packages—onto PCs it had successfully infected. But since then, it has evolved into a "clickfraud" platform—intercepting search requests from the user's Web browser and injecting fraudulent hyperlinks into the results returned from major search sites. The botnet operators get paid through advertising networks for the traffic sent to the sites as if the user had clicked on a legitimate ad.

After identifying the IP addresses of 18 command-and-control servers involved in directing ZeroAccess, Microsoft filed civil lawsuits last week against the botnet operators in the US District Court for the Western District of Texas. The court authorized Microsoft to block traffic between those servers and PCs in the US, using technology provided by networking vendor A10 Networks.



Nearly three months after the launch of iOS 7, three-quarters of all mobile devices from Apple are running the newest operating system.
An IT specialist working for the U.S. National Science Foundation has pleaded guilty to theft of government property for redirecting more than US$94,000 in government funds for his personal use, the U.S. Department of Justice said.
HawtJNI CVE-2013-2035 Local Privilege Escalation Vulnerability
Storage vendors struggled with a decline in spending by the U.S. government and increased investment in public cloud capacity during the third quarter, according to IDC.
Where did you first learn about Amazon's crazy plan to deliver packages via drone? "60 Minutes"? The New York Times? Increasingly, the answer is likely to be Twitter, Facebook or Yahoo, and that's just how the online giants like it.
Jamroom Search Module 'search_string' Parameter Cross Site Scripting Vulnerability
Cross-Site Scripting (XSS) in Jamroom

Despite cloud computing security risks, infosec pros know their role
ORLANDO, Fla. -- Misconceptions abound regarding the approach enterprise information security professionals must take in order to successfully address cloud computing security risks in their organizations. It's unfortunate when those misconceptions are ...

In theory, a hybrid offshore deal combines the best of pure outsourcing and a captive IT services center. In reality, it's more complicated -- and not for everyone.
While it may not seem logical, the holiday season is the perfect time to focus on your job search. Networking opportunities abound and there's less competition with other job candidates.
Net-SNMP SNMPD AgentX Subagent Timeout Denial of Service Vulnerability
Microsoft has quietly ended retail sales of Windows 7, according to a notice on its website.
A new website allows Internet users to check if their usernames and passwords were exposed in some of the largest data breaches in recent years.
Oracle's copyright case against Google's Android OS appeared to gain new life this week after a federal appeals court judge poked holes in Google's defense.
Teams of researchers are hoping to give life to a six-foot, 330-pound humanoid robot at the the Robotics Challenge in Homestead, Fla. on Dec. 20 and 21.
Cisco Prime Network Registrar CVE-2013-3394 Cross Site Scripting Vulnerability
Cisco IOS and IOS XE Software CVE-2013-6705 Denial of Service Vulnerability
Anonymous members, charged with a distributed denial-of-service attack on PayPal, entered a plea Thursday that could see some of them walk free at sentencing next December.
The head of China's top Bitcoin exchange didn't expect the Chinese government would act so soon in taking its first step to regulating the digital currency, but said he welcomed controls.
Microsoft and law enforcement agencies said Thursday that they disrupted a botnet that defrauded online advertisers of $2.7 million a month but that the malicious network hasn't been completely eliminated.
In a major move for data portability, Google will let users download their entire set of Gmail messages in a single file and do the same with their Google Calendar items.
Amazon's nascent plan to use unmanned drones to deliver packages to customers has already raised strong privacy concerns that could ultimately nip it in the bud.
Only 30% of the CEOs at the top companies traded on the NASDAQ stock exchange are active on social media sites, gathering spots for millions of potential customers.
IT managers want to cut the number of servers they manage, or at least slow the growth, and they may be succeeding, according to new data.
Rackspace Cloud Server Agent CVE-2013-6795 Remote Code Execution Vulnerability
Linux Kernel 'xfs_attrlist_by_handle()' Function Local Buffer Overflow Vulnerability

Posted by InfoSec News on Dec 06

On Monday I sent out a query about a paid version of InfoSec News, as a companion
to the free list: complete news articles with no advertising signature at the
bottom and no moderator notes, unless there would be a brief service
interruption. Archived only for subscribers of the paid service.

(I should add that I am working to get the complete past archive of InfoSec News
back online; I've been having some issues with the developer.)

A number...

Posted by InfoSec News on Dec 06


By Don Walker
Journal Sentinel
December 5, 2013

City Attorney Grant Langley says his office is still working on the formal
complaint the city plans to file with the U.S. Department of Health and
Human Services accusing Froedert Health and Dynacare Laboratories of a
security breach involving the personal information of thousands of city

Langley spoke shortly after the city's...

Posted by InfoSec News on Dec 06


By Sharon Chen & Jasmine Ng
Dec 5, 2013

Standard Chartered Plc (STAN) said data from some of its private banking
clients were stolen in Singapore after the city-state’s police found bank
statements on a laptop seized from an alleged hacker.

The monthly statements of 647 clients for February 2013 were stolen from...

Posted by InfoSec News on Dec 06


By Lucian Constantin
05 December 2013

New attack campaigns have infected point-of-sale (PoS) systems around the
world with sophisticated malware designed to steal payment card and
transaction data.

Researchers from security firm Arbor Networks found two servers that were
used to collect data stolen from PoS systems by...

Posted by InfoSec News on Dec 06


By Jonathan Kaiman
DECEMBER 4, 2013

DHARAMSALA, India -- Lobsang Gyatso Sither sits at the front of a Tibetan
school auditorium, the bright rectangle of his PowerPoint presentation
dimly illuminating the first few rows of students before him. "Never open
attachments unless you are expecting them," Sither says. The students nod.
A portrait...

Posted by InfoSec News on Dec 06


By Matt Markovich
Dec 3, 2013

SEATTLE -- Ninety thousand UW Medicine patients are being notified via
letter of a data security breach that potentially involves their personal

But some patients, such as Karen Hauger, are questioning why they're not
being offered "credit...

Posted by InfoSec News on Dec 06


By David Henry and Jim Finkle
December 5, 2013

JPMorgan Chase & Co. is warning some 465,000 holders of prepaid cash cards
issued by the bank that their personal information may have been accessed
by hackers who attacked its network in July.

The cards were issued for corporations to pay employees and for government
agencies to...