Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
While reports have been circulating that Hewlett-Packard's board of directors is considering breaking up the company, a source close to company said it's simply not true.
 
Twitter has pushed out an update to its mobile app that has a new search tool intended to make it easier for users to find relevant content.
 
Microsoft and Symantec have dismantled a botnet that took over millions of computers for criminal activities such as identity theft and click fraud.
 
If designed and built efficiently, flexibly and securely, next-generation cyber-physical systems (CPS) now sprouting from interconnections that join the digital and engineered physical worlds will deliver extraordinary capabilities and ...
 
Yahoo has signed a global advertising deal with Google that will result in Google ads appearing on some of Yahoo's websites, the companies announced Wednesday.
 
Dr Peter Lawrence, the newly appointed CIO at the Department of Defence, admits he has "one of the larger and more complex CIO roles in Australia at the moment."
 
Cisco Security Advisory: Cisco ATA 187 Analog Telephone Adaptor Remote Access Vulnerability
 
DefenseCode Security Advisory: Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up
 
A new guide* for Web developers recently released by the National Institute of Standards and Technology (NIST) will make it easier for electric utilities and vendors to give customers convenient, electronic access to their energy usage ...
 
The National Institute of Standards and Technology (NIST) has issued a call for grant proposals for a broad range of potential research projects covering the institute's interests in the physical sciences and engineering. The 2013 NIST ...
 
The National Institute of Standards and Technology (NIST) is requesting comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4. ...
 
The National Institute of Standards and Technology (NIST) invites organizations to participate in a National Cybersecurity Center of Excellence (NCCoE) effort to integrate commercially available security technologies with health ...
 
The National Institute of Standards and Technology (NIST) has announced a new competition for grants to create pilot projects for online secure identity systems that advance the vision of the National Strategy for Trusted Identities in ...
 
She is the first woman president of FICCI, a Padma Shri recipient, a Harvard Business School alumnus, and the woman at the helm of one of the world's most renowned banks. Naina Lal Kidwai needs no introduction. As the group GM and country head of HSBC India, Kidwai has been instrumental in charting the growth path of HSBC in India for the past 10 years. In this interview, Kidwai talks about the changes shaping the banking sector, how IT is helping private banks get one up on public sector entities, and how it is redefining banking.
 
Barracuda Networks released a new update on Monday to further mitigate a security issue that could have allowed attackers to gain unauthorized access to some of its network security appliances through backdoor accounts originally intended for remote support. The company apologized to customers for its design decisions that led to this situation and promised to look into additional ways to strengthen the remote support functionality.
 
Virtualization was a top priority last year. It continues to remain so for partners and CIOs alike.
 
Partners need to adopt new-age security practices. The opportunities appear huge.
 
Although it isn't as popular as the private cloud model, the public cloud is set for big growth.
 
Private cloud remains the go-to choice for most organizations. Even with the advent of the hybrid model, nothing much is expected to change.
 
The easy availability of smartphones and bandwidth will increase enterprise mobility adoption.
 
Analytics and its usage is on the rise. Are partners equipped to ride this wave?
 

An interesting blog post by Kristian Kielhofer describes how a specific SIP packet can kill an Intel Gigabit Ethernet card [1]. If a card is exposed to this traffic, the system has to be physically power cycled. A reboot will not recover the system.

The network card crashed whenever the value 0x32 or 0x33 was found at offset 0x47f. Kristian first noticed this happening for specific SIP packets, but in the end, it turned out that any packet with 0x32 at 0x47f caused the crash. Intel traced the problem to an EEPROM used in this specific card (82574L). There are some links in the comments on the blog suggesting that others have run into this problem before. For example, the command ping -p 32 -s 1110 x.x.x.x can crash an affected card remotely.

[1]http://blog.krisk.org/2013/02/packets-of-death.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
The Election Assistance Commission (EAC) and National Institute of Standards and Technology (NIST) are sponsoring a symposium to explore emerging trends in voting system technology, Feb. 26-28, 2013, in Gaithersburg, Md. NIST and the ...
 
BlackBerry says launch sales of its new BlackBerry 10 handsets in Canada and the U.K. have beaten previous company records, but it isn't releasing actual sales figures.
 
Apple's OS X Snow Leopard, which shipped in August 2009, continued to resist retirement last month, new data from Web analytics vendor Net Applications showed.
 
Despite strong support from IT pros, SharePoint faces increased skepticism from business leaders; it's unclear whether Microsoft can deliver cloud, social and mobile advancements needed for future growth.
 
Cloud storage services Dropbox today released an API that it said addresses the complexity around caching, syncing and working offline so developers can focus on mobile app creation.
 
Countries that have signed on to international cybersecurity agreements tend to have fewer malware infections among their citizens, according to new research released by Microsoft and George Washington University.
 
SAP user groups aren't pleased with the vendor's announcement this week that new customers will soon pay more for Standard Support, but at least so far, there doesn't seem to be a backlash as strong as the one that occurred a few years ago over SAP's higher-priced Enterprise Support service.
 
The mathematician who found the largest known prime number said the discovery last month was like climbing Mount Everest or landing on the moon.
 
Oracle Java SE CVE-2013-0429 Remote Java Runtime Environment Remote Security Vulnerability
 

(This is a guest diary submitted by Bill Parker)

How many administrators review log files in /var/log/*, but don't realize they may be losing possibly important (or even critical) information?



In working with a commonly used IDS (Snort 2.9.x) on one of my test platforms (CentOS 6.3 64-bit inside of VirtualBox 4.2.6), I happened to notice an unusual line in /var/log/messages when snort initialized via its startup script in /etc/init.d:



Feb 5 13:07:52 plugh snort[12105]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Feb 5 13:07:52 plugh snort[12105]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Feb 5 13:07:52 plugh snort[12105]: rpc_decode arguments:
Feb 5 13:07:52 plugh snort[12105]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Feb 5 13:07:52 plugh snort[12105]: alert_fragments: INACTIVE
Feb 5 13:07:52 plugh snort[12105]: alert_large_fragments: INACTIVE
Feb 5 13:07:52 plugh snort[12105]: alert_incomplete: INACTIVE
Feb 5 13:07:52 plugh snort[12105]: alert_multiple_requests: INACTIVE
Feb 5 13:07:52 plugh snort[12105]: FTPTelnet Config:
Feb 5 13:07:52 plugh snort[12105]: GLOBAL CONFIG
Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting - LOOK HERE
Feb 5 13:07:57 plugh snort[12106]: Daemon initialized, signaled parent pid: 12105
Feb 5 13:07:57 plugh snort[12106]: Reload thread starting...
Feb 5 13:07:57 plugh snort[12106]: Reload thread started, thread 0x7f4039a37700 (12106)
Feb 5 13:07:57 plugh kernel: device eth0 entered promiscuous mode
Feb 5 13:07:57 plugh snort[12106]: Decoding Ethernet
Feb 5 13:07:57 plugh snort[12106]: Checking PID path...
Feb 5 13:07:57 plugh snort[12106]: PID path stat checked out ok, PID path set to /var/run/
Feb 5 13:07:57 plugh snort[12106]: Writing PID 12106 to file /var/run//snort_eth0.pid
Feb 5 13:07:57 plugh snort[12106]: Set gid to 40000
Feb 5 13:07:57 plugh snort[12106]: Set uid to 40000
Feb 5 13:07:57 plugh snort[12106]:
Feb 5 13:07:57 plugh snort[12106]: --== Initialization Complete ==--
Feb 5 13:07:57 plugh snort[12106]: Commencing packet processing (pid=12106)



It turns out that many modern Linux distributions come with rsyslog, which is a replacement for syslogd or sysklogd. Starting with version 5.7.1 of rsyslog, a feature known as rate-limiting was added to the utility: if a given process ID (PID) sends more than 200 messages to /var/log/messages in a 5 second interval (the default setting in rsyslog), rsyslog will start to drop messages from that PID and place the following warning inside of /var/log/messages:



Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting



In the case of daemons or processes logging to /var/log/messages (or any other directory/file which rsyslog happens to be handling logging for), a great deal of important and/or critical logging data could be lost to security or system administrators, and the only trace of the loss is that single rsyslogd warning line.
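The rate-limiting warning names only a PID, so attributing the lost messages to a program means correlating it with earlier lines from that PID. The following scanner is an added example (not part of the guest diary) that does this over a constructed log excerpt modelled on the one above; the "imuxsock lost N messages" line it also recognises is the end-of-window summary rsyslog writes, and its exact wording is assumed here.

```python
import re

# Constructed sample log, modelled on the /var/log/messages excerpt in the diary (not copied
# from it): snort[12105] floods the log, rsyslog's imuxsock starts dropping, and a later
# "lost N messages" line (assumed format) reports how many messages were discarded.
SAMPLE_LOG = """\
Feb 5 13:07:52 plugh snort[12105]: Ports to decode RPC on: 111 32770 32771 32772
Feb 5 13:07:52 plugh snort[12105]: alert_fragments: INACTIVE
Feb 5 13:07:52 plugh snort[12105]: FTPTelnet Config:
Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
Feb 5 13:07:57 plugh snort[12106]: Daemon initialized, signaled parent pid: 12105
Feb 5 13:07:57 plugh rsyslogd-2177: imuxsock lost 143 messages from pid 12105 due to rate-limiting
Feb 5 13:07:57 plugh snort[12106]: --== Initialization Complete ==--
"""

# "Mon DD HH:MM:SS host tag[pid]: message"; the [pid] part is optional (rsyslogd-2177 has none).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
BEGIN_RE = re.compile(r"imuxsock begins to drop messages from pid (?P<pid>\d+) due to rate-limiting")
LOST_RE = re.compile(r"imuxsock lost (?P<n>\d+) messages from pid (?P<pid>\d+) due to rate-limiting")


def find_rate_limited(log_text):
    """Map each rate-limited PID to the program last seen logging under that PID, the
    timestamp at which dropping began, and the number of messages rsyslog reported lost
    (None when no "lost" line was seen, i.e. dropping may still be in progress)."""
    pid_to_program = {}   # PID -> syslog tag, learned from every line carrying a [pid]
    affected = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("pid"):
            pid_to_program[m.group("pid")] = m.group("tag")
        b = BEGIN_RE.search(m.group("msg"))
        if b:
            pid = b.group("pid")
            entry = affected.setdefault(pid, {"program": None, "first_drop": m.group("ts"), "lost": None})
            entry["program"] = pid_to_program.get(pid, "unknown")
            continue
        lost = LOST_RE.search(m.group("msg"))
        if lost:
            pid = lost.group("pid")
            entry = affected.setdefault(pid, {"program": pid_to_program.get(pid, "unknown"),
                                              "first_drop": None, "lost": None})
            entry["lost"] = (entry["lost"] or 0) + int(lost.group("n"))
    return affected


if __name__ == "__main__":
    for pid, info in find_rate_limited(SAMPLE_LOG).items():
        print(f"pid {pid} ({info['program']}): dropping began {info['first_drop']}, "
              f"lost {info['lost']} messages")
```

Run against a real /var/log/messages, a non-empty result is the signal that the log on that host is incomplete for the PIDs listed.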



While rate-limiting on routers/firewalls/web servers is a useful method of containing certain types of network based attacks, in the case of system and/or application logging, this may create a logistical nightmare for SIEMs or applications which collect and analyze large amounts of system and/or application logs for event information/messages/warnings.



In doing some research on rsyslog, I found two solutions which can be used to solve this condition on systems where rsyslog is the default system logging method.



Note - Back up any file(s) listed below before proceeding!



The first solution is to simply increase the messages allowed and the time interval before rate-limiting occurs in rsyslog. To do this, locate the rsyslog.conf and/or rsyslog.early.conf (usually in /etc) and add the following lines:



$SystemLogRateLimitInterval 10

$SystemLogRateLimitBurst 500



after any $ModLoad lines in rsyslog.conf and/or rsyslog.early.conf.



This will tell rsyslog to start rate-limiting (discarding messages) only when more than 500 messages from a single PID are received within a 10 second interval (these numbers are not absolutes, they can be tailored to any given system, btw).



The second solution is to simply turn off rate-limiting for rsyslog. To do this, add the following line to rsyslog.early.conf and/or rsyslog.conf using your favorite editor (I'm a vi/vim/gvim hound):



$SystemLogRateLimitInterval 0



after any $ModLoad lines in rsyslog.conf and/or rsyslog.early.conf.



This will disable any rate-limiting in effect for the rsyslog process running on this system. Note that by doing this, an out of control process on your system can fill up /var/log/messages with a lot of useless messages (which is why rate-limiting is enabled by default in rsyslog).



Remember to stop/start or restart the rsyslog daemon in order to make the changes to rsyslog.conf and/or rsyslog.early.conf take effect.



The following Linux systems use rsyslog as the default system logger (these are distributions which I am actively using, btw):



CentOS 6.x
Debian 5.0 or greater
Fedora 13 or greater
OpenSuSE 11.x/12.x
Ubuntu 10.0 or greater



BSD based systems (FreeBSD 8.x/9.0, OpenBSD 5.x, and NetBSD 5.x/6.0) use traditional syslogd as the default system logging utility.



If you need more information about rsyslog, you can visit the following URL:



http://www.rsyslog.com/doc



Questions/Comments/Suggestions?



Bill Parker (wp02855 at gmail dot com)


 
VCE said its partnership with Cisco has been unaffected by Cisco's strengthening a reseller agreement with NetApp to sell cloud architectures.
 
HD Moore unveiled research showing wide-scale UPnP security issues last week, but some of the problems have been known for years.

 
Oracle Java SE CVE-2013-0440 Remote Java Runtime Environment Vulnerability
 

-Kevin -- ISC Handler on Duty
 

Last week, while debugging the podcast access script, I came across some interesting behaviour regarding the Range header in HTTP requests. The purpose of the Range header is to allow for resumable downloads via HTTP. The client may ask the server to only send a certain part of the page, instead of the entire response. Not all servers (or browsers) necessarily support this feature. The feature is very different from chunked encoding, another feature that can be used to break up a page, but not to break it up as demanded by the client.

Client Side / Request

A request may include a range header, asking only for a part of the file. For example:

Range: bytes=0-100

would request the first 100 bytes of the response. The server may ignore this header, and the browser should accept whatever comes back, even if it is more or less than the requested range.

Server Side / Response

A partial response always uses the status code 206 instead of 200. In addition, a header indicating the range delivered, and the total length of the file will be included:

From the RFC:



HTTP/1.1 206 Partial content
Date: Wed, 15 Nov 1995 06:25:24 GMT
Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT
Content-Range: bytes 21010-47021/47022
Content-Length: 26012
Content-Type: image/gif

The Content-Range header indicates the range delivered, and the number following the / is the size of the file. In addition, you should still see a content-length header.

So what could possibly go wrong? I played with various invalid combinations, and so far, what I found is that the browser will ignore them. I haven't gotten around to testing them all with respect to an IDS, but assume that a properly configured HTTP preprocessor will reassemble these ranges. Of course, without a preprocessor, there will be a wide range of evasion/insertion attacks.

An issue I found is that some podcast clients will first try to download byte range 0-1, then they will download the file. Most of the time in one attempt, but frequently in multiple ranges. This can confuse web log analysis software as it will register them as multiple hits to the same file. You need at least to look at the status code (200 vs. 206). Also, the clients did not access the complete file if the server returned the entire file instead of just bytes 0-1.

It is also possible to specify multiple byte ranges in one request, and older versions of Apache had a denial of service vulnerability if an excessive number of byte ranges was specified.
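To make the request/response rules above concrete, here is an added example (not code from the original diary) of a minimal byte-range handler for a constructed 1024-byte file: it parses single, open-ended and suffix ranges, answers 206 with Content-Range and Content-Length, falls back to a plain 200 for malformed headers or for more ranges than a configurable cap (the "excessive number of byte ranges" case), and returns 416 when nothing is satisfiable. The MAX_RANGES cap and the single-range-only server are this example's own choices.

```python
import re

# Constructed stand-in for a podcast file (not from the original diary): 1024 bytes, 0x00..0xff x4.
BODY = bytes(range(256)) * 4
# Upper bound on byte ranges accepted per request; anything above it is served as if the
# request carried no Range header at all, which RFC 2616 allows a server to do anyway.
MAX_RANGES = 5


def parse_range(header, size):
    """Parse a Range header for a resource of `size` bytes into inclusive (first, last) pairs.
    Returns None when the header is absent, malformed or over the cap (caller answers 200 with
    the whole file) and [] when no range is satisfiable (caller answers 416)."""
    if header is None:
        return None
    m = re.fullmatch(r"bytes=(.+)", header.strip())
    if not m:
        return None
    specs = [s.strip() for s in m.group(1).split(",")]
    if len(specs) > MAX_RANGES:
        return None
    ranges = []
    for spec in specs:
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not sm or sm.group(1) == sm.group(2) == "":
            return None                       # not a byte-range-spec at all
        first, last = sm.group(1), sm.group(2)
        if first == "":                       # suffix form "-N": the last N bytes
            n = int(last)
            if n == 0:
                continue                      # a zero-length suffix is unsatisfiable
            ranges.append((max(size - n, 0), size - 1))
            continue
        f = int(first)
        if last != "" and int(last) < f:
            return None                       # last-byte-pos before first-byte-pos: invalid
        if f >= size:
            continue                          # starts past the end: unsatisfiable
        l = size - 1 if last == "" else min(int(last), size - 1)   # clamp to the file
        ranges.append((f, l))
    return ranges


def respond(header, body=BODY):
    """Build (status, headers, payload) for one request. Several ranges would require a
    multipart/byteranges body, so this server serves the whole file (200) for them instead."""
    size = len(body)
    ranges = parse_range(header, size)
    if ranges is None or len(ranges) > 1:
        return 200, {"Content-Length": str(size)}, body
    if not ranges:
        return 416, {"Content-Range": f"bytes */{size}"}, b""
    first, last = ranges[0]
    chunk = body[first:last + 1]              # inclusive: "bytes=0-100" is 101 bytes, not 100
    headers = {"Content-Range": f"bytes {first}-{last}/{size}",
               "Content-Length": str(len(chunk))}
    return 206, headers, chunk
```

Because the fallback for a bad or multi-range header is a full 200 response, a log analyser that distinguishes 200 from 206 (as the diary recommends) will count these as complete downloads, while the 0-1 probe shows up as a two-byte 206.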

Let us know if you find anything else interesting when it comes to processing the Range header.

References: RFC 2616 http://www.w3.org/Protocols/rfc2616

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
The benefits could be greatest for small businesses, which could be devastated by a data loss and its complications. (Insider, registration required)
 
Investments in new technology areas such as collaboration and mobility are important to companies' long-term competitiveness -- and the pressure is on IT to deliver.
 
A recent push in the IT industry to collect and monetize big data is headed for a clash with privacy concerns from Internet users and potential regulation from some governments, according to tech analyst firm Ovum.
 
Salesforce.com has quietly acquired a startup called EntropySoft, a maker of content management and integration software, in a move likely meant to bolster Salesforce.com's Chatterbox service.
 
HTC and Nokia are preparing to go head-to-head with new cameras on upcoming smartphones, as they hope to steal market share from Apple and Samsung Electronics.
 
Microsoft made the clearest case yet for its Surface Pro tablet when a top Windows executive said it should be compared with not one, but two Apple devices.
 
Criminals used the shell of a company as a front, which enabled them to purchase a digital certificate that they then used to sign banking trojans and other malware.


 
WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability
 
Oracle Java SE CVE-2013-0450 Remote Java Runtime Environment Vulnerability
 
[KIS-2013-02] CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability
 
Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin
 
Microsoft's $2 billion loan to Dell, the world's third-largest seller of personal computers, was a signal that the personal computer, Microsoft's Windows, or both, are at growing risk of irrelevance, analysts said Tuesday.
 
The BlackBerry Q10 with a physical qwerty keyboard may not be available in the U.S. until May or June, suggested BlackBerry CEO Thorsten Heins in an interview with the Associated Press.
 
[ MDVSA-2013:008 ] mysql
 
SQL Injection Vulnerability in Wysija Newsletters WordPress Plugin
 
[CVE-2013-1463] WordPress wp-table-reloaded plugin XSS in SWF
 

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
The Federal Reserve, the US central bank, has confirmed that one of its internal systems – a contact database for emergencies – was hacked. Anonymous released details of 4000 bank executives taken from that contact database.


 

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 
Microsoft delivers an ultrabook in the sleek guise of a tablet.
 
Just as Dell announced it had finalized its deal to go private, Hewlett-Packard came out swinging, criticizing its rival and declaring it's going after Dell's customers.
 
iOS jailbreaks may come and go, but Apple continues to warn that hacking an iPhone to install unapproved software, while not illegal, may void the device's service warranty.
 
Twitter has confirmed that it acquired Bluefin Labs, a vendor of data that uses commentary on social networks to measure the effectiveness of commercials and programs on TV.
 
A critical security hole is gaping in D-Link's DIR-300 and DIR-600 router models that allows attackers, in many cases directly from the internet, to execute arbitrary commands at root privilege level. The manufacturer does not intend to fix the problem.


 
As the number of officially reported bugs and holes rises, so the need for more unique identifiers for them is rising. MITRE, the organisation behind the CVE project, is setting out to increase the supply of those identifiers in 2014.


 
BlackBerry's new Z10 smartphone offers a superior display, great navigation and interesting BYOD features. But is it too little, too late?
 
ScienceLogic EM7 brings ultraflexible, ultrascalable, carrier-grade network monitoring to the enterprise
 
OpenStack Keystone CVE-2013-0247 Denial of Service Vulnerability
 

Posted by InfoSec News on Feb 05

http://english.peopledaily.com.cn/90883/8122948.html

(Xinhua)
February 06, 2013

BEIJING, Feb. 5 (Xinhua) -- Chinese experts on Tuesday refuted latest
accusations from the U.S. side linking Chinese authorities to alleged hacking
activities.

The New York Times and Wall Street Journal last week claimed that they had
detected cyber attacks from China-based hackers, while China had been regularly
labeled a major origin for cyber threats to the...
 

Posted by InfoSec News on Feb 05

http://www.theregister.co.uk/2013/02/06/aquilla_urges_mckinnon_pardon_us/

By Phil Muncaster
The Register
6th February 2013

A leading US military strategist has urged the Obama administration to soften
its stance if it wants to attract the kind of “master hackers” that would
enable it to compete in cyber space with China, starting with the symbolic
gesture of pardoning Gary McKinnon.

John Arquilla, a US Naval Postgraduate School...
 

Posted by InfoSec News on Feb 05

https://www.computerworld.com/s/article/9236535/President_can_order_preemptive_cyberattacks_if_needed

By Jaikumar Vijayan
Computerworld
February 5, 2013

A secret review of American policies governing the use of cyberweapons has
concluded that President Barack Obama has the broad power to order pre-emptive
strikes on any country preparing to launch a major digital attack against the
U.S.

The review is part of an ongoing effort by the...
 

Posted by InfoSec News on Feb 05

http://news.cnet.com/8301-1009_3-57567831-83/chinese-still-hacking-us-says-wall-street-journal-owner/

By Dara Kerr
CNET News
February 5, 2013

Several U.S. media outlets experienced a massive wave of cyberattacks allegedly
coming from the Chinese military over the last few months. While some
newspapers have claimed that their networks are now safe, the Wall Street
Journal may still be a victim of the online onslaught.

The newspaper's...
 

Posted by InfoSec News on Feb 05

http://www.washingtontimes.com/news/2013/feb/4/while-advising-the-public-on-cybersecurity-fcc-fai/

By Phillip Swarts
Washington Guardian
February 4, 2013

When the Federal Communication Commission’s computer systems were breached in
Sept. 2011, it decided to take action to improve cybersecurity.

But more than a year and $10 million later, investigators found the agency is
back at square one. In fact, the security improvements...
 