Hackin9

InfoSec News

The U.K.'s Home Office will decide by Oct. 16 whether to block the extradition to the U.S. of Gary McKinnon, who has admitted to hacking into U.S. government computers, McKinnon's attorney said on Thursday.
 
Enterprises continued to buy more storage in the second quarter despite economic woes in many parts of the world, driving total disk storage system revenue up 8.0 percent from a year earlier, according to research company IDC.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A while ago, a reader submitted some odd looking web log entries like the following:

default 10.5.0.48 - - [06/Sep/2012:23:11:36 +0000] \x16\x03 200 15 - -

default 10.5.0.48 - - [06/Sep/2012:23:12:26 +0000] \x16\x03 200 15 - -

After some experimenting, we figured out that these are SSL connection attempts that are directed at a non-SSL server. These log entries are common if your web server is misconfigured, and the SSL module is not enabled on port 443. But in this case, the log entries showed up on a web server listening on port 80.
To force an https request on port 80, you have to add the port explicitly to the URL. For example, I created the log entries above using the command:
wget https://webserver:80/index.html
The bytes \x16\x03 are the first two payload bytes transmitted for the connection (the third byte is a \x00, which terminates the string as far as the server is concerned). The server may still respond with a default error page. The server I used was configured to respond with a 200 code for any request (to make URL brute forcing harder).
The Wireshark analysis of course doesn't make much sense here:

However, luckily we can use Wireshark's "Decode As" feature to make more sense of the packet. If we ask Wireshark to decode this traffic as SSL, we do get a perfectly fine Client Hello packet:

The 0x16 byte indicates that this is a Handshake record and the 0x03 tells us that we are dealing with SSL 3.0. So now we can do a bit of fingerprinting on these requests.
Here is a sample from today's ISC log:

\t\xe2)\x18\x12\xbc\xcc\x04U\xbf\xddj\xc4\xf9q\x163\xa0\x90
\xc4]\xd6\x1cg\x90\xc1\xf2\xe9\x9a\x1e\xba\v\xca2N\x92\x1a\xd0
\xb2\xf28i\xe5{A\x16`\xc2\x01\xa1\x84\xd4_\xfe%\x93\x92\xf8\xb1
\xb7\x85\x15\x05\xdc\xae\xde\x9d\xbb'\x05\x8e\x11\x17\xb9\xdf\xee|%\xd19\xf3\x9b\xeb
\xb9\xa4\x03{\xea\x88\xf4\x88\x87\xfb\x17\xc5\x07\x9c\xc5{\xaa?{\xc7]v\xcf
\x04c\x98\xbf\x87+in
\x83\x91w\xe2\x13\x85\xae,qs\xdb\xbe\xd78\xa4\xed\xbf\
\xd2\xa2 *\xcaUV\xd7\x0e\xab\xaa\x91A\x13\xf7E\xaf\x01\xc1\x9e\xbf\xd3
\x99\xd2\xad\x1b5\xcc\x85\xef\xaa\r:9\xdcp\xdf\xfb\xb8\xb6\xd1Pj4\x04\xb1\
\x1f\xe4\xbet\xec\x0c\xcc\xf3\
Avg\xdc\x94\xd5\xd9\bO\x18y+\xcd\xb0
\xd1\xaf\x855\xeb\xb4\x19/3\xa8\xab\x15ZNZU9=\x0e\x87\xb8\xa0\xe2\x12
\x16\x03
\x16\x03

(I shortened some lines a bit to avoid page width problems)
Based on our analysis above, only the last two appear to be SSL requests. The others appear to be something else. Can you identify them? Telnet doesn't cause any additional characters to show in the log (I suspected telnet's terminal negotiation, but was not able to trigger the characters). Have you seen similar entries in your logs? I haven't seen anything with SSH either. The SSH client first waits for the banner from the server before sending anything (I may have to wait longer).
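As an added example (not part of the diary), here is a small Python classifier that reverses Apache's \xHH escaping of the request field and labels each entry the way the analysis above does: 0x16 0x03 is an SSL/TLS handshake record, with a missing third byte read as the NUL-terminated minor version 0 (SSL 3.0). Going slightly beyond the diary, it also recognises the SSLv2-compatible Client Hello header (two-byte record header with the high bit set, followed by message type 0x01); the log lines are constructed in the same format as the entries above.

```python
import re

# Constructed sample lines in the same Apache-style format as the entries above.
SAMPLE_LOG = r"""
default 10.5.0.48 - - [06/Sep/2012:23:11:36 +0000] \x16\x03 200 15 - -
default 10.5.0.48 - - [06/Sep/2012:23:12:26 +0000] \x16\x03 200 15 - -
default 10.5.0.49 - - [06/Sep/2012:23:13:01 +0000] \x80.\x01\x03\x01 200 15 - -
default 10.5.0.50 - - [06/Sep/2012:23:14:07 +0000] \t\xe2)\x18\x12\xbc\xcc 200 15 - -
default 10.5.0.51 - - [06/Sep/2012:23:15:09 +0000] "GET /index.html HTTP/1.1" 200 15 - -
""".strip().splitlines()

# Apache writes non-printable request bytes as \xHH plus a few C-style escapes.
_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|[tnrbvf\\"])')
_SIMPLE = {"t": 9, "n": 10, "r": 13, "b": 8, "v": 11, "f": 12, "\\": 92, '"': 34}
# vhost, client, ident, user, [timestamp], request, status, bytes, referer, agent
_LINE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] (.*) (\d{3}) (\S+) (\S+) (\S+)$')
_MINOR = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def decode_apache_escapes(field):
    """Turn the escaped request field back into the raw bytes the server received."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == "x" else _SIMPLE[esc])
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)

def classify_line(line):
    """Return (client_ip, label) describing what the logged request bytes look like."""
    m = _LINE.match(line)
    if not m:
        return None, "unparsable"
    ip, request = m.group(2), m.group(4)
    if request.startswith('"'):
        return ip, "http"  # an ordinary quoted request line
    data = decode_apache_escapes(request)
    if data[:2] == b"\x16\x03":
        # 0x16 = Handshake record, major version 3 = SSL 3.0/TLS family. Apache stops
        # logging at the first NUL, so a missing third byte means the minor version was 0x00.
        minor = data[2] if len(data) > 2 else 0
        return ip, "SSL/TLS handshake (%s)" % _MINOR.get(minor, "minor %d" % minor)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # Two-byte SSLv2 record header (high bit set) followed by CLIENT-HELLO (0x01).
        return ip, "SSLv2-compatible Client Hello"
    return ip, "unknown:" + data[:4].hex()  # leave the rest for manual fingerprinting
```

Entries labelled "unknown" keep their first four raw bytes in hex, which is the starting point for identifying the other protocols in the sample above.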
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 

ISC2 woos youth to infosec
SC Magazine Australia
A Young Professionals Programme has been launched by ISC2 to offer a pathway into the cyber security field. According to the organisation, the new group has been designed to help cultivate the information security workforce of the future. It will begin ...

 
Two security researchers claim to have developed a new attack that can decrypt session cookies from HTTPS (Hypertext Transfer Protocol Secure) connections.
 
Claims that security awareness training doesn't work are unsubstantiated, explain software security experts Gary McGraw and Sammy Migues.

 
Attachmate Reflection DLL Loading Arbitrary Code Execution Vulnerability
 
Effective File Search (EFS) DLL Loading Arbitrary Code Execution Vulnerability
 
EC Software Help & Manual 'ijl15.dll' DLL Loading Arbitrary Code Execution Vulnerability
 
In a decision likely to be sobering for firms fighting insider threats, an appeals court has ruled that a worker who used valid computer access rights to access data from his company can't be prosecuted under a federal anti-hacking law.
 
After a month on the surface of Mars, NASA's robotic rover Curiosity has driven more than the length of a football field and has started gearing for some real scientific work.
 
The "core values of Hong Kong" (freedom, democracy, human rights and rule of law) are the most debated topics in many election forums of the upcoming Legislative Council (LegCo) Election, which is scheduled on Sunday (September 9).
 
CyberLink PowerProducer Multiple DLL Loading Arbitrary Code Execution Vulnerabilities
 
CyberLink StreamAuthor Insecure Library Loading Multiple Arbitrary Code Execution Vulnerabilities
 
Amazon announced new e-readers and tablets Thursday, but the biggest surprise to analysts was a $499 Kindle Fire HD 4G LTE tablet.
 
Microsoft will issue just two security updates next week, giving IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.
 
Amazon heated up the tablet competition with the introduction of new Kindle Fire HD tablets, including a model with LTE capabilities and another model with an 8.9-inch screen that can display images at a resolution of 1920 by 1200 pixels.
 
Apple's cryptic invitation on Tuesday to an event set for next week triggered another surge in trade-in activity by consumers wanting to unload older iPhones in time to buy the new model.
 
IBM has combined a number of its online marketing software programs into a unified service, called the IBM Marketing Center.
 
[security bulletin] HPSBMU02811 SSRT100937 rev.1 - HP Business Availability Center (BAC) Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Web Session Hijacking
 
[CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter
 
Internet Explorer Script Interjection Code Execution (updated)
 
Japan's Sharp, one of the world's largest makers of LCD panels and a supplier of displays for Apple products, has taken the rare step of mortgaging its factories and buildings to secure an emergency loan from its main banks, a spokeswoman said Thursday.
 
The sequel to the BEAST attacks on SSL is approaching as the researchers who brought us the browser-based attack plan to go on a spree with CRIME.


 
The first smartphones to rely on Google's Chrome browser for Android will be Motorola Mobility's just-announced Droid Razr M, Droid Razr Maxx and Droid Razr HD, the company said Wednesday.
 
ownCloud 'Remember Me' Function Authentication Bypass Vulnerability
 
[SECURITY] [DSA 2539-1] zabbix security update
 
Nokia issued an apology Thursday for an advertisement that lacked a disclaimer for using a simulated video to describe the new PureView anti-blur technology inside its Lumia 920 smartphone.
 
Western Digital announced its smallest form factor external hard drive for Macs and PCs that includes a USB 3.0 port, backup software and encryption.
 
Oracle hopes to stay on schedule for Java EE 7 by deferring planned cloud capabilities to Java EE 8, due in 2015.
 
As many as six million people have encountered malware during the last 12 months, according to mobile security firm Lookout.

 

Project Manager
Patch.com
The person in this position will be responsible for the planning, implementation, and tracking of programming and operational projects within the InfoSec PEIS team. They will also act as the liaison between several units within Cisco. A Bachelor's ...

 
Worldwide, private individuals have reportedly suffered approximately $100 billion in financial losses as a result of cybercrime. Online criminals increasingly appear to be targeting mobile devices and social networking accounts.


 
Xen 'GNTTABOP_swap_grant_ref' CVE-2012-3516 Denial of Service Vulnerability
 
A visit to the English countryside gave CIO.com columnist Bernard Golden the chance to see Roman ruins, a medieval church and a replica of the first supercomputer. It wasn't until he returned home and saw a driverless car on a California freeway that the scale of innovation he witnessed while sightseeing became clear.
 
Xen 'set_debugreg' CVE-2012-3494 Denial of Service Vulnerability
 
Xen 'physdev_get_free_pirq' CVE-2012-3495 Denial of Service Vulnerability
 
ZABBIX 'itemid' Parameter SQL Injection Vulnerability
 
As Apple says that it never gave a list of iOS device UDIDs and other details to the FBI, the mystery around the original source of the list increases.


 
PricewaterhouseCoopers said it has found no evidence of unauthorized data access despite a group's claim that Republican presidential candidate Mitt Romney's tax returns were stolen in a late-night office theft.
 
Symantec said Windows 8 "doesn't move the needle much" on security as it rolled out new versions of its antivirus software and promised to provide users with several so-called "Modern" apps for the new operating system.
 
To benefit from a growing Chinese market, Microsoft said it is increasing its investment in the country, with new hires, more research for local requirements, and an expansion to additional cities and provinces to bring cloud computing services to its enterprise customers.
 
Criminals have found a way to convince users to give them the authorisation numbers for banking transactions despite those numbers being generated on a handheld hardware device.


 
The Tennessee Valley Authority's help desk was a career graveyard. It was that way for years and customers suffered for it. Not any more.
 
QLogic announced a host bus adapter card that pools all types of server flash storage resources on a SAN for shared application use.
 
Security suites from McAfee, Symantec, Trend Micro and Webroot offer protection for all your devices along with Web-based management.
 
HP SiteScope UploadFilesHandler Directory Traversal Vulnerability
 
HP SiteScope Multiple Security Bypass Vulnerabilities
 

Posted by InfoSec News on Sep 06

http://www.guardian.co.uk/technology/2012/sep/05/gchq-private-sector-cyber-attack

By Richard Norton-Taylor
guardian.co.uk
4 September 2012

GCHQ, the government's electronic eavesdropping and security agency, is
to warn the chief executives of Britain's biggest companies about an
unprecedented threat from cyber-attacks.

Ministers and the intelligence agencies are for the first time
confronting senior private sector company figures...
 

Posted by InfoSec News on Sep 06

http://www.infoworld.com/d/security/3-security-mistakes-your-management-making-now-201624

By Roger A. Grimes
InfoWorld
SEPTEMBER 05, 2012

One of the joys of being a traveling consultant is I get to see what
does and doesn't work across a wide range of products and companies.
Guess what? The same issues pop up again and again.

Here are the three most common big mistakes I see senior management make
regarding computer security. Some are...
 

Posted by InfoSec News on Sep 06

http://www.theregister.co.uk/2012/09/05/huawei_denies_spying/

By Neil McAllister in San Francisco
The Register
5th September 2012

Even as execs of the Chinese telecom giant Huawei prepare to testify
before Congress over concerns that the company's networking equipment
may pose a security threat to US infrastructure, the company issued a
public statement claiming that it has never participated in cyber
espionage or any other illegal...
 

Posted by InfoSec News on Sep 06

http://www.informationweek.com/security/attacks/fbi-antisec-spar-on-apple-ids/240006742

By Mathew J. Schwartz
InformationWeek
September 05, 2012

Does the release of one million Apple UDIDs (Unique Device
Identifiers)--including device types and associated usernames--reveal a
massive device-tracking operation involving the FBI, an attempt by the
hacktivist group AntiSec to make the bureau look bad, or something in
between?

For now, the...
 

Posted by InfoSec News on Sep 06

http://news.cnet.com/8301-1009_3-57506843-83/feds-probe-alleged-hacking-theft-of-romneys-tax-returns/

By Elinor Mills and Greg Sandoval
CNET News
Security & Privacy
September 5, 2012

The U.S. Secret Service is looking into claims that someone stole
presidential nominee Mitt Romney's income tax returns and is threatening
to release them if he doesn't pay up. Secret Service spokesman George
Ogilvie told CNET today that the agency...
 
Sony said Thursday that hackers accessed about 400 names and email addresses of its mobile customers in China and Taiwan, but that no credit card or banking information was compromised.
 