Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel is developing a version of its energy-efficient "Bay Trail" Atom chip for embedded devices, which can include products like car computers, robots and set-top boxes.
 

Infosec analysts back away 'Feds attacked Tor' theory
Register
Some infosec specialists quickly analysed the malware and suggested it was controlled by an entity using IP addresses associated with defence contractor Science Applications International Corporation (SAIC) and/or the NSA. One and one were promptly put ...

and more »
 
Earlier this week reports started to appear that the DNS of several webhosting companies in the Netherlands had been hijacked and those using the services were being redirected to malware sites, notably blackhole. 
 
According to the notification by the provider (http://noc.digitalus.nl/dashboard/136/Storing-DNS-servers) requests were being forwarded to external name servers. The issue was picked up relatively quickly. According to Digitalus and other reports SIDN, the Foundation for Internet Domain Registration in the Netherlands suffered a breach which affected the domain name registration systems.  The change was made at 0330 and the zone fully recovered by 0800, but that did mean that those who had already erroneously resolved the malicious domains would retain those records for a typical 24 hours. Whilst the provider is still investigating, at the moment there is no additional information available. It is not yet clear how the initial change was made.  the result however is still being felt by a number of their customers.  
 
Webstekker was another organisation affected by the same issue, however their notificatino states that the issue lies at VD (http://www.webstekker.nl/over-ons/nieuws/2013/augustus/19/berichtgeving-dns-redirect-onjuist - In Dutch). VDS, the third party points the finger at SIDN.  Interestingly SIDN states that it is an "annoying issue" and they are working with the registrars to identify the cause.  (https://www.sidn.nl/nieuws/nieuwsbericht/article/sidn-ondersteunt-onderzoek-naar-incident-bij-een-van-haar-registrars/ - In Dutch). 
 
FOX-IT wrote up an analysis of the resulting attack here http://blog.fox-it.com/2013/08/05/dns-takeover-redirects-thousands-of-websites-to-malware/
 
Looking through some other articles it looks like SIDN identified a possible breach back in July (https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/ - In Dutch)  Whilst contained, in my view based on the incident this week, I'm guessing that the whole issue may not have been identified at the time and addressed. DNS.be had a similar defacement issue on their site at about the same time, however their front end systems do not have access to backend systems, according to their notification (http://www.dns.be/en/news/recent_news/deface-hack-on-dnsbe-website2#.UgLiRD7bprh). 
 
These issues show that attackers are not shy about going after the critical infrastrucutre components on the net. Something we all need to keep in mind. 
 
Mark H
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft's Windows 8 app ecosystem badly needs a jolt to make it competitive with iOS and Android on tablets.
 

Cloud services are here to stay. This poses a big challenge for information security professionals, because we cannot longer restrict mobility and thus we need to implement controls to ensure that mobility services does not pose a threat to any information security asset of the company.

Bad guys tend to steal critical information from the company and takes it out using e-mails, chat file transfers and could file storage services. The first two are being monitored in most companies, but not all companies have the technical controls available to regulate usage on the third one. There are two big services here: Skydrive and Dropbox. Skydrive does not announce to the network and so the only way to detect it is to monitor outgoing traffic for the file transfer protocol used, which is MS-FSSHTTP (File Synchronization via SOAP over HTTP Protocol). For example, if anyone is saving a file to http://Example/Shared%20Documents/test1.docx, the request sent would be:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <RequestVersion Version="2" MinorVersion="0" 
                    xmlns="http://schemas.microsoft.com/sharepoint/soap/"/>
    <RequestCollection CorrelationId="{83E78EC0-5BAE-4BC2-9517-E2747382569B}" 
                    xmlns="http://schemas.microsoft.com/sharepoint/soap/">
      <Request Url="http://Example/Shared%20Documents/test1.docx" RequestToken="1">
        <SubRequest Type="Coauth" SubRequestToken="1">
          <SubRequestData CoauthRequestType="RefreshCoauthoring" 
                          SchemaLockID=" 29358EC1-E813-4793-8E70-ED0344E7B73C" 
                          ClientID="{BE07F85A-0CD1-4862-BDFC-F6CC3C8588A4}" Timeout="3600"/>
        </SubRequest>
        <SubRequest Type="SchemaLock" SubRequestToken="2" DependsOn="1" 
                    DependencyType="OnNotSupported">
          <SubRequestData SchemaLockRequestType="RefreshLock" 
            SchemaLockID=" 29358EC1-E813-4793-8E70-ED0344E7B73C" 
            ClientID="{BE07F85A-0CD1-4862-BDFC-F6CC3C8588A4}" Timeout="3600"/>
        </SubRequest>
        <SubRequest Type="Cell" SubRequestToken="3" DependsOn="2" 
                    DependencyType="OnSuccessOrNotSupported">
          <SubRequestData Coalesce="true" CoauthVersioning="true" 
                   BypassLockID="29358EC1-E813-4793-8E70-ED0344E7B73C" 
                   SchemaLockID="29358EC1-E813-4793-8E70-ED0344E7B73C" BinaryDataSize="17485">
            <i:Include xmlns:i="http://www.w3.org/2004/08/xop/include" 
            href="cid:[email protected]"/>
          </SubRequestData>
        </SubRequest>
      </Request>
    </RequestCollection>
  </s:Body>
</s:Envelope>

And the response would be:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <ResponseVersion Version="2" MinorVersion="0"
          xmlns="http://schemas.microsoft.com/sharepoint/soap/"/>
    <ResponseCollection WebUrl="http://Example"
          xmlns="http://schemas.microsoft.com/sharepoint/soap/">
      <Response Url="http://Example/Shared%20Documents/test1.docx"
          RequestToken="1" HealthScore="0">
        <SubResponse SubRequestToken="1" ErrorCode="Success" HResult="0">
          <SubResponseData LockType="SchemaLock" CoauthStatus="Alone"/>
        </SubResponse>
        91
        <SubResponse SubRequestToken="2"
             ErrorCode="DependentOnlyOnNotSupportedRequestGetSupported"  
            HResult="2147500037">
          <SubResponseData/>
        </SubResponse>
        1dd
        <SubResponse SubRequestToken="3" ErrorCode="Success" HResult="0">
          <SubResponseData Etag="&quot;{600CE272-068F-4BD7-A1FB-4AC10C54386C},2&quot;"
           CoalesceHResult="0" ContainsHotboxData="False">DAALAJ3PKfM5lAabFgMCAAAOAgYAAwsAhAAmAiAA9jV
6MmEHFESWhlHpAGZ6TaQAeCRNZ9PslLQ+v5Vxq4ReeFt+AMF4JLKYLBNrS8FAlXGrhF54W
34At1ETASYCIAATHwkQgsj7QJiGZTP5NMIdbAFwLQz5C0E3b9GZRKbDJyMu3KcRCTMAAAC1
EwEmAiAADul2OjKADE253fPGUClDPkwBICYMspgsE2tLwUCVcauEXnhbfrcApRMBQQcBiwE=</SubResponseData>
        </SubResponse>
        36
      </Response>
    </ResponseCollection>
  </s:Body>
</s:Envelope>

The following table resumes all possible subrequest operations and their descriptions.

Operation

Description

Cell subrequest

Retrieves or uploads a file’s binary contents or a file’s metadata contents.

Coauth subrequest

Gets a shared lock on a coauthorable file that allows for all clients with the same schema lock identifier to share the lock. The protocol server also keeps tracks of the clients sharing the lock on a file at any instant of time.

SchemaLock subrequest

Gets a shared lock on a coauthorable file that allows all clients with the same schema lock identifier to share the lock.

ExclusiveLock subrequest

Gets an exclusive lock on the file, which ensures only one client edits the file at an instant in time.

WhoAmI subrequest

Retrieves the client's friendly name and other client-specific information for a client with a unique client identifier.

ServerTime subrequest

Retrieves the server time.

Editors Table subrequest

Adds the client to the editors table, which is accessible to all clients editing or reading a document.

GetDocMetaInfo subrequest

Retrieves various properties for the file and the parent folder as a series of string pairs.

GetVersions subrequest

Sends back information about the previous versions of a file.

This protocol can be easily detected and tracked using IPS signatures or, if you have a layer 7 firewall, you can use their functionality to detect this protocol application and stop it. Checkpoint can do it with its software blade for 5052 applications as of today.

Dropbox can be easily detected on the network. It sends every 30 seconds a packet announcing the client for possible LAN Sync operations. Those packets are like the following one:

Dropbox LAN Sync Packet

If you want to detect those packets, you can use wireshark and look for them using the filter udp.port==17500 or performing the following command using nmap:

This command performs portscan to all the IP address where the Dropbox listener was detected. The nmap script shown in the last figure has the following options:

  • --script=broadcast-dropbox-listener: This nmap scripts listen for the Dropbox LAN Sync protocol broadcast packet sent every 30 second on the LAN.
  • --script-args=newtargets: This option tells nmap to add the detected IP as a target to perform a scan.
  • -Pn: Treat all hosts as online without performing host discovery.

How can we provide this kind of services to our users without having their mobility ability affected? Skydrive Pro can be used with Sharepoint Online or local Sharepoint Server 2013. If you don't have servers inside, you can use Dropbox for business, which is now able to integrate with your local active directory.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

One of the security relevant features that arrived in the latest version of Firefox was the blocking of mixed active content. In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page. The javascript could now be manipulated by someone playing man in the middle. The modified javascript can then in turn alter the HTML page that loaded it. After all we are using the HTML to load the javascript, so we will not have any "origin" issues. 

Firefox 23 refined how it deals with "mixed ACTIVE content". If an HTML page that was loaded via HTTPS includes active content, like javascript, via HTTP, then Firefox will block the execution of the active content.

I setup a quick test page to allow you to compare browsers. The first page https://isc.sans.edu/mixed.html just includes two images. One is loaded via https and one via http. The second page, https://isc.sans.edu/mixed2.html does include some javascript as well. If the javascript executes, then you should see the string "The javascript executed" under the respective lock image.

For more details, see Mozilla's page about this feature: 

https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
HP 3PAR StoreServe 7400 combines high scalability, high performance, and a big bag of tricks for easing storage management
 
The U.S. Court of Appeals for the Federal Circuit has given Apple new life in its patent claims against Google-owned Motorola Mobility.
 
Facebook is rolling out Graph Search, its newfangled social search engine, to everyone who uses the U.S. English language, the company announced Wednesday.
 
The administration panel for Hand of Thief.
RSA

Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system.

Hand of Thief, as researchers from security firm RSA have dubbed it, sells for about $2,000 in underground Internet forums and boasts its own support and sales agents. Its functionality—consisting of form grabbers and backdoor capabilities—is rudimentary compared to Windows banking trojans spawned from the Citadel or Blackhole exploit kits, but that's likely to change. RSA researcher Limor Kessem said she expects Hand of Thief to become a full-blown banking trojan that includes more advanced features such as the ability to inject attacker-controlled content into trusted bank webpages.

"Although Hand of Thief comes to the underground at a time when commercial trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason," Kessem wrote. "In comparison to Windows, Linux's user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains."

Read 5 remaining paragraphs | Comments

    


 

Federal infosec director to step down
iT News
The director of the Federal Government's information security and foreign intelligence authority Ian McKenzie will wrap up a six year career leading the department when he retires in December. McKenzie was appointed the director of the Australian ...

 
As NASA scientists continue to search for signs of past life on Mars, they're also casting a hopeful eye toward finding life on one of Jupiter's moons.
 
The U.S. Court of Appeals for the Federal Circuit has given Apple new life in its patent claims against Google-owned Motorola Mobility.
 
Microsoft said that 30,000 Windows 8 Pro tablets will be deployed to sales personnel at Meiji Yasuda Life Insurance in Tokyo.
 
Atlassian JIRA 'name' Parameter Cross Site Scripting Vulnerabiliy
 
Atlassian Confluence '/doconfigurerssfeed.action' Multiple Cross Site Scripting Vulnerabilities
 
Shipments of solid-state drives (SSDs) rocketed in this year's first quarter and the technology is now becoming the storage of choice in thin and light laptops.
 
Microsoft said that 30,000 Windows 8 Pro tablets will be deployed to sales personnel at Meiji Yasuda Life Insurance in Tokyo.
 
Google Wednesday rolled out load balancing features to its public cloud service, allowing customers to automatically scale up and down virtual machines to accommodate unexpected spikes in demand.
 
Instagram is adding several features to its mobile apps including the ability to import and post previously recorded videos.
 
ERP apps may run the core operations of companies around the world, but enterprises are placing a higher priority in 2013 on other types of software, in particular BI, according to a new Forrester Research survey.
 
Nokia finished its buyout of Nokia Siemens Networks on Wednesday and renamed the company Nokia Solutions and Networks, or NSN.
 
PHPFox v3.6.0 (build3) Multiple SQL Injection vulnerabilities
 
Trustport Webfilter Remote File Access Vulnerability
 
National Instruments Multiple ActiveX Controls CWUI Remote Code Execution Vulnerability
 
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
 
Cisco Security Advisory: Cisco TelePresence System Default Credentials Vulnerability
 
Options are growing for SAP ERP customers that want to snazz up the system's screens, both for the enjoyment of end-users and improved productivity.
 
Apple has continued to send out invitations to users of its iCloud backup and sync service to try the beta of iWork for iCloud, the online word processing, spreadsheet and presentation-making apps slated to release to everyone later in the year.
 
LG announced its newest flagship smartphone, the G2, with a 5.2-in. HD IPS display and an unusual rear-control key for device on-and-off and volume.
 
Developers can now submit Web apps and offer them alongside native Android-based programs in Amazon's Appstore.
 
Apache suEXEC privilege elevation / information disclosure
 
[SECURITY] [DSA 2735-1] iceweasel security update
 
[ MDVSA-2013:210 ] firefox
 
Apple's share of global smartphone shipments declined to 13.2% in the second quarter, while both Android and Windows Phone registered slight increases, IDC said Wednesday.
 
FortiGuard Labs reports a 30% increase in mobile malware so far in 2013, and cautions ransomware is also making an appearance on mobile devices.
 
LinuxSecurity.com: This update provides compatible packages for Firefox 23.
 
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if itopened a malicious website.
 
LinuxSecurity.com: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code, cross-site scripting, privilege [More...]
 
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
 
LinuxSecurity.com: Multiple security issues was identified and fixed in mozilla firefox: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under [More...]
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Today's students need a good dose of technology to do their best work. But the market for consumer tech is both crowded and confusing. Before you invest in a laptop--and, yes, you should get your student a laptop--here are 10 important considerations.
 
OpenX 'flowplayer-3.1.1.min.js' Backdoor Vulnerability
 
Moto X, the first smartphone completely designed after Google acquired Motorola Mobility, is an interesting and well-fashioned consumer device.
 
Patent company VirnetX is adding a patent it was recently granted to its ongoing patent infringement lawsuit against Apple in a federal court in Texas.
 
The Feedly RSS service raised half a million dollars Monday, pulling in an average of more than $62,000 in subscriptions each hour over an eight-hour span.
 
The Chinese are going to have a very, very hard time kicking the Windows XP habit.
 
In a move to consolidate overlapping lines of software, Helwett-Packard is merging three of its records management products into a single offering, to be called HP Records Manager.
 
Taiwanese PC maker Acer reported a net loss in the second quarter, attributing it to the company's growing investment in product design and the recent rise in DRAM prices.
 
The latest version of Citrix Systems' XenClient offers better integration with its other desktop virtualization offerings and more user personalization, as the vendor hopes to make the bare-metal hypervisor more popular among road warriors.
 
Multiple Vulnerabilities in BigTree CMS
 
Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!
 
Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability
 
OpenStack Nova CVE-2013-2256 Security Bypass Vulnerability
 
OpenStack Nova CVE-2013-4185 Denial of Service Vulnerability
 
NASA took a big step this week in its effort to launch a spacecraft to Mars this fall.
 

Same Old Same Old as IT Fails to Mature
CSO (blog)
Lack of IT centralization when it comes to capital planning and investment control along with leadership that has no infosec pedigree are standard indicators of long running IT issues. Will it ever end? Flush the current IT leadership. cyber ...

 
Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-63 through -75 Multiple Vulnerabilities
 
Attacking Google Accounts with 'weblogin:' Tokens
 
Internet Storm Center Infocon Status