Information Security News
One of the exercises I keep recommending is to take 5 minutes of traffic from your own network (any network...), and try to explain each packet. Being an eat-your-own-dogfood kind of guy, I try to do this myself every so often, and yesterday, after setting up a new IPv6 connection, I came across this neat packet:
IP6 2601:aaaa:bbbb:cccc:1122:33ff:fe44:5566 2601:aaaa:bbbb:xxxx:1122:3344:5566:7788: ICMP6, destination unreachable, unknown unreach code (5)
If tcpdump calls an ICMP type Unknown, things certainly get interesting. If it is IPv6, then that becomes outright exciting and makes you dive for the RFCs. So what is happening here?
In the end, it is a simple invalid configuration, but something you may find in IPv6 quite commonly. My ISP assigns me an IPv6 prefix via DHCPv6. DHCPv6 has a special feature to do so: Prefix Delegation (often abbreviated PD). In my case, my DHCP client died. Turns out that as soon as I no longer request the particular prefix, my modem decided that the prefix is no longer mine, and it no longer routed it. Now in IPv4, there is no well-defined ICMP message that is sent back if you essentially try to spoof a source IP that doesn't belong to you. Maybe an "admin prohibited"? In IPv6, we got a specific ICMPv6 code, 5, to indicate what is happening.
Type 1 is used for unreachable, similar to 3 in ICMPv4. Code 5 is defined in RFC 4443 as Source address failed ingress/egress policy. This certainly helped me figure out what is going on here.
Here is a quick list of the codes defined for type 1 in RFC 4443 (only the rows that survived on this page):

| Code | Meaning |
|---|---|
| 2 | Beyond scope of source address (e.g. a link-local address used to reach a global address) |
| 5 | Source address failed ingress/egress policy |
| 6 | Reject route to destination (trying to use a router that doesn't route to that destination) |

Again, this is all for type 1. Codes 5 and 6 are described as more granular subtypes of code 1 (administratively prohibited).
As a quick tcpdump filter, you have to use icmp6 and ip6[40:2]=0x0105 (the ICMPv6 type and code bytes sit right after the 40-byte fixed IPv6 header; the ip[] keyword would only match IPv4). tcpdump does not support icmp6 offsets at this point.
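To make the offset arithmetic behind that filter concrete, here is an added example (not from the diary above) that decodes a raw IPv6 packet, walks any Hop-by-Hop, Routing or Destination Options extension header, and names the ICMPv6 type 1 code per RFC 4443. It goes a little beyond the page by carrying the full type 1 code table, and it shows the one caveat a defender wants to know: a fixed-offset filter such as ip6[40:2]=0x0105 only sees the type/code pair when no extension header precedes ICMPv6. All packets, addresses (documentation prefix 2001:db8::/32) and helper names are constructed for the example.

```python
"""Decode ICMPv6 Destination Unreachable codes from raw IPv6 bytes (added example)."""
import ipaddress
import struct

ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
DEST_UNREACH = 1     # ICMPv6 type 1, Destination Unreachable
# Extension headers that may sit between the fixed header and ICMPv6
# (Hop-by-Hop, Routing, Destination Options); all share the
# "next header, header extension length" layout of RFC 8200.
EXT_HEADERS = {0, 43, 60}

# Type 1 codes as listed in RFC 4443 section 3.1
UNREACH_CODES = {
    0: "No route to destination",
    1: "Communication with destination administratively prohibited",
    2: "Beyond scope of source address",
    3: "Address unreachable",
    4: "Port unreachable",
    5: "Source address failed ingress/egress policy",
    6: "Reject route to destination",
}


def build_packet(src, dst, code, hop_by_hop=False):
    """Constructed sample: IPv6 fixed header [+ Hop-by-Hop header] + ICMPv6 type 1.

    The ICMPv6 checksum is left as zero; the packet is only parsed, never sent.
    """
    icmp = struct.pack("!BBHI", DEST_UNREACH, code, 0, 0)  # type, code, csum, unused
    payload, nxt = icmp, ICMPV6
    if hop_by_hop:
        # 8-byte Hop-by-Hop header: next=ICMPv6, ext len=0, then a 6-byte PadN option
        payload = struct.pack("!BB", ICMPV6, 0) + b"\x01\x04\x00\x00\x00\x00" + icmp
        nxt = 0
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64)  # ver/tc/flow, plen, nh, hlim
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


def decode(pkt):
    """Walk the header chain; return (icmp_offset, type, code, code_name) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if len(pkt) < off + 2:
            return None
        # Hdr Ext Len counts 8-octet units, not including the first 8 octets
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt != ICMPV6 or len(pkt) < off + 2:
        return None
    typ, code = pkt[off], pkt[off + 1]
    name = UNREACH_CODES.get(code, "unknown unreach code") if typ == DEST_UNREACH else None
    return off, typ, code, name


def matches_filter(pkt):
    """Emulate the BPF filter `icmp6 and ip6[40:2]=0x0105` as a fixed byte-offset check.

    ip6[40:2] is the 16-bit word right after the 40-byte fixed header, so this only
    finds the type/code pair when no extension header precedes ICMPv6.
    """
    return len(pkt) >= 42 and pkt[6] == ICMPV6 and pkt[40:42] == b"\x01\x05"


def describe(pkt):
    """One-line summary in the spirit of tcpdump's output."""
    info = decode(pkt)
    if info is None:
        return "not an ICMPv6 packet"
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off, typ, code, name = info
    return f"IP6 {src} > {dst}: ICMP6 type {typ} code {code} ({name}) at offset {off}"


if __name__ == "__main__":
    plain = build_packet("2001:db8::1", "2001:db8::2", 5)
    print(describe(plain), "| filter matches:", matches_filter(plain))
    shifted = build_packet("2001:db8::1", "2001:db8::2", 5, hop_by_hop=True)
    print(describe(shifted), "| filter matches:", matches_filter(shifted))
```

Running it prints the code 5 packet as "Source address failed ingress/egress policy" at offset 40, where the byte-offset filter finds it, and the same packet behind a Hop-by-Hop header at offset 48, where the filter silently misses it; when you see unexplained gaps in a capture that was taken with an offset filter, that header-chain shift is the first thing to check.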
Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.
Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.
The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.
FBI boss: Sony hack was DEFINITELY North Korea, haters gonna hate
For this reason, infosec professionals remain skeptical the Kim government is responsible for the Sony Pictures hack. Also, in 2012, a US judge rubbished claims that IP addresses can be used to identify culprits in online crime, saying "it is no more ...
by Sean Gallagher
In a speech at the International Conference on Cyber Security (ICCS) today in New York, FBI Director James Comey reiterated the bureau's confidence that North Korea was involved in the cyber attack on Sony Pictures Entertainment. "There's not much I have high confidence about," Comey said, as reported by the FBI New York field office's official Twitter feed. "I have very high confidence... on North Korea." And he downplayed suggestions by outsiders that others might be responsible, saying that critics “don’t have the facts that I have, they don’t see what I see.”
In a separate speech today at the ICCS, Director of National Intelligence James Clapper said that the attack on Sony demonstrated a new type of threat posed by North Korea. During a meeting last year with a North Korean general to negotiate the release of two American prisoners in North Korea, Clapper said that the general told him the regime is "deadly serious" about perceived insults by the US to its "supreme leader" and that North Koreans feel that the US has put their country under siege.
While the Sony attackers had largely concealed their identity by using proxy servers, Comey said that on several occasions they "got sloppy" and connected directly, revealing their own IP address. It was those slip-ups, he said, that provided evidence linking North Korea to the attack on Sony's network. Comey also said that analysts at the FBI found the patterns of writing and other identifying data from the attack matched previous attacks attributed to North Korea. Additionally, there was other evidence, Comey said, that he could not share publicly.
How cloud service providers can effectively monetise and deliver the ultimate ...
The cloud ecosystem has ushered in an exciting era of open access to world-class computing power, resources, storage, development framework and software applications. With this has come an explosion of innovation. While cloud service providers (CSPs) ...
A report published by South Korea's Defense Ministry on December 6 estimates that North Korea has further increased its focus on network and electronic warfare over the last year, doubling the size of its "cyber forces" to 6,000 soldiers. The report also warned that North Korea has made significant advances in its nuclear weapons technology and could now have the capability of threatening the mainland of the United States with a nuclear strike.
The report, the ministry's 2014 Defense White Paper, is a biennial review of South Korea's defense policy similar to the US Department of Defense's Quadrennial Review, intended to define the government's defense policy. Defense Ministry officials stated in the report that North Korea's efforts in cyber-warfare and other "asymmetric" capabilities are part of an effort to cause "physical and psychological paralysis inside South Korea such as causing troubles for military operations and national infrastructures."
The Defense Ministry report also claimed that North Korea had made advances in miniaturization of nuclear warheads, which would allow them to be mounted more readily on intercontinental ballistic missiles. "The ability to miniaturize nuclear weapons seems to be at an early but significant level and is estimated as having the ability to threaten the US mainland through a long-range missile," a Defense Ministry spokesperson said in a summary of the report. The assessment is based on estimates of North Korea's production of highly enriched uranium.
Researchers demo new IPv6 attack against Windows 8 PCs
Due for full disclosure at the DEF CON 21 conference, the attack's design isn't new – the similar Stateless Address Auto Configuration (SLAAC) principle was demonstrated at Infosec in 2011 – but extends it to Windows 8 segments for the first time ...
Posted by InfoSec News on Jan 07: http://www.theregister.co.uk/2015/01/06/former_ms_bug_bounty_program_developer_forced_into_paris_laptop_decryption/
Posted by InfoSec News on Jan 07: http://www.defenseone.com/technology/2015/01/problem-calling-cyber-attacks-terrorism/102309/
Posted by InfoSec News on Jan 07: http://freebeacon.com/national-security/noaa-employee-charged-with-computer-breach-met-senior-chinese-official-in-beijing/
Posted by InfoSec News on Jan 07: http://www.dailydot.com/politics/dox-doxing-protection-how-to/
Posted by InfoSec News on Jan 07: http://mashable.com/2015/01/06/google-security-princess-white-house-hack