(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

One of the exercises I keep recommending is to take 5 minutes of traffic from your own network (any network...), and try to explain each packet. Being an eat your own dogfood kind of guy, I try to do this myself every so often, and yesterday, after setting up a new IPv6 connection, I came across this neat packet:

IP6 2601:aaaa:bbbb:cccc:1122:33ff:fe44:5566  2601:aaaa:bbbb:xxxx:1122:3344:5566:7788:    ICMP6, destination unreachable, unknown unreach code (5)          

If tcpdump calls an ICMP type Unknown, things certainly get interesting. If it is IPv6, that becomes outright exciting and makes you dive for the RFCs. So what is happening here?

In the end, it is a simple invalid configuration, but something you may find in IPv6 quite commonly. My ISP assigns me an IPv6 prefix via DHCPv6. DHCPv6 has a special feature to do so: Prefix Delegation (often abbreviated PD). In my case, my DHCP client died. Turns out that as soon as I no longer request the particular prefix, my modem decided that the prefix is no longer mine, and it no longer routed it. Now in IPv4, there is no well defined ICMP message that is sent back if you essentially try to spoof a source IP that doesn't belong to you. Maybe an admin prohibited? In IPv6, we got a specific ICMPv6 code, 5, to indicate what is happening.

Type 1 is used for destination unreachable, similar to type 3 in ICMPv4. Code 5 is defined in RFC 4443 as "Source address failed ingress/egress policy". This certainly helped me figure out what is going on here.

Here is a quick list of the codes defined for type 1 in RFC 4443:

Code  Message
0     No route
1     Admin Prohibited
2     Beyond scope of source address (e.g. a link local address used to reach a global address)
3     Address unreachable
4     Port unreachable
5     Ingress/egress policy fail
6     Reject route to destination (trying to use a router that doesn't route to that destination)

Again, this is all for type 1. Codes 5 and 6 are described as subtypes of code 1 (Admin Prohibited).

As a quick tcpdump filter, you have to use icmp6 and ip6[40:2]=0x0105 (the two bytes right after the 40 byte IPv6 header are the ICMPv6 type and code; note that ip[...] rather than ip6[...] would match IPv4 only and never fire together with icmp6). tcpdump does not support icmp6 offsets at this point.
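To make the type/code table and the filter concrete, here is an added example (not part of the original diary) that decodes an ICMPv6 type 1 message from raw bytes, maps the code to its RFC 4443 name and pulls the offending source address out of the quoted invoking packet. The sample packet is constructed from the 2001:db8::/32 documentation prefix; the addresses and the UDP stub are assumptions, not captured data.

```python
import struct
from ipaddress import IPv6Address

# ICMPv6 type 1 (Destination Unreachable) codes from RFC 4443 section 3.1
UNREACH_CODES = {
    0: "No route to destination",
    1: "Communication with destination administratively prohibited",
    2: "Beyond scope of source address",
    3: "Address unreachable",
    4: "Port unreachable",
    5: "Source address failed ingress/egress policy",
    6: "Reject route to destination",
}

def matches_tcpdump_filter(pkt):
    """Same test as the BPF expression 'icmp6 and ip6[40:2]=0x0105':
    next header 58 and the two bytes after the 40-byte IPv6 header are type 1, code 5."""
    return len(pkt) >= 42 and pkt[6] == 58 and pkt[40:42] == b"\x01\x05"

def parse_icmp6_unreach(pkt):
    """Decode an IPv6 packet carrying ICMPv6 type 1; return None for anything else.
    Extension headers are not walked, so the ICMPv6 header must start at offset 40."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != 58:
        return None
    icmp = pkt[40:40 + payload_len]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 1:
        return None
    # Bytes 8.. of the message are the start of the invoking packet (RFC 4443 section 3.1);
    # for code 5 its source address is the one the router refused to forward.
    inner = icmp[8:]
    failed_src = str(IPv6Address(inner[8:24])) if len(inner) >= 40 else None
    return {"router": str(IPv6Address(pkt[8:24])), "host": str(IPv6Address(pkt[24:40])),
            "code": code, "message": UNREACH_CODES.get(code, "unknown code %d" % code),
            "failed_source": failed_src}

def build_sample():
    """Constructed sample (checksum left zero): modem 2001:db8::1 rejects a UDP packet
    sourced from 2001:db8:dead::5, a prefix whose delegation lapsed, and reports code 5."""
    inner = (struct.pack("!IHBB", 0x60000000, 8, 17, 64)
             + IPv6Address("2001:db8:dead::5").packed
             + IPv6Address("2001:db8:2::50").packed + bytes(8))   # 8-byte UDP stub
    icmp = struct.pack("!BBHI", 1, 5, 0, 0) + inner               # type 1, code 5, cksum, unused
    return (struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64)
            + IPv6Address("2001:db8::1").packed
            + IPv6Address("2001:db8:1::10").packed + icmp)
```

Feeding real frames in requires stripping the Ethernet header first; the decoder starts at the IPv6 version nibble.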


Johannes B. Ullrich, Ph.D.


Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.



FBI boss: Sony hack was DEFINITELY North Korea, haters gonna hate
The Register
For this reason, infosec professionals remain skeptical the Kim government is responsible for the Sony Pictures hack. Also, in 2012, a US judge rubbished claims that IP addresses can be used to identify culprits in online crime, saying "it is no more ...


In a speech at the International Conference on Cyber Security (ICCS) today in New York, FBI Director James Comey reiterated the bureau's confidence that North Korea was involved in the cyber attack on Sony Pictures Entertainment. "There's not much I have high confidence about," Comey said, as reported by the FBI New York field office's official Twitter feed. "I have very high confidence... on North Korea." And he downplayed suggestions by outsiders that others might be responsible, saying that critics “don’t have the facts that I have, they don’t see what I see.”

In a separate speech today at the ICCS, Director of National Intelligence James Clapper said that the attack on Sony demonstrated a new type of threat posed by North Korea. During a meeting last year with a North Korean general to negotiate the release of two American prisoners in North Korea, Clapper said that the general told him the regime is "deadly serious" about perceived insults by the US to its "supreme leader" and that North Koreans feel that the US has put their country under siege.

While the Sony attackers had largely concealed their identity by using proxy servers, Comey said that on several occasions they "got sloppy" and connected directly, revealing their own IP address. It was those slip-ups, he said, that provided evidence linking North Korea to the attack on Sony's network. Comey also said that analysts at the FBI found the patterns of writing and other identifying data from the attack matched previous attacks attributed to North Korea. Additionally, there was other evidence, Comey said, that he could not share publicly.


Schneider Electric ProClima CVE-2014-8514 Remote Buffer Overflow Vulnerability
Schneider Electric ProClima CVE-2014-8512 Remote Buffer Overflow Vulnerability
Schneider Electric ProClima CVE-2014-9188 Remote Buffer Overflow Vulnerability
Schneider Electric ProClima CVE-2014-8511 Remote Buffer Overflow Vulnerability

How cloud service providers can effectively monetise and deliver the ultimate ...
The cloud ecosystem has ushered in an exciting era of open access to world-class computing power, resources, storage, development framework and software applications. With this has come an explosion of innovation. While cloud service providers (CSPs) ...

Brother MFC Administration Reflected Cross-Site Scripting
Self-XSS in Microsoft Dynamics CRM 2013 SP1
[SECURITY] [DSA 3120-1] mantis security update
[security bulletin] HPSBMU03118 rev.3 - HP Systems Insight Manager (SIM) on Linux and Windows, Multiple Remote Vulnerabilities

A report published by South Korea's Defense Ministry on December 6 estimates that North Korea has further increased its focus on network and electronic warfare over the last year, doubling the size of its "cyber forces" to 6,000 soldiers. The report also warned that North Korea has made significant advances in its nuclear weapons technology and could now have the capability of threatening the mainland of the United States with a nuclear strike.

The report, the ministry's 2014 Defense White Paper, is a biennial review of South Korea's defense policy similar to the US Department of Defense's Quadrennial Review, intended to define the government's defense policy. Defense Ministry officials stated in the report that North Korea's efforts in cyber-warfare and other "asymmetric" capabilities are part of an effort to cause "physical and psychological paralysis inside South Korea such as causing troubles for military operations and national infrastructures."

The Defense Ministry report also claimed that North Korea had made advances in miniaturization of nuclear warheads, which would allow them to be mounted more readily on intercontinental ballistic missiles. "The ability to miniaturize nuclear weapons seems to be at an early but significant level and is estimated as having the ability to threaten the US mainland through a long-range missile," a Defense Ministry spokesperson said in a summary of the report. The assessment is based on estimates of North Korea's production of highly enriched uranium.


MantisBT 'file_download.php' HTML Injection Vulnerability
LinuxSecurity.com: Security Report Summary
Python pip CVE-2014-8991 Local Denial of Service Vulnerability

Researchers demo new IPv6 attack against Windows 8 PCs
Due for full disclosure at the DEF CON 21 conference, the attack's design isn't new – the similar Stateless Address Auto Configuration (SLAAC) principle was demonstrated at Infosec in 2011 – but extends it to Windows 8 segments for the first time ...

OpenStack Horizon Login Page Denial of Service Vulnerability

Posted by InfoSec News on Jan 07


By John Leyden
The Register
6 Jan 2015

Paris airport security went one step further than simply asking a security
expert to power up her laptop - they requested she type in her password to
decrypt her hard drive and log into the machine.

Katie Moussouris, chief policy officer at HackerOne, and best known as the
woman behind...

Posted by InfoSec News on Jan 07


By Micah Zenko
Council on Foreign Relations
January 6, 2015

Yesterday, Sen. Robert Menendez (D-NJ), the ranking member of the Senate
Foreign Relations Committee, appeared on CNN's State of the Union where he
proposed placing North Korea on the State Department’s State Sponsors of
Terrorism list. Menendez contended that the additional sanctions...

Posted by InfoSec News on Jan 07


By Bill Gertz
The Free Beacon
January 6, 2015

A federal weather service employee charged with stealing sensitive
infrastructure data from an Army Corps of Engineers database met a Chinese
government official in Beijing, according to court documents that reveal
the case to be part of an FBI probe of Chinese economic...

Posted by InfoSec News on Jan 07


By Joseph Cox
The Daily Dot
January 06, 2015

There are few things more startling than seeing your private information
released online. It makes you feel vulnerable and on-edge, knowing that
anyone has the details necessary to throw a brick through your window at a
moment’s notice.

The act, known as doxing, has become a popular tactic with activists and
trolls alike, with...

Posted by InfoSec News on Jan 07


By Lorenzo Franceschi-Bicchierai
Jan 6, 2015

After hackers breached its internal network in late October, the White
House got the help of a Google security engineer, Parisa Tabriz, the
company's self-proclaimed "security princess."

Tabriz was tapped by the newly founded U.S. Digital Service, a tech task
force for the government which...