Hackin9
Samsung Electronics is expecting a drop in its operating profit for the third consecutive quarter, citing an overall slowdown in smartphone market growth and increased competition in China and some European markets.
 
A sophisticated Chinese hacker group that had been stealing information from U.S. policy experts on Southeast Asia suddenly changed targets last month to focus on Iraq, security researchers said Monday.
 
Mark Zuckerberg sees the Internet as a vital service that should be made available to everyone across the world -- a service that can be as vital as, say, the ability to call for emergency help on a telephone.
 
The Social Security numbers of roughly 18,000 California physicians and health-care providers were inadvertently made public after a slip-up at health insurance provider Blue Shield of California, the organization said Monday.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Thanks to reader Gary for sending us a sample of a *Coin miner that he found attacking port 32764. Port 32764 was recently found to offer yet another backdoor on Sercomm-equipped devices. We covered this backdoor before [1].

The bot itself appears to be a variant of the "zollard" worm seen before by Symantec [2]. Symantec's writeup describes the worm as attacking a php-cgi vulnerability, not the Sercomm backdoor, but this worm has been seen using various exploits.

Here are some quick, very preliminary, details:

The reason I call it *Coin vs. Bitcoin is that in the past, we found these miners to mostly attack non-Bitcoin crypto-currencies to make use of the limited capabilities of these devices. I do not have sufficient detail yet about this variant.

Interestingly, Gary found what look like 5 binaries with identical functionality, compiled for 4 different architectures to provide larger coverage across possible vulnerable devices. The binaries are named according to the architecture they support.

Name      Size (bytes)   "file" output
arm        86680         ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
armeabi   131812         ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mips      140352         ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mipsel    141288         ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
x86        74332         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The binary appears to do the following among other things:

  • delete and then recreate the /tmp directory (to have an empty one for downloads)
  • create a directory /var/run/.zollard
  • firewall ports 23 (telnet) and 32764 (presumably to avoid re-exploitation; port 23 is odd ...)
  • start the telnet daemon (odd that it also firewalls port 23)
  • use this user agent for some outbound requests: Mozilla/5.0 (compatible; Zollard; Linux)
  • set up a php file with a backdoor (a simple php "exec")

It also looks like there are many other variants for different architectures, based on strings in the file Gary sent us.
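The indicators listed above (the Zollard user agent and the /var/run/.zollard marker directory) are easy to hunt for on web servers and on suspect devices. The following is an added example, not code from the ISC diary or from Gary's sample; the log lines are constructed, and the assumption that the per-architecture binaries land in /tmp is mine, inferred from the bot recreating /tmp "for download".

```python
import os
import re
from collections import Counter

# Indicators quoted from the diary; the log lines further down are constructed.
ZOLLARD_UA = "Mozilla/5.0 (compatible; Zollard; Linux)"
ZOLLARD_MARKER = "var/run/.zollard"                         # directory the bot creates
DROPPED_NAMES = ("arm", "armeabi", "mips", "mipsel", "x86")  # names from the table above
# Assumption (not stated in the diary): the binaries are downloaded into /tmp.

# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def zollard_sources(log_text):
    """Return {client_ip: request_count} for requests carrying the Zollard User-Agent."""
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m and m.group("ua") == ZOLLARD_UA:
            hits[m.group("ip")] += 1
    return dict(hits)

def host_indicators(root="/"):
    """Return paths under `root` that match the marker directory or the dropped
    binaries in /tmp. `root` lets the check run against a mounted offline image."""
    found = []
    marker = os.path.join(root, ZOLLARD_MARKER)
    if os.path.isdir(marker):
        found.append(marker)
    for name in DROPPED_NAMES:
        path = os.path.join(root, "tmp", name)
        if os.path.isfile(path):
            found.append(path)
    return found

# Constructed sample: two Zollard requests from one host, one benign browser request.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Zollard; Linux)"
198.51.100.4 - - [07/Jul/2014:10:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
203.0.113.7 - - [07/Jul/2014:10:02:15 +0000] "GET /index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Zollard; Linux)"
"""

if __name__ == "__main__":
    print(zollard_sources(SAMPLE_LOG))   # {'203.0.113.7': 2}
    print(host_indicators())             # [] on a clean host
```

A match on the user agent alone identifies a scanning host, not necessarily a compromised one; confirm on the device itself with the directory and file checks.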

[1] https://isc.sans.edu/diary/Port+32764+Router+Backdoor+is+Back+(or+was+it+ever+gone%3F)/18009
[2] http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices

---

Johannes B. Ullrich, Ph.D.

 
WordPress MailPoet Newsletters Plugin Remote File Upload Vulnerability
 
GitList CVE-2014-4511 Unspecified Remote Code Execution Vulnerability
 
ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities
 
ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability
 
Many CIOs have wrestled with stitching together an integrated technology platform after a corporate merger. But Robert Logan, CIO of Leidos, faced an altogether different scenario: creating the platforms, data and applications needed for two big companies born from the splitting of an even bigger company. Logan's company was born from SAIC, a major government contractor that bifurcated in August 2013 into Leidos and a smaller SAIC -- a strategic move driven by changes in the federal services marketplace.
 
Premier 100 IT Leader William Mayo also answers questions on combining international teams and the skills needed to become a CIO.
 
Google co-founder and CEO Larry Page said we may someday see more part-time work weeks than we do today -- and that would be a good thing.
 
The National Security Agency Monday defended its data collection practices amid revelations that almost 90% of the data it sweeps up involves ordinary Internet users not suspected of crimes.
 
Gartner today scaled back its forecast of Windows' near future, saying that while Microsoft's OS will power a growing number of devices this year and next, the gains will be smaller than it projected in January.
 
In some ways, veteran CIO Sam Lamonica is an old dog learning new tricks.
 

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.


 
Apache Tomcat CVE-2014-0099 Request Processing Information Disclosure Vulnerability
 
Global spending on public cloud services reached US$45.7 billion last year and will experience a 23 percent compound annual growth rate through 2018, according to analyst firm IDC.
 
A Russian man suspected of hacking into point-of-sale systems at U.S. retailers has been arrested and faces charges in a U.S. court, the Department of Justice said.
 
Photo Org WonderApplications v8.3 iOS - File Include Vulnerability
 
NetGear N150 WNR1000v3 Password Recovery Feature Information Disclosure Vulnerability
 
Microsoft's Windows OS could play a crucial role in returning worldwide PC shipments to modest growth next year after multiple years of decline, Gartner said on Monday.
 
Yahoo! Bug Bounty #25 Flickr API - Persistent Service Vulnerability
 
PayPal Inc Bug Bounty #74 - Persistent Core Backend Vulnerability
 
Paypal Inc Bug Bounty #109 Multi Shipping Application API - Filter Bypass & Persistent Vulnerability
 
Backdoor access to Techboard/Syac devices
 
CVE-2014-3863 - Stored XSS in JChatSocial
 
Re: Android KeyStore Stack Buffer Overflow (CVE-2014-3100)
 
[SECURITY] [DSA 2972-1] linux security update
 
Lime Survey 2-05+ Multiple Vulnerabilities
 
A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
 
LinuxSecurity.com: The system could be made to crash or run programs as an administrator.
 
LinuxSecurity.com: Security Report Summary
 
 

SANS Tallinn Offers Infosec Training in Estonia
Infosecurity Magazine
SANS will be offering three vital information security courses in Estonia this September. The Sokos Hotel Viru in Tallinn will welcome students from September 1–6 for the six-day courses led by world-class SANS Instructors. The SANS Institute provides ...

 
Microsoft's messy mobile strategy and incompatible platforms have frustrated would-be app developers. Can Universal Apps stop the rot?
 
In the world of programming languages, sometimes you don't need the overhead and performance of Java, C#, C++ and other power tools. Sometimes a scripting language, or Swiss army knife, will do.
 
In theory, the concept of "work-life balance" seems to make sense: splitting your days and weeks between a collaborative and connected working life while also enjoying personal activities and leisure time with friends, family, pursuing hobbies, exercise or just watching TV.
 
It's really not difficult to say, "I'm sorry." But getting companies to say it, and mean it, is sometimes akin to turning water into wine.
 
Technology is about to take a big slice of the traditional banking business. Bankers have been slow to see what's coming, but they're starting to realize what's at stake.
 
Microsoft Internet Explorer CVE-2014-0325 Memory Corruption Vulnerability
 

'Negative Joblessness' In InfoSec
BankInfoSecurity.com (blog)
Characterizing the state of employment among American information security practitioners, executive recruiter Joyce Brocaglia says, "We are experiencing negative unemployment in the field of information security." Brocaglia, chief executive of the ...

 
With a starting price of just $299, the unlocked, Cyanogen-powered OnePlus One Android phone beats the bigger brands at their own game.
 
China's nagging pollution problems could start to abate with the help of an IBM project that seeks to predict and control the air quality in Beijing, using new computing technologies.
 
Security researchers have a working prototype of an instant messaging application that aims to thoroughly obscure and scrub evidence that two parties have been chatting.
 
The U.S. Transportation Security Administration has said it may ask air travelers headed to the U.S. on direct flights to power up some electronic devices, including cell phones, as part of enhanced security measures at certain airports abroad.
 
 

Posted by InfoSec News on Jul 07

http://www.infosecnews.org/event/cyber-security-expo/

October 8-9, 2014

Brand new for 2014, Cyber Security EXPO is the new place for everybody
wanting to protect their organisation from the increasing commercial
threat of cyber attacks

Co-located with IP EXPO Europe, Cyber Security EXPO has been designed to
provide CISOs and IT security staff the tools, new thinking and policies
to meet the 21st century business cyber security challenge....
 
Oracle Event Processing CVE-2014-2424 Remote Code Execution Vulnerability
 
MediaWiki 'InfoAction.php' HTML Injection Vulnerability
 
PHP Fileinfo Component 'cdf_read_short_sector()' Function Remote Denial of Service Vulnerability
 
PHP Fileinfo Component 'cdf_check_stream_offset()' Function Remote Denial of Service Vulnerability
 
PHP Fileinfo Component Incomplete Fix Remote Denial of Service Vulnerability
 