Information Security News
Here's one way of getting at sensitive data that seems to be making a comeback. Already in the olden days, it was popular with the crooks to register domain names that only differed by a typo from the name of a legitimate high traffic site. Googl.com, for example. The crooks would then run web pages with lots of advertisements on these domains, and live happily ever after from the ad revenue that the misdirected typo traffic alone brought their way.
Google put a stop to this by registering, for themselves, pretty much all typos of their brand that you can imagine. Not all companies have done so, and with the increased use of smart phones with annoyingly fumbly keyboards (and often autocorrect, as well), typos are making a comeback. And so are the typo harvesting sites. This time though, it looks as if they are not after ad clicks -- instead, we see an increase of typo domains that publish an MX record, and thus receive all the mail that was meant for the attacked company, but where the @domain portion of the address contained a typo.
I was recently participating in the analysis of data taken from such a server that the crooks had used to collect other people's mail. One thing that particularly stood out was that a lot of the harvested emails actually came from within the attacked real estate company, and contained rather sensitive internal mails. In other words, say, an employee @samplecompany.com had wanted to send something to a coworker, but typed [email protected]maplecompany.com instead on her (not-so)smartphone. As a result, instead of getting delivered internally, the email took the Internet route, and ended up on the server that the crooks had set up.
For every email address with a typo that came from a customer or other external sender, we found a dozen or so mails that were intended to be from and to an internal employee. What made matters worse is that some of the mobile phones that the company employees used were helpfully "remembering" previously typed email addresses, so once a typo had been made, the fix was in, and the problem persisted until/unless the user noticed that his colleague never answered.
If you don't own the most likely permutations and typos of your main email domain for yourself, you might want to check who does. And if they publish an MX record for these domains, you might want to check your outbound email log to see how much of your intended internal email has typos, and is leaking out.
Update: ISC reader Jerry points out that according to RFC 5321, if no MX record is returned, the A record will be tried instead. So don't count only on the presence of MX records in typo squatting domains to determine if your email is being siphoned off; if in doubt, check their port 25 as well.
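The checks in the last two paragraphs, carried through in an added Python example that is not part of the ISC diary: it generates single-keystroke typos of a company's mail domain, scans outbound-log lines for recipients in those domains, and applies the RFC 5321 rule (MX first, otherwise A) to say where each typo domain would deliver mail. The domain, the DNS answers and the Postfix-style log lines are constructed; a real run would replace the two dict lookups with live MX and A queries.

```python
import re

# Constructed stand-ins for real DNS answers and a Postfix-style outbound log.
OWN_DOMAIN = "samplecompany.com"
FAKE_MX = {"smaplecompany.com": ["mail.smaplecompany.com."]}   # squatter with MX
FAKE_A = {"samplecompny.com": ["192.0.2.10"]}                  # squatter with A only
SAMPLE_LOG = [
    "Jul  8 10:01:02 mta postfix/smtp[123]: to=<alice@samplecompany.com>, status=sent",
    "Jul  8 10:02:15 mta postfix/smtp[124]: to=<bob@smaplecompany.com>, status=sent",
    "Jul  8 10:03:40 mta postfix/smtp[125]: to=<carol@samplecompny.com>, status=sent",
    "Jul  8 10:04:00 mta postfix/smtp[126]: to=<dan@example.net>, status=sent",
]

def typo_permutations(domain):
    """Single-keystroke typos of the domain's first label: omissions,
    adjacent transpositions and doubled letters (the 'Googl.com' case)."""
    label, dot, rest = domain.partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                  # drop a letter
        variants.add(label[:i] + label[i] + label[i:])           # double a letter
        if i + 1 < len(label):                                   # swap neighbours
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return {v + dot + rest for v in variants if v}

def mail_target(domain, mx_lookup, a_lookup):
    """RFC 5321 delivery target: the MX hosts if any exist, otherwise the
    A record is tried (the fallback the reader's update points out)."""
    mx = mx_lookup(domain)
    if mx:
        return ("MX", mx)
    a = a_lookup(domain)
    return ("A", a) if a else None

def leaked_recipients(log_lines, typo_domains):
    """Outbound recipients whose domain is a typo of our own domain."""
    leaks = []
    for line in log_lines:
        for rcpt in re.findall(r"to=<([^>]+)>", line):
            dom = rcpt.rsplit("@", 1)[-1].lower()
            if dom in typo_domains:
                leaks.append((rcpt, dom))
    return leaks

def siphon_report(own=OWN_DOMAIN, log=SAMPLE_LOG, mx=FAKE_MX.get, a=FAKE_A.get):
    # For each leaked recipient, report where the typo domain delivers mail.
    typos = typo_permutations(own)
    return [(rcpt, dom, mail_target(dom, mx, a))
            for rcpt, dom in leaked_recipients(log, typos)]
```

Any recipient that resolves to an MX or an A record is mail that has already left the company; an empty result for a typo domain only means it is not receiving mail today.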
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The recent arrest of a Russian hacker by the US Department of Homeland Security is stirring up diplomatic difficulties.
The suspect, 30-year-old Roman Valerevich Seleznev, is the son of a Russian lawmaker. The Russian Foreign Ministry, which says he was arrested in an airport in the Maldives, has condemned the tactics used by the US. Seleznev has now been transported to Guam, where he has made his first court appearance.
"We consider this as the latest unfriendly move from Washington," stated the Ministry, according to a Reuters report. The Russian Foreign Ministry's statement (Russian) describes the event as a "kidnapping."
Update: Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack.
A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.
The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they're executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.
Overview of the July 2014 Microsoft patches and their status.
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) |
|---|---|---|---|---|---|
| MS14-037 Cumulative Security Update for Internet Explorer | Microsoft Windows, Internet Explorer (CVEs listed below) | | | | |
| MS14-038 Vulnerability in Windows Journal Could Allow Remote Code Execution | | | | | |
| MS14-039 Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege | | | | | |
| MS14-040 Vulnerability in Ancillary Function Driver | | | | | |
| MS14-041 Vulnerability in DirectShow Could Allow Elevation of Privilege | | | | | |
| MS14-042 Vulnerability in Microsoft Service Bus Could Allow Denial of Service | Microsoft Server Software | | | Less Urgent | Less Urgent |

CVEs addressed by MS14-037: CVE-2014-1763 CVE-2014-1765 CVE-2014-2785 CVE-2014-2786 CVE-2014-2787 CVE-2014-2788 CVE-2014-2789 CVE-2014-2790 CVE-2014-2791 CVE-2014-2792 CVE-2014-2794 CVE-2014-2795 CVE-2014-2797 CVE-2014-2798 CVE-2014-2800 CVE-2014-2801 CVE-2014-2802 CVE-2014-2803 CVE-2014-2804 CVE-2014-2806 CVE-2014-2807 CVE-2014-2809 CVE-2014-2813 CVE-2014-1763 CVE-2014-1765 CVE-2014-2783 CVE-2014-2785 CVE-2014-2786 CVE-2014-2787 CVE-2014-2788 CVE-2014-2789 CVE-2014-2790 CVE-2014-2791 CVE-2014-2792 CVE-2014-2794 CVE-2014-2795 CVE-2014-2797 CVE-2014-2798 CVE-2014-2800 CVE-2014-2801 CVE-2014-2802 CVE-2014-2803 CVE-2014-2804 CVE-2014-2806 CVE-2014-2807 CVE-2014-2809 CVE-2014-2813
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
Update: Cert.org corrected its advisory. The GS105PE is affected, not the GS108PE as indicated earlier. The NVD CVE entry still lists the old model number.
Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 18.104.22.168 and earlier. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.
Sadly, at this point there doesn't appear to be a solution to the problem, other than returning the switch to the store and buying another one if you can.
CVE Number: CVE-2014-2969
Posted by InfoSec News on Jul 08: http://www.theregister.co.uk/2014/07/07/north_korea_employs_6000_leet_hackers_source_claims/
Posted by InfoSec News on Jul 08: http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/
Posted by InfoSec News on Jul 08: http://www.networkworld.com/article/2449855/security0/bloody-june-what-s-behind-last-month-s-ddos-attacks.html
Posted by InfoSec News on Jul 08: http://www.computerworld.com/s/article/9249590/Chinese_hackers_switched_targets_to_U.S._experts_on_Iraq
Posted by InfoSec News on Jul 08: http://www.capitolhillseattle.com/2014/07/russian-hacker-arrested-in-2010-broadway-grill-data-breach/