InfoSec News

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
 
In January 2010, I posted a diary [1] on how to configure zone files to set up a DNS sinkhole using IPv4 addresses. This updated diary shows how to add IPv6 support to your zone files so the sinkhole answers both IPv4 and IPv6 queries.
Single Hostname (/var/named/sinkhole/client.nowhere)

Wildcard Domain (/var/named/sinkhole/domain.nowhere)

Note: If you are not currently using IPv6 in your network, change the example fec0:0:0:bebb::5 to ::1 (localhost) to prevent 6to4, Teredo, etc. traffic from leaving the network.
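As an added example (not the diary's own zone files), this Python script generates the single-hostname and wildcard sinkhole zones with both A and AAAA records, applies the ::1 rule from the note above, and emits the named.conf stanzas that map blocklisted domains onto the shared zone file. The NS host name and SOA contact are assumed placeholders; the sinkhole addresses are the ones the diary's nslookup output shows.

```python
"""Generate the two BIND sinkhole zone files (IPv4 + IPv6) and the named.conf stanzas
that point blocklisted domains at them.  Added example, not the diary's own files; the
NS host name and SOA contact are constructed placeholders."""
import ipaddress

SINKHOLE_V4 = "192.168.25.6"       # sinkhole IPv4 address from the diary's nslookup output
SINKHOLE_V6 = "fec0:0:0:bebb::5"   # sinkhole IPv6 address from the diary
NS_HOST = "seeker.someserver.com"  # assumed: the diary's DNS server name, used as the NS
CONTACT = "hostmaster.someserver.com"  # constructed SOA contact (hostmaster@someserver.com)

def sinkhole_v6(ipv6_in_use):
    """Per the diary's note: with no IPv6 on the LAN, answer ::1 so 6to4/Teredo
    traffic never leaves the network."""
    return SINKHOLE_V6 if ipv6_in_use else "::1"

def zone_file(v4, v6, wildcard, ns_host=NS_HOST, contact=CONTACT):
    """Return a zone file body.  wildcard=False sinkholes only the zone apex
    (client.nowhere); wildcard=True also answers for every subdomain (domain.nowhere)."""
    if ipaddress.ip_address(v4).version != 4 or ipaddress.ip_address(v6).version != 6:
        raise ValueError("expected one IPv4 and one IPv6 sinkhole address")
    lines = [
        "$TTL 300",  # short TTL so clients pick up changes quickly
        f"@ IN SOA {ns_host}. {contact}. ( 1 3600 900 604800 300 )",
        f"  IN NS   {ns_host}.",
        f"  IN A    {v4}",
        f"  IN AAAA {v6}",
    ]
    if wildcard:
        lines += [f"* IN A    {v4}", f"* IN AAAA {v6}"]
    return "\n".join(lines) + "\n"

def named_conf_zones(domains, zone_path):
    """named.conf 'zone' stanzas pointing each blocklisted domain at the shared zone file."""
    names = sorted({d.lower().rstrip(".") for d in domains})
    return "".join(f'zone "{d}" {{ type master; file "{zone_path}"; }};\n' for d in names)

if __name__ == "__main__":
    v6 = sinkhole_v6(ipv6_in_use=True)
    print(zone_file(SINKHOLE_V4, v6, wildcard=True))
    print(named_conf_zones(["zz87lhfda88.com"], "/var/named/sinkhole/domain.nowhere"))
```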
To verify your zone files are correctly configured, you can use nslookup to query a hostname or a domain loaded in your sinkhole.
With Windows 7 (note that it shows both IPv4 and IPv6):

C:\>nslookup zz87lhfda88.com
Server:  seeker.someserver.com
Address:  192.168.25.5

Name:    zz87lhfda88.com
Addresses:  fec0:0:0:bebb::5
          192.168.25.6
With Linux, you need to explicitly query for the AAAA record:

user@host:~$ nslookup -q=aaaa zz87lhfda88.com
Server:         192.168.25.5
Address:        192.168.25.5#53

zz87lhfda88.com has AAAA address fec0:0:0:bebb::5
[1] http://isc.sans.edu/diary.html?storyid=7930

[2] http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html

[3] http://www.whitehats.ca/downloads/sinkhole/sinkhole.iso

[4] http://www.whitehats.ca/downloads/sinkhole/sinkhole64-bit.iso
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Community SANS SEC 503 coming to Ottawa Sep 2011
 

===============
Rob VandenBrink
Metafore
 
The hackers who broke into EMC's RSA Security division last March used the same attack code to try to break into several other companies, including two U.S. national security organizations, according to data provided by the VirusTotal website.
 
The U.S. Senate has voted to approve a major overhaul of the nation's patent system, with the legislation allowing a new kind of challenge to patents granted by the U.S. Patent and Trademark Office.
 
LightSquared's proposed 4G mobile network on satellite frequencies would hinder hurricane and tornado tracking, earthquake reporting and the prediction of floods and volcanic eruptions, federal officials told Congress on Thursday.
 
Stanford University Hospital is reported to be investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up for nearly one year on a homework help site for students.
 
Advanced Micro Devices this week said it has shipped the first 16-core chips for servers, which is a positive step ahead for the company as it tries to reverse its sagging fortunes in the server market.
 
Smartphones can help you record video clips, compose music and find the nearest Ethiopian restaurant, but they can't cure acne, the U.S. Federal Trade Commission said.
 
The hacker with links to several breaches of SSL certificate-issuing networks this year admitted sharing stolen certificates with others in Iran, and threatened to extend future spy-style attacks to computer users in the U.S., Europe and Israel.
 
The next version of the Microsoft's desktop OS, code-named "Windows 8", will include the ability to run other OSes in virtualized containers, the company announced by blog Wednesday.
 
Following the high-profile hack of DigiNotar, the makers of the Firefox browser are asking issuers of digital certificates to take a hard look at their internal security and to report back in a week.
 
Microsoft's Dynamics AX 2012 ERP (enterprise-resource-planning) software suite is now available in 25 countries, with special incentives for customers willing to switch from rival platforms sold by Lawson Software, Microsoft announced Thursday.
 
Microsoft today said it will dispense five security updates next week to patch 15 vulnerabilities in Windows, Excel, SharePoint Server and Groove.
 
Twitter has 100 million active users, half of which log on to the microblogging site every day, the company said on Thursday.
 
Mozilla issued a Do Not Track Field Guide to encourage advertisers and publishers to implement do-not-track (DNT) functionality.
 
Although desktop virtualization is still a relatively new technology, Ravi Ravishanker is no stranger to it. He helped implement VDI projects at Pace University and Wesleyan University in recent years and now is overseeing a rollout at Wellesley College, the all-women's school west of Boston where he serves as CIO.
 
The strength of the once-prosperous Wintel alliance could be tested at Intel's developer show next week as the chip maker and Microsoft adapt to a market shift from PCs to mobile devices such as tablets, analysts said this week.
 
Sysstat Insecure Temporary File Creation Vulnerability
 
Wireshark IKE Packet Handling Denial of Service Vulnerability
 
Planned updates affect Microsoft Office, Excel and SharePoint Workspace 2010.


 
[security bulletin] HPSBUX02702 SSRT100606 rev.1 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
 
Cybercriminals are increasingly targeting Android devices with crimeware that is actively communicating with multiple criminal command-and-control servers.
 
Several of Microsoft's business productivity applications will be available for free on Nokia's latest Symbian Belle smartphones later this year, Nokia announced today.
 
A nationwide voice and data network for emergency response agencies may be close to approval in Congress.
 
Many companies had refined their IT disaster recovery programs prior to 9/11, but the attacks exposed a lack of attention to continuity of business operations.
 
The 9/11 attacks raised awareness in the IT industry about disaster recovery and data backup.
 
An unusual Lapdock accessory for the Motorola Droid Bionic smartphone, which Verizon Wireless started selling on Thursday, can be had for $300.
 
Google has acquired venerable restaurant ratings publisher Zagat to boost its online maps and local business listings with trustworthy reviews and recommendations, which Web surfers increasingly seek and value.
 
Symantec on tap with "O3"; can VMware's "Project Horizon" be far behind?
 

Want to beat hackers? Know the risks and know thy enemy
CNN International
However only a few days before the emergence of this latest hacking outfit, a far less conspicuous but similarly-skilled group met at a London hotel to discuss the other side of all matters of information security, otherwise known as "infosec". ...
 
The recent problems at DigiNotar (and now GlobalSign) have gotten a lot of folks thinking about what happens when significant events undermine our trust in public Certificate Authorities, and how that affects users of secured services. But aside from the browsers on the desktop, what is affected, and what should we look at in our infrastructure?



What has been brought up by several of our readers, as well as in a lively discussion on several of the SANS email lists, is SSL proxy servers, and any other IDS / IPS device that does SSL proxying. If you are not familiar with this concept, in a general way these products work as shown in the diagram:





As you can see from the diagram, the person at the client workstation sees an HTTPS browser session with a target webserver. However, the client's HTTPS session is actually with the proxy box (using the client's trust in the Private CA to cut a dynamic cert), and the HTTPS session with the target web server is actually between the proxy and the web server, not involving the client at all.

In many cases, the private CA for this resides directly on the proxy hardware, allowing certs to be issued very quickly as the clients browse.



In any case, the issue that we're seeing is that these units are often not patched as rapidly as servers and desktops, so many of these boxes remain blissfully unaware of all the issues with DigiNotar. If you have an SSL proxy server (or an IDS / IPS unit that handles SSL in this way), it's a good idea to check the trusted CA list on your server, and also check for any recent patches or updates from the vendor.



It's probably a good time to do some certificate housekeeping: look at all devices that use public, private or self-signed certificates. Off the top of my head, I'd look at any web or mail servers you might have with certificates, load balancers in your web farm that might be front-ending HTTPS web servers, any FTP or SSH servers that might use public certificates, and any SSL VPN appliances. What should you look for? Make sure that you're using valid private or public certificates, not self-signed certificates, for anything (self-signed certs are especially common on admin interfaces for datacenter infrastructure). At a time like this it's also worth seeing whether it makes sense in your organization to get all your certs from one vendor, in one contract on a common renewal date, to simplify renewals and ensure that nothing gets missed and leaves an expired cert facing your clients. Or it may be time to consider an EV (extended validation) cert on some servers, or to downgrade an existing EV cert to a standard one. (Look for more on CA nuts and bolts in an upcoming diary.) Check renewal dates to ensure that you have them all noted properly. If you've standardized on 3 year certificates, has one of your admins slipped a 1 year cert in by accident? (We see this all the time; often a 1 year cert is under the corporate PO limit and a 2 or 3 year cert is over.)



What else should you check? What other devices in the datacenter can you think of that need to trust a public CA? Mail servers come to mind, but I'm sure there are others in the mix. Please use our comment form to let us know what we've missed.
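For the certificate housekeeping described above, here is an added example (not the diary's or ISC's own tooling): it audits certificates in the dict format Python's ssl getpeercert() returns, flagging self-signed certs, issuers you have stopped trusting (DigiNotar here), imminent expiry, and a lifetime that breaks a 3-year standard. The sample certificate, its issuer name and the audit date are constructed.

```python
"""Certificate housekeeping over the dict format ssl's getpeercert() returns.  Added
example, not the diary's tooling: flags self-signed certs, distrusted issuers (DigiNotar
here), near-expiry, and lifetimes that differ from the 3-year standard the diary mentions."""
import socket
import ssl

DISTRUSTED_ISSUERS = ("DigiNotar",)  # substrings of issuer CNs you no longer trust

def _attr(name, key):
    """Extract one attribute (e.g. commonName) from getpeercert()'s nested RDN tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), "")

def audit_cert(cert, now, standard_years=3, warn_days=30):
    """Return the list of findings for one certificate dict, evaluated at epoch time
    'now' (use time.time() for a live run).  An empty list means clean."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer_cn = _attr(cert["issuer"], "commonName")
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")
    if any(bad in issuer_cn for bad in DISTRUSTED_ISSUERS):
        findings.append(f"distrusted issuer: {issuer_cn}")
    days_left = (not_after - now) / 86400
    if days_left < warn_days:
        findings.append(f"expires in {days_left:.0f} days")
    years = (not_after - not_before) / (365.25 * 86400)
    if round(years) != standard_years:
        findings.append(f"{years:.1f}-year validity, standard is {standard_years}")
    return findings

def fetch_cert(host, port=443):
    """Fetch a live certificate with chain validation; None if the handshake fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

# Constructed sample in getpeercert() format: a 1-year cert from a DigiNotar-named
# issuer, audited as of a constructed date nine days before it expires.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("commonName", "DigiNotar Example CA"),),),
    "notBefore": "Sep 10 00:00:00 2010 GMT",
    "notAfter": "Sep 10 00:00:00 2011 GMT",
}
AS_OF = ssl.cert_time_to_seconds("Sep 01 00:00:00 2011 GMT")
```

Feed fetch_cert()'s result to audit_cert() with time.time() to run the same checks against your own hosts.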



===============

Rob VandenBrink

Metafore
 
Shortly after agreeing to mediation with Google in its lawsuit over alleged Java patent violations in the Android mobile OS, Oracle has taken issue with the executive Google proposed to represent its side, saying he is not senior enough and was also part of past failed attempts at a resolution.
 
As things stand now, the best thing you can do to make your phone more secure is to swear off downloading apps. But who wants a smartphone with no apps on it?
 
Gartner on Thursday sharply dropped its worldwide PC shipment growth forecast for this year and next, citing economic struggles and a market shift from PCs to devices like tablets.
 
system-config-printer Package 'pysmb.py' Local Privilege Escalation Vulnerability
 
OpenSSH Ciphersuite Specification Information Disclosure Weakness
 
Multiple XSS vulnerabilities in LightNEasy 3.2.4
 
[SECURITY] [DSA 2302-1] bcfg2 security update
 
There's a very large push within the last few years for organizations, of all types, industries and sizes, to spend the majority of their data protection efforts on the "Insider Threat". That's to say, focusing in on the employee or temp with the access already in hand, who then could decide to misuse or abuse those given privileges. It is true, the insider threat needs to be addressed and given attention. But is it possible that some of us are focusing on that too much and losing sight of what may be happening on the outside?
 
[ MDVSA-2011:133 ] mozilla
 
OWASP AppSec USA 2011 - Two Weeks Away
 
Amazon's SDKs (software development kits) for Android and Apple's iOS have exited the beta testing phase, the company said on Wednesday.
 
With DDoS attacks at epidemic level, Imperva has announced a new cloud service it claims offers a practical way to fend off the menace up to multi-gigabit level.
 
WordPress Community Events Plugin 'id' Parameter SQL Injection Vulnerability
 
WordPress Paid Downloads Plugin 'download_key' Parameter SQL Injection Vulnerability
 
Hewlett-Packard upgraded the popular Pavilion DM1 laptop and also lowered its price as the company shows that business continues as usual amid efforts to sell or spin off the PC unit.
 
A security researcher criticized Apple for what he called "foot dragging" over the DigiNotar certificate fiasco, and urged the company to quickly update Mac OS X to protect users.
 
NTT DoCoMo said it will offer two tablets on its high-speed LTE network, along with streaming video from Hulu's new Japan service.
 
The ability to run Mac OS X Lion VMs has real appeal, but the implementation is not fully baked
 
IBM has pledged US$1 billion in financing to help small and mid-sized businesses (SMBs) procure certain IBM systems and services, the company announced Thursday.
 
The smartphone war seems to have been won by Android, according to the latest data on smartphones brought to global market over the past year. But there's a fierce fight for the second place spot.
 
NTT DoCoMo's CEO said Thursday that the launch of the Samsung Galaxy Tab next month will not be affected by a patent-infringement lawsuit by Apple.
 
SkaDate 'blogs.php' Cross Site Scripting Vulnerability
 

Posted by InfoSec News on Sep 08

http://www.eweek.com/c/a/Security/Automotive-Navigatoin-Entertainment-Systems-Susceptible-to-Hackers-McAfee-876878/

By Fahmida Y. Rashid
eWEEK.com
2011-09-07

Automobiles are getting smarter as carmakers put in computers that can
help drivers parallel park and add Internet connectivity to post
Facebook or Twitter updates. They are also driving into uncharted
territory as the smart features expose the vehicles to cyber-attacks,
McAfee said in...
 

Posted by InfoSec News on Sep 08

http://thehill.com/blogs/hillicon-valley/technology/179897-obama-administration-wants-tougher-penalties-for-cyber-crimes

By Gautham Nagesh
The Hill
09/07/11

The Obama administration is seeking tougher sentences for people who are
found guilty of hacking or other digital offenses, two officials said
Wednesday.

Associate Deputy Attorney General James Baker and Secret Service Deputy
Special Agent in Charge Pablo Martinez said the maximum...
 

Posted by InfoSec News on Sep 08

http://online.wsj.com/article/SB10001424053111903285704576556072879332538.html

By CASSELL BRYAN-LOW, STEVE STECKLOW and JEANNE WHALEN
The Wall Street Journal
September 8, 2011

LONDON -- U.K. police arrested a man currently employed by News Corp.'s
Times of London newspaper, whose voice allegedly can be heard on a
tape—which was seized by police when he worked at another British
newspaper—in which he receives instructions on how to...
 

Posted by InfoSec News on Sep 08

http://www.military.com/news/article/navy-news/naval-academy-expands-on-cyber-security.html

By Mass Communication Specialist 2nd Class Alexia Riveracorrea
Navy News
September 07, 2011

ANNAPOLIS, Md. -- The new academic year marks the beginning of the Naval
Academy's new cyber security curriculum, in which midshipmen are
required to take classes that will enhance their knowledge of cyber
warfare and the threat it poses to national...
 

Ethical hackers battle to prevent 'information security apocalypse'
CNN International
However only a few days before the emergence of this latest hacking outfit, a far less conspicuous but similarly-skilled group met at a London hotel to discuss the other side of all matters of information security, otherwise known as "infosec". ...
