We haven't really mentioned the ongoing SONY compromise here, in part because there is very little solid information public (and we don't want to just speculate), and also because, without a good idea of what happened, it is difficult to talk about lessons learned.

However, one facet of the attack may have wider implications. Securelist is reporting that they spotted malware that is signed with a valid SONY certificate. It is very likely that the private key used to create the signature was part of the loot from the recent compromise. Malware that is signed by a major corporation is much more likely to be installed by users. It also emphasizes again the depth at which SONY was (or is) compromised.

An effort is underway to revoke the certificate. But certificate revocation lists are notoriously unreliable and slow to update, so it may take a while for the revocation to propagate.

Stolen certificate serial number: 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
Thumbprint: 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a
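As an added example (not part of this diary), the following PowerShell check flags Authenticode-signed files whose signer matches the serial number or thumbprint listed above, so a defender does not have to wait for the revocation to reach the CRL; the scan path is an assumption.

```powershell
# Added example, not from the ISC diary: detect files signed with the stolen Sony
# certificate by matching the signer's thumbprint/serial, independent of CRL state.
# Values are the ones listed above, with spaces removed and upper-cased, which is the
# form .NET's X509Certificate2 exposes them in.
$BadThumbprint = '8DF46B5FDAC2EB3B4757F99866C199FF2B13427A'
$BadSerial     = '01E2B4F759811C64379FCA0BE76D2DCE'

function Test-StolenSonyCert {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        # Unsigned (or unparseable) file: nothing to compare against.
        return [pscustomobject]@{ Path = $Path; Signed = $false; StolenCert = $false; Status = $sig.Status }
    }
    $cert = $sig.SignerCertificate
    # String -eq is case-insensitive in PowerShell, so hash casing does not matter.
    $hit = ($cert.Thumbprint -eq $BadThumbprint) -or ($cert.SerialNumber -eq $BadSerial)
    [pscustomobject]@{
        Path       = $Path
        Signed     = $true
        StolenCert = $hit
        Status     = $sig.Status      # stays 'Valid' until revocation reaches this host
        Subject    = $cert.Subject
    }
}

# Assumed scan root; report only files carrying the stolen signer.
Get-ChildItem -Path 'C:\ProgramData' -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-StolenSonyCert -Path $_.FullName } |
    Where-Object StolenCert |
    Format-Table Path, Status, Subject -AutoSize
```

A hit that still reports Status 'Valid' is exactly the CRL lag the diary describes. Placing the certificate in the machine's Untrusted Certificates store blocks it locally without depending on CRL propagation.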


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Moodle LTI Module CVE-2014-7832 Access Bypass Vulnerability

Adobe today released two new bulletins and updated the Reader/Acrobat bulletin that was published a week ago.


Johannes B. Ullrich, Ph.D.

NEW VMSA-2014-0013 - VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability

Charge Anywhere, a company that routes payment transactions between merchants and payment card processors, said that malicious software planted on its network may have accessed unencrypted sensitive cardholder data for almost five years.

In a statement, the company warned that some of the card data it sends or receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions. Details including names, account numbers, expiration dates, and verification codes are known to be exposed for transactions that occurred this year from August 17 through September 24, although it's possible transactions dating back to November 5, 2009 may also have been accessed, the statement said. The disclosure came after company officials hired an unidentified security firm to investigate the breach.

"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the release stated. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."



The security company investigating the attack against Sony Pictures Entertainment has reportedly penned a letter that seemingly holds the entertainment firm blameless for the breach of its systems—a move that has opened up the investigating firm to criticism by security professionals.

The letter—to SPE’s CEO Michael Lynton from Kevin Mandia, the head of FireEye’s Mandiant, the incident response service the company hired to investigate the attack and restore its network—calls the attack “unprecedented in nature.” Mandia states that the attack would not have been detected by antivirus programs, and the attackers used non-standard strategies to cause damage to the company.

“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public,” Mandia states in the letter, which was leaked to media outlets. “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”



Security firm Kaspersky Labs reports that a new sample of the Destover malware—the malware family used in the recent attack on the networks of Sony Pictures—has been found bearing a valid digital signature that could help it sneak past security screening on some Windows systems. And that digital signature is courtesy of a certificate stolen from Sony Pictures.

The newly discovered variant of the malware was signed on December 5 and is otherwise identical to a version compiled in July. It attempts to connect to two different command and control servers, both previously associated with the malware that took down Sony Pictures—one at a university in Thailand, and another associated with a business customer of Time Warner Cable in Champlain, New York. According to a post by Kaspersky Lab’s Global Research and Analysis Team, the malware alternates attempts at connections between the two IP addresses, pausing between attempts.

The version that was used to spread the “wiper” malware that took down Sony Pictures was compiled just days before that attack and included hard-coded instructions for attacking infrastructure within Sony’s network. The new signed version appears to be a more general-purpose version of the backdoor and could conceivably be part of a botnet toolkit used to deliver other malware. The signature could allow the malware to be installed without being stopped by corporate system management measures such as application whitelisting—especially if it was intended to re-target Sony Pictures’ network for another attack.


Adobe Reader and Acrobat CVE-2014-9150 Security Bypass Vulnerability
[security bulletin] HPSBGN03222 rev.1 - HP Enterprise Maps running SSLv3, Remote Disclosure of Information
[security bulletin] HPSBGN03208 rev.1 - HP Cloud Service Automation running SSLv3, Remote Disclosure of Information
[CVE-2014-8340] phpTrafficA SQL injection

Overview of the December 2014 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating (**) | ISC rating (*) clients | ISC rating (*) servers |
|---|---|---|---|---|---|---|
| MS14-075 | Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (Replaces MS13-105); Microsoft Exchange | KB 3009712 | . | Severity: Important | N/A | Important |
| MS14-080 | Cumulative Security Update for Internet Explorer (Replaces MS14-065); Microsoft Windows, Internet Explorer; CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966 | KB 3008923 | . | Severity: Critical | Critical | Critical |
| MS14-081 | Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (Replaces MS14-017, MS14-061, MS14-069); Microsoft Office | KB 3017301 | . | Severity: Critical | Critical | Important |
| MS14-082 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (Replaces MS09-060); Microsoft Office | KB 3017349 | . | Severity: Important | Critical | Important |
| MS14-083 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-085); Microsoft Office | KB 3017347 | . | Severity: Important | Critical | Important |
| MS14-084 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (Replaces MS14-011); Microsoft Windows | KB 3016711 | . | Severity: Critical | Critical | Critical |
| MS14-085 | Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure; Microsoft Windows | KB 3013126 | vuln. public | Severity: Important | Important | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" ...
    • Less Urgent: ... practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat.

Alex Stanford - GIAC GWEB GSEC
Research Operations Manager,
SANS Internet Storm Center


Cybersecurity Skills Shortage Panic in 2015?
Network World
When it comes to cybersecurity, it's sexy to talk about sophisticated adversaries, innovation and VC-backed startups – intrigue, money and technology drive the infosec market. I get this but we still need people in place who know what they are doing ...

LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Ghostscript could be made to crash or run programs as your login if it opened a specially crafted file.
LinuxSecurity.com: JasPer could be made to crash or run programs as your login if it opened a specially crafted file.
LinuxSecurity.com: Multiple vulnerabilities have been found in libvirt, worst of which allows context-dependent attackers to escalate privileges.
LinuxSecurity.com: A vulnerability in Dovecot could allow a remote attacker to create a Denial of Service condition.
LinuxSecurity.com: A vulnerability in nfs-utils might allow remote attackers to gain access to restricted information.
LinuxSecurity.com: Multiple vulnerabilities have been found in QEMU, the worst of which allows context-dependent attackers to cause a Denial of Service.
Mozilla Firefox CVE-2014-1589 XBL Bindings Security Bypass Vulnerability
Mozilla Firefox CVE-2014-1591 Information Disclosure Vulnerability
Subrion CMS Security Advisory - XSS Vulnerability - CVE-2014-9120
[SECURITY] [DSA 3093-1] linux security update
binutils CVE-2014-8502 Heap Based Buffer Overflow Vulnerability
[security bulletin] HPSBST03154 rev.2 - HP StoreFabric C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell, Remote Code Execution
[SECURITY] [DSA 3094-1] bind9 security update

Posted by InfoSec News on Dec 09


By Peter Lauria
BuzzFeed Staff
December 3, 2014

The vast trove of internal data hackers took from Sony Pictures
Entertainment isn’t just a nightmare for its employees, whose deeply
personal information was made public. It also revealed intricate details
about Sony’s business, including syndication contracts and movie licensing
deals, which...

Posted by InfoSec News on Dec 09


By Sara Peters
Dark Reading

Over the past seven weeks, we've examined how to reach that lofty position
of chief information security officer (CISO). We got a peek into what
employers are looking for in a CISO from Mark Aiello, president of the
Boston cyber security staffing firm Cyber360 Solutions. We heard the
professional origin stories of five CISOs:...

Posted by InfoSec News on Dec 09


By Elizabeth Snell
Health IT Security
December 8, 2014

With cyber threats on the rise, healthcare security systems must keep pace
in order to best protect patient data, as well as their own clinical

One of the best ways to do that is with organizations working together and
communicating strategies to one another, according to Lynne Dunbrack,...

Posted by InfoSec News on Dec 09


By Gabriella Coleman
Dec. 8 2014

This essay is adapted from Hacker, Hoaxer, Whistleblower, Spy: The Many
Faces of Anonymous, by Gabriella Coleman, published by Verso. On the
evening of Thursday, Dec. 11, Coleman will be discussing her book with the
ACLU’s Christopher Soghoian at a free Future Tense...

Posted by InfoSec News on Dec 09


By Dan Goodin
Ars Technica
Dec 8 2014

Some of the world's leading websites—including those owned or operated by
Bank of America, VMware, the US Department of Veteran's Affairs, and
business consultancy Accenture—are vulnerable to simple attacks that
bypass the transport layer security encryption designed to thwart...
QEMU CVE-2014-3640 Local Denial of Service Vulnerability
[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
libvirt CVE-2013-4292 Multiple Remote Denial of Service Vulnerabilities
JasPer 'jpc_dec.c' Multiple Remote Heap Buffer Overflow Vulnerabilities