Hackin9

Look, up in the URL. It's a BASE64, it's a URI. This looks like a job for freq.py

This diary is a follow-up to yesterday's post on using freq.py to find DGA (Domain Generation Algorithm) host names in your logs using frequency tables. If you didn't see that post you should review it first before continuing. You can find that diary here: https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/

Fellow SANS Instructor/GSE Kevin Fiscus suggested another use for the tool to me last week when I showed him what I had been working on. Kevin pointed out that it is difficult to find BASE64 encoded strings programmatically. Because BASE64 uses uppercase letters, lowercase letters, numbers, slashes and plus signs, a program has a hard time telling the difference between a BASE64 encoded string and a URI (the part of the URL after the domain name). Consider these two strings:

String 1: Q09NRSBUTyBNWSBQWVRIT04gQ0xBU1MgSU4gVkVHQVMhISEh
String 2: forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893

Both of these are properly formatted BASE64 strings: every character is in the BASE64 alphabet and the length is a multiple of four. But only one of them is intentionally BASE64 encoded, and only one of them will decode to something other than garbage. Our frequency table will work nicely to tell the two apart. This time a HIGH probability (above 5) indicates that the string is NOT BASE64 encoded and a LOW probability (below 5) indicates that it is. You can do this from the command line with

python freq.py --measure "<suspect BASE64 string>" frequency_table.freq

or with freq.exe on Windows, using the tools available for download here. But we used the command line yesterday, and I want to show you another way to use the Python script. This time let's import freq.py as a Python module. First I start up an interactive Python session. Then I import the freq module.

$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:38)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from freq import *

Next I assign the variable fc to hold a frequency counter object, then load my prebuilt english_lowercase.freq table.

>>> fc = FreqCounter()
>>> fc.load("english_lowercase.freq")

Next I use the .probability() method to measure the probability of the two strings.

>>> fc.probability("forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893")
9.490788394012279
>>> fc.probability("Q09NRSBUTyBNWSBQWVRIT04gQ0xBU1MgSU4gVkVHQVMhISEh")
2.578357325221811

The URI scores well above 5, indicating that it is not random text and in this case not BASE64. The second string scores 2.5, indicating that it is more likely to be a BASE64 encoded string. Once again this isn't perfect. You could still have a URI with random ASCII strings in it that scores low, but it does help to differentiate between common URI strings and BASE64 encoded strings. This is confirmed when we try to BASE64 decode each of the strings (Python 2's str.decode):

>>> "forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893".decode("base64")
'~\x8a\xee\x9a\xcf\xdd\x89\xaa\xf2\xfc7\xady\xcbb\x9e\x0f\x91jwh\x9b\xe1b\x9d\xd8\xa7\x83\xe0%\x82\x8a\xe2\xb6\x19\xa2q\xa9e\xcb\xe7!\xa2\xc7\xa7\xf83R\xfav\xa6z\xcf\x83\x18\x0f\xf5\xf7\xcfw'
>>> "Q09NRSBUTyBNWSBQWVRIT04gQ0xBU1MgSU4gVkVHQVMhISEh".decode("base64")
'COME TO MY PYTHON CLASS IN VEGAS!!!!'

Follow me on twitter @MarkBaggett

Want to learn to use this code in your own script or build tools of your own? Join me for Python SEC573 in Las Vegas this September 14th! Click here for more information.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

VMware has issued a security bulletin regarding a host privilege escalation vulnerability affecting VMware Workstation 10 and 11, VMware Player 6 and 7, and the VMware Horizon Client for Windows prior to version 5.4.2.

http://www.vmware.com/security/advisories/VMSA-2015-0005.html

1. Summary
VMware Workstation, Player and Horizon View Client for Windows updates address a host privilege escalation vulnerability.
2. Relevant Releases
VMware Workstation for Windows 11.x prior to version 11.1.1
VMware Workstation for Windows 10.x prior to version 10.0.7
VMware Player for Windows 7.x prior to version 7.1.1
VMware Player for Windows 6.x prior to version 6.0.7
VMware Horizon Client for Windows (with Local Mode Option) prior to version 5.4.2
3. Problem Description
a. VMware Workstation, Player and Horizon View Client for Windows host privilege escalation vulnerability.

VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.

VMware would like to thank Kyriakos Economou of Nettitude for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3650 to this issue.

Full details are available here:

http://www.vmware.com/security/advisories/VMSA-2015-0005.html

Twitter:@markbaggett

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.

"If you underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF-86, SF-85, or SF-85P for either a new investigation or a reinvestigation), it is highly likely that you are impacted by the incident involving background investigations," OPM officials warned in an update published Thursday. "If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely."


 

BankInfoSecurity.com (blog)

InfoSec Spending: Playing Catchup
The federal government last year spent $13 billion on cybersecurity, and President Obama proposes spending $14 billion next year. Will the extra money make a difference? Perhaps. But it feels as if we'll never be fully secure regardless of how much ...

 

CSO Online

The CSA is the new VIP of information security
With a bit of license, a CSA can be defined as the person who plans, designs and oversees the information security components of networks, systems and applications (software). The CSA provides key constituent stakeholders with effective architectural ...

 

There's a critical vulnerability in some versions of the widely used OpenSSL code library that in some cases allows attackers to impersonate cryptographically protected websites, e-mail servers, and virtual private networks, according to an advisory issued early Thursday morning.

The bug allows attackers to force vulnerable end-user applications into treating an invalid certificate as a legitimate transport layer security (TLS) or secure sockets layer (SSL) credential. As a result, adversaries with the ability to monitor a connection between the end user and trusted server could intercept or even modify data passing between them. The vulnerability resides in OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. The flaw appears to have been added earlier this year, based on this Github contribution dated January 27. It wasn't introduced into the actual OpenSSL versions until last month, however.

The flaw has the potential to be extremely serious because in certain cases it makes it trivial to bypass the most popular—and in many cases, the only—form of encryption and cryptographic authentication available for websites, e-mail servers, and virtual private networks. The bug allows attackers to bypass certain checks that are supposed to be carried out when an end-user app is establishing an encrypted session with a server. As a result, the attacker can make an invalid certificate appear as if it belongs to a trusted certificate authority and issue forged certificates for any website.


 

OpenSSL 1.0.2d and 1.0.1p were released fixing an issue with the certificate verification process. The security advisory for the issue can be found here:

OpenSSL Security Advisory [9 Jul 2015]
=======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and issue an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150709.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 

Patch your firewalls!

2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.

Follow me on twitter
Join me for Python SEC573 in Las Vegas this September 14th! Click here for more information.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
LinuxSecurity.com: Several security issues were fixed in Django.
 

Most normal user traffic communicates via a hostname and not an IP address. So looking for traffic that communicates directly by IP with no associated DNS request is a good thing to do. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that uses algorithmically chosen host names rather than IP addresses for its command and control channels. This malware uses what has been called a DGA, or Domain Generation Algorithm, to create random looking host names for its TLS command and control channel or to digitally sign its SSL certificates. These do not look like normal host names. A human being can easily pick them out of our logs and traffic, but it turns out to be a somewhat challenging thing to do in an automated process. Natural Language Processing or measuring the randomness don't seem to work very well. Here is a video that illustrates the problem and one possible approach to solving it.

One way you might try to solve this is with a tool called ent. ent is a great Linux tool for measuring the entropy of files. Fed random data it reports close to 8 bits per byte; fed one repeated byte it reports close to 0:

Entropy = 7.999982 bits per byte.   -- 8 = highly random
[~]$ python -c "print 'A'*1000000" | ent
Entropy = 0.000021 bits per byte.   -- 0 = not random

So 8 is highly random and 0 is not random at all.

[~]$ echo google | ent
Entropy = 2.235926 bits per byte.
[~]$ echo clearing-house | ent
Entropy = 3.773557 bits per byte.   -- valid hosts are in the 2 to 4 range

google scores 2.23 and clearing-house scores 3.7. So it appears as though legitimate host names will be in the 2 to 4 range.

[~]$ echo e6nbbzucq2zrhzqzf | ent
Entropy = 3.503258 bits per byte.
[~]$ echo sdfe3454hhdf | ent
Entropy = 3.085055 bits per byte.   -- malicious hosts from Skybot and Styx are in the same range as valid hosts

That's no good. Known malicious host names are also in the 2 to 4 range. They score just about the same as normal host names. We need a different approach to this problem.

Normal readable English has some pairs of characters that appear more frequently than others. TH, QU and ER appear very frequently, but other pairs like WZ appear very rarely. Specifically, there is approximately a 40% chance that a T will be followed by an H. There is approximately a 97% chance that a Q will be followed by the letter U. There is approximately a 19% chance that E is followed by R. With regard to unlikely pairs, there is approximately a 0.004% chance that W will be followed by a Z. So here is the idea: let's analyze a bunch of text and figure out what normal looks like, then measure the host names against those tables. I'm making this script and a Windows executable version of the tool available for you to try out. Let me know how it works. Here is a look at how to use the tool.

Step 1) You need a frequency table. I shared two of them in my GitHub; if you want to use them you can download them and skip to step 2.

1a) Create the table. I'm creating a table called custom.freq:

C:\freq>freq.exe --create custom.freq

1b) You can optionally turn ON case sensitivity if you want the frequency table to count uppercase and lowercase letters separately. Without this option the tool converts everything to lowercase before counting character pairs:

C:\freq>freq.exe -t custom.freq

1c) Next fill the frequency table with normal text. You might load it with known legitimate host names like the Alexa top 1 million most commonly accessed websites (http://s3.amazonaws.com/alexa-static/top-1m.csv.zip). I will just load it up with famous works of literature:

C:\freq>for %i in (txtdocs\*.*) do freq.exe --normalfile %i custom.freq
C:\freq>freq.exe --normalfile txtdocs\center_earth custom.freq
C:\freq>freq.exe --normalfile txtdocs\defoe-robinson-103.txt custom.freq
C:\freq>freq.exe --normalfile txtdocs\dracula.txt custom.freq
C:\freq>freq.exe --normalfile txtdocs\freck10.txt custom.freq
C:\freq>

Step 2) Measure badness!

Once the frequency table is filled with data you can start measuring strings to see how probable they are according to the table.

C:\freq>freq.exe --measure google custom.freq
6.59612840648
C:\freq>freq.exe --measure clearing-house custom.freq
12.1836883765

So normal host names have a probability above 5 (at least these two do, and most others). We will consider anything above 5 to be good for our tests.

C:\freq>freq.exe --measure asdfl213u1 custom.freq
3.15113061843
C:\freq>freq.exe --measure po24sf92cxlk

Our malicious hosts score less than 5, so 5 seems to be a pretty good benchmark. In my testing it works pretty well for picking out these abnormal host names, but it isn't perfect. Nothing is. One problem is that very short host names and acronyms that do not appear in the source files you use to build your frequency tables will also score below 5. For example, fbi and cia both come up below 5 when I use only classic literature to build my tables. But I am not limited to classic literature. That leads us to step 3.

Step 3) Tune for your organization.

The real power of frequency tables comes when you tune one to match the normal traffic on your network. Two options do this: --normal and --odd. --normal takes a string you know to be normal and updates the frequency table with it. Both --normal and --odd can be combined with the --weight option to control how much influence the given string has on the probabilities in the frequency table. Its effectiveness is demonstrated in the accompanying YouTube video. Note that marking random host names as --odd is not a good strategy; it simply injects noise into the frequency table. Like everything else in security, identifying all the bad in the world is a losing proposition. Instead, focus on learning normal and identifying anomalies. So passing --normal cia --weight 10000 adds 10000 counts of the pair ci and of the pair ia to the frequency table and raises the probability score of cia:

C:\freq>freq.exe --normal cia --weight 10000 custom.freq
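To make the three steps above concrete, here is a small Python implementation of the same idea: build a character-pair frequency table from normal text, score strings against it with the 5-point rule of thumb, and then tune the table with a weighted "normal" string. This is an added example written for this diary, not Mark Baggett's freq.py; the exact scoring formula freq.py uses is not reproduced here. My assumptions: pairs containing whitespace are skipped, a string's score is the mean, in percent, of the chance that each character is followed by the next one, and a pair whose first character was never seen contributes 0. The sample text is constructed and stands in for the literature files.

```python
"""Bigram (character-pair) frequency scoring in the spirit of freq.py.

Added illustration for this diary, not Mark Baggett's freq.py. Assumptions
that are mine, not the tool's: the table counts adjacent character pairs,
pairs containing whitespace are skipped, and a string's score is the mean,
in percent, of P(next char | current char) across its pairs. A pair whose
first character was never seen contributes 0.
"""
from collections import defaultdict

# Constructed sample of ordinary English, standing in for the literature
# files loaded with --normalfile. Any large body of normal text will do.
SAMPLE_TEXT = """
The quick brown fox jumps over the lazy dog while the other dogs sleep.
There are many houses along the river and the people there are friendly.
Every morning the children walk to school and the shops open their doors.
Questions about the weather are answered quietly by the old man at the gate.
"""

THRESHOLD = 5.0  # the diary's rule of thumb: below 5 looks random


class FreqTable:
    """Table of how often each character is followed by each other character."""

    def __init__(self, case_sensitive=False):
        self.case_sensitive = case_sensitive
        # counts[first][second] = number of times 'second' followed 'first'
        self.counts = defaultdict(lambda: defaultdict(int))

    def _norm(self, text):
        return text if self.case_sensitive else text.lower()

    def tally(self, text, weight=1):
        """Count every adjacent pair in text 'weight' times.

        tally(s) is the --normal / --normalfile idea;
        tally(s, weight=N) is --normal s --weight N.
        """
        text = self._norm(text)
        for first, second in zip(text, text[1:]):
            if first.isspace() or second.isspace():
                continue
            self.counts[first][second] += weight

    def pair_probability(self, first, second):
        """Percent chance, per the table, that 'first' is followed by 'second'."""
        following = self.counts.get(first)
        if not following:
            return 0.0
        return 100.0 * following.get(second, 0) / sum(following.values())

    def score(self, string):
        """Mean pair probability of the string; 0.0 if it has no usable pairs."""
        string = self._norm(string)
        pairs = [(a, b) for a, b in zip(string, string[1:])
                 if not (a.isspace() or b.isspace())]
        if not pairs:
            return 0.0
        return sum(self.pair_probability(a, b) for a, b in pairs) / len(pairs)


def looks_random(table, hostname, threshold=THRESHOLD):
    """True when the host name scores below the threshold, i.e. looks DGA-like."""
    return table.score(hostname) < threshold


def build_sample_table():
    table = FreqTable()
    table.tally(SAMPLE_TEXT)
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for name in ["google", "clearing-house", "asdfl213u1", "po24sf92cxlk", "cia"]:
        verdict = "looks random" if looks_random(table, name) else "ok"
        print("%-16s %7.3f  %s" % (name, table.score(name), verdict))
    # Step 3: an acronym that is normal for us but absent from the corpus.
    table.tally("cia", weight=10000)
    print("cia after --normal cia --weight 10000: %.3f" % table.score("cia"))
```

With such a tiny corpus the absolute numbers will differ from the ones above; what carries over is the shape of the approach: a short acronym like cia scores near zero until you teach the table that it is normal, and a weighted tally is how that teaching happens.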

The source code and a Windows executable version of this program can be downloaded from here: https://github.com/MarkBaggett/MarkBaggett/tree/master/freq

Tomorrow in my diary I will show you some other cool things you can do with this approach and how you can incorporate it into your own tools.

Follow me on twitter @MarkBaggett

Want to learn to use this code in your own script or build tools of your own? Join me for Python SEC573 in Las Vegas this September 14th! Click here for more information.

What do you think? Leave a comment.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted by InfoSec News on Jul 09

http://arstechnica.com/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/

By Dan Goodin
Ars Technica
July 8, 2015

In February 2013, Twitter detected a hack attack in progress on its
corporate network. "This attack was not the work of amateurs, and we do
not believe it was an isolated incident," a Twitter official wrote when
disclosing the intrusion. Sure enough, similar attacks were visited...

Posted by InfoSec News on Jul 09

http://www.informationweek.com/mobile/mobile-devices/encryption-hinders-investigations-fbi-chief/d/d-id/1321231

By Thomas Claburn
Informationweek.com
July 8, 2015

FBI Director James Comey appeared before the Senate Judiciary Committee on
Wednesday to argue for legal support to weaken strong encryption, which he
claims obstructs criminal investigations.

The title of the hearing, "Going Dark: Encryption, Technology, and the
Balance...

Posted by InfoSec News on Jul 09

http://www.bankinfosecurity.com/interviews/fs-isac-remote-access-attack-alert-i-2787

By Tracy Kitten
Bank Info Security
July 8, 2015

Remote-access attacks waged against smaller merchants are a growing
threat, according to a cybersecurity alert published July 7. The alert was
released by the Financial Services Information Sharing and Analysis
Center, along with Visa, the U.S. Secret Service and The Retail Cyber
Intelligence Sharing Center,...

Posted by InfoSec News on Jul 09

http://healthitsecurity.com/news/healthcare-vendor-risk-management-programs-lagging-says-study

By Elizabeth Snell
healthitsecurity.com
July 8, 2015

Healthcare vendor risk management programs can have a huge impact on a
healthcare organization’s ability to keep sensitive data - such as patient
PHI - secure. However, if a recent study is any indication, healthcare
vendor risk management programs have room for improvement.

The 2015 Vendor...

Posted by InfoSec News on Jul 09

http://www.defenseone.com/technology/2015/07/how-break-cias-cloud-amazon/117175/

By Patrick Tucker
defenseone.com
July 7, 2015

Last year, Amazon Web Services surprised a lot of people in Washington by
beating out IBM for a $600 million contract to provide cloud services and
data storage to the CIA and the broader intelligence community. But more
money can bring more problems. Amazon, in essence, has turned itself into
the most valuable data...