Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel has provided more details on its upcoming 15-core Xeon chip code-named Ivytown, which has 4.31 billion transistors and will go into high-end servers.
 
Amazon Web Services now offers a hosted version of the R programming language, providing an easy way for individuals and organizations to start and test their big-data-styled analysis projects.
 
Microsoft on Monday unexpectedly added two more critical security updates to the list it will deliver tomorrow, including one for all versions of Internet Explorer and another for the soon-to-be-retired Windows XP.
 
Google's sale of Motorola to Lenovo may appear to mark the close of a dark chapter in the search giant's history -- the failure to succeed in the hardware business.
 
Nokia plans to announce an Android-based smartphone at Mobile World Congress in Barcelona in two weeks, according to the Wall Street Journal.
 
Jeff Godin had a good job as a police dispatcher in Chester County, Penn., but quit to work full-time on other projects, including building an app for police and emergency professionals.
 
A problem identified by Mt. Gox as a bug in Bitcoin software is actually a longstanding technical issue Mt. Gox should have prepared for, the Bitcoin Foundation said Monday.
 
Television sales fell 9% last year due to a lack of interest by consumers in refreshing current technology, according to IHS.
 
There's some good news for the many SAP customers who use Oracle's database underneath SAP applications. Breaking from tradition, SAP will certify its software for the initial major release of the Oracle 12c database.
 
Mask victims by IP address.
Kaspersky Lab

Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries.

The "Mask" campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, key strokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple's iOS and Google's Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries. The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it.

Mask—or "Careto" as its Spanish translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these "advanced persistent threats" (APTs) are much more determined. They're tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value.

 
A vulnerability in Snapchat allows attackers to launch denial-of-service attacks against users of the popular photo messaging app, causing their phones to become unresponsive and even crash.
 
A recent survey from ThreatTrack Security found that 40 percent of tech support employees said they'd been called in to remove malware from the devices of employees who'd been visiting porn sites online. Have you run into this problem at your organization?
 
Microsoft's new service, Power BI, provides a way to analyze data and present the results in a visually appealing way, without the bother of consulting an enterprise business intelligence software package.
 
Intel has designed a new integrated graphics core that the company claims can improve the battery life of smartphones, tablets and laptops.
 
Investment agitator and former corporate raider Carl Icahn today ended his fight to get Apple to boost its share buyback program by another $50 billion after an influential proxy advisory service nixed the idea.
 
Bill Gates has hopes a better condom will reduce HIV infections, is optimistic about digital currencies' ability to help the poor, and trusts he'll be able to help Microsoft in his new role as technology adviser.
 
Now that Sony plans to sell off its Vaio laptop business and convert its TV business into a subsidiary, the Japanese electronics giant appears poised to beef up its line of mobile products, including smartphones and tablets -- but especially wearable tech.
 
CHICKEN 'read-string!' Procedure Remote Buffer Overflow Vulnerability
 
GNU libiberty '_objalloc_alloc()' Function CVE-2012-3509 Remote Integer Overflow Vulnerability
 
Turkey might be about to learn how attempts to control the population by limiting the Internet can backfire.
 
Microsoft's appeal to its technically-advanced customers to help friends and family ditch Windows XP didn't quite work out like the company had hoped.
 
LinuxSecurity.com: An insecure temporary file usage has been reported in PulseAudio, possibly allowing symlink attacks.
 
LinuxSecurity.com: A buffer overflow in Apache mod_fcgid might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.
 
LinuxSecurity.com: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, too-verbose error messages and missing permission checks may lead to the execution of arbitrary code, the bypass of security [More...]
 
LinuxSecurity.com: Two vulnerabilities in International Components for Unicode might allow remote attackers to cause a Denial of Service condition.
 
LinuxSecurity.com: A vulnerability in DjVu could result in execution of arbitrary code or Denial of Service.
 
LinuxSecurity.com: PAM S/Key does not clear provided credentials from memory, allowing local attackers to gain access to cleartext credentials.
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was incomplete. [More...]
 
LinuxSecurity.com: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition. [More...]
 
LinuxSecurity.com: An integer overflow in Links might allow remote attackers to cause a Denial of Service condition.
 
Mozilla Network Security Services CVE-2014-1491 Unspecified Security Vulnerability
 

I got to thinking about the 3 "big story" breaches that we've all been discussing over the last month or so.  Just adding things up, we're at a count of over 100 million cards and personal information disclosed.

Just thinking about it over the weekend, I realized two things:
1/ All these breaches affect the only region still using card-swipe only credit cards - the United States.
2/ The count of cards compromised is right around 1/3 the population of the United States

With this many cards compromised and needing replacement, isn't it time that the industry wakes up and smells the coffee? Everyone (yes everyone) else in the world has moved to Chip and PIN technology, which makes theft of credit cards much more difficult (though not impossible, looking at recent events in the UK).  These breaches illustrate (again) that the US staying on this old technology for cards has the effect of making theft of cards much easier in the US, focusing the attention of criminals on US cards.

If we're replacing that many cards, wouldn't RIGHT NOW be a really good time to issue 110 million bright, shiny new Chip and PIN credit cards for the folks who are the victims of these breaches?  I know that this would complicate things on the logistics side, but it's not new technology - this could certainly be arranged.  Even if the Chip / PIN technology isn't actually used (there are a boatload of machines that need replacing for one thing), it at least gets things moving in the right direction.

Please, share your thoughts on this in our comment form - am I off base?

===============
Rob VandenBrink
Metafore

 

I have a client who's done the right thing, they've broken out their test environment from their production environment.  The production environment is in a colocation facility, and uses a different firewall.  The test environment is in the office location, and shares the office subnet and the office firewall.  So sort-of the right thing, they're moving in the right direction - I would have given the test lab its own firewalled DMZ subnet.

About two years ago, one of the server admins asked the office firewall administrator to open port 3389 (RDP) to a test box, so that they could continue their build at home.  Not a great solution - I would have told him to VPN in and do it without changing the firewall - but it was done, the build got done and life moved on.

Unfortunately, the firewall change was not documented, was not remembered and was not backed out.

Fast forward 2 years.  The two folks from 2 years back have both moved on to other positions and/or companies, and a new server admin is building a new Hyper-V server in the test environment.  They're just about to deploy to production when he notices RDP connections to it from our friends in China.  Yes, that undocumented change had come home to roost!

So, after we did the post mortem, what did they learn?

  • There's no fixing a compromised hypervisor - NFO (Nuke from Orbit) - repartitioning the RAID Array and starting over is always the best advice.
  • Hypervisors don't need a GUI - they shouldn't be RDP'ing into that box for admin in the first place.
  • DOCUMENT ALL FIREWALL CHANGES.  HAVE A CHANGE CONTROL PROCESS.  Happily, they've got a formal change control process now.  On the firewall, there's an assessment step on all changes, to decide if the requested change is a good idea in the first place (open RDP was a singularly BAD idea).
  • Finally, they now run a basic NMAP scan (all addresses in the range, all ports) of the office environment from the colo, and the results are run through diff, comparing it for changes against yesterday's results.  This client is lucky in this regard because they have 2 separate locations that can scan each other, but in a more typical situation, the folks responsible for security might do this from their laptop, scanning from home after work or before driving in each day.

You'd be surprised what a full port scan might find - those issues we're stuck with on open ports on home firewalls (https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336 and https://isc.sans.edu/diary/Exposed+UPNP+Devices/15040 for instance) would have been caught a long time ago if more folks scanned their infrastructure from the untrusted outside network!  Mind you, typically home users never patch their firewalls anyway, so all those open PNP and other backdoor ports are with us for the long haul now.

Do you regularly scan your firewall from the outside?  Does your scan highlight changes, or are you looking for just vulnerabilities (using Nessus or similar) rather than changes?   Let us know in our comment form below.

===============
Rob VandenBrink
Metafore
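
The daily scan-and-diff check from the diary above, as an added example (not the author's or the client's script). It assumes the scan is saved in nmap's grepable format (`nmap -p- -oG`); the file names, function names and sample hosts are constructed for illustration. Comparing normalised "host port/proto" lines rather than raw output keeps timestamps and banner changes out of the diff.

```sh
#!/bin/sh
# Added example: report ports that opened or closed between two daily scans.
# Real scans would come from e.g.:  nmap -p- -oG today.gnmap <office range>

# Reduce grepable nmap output to sorted "ip port/proto" lines, open ports only.
open_ports() {
  awk -F'\t' '/Ports: / {
    split($1, h, " "); ip = h[2]
    for (k = 2; k <= NF; k++) if ($k ~ /^Ports: /) {
      s = $k; sub(/^Ports: /, "", s)
      n = split(s, p, ", ")
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] == "open") print ip, f[1] "/" f[3]
      }
    }
  }' "$1" | LC_ALL=C sort -u
}

# Print OPENED/CLOSED lines for every difference between yesterday and today.
report_changes() {
  rc_old=$(mktemp); rc_new=$(mktemp)
  open_ports "$1" > "$rc_old"
  open_ports "$2" > "$rc_new"
  LC_ALL=C comm -13 "$rc_old" "$rc_new" | sed 's/^/OPENED /'
  LC_ALL=C comm -23 "$rc_old" "$rc_new" | sed 's/^/CLOSED /'
  rm -f "$rc_old" "$rc_new"
}

# Constructed sample scans (documentation addresses, not real hosts).
make_samples() {
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n' > "$1/yesterday.gnmap"
  printf 'Host: 192.0.2.20 ()\tPorts: 443/open/tcp//https///\n' >> "$1/yesterday.gnmap"
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\n' > "$1/today.gnmap"
  printf 'Host: 192.0.2.20 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\n' >> "$1/today.gnmap"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
report_changes "$demo_dir/yesterday.gnmap" "$demo_dir/today.gnmap"
rm -rf "$demo_dir"
```

Any OPENED line that has no matching change-control record is the case the diary describes and is worth a ticket the same day.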

 
CIOs still have the last word over most IT spending but over time they will work more closely with business units on buying decisions, a Forrester Research survey finds.
 
Xen XSM/Flask Hypercalls Local Integer Overflow Vulnerability
 
Xen 'FLASK_AVC_CACHESTAT' Hypercall Off-By-One Error Local Memory Corruption Vulnerability
 
Dokeos Multiple HTML Injection Vulnerabilities
 
The antitrust division of the U.S. Department of Justice closed its investigation into attempts by Samsung Electronics to use standards-essential patents to ban Apple products from the U.S. market.
 
Hewlett-Packard is expanding the scope of its OneView infrastructure management console, releasing a OneView plug-in that should help system administrators more efficiently manage their VMware vCenter operations with OneView functionality.
 
Erickson Living, a company that manages 16 Continuing Care Retirement Communities in nine states, faces a unique challenge when it comes to installing a wireless network: each retirement community has common areas where residents share available bandwidth, but there are also individual residential units where end users have their personal phone and Internet connections.
 
ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability
 
suPHP 'source-highlighting' Feature Local Restriction-Bypass Vulnerability
 
As vice president and CIO at WellPoint's commercial business unit, Darren Ghanayem is juggling the mandates of the new federal healthcare law while continuing to support corporate initiatives.
 
The U.S. government has asked industry for information on whether commercially available services can provide a viable alternative to the government's holding bulk phone records for a program of the National Security Agency.
 
While the path-to-mastery pattern is conceptually simple, successfully executing it requires courage, perseverance and patience.
 
Today, lawyers at times have as much influence as engineers, if not more, and patents are used to fend off competitors and to force them to pay licensing fees that can run to billions of dollars annually.
 
You know technology cold, you understand the business, and you're ready to step up to a senior IT leadership position, but can you communicate all that to the C-suite? Here's how other CIOs got their voices heard.
 
Microsoft disclosed new CEO Satya Nadella's stock holdings -- both those he now controls and a larger number he has coming to him -- at 1.1 million shares, with a paper value of nearly $40 million.
 
The most-sought skills of 2014, and the outlook for IT spending this year.
 
By combining the current deployment of network data loss prevention with endpoint DLP, hidden network recesses will come into view.
 
Android SDK Platform Tool Signedness Error Stack Buffer Overflow Vulnerability
 
Spring Framework 'JavaScriptUtils.javaScriptEscape()' Method Cross Site Scripting Vulnerability
 
Spring Framework CVE-2013-6429 Multiple XML External Entity Injection Vulnerabilities
 
DjVuLibre '.djv' File CVE-2012-6535 Remote Memory Corruption Vulnerability
 
PulseAudio Insecure Temporary File Creation Vulnerability
 
ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure
 
[slackware-security] mozilla-thunderbird (SSA:2014-039-02)
 
Apache Commons FileUpload CVE-2014-0050 Denial Of Service Vulnerability
 
#CONFidence 2014- Call for Papers, only 0111 days left to become CONFidence ninja
 
[slackware-security] seamonkey (SSA:2014-039-03)
 
[slackware-security] mozilla-firefox (SSA:2014-039-01)
 
[SECURITY] [DSA 2857-1] libspring-java security update
 
[SECURITY] [DSA 2856-1] libcommons-fileupload-java security update
 
WHMCS Denial of Service Vulnerability
 
Facebook Bug Bounty #12 - Client Side Exception Web Vulnerability
 
gpEasy v4.3.x CMS - Multiple Web Vulnerabilities
 
Internet Storm Center Infocon Status