(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[SECURITY] [DSA 2976-1] eglibc security update
IBM, Microsoft, Red Hat and other IT vendors are lending a hand to Google to help build software that enterprises could use to manage their computerized workloads in the cloud.
Outsourcing firm Infosys is being sued by four IT pros who allege it discriminates against U.S. workers.

Microsoft has issued an emergency update for most supported versions of Windows to prevent attacks that abuse recently issued digital certificates impersonating Google and Yahoo. Company officials warned undiscovered fraudulent credentials for other domains may still be in the wild.

Thursday's unscheduled update effectively blocks 45 highly sensitive secure sockets layer (SSL) certificates that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. That's an intermediate certificate authority (CA) whose certificates were automatically trusted by all supported versions of Windows. Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers. As Ars explained Wednesday, the counterfeit certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."


RETIRED: FireEye Malware Analysis System Multiple Security Vulnerabilities
Dell SonicWALL Scrutinizer Multiple Security Vulnerabilities
Microsoft's price cuts for some Office 365 plans was an attempt to keep momentum on its software-by-subscription push, an analyst said.
Oracle's massive annual OpenWorld conference isn't happening until late September, but the vendor recently unveiled details of nearly 1,800 sessions planned for the event that on balance paint a comprehensive picture of what its customers, partners and competitors can expect.
Police from eight countries together with several private security companies disrupted the online infrastructure used by cybercriminals to control computers infected with a malware program called Shylock.
Amazon Web Services is offering a new document sharing service with management and security features designed to appeal to businesses.
Looking to spend less dough on stuff you want or need? I've got two new, free apps that can help.

'Negative Joblessness' In InfoSec
BankInfoSecurity.com (blog)
Characterizing the state of employment among American information security practitioners, executive recruiter Joyce Brocaglia says, "We are experiencing negative unemployment in the field of information security." Brocaglia, chief executive of the ...

Microsoft Internet Explorer CVE-2014-2761 Remote Memory Corruption Vulnerability
Microsoft Windows Ancillary Function Driver CVE-2014-1767 Local Privilege Escalation Vulnerability
HP Universal Configuration Management Database Multiple Security Vulnerabilities
Apple fans may not be the only ones waiting for a new iPhone later this year -- semiconductor industry revenue will get a boost from it too, according to Gartner.
Scientists are prepping the Large Hadron Collider for the start of its third two-year run next year.
Amazon.com has billed parents for millions of dollars' worth of unauthorized in-app purchases made by their children, the FTC said in a complaint filed Thursday in a U.S. court.
The U.S. Senate Judiciary Committee has voted to approve legislation that would allow mobile phone owners to unlock their devices for the purposes of switching carriers.

So often I see clients faithfully logging everything from the firewalls, routers and switches - taking terabytes of disk space to store it all.  Sadly, the interaction after the logs are created is often simply to make sure that the partition doesn't fill up - either old logs are just deleted, or each month logs are burned to DVD and filed away.

The comment I often get is that log entries are complex, and that the sheer volume of information makes it impossible to make sense of it.  With tens, hundreds or thousands of events per minute, the log entries whiz by at a dizzying speed.  Just deciding to review logs can be a real time-eater, unless you use methods to distil how you find the "clowns" on the carousel so you can deal with them appropriately.

(not to scale)

The industry answer to this is to install a product.  You can buy one of course, or use free tools like Bro, ELSA, or Splunk (free up to a certain daily log volume), which can all do a good job at this.  Netflow solutions will also do a great job of categorizing traffic pictorially.

But what if you don't have any of that?  Or what if you've got a few hundred gigs of text logs, and need to solve a problem or do Incident Handling RIGHT NOW?

Let's look at a few examples of things you might look for, and how you'd go about it.  I'll use Cisco log entries as an example, but aside from field positions, you can apply this to any log entry at all, including Microsoft events that have been redirected to syslog with a tool such as snare.

First, let's figure out who is using DNS but is NOT a DNS server:
type syslogcatchall.txt | grep "/53 " | grep -v a.a.a.b | grep -v a.a.a.c

Where a.a.a.b and a.a.a.c are the "legit" internal DNS servers. We're using "/53 ", with that explicit trailing space, to make sure that we're catching DNS queries, but not traffic on port 531, 532, 5311, 53001 and so on.

That leaves us with a bit of a mess - wa-a-ay too many records, and the text is just plain too tangled to deal with.  Let's just pull out the source IP address in each line, then sort the list and count the log entries per source address.  Note that we're using a Windows Server host with the Microsoft "Services for Unix" installed.  For all the *nix purists, I realize this could be done more simply in AWK, but that would be more difficult to illustrate.  If anyone is keen on that, by all means post the equivalent / better AWK syntax in our comment form - or perl / python or whatever your method is.  The end goal is always the same, but the different methods of getting there can be really interesting!

Anyway, my filtering command was:

D:\syslog\archive\2014-07-03>type SyslogCatchAll.txt | grep -v a.a.a.b | grep -v a.a.a.c | grep "/53 " | sed s/\t/" "/g | cut -d " " -f 13 | grep inside | sed s/:/" "/g | sed s/\//" "/g | cut -d " " -f 2 | sort | uniq -c | sort /R

This might look a little complicated, but let's break it up.

grep -v a.a.a.b | grep -v a.a.a.c  remove all the records from the two "legit" DNS servers
grep "/53 "  We're looking for DNS queries, which includes traffic with a destination port of TCP or UDP 53.  Note again the trailing space.
sed s/\t/" "/g  convert all of the tab characters in the Cisco syslog event line to a space.  This mixing of tabs and spaces is typical in syslogs, and can be a real challenge when splitting up a record for searches.
cut -d " " -f 13  using the space character as a delimiter, we just want field 13, which will look like "interface name/source ip address:53"
sed s/:/" "/g | sed s/\//" "/g  change those pesky ":" and "/" characters to spaces
cut -d " " -f 2  pull out just the source address
sort | uniq -c  finally, sort the resulting IP addresses and count each occurrence
sort /R  sort this final list by count in descending order.  Note that this is the WINDOWS sort command.  In Linux, you would use "sort -rn"


The final result is this: the list of hosts that are sending DNS traffic but are not DNS servers.  So either they're misconfigured, or they are malicious traffic using UDP/53 or TCP/53 to hide from detection.

  525 10.x.z..201
   182 10.x.y.236
   115 10.x.z.200
    40 10.x.y.2
    34 10.x.y.38
    20 10.x.y.7
    20 10.x.y.118
     2 10.x.x.138
     2 10.x.x.137
     2 10.x.x.136
     2 10.x.x.135
     2 10.x.x.133
     2 10.x.x.132
     2 10.x.x.131

So what did these turn out to be?  The first few are older DNS servers that were supposed to be migrated, but were forgotten - this was a valuable find for my client.  The rest of the list was mostly misconfigured hosts; in many cases they were embedded devices (cameras, timeclocks and TVs) that were installed by 3rd parties, with Google's DNS hard-coded.  A couple of these stations had some nifty malware, running botnet C&C over UDP port 53 to masquerade as DNS.  All of these finds were good things for my client to find and deal with!
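The same "who talks DNS but isn't a DNS server" search, redone as a portable awk pipeline.  This is an added example and not the diary's own command: awk splits each line on any run of spaces or tabs, which removes the tab-to-space sed step, and anchoring the port match on a whole token ("/53" followed by end of token) does the same job as the trailing space in "/53 ".  The log lines are constructed for this example and only loosely modelled on Cisco ASA "Built connection" messages; the token layout (outside:IP/port ... inside:IP/port) and the resolver addresses in LEGIT_DNS are assumptions, so adjust the two regexes to your own log format.

```shell
#!/bin/sh
# Added example, not from the original diary. Log lines below are constructed
# and only loosely modelled on Cisco ASA "Built connection" messages; the
# token layout is an assumption of this example.

# The "legit" internal resolvers, i.e. the diary's a.a.a.b and a.a.a.c
# (constructed placeholder addresses).
LEGIT_DNS="10.0.0.10 10.0.0.11"

# Constructed sample: three hits from one workstation, one from a legit
# resolver (must be excluded), one TCP/53 hit, and one /5311 decoy that the
# naive "/53" substring match would wrongly catch.
sample_log() {
cat <<'EOF'
Jul 10 2014 08:00:01 fw01 %ASA-6-302015: Built outbound UDP connection 1001 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.2.201/51234 (203.0.113.9/51234)
Jul 10 2014 08:00:02 fw01 %ASA-6-302015: Built outbound UDP connection 1002 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.2.201/51235 (203.0.113.9/51235)
Jul 10 2014 08:00:03 fw01 %ASA-6-302015: Built outbound UDP connection 1003 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.0.10/40001 (203.0.113.9/40001)
Jul 10 2014 08:00:04 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.7/53 (198.51.100.7/53) to inside:10.1.3.236/44321 (203.0.113.9/44321)
Jul 10 2014 08:00:05 fw01 %ASA-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.8/5311 (198.51.100.8/5311) to inside:10.1.9.9/44322 (203.0.113.9/44322)
Jul 10 2014 08:00:06 fw01 %ASA-6-302015: Built outbound UDP connection 1006 for outside:8.8.4.4/53 (8.8.4.4/53) to inside:10.1.2.201/51236 (203.0.113.9/51236)
EOF
}

# dns_talkers: read log lines on stdin, print "count inside-host" for every
# inside host with a connection to port 53 that is not a legit resolver,
# busiest first. The "$" anchor on the outside token is the equivalent of the
# diary's trailing space: /5311 and /53001 do not match.
dns_talkers() {
    awk -v legit="$LEGIT_DNS" '
        BEGIN { n = split(legit, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            dns = 0; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^outside:[0-9.]+\/53$/) dns = 1
                if ($i ~ /^inside:[0-9.]+\/[0-9]+$/) {
                    split($i, p, /[:\/]/)      # p[1]=inside p[2]=address p[3]=port
                    src = p[2]
                }
            }
            if (dns && src != "" && !(src in ok)) count[src]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Demo on the constructed sample; for real logs: dns_talkers < SyslogCatchAll.txt
sample_log | dns_talkers
```

On the sample this prints the workstation 10.1.2.201 with three hits and 10.1.3.236 with one; the legit resolver and the /5311 line never appear.  Because awk keeps the counts in memory and only sorts the final per-host totals, it streams through a multi-gigabyte file without the repeated sed/cut passes of the original pipeline.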

What else might you use this for?  Search for tcp/25 to find hosts that are sending mail directly out that shouldn't (we found some of the milling machinery on the factory floor that was also happily sending spam), or tcp/110 for users who are using self-installed email clients.

If you are using a proxy server for internet control, it's useful to find workstations that have incorrect proxy settings - in other words, find all the browser traffic (80, 443, 8080, 8081, etc.) that is NOT going through the proxy.

SSH, Telnet, tftp, ftp, sftp and ftps are other protocols that you might be interested in, as they are common protocols to send data in or out of your organization.

VPN and other tunnel traffic is another traffic type that you should be looking at for analysis.  Various common VPN protocols include:
IPSEC is generally some combination of:
ESP - IP Protocol 50.  For this you would look for "ESP" in your logs - it's not TCP or UDP traffic at all.
ISAKMP (IKE) - udp/500
IPSEC can be encapsulated in UDP, commonly in udp/500 and/or udp/4500, though really you can encapsulate using any port, as long as the other end matches.  You can also encapsulate in TCP; many VPN gateways default to tcp/10000, but that's just a default, it could be anything.

GRE (Cisco's Generic Routing Encapsulation) - IP Protocol 47
Microsoft PPTP - TCP/1723 plus IP protocol 47

What else might you look for?  How about protocols that encapsulate IPv6?  Teredo / 6to4 is the tunneling protocol that Microsoft uses by default - IP protocol 41 (see https://isc.sans.edu/diary/IPv6+Focus+Month%3A+IPv6+Encapsulation+-+Protocol+41/15370 )

If you've got a list of protocols of interest, you can easily drop all of these in a single script and run them at midnight each day, against yesterday's logs.

Using just CLI tools, what clowns have you found in your logs?  And what commands did you use to extract the information?

Rob VandenBrink

Microsoft Internet Explorer CVE-2014-2809 Remote Memory Corruption Vulnerability
HP SiteScope CVE-2014-2614 Unspecified Authentication Bypass Vulnerability
The top American intelligence officer in Germany has been asked to leave the country in the wake of revelations about National Security Agency spying and two recent cases in which the U.S. reportedly recruited German spies.
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability
Yahoo! Bug Bounty #29 YM - Filter Bypass & Persistent Web Vulnerability
[ MDVSA-2014:135 ] python
[ MDVSA-2014:134 ] liblzo
Microsoft staffers worldwide should buckle their seat belts because a big culture shakeup is in the works at the company.
[ MDVSA-2014:133 ] gd
SEC Consult SA-20140710-3 :: Design Issue / Password Disclosure in WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu
SEC Consult SA-20140710-2 :: Multiple critical vulnerabilities in Schrack MICROCONTROL emergency light system
SEC Consult SA-20140710-0 :: Multiple critical vulnerabilities in Shopizer webshop

It looks like there's a mis-assignment of certificates today at Office 365.  After login, the redirect to portal.office.com reports the following error:

portal.office.com uses an invalid security certificate.

The certificate is only valid for the following names: *.bing.com, *.platform.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, ecn.dev.virtualearth.net, *.cn.bing.net, *.cn.bing.com, *.ssl.bing.com, *.appex.bing.com, *.platform.cn.bing.com


Hopefully they'll have this resolved quickly.  Thanks to our reader John for the heads-up on this!


Looks like this has been resolved - note from Microsoft:

Closure Summary: On Thursday, July 10, 2014, at approximately 3:57 AM UTC, engineers identified an issue in which some customers may have encountered intermittent certificate errors when navigating to the Office 365 Customer Portal. Investigation determined that a recent update to the environment caused impact to a limited portion of capacity which is responsible for handling site certificate authorization. Engineers reconfigured settings to correct the underlying issue which mitigated impact. The issue was successfully fixed on Thursday, July 10, 2014, at 5:54 PM UTC.

Great job guys - thanks much!

Rob VandenBrink

Do you remember when you were first assigned a leadership role? It's an exciting adventure, filled with anticipation, anxiousness, fear of the unknown and an overwhelming need to ensure you're ready to take on one of the greatest responsibilities of a career.

NIST's New Approach to InfoSec Standards
The National Institute of Standards and Technology is developing new cybersecurity standards based on the same principles engineers use to build bridges and jetliners. NIST Fellow Ron Ross, in an interview with Information Security Media Group ...

Doors just stop working when one old PC in a storage closet dies.
In these lean times, backups aren't what they used to be; it's inevitable that IT staffers will be called to help, especially when an important issue is brewing.
A U.S. senator has asked the Federal Trade Commission to scrutinize the use of big data by Facebook and other Internet companies, following a controversy over a Facebook experiment on some of its users.
IT management positions generally pay quite well, but a new survey finds that so do a lot of other IT jobs.
IBM is pouring $3 billion into computing and chip materials research over the next five years as it rethinks computer design, looking toward the future of computing, which may not involve silicon chips.
Microsoft has reached a settlement with domain provider No-IP to disable some of its domains, after taking control of part of its network to shut down a botnet.
A U.S. senator has asked the Federal Trade Commission to scrutinize the use of big data by Facebook and other Internet companies, following a controversy over a Facebook experiment on some of its users.

Posted by InfoSec News on Jul 10


By Michael S. Schmidt, David E. Sanger and Nicole Perlroth
The New York Times
July 9, 2014

WASHINGTON -- Chinese hackers in March broke into the computer networks of
the United States government agency that houses the personal information
of all federal employees, according to senior American officials. They
appeared to be targeting the files on...

Posted by InfoSec News on Jul 10


By Warwick Ashford
09 July 2014

More than a third of organisations are failing to encrypt sensitive data
sent outside their systems, a survey has revealed.

Nearly 36% of more than 200 security professionals, polled at Infosecurity
Europe 2014 in London, admitted their organisations are not using...

Posted by InfoSec News on Jul 10


By David Shamah
Times of Israel
July 9, 2014

As the war against Hamas terrorists in Gaza rages on, anti-Israel hackers
are gearing up for yet another large-scale cyber-attack on Israel. Set for
Friday, July 11, #OpSaveGaza, anti-Israel hackers promise, the denial of
service (DDOS) attack will be the "greatest campaign ever against
‘Israhell,’ to expose...

Posted by InfoSec News on Jul 10


July 9, 2014

TULSA - Sand Springs police say they arrested a man after he posed as a
security officer in an attempt to get the password for a stolen computer.

Investigators say Frank Sudduth, 23, stole jewelry and a laptop computer
from a neighbor and later returned to the apartment wearing a police...

Posted by InfoSec News on Jul 10


By Kendra Hogue
Portland Tribune
09 July 2014

When the power goes out on a hot day, most people assume overuse of air
conditioning is to blame.

But from June 12 through July 7, four substation outages in Portland’s
westside suburbs and in North Portland were caused by adorably nimble,
fluffy-tailed and overly adventurous squirrels.
