Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Stop us if this sounds familiar: a company executive does something that makes a foreign government’s leadership upset. A few months later, hackers break into the company’s network through a persistent cyber attack, and plant malware that erases the contents of hard drives, shuts down e-mail servers and phone systems, and brings operations to a screeching halt.

That’s not just what happened to Sony Pictures Entertainment in late November—it’s also what happened to Las Vegas Sands Corp., owners of the Sands, Venetian and Palazzo hotels and casinos in a cyber attack that began last January. The attack and the damage it did were kept quiet by the company until it was reported in a story by Bloomberg Businessweek today.

Attempts to reach Las Vegas Sands Corp. have gone unanswered, and a spokesperson for Dell SecureWorks—which was brought in to clean up the mess afterward and determine its cause—declined to speak about the article as it is the company’s policy not to discuss work done for a customer. But according to Bloomberg’s sources, the Sands attack was undertaken by “hacktivists” who were responding to a speech by Sands majority owner Sheldon Adelson. The billionaire 52-percent owner of the Sands and Israeli media mogul made an October 2013 appearance on a panel at the Manhattan campus of Yeshiva University, where he called for a nuclear attack on Iran to get the country to abandon its own nuclear program.


 

The malware that thoroughly penetrated Sony Pictures Entertainment was so sophisticated it likely would have worked against nine out of 10 security defenses available to companies, a top FBI official told members of Congress.

The comments, made under oath Wednesday by Joseph Demarest, assistant director of the FBI's cyber division, are the latest to largely let Sony officials off the hook. Last month's rooting of servers operated by Sony's movie division is believed to have exposed more than 100 gigabytes of data, including not only unreleased movies but, more importantly, personal details on tens of thousands of employees. Speaking before the Senate Banking, Housing, and Urban Affairs Committee, Demarest made apologist comments that closely resembled those reported earlier this week from the CEO of Mandiant, the security firm investigating the breach on behalf of Sony.

"The level of sophistication is extremely high and we can tell...that [the hackers] are organized and certainly persistent," Demarest said, according to IDG News. "In speaking with Sony and separately, the Mandiant security provider, the malware that was used would have slipped or probably gotten past 90% of Net defenses that are out there today in private industry and [likely] challenged even state government."


 

Those trying to download files and films from the recent Sony Pictures Entertainment leak are being widely frustrated thanks to a large number of Torrent filesharing nodes that advertise fake "seeds." These files are offered via the BitTorrent file sharing protocol, and they match the signature of the stolen data while containing no usable content. Instead the bad seeds, which now may outnumber the computers actively sharing the actual files stolen from Sony, provide a download of corrupted or fake versions of the archive files for the vast majority of individuals attempting to access them.

According to a source at Sony that spoke with Re/Code, the company was using Amazon Web Services to run hundreds of virtual machines and distribute fake file versions to disrupt the Guardians of Peace (GoP) file dumps. That is supported by analysis from security firm Adallom, which tracks the signature of files on torrent streams and other sources in order to watch for data breaches from client companies.

Tal Klein, vice president of strategy at Adallom, told Ars that starting yesterday, “all of a sudden we saw files matching the SHA1 signatures of the Sony torrents starting to be populated across all the torrent sites.” He said that the files were intelligently designed to have the same signature as the GoP file torrents—unlike earlier opportunistic attempts by malware distributors who packaged malware using the same filenames used by the GoP file dumps.


 
Adobe Flash Player CVE-2014-9162 Information Disclosure Vulnerability
 
Adobe Flash Player CVE-2014-9163 Stack Based Buffer Overflow Vulnerability
 
ResourceSpace Multiple Cross Site Scripting, and HTML and SQL Injection Vulnerabilities
 
APPLE-SA-2014-12-11-1 Safari 8.0.2, Safari 7.1.2, and Safari 6.2.2
 
[SECURITY] [DSA 3098-1] graphviz security update
 
Microsoft Internet Explorer CVE-2014-8966 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2014-6373 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer XSS Filter CVE-2014-6328 Security Bypass Vulnerability
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New openvpn packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current. [More Info...]
 
LinuxSecurity.com: New wpa_supplicant packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New openssh packages are available for Slackware 14.0, 14.1, and -current. [More Info...]
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 14.1 to fix security issues. [More Info...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.
 
LinuxSecurity.com: A vulnerability in libxml2 could result in Denial of Service.
 
LinuxSecurity.com: A vulnerability in Clam AntiVirus can lead to a Denial of Service condition.
 
LinuxSecurity.com: Security Report Summary
 

Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:

login failed for [email protected]
login failed for [email protected]
login failed for [email protected]
login failed for [email protected]

The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register [email protected] but then begin sending email to [email protected], it will arrive in my new inbox despite the additional periods.

Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?

Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?
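One defensive way to act on the diary's point is to canonicalize addresses before comparing them, so that a ban or duplicate-registration check cannot be sidestepped by re-spelling the same Gmail mailbox with extra periods. The example below is added here and is not part of the diary; it goes slightly beyond it by also folding Gmail's "+tag" suffixes and the googlemail.com alias domain, and applies the same canonical form to "login failed" lines so that variants of one mailbox are counted together. The registered addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Gmail treats the local part as dot-insensitive; googlemail.com is an alias domain.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address: str) -> str:
    """Collapse aliases of one Gmail mailbox: lowercase, drop '.' in the local
    part, drop any '+tag', map googlemail.com to gmail.com. Other domains are
    only lowercased, since dot-insensitivity is not guaranteed there."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def find_alias_groups(addresses):
    """Map each canonical mailbox to the registered spellings that collide on it."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {mbox: names for mbox, names in groups.items() if len(names) > 1}

LOGIN_FAILED = re.compile(r"login failed for (\S+@\S+)")

def failed_logins_by_mailbox(log_lines):
    """Count 'login failed for <addr>' lines per canonical mailbox, so that
    spellings differing only by dots show up as one hammered account."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOGIN_FAILED.search(line)
        if m:
            counts[canonical_email(m.group(1))] += 1
    return dict(counts)

# Constructed sample data, not taken from the ISC diary.
REGISTERED = ["alice@example.org", "j.doe@gmail.com",
              "J.Doe+forum@googlemail.com", "JDoe@gmail.com"]
SAMPLE_LOG = [
    "login failed for j.doe@gmail.com",
    "login failed for jd.oe@gmail.com",
    "login failed for j.d.o.e@gmail.com",
    "login failed for alice@example.org",
]
```

Running `find_alias_groups(REGISTERED)` reports the three spellings of `jdoe@gmail.com` as one mailbox, and `failed_logins_by_mailbox(SAMPLE_LOG)` attributes three failures to that single account rather than one each.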

Let us know what you think in the comments!

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Microsoft Internet Explorer CVE-2014-6329 Remote Memory Corruption Vulnerability
 
Unbound CVE-2014-8602 Remote Denial of Service Vulnerability
 
X.Org X Server CVE-2014-8091 Denial of Service Vulnerability
 
X.Org X Server Protocol Handling Multiple Out-of-Bounds Memory Corruption Vulnerabilities
 
[slackware-security] wpa_supplicant (SSA:2014-344-07)
 
[slackware-security] seamonkey (SSA:2014-344-06)
 
[slackware-security] pidgin (SSA:2014-344-05)
 
[slackware-security] openvpn (SSA:2014-344-04)
 
[SECURITY] [DSA 3096-1] pdns-recursor security update
 
X.Org X Server CVE-2014-8100 Out of Bounds Read Multiple Remote Denial of Service Vulnerabilities
 
X.Org X Server CVE-2014-8102 Out of Bounds Denial of Service Vulnerability
 

All aboard the internet of things infosec hype train
ZDNet
All that is obvious, because every infosec vendor is looking at the same "threat landscape", as we must call it these days. Every vendor's customers continue to make the same mistakes in the face of those threats, thanks to the universal constants of ...
