Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. Once compromised, the routers scan ports 80 and 8080 as fast as they can, saturating the available bandwidth.

It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on ports 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS servers (8.8.8.8 or 8.8.4.4).

If you have any insight, please let us know.
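One way to hunt for the indicator described above in flow data, as an added example that is not part of the diary or the ISP's tooling: group records by source, keep only traffic to ports 80/8080, and flag sources whose destinations form a run of consecutive addresses. The flow records, addresses and the threshold of eight consecutive targets are constructed for the example.

```python
"""Flag sources that sweep destination addresses in sequence on ports 80/8080.
Added example; flow records below are constructed stand-ins for NetFlow/firewall logs."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed (src, dst, dport) records: one router sweeping a /24, one normal host,
# one host that is sequential but on a port we do not care about here.
FLOWS = [("192.0.2.10", f"198.51.100.{i}", 80 if i % 2 else 8080) for i in range(1, 21)]
FLOWS += [("192.0.2.20", d, 80) for d in ("203.0.113.5", "203.0.113.77", "198.51.100.3")]
FLOWS += [("192.0.2.30", f"203.0.113.{i}", 443) for i in range(1, 21)]


def longest_sequential_run(dsts):
    """Length of the longest run of consecutive IPv4 addresses among dsts."""
    nums = sorted({int(ip_address(d)) for d in dsts})
    if not nums:
        return 0
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(flows, ports=(80, 8080), min_run=8):
    """Return {src: longest_run} for sources whose 80/8080 targets include a run of
    at least min_run consecutive addresses. Ordinary browsing almost never does this."""
    targets = defaultdict(list)
    for src, dst, dport in flows:
        if dport in ports:
            targets[src].append(dst)
    flagged = {}
    for src, dsts in targets.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            flagged[src] = run
    return flagged


if __name__ == "__main__":
    for src, run in find_scanners(FLOWS).items():
        print(f"{src}: sequential sweep of {run} addresses on 80/8080; check firmware and DNS settings")
```

Flagged sources are candidates for a firmware check and a look at the router's configured DNS servers, not a verdict on their own.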

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

Mt. Gox, Bitstamp, and other Bitcoin exchanges have temporarily suspended withdrawal transactions after coming under a form of a denial-of-service attack that abuses weaknesses in the way they keep track of fund balances, a security expert said.

The attacks don't have any permanent effect on the central accounting mechanism for the digital currency, but they are likely the driving force behind a sharp decline in the bitcoin-to-dollar exchange rate over the past 48 hours. Since the attacks began on Monday, the price of one bitcoin on Mt. Gox has fallen from just below $700 to well below $540 at one point. It has see-sawed ever since and was at about $580 as this report was being prepared. Other exchanges showed similar fluctuations.

Andreas M. Antonopoulos, chief security officer of digital wallet developer Blockchain, said the attacks work by flooding exchanges with a large number of malformed transactions that are similar, but not identical, to legitimate transactions that were already made. Exchanges that trust one or more of the fake records instead of the entries in the official Bitcoin blockchain quickly fall out of sync with the rest of the network and must recalculate their fund balances once the mistakes become apparent. Malformed transactions aren't necessarily new, but over the past 48 hours their numbers have mushroomed, causing logjams that have prevented some exchanges from being able to process withdrawal requests.
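The failure mode described above, as an added illustrative model that is not the article's or any exchange's code: a ledger that tracks its own withdrawals by transaction id cannot recognise a near-identical copy of a withdrawal that carries a different id, while a ledger that matches on the coins actually spent can. All transaction ids, addresses and amounts are constructed placeholders.

```python
"""Simplified model of an exchange ledger meeting a near-duplicate copy of its own
withdrawal. Added example; ids and addresses are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str       # id under which the network knows this record
    inputs: tuple   # coins spent, as (prev_txid, output_index) pairs
    outputs: tuple  # destinations, as (address, amount) pairs


# The withdrawal exactly as the exchange broadcast it.
ORIGINAL = Tx("tx-a1", (("funding-tx", 0),), (("customer-addr", 5.0),))
# A copy that spends the same coins to the same destination but carries a different id.
# In the scenario above, this is the record the network ends up confirming.
MUTATED = Tx("tx-b2", ORIGINAL.inputs, ORIGINAL.outputs)
CONFIRMED = [MUTATED, Tx("tx-c3", (("other-tx", 1),), (("someone-else", 1.0),))]


def naive_reconcile(pending, confirmed):
    """Match on txid only. The exchange's own withdrawal is reported as missing,
    so its books no longer agree with what the blockchain shows."""
    seen = {t.txid for t in confirmed}
    return {t.txid: ("settled" if t.txid in seen else "missing") for t in pending}


def robust_reconcile(pending, confirmed):
    """Match on the coins spent instead. An input can be consumed only once, so a
    confirmed record consuming the same inputs is the same withdrawal under another id."""
    spent_by = {inp: t.txid for t in confirmed for inp in t.inputs}
    result = {}
    for t in pending:
        hits = {spent_by[i] for i in t.inputs if i in spent_by}
        result[t.txid] = f"settled as {hits.pop()}" if hits else "missing"
    return result


if __name__ == "__main__":
    print("by txid:  ", naive_reconcile([ORIGINAL], CONFIRMED))
    print("by inputs:", robust_reconcile([ORIGINAL], CONFIRMED))
```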

A workshop aimed at improving federal cryptographic key management systems will be held at the National Institute of Standards and Technology (NIST)'s Gaithersburg, Md., campus on March 4-5, 2014. The workshop will focus on discussing ...
 
Microsoft will call it quits not only on Windows XP in less than two months, but will pull the plug on Office 2003 the same day.
 
Administrators hoping to slack off a bit for this month's Microsoft Patch Tuesday will have no opportunity to do so. At the last minute, Microsoft added a slew of Internet Explorer (IE) fixes to its monthly release of software patches, including one patch that fixes a publicly known vulnerability.
 
The headlines about the storm approaching Georgia include a tinge of panic and wonder, but the view from Monty Hamilton's Atlanta office is of streets calm and empty.
 
Perl 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability
 
Google is teaming up with long-time Apple partner Foxconn to work on Google's robotics vision, according to the Wall Street Journal.
 
The cars of tomorrow will listen, talk, entertain, protect, get energy from the sun and even drive themselves. Not all carmakers plan to take the same road, though, and some face more potholes than others.
 
Attackers abused insecure Network Time Protocol servers to launch what appears to be one of the largest DDoS (distributed denial-of-service) attacks ever, this time against the infrastructure of CloudFlare, a company that operates a global content delivery network.
 
Adobe Shockwave Player CVE-2014-0500 Memory Corruption Vulnerability
 
Red Hat and Hortonworks have vowed to work together to make it easier to run Hortonworks' Hadoop Data Platform (HDP) with Red Hat's JBoss set of middleware and other Red Hat enterprise software.
 
Box will beef up its consulting team this year with several CIOs as it seeks to grow sales and adoption of its enterprise cloud storage and file sharing service in specific industries.
 
Contributing to open-source projects can give software developers an edge over other applicants in the competitive IT job market, say hiring professionals.
 
 

Overview of the February 2014 Microsoft patches and their status.

 

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS14-005 | Information Disclosure Vulnerability in Microsoft XML Core Services (Replaces MS10-051); Microsoft XML Core Services; CVE-2014-0266 | KB 2916036 | Yes. | Severity: Important; Exploitability: 3 | Important | Important |
| MS14-006 | IPv6 Denial of Service (Replaces MS13-065); TCP/IP Stack (IPv6); CVE-2014-0254 | KB 2904659 | Yes. (vuln. known) | Severity: Important; Exploitability: 3 | Important | Important |
| MS14-007 | Remote Code Execution in Direct2D; Direct2D; CVE-2014-0263 | KB 2912390 | No. | Severity: Critical; Exploitability: 1 | Critical | Important |
| MS14-008 | Remote Code Execution in Microsoft Forefront; Microsoft Forefront; CVE-2014-0294 | KB 2927022 | No. | Severity: Critical; Exploitability: 1 | N/A | Critical |
| MS14-009 | Elevation of Privilege Vulnerability in .Net Framework (Replaces MS13-052, MS11-100); .Net Framework; CVE-2014-0253, CVE-2014-0257, CVE-2014-0295 | KB 2916607 | Yes. | Severity: Important; Exploitability: 1 | Important | Important |
| MS14-010 | Cumulative Security Update for Internet Explorer (Replaces MS13-097); Internet Explorer; CVE-2014-0267, CVE-2013-0268, CVE-2013-0269, CVE-2013-0270, CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274, CVE-2013-0275, CVE-2013-0276, CVE-2013-0277, CVE-2013-0278, CVE-2013-0279, CVE-2013-0280, CVE-2013-0281, CVE-2013-0283, CVE-2013-0284, CVE-2013-0285, CVE-2013-0286, CVE-2013-0287, CVE-2013-0288, CVE-2013-0289, CVE-2013-0290, CVE-2013-0293 | KB 2909921 | Yes (CVE-2014-0267) | Severity: Critical; Exploitability: 1 | PATCH NOW! | Important |
| MS14-011 | Remote Code Execution Vulnerability in VBScript Scripting (Replaces MS10-022); VBScript; CVE-2014-0271 | KB 2928390 | No. | Severity: Critical; Exploitability: 1 | Critical | Critical |
We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

 

Adobe released one patch today: APSB14-006 [1]. It addresses a vulnerability in Shockwave Player and affects both Windows and OS X. The current version is now 12.0.9.149. The update has a priority rating of "1", which implies that the vulnerability has been exploited in targeted attacks.

 

[1] http://helpx.adobe.com/security/products/shockwave/apsb14-06.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Google's Glass project is getting a shot in the arm as the New York Police Department and Virgin Atlantic both announce that they're testing the computerized eyeglasses.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client: CVE-2013-6477 [More...]
 
LinuxSecurity.com: An updated wget package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Low [More...]
 
LinuxSecurity.com: libgadu could be made to crash or run programs if it received specially crafted network traffic.
 
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
 
LinuxSecurity.com: A vulnerability in Roundcube could result in arbitrary code execution, SQL injection, or reading of arbitrary files.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in pidgin: The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte [More...]
 

A distributed denial-of-service attack targeting a client of the content delivery network Cloudflare reached new highs in malicious traffic today, striking at the company’s data centers in Europe and the US. According to a Twitter post by Cloudflare CEO Matthew Prince, the full volume of the attack exceeded 400 gigabits per second—making it the largest DDoS attack ever recorded.

The attack used Network Time Protocol (NTP) reflection, the same technique used in recent attacks against gaming sites by a group called DERP Trolling. NTP is used to synchronize the time settings on computers across the Internet. The attack made fraudulent synchronization requests to NTP servers that caused them to send a flood of replies back at the targeted sites.

Reflection attacks have been a mainstay of DDoS tools and botnets, but the use of NTP in such attacks is relatively new. Last year’s attack on Spamhaus, which previously set the record for the largest DDoS ever, used a Domain Name Service (DNS) protocol attack—a much more common approach that takes advantage of the Internet’s directory service, forging requests for DNS lookups from the intended target and sending them to scores of open DNS servers. The size of the traffic directed back at the target from these requests far exceeds the size of the requests sent to the DNS servers, which is why the technique is often called a DNS amplification attack.

Pacemaker Insecure Temporary File Creation Vulnerability
 
Oracle Java SE TTF Font Parsing Remote Code Execution Vulnerability
 
Oracle's database, WebLogic application server and Java programming language will soon be generally available on Microsoft's Windows Azure cloud service, marking a major milestone in the high-profile partnership the vendors announced in June 2013.
 
A U.S. House of Representatives committee has passed legislation that would prohibit mobile phone users from making voice calls during airline flights, despite a U.S. Federal Communications Commission move to allow in-flight calls.
 
In the past, infrastructure deployment and application updates both slowed the development lifecycle. Now that cloud computing lets organizations provision resources in minutes, not months, it's time to alter the application lifecycle accordingly. DevOps can help -- but only if it extends beyond 'culture change' to actually achieve continuous deployment.
 
The Alliance for Wireless Power and Power Matters Alliance announced today they have reached an agreement to establish interoperability standards for wireless power charging.
 
Apple continued to have problems meeting demand for its radically redesigned Mac Pro desktop computer, with ship dates today extending into April.
 
Businesses of all sizes embrace open source software and the benefits it can bring. Sometimes, though, choosing proprietary software makes better business sense. Here are seven scenarios when it pays to pay for your software.
 
This year's Mobile World Congress will see an LTE that's more mature than ever, with higher speeds, more device selection and more chip suppliers adding to the range of options for the fast mobile technology.
 
A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries.
 
The U.S. government has chosen a Google subsidiary to rehabilitate Moffett Federal Airfield in Silicon Valley, a site that has hosted Google executives' fleet of private jets.
 
ARM is targeting midrange smartphones and tablets priced starting at US$200 with its Cortex-A17 processor core, announced Tuesday.
 
Apple will continue to be watched by an antitrust monitor during its appeal of a court order creating the position, a court ruled.
 
Microsoft is offering multifactor authentication free as an option to all users of its Office 365 suite, a hosted set of Microsoft Office tools and applications.
 
Migrating U.S. payment systems to the Europay MasterCard Visa (EMV) smartcard standard could take significantly longer than envisioned and offer fewer security benefits than what's being touted by proponents of the technology.
 
You might see security and privacy pitfalls, but the advantages of the Internet of Things mean there's no stopping it. Your smart fridge is going to miss you when you're working every night.
 
[SECURITY] [DSA 2858-1] iceweasel security update
 
[SECURITY] [DSA 2859-1] pidgin security update
 
[mwrlabs advisory][CVE-2014-0748] Cray Aprun/Apinit Privilege Escalation
 
Learning to use a 3D printer for the first time is not complicated, but learning to do it well comes with a significant learning curve.
 
Phpbb Forum Denial of Service Vulnerability
 
Open-Xchange Security Advisory 2014-02-10
 
cURL/libcURL NTLM connection Remote Security Bypass Vulnerability
 
Tableau Server Multiple SQL Injection Vulnerabilities
 
Multiple WellinTech Products ActiveX Remote Code Execution Vulnerability
 