Information Security News
by Sean Gallagher
There are lots of cringeworthy technology moments on television, especially when the words "hacking" and "cyber" are introduced into the plot. But of all the broadcast and cable networks, CBS is the biggest purveyor of techno-idiocy, proving again and again that none of the producers behind its stable of pseudo-procedural dramas has a clue about how anything on that crazy thing called the Internet works. NCIS set the benchmark with its two-people-on-one-keyboard-to-out-hack-a-hacker scene, but then the network doubled down and launched CSI:Cyber, which returned last night.
The future of Cyber is currently in doubt. CBS has pulled its timeslot to make room for a midseason replacement, so there may well be only a few more opportunities for the latest CSI franchise to cyber-scare network viewers with plots loosely based on something producers read about on Yahoo Answers. OK, to be fair, Cyber's writers are at least occasionally inspired by actual vulnerabilities that have been ripped from the headlines. It's just that those headlines are often several years old.
Throughout its run thus far, the show has offered hat-tips to real security researchers. An episode late last year involved a "jackpotting" hack of ATMs at "Barnaby Bank," named for a security researcher who demonstrated that vulnerability—Barnaby Jack. Jack would afterward serve as director of embedded device security research at IOActive until his death in 2013. But the road to entertainment hell is paved with good intentions.
83% of InfoSec Pros Think Successful Attack On Critical Infrastructure Likely In 2016. ISACA survey finds that a majority of cybersecurity professionals feel privacy is being compromised in effort to create stronger security regulation. The lion's ...
Antivirus provider TrendMicro has released an emergency product update that fixes critical defects that allow attackers to execute malicious code and to view the contents of a password manager built into the malware protection program. The release came after a Google security researcher publicly castigated a TrendMicro official over the flaws.
Details of the flaws became public last week after Tavis Ormandy, a researcher with Google's Project Zero vulnerability research team, published a scathing critique disclosing the shortcomings. While the code execution vulnerabilities were contained in the password manager included with the antivirus package, they could be maliciously exploited even if end users never make use of the password feature. Those who did use it were also susceptible to hacks that allowed attackers to view hashed passwords and the plaintext Internet domains they belonged to.
"I don't even know what to say—how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote in an exchange with a TrendMicro official. "You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
The malware used in the recent Ukrainian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file.
If you want to practice the analysis of such documents, I have something for you: I produced a spreadsheet that uses exactly the same method to embed a PE file, but it has no code to write to disk or to run the payload. And the VBA code doesn't run automatically. And instead of a PE file, I embedded a JPEG file. So this example is very safe. You can download the example here.
In case you have no idea how to get started, I have a video for you where I show my analysis method.
You can find the tools I used on my blog.
But there are many ways to analyze this example. Please post your method in a comment. And also, let me know what you think of the picture.
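One way to analyze a document of this kind without running the macro, as an added example that is not part of the original post and not one of the author's own tools: once the VBA source has been extracted from the spreadsheet (with olevba, oledump or similar), the script below reassembles the byte literals inside the VBA `Array(...)` call, identifies the payload by its magic bytes (MZ for a PE, FF D8 FF for a JPEG) and flags the three behaviours the post describes: an auto-run entry point, a write to disk, and execution of the payload. The VBA sample embedded in the script is constructed for illustration; it is not the real maldoc, and the `Array(...)` literal syntax and the auto-run procedure names it looks for are assumptions about how such macros are typically written.

```python
"""Static triage of a VBA macro that embeds a payload as an array of bytes.

Added example, not code from the original post. Assumes the payload is carried
as numeric literals (decimal or &H hex) inside a VBA Array(...) call.
"""
import re

# Constructed VBA sample (not the real maldoc): a JPEG header, written to disk
# from an auto-running Workbook_Open, but never executed.
SAMPLE_VBA = '''
Private Sub Workbook_Open()
    Dim b() As Variant
    b = Array(&HFF, &HD8, &HFF, &HE0, 0, 16, 74, 70, 73, 70, 0, 1, _
              1, 0, 0, 1, 0, 1, 0, 0)
    Dim i As Long
    Open Environ("TEMP") & "\\pic.jpg" For Binary As #1
    For i = LBound(b) To UBound(b)
        Put #1, , CByte(b(i))
    Next i
    Close #1
End Sub
'''

# Procedure names Office runs automatically when the document is opened
# (assumed list of the common ones, not exhaustive).
AUTO_RUN = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "AutoExec")

# Magic bytes used to identify the reassembled payload.
MAGIC = {
    b"MZ": "PE executable (MZ header)",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG": "PNG image",
}

# A VBA numeric literal: &H hex form or plain decimal.
_LITERAL = re.compile(r"&H([0-9A-Fa-f]+)|(\d+)")


def extract_array_bytes(vba: str) -> bytes:
    """Collect every byte literal inside Array(...) calls, in source order."""
    # A trailing " _" continues the statement on the next line; join those first.
    joined = re.sub(r"\s_\r?\n\s*", " ", vba)
    out = bytearray()
    for call in re.finditer(r"Array\((.*?)\)", joined, flags=re.S):
        for hexval, decval in _LITERAL.findall(call.group(1)):
            value = int(hexval, 16) if hexval else int(decval)
            if not 0 <= value <= 255:
                raise ValueError(f"literal {value} is not a byte")
            out.append(value)
    return bytes(out)


def identify(payload: bytes) -> str:
    """Name the payload type from its leading magic bytes."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def find_autorun(vba: str) -> list:
    """Return the auto-run procedure names declared in the macro."""
    return [name for name in AUTO_RUN if re.search(rf"\bSub\s+{name}\b", vba)]


def analyze(vba: str) -> dict:
    """Summarise the behaviours the maldoc post describes."""
    payload = extract_array_bytes(vba)
    return {
        "autorun": find_autorun(vba),
        # Binary file output is how the original macro dropped its exe.
        "writes_to_disk": bool(re.search(r"\bOpen\b.*\bFor Binary\b", vba)),
        # Shell(...) or a WScript.Shell object are the usual ways to run it.
        "executes": bool(re.search(r'\bShell\b|CreateObject\("WScript\.Shell"\)', vba)),
        "payload_length": len(payload),
        "payload_type": identify(payload),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Save the reassembled payload for further inspection (never run it).
    with open("payload.bin", "wb") as fh:
        fh.write(extract_array_bytes(SAMPLE_VBA))
```

Run it against the VBA dumped from the practice spreadsheet and the reported type should be a JPEG with no auto-run procedure, no disk write and no execution; against a macro built like the real one, the same script reports an MZ payload plus all three behaviours, which is the whole signature of this dropper without ever letting the macro run.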
Our friends over at VMware have released their first security bulletin of the year. The vulnerability is a privilege escalation issue in VMware Tools in Windows guests. Affected products include ESXi, Workstation (versions prior to 11.1.2, version 12 is not affected), Player (prior to 7.1.2), and Fusion (prior to 7.1.2, version 8 is not affected). This is not a guest escape and does not impact the host OS.
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Monday review – the hot 16 stories of the week
The people who carried out last month's first known hacker-caused power outage used highly destructive malware to gain a foothold into multiple regional distribution power companies in Ukraine and delay restoration efforts once electricity had been shut off, a newly published analysis confirms.
The malware, known as BlackEnergy, allowed the attackers to gain a foothold on the power company systems, said the report, which was published by a member of the SANS industrial control systems team. The still-unknown attackers then used that access to open circuit breakers that cut power. After that, they likely used a wiper utility called KillDisk to thwart recovery efforts and then waged denial-of-service attacks to prevent power company personnel from receiving customer reports of outages. In Saturday's report, SANS ICS Director Michael J. Assante wrote:
The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.
The report stresses there's no evidence BlackEnergy or its recently developed KillDisk component was the direct cause of the outage, which so far has been shown to affect about 80,000 customers. The analysis also cautioned that evidence showing some past BlackEnergy infections relied on booby-trapped Microsoft Office documents to spread is no indication such a vector was used in the recent Ukrainian power grid attacks. Still, this weekend's report leaves little doubt the blackout was the result of a highly coordinated hacker attack that relied on BlackEnergy as a key ingredient.