Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A U.S. district court judge froze the U.S. assets of Mark Karpeles, CEO of failed Bitcoin exchange Mt. Gox, and two associated companies, allowing lawyers to begin demanding documents from the three parties to investigate what they allege is a huge fraud.
 
Aviation experts have cited multiple possible reasons for the problems in the multi-country effort to locate the Malaysia Airlines jetliner that dropped off the grid over the South China Sea four days ago.
 
For this month's "Patch Tuesday" round of bug fixes, Microsoft has focused on correcting multiple vulnerabilities in Internet Explorer (IE), including one that is already being used in targeted attacks.
 
The new LaCie Little Big Disk, featuring Thunderbolt 2 delivers speeds up to 1,375 MB/s.
 
NASA scientists are working to bring the Mars Reconnaissance Orbiter, which has been orbiting the Red Planet for eight years, back online after the spacecraft suffered a glitch Sunday.
 
Apple dominates 64-bit mobile chip devices as rival smartphone makers wait for a 64-bit version of the Android OS, but that early lead could dissipate in the next four years, ABI Research said on Tuesday.
 
The CEO of Japan's SoftBank mobile carrier promised to bring stiff price and speed competition to the U.S., saying he feels an obligation to improve slow speeds and drive down prices.
 
A former federal prosecutor and cybercrime expert tells CIO.com how IT departments can retrieve text messages that the user thought were deleted months or even years ago. As more litigation and investigations turn on the content of texts, every CIO needs to know how to find the smoking gun.
 
New York financial authorities said Tuesday that they would soon begin accepting applications for virtual currency exchanges including those dealing in bitcoins, in a sign of regulators' growing interest in the technology.
 
Huawei's enterprise unit has launched the FusionCube for high-end HANA systems and will also work with SAP on products for areas such as enterprise mobility.
 
As the U.S. Secretary of Defense, Leon Panetta delivered strong warnings about the risks of cyberattacks on the country. His conviction that a possible 'cyber Pearl Harbor' may be looming has not tempered since leaving the post last year.
 
Microsoft said that it would launch a new version of Office for Mac before the end of the year, but won't discuss details until the second half of 2014.
 
LinuxSecurity.com: New udisks and udisks2 packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Multiple vulnerabilities were found and corrected in Wireshark: * The NFS dissector could crash. Discovered by Moshe Kaplan (CVE-2014-2281). [More...]
 
LinuxSecurity.com: An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in subversion: The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a [More...]
 
LinuxSecurity.com: Updated gnutls packages fix security vulnerability: It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker [More...]
 
LinuxSecurity.com: UDisks could be made to manipulate directories as the administrator.
 
Joomla! 'index.php' SQL Injection Vulnerability
 
[slackware-security] udisks, udisks2 (SSA:2014-070-01)
 
[CVE-2013-6835] - iOS 7.0.6 Safari/Facetime-Audio Privacy issue
 
[security bulletin] HPSBUX02976 SSRT101236 rev.1 - HP-UX Running NFS rpc.lockd, Remote Denial of Service (DoS)
 
[security bulletin] HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS), Disclosure of Information
 

In a previous diary I talked about memory acquisition with DumpIt. In this diary I will talk about how to use Mandiant Redline to analyze the memory dump.[1]

Mandiant Redline:

“Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.[2]

Installation:

1-Download Mandiant Redline from https://www.mandiant.com/resources/download/redline

2-Double-click Redline-1.11.msi

3-Follow the installer prompts, then click Close

Redline Usage:

To analyze a memory image:

1-Select From a Saved Memory File under Analyze Data on the home screen

2-Click Browse under Location of Saved Memory Image (for this diary I will not use Indicators of Compromise)

3-Click Next, then OK

Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image.

4-For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”

Now our Image is ready for Review:

From the left-hand side you can choose which type of data you would like to analyze; in this view it is "Processes".

Here you can find all the processes that were running on the system when the memory image was acquired. It shows the full details of each process, such as the Process ID, Path, Arguments, User name, SID, etc.

To view the ports that were open on the system while the image was acquired, click Ports under Processes on the Analysis Data window's Host tab.
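Once the Processes and Ports views are in front of you, the first triage pass is mechanical enough to script. The following is an added example for this diary, not the diary's own procedure and not Redline code: it assumes the two views were exported to CSV with the column names shown (pid, ppid, name, path, arguments, username and pid, protocol, local_address, local_port, remote_address, remote_port, state), which is an assumption about the export format, and it runs on constructed sample rows rather than a real image. It flags core Windows binaries running from the wrong directory, processes that should exist only once, and the network connections belonging to anything flagged.

```python
"""Triage of a process and port listing taken from a memory image.

Added example for the Redline diary; not part of the diary and not Redline's
own code. Assumption: the Processes and Ports views were exported to CSV with
the column names used below. Real export headers may differ; remap them first.
"""
import csv
import io
import ntpath
from collections import Counter

# Constructed sample exports (not real case data). Column names are assumed.
PROCESSES_CSV = """pid,ppid,name,path,arguments,username
4,0,System,,,NT AUTHORITY\\SYSTEM
372,4,smss.exe,C:\\Windows\\System32\\smss.exe,,NT AUTHORITY\\SYSTEM
604,596,lsass.exe,C:\\Windows\\System32\\lsass.exe,,NT AUTHORITY\\SYSTEM
2204,1820,explorer.exe,C:\\Windows\\explorer.exe,,DESKTOP\\bob
1788,2204,lsass.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.exe,-k netsvcs,DESKTOP\\bob
2900,2204,svchost.exe,C:\\Users\\bob\\Downloads\\svchost.exe,,DESKTOP\\bob
"""

PORTS_CSV = """pid,protocol,local_address,local_port,remote_address,remote_port,state
604,TCP,0.0.0.0,445,0.0.0.0,0,LISTENING
1788,TCP,192.168.1.20,49321,203.0.113.9,4444,ESTABLISHED
2900,TCP,0.0.0.0,8080,0.0.0.0,0,LISTENING
"""

# Directory each core Windows binary is expected to run from (compared
# case-insensitively). A binary with one of these names anywhere else is
# a classic masquerade.
EXPECTED_DIRS = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Processes that exist exactly once on a normal single-session system.
SINGLETONS = ("smss.exe", "lsass.exe", "services.exe", "wininit.exe")


def load(csv_text):
    """Parse one exported view into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def suspicious_paths(procs):
    """(pid, name, path) for known binaries running from an unexpected directory."""
    hits = []
    for p in procs:
        expected = EXPECTED_DIRS.get(p["name"].lower())
        if expected is None:
            continue
        if ntpath.dirname(p["path"]).lower() != expected:
            hits.append((int(p["pid"]), p["name"], p["path"]))
    return hits


def duplicate_singletons(procs):
    """Name -> count for singleton processes that appear more than once."""
    counts = Counter(p["name"].lower() for p in procs)
    return {n: counts[n] for n in SINGLETONS if counts[n] > 1}


def connections_for(procs, ports, pids):
    """Port-table rows, joined to their process name, for the given PIDs."""
    by_pid = {int(p["pid"]): p for p in procs}
    out = []
    for c in ports:
        pid = int(c["pid"])
        if pid in pids:
            out.append({
                "pid": pid,
                "name": by_pid[pid]["name"],
                "proto": c["protocol"],
                "local": f'{c["local_address"]}:{c["local_port"]}',
                "remote": f'{c["remote_address"]}:{c["remote_port"]}',
                "state": c["state"],
            })
    return out


def triage(procs_csv=PROCESSES_CSV, ports_csv=PORTS_CSV):
    """Run all three checks and return one report dict."""
    procs, ports = load(procs_csv), load(ports_csv)
    flagged = suspicious_paths(procs)
    return {
        "bad_paths": flagged,
        "duplicates": duplicate_singletons(procs),
        "connections": connections_for(procs, ports, {pid for pid, _, _ in flagged}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On the sample rows the script singles out the lsass.exe in a user's Temp directory (with an established connection to an outside host on port 4444) and the svchost.exe in Downloads (listening on 8080), and reports that lsass.exe is present twice. Everything it flags still has to be confirmed by looking at the parent process, the loaded DLLs and the binary itself; the point is only to order the review, not to replace it.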



 
People can now earn a finder's fee when they refer customers to Google for its Apps email and collaboration suite.
 
Hewlett-Packard has found some success with a platform, called Aurasma, that provides augmented reality services to portable devices.
 
AST-2014-004: Remote Crash Vulnerability in PJSIP Channel Driver Subscription Handling
 
AST-2014-003: Remote Crash Vulnerability in PJSIP channel driver
 

Overview of the March 2014 Microsoft patches and their status.

Each entry lists: bulletin and title (and the bulletin it replaces); affected component; CVEs; KB; known exploits; Microsoft rating (**); ISC rating (*) for clients / servers.

MS14-012 Cumulative Security Update for Internet Explorer (replaces MS14-010)
  Affected: Internet Explorer
  CVEs: CVE-2014-0297, CVE-2014-0298, CVE-2014-0299, CVE-2014-0302, CVE-2014-0303, CVE-2014-0304, CVE-2014-0305, CVE-2014-0306, CVE-2014-0307, CVE-2014-0308, CVE-2014-0309, CVE-2014-0311, CVE-2014-0312, CVE-2014-0313, CVE-2014-0314, CVE-2014-0321, CVE-2014-0322, CVE-2014-0324
  KB 2925418
  Known exploits: Yes!
  Microsoft rating: Critical, Exploitability: 1
  ISC rating: clients PATCH NOW! / servers Critical

MS14-013 Remote Code Execution Vulnerability in Microsoft DirectShow (replaces MS13-056)
  Affected: DirectShow JPEG Library
  CVEs: CVE-2014-0301
  KB 2929961
  Known exploits: No.
  Microsoft rating: Critical, Exploitability: 1
  ISC rating: clients Critical / servers Important

MS14-014 Vulnerability in Silverlight Could Allow Security Feature Bypass (replaces MS13-087)
  Affected: Silverlight
  CVEs: CVE-2014-0319
  KB 2932677
  Known exploits: No.
  Microsoft rating: Important, Exploitability: 1
  ISC rating: clients Important / servers Important

MS14-015 Privilege Escalation Vulnerability in Windows Kernel-Mode Driver (replaces MS13-101)
  Affected: Windows Kernel-Mode Driver
  CVEs: CVE-2014-0300, CVE-2014-0323
  KB 2930275
  Known exploits: Yes. CVE-2014-0323 was public.
  Microsoft rating: Important, Exploitability: 1
  ISC rating: clients Important / servers Important

MS14-016 Security Bypass Vulnerability in Security Account Manager Remote (SAMR) (replaces MS11-095, MS13-032)
  Affected: Security Account Manager Remote
  CVEs: CVE-2014-0317
  KB 2930275
  Known exploits: No.
  Microsoft rating: Important, Exploitability: 1
  ISC rating: clients Important / servers Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

 
Deliberate status updates are losing luster as quick, impromptu, short-lived activity on social media gathers momentum. If the first phase of social media was a massive effort to share our online identities, this current wave is all about fleeting encounters.
 

Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn't ended the attack by blocking the requests.
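The mechanism described above is the pingback verification step: XML-RPC's pingback.ping takes a sourceURI (the page that supposedly links to the blog) and a targetURI (the post on the blog), and the blog fetches sourceURI to confirm the link exists. Name the victim as sourceURI and the blog fetches the victim. The following is an added example, not code from the article, Sucuri or WordPress: it builds that request with Python's standard XML-RPC library, and then runs a small reflector detector over constructed Apache access-log lines from the victim's side. The User-Agent shape "WordPress/<version>; <blog url>" is an assumption about how a reflecting blog identifies itself; check it against your own logs before relying on it.

```python
"""WordPress pingback reflection, from both ends.

Added example; not from the article, Sucuri or WordPress. pingback.ping with
(sourceURI, targetURI) is WordPress's XML-RPC pingback method. The log lines
are constructed and the User-Agent shape is an assumption.
"""
import re
import xmlrpc.client
from collections import Counter


# --- attacker side: the body POSTed to each blog's /xmlrpc.php -------------

def pingback_request(victim_url, post_on_blog):
    """sourceURI = the page claimed to link to the post, targetURI = the post.
    The blog fetches sourceURI to verify the claim, so putting the victim
    there makes the blog send a request to the victim for the attacker."""
    return xmlrpc.client.dumps((victim_url, post_on_blog), methodname="pingback.ping")


def parse_pingback_request(body):
    """Decode an incoming XML-RPC body to (method, params). A blog that wants
    to stop reflecting can refuse any call where method == 'pingback.ping'."""
    params, method = xmlrpc.client.loads(body)
    return method, params


# --- victim side: finding the reflectors in the access log -----------------

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed identification string of a WordPress install acting as a client.
UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+)$")

# Constructed sample lines: three blogs hitting the root with random queries,
# plus one ordinary browser visit that must not be counted.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:13:01:02 +0000] "GET /?3876521=9120334 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"',
    '198.51.100.8 - - [10/Mar/2014:13:01:02 +0000] "GET /?1120987=4456712 HTTP/1.0" 200 512 "-" "WordPress/3.7; http://blog-b.example"',
    '198.51.100.9 - - [10/Mar/2014:13:01:03 +0000] "GET /?9981234=2234567 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-c.example"',
    '198.51.100.7 - - [10/Mar/2014:13:01:03 +0000] "GET /?5512309=7654321 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"',
    '203.0.113.5 - - [10/Mar/2014:13:01:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def wordpress_sources(log_lines):
    """Hits per distinct WordPress blog seen as a client in the log."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = UA_RE.match(m.group("ua"))
        if ua:
            counts[ua.group("blog")] += 1
    return counts


def looks_like_pingback_flood(counts, min_distinct=3):
    """Many different blogs is the signature of reflection; one chatty blog
    is just one chatty blog."""
    return len(counts) >= min_distinct


if __name__ == "__main__":
    print(pingback_request("http://victim.example/", "http://blog-a.example/?p=1"))
    sources = wordpress_sources(SAMPLE_LOG)
    print(sources, looks_like_pingback_flood(sources))
```

The list of blog URLs the detector returns is also the list of site owners to notify; each of them is a legitimate site doing exactly what pingbacks are designed to do. On the blog side, the fix the article points at is refusing the pingback method entirely (the parse function above shows the check), or disabling XML-RPC when nothing needs it.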


 
Apple iOS APPLE-SA-2014-03-10-1 Multiple Security Vulnerabilities
 
AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers
 
AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.
 
AT&T and Audi announced pricing for its previously revealed plan to offer 4G LTE broadband in vehicles this year. GM also plans to begin offering broadband in its vehicles later this year.
 
Apple TV CVE-2014-1279 Local Information Disclosure Vulnerability
 
People who plan to run Windows XP after Microsoft pulls the patch plug should dump Internet Explorer (IE) and replace it with a different browser, the U.S. Computer Emergency Readiness Team (US-CERT) said Monday.
 
IBM SPSS Collaboration and Deployment Services CVE-2013-4043 Information Disclosure Vulnerability
 

Adobe released a new version of Flash Player as part of today's patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embedded version of Flash.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
Wireshark RLC Dissector 'packet-rlc.c' CVE-2014-2283 Denial of Service Vulnerability
 
Wireshark NFS Dissector CVE-2014-2281 Denial of Service Vulnerability
 
Wireshark MPEG File Parser 'wiretap/mpeg.c' Buffer Overflow Vulnerability
 
Carsales.com, Australia's top online automotive classified site, is helping its independent dealers make the switch to sites built with responsive design in mind. Revenue is up, the company says, in part because of increased traffic from mobile devices.
 
Oracle Java SE CVE-2013-5893 Remote Security Vulnerability
 
Google is facing a lawsuit over unauthorized in-app purchases on Android devices by children.
 
It offers slightly greater payment convenience, but at what cost?
 

Infosec seen as a grudge purchase
ITWeb
Now in its ninth year, the ITWeb Security Summit is southern Africa's premier information security event for IT and business professionals. It is presented by ITWeb, South Africa's leading technology-focused publisher, with media products and services ...

 
A court in California has prohibited the destruction of phone records collected by the government until further orders, raising a potential conflict with an order last week by the secret Foreign Intelligence Surveillance Court in Washington
 
As a company that draws more than 2 billion eyeballs per month, Facebook was a fitting harbinger of trends to come at an optical networking conference.
 
Intel could soon bring to market a faster version of its Thunderbolt connector technology with a throughput of 50Gbps, but the company is biding its time until there is a need for faster connectors.
 
Hundreds of striking workers at an IBM server factory in China have decided to leave their jobs, disappointed with the U.S. company and the wages they will get once Lenovo takes over the factory.
 
In 2008, the U.S. government changed the rules on student visas and allowed foreign STEM students to work in the U.S. for up to 29 months without an H-1B visa. The program quickly grew in popularity.
 
We look at three Windows 8.1 convertibles that can transform into laptops, tablets or presentation devices, and try to discover how useful they really are.
 
Apple last week gave six top executives $12.1 million each in stock grants that will vest over the next four years, according to filings with the U.S. Securities and Exchange Commission (SEC).
 
Todd Miller Sudo 'validate_env_vars()' Local Privilege Escalation Vulnerability
 