Hackin9

Last week, the imageboard site 8chan.co was brought offline for a sustained period of over five days due to a prolonged DDoS attack. On Monday, it returned only to go back offline for a much different reason: Its domain had been seized.

Site founder Fredrick Brennan posted an e-mail on Monday that he says came from the site's Bahamas-based registrar, Internet.bs. The note explained that the domain 8chan.co had been put "on hold" due to "child abuse" content appearing on the site.

This followed a swell of complaint e-mails sent over the weekend to Cloudflare, the "pass-through" content delivery network that had been operating 8chan's servers. Some users were upset over content posted on 8chan by its imageboard users and directed their complaints to Cloudflare. "Please take appropriate measures to stop your customer from abusing your services and enabling illegal content," one complainant wrote after posting links to 11 8chan boards that contained underage "girls and boys shown in sexual poses."


 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Thanks to our reader David for sending us this detect (anonymized):

GET announce?info_hash=....peer_id=....ip=....port=....uploaded=....downloaded=....*left=....numwant=.... HTTP/1.0
Host: a.tracker.thepriatebay.org
User-Agent: Bittorrent
Accept: */*
Connection: closed

David's web server was hit with a sufficient number of requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all of which appear to be located in China. A quick Google search revealed that he wasn't alone: other web servers had experienced similar attacks.

Given the host header (and David observed various thepriatebay.org host names), it looks like some DNS servers responded with David's IP address when queried for thepiratebay.org.

I did a quick check of passive DNS systems, and didn't find David's IP. But when I queried Chinese DNS servers for the host name, I received numerous answers. Each answer was only repeated a couple of times, if at all. It sort of looked like they all returned different IP addresses. US-based DNS servers, on the other hand, usually don't resolve the host name, or respond with 127.0.0.1, a typical blacklisting technique. Only a handful responded with a routable IP address.

Overall, I am not sure what is happening. Looks like a Chinese firewall issue to me. But if you have any ideas or packets, please let me know.
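One way to triage a flood like David's on the web-server side is to look for the two features that appear together in the detect above: a Host header for a name the server does not serve, and a BitTorrent announce path. The script below is an added example, not David's detect or part of the diary. It assumes the server logs the request's Host header in front of the usual combined-format fields (for Apache, a LogFormat beginning with %{Host}i); the log lines, the server names in OUR_HOSTS and the client addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log lines: "<Host header> <client ip> - - [time] "<request>" <status> <bytes>".
# 203.0.113.x / 198.51.100.x are documentation ranges, not real clients.
SAMPLE_LOG = """\
a.tracker.thepiratebay.org 203.0.113.10 - - [12/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=AAAA&peer_id=BBBB&port=6881 HTTP/1.0" 404 162
www.example.com 198.51.100.7 - - [12/Jan/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5123
tracker.thepiratebay.org 203.0.113.11 - - [12/Jan/2015:10:00:02 +0000] "GET /announce?info_hash=CCCC&peer_id=DDDD&port=51413 HTTP/1.0" 404 162
a.tracker.thepiratebay.org 203.0.113.10 - - [12/Jan/2015:10:00:03 +0000] "GET /announce?info_hash=EEEE&peer_id=FFFF&port=6881 HTTP/1.0" 404 162
www.example.com 198.51.100.8 - - [12/Jan/2015:10:00:04 +0000] "GET /announce?info_hash=GGGG HTTP/1.0" 404 162
"""

# Assumed: the names this server legitimately answers for.
OUR_HOSTS = {"www.example.com", "example.com"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def misdirected_tracker_requests(text, our_hosts=OUR_HOSTS):
    """Requests that (a) carry a Host header we do not serve and (b) look like
    BitTorrent tracker announces. Both together are the signature of clients
    that were handed our IP address for somebody else's host name."""
    hits = []
    for r in parse_log(text):
        stray_host = r["host"].lower() not in our_hosts
        announce = r["path"].startswith("/announce?") and "info_hash=" in r["path"]
        if stray_host and announce:
            hits.append(r)
    return hits


def triage(text, our_hosts=OUR_HOSTS):
    """Summaries that help decide on a response: which foreign names are being
    pointed at us, and how many distinct clients are involved."""
    hits = misdirected_tracker_requests(text, our_hosts)
    return {
        "hosts": Counter(r["host"] for r in hits),
        "clients": Counter(r["ip"] for r in hits),
        "distinct_clients": len({r["ip"] for r in hits}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("foreign host names seen:", dict(summary["hosts"]))
    print("distinct clients:", summary["distinct_clients"])
```

The last line of the sample (an announce sent to our own host name) is deliberately not flagged: on its own an announce path proves nothing, and on its own an unknown Host header is routine scanner noise. Once the pattern is confirmed, the cheapest mitigation is a catch-all default virtual host that answers unknown Host headers with a short error, so the misdirected clients never reach the application.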

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

A security researcher examining the website of North Korea's official news service, the Korean Central News Agency, has discovered that the site delivers more than just the latest photo spread of Democratic People's Republic of Korea leader Kim Jong Un inspecting mushroom farms. There's a little extra surprise hidden in the site's code—malware. The news site appears to double as a way for North Korea to deliver a "watering hole" attack against individuals who want to keep tabs on the "activities" of the DPRK's dear leader.

Ars has independently verified a reference within part of the site's JavaScript code called from the home page to a download named "FlashPlayer10.zip." The file, which is set as a JavaScript variable "FlashPlayer" on the site's main page and on other site pages, contains two files labeled as Windows executable installers containing updates for the long-since obsolete Flash Player 10—one for an alleged ActiveX control, and the other for a browser plug in. Both are identical files, and they contain a well-known Windows malware dropper, based on an analysis through the malware screening site Virustotal.


 

The perennial problem of bug disclosure has provoked a new squabble between Microsoft and Google. On Sunday, Google disclosed the existence of a Windows elevation of privilege flaw that the company reported privately in October. That flaw hasn't been patched yet. It will be very soon—the update is due to land on Patch Tuesday, tomorrow—but Google's publication of the flaw means that, for a couple of days, Windows users are vulnerable to an unfixed flaw.

In response, Chris Betz, senior director of the Microsoft Security Response Center, published a lengthy complaint calling for "better coordinated vulnerability disclosure."

Microsoft has been promoting "coordinated vulnerability disclosure" since 2010, but the security community has long been split on how best to disclose security flaws. On one extreme is the full disclosure crowd: security flaws are documented and described in full, in public, typically on a mailing list. In the early days, that disclosure was typically the first time the software developer responsible even heard of the flaw, though some researchers promised to disclose to vendors first.


 

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we're saving everything we can about our customers on the remote chance that it might be useful later.


 

The Twitter and YouTube accounts belonging to the US Central Command were compromised on Monday by people who claimed they hacked sensitive US military PCs and leaked confidential material in support of the Islamic State.

The compromised CENTCOM Twitter account contained graphics and text supporting the Islamic State in Iraq and Syria (ISIS), and it warned the US to expect more hacks. It was carried out by a person or group dubbed the CyberCaliphate. Central Command is one of nine unified commands in the US military. With its area of responsibility covering Afghanistan, Iraq, Syria, and Iran, it leads the US campaign against Islamic State extremists. Monday's attacks appeared to be carried out by the same group that earlier this month commandeered the Twitter accounts of CBS affiliate WBOC-TV and the Albuquerque Journal.

At the time this post was being prepared, there was conflicting evidence supporting the claim that anything more than CENTCOM's Twitter and YouTube accounts were compromised. Files linked in a post on Pastebin contained what appeared to be rosters of US military personnel, including contact information for Army commands and retired Army generals. A separate series of documents, contained in a folder titled war-scenarios, showed PowerPoint slides that appeared to be related to war games exercises involving China, North Korea, and regions in Africa, Indonesia, and the Caspian. One slide in a file titled SOCOM_Africa_Scenario.ppt was dated January 12, 2015. It proposed a CIA operation in Congo and Southern Africa dubbed "Operation Cakewalk" to seize yellowcake uranium. CENTCOM officials confirmed the compromise of the social networking accounts but told CNN none of the leaked documents appeared to be classified.


 
Linux Kernel 'fs/isofs/rock.c' Local Information Disclosure Vulnerability
 
WordPress Js-Multi-Hotel Plugin 'roomid' Parameter Cross Site Scripting Vulnerability
 
[SECURITY] [DSA 3126-1] php5 security update
 

SC Magazine UK

GCHQ hiring InfoSec pros for new Manchester office
SC Magazine UK
GCHQ has opened a new site in Manchester and is already looking to hire software developers, engineers and information security professionals to fill the space. The UK spy agency has headquarters in ...

 
ZfcUser 'redirect' Parameter Cross Site Scripting Vulnerability
 
Corel Software DLL Hijacking
 
VDG Security Sense Multiple Security Vulnerabilities
 

[This is a guest diary submitted by Xavier Mertens]

Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the Internet of Things, or IoT. My home network is hardened: any new (unknown) device connected to it receives an IP address from a specific range that has no connectivity to other hosts or the Internet, but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The last toy I bought yesterday is a Smart Plug from Supra-Electronics. This device allows you to control a power plug via your mobile device and calculate the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25). Let's see what's inside...

The documentation mentions a setup procedure and management via a mobile device (with a free app for iOS or Android), but the first reflex is to scan the box. Interesting: a web server as well as a telnet server are waiting for packets. Let's try common credentials like admin/admin and...

$ telnet 192.168.254.225
Trying 192.168.254.225...
Connected to 192.168.254.225.
Escape character is ^].
(none) login: admin
Password:
BusyBox v1.12.1 (2014-07-31 06:32:52 CEST) built-in shell (ash)
Enter help for a list of built-in commands.
#

Immediately after the boot sequence, the device started to try to communicate with remote hosts:


Amongst DNS requests and NTP synchronization, a lot of traffic was generated to different IP addresses over UDP/10001, the same packet being sent to different hosts. The payload was a block of 60 bytes:



I was not able to decode the content of this payload; please comment if you recognize any patterns. The device also performs a regular connectivity check via a single ICMP ECHO packet sent to www.google.com (every 5 mins). This network traffic is generated by the process called RDTServer:

# ps
PID USER VSZ STAT COMMAND
1 admin 1400 S init
2 admin 0 SWN [ksoftirqd/0]
3 admin 0 SW [events/0]
4 admin 0 SW [khelper]
5 admin 0 SW [kthread]
6 admin 0 SW [kblockd/0]
7 admin 0 SW [kswapd0]
8 admin 0 SW [pdflush]
9 admin 0 SW [pdflush]
10 admin 0 SW [aio/0]
11 admin 0 SW [mtdblockd]
18 admin 1084 S nvram_daemon
19 admin 1612 S goahead
20 admin 872 R RDTServer
24 admin 1400 R telnetd
26 admin 872 S RDTServer
27 admin 872 S RDTServer
33 admin 872 S RDTServer
34 admin 872 S RDTServer
35 admin 872 S RDTServer
36 admin 872 S RDTServer
53 admin 1400 S /bin/sh
238 admin 0 SW [RtmpCmdQTask]
239 admin 0 SW [RtmpWscTask]
366 admin 1400 S -sh
505 admin 1400 R ps
678 admin 1400 S udhcpd /etc/udhcpd.conf
1116 admin 1396 S udhcpc -i apcli0 -s /sbin/udhcpc.sh -p /var/run/udhcp
1192 admin 872 S RDTServer
1207 admin 772 S ntpclient -s -c 0 -h ntp.belnet.be -i 86400
#

I grabbed a copy of the RDTServer binary (MIPS), and running the strings command against the file revealed interesting stuff. The IP addresses used were found in the binary:

IP FQDN NetName Country
50.19.254.134 m1.iotcplatform.com AMAZON-EC2-8 US
122.248.234.207 m2.iotcplatform.com AMAZON-EC2-SG Singapore
46.137.188.54 m3.iotcplatform.com AMAZON-EU-AWS Ireland
122.226.84.253 JINHUA-MEIDIYA-LTD China
61.188.37.216 CHINANET-SC China
220.181.111.147 CHINANET-IDC-BJ China
120.24.59.150 m4.iotcplatform.com ALISOFT China
114.215.137.159 m5.iotcplatform.com ALISOFT China
175.41.238.100 AMAZON-AP-RESOURCES-JP Japan
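The two observations above, a fixed payload fanned out to many hosts from the isolated segment, and destination addresses that turn up as literals in the binary, can both be checked mechanically once the new device's packets are being logged. The script below is an added example, not Xavier's tooling or anything shipped with the plug. The flow records, the allowlist policy (only DNS to the local resolver and NTP are expected) and the stand-in "binary" are constructed; the destination addresses reused from the table are the only values taken from the diary.

```python
import re
from collections import defaultdict

# Constructed flow records from the isolated segment: (src, dst, proto, dst_port, payload).
# Payloads are placeholders, not the device's real 60-byte datagrams; the 10001/udp
# destinations are the addresses from the diary's table, the others are documentation ranges.
FLOWS = [
    ("192.168.254.225", "192.168.254.1",   "udp",  53,    b"dns-query"),
    ("192.168.254.225", "198.51.100.123",  "udp",  123,   b"ntp"),
    ("192.168.254.225", "50.19.254.134",   "udp",  10001, b"\x01" * 60),
    ("192.168.254.225", "122.248.234.207", "udp",  10001, b"\x01" * 60),
    ("192.168.254.225", "46.137.188.54",   "udp",  10001, b"\x01" * 60),
    ("192.168.254.225", "122.226.84.253",  "udp",  10001, b"\x01" * 60),
    ("192.168.254.225", "203.0.113.99",    "icmp", 0,     b"echo"),
]

# Assumed policy: what a smart plug legitimately needs from this segment.
ALLOWED = {("udp", 53), ("udp", 123)}


def unexpected_flows(flows, allowed=ALLOWED):
    """Flows whose (proto, dst_port) pair is not on the allowlist."""
    return [f for f in flows if (f[2], f[3]) not in allowed]


def payload_fanout(flows, min_hosts=3):
    """Group flows by identical (proto, port, payload) and report those sent to at
    least min_hosts distinct destinations: the 'same packet to many hosts' pattern."""
    by_payload = defaultdict(set)
    for _src, dst, proto, port, payload in flows:
        by_payload[(proto, port, payload)].add(dst)
    return {k: sorted(v) for k, v in by_payload.items() if len(v) >= min_hosts}


# Dotted-quad not embedded in a longer digit/dot run (rejects "1.2.3.4.5").
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def embedded_ipv4(blob):
    """Mimic `strings file | grep` for IPv4 literals: find dotted-quads in raw bytes
    and keep only those whose octets are in range."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        if all(int(o) <= 255 for o in m.group().split(b".")):
            found.add(m.group().decode())
    return sorted(found)


# Constructed stand-in for the RDTServer binary: an ELF-like header, a host name,
# two valid addresses, one out-of-range quad and a version string that must not match.
FAKE_BINARY = (b"\x7fELF\x00\x00m1.iotcplatform.com\x0050.19.254.134\x00"
               b"999.1.1.1\x00122.248.234.207\x00version 1.2.3.4.5\x00")


def hardcoded_destinations(flows, blob):
    """Destinations actually contacted that also appear as literals in the binary,
    i.e. the ones worth a whois lookup first."""
    contacted = {f[1] for f in flows}
    return sorted(contacted & set(embedded_ipv4(blob)))


if __name__ == "__main__":
    print("outside policy:", [(f[1], f[2], f[3]) for f in unexpected_flows(FLOWS)])
    for (proto, port, _p), hosts in payload_fanout(FLOWS).items():
        print(f"identical {proto}/{port} payload sent to {len(hosts)} hosts: {hosts}")
    print("hard-coded in binary and contacted:", hardcoded_destinations(FLOWS, FAKE_BINARY))
```

The allowlist check is the noisy one (it also flags the Google connectivity ping); the fan-out check is what singles out the rendezvous-style traffic, and the cross-reference with the binary's strings tells you which of those destinations are baked into the firmware rather than learned at run time.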


Seeing packets sent to China is often suspicious! The domain name iotcplatform.com belongs to ThroughTek, a company specialized in IoT and M2M (Machine to Machine) connection platforms:

Domain Name: IOTCPLATFORM.COM
Registry Domain ID: 1665166563_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-07-09T11:44:15Z
Creation Date: 2011-07-04T08:50:36Z
Registrar Registration Expiration Date: 2016-07-04T08:50:36Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.480-624-2505
Registry Registrant ID:
Registrant Name: Charles Kao
Registrant Organization:
Registrant Street: 4F., No.221, Chongyang Rd.,
Registrant City: Taipei
Registrant State/Province: Nangang District
Registrant Postal Code: 11573
Registrant Country: Taiwan
Registrant Phone: +886.886226535111
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]

In fact, the IOTC platform is a service developed by ThroughTek to establish P2P communications between devices. I read the documentation provided with the device as well as all the website pages, and there is no mention of this service. Manufacturers should include some technical documentation about the network requirements (e.g. to download firmware updates). In this case, it's not a major security issue, but this story reinforces what we already know (and fear) about IoT: those devices have weak configurations and lack visibility/documentation about their behavior. Take care when connecting them to your network. A best practice is to inspect the traffic they generate once online (DNS requests, HTTP(S) requests or any other protocol).

--
If the enemy leaves a door open, you must rush in. - Sun Tzu
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C

 
LinuxSecurity.com: Updated wireshark packages fix security vulnerabilities: The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562). The SMTP dissector could crash (CVE-2015-0563). [More...]
 
LinuxSecurity.com: Updated curl packages fix security vulnerability: When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to [More...]
 
LinuxSecurity.com: Updated libssh packages fix security vulnerability: Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet (CVE-2014-8132). [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
[ MDVSA-2015:021 ] curl
 
[ MDVSA-2015:022 ] wireshark
 
[RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0
 
CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0
 
Wireshark TLS/SSL Decryption CVE-2015-0564 Denial of Service Vulnerability
 
Wireshark SMTP Dissector 'packet-smtp.c' Remote Denial of Service Vulnerability
 
Wireshark DEC DNA Routing Protocol Dissector CVE-2015-0562 Remote Denial of Service Vulnerability
 
CodeWrights 'HART DTM' Library CVE-2014-9191 Local Denial of Service Vulnerability
 
[ MDVSA-2015:020 ] libssh
 
ZTE Datacard PCW(Telecom MF180) - Multiple Software Vulnerabilities
 

Posted by InfoSec News on Jan 12

http://www.bloomberg.com/news/2015-01-12/biggest-u-s-hack-case-is-tale-of-gamers-interrupted-vacation.html

By Stepan Kravchenko, Carol Matlack and Dune Lawrence
Bloomberg
Jan 11, 2015

Vladimir Drinkman says he met Dmitriy Smilianets online playing
Counter-Strike, a shooter game in which cyber-combatants assume the roles
of either terrorists or counter-terrorists: bad guys or good guys.

More than a decade later, the two young Russians are...
 

Posted by InfoSec News on Jan 12

http://www.cultofmac.com/308478/confidential-apple-product-plans-quanta/

By Leander Kahney
Cult of Mac
Jan 9, 2015

Incredibly sloppy security at one of Apple’s key suppliers exposed some of
Cupertino’s most closely guarded secrets to anybody who could conduct a
simple Google search.

For months, one of Quanta Computer's internal databases could be accessed
using usernames and a default password published in a PowerPoint
presentation...
 

Posted by InfoSec News on Jan 12

http://arstechnica.com/information-technology/2015/01/heads-up-dear-leader-security-hole-found-in-north-koreas-home-grown-os/

By Sean Gallagher
Ars Technica
Jan 9, 2015

North Korea is a technological island in many ways. Almost all of the
country's "Internet" is run as a private network, with all connections to
the greater global Internet through a collection of proxies. And the
majority of the people of the Democratic...
 
cURL/libcURL CVE-2014-8150 Remote Security Bypass Vulnerability
 
Blitz CMS Community - SQL Injection Web Vulnerability
 
Heroku API Deep Dive Bug Bounty #3 - Persistent UI Vulnerability
 
Heroku API Bug Bounty #1 - Persistent Invitation Vulnerability
 

The Register

Security's revamped index of pain readies for release
The Register
The great unwashed has been afforded an opportunity to comment on a new scheme for classifying the severity of infosec vulnerabilities issued by the National Institute of Standards and Technology. The Common Vulnerability Scoring System (CVSS) is a ...

 
OpenSSL Certificate Fingerprints CVE-2014-8275 Local Security Bypass Vulnerability
 
OpenSSL 'ssl23_get_client_hello()' Function NULL Pointer Dereference Denial of Service Vulnerability
 
binutils Remote Denial of Service Vulnerability
 
binutils 'peXXigen.c' Remote Denial of Service Vulnerability
 
[SECURITY] [DSA 3124-1] otrs2 security update
 
Wordpress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities
 
[security bulletin] HPSBOV03227 rev.1 - HP SSL for OpenVMS, Remote Disclosure of Information, Denial of Service (DoS) and Other Vulnerabilities
 
[SECURITY] [DSA 3125-1] openssl security update
 

Docker security 'immature', but not scary says Gartner
The Register
Those arrivals will, he suggests, make it easier to operate Docker within the parameters of known best practices and therefore also lessening worries for infosec and governance professionals alike. That Fritsch also doesn't mention Docker's ...

 
Internet Storm Center Infocon Status