Hackin9

Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's [1]. As it so happens we decided to have lunch there today and I asked one of the managers whether she had been briefed on the breach. She had been informed.

I observed two things of note at lunch. One, people were still paying with credit cards, but what came back was a pleasant and welcome surprise: the bartender placed the bill down along with a manually run credit card slip from one of the old-school card imprinters [2].

The extent of the breach is still under investigation according to the general manager of the PF Chang's we frequent, and it is time to change the CC ... again ...

Maybe we should keep a "breach causes CC change" scoreboard :( [3]

 

[1] http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

[2] http://www.amazon.com/Addressogragh-Bartizan-4000-Imprinter-Without/dp/B0057YIHMM

[3] https://www.privacyrights.org/

 

Richard Porter

--- ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Samsung is banking on the high-resolution Super AMOLED screens on its Galaxy Tab S tablets, which also weigh less than Apple's latest iPads, to help it maintain momentum in a tough market.
 
I'm not easily impressed by tablets, so I haven't been tempted to buy an upgrade for my (ancient-by-tech-standards) Nexus. But the Galaxy Tab S 8.4 and 10.5 are definitely contenders.
 

A trojan that's currently doing the rounds in Japan is using Windows itself to try to defeat security software on infected machines.

Trend Micro reports that the BKDR_VAWTRAK malware, which steals credentials used for online banking at some Japanese banks, is using a Windows feature called Software Restriction Policies (SRP) to prevent infected systems from running a wide range of security programs, including anti-virus software from Microsoft, Symantec, and Intel. A total of 53 different programs are blocked by the malware.

SRP is intended to give corporate administrators greater control over the software that systems can run. Normally configured through Group Policy, it lets administrators both whitelist and blacklist applications. Applications can be identified in several ways: by their cryptographic hash, digital signature, download source, or simply their path on the system.
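The same SRP mechanism the malware abuses leaves a footprint in the machine policy hive, and a defender can audit it. The following PowerShell is an added example, not code from the article or from Trend Micro's report; it reads the real SRP key (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`) and flags "Disallowed" path rules that name a security product. The product keyword list is constructed for illustration and should be adapted to the tools actually deployed.

```powershell
# Added defender-side example; not code from the article or from Trend Micro's report.
# SRP stores one subkey per security level (decimal name) under CodeIdentifiers, and
# path rules live beneath <level>\Paths\<GUID> with the target in the ItemData value.
$Base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 131072 = 'Constrained'; 262144 = 'Unrestricted' }
# Illustrative keywords for security tooling (constructed list; extend for your estate).
$Watch  = @('defender', 'msmpeng', 'mpcmdrun', 'symantec', 'mcafee', 'norton', 'kaspersky', 'avast')

function Get-SrpPathRule {
    # Emits one object per SRP path rule found under any security level.
    if (-not (Test-Path -Path $Base)) { return }
    foreach ($levelKey in Get-ChildItem -Path $Base -ErrorAction SilentlyContinue) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level        = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { "$level" }
                Path         = [string]$props.ItemData
                Description  = [string]$props.Description
                LastModified = $props.LastModified
                RuleKey      = $rule.PSChildName
            }
        }
    }
}

# A blacklist-style abuse keeps DefaultLevel at Unrestricted (262144) and adds
# Disallowed rules; a legitimate whitelist deployment usually sets DefaultLevel to 0.
$policy = if (Test-Path -Path $Base) { Get-ItemProperty -Path $Base } else { $null }
"SRP DefaultLevel: $($policy.DefaultLevel)  TransparentEnabled: $($policy.TransparentEnabled)"

$rules = @(Get-SrpPathRule)
"Total SRP path rules: $($rules.Count)"

$suspect = foreach ($r in $rules) {
    if ($r.Level -ne 'Disallowed') { continue }
    $p = $r.Path.ToLowerInvariant()
    if ($Watch | Where-Object { $p.Contains($_) }) { $r }
}
if ($suspect) {
    Write-Warning 'Disallowed SRP path rules target security software; review who created them.'
    $suspect | Format-Table Level, Path, Description, LastModified, RuleKey -AutoSize
} else {
    'No Disallowed path rules match the watch list.'
}
```

User-scoped SRP policy lives under the same subkey path beneath `HKCU:\`, and hash rules sit under `<level>\Hashes`; neither is covered by this block.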


 
 
This week, at its annual Discover user conference, Hewlett-Packard put cloud computing and big data on the top of the agenda, capitalizing on the heavy work it has been doing with these technologies.
 


Earlier this week, we were testing the security aspects of an application that integrates with LinkedIn. Given that I do not own a LinkedIn account, I had to create one temporarily, to be able to test. I used a throw-away email address, and did not add any personal data, but I happened to connect to LinkedIn from the business where we were performing the work.

When I connected back, two days later, from home, to delete the temporary account, I was surprised that LinkedIn suggested "people you could know". And lo and behold, I actually knew some of them. They were employees of the company where we had conducted the test.

The only conceivable link, as far as we could determine, is the IP address. Those other users, company employees, might have logged in to LinkedIn before from work, and this seems to be a data point that LinkedIn remembers, and uses, in determining "connections" between members.

Nothing much wrong with that - LinkedIn is mostly transparent in their declaration of what data mining they do, the privacy policy clearly states "We collect information from the devices and networks that you use to access LinkedIn. This information helps us improve and secure our Services".  Of course the IP address is a data point that is visible to them, and it makes $$$ sense to store and use it. But, call me naïve, seeing it used so blatantly still caught me by surprise.

Lesson learned: If you create a LinkedIn account, don't do so from the public WiFi at the pub or brothel or bank branch that you frequent -- you might end up with friend suggestions that link you to unsavory characters ;).

 
Some of SAP's largest customers plan to nearly double what they now spend on cloud deployments in the next year -- good news for a company that is trying to position itself as a key player in that market -- according to research commissioned by IT services provider HCL.
 
After Verizon issued a cease-and-desist letter to Netflix for calling out poor broadband service, Netflix shot back, saying poor streaming video quality rests squarely with ISPs.
 
Spurred by stronger demand for business PCs than expected, Intel raised its revenue guidance for this quarter.
 
Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed.
 

Victoria introduces new privacy, infosec legislation
iT News
Victorian Attorney-General Robert Clark yesterday introduced a new privacy and security bill into the state's legislative assembly that will seek to enshrine common government data security standards into law. The Victorian Privacy Data and Protection ...

 
After years of research and late nights, a team of scientists set up their robot Thursday to take on a NASA-funded autonomous robotics challenge.
 
Hewlett-Packard's attempt to come up with a new architecture for computers is "laughable" and would make trillions of dollars in software investment obsolete, a top Dell executive said Thursday.
 

We've all been there at some point—tempted to create a user account on a website that's mildly interesting, but the hassle of creating yet another unique password is just too high. Enter the secret URL, a Web address that ends with a long jumble of numbers and letters that aren't easily guessed.

NosPronos.com, a site for predicting winners in the World Cup, recently implemented this approach. Creating an account requires a single click and the entering of a user name. The site then assigns a unique URL for the user to bookmark. As long as it remains secret, the link locks down the account without requiring the user to enter a password or to use a computer or smartphone that stores a previously acquired authentication cookie.

"Noooooo I don't want to create an account either!" the creator of NosPronos wrote. "I know I'm going to need to come up with some password, not to mention I'll need to 'verify' my e-mail address, give a few personal details that I don't want to give, all that for something that I don't even care that much about... what a hassle, seriously." In a few days, he said, his site acquired thousands of users from all around the world.


 
MediaWiki 'Special:PasswordReset' Cross Site Scripting Vulnerability
 
Diesel, a Labrador Retriever, appears to live in a perpetual state of glee and is unbothered by the electronics-packed vest he is wearing.
 
RSS aggregator Feedly today went dark for the second time in two days as another wave of distributed-denial-of service attacks knocked it offline today.
 
The U.S. government has lifted a long-standing restriction that meant companies like Google and Microsoft didn't have access to the most accurate pictures taken by imaging satellites.
 
Advanced Micro Devices has combined product groups and promoted two executives for the next phase of its planned multiple-year strategy to maintain profitability.
 
Starbucks plans to install Powermat wireless charging stations nationwide in all of its U.S. operated stores, but IHS says the technology is incompatible with nearly all enabled devices.
 
The U.S. Federal Communications Commission is threatening to step in with regulations if network providers don't take steps to improve cybersecurity.
 
 
 
Amazon launched Prime Music, a streaming music service with more than a million tunes, zero ads, and zero cost to Amazon Prime subscribers.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated python-jinja2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Libav could be made to crash or run programs as your login if it opened a specially crafted file.
 
LinuxSecurity.com: Updated tor packages fix multiple vulnerabilities: Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for relay identity [More...]
 
LinuxSecurity.com: Updated chkrootkit package fixes security vulnerability: The chkrootkit script contains a flaw that allows a local attacker to create an executable in /tmp that will be run by the user running chkrootkit (usually root), allowing the attacker to escalate privileges [More...]
 
Microsoft Internet Explorer CVE-2014-2775 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2014-2776 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2014-2777 Remote Privilege Escalation Vulnerability
 
Microsoft Internet Explorer CVE-2014-1764 Remote Code Execution Vulnerability
 
An Android Trojan program originally designed to steal mobile banking credentials from Russian users was recently retrofitted with ransomware functionality and has started infecting users in the U.S., using photos of its victims to intimidate them into paying a fictitious FBI fine.
 
Intel lost its appeal against a €1.06 billion (US$1.44 billion) antitrust fine on Thursday when the General Court of the European Union upheld a 2009 ruling by the European Commission that the company had abused its dominant market position.
 
Microsoft promises that a revamped Skype app for the iPhone will be significantly better than the current version, although it may be too late for users who have long since switched to other options.
 
IBM Smart Analytics System CVE-2014-0935 Local Privilege Escalation Vulnerability
 
 
The security of open source software relies on the community spotting errors -- but Heartbleed and other recent events suggest that that's not happening.
 
For all the buzz around mobility and BYOD, the entry of new devices into the network poses challenges for federal CIOs, who must tailor policies to address security and usage challenges.
 
 
Bytemark Symbiosis 'pattern.rb' Denial of Service Vulnerability
 

Denial-of-service mitigation service CloudFlare will provide free protection to political and artistic websites that come under attack for exercising their free-speech rights, the company is expected to announce Thursday.

Under a program it's calling Project Galileo, San Francisco-based CloudFlare will work with the Electronic Frontier Foundation, the American Civil Liberties Union, the Committee to Protect Journalists, and at least 14 other non-profit groups to identify sites that are targeted for publishing politically or artistically themed content that may be considered controversial or objectionable. The program effectively equips the non-profit partners with a "bat phone" they can use to reach a CloudFlare representative whenever such a site comes under a distributed denial-of-service attack designed to knock it offline. CloudFlare will then immediately provide mitigation services free of charge.

Right now there are just under 100 sites that are enrolled in Project Galileo, CloudFlare CEO Matthew Prince told Ars. The company protects about two million websites total, under a variety of pricing plans from no cost at all for small sites to premium fees for banks and other types of sites that regularly come under attack and require constant uptime. Sites that receive free services generally receive fewer resources. Under the program being unveiled Thursday, qualifying sites will receive whatever resources are necessary to keep them online.


 

The latest release of Metasploit, published today, includes a module to ease exploitation of CVE-2014-0195 [1]. This vulnerability in the DTLS implementation of OpenSSL was patched last week and didn't get the attention the MitM vulnerability that was patched at the same time got. It is absolutely critical that you patch and/or firewall your DTLS services. This is complicated by the fact that many of them are part of embedded devices like routers and switches (SNMPv3) or VoIP systems. Your web servers are NOT affected by this.

The Metasploit module in its current form does NOT allow for code execution, but instead will just crash the service. The vulnerability could however be used to execute code on the target device.

Here again a quick rundown of possibly affected protocols:

SNMPv3 (161/UDP), LDAP over SSL (636/UDP), DTLS-SRP (VoIP, WebRTC, various ports), OpenVPN (1194/UDP) 

DTLS uses UDP over various ports. Some of the protocols listed above, e.g. DTLS-SRP, use various ports that are negotiated between the endpoints dynamically. DTLS can also use port 4433 for some applications.

[1] http://www.rapid7.com/db/modules/auxiliary/dos/ssl/dtls_fragment_overflow

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
It's looking like Microsoft won't be bringing back the Start menu until 2015. Way to put the customer first, Microsoft!
 
The developer who earlier this week uncovered code within iOS 8 that pointed to a split-screen mode posted demonstrations of the feature in action.
 
Facebook is moving to offer users a familiar trade-off: their browsing privacy in return for more targeted advertising. Those who find that no deal at all will be able to use opt-out tools, but all users will be given a little more control over the ads they see.
 
Cisco Security Advisory: Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability
 
[SECURITY] [DSA 2956-1] icinga security update
 
[SECURITY] [DSA 2955-1] iceweasel security update
 
 

 

BIND has released a security update for CVE-2014-3859 [1] for versions 9.10.0-p2, 9.9.5-p1 and 9.8.7-p1. The update is available for download from ISC [2].

[1] https://kb.isc.org/article/AA-01166/74/CVE-2014-3859%3A-BIND-named-can-crash-due-to-a-defect-in-EDNS-printing-processing.html
[2] http://www.isc.org/downloads/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

 
[ MDVSA-2014:123 ] tor
 
[ MDVSA-2014:122 ] chkrootkit
 
Intel lost its appeal against a $1.44 billion antitrust fine on Thursday when the General Court of the European Union upheld a 2009 ruling by the European Commission that the company had abused its dominant market position.
 
Microsoft on Wednesday released a preview version of Outlook Web App (OWA) for Google's Android, fulfilling a promise made in March.
 
Google has started an open-source project for a PDF software library, which developers will be able to incorporate into applications designed for a variety of platforms.
 
AlienVault OSSIM and Unified Security Management 'newpolicyform.php' SQL Injection Vulnerability
 
Jinja2 'jinja2.bccache.FileSystemBytecodeCache' Insecure File Permissions Vulnerability
 
SAP's former technology chief Vishal Sikka will head ailing Indian outsourcer Infosys, in a marked shift from his focus at his former company on technology and product development.
 