Information Security News
Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's. As it so happens, we decided to have lunch there today, and I polled one of the managers as to whether she had been briefed on the breach. She had been informed.
I observed two things of note at lunch: one, people were still paying with credit cards, but what returned was a pleasant and welcome surprise. The bartender placed the bill down along with a manually run credit card slip from one of the old-school card imprinters.
The extent of the breach is still under investigation according to the general manager of the PF Chang's we frequent, and it is time to change the CC ... again ...
Maybe we should keep a breach causes CC change score board :( 
--- ISC Handler on Duty
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Peter Bright
A trojan currently doing the rounds in Japan is using Windows itself to try to defeat security software on infected machines.
Trend Micro reports that the BKDR_VAWTRAK malware, which steals credentials used for online banking at some Japanese banks, uses a Windows feature called Software Restriction Policies (SRP) to prevent infected systems from running a wide range of security programs, including anti-virus software from Microsoft, Symantec, and Intel (McAfee). A total of 53 different programs are blocked by the malware.
SRP is intended to give corporate administrators greater control over the software that systems can run. Normally configured through Group Policy, it lets administrators both whitelist and blacklist applications, identified in one of several ways: by cryptographic hash, by digital signature (certificate), by download source (Internet zone), or simply by path on the system. The resulting policy is just registry data under SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, which exists in HKLM for machine policy and in HKCU for per-user policy; a process running as an ordinary user can write the per-user copy, so malware does not need admin rights to plant Disallowed path rules there, and that is the key to check when a box starts "mysteriously" refusing to run its AV.
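As an added example (not code from Trend Micro's report or the Ars article), here is a Python parser for a `reg export` dump of the Safer keys that lists every SRP path rule and flags Disallowed rules pointing at security-product directories, the check a responder would run on a suspect machine rather than trusting the Group Policy editor. The vendor watch-list, the sample export and its GUIDs are constructed for the example and are not values from the malware.

```python
import re
import sys

# Relative path of the SRP policy store; the same subkey exists under HKLM (machine policy)
# and HKCU / HKEY_USERS\<SID> (per-user policy, writable without admin rights).
SAFER_SUBKEY = r"\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# SRP security-level IDs (SAFER_LEVELID_*); each level is a subkey named by its decimal value.
LEVELS = {0x0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
          0x20000: "Basic User", 0x40000: "Unrestricted"}

# Assumed watch-list of security-product directory names; extend it for your own estate.
WATCHLIST = ("microsoft security client", "windows defender", "symantec", "norton",
             "mcafee", "trend micro", "kaspersky", "eset", "sophos")

RULE_KEY = re.compile(
    r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)"
    + re.escape(SAFER_SUBKEY)
    + r"\\(?P<level>\d+)\\Paths\\(?P<guid>\{[0-9A-Fa-f-]+\})\]$",
    re.IGNORECASE)


def decode_reg_value(raw):
    """Decode a .reg value body: quoted REG_SZ, or hex(2): (REG_EXPAND_SZ as UTF-16LE bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.lower().startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", "").replace(" ", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_srp_path_rules(reg_text):
    """Return every SRP path rule found in a 'reg export' dump of the Safer keys."""
    rules, key, lines, i = [], None, reg_text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        # hex(...) values wrap onto continuation lines that end with a backslash
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        m = RULE_KEY.match(line)
        if m:
            key = m.groupdict()
        elif line.startswith("["):
            key = None                      # some other key: ignore its values
        elif key and line.lower().startswith('"itemdata"='):
            level = int(key["level"])
            rules.append({"hive": key["hive"].upper(), "guid": key["guid"],
                          "level": LEVELS.get(level, "level %d" % level),
                          "path": decode_reg_value(line.split("=", 1)[1])})
    return rules


def find_blocked_security_software(rules):
    """Disallowed path rules whose target looks like a security product."""
    return [r for r in rules
            if r["level"] == "Disallowed"
            and any(name in r["path"].lower() for name in WATCHLIST)]


# Constructed sample in 'reg export' format: one ordinary allow rule, one ordinary block rule,
# and two VAWTRAK-style Disallowed rules planted in the per-user hive. GUIDs are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-2222-4333-8444-555555555555}]
"ItemData"="%ProgramFiles%"
"SaferFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee}]
"ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,\
  65,00,73,00,25,00,5c,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,63,00,00,00
"SaferFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{12345678-1234-4123-8123-123456789abc}]
"ItemData"="C:\\Program Files\\Microsoft Security Client\\*"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{87654321-4321-4321-8321-cba987654321}]
"ItemData"="C:\\Users\\Public\\*.exe"
"SaferFlags"=dword:00000000
'''

if __name__ == "__main__":
    # 'reg export' writes UTF-16 with a BOM; pass a real dump as argv[1] or run on the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for r in find_blocked_security_software(parse_srp_path_rules(text)):
        print("%-18s %-11s %s" % (r["hive"], r["level"], r["path"]))
```

To collect the input on a suspect host, export both hives (`reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer out1.reg` and the same path under HKCU) and feed the files to the script; a Disallowed rule in the per-user hive that was never pushed by your Group Policy is the tell.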
Earlier this week, we were testing the security aspects of an application that integrates with LinkedIn. Given that I do not own a LinkedIn account, I had to create one temporarily to be able to test. I used a throw-away email address and did not add any personal data, but I happened to connect to LinkedIn from the business where we were performing the work.
When I connected back two days later, from home, to delete the temporary account, I was surprised that LinkedIn suggested "people you could know". And lo and behold, I actually knew some of them. They were employees of the company where we had conducted the test.
The only conceivable link, as far as we could determine, is the IP address. Those other users, company employees, might have logged in to LinkedIn before from work, and this seems to be a data point that LinkedIn remembers and uses in determining "connections" between members.
Lesson learned: If you create a LinkedIn account, don't do so from the public WiFi at the pub or brothel or bank branch that you frequent -- you might end up with friend suggestions that link you to unsavory characters ;)
Victoria introduces new privacy, infosec legislation
Victorian Attorney-General Robert Clark yesterday introduced a new privacy and security bill into the state's legislative assembly that will seek to enshrine common government data security standards into law. The Victorian Privacy Data and Protection ...
We've all been there at some point—tempted to create a user account on a website that's mildly interesting, but the hassle of creating yet another unique password is just too high. Enter the secret URL, a Web address that ends with a long jumble of numbers and letters that aren't easily guessed.
NosPronos.com, a site for predicting winners in the World Cup, recently implemented this approach. Creating an account requires a single click and the entering of a user name. The site then assigns a unique URL for the user to bookmark. As long as it remains secret, the link locks down the account without requiring the user to enter a password or to use a computer or smartphone that stores a previously acquired authentication cookie.
"Noooooo I don't want to create an account either!" the creator of NosPronos wrote. "I know I'm going to need to come up with some password, not to mention I'll need to 'verify' my e-mail address, give a few personal details that I don't want to give, all that for something that I don't even care that much about... what a hassle, seriously." In a few days, he said, his site acquired thousands of users from all around the world.
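An added example, not NosPronos' code, of how a site can issue and check such secret URLs without the usual mistakes: the token comes from a CSPRNG with far more entropy than any online guessing budget, the server stores only a hash of it so a leaked database does not hand out every account's link, presented tokens are shape-checked before lookup, and a leaked link can be rotated (the equivalent of a password change). The site prefix and token length are assumptions.

```python
import hashlib
import secrets
import string

# Assumed site prefix for the example; the real NosPronos URL layout is not known to us.
BASE_URL = "https://example.invalid/p/"
TOKEN_BYTES = 24            # 192 bits of entropy -> 32 URL-safe characters
TOKEN_LEN = 32
TOKEN_ALPHABET = set(string.ascii_letters + string.digits + "-_")


class SecretUrlAccounts:
    """Accounts keyed by a bearer URL instead of a username/password pair."""

    def __init__(self):
        # Map SHA-256(token) -> username. The raw token is never stored server-side.
        self._by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, username):
        """Issue a fresh secret URL for username; the return value is the only copy of the token."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_digest[self._digest(token)] = username
        return BASE_URL + token

    def resolve(self, url):
        """Map a presented URL back to its account, or None for unknown or tampered links."""
        if not url.startswith(BASE_URL):
            return None
        token = url[len(BASE_URL):]
        # Reject anything that is not the exact shape we issue before touching the table.
        if len(token) != TOKEN_LEN or any(c not in TOKEN_ALPHABET for c in token):
            return None
        # The lookup key is a hash of the secret, so comparison timing reveals nothing useful.
        return self._by_digest.get(self._digest(token))

    def rotate(self, url):
        """Invalidate a (possibly leaked) URL and issue a new one for the same account."""
        username = self.resolve(url)
        if username is None:
            return None
        del self._by_digest[self._digest(url[len(BASE_URL):])]
        return self.create(username)


if __name__ == "__main__":
    accounts = SecretUrlAccounts()
    link = accounts.create("alice")
    print("issued:", link)
    print("resolves to:", accounts.resolve(link))
    print("rotated to:", accounts.rotate(link))
    print("old link now resolves to:", accounts.resolve(link))
```

The caveat the scheme cannot fix in code: a bearer URL is the whole credential, so it leaks anywhere URLs do (browser history, Referer headers to third-party resources on the page, pasted links, proxy logs). For a football prediction pool that is an acceptable trade; for anything that matters, pair the link with a second factor or keep it short-lived.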
Denial-of-service mitigation service CloudFlare will provide free protection to political and artistic websites that come under attack for exercising their free-speech rights, the company is expected to announce Thursday.
Under a program it's calling Project Galileo, San Francisco-based CloudFlare will work with the Electronic Frontier Foundation, the American Civil Liberties Union, the Committee to Protect Journalists, and at least 14 other non-profit groups to identify sites that are targeted for publishing politically or artistically themed content that may be considered controversial or objectionable. The program effectively equips the non-profit partners with a "bat phone" they can use to reach a CloudFlare representative whenever such a site comes under a distributed denial-of-service attack designed to knock it offline. CloudFlare will then immediately provide mitigation services free of charge.
Right now there are just under 100 sites that are enrolled in Project Galileo, CloudFlare CEO Matthew Prince told Ars. The company protects about two million websites total, under a variety of pricing plans from no cost at all for small sites to premium fees for banks and other types of sites that regularly come under attack and require constant uptime. Sites that receive free services generally receive fewer resources. Under the program being unveiled Thursday, qualifying sites will receive whatever resources are necessary to keep them online.
The latest Metasploit release, out today, includes a module to ease exploitation of CVE-2014-0195. This vulnerability in OpenSSL's DTLS implementation was patched last week and did not get the attention that the man-in-the-middle vulnerability (CVE-2014-0224) patched at the same time received. It is absolutely critical that you patch and/or firewall your DTLS services. This is complicated by the fact that many of them are part of embedded devices like routers and switches (e.g. SNMP over DTLS) or VoIP systems. Your web servers are NOT affected by this: HTTPS runs over TCP and uses TLS, not DTLS.
The Metasploit module in its current form does NOT allow for code execution; it will just crash the service. The vulnerability could, however, be used to execute code on the target device.
Here again is a quick rundown of possibly affected protocols. Only services that actually speak DTLS over UDP are exposed, so check each one:
SNMP over DTLS (RFC 6353 registers 10161/UDP; plain SNMPv3 on 161/UDP does not use DTLS), LDAP over SSL (636 is TCP and uses TLS rather than DTLS, so LDAPS is not exposed to this bug), DTLS-SRP (VoIP, WebRTC, various ports), OpenVPN (1194/UDP; OpenVPN carries TLS inside its own UDP framing rather than DTLS, so check the project's advisory for this OpenSSL release rather than assuming either way)
DTLS uses UDP on various ports. Some of the protocols listed above, e.g. DTLS-SRP, negotiate their ports dynamically between the endpoints, so a port-based firewall rule alone will not cover them. DTLS can also use port 4433 for some applications; it is the default port of openssl s_server and turns up in test and lab setups.
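An added example (not from the ISC diary or the Metasploit module) of the check that precedes patching or firewalling: a small DTLS probe in Python that sends a ClientHello to a UDP port and classifies whatever comes back (HelloVerifyRequest, ServerHello, alert, or silence), replaying the server's stateless cookie when one is demanded so the real ServerHello is reached. It only tells you which listeners speak DTLS; it does not test for CVE-2014-0195. The port list and cipher suites are assumptions, and the sample HelloVerifyRequest bytes are constructed.

```python
import os
import socket
import struct
import sys

# DTLS wire versions (RFC 4347 / RFC 6347 encode them as the one's complement of the TLS version).
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CT_ALERT, CT_HANDSHAKE = 21, 22
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest"}

# Assumed port list built from the diary plus the RFC 6353 SNMP/DTLS port; dynamically negotiated
# DTLS-SRP/WebRTC ports must be added by hand. A non-DTLS listener never answers with a DTLS record.
CANDIDATE_PORTS = (161, 636, 1194, 4433, 10161)


def build_client_hello(version=0xFEFD, cookie=b""):
    """One DTLS record carrying an unfragmented ClientHello (message_seq 0, epoch 0, seq 0)."""
    # A handful of common suites; the server only has to recognise one of them to answer.
    suites = bytes.fromhex("c02bc02fc00ac014002f0035")
    body = (struct.pack("!H", version) + os.urandom(32)          # client_version, random
            + b"\x00"                                            # session_id: empty
            + bytes([len(cookie)]) + cookie                      # DTLS cookie (empty on first flight)
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                       # compression_methods: null only
    hs = (bytes([1]) + len(body).to_bytes(3, "big")              # msg_type, length
          + b"\x00\x00"                                          # message_seq
          + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")  # fragment_offset, fragment_length
          + body)
    return (bytes([CT_HANDSHAKE]) + struct.pack("!H", version)
            + b"\x00\x00" + (0).to_bytes(6, "big")               # epoch, sequence_number
            + struct.pack("!H", len(hs)) + hs)


def parse_record(data):
    """Parse the first DTLS record of a datagram; None if it is not DTLS-shaped."""
    if len(data) < 13:
        return None
    ctype = data[0]
    version = struct.unpack("!H", data[1:3])[0]
    epoch = struct.unpack("!H", data[3:5])[0]
    length = struct.unpack("!H", data[11:13])[0]
    if version not in DTLS_VERSIONS or len(data) < 13 + length:
        return None
    frag = data[13:13 + length]
    info = {"type": ctype, "version": DTLS_VERSIONS[version], "epoch": epoch,
            "seq": int.from_bytes(data[5:11], "big")}
    if ctype == CT_HANDSHAKE and len(frag) >= 12:
        info["handshake"] = HS_NAMES.get(frag[0], "handshake type %d" % frag[0])
        if frag[0] == 3 and len(frag) >= 15:                     # HelloVerifyRequest: version, cookie<0..255>
            info["cookie"] = frag[15:15 + frag[14]]
    elif ctype == CT_ALERT and len(frag) >= 2:
        info["alert"] = (frag[0], frag[1])                       # level, description
    return info


def probe(host, port, timeout=2.0):
    """Send a ClientHello; if the server demands a cookie, replay it and return the final answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        cookie = b""
        for _ in range(2):                                       # first flight, then the cookie round-trip
            s.sendto(build_client_hello(cookie=cookie), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                return None
            info = parse_record(data)
            if not info or not info.get("cookie"):
                return info
            cookie = info["cookie"]
    return info


# Constructed HelloVerifyRequest, as a DTLS 1.0 server answers a cookieless ClientHello.
SAMPLE_HELLO_VERIFY = bytes.fromhex(
    "16" "feff" "0000" "000000000000" "0013"      # record: handshake, version, epoch, seq, length 19
    "03" "000007" "0000" "000000" "000007"        # HelloVerifyRequest, len 7, msg_seq 0, offset 0, frag len 7
    "feff" "04" "deadbeef")                       # server_version, cookie length, cookie


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in CANDIDATE_PORTS:
        print("%s:%d/udp -> %s" % (host, port, probe(host, port)))
```

A listener that answers with a ServerHello or a HelloVerifyRequest is a DTLS service to put on the patch list; an alert still proves a DTLS stack is present. Silence means either no DTLS or a filter in between, so confirm negatives from inside the network segment before crossing a device off.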
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu