(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This is a commonly used phrase, usually when describing free products on the internet (often social media sites).

When my wife asked me to convert a PDF to a DOCX file, I thought I'd test this proverb in a slightly different way. I googled "convert PDF DOC" and tried the first group of free online converters.

Of the ones that are actually free, I took the resultant DOC file and pulled it apart, first just by unzipping it, then in much more detail using some of the tools on Lenny Zeltser's cheat sheet page on analyzing malicious documents: https://zeltser.com/analyzing-malicious-documents/. At this point I think you know where I'm going.

Yes, 3 of the first 5 on the list converted to DOC files that contained (gasp) malware - Angler variants, all of them. So an older kit, but an exploit all the same.

So I guess it's true, you are the product!

Oh, and my wife's request? I just opened the PDF in Word 2013 and did a "save as". Some of the graphics were lost, but everything she needed came through just fine!

Rob VandenBrink

My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn't introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named "Johnny B" was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.

I knew all this because each person advertised their presence wirelessly, either over "classic" Bluetooth or the newer Bluetooth Low Energy (BTLE) protocol—and I was running an open source tool called Blue Hydra, a project from the team at Pwnie Express. Blue Hydra is intended to give security professionals a way of tracking the presence of traditional Bluetooth, BTLE devices, and BTLE "iBeacon" proximity sensors. But it can also be connected to other tools to provide alerts on the presence of particular devices.

Despite their "Low Energy" moniker, BTLE devices are constantly polling the world even while in "sleep" mode. And while they use randomized media access control (MAC) addresses, they advertise other data that is unique to each device, including a universally unique identifier (UUID). As a result, if you can tie a specific UUID to a device by other means, you can track the device and its owner. By using the Received Signal Strength Indication (RSSI), you can get a sense of how far away they are.
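To make the tracking point concrete, here is an added example (not code from the article or from Blue Hydra) that parses a BLE advertising payload into its AD structures, pulls out the identifiers a passive listener can read regardless of MAC randomisation (local name, service UUIDs, iBeacon UUID/major/minor), estimates range from RSSI with a log-distance path-loss model, and matches against a watchlist the way an alerting integration would. The sample frames, the device name and the beacon UUID are constructed for the example.

```python
# Added example (not from the article or from Blue Hydra): parse a BLE
# advertising payload into its AD structures, pull out the identifiers a
# passive listener can read (local name, service UUIDs, iBeacon fields), and
# turn RSSI into a rough range with a log-distance path-loss model.
import struct

def parse_ad_structures(payload: bytes) -> list:
    """Split raw advertising data into (AD type, data) pairs."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length = padding, stop here
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def extract_identifiers(payload: bytes) -> dict:
    """Collect the stable identifiers that survive MAC randomisation."""
    info = {"name": None, "uuids": [], "ibeacon": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (0x08, 0x09):          # shortened / complete local name
            info["name"] = data.decode("utf-8", "replace")
        elif ad_type in (0x02, 0x03):        # 16-bit service UUIDs, little-endian
            info["uuids"] += ["%04x" % u for u in struct.unpack("<%dH" % (len(data) // 2), data)]
        elif ad_type in (0x06, 0x07):        # 128-bit service UUIDs, little-endian
            info["uuids"] += [data[k:k + 16][::-1].hex() for k in range(0, len(data), 16)]
        elif ad_type == 0xFF and data[:4] == b"\x4c\x00\x02\x15":  # Apple iBeacon prefix
            uuid, major, minor, tx = struct.unpack(">16sHHb", data[4:25])
            info["ibeacon"] = {"uuid": uuid.hex(), "major": major, "minor": minor, "tx_power": tx}
    return info

def estimate_distance_m(rssi: int, tx_power_at_1m: int, n: float = 2.0) -> float:
    """Log-distance model: n=2 is free space; indoors n is usually higher."""
    return 10 ** ((tx_power_at_1m - rssi) / (10 * n))

def watchlist_hit(info: dict, watched_uuids: set) -> bool:
    """True when any advertised service or iBeacon UUID is on the watchlist."""
    seen = set(info["uuids"])
    if info["ibeacon"]:
        seen.add(info["ibeacon"]["uuid"])
    return bool(seen & watched_uuids)

# Constructed sample frames (not captured from real devices): flags + a 16-bit
# Heart Rate service UUID + a complete local name, and flags + an iBeacon frame.
SAMPLE_ADV = bytes.fromhex("020106" "03030d18" "0b09") + b"ExamplePad"
SAMPLE_IBEACON = bytes.fromhex("020106" "1aff4c000215"
                               "e2c56db5dffb48d2b060d0f5a71096e0" "00010002c5")
```

The iBeacon's own calibrated tx_power field (RSSI expected at 1 m) is what feeds `estimate_distance_m`, so a beacon measured at -79 dBm with tx_power -59 comes out at roughly 10 m in free space.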

EMC Documentum D2 CVE-2016-6644 Authentication Bypass Vulnerability
Oracle MySQL CVE-2016-6663 Unspecified Security Vulnerability
Oracle MySQL CVE-2016-6662 Remote Code Execution Vulnerability

Attackers are draining the CPU and power resources of thousands of file transfer protocol servers by infecting them with malware that surreptitiously mints the relatively new cryptocurrency called Monero, researchers said.

A notable percentage of the 3,000 or so infected servers are powered by Seagate Central, a network-attached storage device that allows users to remotely retrieve files using FTP connections, according to a report published Friday by researchers from antivirus provider Sophos. The Seagate device contains a weakness that allows attackers to upload malicious files to any device that has been configured to allow remote file access, the report said. Once users inadvertently click on the malicious files, their systems are infected with Mal/Miner-C, the malware that mines the Monero coins.

Sophos Senior Threat Researcher Attila Marosi estimated that Mal/Miner-C has already mined Monero coins valued at 76,599 Euros (about $88,347) and has the ability to earn about $481 each day. While new crypto coins sold on the open market don't always fetch their entire estimated value, the earnings are nonetheless significant, since virtually all the hardware and electricity costs are borne by the people hosting the infected servers. The researcher went on to calculate that the infected servers comprised about half of the monorepool.com pool. The estimate was based on the infected servers having the capacity to generate 431,000 hashes per second when mining Monero coins, while the overall pool as measured by monoepool.com was 861,000 hashes per second. That translated to about 2.5 percent of the entire mining community.

QEMU CVE-2016-7170 Denial of Service Vulnerability
libarchive CVE-2016-4809 Denial Of Service Vulnerability