AT&T says it has stopped its controversial practice of adding a hidden, undeletable tracking number to its mobile customers' Internet activity.

"It has been phased off our network," said Emily J. Edmonds, an AT&T spokeswoman.

The move comes after AT&T and Verizon received a slew of critical news coverage for inserting tracking numbers into their subscribers' Internet activity, even after users opted out. Last month, ProPublica reported that Twitter's mobile advertising unit was enabling its clients to use the Verizon identifier. The tracking numbers can be used by sites to build a dossier about a person's behavior on mobile devices, including which apps they use, what sites they visit and for how long.

Visual Mining NetCharts Server CVE-2014-8516 Arbitrary File Upload Vulnerability

In the 14 months following the advent of Cryptolocker, there has been a rash of malware copycats that also use strong cryptography to encrypt contents of hard drives until victims pay a hefty ransom, almost always in bitcoins. Usually, they're little more than old wine in a new bottle, but the latest follow-on has tried a new tack: it allows victims to recover exactly one of the encrypted files for free.

Dubbed Coinvault, it was documented Friday by a researcher from antivirus provider Webroot. It allows victims to pick any encrypted file on their hard drive and get it back immediately, free of charge. To decrypt the remaining files, a victim must pay a ransom of 0.5 bitcoins, or about $200 at current exchange rates.

"What’s unique about this variant that I wanted to share with you all is that this is the first Encrypting Ransomware that I've seen which actually gives you a free decrypt," Webroot's Tyler Moffitt wrote in a blog post. "It will let you pick any single file that you need after encryption and will decrypt it for you."

Huawei Mobile Partner 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability

An interruption in satellite imagery from NOAA’s Geostationary Satellite Server was caused by efforts to end an alleged Chinese infiltration of NOAA's satellite operations systems—not, as the agency initially reported, "unscheduled maintenance."

An interruption of satellite imagery feeds to the National Weather Service in October was caused by a National Oceanographic and Atmospheric Administration (NOAA) shutdown of network connections intended to combat an intrusion into NOAA’s computer systems, the Washington Post reported this week. But the breach, which started in September and lasted until late October, was not reported to Commerce Department officials and other federal cybersecurity authorities.

The NOAA satellite imagery system is used by civilian and military meteorologists worldwide to build weather models; it is also used in planning commercial aircraft and merchant shipping traffic. While NOAA did not identify the attacker publicly, agency officials reportedly told Rep. Frank R. Wolf (R-VA) about the attack and that it was traced back to China. The attacks happened during the same timeframe as an alleged Chinese infiltration of the White House’s unclassified network and a data breach at the US Post Office that exposed 800,000 employee records—also now attributed to Chinese attackers.

Ironically, the attacks came just before President Barack Obama’s visit to Beijing where he discussed (among other things) measures to combat climate change.

Aircrack-ng 'buddy-ng.c' Denial of Service Vulnerability
Aircrack-ng 'src/aireplay-ng.c' Stack Buffer Overflow Vulnerability
Aircrack-ng 'gps_tracker()' Function Stack Buffer Overflow Vulnerability

A flowchart of the infection process used by a malicious Tor exit node.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What's more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the "MiniDuke" gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri's Divine Comedy and alluded to 666, the "mark of the beast" discussed in the biblical Book of Revelation.

"OnionDuke," as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.


Just a quick update on the SChannel problem (MS14-066, CVE-2014-6321). So far, there is still no publicly available exploit for the vulnerability, and details are still sparse. But apparently, there is some progress in developing a working exploit. For example, this tweet by Dave Aitel:

Overall: Keep patching, but I hope your weekend will not be disrupted by a major new exploit being released.

Emerging Threats also released some public/free Snort rules that promise to cover the various vulnerabilities patched by MS14-066. (http://emergingthreats.net/daily-ruleset-update-summary-11132014/)

I also got a VERY experimental scanner that may be helpful in scanning for unpatched hosts. This scanner does not scan for the vulnerability. Instead, it scans for support for the 4 new ciphers that were added with MS14-066. Maybe someone finds it helpful. Let me know if it works. It is a bash script and uses openssl on Unix. You will need at least openssl version 1.0.1h (and you need to connect directly to the test server, not a proxy).

See: https://isc.sans.edu/diaryimages/MSFT1466test.sh (sig: MSFT1466test.sh.asc)

Feedback welcome.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

QEMU CVE-2014-7815 Local Denial of Service Vulnerability
QEMU CVE-2014-3689 Multiple Local Security Bypass Vulnerabilities

Job description: Infosec Ranger at Pwnie Express
Help Net Security
I told them I'm good at telling people what I like and I really, really like the defensive solutions that Pwnie Express makes and the plans they have for the future! So as the Infosec Ranger for Pwnie Express I'll be one of the voices for them ...

cURL/libcURL 'curl_easy_duphandle()' Function Heap Memory Corruption Vulnerability
Ruby CVE-2014-8080 XML External Entity Denial of Service Vulnerability
Linux Kernel CVE-2014-3687 Denial of Service Vulnerability
Microsoft Windows CVE-2014-6332 OLE Remote Code Execution Vulnerability

Posted by InfoSec News on Nov 14


By Jeffrey Roman
Bank Info Security
November 12, 2014

HSBC Turkey confirms that a recent cyber-attack exposed payment card
information for 2.7 million customers.

The bank is a subsidiary of London-based HSBC Group, which has operations
worldwide in 74 countries and territories.

Information compromised in the breach includes debit and credit cardholder
names, account...

Posted by InfoSec News on Nov 14


By Dan Goodin
Ars Technica
Nov 12 2014

An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were
all hijacked by whitehats on the first day of an annual hacking contest
that pays hefty cash prizes for exploits bypassing security sandbox

Day one of the Mobile Pwn2Own competition at the PacSec conference in...

Posted by InfoSec News on Nov 14


By Jack Moore
November 13, 2014

It may come as no surprise an agency that accidentally destroys a computer
hard drive and two years of archived emails along with it -- in seeming
contravention of federal record-keeping laws -- struggles with making
risk-based decisions regarding technology.

We’re talking, of course, about...

Posted by InfoSec News on Nov 14


By Bill Gertz
The Washington Times
November 12, 2014

U.S. Cyber Command recently conducted large-scale digital war games that
involved cyberattacks and defense against foreign strikes on critical

Cyber Command — led by Navy Adm. Mike Rogers, who is also director of the
National Security Agency — said in a statement that the exercise...

Posted by InfoSec News on Nov 14


By Maria Korolov
Nov 12, 2014

"This year was the year of the breach," ISACA international president
Robert Stroud told CSO Online.

ISACA, a global association of risk and cybersecurity professionals,
released its global IT Risk/Reward Barometer today, a survey of over 1,600
IT professionals and 4,000...

Posted by InfoSec News on Nov 14


By John E. Dunn
13 November 2014

Coca-Cola is facing a potential class-action lawsuit after one of the
people whose personal data was on one of a clutch of laptops stolen from
the company says he suffered identity theft as a result of the breach.

Laptop thefts are a common occurrence for most large organisations but...

Posted by InfoSec News on Nov 14

Dear Friends

Greetings from nullcon!
Another year passes by with more severe vulnerabilities and threats being
discovered. From Heartbleed to POODLE, enterprises and governments now face a
real threat to their confidential data and communication.

We at nullcon strive to provide actionable information on the latest and unknown
threats to the industry and the community via our cutting-edge talks and
hi-tech security trainings. "The neXt...