Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

If you are at SANSFIRE 2015 in the Hilton Baltimore, don't forget to join us today at 7:15 PM EDT for the SANS Internet Storm Center "State of the Internet" panel!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


RFC 7540 has been out for a month now. What should we expect from this new version?

1. New frame format: HTTP/2 is a binary protocol. Every frame starts with a fixed 9-octet header followed by a variable-length payload:

  • Length: The length of the frame payload expressed as an unsigned 24-bit integer. Values greater than 2^14 (16,384 octets) must not be sent unless the receiver has set a larger value for the SETTINGS_MAX_FRAME_SIZE parameter; a frame that exceeds the limit the receiver advertised is a FRAME_SIZE_ERROR.
  • Type: The 8-bit type of the frame. It determines the format and semantics of the frame. The defined types are DATA (0x0), HEADERS (0x1), PRIORITY (0x2), RST_STREAM (0x3, allows immediate termination of a stream), SETTINGS (0x4, transmits configuration parameters that affect how endpoints communicate, such as preferences and constraints on peer behavior), PUSH_PROMISE (0x5), PING (0x6), GOAWAY (0x7, initiates shutdown of a connection or signals serious error conditions), WINDOW_UPDATE (0x8) and CONTINUATION (0x9, continues a sequence of header block fragments).
  • Flags: An 8-bit field reserved for boolean flags specific to the frame type (for example END_STREAM on DATA and HEADERS, or ACK on SETTINGS and PING).
  • Stream Identifier: A stream identifier expressed as an unsigned 31-bit integer, preceded by one reserved bit that must be ignored on receipt. The value 0x0 is reserved for frames that are associated with the connection as a whole (SETTINGS, PING, GOAWAY) as opposed to an individual stream; a connection-level frame carrying a non-zero stream identifier, or a stream-level frame such as RST_STREAM carrying 0x0, is a PROTOCOL_ERROR.

2. Security:

  • Implementations of HTTP/2 MUST use TLS version 1.2 or higher for HTTP/2 over TLS, negotiated through the ALPN extension with the protocol identifier "h2". The general TLS usage guidance in RFC 7525 should be followed.
  • The TLS implementation MUST support the Server Name Indication (SNI) extension to TLS.
  • Deployments over TLS 1.2 MUST disable TLS compression and renegotiation, and must not negotiate the cipher suites black-listed in Appendix A of the RFC (those without ephemeral key exchange or without an AEAD cipher); an endpoint may answer such a negotiation with a connection error of type INADEQUATE_SECURITY.

Browser support: Safari supports HTTP/2 only on OS X v10.11 and iOS 9.
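The frame header described above, as an added Python example (my code, not from the ISC diary or any HTTP/2 library): it parses the 9-octet header, enforces the SETTINGS_MAX_FRAME_SIZE limit and the stream-identifier rules for connection-level versus stream-level frames, decodes a SETTINGS payload, and walks a constructed byte stream. The sample frames and the helper that builds them are constructed here for the example. Note which side's value applies: a receiver enforces the limit it advertised itself, while the peer's SETTINGS_MAX_FRAME_SIZE only raises what the receiver may send back.

```python
import struct
from dataclasses import dataclass

# Frame type codes defined in RFC 7540, section 6.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
CONNECTION_ONLY = {0x4, 0x6, 0x7}             # stream identifier must be 0
STREAM_ONLY = {0x0, 0x1, 0x2, 0x3, 0x5, 0x9}  # stream identifier must not be 0

SETTINGS_MAX_FRAME_SIZE = 0x5    # settings identifier
DEFAULT_MAX_FRAME_SIZE = 1 << 14  # initial value: 16,384 octets
FLAG_ACK = 0x1                    # SETTINGS/PING flag


class FrameError(ValueError):
    """Carries the RFC 7540 error code a receiver would send for this input."""


@dataclass
class Frame:
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes

    @property
    def type_name(self):
        return FRAME_TYPES.get(self.type, "UNKNOWN(0x%x)" % self.type)


def parse_frame(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Parse one frame from the front of buf; return (frame, remaining bytes)."""
    if len(buf) < 9:
        raise FrameError("incomplete 9-octet frame header")
    length = int.from_bytes(buf[0:3], "big")                   # 24-bit payload length
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF  # drop the reserved R bit
    if length > max_frame_size:
        raise FrameError("FRAME_SIZE_ERROR: %d > SETTINGS_MAX_FRAME_SIZE %d" % (length, max_frame_size))
    if ftype in CONNECTION_ONLY and stream_id != 0:
        raise FrameError("PROTOCOL_ERROR: connection-level frame on stream %d" % stream_id)
    if ftype in STREAM_ONLY and stream_id == 0:
        raise FrameError("PROTOCOL_ERROR: stream-level frame on stream 0")
    if len(buf) < 9 + length:
        raise FrameError("incomplete payload: need %d more octets" % (9 + length - len(buf)))
    return Frame(length, ftype, flags, stream_id, bytes(buf[9:9 + length])), buf[9 + length:]


def parse_settings(frame):
    """Decode a SETTINGS payload (6-octet identifier/value pairs) into a dict."""
    if frame.type != 0x4:
        raise FrameError("not a SETTINGS frame")
    if frame.length % 6:
        raise FrameError("FRAME_SIZE_ERROR: SETTINGS payload length not a multiple of 6")
    settings = {}
    for off in range(0, frame.length, 6):
        ident, value = struct.unpack("!HI", frame.payload[off:off + 6])
        # SETTINGS_MAX_FRAME_SIZE must stay within 2^14 .. 2^24-1.
        if ident == SETTINGS_MAX_FRAME_SIZE and not (1 << 14) <= value <= (1 << 24) - 1:
            raise FrameError("PROTOCOL_ERROR: SETTINGS_MAX_FRAME_SIZE %d out of range" % value)
        settings[ident] = value
    return settings


def walk_frames(buf, advertised_max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Parse every frame in buf as the receiving endpoint.

    Incoming frames are checked against the limit *we* advertised in our own SETTINGS.
    A SETTINGS frame from the peer only changes what we may send back (peer_max_frame_size).
    Returns (frames, peer_max_frame_size).
    """
    peer_max_frame_size = DEFAULT_MAX_FRAME_SIZE
    frames = []
    while buf:
        frame, buf = parse_frame(buf, advertised_max_frame_size)
        if frame.type == 0x4 and not frame.flags & FLAG_ACK:
            peer_max_frame_size = parse_settings(frame).get(SETTINGS_MAX_FRAME_SIZE, peer_max_frame_size)
        frames.append(frame)
    return frames, peer_max_frame_size


def build_frame(ftype, flags, stream_id, payload):
    """Serialise a frame; used here only to construct sample input."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def settings_payload(ident, value):
    return struct.pack("!HI", ident, value)


if __name__ == "__main__":
    # Constructed sample: the peer raises its limit to 64 KiB, then sends a 20,000-octet DATA frame.
    stream = build_frame(0x4, 0, 0, settings_payload(SETTINGS_MAX_FRAME_SIZE, 1 << 16))
    stream += build_frame(0x0, 0x1, 1, b"A" * 20000)
    frames, peer_max = walk_frames(stream, advertised_max_frame_size=1 << 16)
    for f in frames:
        print(f.type_name, "len=%d stream=%d flags=0x%x" % (f.length, f.stream_id, f.flags))
    print("peer will accept frames up to", peer_max, "octets")
```

With the default 16,384-octet limit the same stream is rejected with FRAME_SIZE_ERROR at the DATA frame, even though the peer's SETTINGS arrived first: the peer cannot talk its way past the size the receiver chose to accept.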


LastPass officials warned Monday that attackers have compromised servers that run the company's password management service and made off with cryptographically protected passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years.

In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses, LastPass CEO Joe Siegrist wrote in a blog post. He emphasized that there was no evidence the attackers were able to open the encrypted user vaults where site passwords are stored. That's because the master passwords that unlock those vaults were protected using a deliberately slow hashing mechanism that requires large amounts of computing power to evaluate, so each guess against the stolen hashes is expensive.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist wrote. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

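The hash construction Siegrist describes, as an added Python example (my code, not LastPass's): a client-side PBKDF2-SHA256 pass salted with the account e-mail, then 100,000 server-side rounds with a random per-user salt, which is the value the server stores. The client-side round count of 5,000 and the use of the e-mail address as client-side salt are assumptions for illustration. The crack() function consumes exactly what the breach exposed (hash, salt, e-mail) and shows why every guess still costs the attacker the full iteration count.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumed client-side iteration count (illustrative, not LastPass's actual value)
SERVER_ROUNDS = 100_000  # server-side iteration count quoted in the post


def client_hash(master_password, email, rounds=CLIENT_ROUNDS):
    """Client side: PBKDF2-SHA256 over the master password, salted with the account e-mail (assumed salt).

    Only this value ever leaves the client; the master password itself does not.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash, salt, rounds=SERVER_ROUNDS):
    """Server side: a second PBKDF2-SHA256 pass with a random per-user salt; this is what is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(master_password, email):
    """Create the record the server keeps. Hash, salt and e-mail are what the attackers obtained."""
    salt = os.urandom(16)
    return {"email": email,
            "salt": salt,
            "hash": server_strengthen(client_hash(master_password, email), salt)}


def verify(record, master_password):
    """Recompute both passes and compare in constant time."""
    candidate = server_strengthen(client_hash(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def crack(record, wordlist):
    """Offline attack on a stolen record: each guess costs the client pass plus 100,000 server rounds.

    Returns (recovered password or None, number of guesses computed).
    """
    for tried, guess in enumerate(wordlist, start=1):
        if verify(record, guess):
            return guess, tried
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed sample account and a tiny constructed wordlist.
    record = enroll("correct horse battery staple", "alice@example.com")
    print("stored hash:", record["hash"].hex())
    print(crack(record, ["password", "letmein", "correct horse battery staple"]))
```

Time a run of crack() against a few hundred guesses to see the effect: the per-guess cost is set by the defender, and the random salt means the work cannot be shared across users or precomputed into a table.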

 
[SECURITY] [DSA 3289-1] p7zip security update
 

Some of the malware that infected the corporate network of antivirus provider Kaspersky Lab concealed itself using digital certificates belonging to Foxconn, the electronics manufacturing giant and maker of the iPhone, Xbox, and other well-known products.

Cryptographically generated credentials are required to install drivers on newer, 64-bit versions of Windows. Foxconn used one such certificate when installing several legitimate drivers on Dell laptop computers in 2013. Somehow, the attackers who infected the Kaspersky Lab network appropriated the digital seal and used it to sign their own malicious drivers. As Ars explained last week, the drivers were the sole part of the entire Duqu 2.0 malware platform that resided on local hard drives. These drivers were on Kaspersky firewalls, gateways, or other servers that had direct Internet access and were used to surreptitiously marshal sensitive information in and out of the Kaspersky network.

Not the first time

The Foxconn certificate is the third one used to sign malware that has been linked to the same advanced persistent threat (APT) attackers. The Stuxnet malware, which reportedly was developed by the US and Israel to sabotage Iran's nuclear program, used a digital certificate from Realtek, a hardware manufacturer in the Asia Pacific region. A second certificate, from JMicron, another hardware maker in the Asia Pacific, was used several years ago to sign Stuxnet-related malware developed by some of the same engineers. Like the previous two certificates, the one belonging to Foxconn had never been found signing any other malicious software.


 
LinuxSecurity.com:
- replace deprecated gnutls use in qemu-xen-traditional based on qemu-xen patches
- work around a gcc 5 bug
- Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103]
- PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104]
- Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105]
- Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106]
 
LinuxSecurity.com: Changes since 0.2.8.3.2:
- security fix: do not read ahead of the beginning of the network buffer.
- security fix: don't attribute network errors from processing random packets to the connection to the server.
- security fix: while at it, don't process random packets unless they may be important.
- fix for potential crash with friend list filtering
- Intel driver compatibility
- fix for rare crash with sound lock
- fix for camera turning for bizarre axis configurations
 
LinuxSecurity.com: Updated to 3.13 for CVE-2015-3204
 
LinuxSecurity.com: Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
 
LinuxSecurity.com: Security Report Summary
 

Infosecurity Magazine (blog)

Li-Fi fantastic – Quocirca's Report from Infosec 2015
As with any trade show, Infosecurity Europe (the continent's biggest IT security bash) can get a bit mind-numbing, with one vendor after another going on about the big issues of the day – advanced threat detection, threat intelligence networks, the ...

 
WebdesignJiNi Cms Sql Injection Vulnerability
 
[SECURITY] [DSA 3252-2] sqlite3 security update
 
[RT-SA-2015-002] SQL Injection in TYPO3 Extension Akronymmanager
 
Productsurf Cms Sql Injection Vulnerability
 
[SECURITY] [DSA 3286-1] xen security update
 
[SECURITY] [DSA 3288-1] libav security update
 
[SECURITY] [DSA 3287-1] openssl security update
 
Buffer Overflow in My Wifi Router Software
 