InfoSec News

The CEO of Brocade Communications has announced plans to retire from the company, even as the storage networking vendor reported increased profits for the quarter just ended.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Chad sent us a report today that his organization has been receiving strange eFax messages: users of eFax are receiving spear-phishing emails.
The emails use the default eFax sender (From: eFax [email protected]) and get past most corporate spam filters. The link contained in the fake fax is suspicious: it redirects to three different sites serving the same JavaScript [1], [2], [3].

We are looking for additional information that would help us understand whether this spear-phishing method is widespread. If you have been receiving similar messages, or have tips on how you managed to filter this type of activity, please use our contact form or share in the comments below.
[1] http://wepawet.iseclab.org/view.php?hash=dc41d8a1e845994cb01e3223ab51cbf1&t=1345162214&type=js

[2] http://wepawet.iseclab.org/view.php?hash=5c8c6f3205e7aa28bfd32d59f320e069&t=1345162348&type=js

[3] http://wepawet.iseclab.org/view.php?hash=f990f01593e5b603ee319c92f8cf3e94&t=1345162442&type=js
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
SquidClamav URL Parsing Denial of Service Vulnerability
I still think DNS logs are one of the most overlooked resources for intrusion and malware detection. Command and control servers frequently use specific top level domains or host names, and because of short TTL values, infected hosts query DNS servers for these names again and again.
Additionally, DNS servers are overlooked choke points that are as valuable for collecting network-wide data as the firewalls and routers connecting the network to the Internet.
In this diary, I would like to introduce a simple shell script that answers one question which, in my opinion, is quite useful for spotting anomalous DNS queries: which are the top 10 new host names that we looked up today?
First, you need DNS query logs. There are two ways to collect them: you could either enable query logging in your DNS server, or you could use tcpdump on the DNS server to collect the queries. Query logging works fine for me, but it can put too much strain on a very busy name server. Running tcpdump on the name server, or on a sensor monitoring the name server, may work better (a packet capture needs its own parsing step; the commands below assume text query logs). We do not have to capture every single query for this technique to work.
First, we need to summarize past queries. In my case, the query logs are rotated hourly and saved in files named query.log.* (where * is a number); the current log is query.log. A sample line from my query logs:
16-Aug-2012 21:42:00.260 queries: info: client query: a1406.g.akamai.net IN A + (
To extract the host names and summarize them, I use the following pipeline (the redirect at the end writes the summary to a file named oldlog):
cat query.log.* | sed -e 's/.*query: //' | cut -f 1 -d' ' | sort | uniq -c | sort -k2 > oldlog
This sorts the output by host name (sort -k2 sorts on the second field through the end of the line, which here is just the host name), which becomes important later.
Next, I apply the same procedure to the current log:
cat query.log | sed -e 's/.*query: //' | cut -f 1 -d' ' | sort | uniq -c | sort -k2 > newlog
Now, we need to find all entries in newlog that are not included in oldlog. To do so, we use the join command (from coreutils, not a bash builtin), which works much like the SQL JOIN but takes the two text files as input. It is important that both inputs are sorted on the join column (the host name), which was the reason for the -k2 argument earlier. They must also be sorted with the same collation join uses; if sort and join run under different locales, join will complain that the input is not sorted, or silently miss matches, so run both under LC_ALL=C if in doubt.
join -1 2 -2 2 -a 2 oldlog newlog > combined
-a 2 will also include all records from newlog that are not found in oldlog. combined now holds the lines found in both files, as well as the lines only found in newlog. We need to remove the lines found in both files (identified by ending in two numbers, one count from each file):
cat combined | egrep -v '.* [0-9]+ [0-9]+$' | sort -nr -k2 | head -10
In the end, we sort the host names by frequency, and return the top 10.
To summarize the script for simple copy/paste. I broke some lines up to a

cat $oldlogs | sed -e 's/.*query: //' | cut -f 1 -d' ' | sort | uniq -c | sort -k2 > $tmpdir/oldlog

cat $newlog | sed -e 's/.*query: //' | cut -f 1 -d' ' | sort | uniq -c | sort -k2 > $tmpdir/newlog

join -1 2 -2 2 -a 2 $tmpdir/oldlog $tmpdir/newlog | egrep -v '.* [0-9]+ [0-9]+$' | sort -nr -k2 | head -10 > $tmpdir/suspects
The file $tmpdir/suspects now holds the top 10 suspect host names. For added credit: add the ability to keep a whitelist.
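The whole procedure above, including the whitelist suggested as added credit, as one self-contained script. This is an added example and not the diary's own code: the query.log lines, host names and whitelist entry are constructed sample data, and it uses join -v 2 to select the unpaired newlog lines directly instead of the -a 2 / egrep pair.

```shell
#!/bin/sh
# Added example, not the diary's own script: the "top N new host names
# today" report as one self-contained POSIX shell script, with the
# whitelist the diary leaves as an exercise. The query.log* lines and the
# whitelist below are constructed sample data (fictitious names, RFC 5737
# addresses); point the report at a real query-log directory instead.
set -eu

# summarize FILE...: reduce query-log lines to "<count> <hostname>", sorted
# by host name in the C locale. join must see exactly this ordering, so sort
# and join are both pinned to LC_ALL=C.
summarize() {
    sed -e 's/.*query: //' "$@" | cut -d' ' -f1 | LC_ALL=C sort | uniq -c |
        sed -e 's/^ *//' | LC_ALL=C sort -k2
}

# new_hosts OLD NEW WHITELIST N: host names present in NEW but absent from
# OLD and from WHITELIST, as "<hostname> <count>", most-queried first.
new_hosts() {
    old=$1 new=$2 wl=$3 n=$4
    # join -v 2 emits only the NEW lines whose host name has no partner in
    # OLD; it replaces the diary's "-a 2 ... | egrep -v" two-step.
    LC_ALL=C join -1 2 -2 2 -v 2 "$old" "$new" |
        awk -v wl="$wl" 'BEGIN { while ((getline h < wl) > 0) w[h] = 1 }
                         !($1 in w)' |
        sort -k2 -nr | head -n "$n"
}

# build_sample: write constructed logs into a temp dir and print its path.
build_sample() {
    dir=$(mktemp -d)
    # A rotated log (query.log.1): the baseline of already-seen names.
    cat > "$dir/query.log.1" <<'EOF'
16-Aug-2012 20:01:00.100 queries: info: client 192.0.2.10#5353: query: www.example.com IN A + (192.0.2.53)
16-Aug-2012 20:02:00.200 queries: info: client 192.0.2.11#5353: query: a1406.g.akamai.net IN A + (192.0.2.53)
16-Aug-2012 20:03:00.300 queries: info: client 192.0.2.12#5353: query: mail.example.com IN MX + (192.0.2.53)
EOF
    # The current log (query.log): one known name, one whitelisted CDN, and
    # two names never seen before, one of them queried repeatedly.
    cat > "$dir/query.log" <<'EOF'
16-Aug-2012 21:42:00.260 queries: info: client 192.0.2.10#5353: query: a1406.g.akamai.net IN A + (192.0.2.53)
16-Aug-2012 21:42:01.000 queries: info: client 192.0.2.13#5353: query: xk3jq9.badexample.test IN A + (192.0.2.53)
16-Aug-2012 21:42:01.500 queries: info: client 192.0.2.13#5353: query: xk3jq9.badexample.test IN A + (192.0.2.53)
16-Aug-2012 21:42:02.000 queries: info: client 192.0.2.14#5353: query: xk3jq9.badexample.test IN A + (192.0.2.53)
16-Aug-2012 21:42:03.000 queries: info: client 192.0.2.10#5353: query: cdn.allowed-vendor.example IN A + (192.0.2.53)
16-Aug-2012 21:42:04.000 queries: info: client 192.0.2.15#5353: query: login.example.com IN A + (192.0.2.53)
16-Aug-2012 21:42:05.000 queries: info: client 192.0.2.15#5353: query: login.example.com IN A + (192.0.2.53)
EOF
    printf 'cdn.allowed-vendor.example\n' > "$dir/whitelist"
    printf '%s\n' "$dir"
}

# run_report: run the whole pipeline over the sample data and print the
# suspects (expected: "xk3jq9.badexample.test 3", then "login.example.com 2").
run_report() {
    dir=$(build_sample)
    summarize "$dir"/query.log.* > "$dir/oldlog"   # all rotated logs
    summarize "$dir/query.log" > "$dir/newlog"     # the current log
    new_hosts "$dir/oldlog" "$dir/newlog" "$dir/whitelist" 10
    rm -rf "$dir"
}

run_report
```

Two details matter in practice. First, join only works if both summaries are sorted the way join compares them; pinning sort and join to LC_ALL=C avoids the "input is not in sorted order" warning (or silently missed matches) that a locale mismatch produces. Second, the whitelist is matched on exact host names, so a wildcard CDN name still shows up once per new label; extend the awk filter to strip leading labels if that is too noisy for your environment.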

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Despite widespread calls for more spectrum to carry mobile data, there is a wide range of technologies already being used or explored that could help to speed up networks or put off the day when more frequencies need to be cleared.
Starting yesterday, Microsoft began releasing the final code of Windows 8 to developers, IT professionals and businesses that license the company's products in volume.
Wireshark Versions Prior to 1.8.2 Multiple Security Vulnerabilities
Google is partnering with a new Internet registrar that will let Apps customers choose Internet domains with a country code (CC) suffix.
Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability
GNU Emacs 'enable-local-variables' Remote Code Execution Vulnerability
GNU glibc Formatted Printing Functionality Multiple Security Vulnerabilities
Acer does plan to produce Windows RT devices at some point, according to a company spokeswoman.
A senior Republican senator insisted that there is no partisan dissent over the need for a strong national cybersecurity policy but added that a bill that is stalled in the Senate is not the answer.
A U.S. Department of Justice investigation has concluded that a multifaceted $3.9 billion agreement between Verizon Wireless and four of the largest cable TV network operators in the country could substantially harm competition and lead to higher prices in the wireless communications market.
Aruba Networks has released the latest version of its WLAN system software, with several changes designed to optimize throughput even as the wireless network is flooded with mobile clients.
Multiple Cisco Nexus Devices CVE-2012-1357 Remote Denial of Service Vulnerability
Cisco NX-OS CVE-2012-2469 Remote Denial of Service Vulnerability
Google will pay up to $2 million for major vulnerabilities in its Chrome browser at a second Pwnium hacking contest this fall.
To augment its line of storage and data center systems with solid state technology, IBM is acquiring flash memory system provider Texas Memory Systems (TMS). Financial terms of the deal were not disclosed.
The search engine giant is doubling its payout when it holds its Pwnium 2 hacking contest in October at the Hack In the Box conference in Malaysia.
Oracle said it would begin providing timely security updates to Java for Mac OS X.
Web usage by iPhone and iPad owners has grown by 35% in North America over the past year, while browsing with BlackBerry smartphones and the PlayBook tablet has dropped by 25%.
Kaspersky says there were 15,000 samples of Android malware and a tripling of the risk to users, but the less hyperbolic count from F-Secure puts the figure at only 40 new variants in the wild.

Vulnerabilities in Samsung Epic 4G Touch with 2.3.6 and probably other Samsung Galaxies
For the second time in less than two weeks, the journalists' blog from the Reuters news agency has been hacked. A false report stating that Saudi Arabia's Foreign Minister Prince Saud al-Faisal had died was published on the blog

[ MDVSA-2012:133 ] usbmuxd
[slackware-security] t1lib (SSA:2012-228-01)
In principle, trapping adorably rotund bugs to feed them to birds is not my idea of a fun game. I like cute things, and I don't like watching them die or making them die. But I quickly got over my ethical gripes about killing tiny critters when I started playing Bubble Grubble HD, a new game by Fan Studio for the iPad and iPhone that works with iOS 4.3 and later.
Drupal Ubercart Module Multiple Security Vulnerabilities
WordPress ShareYourCart plugin Path-Disclosure Vulnerability
Ecuador has decided to grant Julian Assange political asylum, in a move meant to prevent the WikiLeaks founder from being extradited to Sweden where he is suspected of committing sexual offenses.
Many don't know what they don't know.
Reveton, which is also known as the BKA trojan, has been expanding its reach internationally. The FBI is seeing a sizeable outbreak of the ransomware in the US and warns users not to give in to its demands

Following the success of the first Pwnium competition, Google has pledged up to $2 million in rewards for security researchers who can find vulnerabilities in its web browsers at its next contest: Pwnium 2

Cisco IOS XR Software Route Processor Denial of Service Vulnerability
Apple has opposed a government proposed judgment in an e-books price-fixing lawsuit, stating that the judgement seeks to terminate and rewrite its contracts "before a single document has been introduced into evidence, before any witness has testified, and before the court has resolved the disputed facts."
Chinese PC maker Lenovo said on Thursday net profit in its fiscal first quarter ended June 30 grew by 30% year-over-year, as the company inched closer toward surpassing HP to become the top vendor in the market.
Despite the humor and the interest in meeting tech firms in Silicon Valley, Ryan may be a tough sell to the tech industry.
New to Android 4.0? This handy reference for Google's Ice Cream Sandwich OS shows you how to do everything from tweaking an app's notification settings to getting detailed info about your battery usage.
Whether you're new to Android or upgrading from an earlier version, we've got the goods on how to find your way around Android 4.0, a.k.a. Ice Cream Sandwich, and make the most of its new features.

Posted by InfoSec News on Aug 16


By Thor Olavsrud
August 15, 2012

Regardless of the security expertise and resources you apply to securing
your assets, you are unlikely to achieve much unless you focus on the
most vulnerable element of your organization: your employees.

"Computers have become much more secure over the past 15 years, but
humans have not," says...

Posted by InfoSec News on Aug 16


By Dan Goodin
Ars Technica
Aug 15, 2012

Turning the tables on miscreants who paralyze websites with torrents of
junk data, security researchers have published a detailed manual that
shows how to neutralize some of the Internet's most popular
denial-of-service tools.

The do-it-yourself how-to provides instructions that even hacking
novices can follow to exploit critical...

Posted by InfoSec News on Aug 16


By Brad McCarty
The Next Web
15th August 2012

For the second time in as many weeks, international news magnate Reuters
has had its blogging platform hacked. This time a story of a Saudi
foreign minister’s death appeared and was quickly pulled.

Though it’s interesting, as some are now saying that legitimate articles
are written in such...

Posted by InfoSec News on Aug 16


By Ellen Messmer
Network World
August 14, 2012

A startup called SecurityStarfish intends to become the central point
where chief information security officers (CISO) can discreetly share
information about cyberattacks and obtain anonymized real-time
information from others in order to deter cybercrime against their

This ambitious effort is being led by...

Posted by InfoSec News on Aug 16


By Sohn Hae-yong
Korea JoongAng Daily
Aug 15, 2012

The Financial Supervisory Service and the National Police Agency issued
a warning this week about an online hacking scam dubbed “pharming,” a
newly coined word that combines farming and phishing.

Unlike phishing, which focuses on stealing users’ personal access data
including passwords, pharming redirects a...
Prolexic, a company that specialises in protecting against distributed denial-of-service (DDoS) attacks, has disclosed various security holes in the Dirt Jumper DDoS toolkit - and itself went offline temporarily

The U.S. government lost a bid on Thursday to withhold some evidence in advance of the extradition hearing for four Megaupload defendants charged with criminal copyright infringement.