Hackin9

It's payback time for the group that knocked the Sony PlayStation and Microsoft Xbox networks offline in December. First came the report Friday morning that a UK man was arrested in connection with the distributed denial-of-service attacks, making him at least the second person to be detained in an ongoing investigation. Now comes word the customer database Lizard Squad members maintained as part of their DDoS-for-hire service has been breached, spilling details on more than 14,241 users.

But the comeuppance doesn't end there. According to KrebsOnSecurity reporter Brian Krebs, who broke the story about the compromised database, all registered names and passwords were stored in plaintext. The cache shows that customers deposited $11,000 in bitcoins to pay for attacks on thousands of Internet addresses. The information will no doubt prove interesting to members of rival gangs and law enforcement agencies around the world.

The database was tied to LizardStresser[dot]ru, a so-called stresser or boot service ostensibly available to test a website's resistance to attacks. In the vast majority of cases, they're nothing more than fronts for DDoS services. According to Krebs, the December attacks on the PlayStation and Xbox networks were designed to be advertisements promoting the service. Given the breach that has now leaked potentially sensitive customer information that was left woefully unprotected, it's safe to assume any buzz in underground markets surrounding the LizardStresser service is over.

Read on Ars Technica | Comments

 

Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time. That convenience is a double-edge sword, warn researchers. To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements.

The proof-of-concept attack worked because of weaknesses identified five months ago by an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal. As a result, geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or bar where they're drinking and monitored almost continuously, according to research scheduled to be presented Saturday at the Shmoocon security conference in Washington, DC.

Grindr officials declined to comment for this post beyond what they said in posts here and here published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.

Read 8 remaining paragraphs | Comments

 
Microsoft Windows CVE-2015-0002 Local Privilege Escalation Vulnerability
 
Adobe Flash Player and AIR CVE-2015-0301 Unspecified Security Vulnerability
 
Adobe Flash Player and AIR CVE-2015-0309 Unspecified Heap Based Buffer Overflow Vulnerability
 

Google's security researchers have published another pair of Windows security flaws that Microsoft hasn't got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.

The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don't suffer the same issue.

The second bug is more significant. In certain situations, Windows doesn't properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.

Read 7 remaining paragraphs | Comments

 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-8634 Multiple Memory Corruption Vulnerabilities
 
GE Proficy HMI/SCADA - CIMPLICITY CVE-2014-2355 Multiple Local Buffer Overflow Vulnerabilities
 
Cisco Secure Access Control Server CVE-2014-8027 Privilege Escalation Vulnerability
 

It has been 12 years since the SQL Slammer worm plagued the Interwebs .. come to think of it, that was also in January. But thats not the point :). Today, twelve years later, there are amazingly still infected Slammer drones out there, and if you are running a Honeypot on udp/1434, I promise you wont have to wait all that long until an ancient piece of malware history comes a-knockin.

Odds are that Shellshock exploits wont have the same stamina, primarily because the Shellshock attack is not self-contained wormy in one packet, but rather usually pushed by previously Shellshocked bots that scan for targets. But it still looks like Shellshock scanning and bot-pushing will now be background noise for the foreseeable future, because there is a surprising number of systems out there that remain vulnerable. Systems that our sensors then pick up as being part of a Shellbot army. Investigating one of these bots recently, I discovered that it was a Slackware installation from 2007 and appeared to be a remote weather sensor, complete with webcam that showed the (sadly, very green) ski slope below. I managed to track down the owner, a hotel in Switzerland, who were unaware that their weather station contained a computer. If our DShield logs are any indication, there are A LOT of these devices (and hotels, etc ..) out there.

Here is what you can do to help." />

The address in the red box - 76.12.A.B in this case - is from where you are being scanned. This does not mean that the originator is evil. Most likely, it is just another weather station or deep fryer where the owner is unaware. So if you contact them, be gentle, and prepared to explain a lot :)

The address in the blue box - 91.142.C.D in this case - is from where the bot code is being pulled. This is most commonly a hacked web server, or a throwaway free website hosting account. In this case, you can locate the hoster via Whois, and make use of their Abuse contact address to let them know. If you include a log snippet like shown above, most hosters will respond and take the bot code down.

A third thing that you can do is download the bot code (carefully :) to your machine, by going to http://91.142.C.D/img.txt in this case. I am not a lawyer (so dont take my word for it) but since the activity is clearly malicious, and since your computer was instructed by the scanning bot to download this code, I would say that doing so on your own is okay. The bot code itself is not very interesting, but the ones weve seen so far are usually written in Perl, and contain a hard-coded IP address used for the CommandControl. Again, you can determine the hoster of that CC address via Whois, and let them know.

The latter two measures will though leave the original victim infected and vulnerable. So .. if you have the time and patience, and it looks like the scanning host is in a residential or small business address range (think DSL), then it might be worthwhile to try and contact the original victim (76.12.A.B above), and enlighten them about all the unexpected things in life that contain a computer these days.

Another word of caution: Obviously, a bot that is scanning you for the presence of Shellshock is most likely vulnerable to Shellshock itself, and missing a plethora of other patches. You might be tempted to poke back at the system, and use the Shellshock conduit on your own to determine what is inside. Doing so though is hacking, and illegal. Owners of hacked systems do not appreciate getting hacked once more by researchers, no matter how allegedly well-intentioned the researcher is. For the hotel weather station that I mention above, I used a passive combination of reverse DNS, Google, archive.org, Netcraft and Whois to determine what it was, and whom to contact.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

For anyone who has freaked out when an antivirus alert popped up on their screen and spent time researching it only to find out it was a false alarm, a recent survey will hit home.

A survey of information-technology professionals published on Friday found that the average large organization has to sift through nearly 17,000 malware alerts each week to find the 19 percent that are considered reliable. The efforts at triage waste employees’ time—to the tune of a total estimated annual productivity loss of $1.3 million per organization. In the end, security professionals only have time to investigate four percent of the warnings, according to the survey conducted by the market researcher Ponemon Institute.

The survey results show the problems posed by security software that alerts for any potential threat, says Brian Foster, chief technology officer of network-security firm Damballa, the sponsor of the research.

Read 9 remaining paragraphs | Comments

 
[ MDVSA-2015:027 ] kernel
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: GTK+ improperly handled the menu key, possibly allowing lock screen bypass.
 
LinuxSecurity.com: [More...] _______________________________________________________________________
 
LinuxSecurity.com: Updated mpfr packages fix security vulnerability: A buffer overflow was reported in mpfr. This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (CVE-2014-9474). [More...]
 
LinuxSecurity.com: Updated libsndfile packages fix security vulnerabilities: libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c because it fails to properly bounds-check user supplied input, which may allow an attacker to execute arbitrary code or cause [More...]
 
LinuxSecurity.com: curl could be tricked into adding arbitrary requests when following certainURLs.
 
Facebook Bug Bounty #19 - Filter Bypass Web Vulnerability
 
File Pro Mini v5.2 iOS - Multiple Web Vulnerabilities
 
VeryPhoto v3.0 iOS - Command Injection Vulnerability
 
CatBot v0.4.2 (PHP) - SQL Injection Vulnerability
 
[SECURITY] [DSA 3129-1] rpm security update
 
WiFi File Browser Pro v2.0.8 - Code Execution Vulnerability
 

Is Blackhat the Greatest Hacking Movie Ever? Hackers Think So
Wired
Many info-sec specialists will tell you how much they like Sneakers—the 1992 film with Robert Redford, Sidney Poitier, Dan Ackroyd, Ben Kingsley, and River Phoenix—but few films have so closely hewed to info-sec reality as Mann's new movie, fashioned ...

and more »
 

Posted by InfoSec News on Jan 16

http://www.infosecnews.org/nasdaq-vulnerable-to-xss/

By William Knowles @c4i
Senior Editor
InfoSec News
January 16, 2015

Bob Greifeld, CEO of The NASDAQ Stock Market explains in a promotional
video “that NASDAQ is a technology based company, those businesses that
we’re in have a unifying theme that are built upon our technology.”

Top technology companies such as Google, Tesla, Amazon, and GoPro to name
a few use NASDAQ as their...
 

Posted by InfoSec News on Jan 16

http://www.eweek.com/security/effective-computer-security-means-covering-all-your-bases.html

By David Needle
eWEEK.com
2015-01-15

PALO ALTO, Calif. — How safe is your company from malware attacks and
security breaches? As the technology and methods behind cyber-attacks are
constantly evolving, it's virtually impossible for any company to
accurately say it's completely safe, but there are steps you can take to
minimize threats....
 

Posted by InfoSec News on Jan 16

http://pagesix.com/2015/01/15/caa-calls-party-foul-on-tina-and-amys-sony-hack-jokes/

By Emily Smith and Ian Mohr
PageSix.com
January 15, 2015

Hollywood drama followed the Golden Globes Sunday night when top agency
CAA demanded its famous clients not attend Tina Fey and Amy Poehler’s bash
after the pair poked fun at the Sony hacking scandal.

Sources tell us CAA’s Bryan Lourd — whom the Hollywood Reporter says has
been serving as...
 

Posted by InfoSec News on Jan 16

http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

By Thomas Fox-Brewster
Forbes Staff
1/15/2015

Corey Thuen has been braving the snow and sub-zero temperatures of Idaho
nights in recent weeks, though any passerby would have been perplexed by a
man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at
such an ungodly hour.

He hasn’t been doing repairs,...
 

Posted by InfoSec News on Jan 16

http://www.theguardian.com/us-news/2015/jan/15/-sp-secret-us-cybersecurity-report-encryption-protect-data-cameron-paris-attacks

By James Ball
The Guardian
15 January 2015

A secret US cybersecurity report warned that government and private
computers were being left vulnerable to online attacks from Russia, China
and criminal gangs because encryption technologies were not being
implemented fast enough.

The advice, in a newly uncovered...
 
Internet Storm Center Infocon Status