Hackin9

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Sure, the enterprise push by Apple and IBM should worry the Android camp, and business writers should make sure they have an up-to-date obituary ready for BlackBerry. But Microsoft is the company with the most to lose.
 
Microsoft reportedly will announce the biggest round of layoffs in its history on Thursday as massive changes wrought by new CEO Satya Nadella start to take hold at the struggling IT giant.
 
 
The big news this week of Apple and IBM joining forces to dominate the mobile enterprise market makes a great story -- at least on the surface.
 
Multiple HP Products CVE-2014-2622 Information Disclosure Vulnerability
 
Multiple HP Products CVE-2014-2621 Information Disclosure Vulnerability
 
Multiple HP Products CVE-2014-2620 Information Disclosure Vulnerability
 
Amazon.com looks to be prepping a $9.99-a-month e-book and audiobook subscription service dubbed "Kindle Unlimited."
 
Implementing a security awareness program seems rather straightforward, until you actually start to implement one - factoring in things like resources and the people (users) to be trained. At that point, it can seem complicated, costly, and unnecessary. However, the process doesn't have to be a logistical and expensive nightmare, and it's certainly worth it in the long run.
 
Microsoft's renewed push into cloud computing, announced this week, doesn't change the fact that it faces unprecedented competition in a business that's critical to its future.
 

Bitcoin pool GHash.io announced on Wednesday that “it is not aiming to overcome 39.99 [percent] of the overall Bitcoin hashrate."

This marks a clear departure from the large pool’s recent flirtations with 51 percent. If that threshold is crossed for sustained periods of time, it concentrates power in ways that Bitcoin’s decentralized design normally does not allow.

“If GHash.io approaches the respective border, it will be actively asking miners to take their hardware away from GHash.io and mine on other pools,” the statement continues. “GHash.io will encourage other mining pools to write similar voluntary statements from their sides.”


 

By now, most readers know the advice cold. Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. In abstract terms, the dictates are some of the best ways to protect against breaches suffered by one site—say, the one that hit Gawker in 2010 that exposed poorly cryptographically scrambled passwords for 1.3 million users—that spread like wildfire. Once hackers cracked weak passwords found in the Gawker database, they were able to compromise accounts across a variety of other websites when victims used the same passcode.

A team of researchers says the widely repeated advice isn't feasible in practice, and they've provided the math they say proves it. The burden stems from the two foundations of password security that (A1) passwords should be random and strong and (A2) passwords shouldn't be reused across multiple accounts. Those principles are sound when protecting a handful of accounts, particularly those such as bank accounts, where the value of the assets being protected is considered extremely high. Where things break down is when the dictates are applied across a large body of passwords that protect multiple accounts, some of which store extremely low-value data, such as the ability to post comments on a single website.

Employing even relatively weak, 40-bit passwords (say, one with eight lower-case characters) across 100 accounts is equivalent to recalling 1,362 randomly chosen digits or 170 random eight-digit PINs, something that's well beyond the capabilities of most people. Reducing the number of bits by choosing more memorable passwords such as "password123" and "123456" helps ease the burden. But even then, users must have under their control 525 bits just to remember which weak password goes with which account. That's more than double what's required to memorize the order of a shuffled deck of cards. Yes, people can use password managers, but those available in the cloud may be susceptible to online attacks, and those that aren't Web-based lose one of the major advantages of passwords, which is their ability to be entered across any client device.


 
Multiple HP Products CVE-2014-2618 Information Disclosure Vulnerability
 
The Apple-IBM partnership will have little effect on Microsoft's dominance in the enterprise, or drastically change its mutating mobile strategy.
 
Microsoft's renewed push into cloud computing, announced this week, doesn't change the fact that it faces unprecedented competition in a business that's critical to its future.
 
Visa announced a new simplified digital payment service called Visa Checkout, which is designed to allow customers to pay quickly for goods online on any connected device.
 
Fake apps dressed up to look like official ones but actually designed to steal user data are increasingly targeting Android phone users, according to a study by Trend Micro.
 
The U.S. Senate has passed a bill that would allow mobile phone customers to unlock their devices for the purposes of switching carriers.
 
Oracle has hooked up its social relationship management software suite to LinkedIn, a move to give marketing and customer support staffers a way to reach the business-oriented social network's 300 million users.
 
Intel wants your future laptop to be thinner than an iPad and, like the iconic tablet, to be wire free. And it should cost less too.
 
My single favorite feature of the iPhone 5s is the Touch ID fingerprint scanner, which lets you unlock your device with the tap of a finger. So when Samsung recently sent me its new Galaxy Tab S 10.5" tablet for review, the first thing I did was test the Tab S fingerprint scanner.
 
Today an enterprise system must engage the workforce the same way Twitter, Facebook, Google and a galaxy of apps have engaged the masses. That means the next system we deploy cannot be the result of a traditional negotiation between business analysts and technologists. It must come from the same place as those consumer apps and Internet successes: the nexus of fast-paced, multi-disciplinary and human-focused development that doesn't look or act at all like the people or processes that created the systems of the last 30 years.
 
Pennsylvania has signed a seven-year deal with Unisys to consolidate the state's data centers and create an on-demand, cloud computing environment
 
LinuxSecurity.com: A vulnerability in GnuPG can lead to a Denial of Service condition.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Xen, the worst of which could lead to arbitrary code execution.
 
Ruby on Rails 'ActiveRecord' CVE-2014-3482 SQL Injection Vulnerability
 
Apple has reached a settlement in a long-standing case that accused the company of fixing the price on e-books, with the company paying up to US$400 million, depending on the outcome of its appeal in the case, a law firm has announced.
 
The new Apple-IBM partnership seems sure to help Apple sell more iPads to businesses, but it may also be setting off alarm bells at mobile device management companies large and small.
 
Microsoft's future will be less devoted to its Windows operating system as it continues to push into mobile and cloud services, CEO Satya Nadella said, using his keynote speech at the Worldwide Partner Conference to talk about where the company is headed.
 
Few security executives at global enterprises--or even at smaller organizations--have not had to deal with issues related to social media, mobile technology, big data/analytics, or cloud computing.
 
A District Court judge in Stockholm ruled on Wednesday that the Swedish detention order against WikiLeaks co-founder Julian Assange, issued on allegations of sexual assault, will remain in force.
 
LinuxSecurity.com: MiniUPnPc could be made to crash if it received specially crafted network traffic.
 
LinuxSecurity.com: Transmission could be made to crash or run programs if it received specially crafted network traffic.
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. The Red Hat Security Response Team has rated this update as having Critical [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Libav could be made to crash or run programs as your login if it opened a specially crafted file.
 
LinuxSecurity.com: File could be made to crash or hang if it processed specially crafted data.
 
SEC Consult SA-20140716-3 :: Multiple critical vulnerabilities in Bitdefender GravityZone
 
SEC Consult SA-20140716-2 :: Multiple vulnerabilities in Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway
 
Reflected Cross-Site Scripting (XSS) in e107
 
Oracle Java SE CVE-2014-4219 Remote Security Vulnerability
 
Microsoft has begun boosting the free allowance of its OneDrive cloud-based storage service to one terabyte for subscribers to consumer and college student Office 365 plans.
 
Transmission Out of Bounds Memory Corruption Vulnerability
 
SEC Consult SA-20140716-1 :: Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client"
 
VUPEN Security Research - Microsoft Internet Explorer "ShowSaveFileDialog()" Sandbox Bypass (Pwn2Own 2014)
 
VUPEN Security Research - Microsoft Internet Explorer "Request" Object Confusion Sandbox Bypass (Pwn2Own 2014)
 
VUPEN Security Research - Microsoft Internet Explorer CSS @import Memory Corruption (Pwn2Own 2014)
 
Oracle VM VirtualBox CVE-2014-2477 Local Privilege Escalation Vulnerability
 
Messaging apps like WhatsApp and Snapchat are at the perfect crossroads of mobile and social. These apps are simple and ubiquitous with some subscriber bases already in the hundreds of millions of users.
 
The next phase in the evolution of wearable technology is upon us; brand-name fashion designers are joining the party, and style conscious women can now preorder a few different accessories to make their Fitbit Flex fitness trackers look less like wrist-worn rubber bands and more like pricey jewelry.
 
As recently as five years ago, setting up a new business and equipping it for a PC-literate workforce was a costly affair. You needed to acquire server hardware and pay various software licensing fees.
 
Yes, users sometimes do stupid things. Some always will. But developers need to do more to save users from themselves.
 

Posted by InfoSec News on Jul 16

http://www.wired.com/2014/07/google-project-zero/

By Andy Greenberg
Threat Level
Wired.com
07.15.14

When 17-year-old George Hotz became the world’s first hacker to crack
AT&T’s lock on the iPhone in 2007, the companies officially ignored him
while scrambling to fix the bugs his work exposed. When he later reverse
engineered the Playstation 3, Sony sued him and settled only after he
agreed to never hack another Sony product.

When...
 
Intel has started shipping Xeon E5 chips based on the Haswell microarchitecture to server makers, and the chip will be in servers this quarter.
 

Posted by InfoSec News on Jul 16

http://www.nationaldefensemagazine.org/archive/2014/August/Pages/CyberLaborShortageNotWhatitSeemsExpertsSay.aspx

By Stew Magnuson
National Defense
August 2014

Businesses and government agencies are engaged in a dogfight over cyber
security talent, or so the conventional thinking goes. The shortage of
qualified cyber security personnel continues to cause hand-wringing inside
the beltway.

That is mostly still true, but the situation is more...
 

Posted by InfoSec News on Jul 16

http://www.computerworld.com/s/article/9249738/Overreliance_on_the_NSA_led_to_weak_crypto_standard_NIST_advisers_find

By Lucian Constantin
IDG News Service
July 15, 2014

The National Institute of Standards and Technology needs to hire more
cryptographers and improve its collaboration with the industry and
academia, reducing its reliance on the U.S. National Security Agency for
decisions around cryptographic standards.

Lack of internal...
 
Getting employees to take security seriously can be a game that everyone wins.
 
Oracle Java SE CVE-2014-4252 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-4216 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-4266 Remote Security Vulnerability
 
Mozilla has released an updated version of its JPEG compression tool that shaves down file sizes by 5%, a small figure but one that is significant for image-intensive Web services such as Facebook.
 
IBM and Apple have a history of working together that dates back more than 20 years.
 
Cloud Foundry impresses with broad application support, streamlined deployment, and enterprise extras from Pivotal, though initial setup could be simpler
 
Fujitsu has developed an approach to cluster supercomputers that reduces the number of network switches by 40% without sacrificing performance.
 
Oracle Java SE CVE-2014-4209 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-2490 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-4244 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-4262 Remote Security Vulnerability
 

Posted by InfoSec News on Jul 16

Forwarded from: cfp (at) ruxcon.org.au
 

Posted by InfoSec News on Jul 16

http://www.nytimes.com/2014/07/16/world/asia/chinese-hackers-extend-reach-in-us-government.html

By Michael S. Schmidt
The New York Times
July 15, 2014

WASHINGTON -- After years of cyberattacks on the networks of high-profile
government targets like the Pentagon, Chinese hackers appear to have
turned their attention to far more obscure federal agencies.

Law enforcement and cybersecurity analysts in March detected intrusions on
the computer...
 

Reader Jake sent us an awesome bundle of RAT-related mayhem collected during performance of his duties while investigating the unfortunate and prolonged compromise of a company we'll fictitiously call Hazrat Supply.
Guess what?  The RAT that was plaguing the Hazrat Supply environment was proxying traffic back to a Chinese hosting company.
This is my shocked face.


Really, I'm shocked, can you tell?

The plethora of malicious files shared with us in this package represents a huge opportunity to create some related IOCs with Mandiant's IOCe, as well as to run some of this evil through my preferred toolkit for identifying and then building said IOCs. We'll do this in three parts as I'm handler on duty for the next three days (lucky you); there's lots here to play with (lucky me).

Let me give you a quick manifest first:

bybtt.cc3    MD5 c2f0ba16a767d839782a36f8f5bbfcbc
Backdoor:Win32/Zegost.B

mylcx.exe    MD5 4984fd547065ddcd781b068c4493ead6
HackTool:Win32/Zeloxat.A

PwDump7.exe    MD5 d1337b9e8bac0ee285492b89f895cadb
HackTool:Win32/PWDump

svchost.exe    MD5 20a6310b50d31b3da823ed00276e8a50
VirTool:Win32/Obfuscator.BL

Ironically the RDP server the attackers used, RemoteMany3389.exe, is not flagged as malicious by AV detection. Apparently it's a legitimate tool...in China. :-)
Seemingly so too is the file locker they used, xlkfs.sys, courtesy of XOSLAB.COM (signed by Yang Ping). Hey, thanks for signing it, I trust it more.
I'm going to go out on a limb here (not really) and say treat these files as flagrantly hostile.
Hit the big red button if they happen to be on your systems along with their malicious compatriots cited above.
Here are their hashes regardless:
RemoteMany3389.exe    MD5 c9913698afc7288b850f3af602f50819
xlkfs.sys        MD5 4aa2d2975d649d2e18440da0f3f67105

Building IOCs with Mandiant IOCe is in many ways straightforward for simple logic; to build more complex logic branches you'll need to understand AND and OR substructures.
Read the user guide that's installed with the editor.
I took just a few attributes (MD5, SHA1, file size) to start my IOC file for HackTool:Win32/Zeloxat.A, as seen in Figure 1.

Figure 1 (screenshot of the IOC in Mandiant IOCe)
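As an added example (not from the diary or from Mandiant), here is the same kind of OR/AND indicator logic written out as an OpenIOC 1.0 document and then evaluated against file records, so you can see how the nested Indicator branches combine. The MD5 and file name come from the manifest above; the file size is a constructed value, not the real sample's.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)

# MD5 and file name from the diary's manifest; the size is constructed for
# illustration and is NOT the real sample's size.
ZELOXAT_MD5 = "4984fd547065ddcd781b068c4493ead6"
ZELOXAT_NAME = "mylcx.exe"
ZELOXAT_SIZE = 61440  # constructed placeholder

def _item(parent, search, ctype, value, condition="is"):
    """Append one IndicatorItem (a leaf term) under an Indicator node."""
    item = ET.SubElement(parent, f"{{{NS}}}IndicatorItem", condition=condition)
    ET.SubElement(item, f"{{{NS}}}Context", document="FileItem", search=search, type="mir")
    ET.SubElement(item, f"{{{NS}}}Content", type=ctype).text = str(value)
    return item

def build_ioc():
    """Return an OpenIOC 1.0 document: OR( Md5sum , AND( FileName , SizeInBytes ) )."""
    ioc = ET.Element(f"{{{NS}}}ioc", id="zeloxat-example")
    ET.SubElement(ioc, f"{{{NS}}}short_description").text = "HackTool:Win32/Zeloxat.A"
    definition = ET.SubElement(ioc, f"{{{NS}}}definition")
    top = ET.SubElement(definition, f"{{{NS}}}Indicator", operator="OR")
    _item(top, "FileItem/Md5sum", "md5", ZELOXAT_MD5)            # exact-hash branch
    both = ET.SubElement(top, f"{{{NS}}}Indicator", operator="AND")  # weaker combined branch
    _item(both, "FileItem/FileName", "string", ZELOXAT_NAME)
    _item(both, "FileItem/SizeInBytes", "int", ZELOXAT_SIZE)
    return ET.tostring(ioc, encoding="unicode")

def evaluate(node, record):
    """Recursively evaluate an Indicator / IndicatorItem tree against a file record dict."""
    tag = node.tag.split("}")[-1]
    if tag == "IndicatorItem":
        field = node.find(f"{{{NS}}}Context").get("search").split("/")[-1]
        want = node.find(f"{{{NS}}}Content").text
        hit = str(record.get(field, "")).lower() == want.lower()
        return (not hit) if node.get("condition") == "isnot" else hit
    results = [evaluate(child, record) for child in node]
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_matches(ioc_xml, record):
    """True if the file record satisfies the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    return evaluate(root.find(f"{{{NS}}}definition/{{{NS}}}Indicator"), record)
```

A renamed copy with the known MD5 still matches through the OR branch, while the AND branch catches a recompiled or hash-changed copy only when both name and size agree.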

I'll be populating this further and sharing the full IOC file set for each of these samples upon request after Friday's shift.
Tweet me for them @holisticinfosec or email me via russ at holisticinfosec dot org.

Tomorrow, I'll run Jake's dump file for svchost.exe through Volatility to see what we can further learn and use to create additional IOCs.
Stay tuned.

 