Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google is facing some tough questions from Congress over the privacy concerns raised by Glass, its fledgling augmented reality system for recording and receiving information on the fly. But on the ground at the company's I/O conference for developers, attendees are largely enthusiastic about the technology.
 
An appeals court in Mexico has overturned an approximately US$2.7 billion judgment against Yahoo and Yahoo Mexico in a breach-of-contract suit concerning online directories.
 

 

Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well.

Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats.cc, emstats.su, ehistats.su, e-protections.su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections.cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer. The similarity of the names was too much of a coincidence, and it meant bad news for Michael.

Looking at what was captured by some of our network sensors allowed to reconstruct a (partial) picture of the IPs and ASN's involved in today's malware wave

Domain IP AS Provider Country
ppetoc.iestats.cc 64.85.161.67 30517 Great Lakes Comnet USA
ppetoc.iestats.cc 85.25.132.55 8972 PlusServer Intergenia AG Germany
ppetoc.iestats.cc 173.224.210.244 40676 Psychz Networks USA
ppetoc.iestats.cc 178.63.172.88 24940 Hetzner Online AG Germany
ppetoc.iestats.cc 188.95.48.152 57172 Global Layer B.V. Netherlands

The host name portion for some of the domains looks like it is time dependent (incrementing ascii) whereas other domains use (apparently) random names like d3acofzi7hjft.e-protections.su. Name servers involved today include ns1.abercrombienfr.net (currently 199.68.199.178 - AS1426) and ns1.semi-spa.net (currently 91.227.220.104 - AS50300). I doubt the former has anything to do with the clothing store, the domain was created four months ago.

Closer inspection of Michael's PCs revealed that each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far.

If you have information to add on this particular malware or the domains mentioned, please comment below, or use our contact form.

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Four hackers from the infamous group LulzSec were sentenced in the UK today. Three of them are facing prison, while the fourth got a suspended sentence
    


 
Unless you're a Yahoo employee, theres a very good chance you are working from home or at a coffee shop at least part of the week, according to Forrester Research.
 
Dell reported another quarter of declining profits and revenue Thursday as CEO Michael Dell continues his fight to take the company private.
 
Members of a U.S. congressional group on privacy wrote Thursday to Google CEO Larry Page requesting information on how the futuristic device handles privacy issues.
 
Hoping to entice more enterprises to use the R statistical programming language directly within their predictive modeling and data visualization jobs, Tibco has released a free version of its R runtime engine.
 
ZPanel 'templateparser.class.php' PHP Code Injection Vulnerability
 


As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract signatures and certificates on an Apple .app, you can do (example Mail.app)

codesign -dvvvv --extract-certificates  /Applications/Mail.app

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL

openssl x509 -inform DER -in codesign0 -text

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google has introduced an integrated developer environment (IDE) aimed at easing development of Android apps.
 
Intel CEO Brian Krzanich admitted Thursday in his first speech in that role that the company has been weak in smartphones and tablets, but aims to improve by advancing chip and manufacturing technologies.
 
Jive Software has released an add-on to its enterprise social networking (ESN) software that automates and simplifies the process of integrating Jive's suite with third-party systems.
 
The U.S. tech industry added nearly 64,000 software related jobs last year, but as the workforce expanded, the average size of workers' pay checks declined by nearly 2%.
 
A data center in Sweden has cut its energy bills by a million dollars a year using seawater to cool its servers, though jellyfish are an occasional hazard.
 
Google beat Apple to the music subscription service punch this week, perhaps the doing of record labels who wanted to put Apple in its place, an analyst said
 
Google is working to build out the app ecosystem for its upcoming Glass, showing off work today at Google I/O from partners like Twitter, Facebook, CNN and Elle.
 
The U.S. Congress should consider a "safe harbor" from legal action for consumers using works protected by copyright as it launches a long-term effort to revamp copyright law, some advocates said Thursday.
 
eBay CIO Scott Seese says he and his team are using technology and innovation to drive the company's mission of connected commerce. He explains how the ecommerce giant taps into the power of social and mobile to help customers find and purchase exactly what they seek from among millions of sellers. Seese also discusses his strategy for success and why it's important to connect the dots.
 
Dell reported another quarter of declining profits and revenue Thursday as CEO Michael Dell continues his fight to take the company private.
 
Adobe Flash Player and AIR CVE-2012-5259 Buffer Overflow Vulnerability
 
Adobe Flash Player and AIR CVE-2012-5258 Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2012-5257 Buffer Overflow Vulnerability
 
Adobe Flash Player and AIR CVE-2012-5256 Memory Corruption Vulnerability
 
Four British men associated with the LulzSec hacker collective received prison sentences Thursday for their roles in cyberattacks launched by the group against corporate and government websites in 2011.
 
High-tech industry's leading advocate in the immigration bill fight, Sen. Orrin Hatch (R-Utah), has bought himself some time, perhaps until Tuesday, to try get the immigration bill changed to the liking of the tech industry.
 
Adobe Reader And Acrobat CVE-2013-2549 Integer Underflow Remote Code Execution Vulnerability
 
The National Institute of Standards and Technology (NIST) has posted an initial analysis of hundreds of comments submitted by industry and the public related to the Presidents 'Improving Critical Infrastructure Cybersecurity' Executive ...
 
Google yesterday sent a cease-and-desist letter to Microsoft, demanding that its rival remove the YouTube app built for the Windows Phone platform.
 
It became clear at Google I/O this week that Google is quietly but assuredly implementing CEO Larry Page's strategy to use Google+ to transform the entire Google experience.
 
E-commerce trade group NetChoice takes aim at state legislation -- and at open access and privacy advocates -- in the newest list of bills it deems would be awful for the Internet.
 
What is someone scanning the internet for easily accessible industrial plants actually up to? The SCADA honeypot Conpot can help supply answers to that question
    


 
In the middle of its annual developers conference, the Google unveiled updates to its popular Gmail service.
 
The zPanel server is unavailable at the moment, most likely as a result of a hacker attack brought on by a member of the support team who swore at a forum user
    


 
ESA-2013-029: RSA SecurID Sensitive Information Disclosure Vulnerability
 
ESA-2013-041: EMC VNX and Celerra Control Station Elevation of Privilege Vulnerability
 
[slackware-security] mozilla-thunderbird (SSA:2013-135-02)
 
[slackware-security] mozilla-firefox (SSA:2013-135-01)
 

CISO: Chief Infosec Scapegoat Officer
Infosecurity Magazine
You are here: Home; /; News; /; CISO: Chief Infosec Scapegoat Officer · The average tenure of a CISO is now just 18 months; and this is likely to worsen if corporate security doesn't improve. Share. More services. Related Links. Developers need more ...

 
Security researchers from Damballa have found a new variant of the Pushdo malware that's better at hiding its malicious network traffic and is more resilient to coordinated takedown efforts.
 
At the meeting of the RIPE IP address registry, discussions revolved around how to get black sheep to implement overdue security measures
    


 

How can we keep infosec pros a step ahead of the bad guys?
Computerworld Australia
Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Going forward, IT security gurus will need to think analytically ...

and more »
 
Embedded YouTube videos don't infringe copyright under current German law, but they could violate European rules, the German Federal Court of Justice said on Thursday.
 
Healthcare IT is becoming one of the fastest growing areas in the job market as health service providers rush to get compliant and adopt new technologies.
 
Linux Kernel CVE-2013-2094 Local Privilege Escalation Vulnerability
 
RETIRED: Microsoft May 2013 Advance Notification Multiple Vulnerabilities
 

How can we keep infosec pros a step ahead of the bad guys?
Computerworld
Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Going forward, IT security gurus will need to think analytically ...

 
Attacks on digital assets are on the rise, and the black hats get more inventive every day. How should educators prepare tomorrow's information security gurus?
 
Dell intends to move workstations into the data center and then serve up intense multimedia and engineering applications to remote users over the cloud or in virtualized environments via thin clients.
 
A Japanese government institute has warned that satellite transmissions, GPS readings, and power lines could be affected over the next two weeks if a recent spate of solar flares continues.
 
Spiceworks has teamed up with Fiberlink to add mobile device management functionality to the next version of its free network and IT management software.
 
RETIRED: Adobe Flash Player and AIR APSB13-14 Multiple Memory Corruption Vulnerabilities
 

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to cause high CPU utilization and a reload of the affected system.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130515-mse

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Amazon Web Services is improving the performance of its DynamoDB database service with Parallel Scan, which gives users faster access to their tables.
 
Mozilla Firefox/Thunderbird CVE-2013-1672 Local Privilege Escalation Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1675 Information Disclosure Vulnerability
 
Google laid out its plan for the future of search at Google I/O, talking about a search engine for mobile and desktop that not only answers your questions but has a conversation with you and offers information before you even ask for it.
 
Oracle has changed the numbering of its Java security updates, prompting one expert to say, "As if Java updates weren't confusing already."
 
A growing number of SaaS providers offer secure encryption log-in to Dropbox and other cloud storage vendors, meaning even they can't access the data you store. And neither can the government.
 
A German online copyright law that will give publishers the exclusive right to the commercial use of their publications on the Internet will come into effect on Aug. 1.
 
At Google I/O on Wednesday, Google unveiled a streaming music service that will compete directly with the likes of Pandora and Spotify -- in what is said to be a growing market, however.
 
To avoid the need to develop new fuzz testing tools, researchers at Fraunhofer FOKUS institute have created the Fuzzino open source fuzzing library that can be used to add fuzzing features to existing test tools
    


 
A bug that was fixed in the development branch of the kernel back in April was not identified as being security relevant and can therefore still be exploited on many systems
    
 
Oracle Sun Products Suite CVE-2013-1498 Local Security Vulnerability
 
A federal court in New York has denied class certification to copyright owners in an infringement lawsuit against YouTube over unauthorized hosting of content, stating that copyright claims have only superficial similarities.
 
Oracle Sun Products Suite CVE-2013-0406 Remote Security Vulnerability
 
Google is integrating Gmail with Google Wallet so that users can send payments as a mail attachment, even if the recipient doesn't have a Gmail address.
 
New Zealand's Supreme Court on Thursday granted Megaupload leave to appeal a ruling that denied it access to evidence the U.S. government holds.
 
The European Union is preparing to investigate the imports of mobile networking gear from China for anti-competitive practices, a move that's likely targeted at telecommunications equipment companies Huawei Technologies and ZTE.
 
Python 'ssl.match_hostname()' Function Denial of Service Vulnerability
 
Portage 'urlopen()' SSL Certificate Validation Security Bypass Vulnerability
 
Internet Storm Center Infocon Status