Bill OK'd to Enhance NIST Cybersecurity Role
Years before the federal government issued the cybersecurity framework last February, Sen. Jay Rockefeller offered legislation to establish a process for the government to develop IT security best practices with advice from industry that critical ...

Jease CMS v2.11 - Persistent UI Web Vulnerability

According to multiple reports, unnamed government officials have said that the cyber-attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal reports that investigators suspect the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit.

But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it.

Analysis of a malware sample matching the MD5 hash signature of the “Destover” malware that was used in the attack on Sony Pictures by researchers at Cisco revealed that the code was full of bugs, and anything but sophisticated. It was the software equivalent of a crude pipe bomb.

Read 11 remaining paragraphs | Comments

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Speaking off the record, senior intelligence officials have told the New York Times, CNN, and other news agencies that North Korea was "centrally involved" in the hack of Sony Pictures Entertainment (SPE).

This news comes as SPE cancelled the planned December 25th release of The Interview, a comedy about a plot to assassinate North Korean dictator Kim Jong-un. The film was withdrawn in response to threats to carry out attacks on those cinemas showing the film.

This threat, transforming the hacks from an embarrassment to Sony to a potential risk to life and limb, sets the SPE hack apart from past attacks on corporate computer systems, according to officials speaking to NYT.

Read 2 remaining paragraphs | Comments


While the Sony hack hogs media headlines and stolen credit card details are sold nearly everywhere, counterfeit documents and how-to-hack tutorials are some of the fastest growing sellers on online underground marketplaces, according to an annual study of prices published by Dell Secureworks on Monday.

A scan of a Social Security card along with a name and address costs about $250, for example, with supporting documents—such as a credit card statement or utility bill—costing another $100. A fake driver’s license lists between $100 and $150. In total, a would-be identity thief could get all the information they needed to access health services, obtain government assistance, or apply for financial credit for under $500.

Overall, illicit sites are now selling more types of identity documents than last year, when the researchers—Joe Stewart and David Shear of Dell Secureworks—conducted their first study. The increase is, in part, because proof of identity is required by more organizations and financial institutions, Shear said.

Read 7 remaining paragraphs | Comments


Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group.

ICANN, which oversees the Internet's address system, said in a release published Tuesday that the breach also gave attackers administrative access to all files stored in its centralized zone data system, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs.

"We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."

Read 4 remaining paragraphs | Comments

PEAR Installer Multiple Insecure Temporary File Creation Vulnerabilities

Alert Logic published a widely publizised blog outlining a common configuration problem with Polkit. To help with dissemination, Alert Logic named the vulnerability Grinch [1] .

In some ways, this isnt so much a vulnerability, as more a common overlypermissive configuration of many Linux systems. It could easily be leveraged to escalate privileges beyond the intent of the polkitconfiguration.

Lets first step back: In the beginning, there was sudo. Sudo served the Unix community well for many decades. I had to Google this myself, but looks like sudo initially was developed in 1986 [2]. Sudois relatively simple in its approach. A simple configuration file outlines who can run what command as what user. Of course, it isnt always as simple, as some software (e.g. many editors) allow the user to spawn shells, but for the most part administrators have found ways to fix these problems over the years. Most importantly, proper ly configured sudo requires the user to enter a password.

Polkit works differently then sudo. With sudo, I configure which software a user is allowed to run as root (or another user). With polkit, I configure which privileges a user is allowed to take advantage of while running a particular piece of software.

The problem pointed out by Alert Logic is two fold. First of all, the default polkitconfiguration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the polkit configuration essentially just maps the wheels group, which is commonly used for sudo users, to the polkit Admin. This gives users in the wheel group access to administrative functions, like installing packages, without having to enter a password.

The main risk is privilege escalation. With sudo, an attacker would have to enter the users password after compromising a lesser user account in the wheel group. With polkit, all it takes is to install a package using the polkit tool pkcon, which takes advantage of the loose polkit configuration to install packages.

What should you do? What is the risk?

First, have a relaxed christmas and enjoy it with your family. Next, take a look around your network and narrow down how is a member of the wheel group. Only administrators should be a member of the group (people who change system configurations and install software for a living). If you got some time between now and Jan 1st: Read up on Polkit and educate yourself as to what it does.

After new year: Make sure you understand how polkit action are logged, and start reviewing them. Polkit is still new, so many system administrators dont know about it and may ignore the alerts.

Of course, Shellshock and this Polkitissue make a great 1-2 punch to get root on a Unix system. But I doubt a system still vulnerable to Shellshock has no other privilege escalation vulnerability. So I dont think it this is such a huge issue. Fix Shellshock first if that is the case.

And as always, make sure to read the original Alert Logic document to get all the details.

[1] https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Morfy CMS v1.05 - Command Execution Vulnerability
Bird Feeder v1.2.3 WP Plugin - CSRF & XSS Vulnerability
Cross-Site Scripting (XSS) in Revive Adserver

People have grown so dependent on websites to shop, travel, and socialize that we often forget how easy it is to slow or completely shut down the underlying server. A case in point is a new lightweight script that causes many websites to falter.

Dubbed FlashFlood, the looped JavaScript bombards a website with requests in a way that bypasses server defenses designed to protect against crashes. It can be run from computers with modest bandwidth and hardware resources. Researchers from security firm WhiteHat Security said attackers could lure unwitting participants into taking part in denial-of-service attacks, through cross-site scripting (XSS) attacks, or by tricking large numbers of people into visiting an innocuous-looking link. In a blog post published Tuesday, they wrote:

It works by sending tons of HTTP requests using different parameter value pairs each time, to bypass caching servers like Varnish. Ultimately it’s not a good idea to ever use this kind of code as an adversary because it would be flooding from their own IP address. So instead this is much more likely to be used by an adversary who tricks a large swath of people into executing the code. And as Matt points out in the video, it’s probably going to end up in XSS code at some point.

FlashFlood is particularly potent against heavy database-driven sites if they rely on caching to protect themselves. Many sites running on Drupal are a good example. The researchers estimate it would take anywhere from four to 40 machines to take down an average Apache system. "I've run into the problem before where people seem to not understand how this works, or even that it's possible to do this, despite multiple attempts at trying to explain it multiple times," WhiteHat Security researcher Robert Hansen wrote.

Read on Ars Technica | Comments


Esentire Releases Cybersecurity Documentation Framework Featuring Infosec ...
Dark Reading
Culled from years of industry expertise, this Information Security Policy Framework provides Registered Investment Advisors the means to proactively document and manage their defense posture while responding to due diligence and regulatory requirements ...

LinuxSecurity.com: Updated thermostat1-thermostat packages that fix one security issue are now available for Red Hat Software Collections 1. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated mailx packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
LinuxSecurity.com: Updated kernel-rt packages that fix one security issue are now available for Red Hat Enterprise MRG 2.5. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security Report Summary
python 'os._get_masked_mode()' Function Local Race Condition Vulnerability

Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor Coolreaper.

With Android, it is very common for manufacturers to install additional applications. But these applications are installed on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device. This backdoor was then used by Coolpad to push advertisements to its users and to install additional Android applications.But its functionality goes way beyond simple advertisements.

The backdoor provides full access to the device. It allows the installation of additional software, accessing any information about the device, and even notifying the user of fake over the air updates.

How important is this threat?

Coolpad devices are mostly used in China, with a market share of 11.5% according to the report. They are not found much outside of China. The phones are typically sold under brands like Coolpad, Dazen and Magview.

The following domains and IPs are used for the CC channel:, dmp.coolyn.com, dmp.51coolpad.com, icudata.coolyun.com, icudata.51coolpad.com,, icucfg.coolyun.com and others. Blocking and logging outbound traffic for these IPs will help you identify affected devices.

For details, see the Palo Alto Networks report athttps://www.paloaltonetworks.com/threat-research.html

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
MantisBT CVE-2014-1609 Multiple Unspecified SQL Injection Vulnerabilities
secuvera-SA-2014-01: Reflected XSS in W3 Total Cache
[REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities
FreeBSD Security Advisory FreeBSD-SA-14:30.unbound
OpenSSL CVE-2014-8730 Man In The Middle Information Disclosure Vulnerability
Linux Kernel CVE-2014-9322 Local Privilege Escalation Vulnerability
ISC BIND 9 Remote Cache Poisoning Vulnerability
BSD mailx CVE-2014-7844 Local Arbitrary Command Execution Vulnerability
BSD mailx CVE-2004-2771 Local Arbitrary Command Execution Vulnerability
[security bulletin] HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution
[security bulletin] HPSBOV03226 rev.1 - HP TCP/IP Services for OpenVMS, BIND 9 Resolver, Multiple Remote Vulnerabilities
[security bulletin] HPSBOV03225 rev.1 - HP OpenVMS running POP, Remote Denial of Service (DoS)
Elefant CMS v1.3.9 - Persistent Name Update Vulnerability
[security bulletin] HPSBMU03221 rev.1 - HP Connect-IT running SSLv3, Remote Disclosure of Information
RelateIQ Bug Bounty #1 - Persistent Signup Vulnerability
Konakart v7.3.0.1 CMS - CS Cross Site Web Vulnerability
Internet Storm Center Infocon Status