Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Bitcoin exchange Mt. Gox plans to lift its suspension of external Bitcoin transfers soon after fixing a weakness in its accounting process that left it susceptible to denial-of-service attacks, company representatives said Monday.

As Ars reported last week, the Tokyo-based Mt. Gox was one of at least two Bitcoin exchanges that temporarily suspended withdrawals after coming under attacks that deliberately flooded it with malformed transaction records. The phantom transactions didn't allow attackers to steal money or permanently tamper with the central accounting system for the digital currency, but it had a noticeable effect on some exchanges. The malformed records created discrepancies in the effected exchange's accounting systems that caused them to fall out of sync with the network. The exchanges then experienced slow downs as they recalculated their account balances. The attack and the vulnerability it exploited came to public attention through the research of Bitcoin wallet developer Blockchain.info.

In a statement issued Monday, Mt. Gox representatives said:

Read 1 remaining paragraphs | Comments


    






 
 
As we discussed here back in January, there has been a significant rise in large Network Time Protocol (NTP) reflection DDoS attacks. In such an attack, an attacker sends a crafted packet that requests a large amount of data that is ultimately sent to the spoofed host. 
 
In our previous post[1], we discussed in detail the “monlist” command but it’s not just “monlist” that can be abused but many level-6 and level-7 commands such as “showpeer”, “sysstats”, “peers”, “listpeers”.
 
To lock down your NTP server, please follow our previous post and upgrade your NTP version as outlined by US-Cert here[2].
 
Additionally, as a FYI, a recent US Cert alert [3] identified other possible sources of UDP amplification attacks and it is recommended to review.
 
For those that think, well that won't happen to me or "Who cares, DDoS attacks have been happening since 1999" this year has already shown an excessive number of public attacks using NTP, creating a devastating flood of traffic to anyone without top notch mitigation* measures lined up. And we're only in February.
 
Brian Krebs's web site, a reporter that write about cyber security stories,  was hit by a 200Gbps of NTP traffic over the last week [4]. Brian reports how and by whom launched the attack in a detail story that's well worth a read. It's not just small targets; since the start of 2014, as reported here, many online gaming websites have been targeted through these reflection-type attacks with the attackers taking to Twitter to announce the upcoming attack and later bask in the glory. The latest Arbor report [5] talks about this in further detail, mentions attacks of up to 309Gbps and names the relevant Twitter IDs tweeting about DDOS. Cloudflare indicated that the attack they saw earlier this week was 400Gbps. The sheer size of these attacks mean that they just don’t break the target but significant areas of the Internet, i.e. large collateral damage.
 
If you see NTP reflection attacks being targeted towards you, the standard best practice follows – 
 
• Apply ACLs to your perimeter network and as far possible upstream 
 
• Work with your ISP(s) to do the same [6]
 
• Lock down your own NTP servers and other UDP-listening servers 
 
• If you detect open ntp servers, report them to the Open NTP project [7]
 
For those that are looking for a handy DDoS quick reference guide explaining the different DDoS attack http://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
 
* For the majority of businesses DDoS mitigation has a financial cost associated with it that increases upward for increased protection
 
[1] https://isc.sans.edu/diary/NTP+reflection+attack/17300
[2] https://www.us-cert.gov/ncas/alerts/TA14-013A
[3] https://www.us-cert.gov/ncas/alerts/TA14-017A 
[4] http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
[5] http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
[6] http://www.ietf.org/rfc/rfc3704.txt 
[7] http://openntpproject.org/
 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[ MDVSA-2014:038 ] kernel
 
Jerry

An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend—a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used to access the drive from various locations on his local network.

"This is an automated message being sent out to everyone effected [sic]," the message, uploaded to his device without any login credentials, read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt."

It's likely that Jerry wasn't the only person to find the alarming message had been uploaded to a hard drive presumed to be off-limits to outsiders. Two weeks ago, a group posted almost 13,000 IP addresses its members said hosted similarly vulnerable Asus routers. They also published a torrent link containing more than 10,000 complete or partial lists of files stored on the Asus-connected hard drives.

Read 8 remaining paragraphs | Comments


    






 
[ MDVSA-2014:036 ] varnish
 
Recon 2014 Call For Papers - June 27-29, 2014 - Montreal, Quebec
 
My PDF Creator & DE DM v1.4 iOS - Multiple Vulnerabilities
 
Project management experts discuss the best ways to set, manage and adjust expectations to ensure that projects don't veer off course -- and they suggest what steps project managers should take if they do.
 
Full Disclosure - Linksys EA2700, EA3500, E4200 and EA4500 - Authentication Bypass to Administrative Console
 
[ MDVSA-2014:037 ] ffmpeg
 
Office Assistant Pro v2.2.2 iOS - File Include Vulnerability
 
phpMyBackupPro-2.4 Cross-Site Scripting vulnerability
 
NumPy '__init__.py' Insecure Temporary File Creation Vulnerability
 
NumPy 'mktemp' Insecure Temporary File Creation Vulnerability
 
python-swiftclient SSL Certificate Validation Security Bypass Vulnerability
 

Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management [1]. According to Symantec's advisory, this product listens on port 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, being that it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports. 

(click on image for larger version)

Interestingly, it looks like two different IP addresses caused this increase, scanning for one port only each.

217.174.250.228 is the "heavy hitter" for port 8443, and 125.217.252.183 for port 9090. There is no organizational connection between the two IPs based on Whois. 

125.217.252.183 is assigned to a University in China (the whois record contains a bit a weird looking "description": ~{;*[email protected]$4sQ'~} ). 
217.174.250.228 is assigned to a british hosting company. 

My assumption is that both hosts were compromised at the time. 

Today, we are also seeing a large increase in scanning for port 9090, pointing to someone building a target list of vulnerable systems. Pretty much the only source scanning today is 113.010.155.079. This address is interesting in that it is not assigned according to APNIC (the RIR in charge of this address), but it does respond to pings. It runs a phpmyadmin website as default host, which pretty much guarantees that it is a compromised system (could actually also be a honeypot).

[1] http://www.symantec.com/docs/TECH214866

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Over the weekend, Google acquired SlickLogin, a security startup that enables smartphone owners to log in to their PCs via an inaudible, high-frequency sound. SlickLogin can be used for two-factor authentication, but rather than shipping someone an RSA token, SlickLogin uses a smartphone app like Google Authenticator. Instead of forcing users to type in a long, constantly changing code, though, SlickLogin sends the authentication information via sound waves to a listening computer.

SlickLogin doesn't just offer two-factor authentication; the sound waves can transmit user account information as well, meaning you could log in to a website by doing nothing other than holding your phone next to a computer. This is mostly likely the feature that caught Google's attention. The Mountain View company has been out to kill the password for some time now. Previously, it experimented with authentication tokens in the form of a ring that could be tapped onto a computer or a USB stick. The benefit of SlickLogin's approach is that it doesn't require additional hardware—most computers already have microphones, and every smartphone has a speaker.

The company launched just five months ago at TechCrunch Disrupt, (and TechCrunch was the first to report the acquisition) where it gave a demo of its technology and fielded questions from the judges. Each login uses a different sound key, so having someone record and play back the login sound won't work. Everything is encrypted, and while an Internet connection is currently required, SlickLogin says it is working on an offline version. If the device doesn't have a microphone, SlickLogin can also work with NFC, Bluetooth, Wi-Fi, or QR codes.

Read 2 remaining paragraphs | Comments


    






 
Linux Kernel CVE-2013-6432 NULL Pointer Dereference Local Denial of Service Vulnerability
 
CISTI'2014: List of Workshops
 
[ MDVSA-2014:034 ] yaml
 
[ MDVSA-2014:033 ] socat
 
[ MDVSA-2014:032 ] flite
 
MapR's latest Hadoop distribution includes support for Hadoop 2.2 with YARN, but is also backward compatible with the MapReduce 1.x scheduler, promising organizations a risk-free upgrade path to the latest Hadoop architecture.
 
LinuxSecurity.com: Updated libpng and libpng12 packages fix security vulnerability: The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PLTE chunk of zero bytes or a NULL palette, [More...]
 
LinuxSecurity.com: Several vulnerabilities have been discovered in the chromium web browser. CVE-2013-6641 [More...]
 
LinuxSecurity.com: It was discovered that file, a file type classification tool, contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files. The Common Vulnerabilities and Exposures project [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in yaml: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in socat: Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the [More...]
 
LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in flite: The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third [More...]
 
LinuxSecurity.com: Multiple security issues was identified and fixed in drupal: The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors (CVE-2014-1475). [More...]
 
LinuxSecurity.com: New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
Pidgin 'libpurple' Multiple Denial of Service Vulnerabilities
 
EU privacy regulators say U.S. privacy laws are too weak to protect EU personal data. But a new analysis of 358 privacy-enforcement actions paints the opposite picture.
 
Microsoft VBScript CVE-2014-0271 Remote Code Execution Vulnerability
 
eForum 'busca.php' Multiple Cross Site Scripting Vulnerabilities
 
The team at SlickLogin, a company working on technology for online authentication using sounds from a mobile phone, said it has joined Google.
 
LG Electronics has introduced the third generation of its low-end L series, with three new smartphones that all run Android 4.4 or KitKat.
 
Technical details about a vulnerability in Linksys routers that's being exploited by a new worm have been released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.
 
Apple Boot Camp 'AppleMNT.sys' Memory Corruption Vulnerability
 
TomatoCart 'install/rpc.php' Local File Include Vulnerability
 
Google Chrome CVE-2013-6643 Unspecified Security Vulnerability
 
Google Chrome CVE-2013-6649 Use After Free Remote Code Execution Vulnerability
 
Google Chrome CVE-2013-6650 Memory Corruption Vulnerability
 
Internet Storm Center Infocon Status