Hackin9
Intel has an ambitious goal for 2014: get its Atom chips into 40 million tablets, or four times the number of tablets that had Intel inside in 2013. But rather than do it by tailoring its products to what tablets now demand, the cash-rich company has another plan: pay tablet makers to use its chips.
 
Some of the most futuristic features envisioned in networked cars will depend on 5G mobile technology that probably won't be available in full until 2020, according to Ericsson's chief technology officer.
 

One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.

To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension.

We ought to clarify here that Google isn't explicitly responsible for such unwanted adware, but vendors are exploiting Google's extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven't heard back yet. We'll update this article if we do.

 
libvirt 'virDomainBlockStats()' Denial of Service Vulnerability
 
libvirt CVE-2014-1447 Denial of Service Vulnerability
 
memcached Verbose Mode Denial of Service Vulnerability
 
Oracle MySQL Server CVE-2014-0402 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2013-5908 Remote Security Vulnerability
 
President Obama's proposals to reform the National Security Agency's surveillance practices reflect the enormous challenges the administration faces in finding the right balance between national security needs and privacy and civil rights concerns.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Computer security systems may one day get a boost from quantum physics, as a result of recent research from the National Institute of Standards and Technology (NIST). Computer scientist Yi-Kai Liu has devised a way to make a security ...
 
Venture capitalists poured more money into Internet companies last year than they have since the dot-com bust, according to a survey published Friday.
 
President Barack Obama positioned his proposals for government surveillance reforms within the context of U.S. history to argue that spying is -- and always has been -- necessary.
 
IT outsourcing experts tell CIO.com what to expect in the year ahead. And if they're right, this could be the year customers -- and a few robots -- take greater control of the IT outsourcing space.
 
Security researchers have published a report that Ars is having a tough time swallowing, despite considerable effort chewing—a botnet of more than 100,000 smart TVs, home networking routers, and other Internet-connected consumer devices that recently took part in sending 750,000 malicious e-mails over a two-week period.

The "thingbots," as Sunnyvale, California-based Proofpoint dubbed them in a press release issued Thursday, were compromised by exploiting default administration passwords that hadn't been changed and other misconfigurations. A Proofpoint official told Ars the attackers were also able to commandeer devices running older versions of the Linux operating system by exploiting critical software bugs. The 100,000 hacked consumer gadgets were then corralled into a botnet that also included infected PCs, and they were then used in a global campaign involving more than 750,000 spam and phishing messages. The report continued:

The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014 and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.

The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented. And while the engineering effort required to pull off such a feat would be considerable, the botnet Proofpoint describes is possible. After all, many Internet-connected devices run on Linux versions that accept outside connections over telnet, SSH, and Web interfaces.

 
Ecava IntegraXor Stack Buffer Overflow Vulnerability
 
The company is dancing around the question of what it knew and when it knew it, but the security problem was not a revelation for it this week.
 
These Internet services pop up on millions of PCs and smartphones every day, selling goods, processing searches and offering the latest in celebrity gossip. But if you're not Chinese, you probably won't recognize their names; they're catering to the giant population of China, and prospering from legions of loyal users.
 
NASA is looking for help creating a robotic rover that will deliver cargo to the surface of the moon.
 
Cisco WebEx Meetings Server Administrative Password Disclosure Vulnerability
 
Almost all C-suite executives at large enterprises believe data and analytics are important to their business, but most are struggling to become data-driven businesses -- and more than half say they don't even know what data to collect.
 
Bank of America experiments with real-time video and chat in online, in-person and mobile channels to improve customer service
 
No independent verification yet that the problem has been eradicated.
 
President Barack Obama called for changes to U.S. National Security Agency surveillance, with new privacy advocates assigned to a surveillance court and a transition away from a controversial telephone records collection program in the U.S.
 
Complexity may be Windows' downfall, and Microsoft has not only failed to address the problem, but exacerbated it by shipping the dual-threat, two-UI Windows 8.
 
In the wake of a large-scale attack on point-of-sale systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.
 
Oracle PeopleSoft Enterprise PeopleTools CVE-2014-0381 Remote Security Vulnerability
 
Oracle PeopleSoft Enterprise PeopleTools CVE-2014-0439 Remote Security Vulnerability
 
Oracle PeopleSoft Enterprise PeopleTools CVE-2014-0440 Remote Security Vulnerability
 
Oracle Siebel Core CVE-2014-0369 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5895 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-0403 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-0424 Remote Security Vulnerability
 
Oracle was in the news for the wrong reason this week when a former employee filed a lawsuit alleging the firm is racist. The incident provides some lessons in image and reputation management in our age of social media and 24-hour news cycles. As it turns out, IT departments can help protect the brand.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in ISC BIND: The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in nrpe: Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via $() shell metacharacters, which are [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in ejabberd: The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack (CVE-2013-6169). [More...]
 
LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in nagios: Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in ejabberd: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. [More...]
 
LinuxSecurity.com: Updated librsvg and gtk+3.0 packages fix security vulnerability: librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference (CVE-2013-1881). [More...]
 
LinuxSecurity.com: Updated openjpeg package fixes security vulnerabilities: Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in openssl: The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle [More...]
 
OpenJPEG CVE-2013-6887 Multiple Denial Of Service Vulnerabilities
 
The stolen credit card numbers of millions of Target shoppers took an international trip -- to Russia.
 
Dispelling any lingering doubt that IBM sees cloud computing as the way of the future, the company announced that it will invest US$1.2 billion this year in expanding its global cloud infrastructure.
 
NTT DoCoMo has put on hold its plans to launch a smartphone with the new open-source Tizen mobile operating system, a spokesman said Friday.
 
Google wants more developers to integrate their Android apps with its storage service Drive, and has released a new API that aims to make it easier.
 
Oracle iLearning CVE-2014-0389 Remote Security Vulnerability
 
Open-Xchange Security Advisory 2014-01-17
 
Oracle Java SE CVE-2013-5907 Remote Security Vulnerability
 

KPMG cuts its funding for UK.gov's Cyber Security Challenge
Register
KPMG is cutting back on its sponsorship of the UK government-backed Cyber Security Challenge after concluding the puzzle-based focus of the competition is failing to attract the right kind of potential recruits into the infosec profession. Senior ...

 
Researchers at the Lawrence Livermore National Laboratory are working to revolutionize 3D printing, as well as the way that companies build products ranging from jet engines and satellites to football helmets.
 
Acer reported another net loss at NT$7.6 billion (US$251 million) for the fourth quarter, as senior executives at the struggling PC maker agreed to a 30 percent cut to their salaries.
 
Concern about secret U.S. surveillance programs is fueling the development of another homegrown operating system in China, one that promises to offer a more secure alternative to rival OSes such as Android and Windows.
 
[security bulletin] HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)
 

Posted by InfoSec News on Jan 17

http://www.v3.co.uk/v3-uk/news/2323339/uk-critical-infrastructure-at-risk-from-scada-security-flaw

By Alastair Stevenson
V3.co.uk
16 Jan 2014

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
has called for businesses involved in critical infrastructure to be extra
vigilant as it investigates a potential critical flaw in a commonly used
SCADA system.

ICS-CERT issued the warning in a security advisory after security...
 

Posted by InfoSec News on Jan 17

http://qz.com/167817/someones-refrigerator-just-took-part-in-a-malicious-cyberattack/

By Christopher Mims
Quartz
January 16, 2014

Between December 23 and January 6, more than 100,000 internet-connected
smart "things," including media players, smart televisions and at least
one refrigerator, were part of a network of computers used to send 750,000
spam emails. So says a study just released by enterprise security company
Proofpoint....
 

Posted by InfoSec News on Jan 17

http://www.news.com.au/national/documents-and-plans-relating-to-the-f35-joint-strike-fighter-have-been-recovered-from-shipping-containers-destined-for-iran/story-fncynjr2-1226802342086

NEWS.co.au
JANUARY 15, 2014

THE secret plans for America's - and Australia's - next stealth fighter
have been recovered from boxes labelled "household goods" on their way to
Iran.

It's just the latest scare for the troubled...
 

Posted by InfoSec News on Jan 17

http://www.businessweek.com/articles/2014-01-16/atms-face-deadline-to-upgrade-from-windows-xp

By Nick Summers
Businessweek
January 16, 2014

One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a
few of the features that Wells Fargo (WFC), Bank of America (BAC),
JPMorgan Chase (JPM), and other banks tout as the latest and greatest
features of their fleets of ATMs. It’s hardly stuff to set the heart
racing.

When ATMs were...
 

Posted by InfoSec News on Jan 17

http://www.nytimes.com/2014/01/17/business/breach-at-neiman-marcus-went-undetected-from-july-to-december.html

By Nathaniel Popper
The New York Times
Jan. 16, 2014

The computer network at Neiman Marcus was penetrated by hackers as far
back as July, and the breach was not fully contained until Sunday,
according to people briefed on the investigation.

The company disclosed the data theft of customer information late last
week, saying it first...
 

Posted by InfoSec News on Jan 17

http://www.computing.co.uk/ctg/news/2323357/cyber-security-challenge-ceo-hits-back-at-kpmg-s-lack-of-credible-candidates-claim

By Sooraj Shah
Computing
16 Jan 2014

The CEO of the Cyber Security Challenge, Stephanie Daman, has hit back at
claims that the series of national events designed to encourage talented
professionals to join the UK IT security sector has failed to attract
suitable candidates.

KPMG's UK head of cyber security,...
 

Posted by InfoSec News on Jan 17

http://arstechnica.com/security/2014/01/healthcare-gov-riddled-with-flaws-that-could-expose-user-data-experts-say/

By Dan Goodin
Ars Technica
Jan 16 2014

The federal government's HealthCare.gov website continues to be riddled
with flaws that expose confidential user data to the public, a security
expert testified Thursday at a hearing on Capitol Hill.

David Kennedy, founder of security firm TrustedSec, told members of the
House of...
 

On 9 Jan, Bojan discussed reports of massive RFI scans. One of the repetitive artifacts consistent with almost all the reports we've received lately is that the attackers are attempting to include http://www.google.com/humans.txt. I investigated a hunch, and it turns out this incredibly annoying script kiddie behavior is seemingly due not to bots but to the unfortunate misuse of the beta release of Vega, the free and open source web application scanner from Subgraph.

One of the numerous Vega modules is Remote File Include Checks found in C:\Program Files (x86)\Vega\scripts\scanner\modules\injection\remote-file-include.js.

Of interest in remote-file-include.js:

var module = {
  name: "Remote File Include Checks",
  category: "Injection Modules"
};

// Entry point: only parametric paths (requests carrying parameters) are tested.
function initialize(ctx) {
  var ps = ctx.getPathState();
  if (ps.isParametric()) {
    var injectables = createInjectables(ctx);
    ctx.submitMultipleAlteredRequests(handler, injectables);
  }
}

// Builds the list of values substituted into each parameter: the Google
// humans.txt URL plus several variant spellings of the same URL.
function createInjectables(ctx) {
  var ps = ctx.getPathState();
  var injectables = ["http://www.google.com/humans.txt",
                     "htTp://www.google.com/humans.txt",
                     "hthttpttp://www.google.com/humans.txt",
                     "hthttp://tp://www.google.com/humans.txt",
                     "www.google.com/humans.txt"];
  var ret = [];
  for (var i = 0; i < injectables.length; i++)
    ret.push(injectables[i]);
  return ret;
}

Great, now the kiddies don't even need to figure out how to make RFI Scanner Bot or the VopCrew Multi Scanner work, it's been dumbed down all the way for them!

What steps can you take to prevent and detect possible successful hits?

  • Remember that the likes of Joomla and WordPress, amongst others, are favorite targets.
    • If you're using add-on components/modules, you're still at risk even if you keep these content management systems (CMS) or frameworks (CMF) fully up to date. As always, you're only as strong as your weakest link.
    • Component/module developers are not always as diligent as the platform developers themselves; believe me when I say the Joomla team cares a great deal about the security of their offering.
    • Audit add-on components/modules you have installed, see if there are any open vulnerabilities for them via https://secunia.com/advisories/search, and ensure you're utilizing the most current version.
  • Check your web site directories for any files written during or soon after scans.
    • If the remote file inclusion testing proved successful, the attackers will typically turn right around and drop one or more files.
    • Such files could be TXT, PHP, or JS files, but attackers also like image file extensions and will often drop them in the images directory if the vulnerability permits.
  • Yours truly has been dinged by this issue; you have to remember to keep ALL related code current or kiddies will have their way with you.
  • Check your logs for HTTP 200 (success) responses where the humans.txt file was attempted, particularly where the GET string includes a path specific to your CMS/CMF.
  • Hopefully you see only 404 (not found) responses, but if you do see a 200 it warrants further investigation.
    • 404 example entry: 192.64.114.73 - - [05/Jan/2014:18:16:13 +0800] "GET /A-Blog/navigation/search.php?navigation_end=http://www.google.com/humans.txt? HTTP/1.0" 404 927 "-" "-"
    • 200 example entry: 192.64.114.73 - - [05/Jan/2014:18:29:29 +0800] "GET /configuration.php?absolute_path=http://www.google.com/humans.txt? HTTP/1.0" 200 - "-" "-"
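
As an added example (not part of the diary), here is a small log checker that implements the test above: it parses combined-format access log lines, picks out requests where a parameter carried the humans.txt URL, names that parameter, and escalates any 200 response. The two log entries are the diary's own samples; the third line and the CMS_PATHS list (Joomla's root configuration.php) are constructed for the demonstration.

```python
import re

# Combined-style access log; the diary's samples carry "-" for size, referrer and agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The URL the Vega remote-file-include module injects into every parameter.
RFI_MARKER = "www.google.com/humans.txt"

# Constructed list of platform files where a 200 deserves extra attention;
# /configuration.php is Joomla's root config file, as in the diary's 200 sample.
CMS_PATHS = ("/configuration.php",)

def parse_line(line):
    """Split one access-log line into its fields; returns None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec

def injected_param(query):
    """Name of the query parameter that carried the remote URL, or None."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if RFI_MARKER in value:
            return name
    return None

def rfi_hits(lines):
    """Return every RFI probe seen in the log, marking 200 responses as alerts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        param = injected_param(rec["query"])
        if param is None:
            continue
        # 200: the include may have succeeded, inspect the host; anything else: probe only.
        severity = "alert" if rec["status"] == 200 else "info"
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "param": param,
            "status": rec["status"], "severity": severity,
            "cms_path": rec["path"] in CMS_PATHS,
        })
    return hits

# Sample input: the two entries quoted in the diary plus one constructed benign request.
SAMPLE_LOG = [
    '192.64.114.73 - - [05/Jan/2014:18:16:13 +0800] "GET /A-Blog/navigation/search.php?navigation_end=http://www.google.com/humans.txt? HTTP/1.0" 404 927 "-" "-"',
    '192.64.114.73 - - [05/Jan/2014:18:29:29 +0800] "GET /configuration.php?absolute_path=http://www.google.com/humans.txt? HTTP/1.0" 200 - "-" "-"',
    '203.0.113.7 - - [05/Jan/2014:18:30:02 +0800] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in rfi_hits(SAMPLE_LOG):
        flag = " (CMS file)" if h["cms_path"] else ""
        print(f'{h["severity"].upper():5} {h["ip"]} {h["status"]} {h["path"]} param={h["param"]}{flag}')
```

Run it against your own access log (one line per list element) and treat every "alert" row as a host to check for freshly written files.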

Now that we know it's less likely bot behavior and more likely annoying miscreants, take the opportunity to audit your Internet-facing presence particularly if you use a popular CMS/CMF.

Cheers and feel free to comment or send additional log samples.

Russ McRee | @holisticinfosec