Hackin9
 
Can blog spam be of any real use to security teams? Here’s my take on turning a piece of what some consider internet background noise into information ripe for becoming actionable intelligence.
 
I get waves of blog spam – comments posted to a blog site advertising someone else’s wares (including links to malware!), services, or attempts to increase search engine rankings – to my small corner of the internet at infrequent intervals. To many of my fellow blog owners this is a source of constant annoyance, but I get a little, gleeful smile and promptly dump the user agent [1], body text (extracting any embedded URLs), and posting IP address into my pile of “all things to observe and search on”.
 
Once carefully added into my speed-optimized database*, I then sort it, note the duplicate posts and do some passive look-ups on free resources, such as the Internet Storm Center (ISC) IP lookup tables [2], to see if the address is known or has been reported as malicious. I then pipe the IP address, domains and URLs into a local copy of the Collective Intelligence Framework (CIF), even if the passive searching didn’t yield any information, to see if anyone else has run into it. For those unfamiliar with CIF, fellow Handler Russ McRee did a nice write-up on the basics [3] of the Collective Intelligence Framework (CIF) by Wes Young [4]. CIF pools data from numerous sources and can quickly help identify if any of the collected data points to botnets, infected systems, malware hosts, etc. All of which is a huge informational leap up from an annoying automated posting with an IP address and URL.
 
With the results from those searches completed, I can then compare them back to historical data or logs from other sources (firewalls, proxy logs or spam filters [5]). All of this is automated via some ‘internet researched’ code - poorly shunted together by yours truly. After any matches and final results are spat out, I can then decide whether to add the IP address, net block, user agent or URL to a block or monitor list. I’m not a fan of trusting my scripts or intelligence feeds to be accurate enough for automatically blocking IP ranges, but I don’t worry so much about pushing alerted URLs into the Suspicious category on the web proxy system. I’ve found my human web surfing anomaly detection systems are really good at ringing up and moaning if we, that’s the Royal We (meaning me), accidentally block Google.
 
If you want to go visually to town with the data, pop the resolved spamming IP addresses into a geo-IP lookup – the ISC has a page to help with that [6] – and show friends, family or the management where the bad IP addresses live. Who says the whole family can't enjoy an evening of PowerPoint together, listing the towns, cities and countries that spam your blog sites? Surely that beats watching re-runs of some random TV show?
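The collect, dedupe, enrich and correlate steps above, as an added example in Python; this is not the diary author's script. The spam comments, the reputation answers (standing in for ISC and CIF results) and the proxy/firewall log lines are all constructed for the demo so it runs offline; a real run would query those services and read your own logs. Note the decision logic follows the diary's stance: IPs only ever get "monitor", and a URL is promoted to the proxy's Suspicious category only when a feed flags its domain and it has also been seen in local logs.

```python
"""Turn blog-spam comments into review-ready indicators.

Added example (not the diary author's own scripts). All comments, log lines
and reputation answers below are constructed for the demo; a real run would
query ISC/CIF and read your own firewall/proxy logs instead.
"""
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

# Constructed spam comments: what a blog's moderation queue hands you.
SPAM_COMMENTS = [
    {"ip": "198.51.100.23", "user_agent": "Mozilla/5.0 (compatible; SpamBot/1.1)",
     "body": "Great post! Cheap watches at http://shop.example-spam.test/buy?id=7"},
    {"ip": "198.51.100.23", "user_agent": "Mozilla/5.0 (compatible; SpamBot/1.1)",
     "body": "Great post! Cheap watches at http://shop.example-spam.test/buy?id=7"},
    {"ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/22.0",
     "body": "See http://dl.badhost.test/update.exe and https://www.example.org/"},
]

# Constructed stand-in for ISC/CIF answers, keyed by IP address or domain.
REPUTATION = {
    "198.51.100.23": "reported as spam source",
    "dl.badhost.test": "malware hosting",
}

# Constructed proxy/firewall log lines from the defender's own environment.
LOG_LINES = [
    "2013-07-17T09:12:01Z proxy GET http://dl.badhost.test/update.exe user=alice status=200",
    "2013-07-17T09:40:18Z fw ACCEPT src=198.51.100.23 dst=192.0.2.10 dport=80",
    "2013-07-17T10:01:44Z proxy GET https://www.example.org/ user=bob status=200",
]


def extract_urls(body):
    """Return the URLs embedded in a comment body."""
    return URL_RE.findall(body)


def domain_of(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def dedupe(comments):
    """Collapse identical posts; return (unique_comments, count_per_body)."""
    counts = Counter(c["body"] for c in comments)
    seen, unique = set(), []
    for c in comments:
        if c["body"] not in seen:
            seen.add(c["body"])
            unique.append(c)
    return unique, counts


def indicators(comments):
    """Gather IPs, user agents, URLs and domains from deduplicated comments."""
    unique, counts = dedupe(comments)
    urls = {u for c in unique for u in extract_urls(c["body"])}
    return {
        "ips": {c["ip"] for c in unique},
        "user_agents": {c["user_agent"] for c in unique},
        "urls": urls,
        "domains": {domain_of(u) for u in urls},
        "repeat_posts": {b: n for b, n in counts.items() if n > 1},
    }


def correlate(ind, reputation, log_lines):
    """Join indicators with reputation answers and local log sightings.

    Recommended actions: 'monitor' for IPs (never an automatic block),
    'suspicious' for URLs flagged by a feed AND seen in our own logs,
    'monitor' for URLs flagged by a feed only, 'none' otherwise."""
    actions = {}
    for ip in ind["ips"]:
        hits = [line for line in log_lines if f"src={ip}" in line]
        rep = reputation.get(ip)
        actions[ip] = {"reputation": rep, "log_hits": len(hits),
                       "action": "monitor" if (rep or hits) else "none"}
    for url in ind["urls"]:
        hits = [line for line in log_lines if url in line]
        rep = reputation.get(domain_of(url))
        if rep and hits:
            action = "suspicious"
        elif rep:
            action = "monitor"
        else:
            action = "none"
        actions[url] = {"reputation": rep, "log_hits": len(hits), "action": action}
    return actions


if __name__ == "__main__":
    found = indicators(SPAM_COMMENTS)
    print("repeat posts:", found["repeat_posts"])
    for indicator, verdict in correlate(found, REPUTATION, LOG_LINES).items():
        print(indicator, verdict)
```

The output is a table of indicator, feed verdict, local sighting count and a recommended action, which is exactly the point at which a human (rather than the script) decides what goes on the block or monitor list.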
 
All this possible intelligence from humble blog spam, so what could you do with that data?
   
As ever, feel free to pitch in any thoughts or comments.
 
 
 
*It’s not a text file – well, not any more …
 
[1] http://www.useragentstring.com/
[2] https://isc.sans.edu/ipinfo.html
[3] http://holisticinfosec.blogspot.com.au/2012/07/toolsmith-collective-intelligence.html
[4] https://code.google.com/p/collective-intelligence-framework/
[5] https://isc.sans.edu/diary/Can+users'+phish+emails+be+a+security+admin's+catch+of+the+day%3F/14578
[6] https://isc.sans.edu/tools/whereis.html

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Network Solutions said Wednesday it has restored services after a distributed denial-of-service (DDoS) attack knocked some websites it hosts offline for a few hours.
 
Upcoming Atom chips from Intel will appear in tablets priced as low as US$150, the company's CEO said Wednesday, vowing that Intel will not get caught flat footed again by "the next big thing."
 
A rebound for IBM failed to materialize in the second quarter, as profit and sales declined along with a slump in revenue from hardware and services.
 
The move to a BYOD workplace means an employee's work life and personal life coexist on a single device. As employees are asked to sign strict user policies, are they also signing away their right to privacy? Here's a look at what a company can and cannot see on personal devices.
 

New Service Turns Facebook Photos Into Products Without Your Friend's Consent
PetaPixel
Want to turn your friend's Facebook photograph into a mug to sip your morning coffee from? A new service called Photos At My Door can help you do that. It's an app that can access any of your Facebook friends' public photographs and turn them into ...

 
Cisco Unified Communications Manager CVE-2013-3412 SQL Injection Vulnerability
 
Multiple OpenStack Products CVE-2013-1665 XML External Entity Information Disclosure Vulnerability
 
[SECURITY] [DSA 2723-1] php5 security update
 
Re: Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units
 
[security bulletin] HPSBHF02888 rev.2 - HP Network Products including H3C and 3COM Routers and Switches, Remote Information Disclosure and Code Execution
 
 
Yahoo has bought ad tech startup Admovate to grow its mobile advertising sales and provide a stronger channel for personalized display advertising.
 
The U.S. National Security Agency and Department of Justice exceeded their legal authority to conduct surveillance when collecting the telephone records of millions of U.S. residents, several U.S. lawmakers said Wednesday.
 
The federal government is making one of the most powerful supercomputers in its computing arsenal available to any U.S. businesses that can help make the country more competitive.
 
Intel reported another drop in profits for the second quarter and narrowed its sales outlook for the full year, as the declining PC market continues to eat away at its business.
 
SAP is set to release its second-quarter results on Thursday, and as usual market watchers will be paying close attention given the vendor's bellwether status within the enterprise software market.
 
Oracle Java SE CVE-2013-3744 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-2400 Remote Security Vulnerability
 
Re: Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units
 
The two biggest mobile operators in the U.S. are fiercely competitive and closely matched in size. So will AT&T's proposed multibillion-dollar acquisition of Leap Wireless change the balance?
 
Lenovo has discontinued sales of the Yoga 11 convertible with Windows RT on its website, which analysts said was a sign of PC makers moving away from their commitment to the struggling OS.
 
A banner ad from a malware marketplace for a "binder" kit for the Androrat remote administration tool.
Symantec

Remote access tools have long been a major part of targeted hacker attacks on individuals and corporate networks. RATs have been used for everything from hacking the e-mail boxes of New York Times reporters to capturing video and audio of victims over their webcams. Recently, wireless broadband and the power of smartphones and tablets have extended hackers’ reach beyond the desktop. In a blog post yesterday, Symantec Senior Software Engineer Andrea Lelli described the rise of an underground market for malware tools based on Androrat, a remote administration tool that can give an attacker complete control over devices running the Android OS.

Androrat was published on GitHub in November 2012 as an open source tool for remote administration of Android devices. Packaged as a standard Android application (in an APK file), Androrat can be installed as a service on the device that launches at start-up or as a standard “activity” application. Once it’s installed, the user doesn’t need to interact with the application at all—it can be activated remotely by an SMS message or a call from a specific phone number.

The app can grab call logs, contact data, and all SMS messages on the device, as well as capture messages as they come in. It can provide live monitoring of call activity, take pictures with the phone’s camera, and stream audio from the phone’s microphone back to its server. It can also post “toasts” (application messages) on the screen, place phone calls, send text messages, and open websites in the phone’s browser. If it is launched as an application (or “activity”), it can even stream video from the camera back to the server.


    


 

Why Crowdstrike's focus on attackers and active defense polarizes infosec pros
PandoDaily (blog)
I've been writing this story forever it seems, trying to arrive at a reasonable version of the truth. I've been sworn to secrecy, and have had so many off-the-record conversations I'm tempted to just leave part of this page blank as a symbolic ...

 

Without Def Con, the Feds Have a Hacker Recruitment Problem
Motherboard (blog)
... this year's conference, a move that will effectively deprive federal law enforcement and intelligence agencies of prime recruiting opportunities among the conference's 15,000+ talent pool of hackers, cyber security researchers, and corporate ...

 
As you may (or may not) have noticed, the print version of the Cool Tools column is no more. The main reason (about 100%, really) is that the print version of Network World is gone, and it's tough to have a column in a print product that no longer exists.
 
Making the move from the military to a corporate IT leadership role can be difficult. Don't make it harder on yourself by showcasing the wrong skills.
 
Starting at around 8.30 a.m. ET Thursday, dozens of major Wall Street firms will come under a series of simulated cyberattacks aimed at crippling financial services networks around the country.
 
Manhattan is one of the best locations in the U.S. for data center network connectivity, but it is also an increasingly risky location because of flooding. That didn't stop Telx from opening a third facility there.
 
On by default on most newer Android devices, Google's Android backup stores your personal details in plaintext.

If you’re using Google’s “back up my data” feature for Android, the passwords to the Wi-Fi networks you access from your smartphone or tablet are available in plaintext to anyone with access to the data. And as a bug report submitted by an employee of the Electronic Frontier Foundation (EFF) on July 12 suggests, that leaves them wide open to harvesting by agencies like the NSA or the FBI.

“The ‘Back up my data’ option in Android is very convenient,” wrote Micah Lee, staff technologist at the EFF. “However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.”

The Backup Manager app stores Android device settings in Google’s cloud, associated with the user account paired with the device; the Backup Manager interface is part of the core Android application API as well, so it can be used by other Android apps. Backup is turned on by default for Nexus devices and can push data such as MMS and SMS messages, browser bookmarks, call logs, and system settings—including Wi-Fi passwords—to Google’s cloud for retrieval in the event that a device is broken, lost, or stolen.


    


 
RETIRED: Oracle July 2013 Critical Patch Update Multiple Vulnerabilities
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Intrusion Prevention System Software
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Manager
 
By this fall, Apple and Microsoft will have followed in the footsteps of Google to automatically update apps on their mobile and desktop platforms, another move to take security out of users' hands.
 
Several smartphone launches are imminent, including next Tuesday's Verizon Wireless event in New York City to unveil what the carrier's calling "the next generation of one of their most popular family of devices."
 
Libxml2 Entities Expansion CVE-2013-0339 Denial of Service Vulnerability
 
Salesforce.com is hoping customers will tap more pieces of its growing cloud software portfolio with a new product, Sales Performance Accelerator, that combines its CRM software with its Work.com performance management application as well as customer lead information from Data.com.
 

Network Solutions appears to be experiencing an extended outage. A note posted to Facebook indicates that the outage may be related to a larger compromise of customer sites.

"Network Solutions is experiencing a Distributed Denial of Service (DDOS) attack that is impacting our customers as well as the Network Solutions site. Our technology team is working to mitigate the situation. Please check back for updates."

The referenced blog website is currently responding slowly as well (it redirects to a networksolutions.com site, which may be affected by the overall outage of "networksolutions.com"). After a couple of minutes, the blog post loaded for me, and it is more or less a copy of the Facebook post above:

"On July 15, some Network Solutions customer sites were compromised. We are investigating the cause of this situation, but our immediate priority is restoring the sites as quickly as possible. If your site has been impacted and you have questions, please call us at 1-866-391-4357."

Various web sites hosting DNS with Network Solutions appear to be down as well as a result. The outage appears to be diminishing over the last 15-30 min or so (4pm GMT) with some affected sites returning back to normal.

This outage comes about 3-4 weeks after the bad DDoS mitigation incident that redirected a large number of Network Solution Hosted sites to an IP in Korea. (see http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/ )

Network Solutions' Facebook page: https://www.facebook.com/networksolutions

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
ESA-2013-055: EMC Avamar Multiple Vulnerabilities
 
[slackware-security] php (SSA:2013-197-01)
 
Linux Kernel CVE-2013-4125 Remote Denial of Service Vulnerability
 
XSS Vulnerabilities in OpenCms
 
As SAP invests heavily in mobile, a security testing company will release a tool next month to ensure mobile-accessible SAP systems are not vulnerable to hackers.
 
Europe's competition chief confirmed Wednesday that he has written to Eric Schmidt to ask for better assurances from Google in an ongoing antitrust investigation.
 
The Apache Software Foundation has released Struts 2.3.15.1, a security update for its popular Java Web application development framework that addresses two vulnerabilities, including a critical one that could allow remote attackers to execute arbitrary code on the server.
 
Project management experts discuss sure-fire ways to delay or derail a project and--more importantly--how you can avoid these common project management pitfalls.
 
HP Network Node Manager I CVE-2013-2351 Unspecified Unauthorized Access Vulnerability
 
ReadyMedia Multiple SQL Injection Vulnerabilities
 
Tumblr, the blogging site recently acquired by Yahoo, has released a security update for its iPhone and iPad apps that it said addresses an issue that allowed passwords to be compromised in certain circumstances.
 
More fixes are appearing for a pair of highly dangerous vulnerabilities exposed earlier this month in the Android mobile operating system.
 
We compared hosted virtual desktop infrastructure (VDI) products from Microsoft, Citrix, VMware, Oracle and Ericom and came to many conclusions, but the most important one is this: Setting up hosted desktop sessions in a BYOD world is a complex undertaking.
 
China's Internet populace grew to 591 million by the end of June, as more new users in the country relied on handsets to go online, according to a non-profit research group.
 
Microsoft must be ready to accept, as has Apple, that it's better to cannibalize its own sales than to let competitors do it.
 
Drupal Hatch Theme Cross Site Scripting Vulnerability
 
Drupal Stage File Proxy Module Denial Of Service Vulnerability
 
Drupal TinyBox Module Cross Site Scripting Vulnerability
 
AT&T's Next smartphone and tablet upgrade and no-contract plan, competes with a similar plan called Jump! from T-Mobile and another expected soon from Verizon Wireless.
 
After a year with Marissa Mayer at the helm, Yahoo is no longer seen as a 'dead company walking,' according to one analyst.
 
Microsoft Windows TrueType Font CVE-2013-3129 Remote Code Execution Vulnerability
 

Posted by InfoSec News on Jul 17

https://www.computerworld.com/s/article/9240843/Oracle_39_s_July_patch_release_includes_27_fixes_for_remote_exploits

By Jeremy Kirk
IDG News Service
July 16, 2013

Oracle said on Tuesday that its monthly round of patches for July includes
89 fixes, 27 of which address remotely exploitable vulnerabilities in four
widely used products.

The most serious, remotely exploitable vulnerabilities affect the Oracle
Database, its Fusion Middleware, the...
 

Posted by InfoSec News on Jul 17

http://www.seattlepi.com/technology/businessinsider/article/Cyber-Expert-We-ve-Remotely-Spied-Through-The-4668683.php

By Geoffrey Ingersoll
Business Insider
July 16, 2013

Remotely taking control of someone's computer is not an unheard of hacker
exploit, but this claim about remotely controlling a Chinese hacker's
webcam is just crazy.

It starts with something called "attribution."

Attribution — finding the identity of...
 

Posted by InfoSec News on Jul 17

http://news.techworld.com/security/3457878/ddos-attacks-hit-one-in-five-uk-businesses-in-2012/

By John E Dunn
Techworld
16 July 2013

One in five UK businesses experienced a DDoS attack at some point during
2012, a survey by analytics firm Neustar has discovered, a percentage
still significantly lower than that experienced by their US equivalents.

Overall, 22 percent of the 381 organisations participating in the annual
trends study reported...
 
Oracle Java SE CVE-2013-2459 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-2450 Remote Security Vulnerability
 