Information Security News
Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.
The critical vulnerability affects all Windows- and Mac-based versions of the official Git client, as well as related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to achieve remote code execution when the client software clones or checks out a booby-trapped Git repository.
"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem."
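The advisory describes tree entries that are distinct from .git byte-for-byte yet land on .git once the filesystem folds case (or ignores certain code points, as HFS+ does, or strips trailing dots and resolves 8.3 short names, as NTFS does). The following is an added example of such a check, not Git's own implementation: it flags path components in a tree listing that would collide with .git on those filesystems. The HFS+ ignorable-code-point set and the GIT~1 short name are assumptions about the filesystems, not statements from the advisory, and the sample tree is constructed.

```python
# Added example: flag tree paths that collide with .git on case-insensitive
# filesystems. Illustrates the check the advisory implies; not Git's code.

# HFS+ ignores these code points when comparing file names (assumption about
# the filesystem, not taken from the advisory).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
HFS_IGNORABLE.update(range(0x202A, 0x202F))   # U+202A..U+202E
HFS_IGNORABLE.update(range(0x206A, 0x2070))   # U+206A..U+206F


def hfs_fold(component: str) -> str:
    """Approximate how HFS+ sees a name: drop ignorable code points, fold case."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).lower()


def ntfs_fold(component: str) -> str:
    """Approximate how NTFS sees a name: trailing dots/spaces vanish, case folds."""
    return component.rstrip(" .").lower()


def is_dotgit_alias(component: str) -> bool:
    """True if this path component would land on .git on HFS+ or NTFS.

    'git~1' is the 8.3 short name NTFS assigns to '.git' (assumption about
    NTFS short-name generation, not from the advisory).
    """
    if component == ".git":
        return True
    if hfs_fold(component) == ".git":
        return True
    return ntfs_fold(component) in (".git", "git~1")


def find_dotgit_collisions(tree_paths):
    """Return every path whose components include a .git look-alike."""
    return [p for p in tree_paths if any(is_dotgit_alias(c) for c in p.split("/"))]


# Constructed sample tree listing (not from any real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/config",                  # case variant: collides on HFS+ and NTFS
    ".git./hooks/post-checkout",    # trailing dot: NTFS drops it
    "tools/GIT~1/config",           # NTFS 8.3 short name for .git
    ".g\u200cit/config",            # zero-width non-joiner: HFS+ ignores it
    ".gitignore",                   # legitimate, must not be flagged
]

if __name__ == "__main__":
    for path in find_dotgit_collisions(SAMPLE_TREE):
        print("refuse:", repr(path))
```

The check is deliberately applied per component, because a collision anywhere in the path (`tools/GIT~1/config`) lets a checkout write into a directory the filesystem resolves to `.git`, not only at the repository root.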
Beyond ACORN: Cracking the infosec skills nut
iT News (blog)
But just as important as overt displays of this new-found infosec focus is building and recognising the skilled professionals that will be critical to our future cyber defences. Last month Minister for Justice Michael Keenan announced a new national ...
More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.
The vulnerability resides in "RomPager" software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send crafted HTTP cookies that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point's malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the "fortune" of an HTTP request by manipulating cookies. They wrote:
If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.
Determining precisely what routers are vulnerable is a vexing undertaking. Devices frequently don't display identifying banners when unauthenticated users access them, and when such banners are presented, they often don't include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around the challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
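The triage problem described above, as an added example that is not Check Point's scanner: it parses a Server banner for a RomPager version, compares it numerically against 4.34, and labels a pre-4.34 version as evidence to verify rather than a confirmed finding, because the article notes that some vendors back-patched the bug without changing the version string. The banner strings and host names are constructed.

```python
import re

# Added example for triaging scan results by Server banner. Not Check Point's
# scanner; the banner strings below are constructed.
ROMPAGER_RE = re.compile(r"\bRomPager/(\d+)\.(\d+)", re.IGNORECASE)
FIRST_FIXED = (4, 34)   # per the article: releases prior to 4.34 carry the bug


def parse_rompager_version(server_header):
    """Return (major, minor) from a Server header, or None if RomPager is absent."""
    m = ROMPAGER_RE.search(server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage_banner(server_header):
    """Version-based verdict plus the caveat the article describes.

    'version-predates-fix' is evidence, not proof: a vendor may have
    back-patched the bug without bumping the RomPager version string.
    """
    version = parse_rompager_version(server_header)
    if version is None:
        return "unknown", "no RomPager version in banner; needs a direct probe"
    if version < FIRST_FIXED:   # tuple compare: (4, 7) < (4, 34), unlike "4.7" vs "4.34"
        return "version-predates-fix", "flag for verification; possible vendor back-patch"
    return "version-at-or-after-fix", "not affected per version string"


# Constructed banners (not captured from real devices).
SAMPLE_BANNERS = {
    "gw-a": "RomPager/4.07 UPnP/1.0",
    "gw-b": "RomPager/4.51 UPnP/1.0",
    "gw-c": "RomPager/4.7",          # minor 7 is older than 34, although "4.7" > "4.34" as strings
    "gw-d": "",                      # no banner at all
    "gw-e": "micro_httpd",           # different embedded server
}


def triage_all(banners):
    """Map host -> verdict label for a batch of banners."""
    return {host: triage_banner(banner)[0] for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage_all(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Comparing versions as integer tuples matters here: a lexical comparison ranks "4.7" above "4.34" and would silently clear a device whose RomPager build predates the fix.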
Sony Pictures Entertainment's (SPE) computer hygiene in the years leading up to last month's hack was breathtakingly sloppy, with the movie studio's CEO regularly being reminded of e-mail, banking, and travel passwords in plaintext e-mails, according to an Associated Press report published Thursday.
Headlined "Sony emails show a studio ripe for hacking," the article is based on a review of more than 32,000 stolen corporate e-mails released on the Internet by people connected to last month's hack of SPE. The e-mails show CEO Michael Lynton repeatedly receiving plaintext passwords in unencrypted e-mails for his and his family's e-mail, banking, travel, and shopping accounts. The unencrypted e-mails were frequently sent by executive assistant David Diamond. Other e-mails included images of passports, driver licenses, and banking statements.
While the catastrophic hack that hit SPE is generating intense scrutiny of the company's security practices, it's widely believed that many if not most corporations and smaller businesses are no better at securing their data. Executives assume that e-mails they send can't be read by anyone other than the intended recipient. Employees have little awareness of how easy it is for the computers and smartphones they use to be compromised, and for those compromises to then spread to corporate networks. The AP quoted security expert Kevin Mitnick as saying, "It's pretty ordinary for CEOs and executive assistants to share confidential information by e-mail. They feel their e-mail is secure and they have nothing to worry about."
This is a guest diary submitted by Brad Duncan.
Nuclear exploit kit (also known as Nuclear Pack) has been around for years. Version 2.0 of Nuclear Pack was reported in 2012. Blogs like malware.dontneedcoffee.com have mentioned version 3.0 of Nuclear Pack in posts during 2013.
This month, Nuclear Pack changed its traffic patterns. The changes are significant enough that I wonder if Nuclear Pack is at version 4. Or is this merely an evolution of version 3, as we've seen throughout 2014? Let's look at the traffic.
In January 2014, traffic from Nuclear Pack was similar to what I'd seen in 2013. Here's an example:
2014 saw Fiesta exploit kit-style URLs from Nuclear Pack. Also, like other exploit kits, Nuclear sent Flash and Silverlight exploits. Here's an example:
The above example has Silverlight, Flash, PDF and IE exploits. In each case, a payload was sent to the vulnerable VM. The traffic consists of two TCP streams.
These patterns are not far off from the beginning of the year. I only saw additional exploits from Nuclear Pack that I hadn't noticed before.
In December 2014, Nuclear Pack moved to a different URL structure. I first noticed this on a pcap from Threatglass.com. Initially, I'd mistaken the traffic for Angler exploit kit.
Since the change in URL patterns, Nuclear Pack is XOR-ing the malware payload. The image below shows an example where one of the payloads is XOR-ed with the ASCII string: DvnQkxI
The change in traffic patterns is fairly significant for Nuclear Pack. I haven't found any reason why the change occurred. Is this merely an evolution, or do these changes indicate a new version of Nuclear Pack?
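An added example of working with the XOR-ed payloads described in this diary; it is not part of Brad Duncan's post or of Nuclear Pack. It goes one step further than the diary by recovering the repeating key from the ciphertext instead of assuming it: Windows executables are dominated by zero bytes in their headers, so the most common ciphertext byte at each key offset is almost always 0x00 XOR that key byte, and a candidate key length is confirmed when the decoded bytes look like a PE file. The payload is a constructed PE-like blob, and the key is the 7-byte ASCII string the diary names.

```python
from collections import Counter

# Added example of recovering a repeating-key XOR payload. Not Nuclear Pack's
# code; SAMPLE_PAYLOAD is a constructed stand-in for a Windows executable and
# OBSERVED_KEY is the ASCII string named in the diary.

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

# Constructed: MZ header, DOS stub, PE signature, and the long zero runs
# that real PE headers contain.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 36
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + DOS_STUB_TEXT + b"\r\n$"
    + b"\x00" * 200
    + b"PE\x00\x00"
    + b"\x00" * 300
)
OBSERVED_KEY = b"DvnQkxI"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, key_len: int, filler: int = 0x00) -> bytes:
    """Guess each key byte from the most common ciphertext byte at that stride.

    PE headers are mostly zero bytes, so the mode at key offset i is almost
    certainly filler ^ key[i] with filler == 0x00.
    """
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0] ^ filler
                 for i in range(key_len))


def looks_like_pe(data: bytes) -> bool:
    """Cheap plaintext oracle: MZ magic plus the standard DOS stub string."""
    return data[:2] == b"MZ" and DOS_STUB_TEXT in data


def brute_force_pe_key(blob: bytes, max_len: int = 32):
    """Try key lengths 1..max_len; return (key, plaintext) on the first PE match."""
    for key_len in range(1, max_len + 1):
        key = recover_key(blob, key_len)
        plain = xor_with_key(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None, None


if __name__ == "__main__":
    wire = xor_with_key(SAMPLE_PAYLOAD, OBSERVED_KEY)   # what the pcap would carry
    key, plain = brute_force_pe_key(wire)
    print("recovered key:", key, "| plaintext magic:", plain[:2])
```

The DOS-stub string is used as the oracle rather than the MZ magic alone, because two matching bytes are easy to hit by accident at a wrong key length, while 39 consecutive correct bytes are not. Packed or stubless payloads would need a different oracle (a zero-heavy region of known layout, or entropy of the decoded output).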
Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net
http://malware-traffic-analysis.net/2014/12/12/index.html
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted by InfoSec News on Dec 18: http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
Posted by InfoSec News on Dec 18: http://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/
Posted by InfoSec News on Dec 18: http://www.wnyc.org/story/cyber-city-military-grade-miniature-town/