Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.

The critical vulnerability affects all Windows- and Mac-based versions of the official Git client and related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to give remote code execution when the client software accesses booby-trapped Git repositories.

"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem."
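As an added example (not part of the advisory), here is a defender-side check written in Python: it scans a tree listing such as the output of `git ls-tree -r --name-only <commit>`, taken on a case-sensitive Linux host, for entries that would resolve to `.git` once checked out on HFS+ or NTFS. The sample tree and the set of HFS+-ignorable code points are assumptions made for the example.

```python
# Added example: flag tree entries that collide with ".git" on a
# case-insensitive filesystem before the tree is checked out there.

# Unicode code points HFS+ drops when comparing file names (assumed subset;
# Git's own HFS+ check carries the authoritative list).
HFS_IGNORABLE = {
    "\u200c", "\u200d", "\u200e", "\u200f",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u206a", "\u206b", "\u206c", "\u206d", "\u206e", "\u206f",
    "\ufeff",
}

def collides_with_dotgit(component: str) -> bool:
    """True if one path component would be treated as ".git" on HFS+ or NTFS.

    HFS+: case-insensitive and ignores the code points listed above.
    NTFS/FAT: case-insensitive, strips trailing dots and spaces, and exposes
    ".git" under the 8.3 short name "GIT~1".
    """
    hfs_name = "".join(ch for ch in component if ch not in HFS_IGNORABLE).lower()
    ntfs_name = component.rstrip(". ").lower()
    return hfs_name == ".git" or ntfs_name in (".git", "git~1")

def suspicious_paths(paths):
    """Return every tree path that contains a colliding component."""
    return [p for p in paths if any(collides_with_dotgit(c) for c in p.split("/"))]

# Constructed sample tree listing (not taken from a real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                 # benign: a different name, not ".git"
    ".GIT/config",                # case collision: lands on .git/config
    ".git\u200c/config",          # zero-width non-joiner ignored by HFS+
    "GIT~1/config",               # NTFS 8.3 short name for .git
    ".git./config",               # NTFS drops the trailing dot
    "vendor/gitlab/config",       # benign
]

if __name__ == "__main__":
    for path in suspicious_paths(SAMPLE_TREE):
        print("would land on .git on a case-insensitive filesystem:", repr(path))
```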


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Beyond ACORN: Cracking the infosec skills nut
iT News (blog)
But just as important as overt displays of this new-found infosec focus is building and recognising the skilled professionals that will be critical to our future cyber defences. Last month Minister for Justice Michael Keenan announced a new national ...


More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in "RomPager" software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookie files that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point's malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the "fortune" of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Determining precisely what routers are vulnerable is a vexing undertaking. Devices frequently don't display identifying banners when unauthenticated users access them, and when such banners are presented, they often don't include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around the challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
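As an added example (not Check Point's tooling), the Python below triages the HTTP `Server` header an administrator already has from an inventory of their own gateways: it parses the RomPager version, compares it numerically against 4.34, and keeps "predates the fix" separate from "vulnerable", since the text above notes that vendor-patched devices may still report an old version. The banner patterns and the sample scan data are constructed assumptions.

```python
import re

# RomPager releases earlier than 4.34 carry the Misfortune Cookie bug.
FIXED_IN = (4, 34)

# Accept both banner spellings embedded web servers are assumed to emit.
BANNER_RE = re.compile(r"(?:Allegro-Software-)?RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def classify_banner(server_header: str) -> str:
    """Triage one HTTP Server header value.

    Returns "no-banner", "not-rompager", "version-fixed" or
    "version-predates-fix". The last is only a lead: a vendor that patched
    the bug without bumping the version number produces the same banner.
    """
    if not server_header or not server_header.strip():
        return "no-banner"          # many gateways show nothing when unauthenticated
    match = BANNER_RE.search(server_header)
    if not match:
        return "not-rompager"
    # Compare as integers: a plain string compare would rank "4.7" above "4.34".
    version = (int(match.group(1)), int(match.group(2)))
    return "version-predates-fix" if version < FIXED_IN else "version-fixed"

def triage(scan_results):
    """Map host -> classification for a dict of captured Server headers."""
    return {host: classify_banner(banner) for host, banner in scan_results.items()}

# Constructed Server header values on documentation addresses; not real scan data.
SAMPLE_SCAN = {
    "192.0.2.10": "RomPager/4.07 UPnP/1.0",
    "192.0.2.11": "Allegro-Software-RomPager/4.34",
    "192.0.2.12": "RomPager/4.51 UPnP/1.0",
    "192.0.2.13": "RomPager/4.7",
    "192.0.2.14": "lighttpd/1.4.28",
    "192.0.2.15": "",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_SCAN).items():
        print(host, verdict)
```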


LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

Sony Pictures Entertainment's (SPE) computer hygiene in the years leading up to last month's hack was breathtakingly sloppy, with the movie studio's CEO regularly being reminded of e-mail, banking, and travel passwords in plaintext e-mails, according to an Associated Press report published Thursday.

Headlined "Sony emails show a studio ripe for hacking," the article is based on a review of more than 32,000 stolen corporate e-mails released on the Internet by people connected to last month's hack of SPE. The e-mails show CEO Michael Lynton repeatedly receiving plaintext passwords in unencrypted e-mails for his and his family's e-mail, banking, travel, and shopping accounts. The unencrypted e-mails were frequently sent by executive assistant David Diamond. Other e-mails included images of passports, driver licenses, and banking statements.

While the catastrophic hack that hit SPE is generating intense scrutiny of the company's security practices, it's widely believed that many if not most corporations and smaller businesses are no better at securing their data. Executives assume that e-mails they send can't be read by anyone other than the intended recipient. Employees have little awareness how easy it is for the computers and smartphones they use to be compromised and for those hacks to then spread to corporate networks. The AP quoted security expert Kevin Mitnick as saying, "It's pretty ordinary for CEOs and executive assistants to share confidential information by e-mail. They feel their e-mail is secure and they have nothing to worry about."


IBM WebSphere Application Server CVE-2014-3021 Unspecified Information Disclosure Vulnerability
iTwitter v0.04 WP Plugin - XSS & CSRF Web Vulnerability

This is a guest diary submitted by Brad Duncan.

Nuclear exploit kit (also known as Nuclear Pack) has been around for years. Version 2.0 of Nuclear Pack was reported in 2012 [1] [2]. Blogs like malware.dontneedcoffee.com have mentioned version 3.0 of Nuclear Pack in posts during 2013 [3] [4].

This month, Nuclear Pack changed its traffic patterns. The changes are significant enough that I wonder if Nuclear Pack is at version 4. Or is this merely an evolution of version 3, as we've seen throughout 2014? Let's look at the traffic.

In January 2014, traffic from Nuclear Pack was similar to what I'd seen in 2013. Here [image omitted]

2014 saw Fiesta exploit kit-style URLs from Nuclear Pack. Also, like other exploit kits, Nuclear sent Flash and Silverlight exploits. Here [image omitted]

The above example has Silverlight, Flash, PDF and IE exploits. In each case, a payload was sent to the vulnerable VM. The traffic consists of two TCP streams. [image omitted]

These patterns are not far off from the beginning of the year. I only saw additional exploits from Nuclear Pack that I hadn't noticed before.

In December 2014, Nuclear Pack moved to a different URL structure. I first noticed this on a pcap from Threatglass.com [7]. Initially, I'd mistaken the traffic for Angler exploit kit. [image omitted]

Here [image omitted]

Since the change in URL patterns, Nuclear Pack is XOR-ing the malware payload. The image below shows an example where one of the payloads is XOR-ed with the ASCII string: DvnQkxI [image omitted]
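As an added example, not from the diary, the Python below shows how an analyst can peel a repeating-key XOR layer like the one above off a captured payload: if the decoded payload is a Windows executable, its DOS header starts with well-known bytes, and XOR-ing those against the first key-length bytes of ciphertext yields the key. The payload is a constructed PE-like stand-in, not a real sample, and the key length of 7 is taken from the string the diary shows.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(encoded: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a key_len-byte repeating XOR key from known plaintext at offset 0.

    Each key byte is ciphertext XOR plaintext at the same position, so the
    first key_len bytes of known plaintext give the whole key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(encoded[:key_len], known_prefix[:key_len]))

def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check that a decoded blob is a Windows executable."""
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data

# Opening bytes of a typical Windows executable's DOS header (known plaintext).
PE_DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"

def decode_payload(encoded: bytes, key_len: int):
    """Strip the XOR layer from a captured payload, assuming it hides a PE.

    Returns (key, decoded_bytes, plausible_pe). A wrong key_len guess gives
    garbage, which the plausibility check rejects.
    """
    key = recover_key(encoded, PE_DOS_HEADER_PREFIX, key_len)
    decoded = xor_bytes(encoded, key)
    return key, decoded, looks_like_pe(decoded)

# Constructed stand-in for a captured payload: a PE-like header plus the DOS
# stub string, XOR-ed with the key from the diary. Not a real malware sample.
SAMPLE_PAYLOAD = (PE_DOS_HEADER_PREFIX + b"\x04\x00\x00\x00\xff\xff\x00\x00"
                  + b"\x00" * 48 + b"This program cannot be run in DOS mode.\r\n$")
ENCODED_SAMPLE = xor_bytes(SAMPLE_PAYLOAD, b"DvnQkxI")

if __name__ == "__main__":
    key, decoded, ok = decode_payload(ENCODED_SAMPLE, key_len=7)
    print("recovered key:", key, "looks like PE:", ok)
```

When the key length is unknown, call decode_payload for each candidate length and keep the one whose result passes the plausibility check.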

The change in traffic patterns is fairly significant for Nuclear Pack. I haven't found any reason why the change occurred. Is this merely an evolution, or do these changes indicate a new version of Nuclear Pack?


Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net


[1] http://blog.spiderlabs.com/2012/04/a-new-neighbor-in-town-the-nuclear-pack-v20-exploit-kit.html
[2] http://www.webroot.com/blog/2012/10/31/nuclear-exploit-pack-goes-2-0/
[3] http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html
[4] http://3.bp.blogspot.com/-iqXmOKC5Zgk/UieYOEA8jPI/AAAAAAAAA_c/nlX2cgxhyZo/s1600/screenshot_2013-09-04_020.png
[5] http://malware-traffic-analysis.net/2014/01/24/index.html
[6] http://malware-traffic-analysis.net/2014/09/29/index.html
[7] http://threatglass.com/malicious_urls/firstliving-org
[8] http://malware-traffic-analysis.net/2014/12/12/index.html

Facebook Bug Bounty #16 (Studio) - Persistent Vulnerability
E-Journal CMS (ID) - Multiple Web Vulnerabilities
Apple iOS v8.x - Message Context & Privacy Vulnerability

Posted by InfoSec News on Dec 18


By Kieren McCarthy
The Register
17 Dec 2014

Domain-name overseer ICANN has been hacked and its DNS zone database
compromised, the organization has said.

Attackers sent staff spoofed emails appearing to come from icann.org.
The organization notes it was a "spear phishing" attack, suggesting
employees clicked on a link in the messages that took them...

Posted by InfoSec News on Dec 18


By Marc Rogers

Everyone seems to be eager to pin the blame for the Sony hack on North
Korea. However, I think it’s unlikely. Here’s why: 1. The broken English
looks deliberately bad and doesn’t exhibit any of the classic
comprehension mistakes you actually expect to see in “Konglish”, i.e. it
reads to me like an English speaker...

Posted by InfoSec News on Dec 18


By Eric Molinsky
December 17, 2014

Somewhere hidden in the sleepy suburbs of New Jersey, there is a very
small town. This all-American village boasts good public transit, its own
reservoir, a coffee shop, a church, a bank... you name it. Their
international airport rarely has delays.

Where is this idyllic hideaway? That's a military secret.

CyberCity, as...
MantisBT XmlImportExport Plugin 'ImportXml.php' Arbitrary PHP Code Execution Vulnerability
MantisBT XmlImportExport Plugin CVE-2014-8598 Multiple Security Bypass Vulnerabilities
QEMU 'arch_init.c' Local Memory Corruption Vulnerability
GNU glibc 'getanswer_r()' Function Infinite Loop Denial of Service Vulnerability