InfoSec News

Microsoft will unveil new features next week to enhance the Bing search engine's capabilities to search for entertainment-related content, specifically in areas such as music, television, movies and online games.
 
User frustration ran high in IT news this week. People cursed Apple and AT&T after both companies' Web sites crashed from the crush of iPhone 4 pre-orders. Twitter users were miffed at the social media site's ongoing service outages, which the company has been grappling with since the start of the month. Broadband providers were also angry this week, but their ire was directed at the U.S. federal government for taking the first step to implementing network neutrality. Finally, if the amount of radiation your cell phone emits is a concern, San Francisco could be the city for you.
 
The Federal Communications Commission Spectrum Task Force laid out preliminary ideas on Friday for making frequencies now used for satellite services available for conventional mobile broadband.
 
Apple recently released a redesigned version of its entry-level desktop computer, the Mac mini. Macworld's own Dan Frakes gave us his initial hands-on impressions as well as a photo tour of the $699 desktop computer. And though the biggest changes may be external, there are a few under-the-hood improvements that helped boost the system's performance in our Speedmark 6 test suite.
 

Malware is a cloud-scale problem
ZDNet (blog)
My quest at the time led to an interview during London's InfoSec show with Gerhard Eschelbeck, CTO of anti-malware vendor Webroot, and previously one of the ...

 

A Cynic's guide to Infosec Consultancy
CIO
So you want to be an infosec consultant? If you're like most guys, it's better you consider a career in risk management or audit. Or maybe you've already got ...

 
Venture capitalists focused on Latin America's technology market say the region offers a much better investment climate than in years past in the Internet market, with opportunities both in consumer and enterprise segments.
 
Oracle has brought in the big guns to assist in its intellectual-property lawsuit against rival applications vendor SAP, hiring attorney David Boies, well-known for his high-profile role prosecuting the U.S. government's landmark antitrust case against Microsoft.
 
Dell's Vostro 3300 inherits its svelte design and thin aesthetic from the original Dell Adamo design, though the 3300 isn't quite as skinny or light as the Adamo. Even so, Dell's new small-business laptop offers a combination of hardware and support options well tuned to its target market. With Dell's current discounts, the Vostro 3300 starts at $599 (as of 6/18/10).
 
Based on an analysis of the logs from my SSH honeypot, it appears that this latest spate of SSH brute force attacks is using keyboard-interactive authentication rather than standard password authentication.



2010-05-21 19:29:11+0000 203.185.xxx.xxx trying auth password
2010-05-23 19:31:57+0000 200.175.xxx.xxx trying auth password
2010-05-25 01:02:57+0000 122.155.xxx.xxx trying auth password
2010-05-25 01:09:06+0000 75.156.xxx.xxx trying auth none
2010-05-25 01:09:07+0000 75.156.xxx.xxx trying auth password
2010-05-25 05:08:07+0000 68.40.xxx.xxx trying auth password
2010-05-29 14:39:51+0000 122.226.xxx.xxx trying auth password
2010-06-02 06:27:31+0000 217.25.xxx.xxx trying auth password
2010-06-03 11:32:22+0000 62.83.xxx.xxx trying auth none
2010-06-03 11:32:24+0000 62.83.xxx.xxx trying auth password
2010-06-11 08:44:52+0000 222.173.xxx.xxx trying auth password
2010-06-11 15:42:46+0000 220.163.xxx.xxx trying auth password
2010-06-13 22:14:15+0000 67.228.xxx.xxx trying auth password
2010-06-15 01:21:39+0000 211.254.xxx.xxx trying auth password
2010-06-15 02:09:01+0000 202.98.xxx.xxx trying auth password
2010-06-15 19:53:49+0000 89.128.xxx.xxx trying auth none
2010-06-15 19:53:51+0000 89.128.xxx.xxx trying auth password
2010-06-15 20:10:45+0000 89.133.xxx.xxx trying auth password
2010-06-16 18:20:54+0000 165.98.xxx.xxx trying auth keyboard-interactive
2010-06-16 18:33:35+0000 64.122.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:05:53+0000 59.124.xxx.xxx trying auth password
2010-06-16 19:06:47+0000 220.73.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:28:54+0000 219.159.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:47:52+0000 80.94.xxx.xxx trying auth keyboard-interactive
2010-06-16 19:57:57+0000 203.15.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:18:00+0000 119.161.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:27:40+0000 82.91.xxx.xxx trying auth keyboard-interactive
2010-06-16 20:47:02+0000 190.12.xxx.xxx trying auth keyboard-interactive
2010-06-16 21:27:00+0000 200.40.xxx.xxx trying auth keyboard-interactive
2010-06-17 16:59:36+0000 210.82.xxx.xxx trying auth password



Understand: if you have disabled password authentication in your sshd_config by uncommenting and setting the line:

PasswordAuthentication no

that *WILL NOT* protect you against this latest round of attacks.

In order to disable keyboard-interactive logins, you must also uncomment and set the line:

ChallengeResponseAuthentication no

NOTE: DO NOT DO THIS unless you understand what you're doing and know that it will not break anything (I don't want a bunch of emails saying I got in trouble because I did what Liston said...)

To test whether your server is configured correctly, log in using the command line version of ssh with the -v option. That will spit out a whole bunch of debugging information. The important line is this:

debug1: Authentications that can continue: publickey,password,keyboard-interactive

If you see something like that, then you're not only vulnerable to standard password brute force attacks, but to this newer keyboard-interactive attack as well.
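The two checks above (the sshd_config directives and the "Authentications that can continue" line from ssh -v) as a small audit script. This is an added example, not part of the diary; it runs on constructed sample files, assumes a config without Match blocks, and the thresholds and file names are its own.

```shell
#!/bin/sh
# Added example, not from the ISC diary: audit an sshd_config for the two
# directives the diary names and parse the "Authentications that can
# continue" line of saved `ssh -v` output. Runs offline on constructed
# samples. Assumption: no Match blocks (they can re-enable methods).

# Effective value of an sshd_config keyword. sshd takes the FIRST
# uncommented occurrence; a missing keyword means the default, and both
# directives checked below default to "yes".
sshd_setting() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${_val:-yes}"
}

# Which interactive methods a config still leaves on: "password",
# "keyboard-interactive", both (comma separated) or "none".
# ChallengeResponseAuthentication is the 2010-era name; OpenSSH 8.7 and
# later call it KbdInteractiveAuthentication and accept either spelling.
enabled_interactive_auth() {
    _pw=$(sshd_setting "$1" PasswordAuthentication)
    _kbd=$(sshd_setting "$1" ChallengeResponseAuthentication)
    _out=""
    [ "$_pw" = "no" ]  || _out="password"
    [ "$_kbd" = "no" ] || _out="${_out:+$_out,}keyboard-interactive"
    printf '%s\n' "${_out:-none}"
}

# Methods the server advertised, taken from saved `ssh -v` output.
advertised_auth() {
    sed -n 's/^debug1: Authentications that can continue: //p' "$1" | head -n 1
}

# True when the advertised list contains the given method.
offers_method() {
    advertised_auth "$1" | tr ',' '\n' | grep -qx "$2"
}

# Constructed sample: password auth off, but the challenge-response line
# still commented out, which is exactly the gap the diary warns about.
HALF_FIXED=$(mktemp); FIXED=$(mktemp); DEBUG=$(mktemp)
trap 'rm -f "$HALF_FIXED" "$FIXED" "$DEBUG"' EXIT
cat > "$HALF_FIXED" <<'EOF'
Port 22
PasswordAuthentication no
#ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$FIXED" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
# Constructed `ssh -v` excerpt containing the line the diary points to.
cat > "$DEBUG" <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
EOF

echo "half-fixed config leaves: $(enabled_interactive_auth "$HALF_FIXED")"
echo "fixed config leaves:      $(enabled_interactive_auth "$FIXED")"
offers_method "$DEBUG" keyboard-interactive && echo "server still offers keyboard-interactive"
```

Point it at a real server by saving `ssh -v user@host exit 2>&1` to a file and passing that file to offers_method; the half-fixed sample reports keyboard-interactive as still enabled.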



Tom Liston

Handler - SANS Internet Storm Center

Senior Security Analyst - InGuardians, Inc. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Ten months after it debuted rudimentary malware scanning in Snow Leopard, Apple this week quietly added a signature for a third piece of malware, security researchers reported.
 
Mark Gibbs checks out a device that puts all of Wikipedia (the text portion at least) in your pocket.
 
So I'm testing this super-cool Lenovo system that would make a perfect media center for the den. It's an all-in-one, meaning there's no bulky tower--just a screen, a base, and a wireless keyboard and mouse.
 
Oracle's updated business process management software includes social networking, greater integration, exec says
 
The Samsung Captivate, an Android 2.1 smartphone, will go on sale through AT&T later this year. It will feature a 4-in. Super AMOLED touchscreen display and a 1-GHz processor that may help make it a viable competitor to the iPhone.
 
New York Attorney General Andrew Cuomo has created a database aimed at keeping child pornography off of social networking sites like Facebook and Myspace.
 
The new version of WordPress includes useful new features for both single-site bloggers and organizational admins.
 
 
Verizon may follow in AT&T's footsteps and introduce tiered, limited data plans this year, Businessweek reports.
 
Evolutionary IT's Joseph Guarino explains how to achieve network security the open way (Third in a series on open-source security solutions)
 
Wi-Fi traffic intercepted by Google's Street View cars included passwords and e-mail, according to the French National Commission on Computing and Liberty (CNIL).
 
OCZ today announced it is selling two new series of 1.8-in solid state drives, targeted at netbook and ultra-thin notebook owners.
 
 
SSH brute force attempts seem to be on the rise again; at the SANS Internet Storm Center we have received a number of reports of networks seeing them. The source IP address changes with each new username tried from the wordlist, which indicates that the attempts are distributed through one or more botnets. It only takes a single user with a weak password for a breach to occur, and with that foothold, privilege escalation and further attacks are likely to follow. This is certainly not a new phenomenon, but I think it is a good time to raise awareness about it once again.



Reader xemaps wrote in with this log snippet:



All day my server has been targeted by a botnet; the attacker also changed IP for each new dictionary user.



Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x



Reader Ingvar wrote in with a similar pattern:



On my home system I have seen these login attempts that start with user aaa and go on alphabetically, from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day.



Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x



Last year ISC Handler Rick wrote up a diary for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:

Deploy the SSH server on a port other than 22/TCP
Deploy one of the SSH brute force prevention tools
Disallow remote root logins
Set PasswordAuthentication to no and use keys
If you must use passwords, ensure that they are all complex
Use AllowGroups to limit access to a specific group of users
Use a chroot jail for SSH if possible
Limit the IP ranges that can connect to SSH
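The pattern both readers describe (a different source IP for every dictionary username, usernames walking the wordlist in order) defeats per-IP lockout tools, so it is worth detecting on its own. The script below is an added example, not part of the diary: it parses both sshd log formats quoted above, runs on constructed log lines with documentation addresses in place of the readers' masked IPs, and its thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from the ISC diary: flag the distributed pattern the
# two readers describe (a fresh source IP for each dictionary username,
# usernames walking the wordlist alphabetically) in sshd log lines.
# Input is a constructed excerpt in both log formats quoted above, using
# documentation addresses in place of the readers' masked IPs.

# Extract "user ip" pairs from either sshd message form:
#   "Invalid user NAME from IP"  and
#   "error: PAM: authentication error for illegal user NAME from IP"
user_ip_pairs() {
    sed -n -E 's/.*(Invalid|illegal) user ([^ ]+) from ([^ ]+).*/\2 \3/p' "$1"
}

# Prints "attempts users ips ordered", where ordered=1 means every
# username sorted at or after the previous one (dictionary order).
brute_force_stats() {
    user_ip_pairs "$1" | awk '
        BEGIN { ordered = 1 }
        { n++; users[$1]++; ips[$2]++
          if (NR > 1 && ($1 "") < (prev "")) ordered = 0
          prev = $1 }
        END { nu = 0; for (u in users) nu++
              ni = 0; for (i in ips) ni++
              printf "%d %d %d %d\n", n, nu, ni, ordered }'
}

# Verdict. A distributed dictionary run uses a new IP for (almost) every
# attempt, so per-IP counters such as DenyHosts never trip on it. The
# thresholds (5 attempts, distinct IPs >= 80% of attempts) are assumed.
classify_attack() {
    set -- $(brute_force_stats "$1")
    _n=$1; _ni=$3; _ordered=$4
    if [ "$_n" -ge 5 ] && [ $((_ni * 100)) -ge $((_n * 80)) ]; then
        if [ "$_ordered" -eq 1 ]; then echo distributed-dictionary
        else echo distributed; fi
    elif [ "$_n" -ge 5 ] && [ "$_ni" -eq 1 ]; then
        echo single-source
    else
        echo background
    fi
}

# Constructed logs: one botnet-style run, one classic single-source run.
BOTNET=$(mktemp); SINGLE=$(mktemp)
trap 'rm -f "$BOTNET" "$SINGLE"' EXIT
cat > "$BOTNET" <<'EOF'
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 192.0.2.10
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 192.0.2.11
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 192.0.2.12
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 192.0.2.13
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 192.0.2.14
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 192.0.2.15
Jun 17 23:17:02 MyHost sshd[900]: error: PAM: authentication error for illegal user manager from 192.0.2.16
EOF
cat > "$SINGLE" <<'EOF'
Jun 17 03:00:01 MyHost sshd[901]: error: PAM: authentication error for illegal user root from 198.51.100.7
Jun 17 03:00:02 MyHost sshd[902]: error: PAM: authentication error for illegal user admin from 198.51.100.7
Jun 17 03:00:03 MyHost sshd[903]: error: PAM: authentication error for illegal user test from 198.51.100.7
Jun 17 03:00:04 MyHost sshd[904]: Invalid user oracle from 198.51.100.7
Jun 17 03:00:05 MyHost sshd[905]: Invalid user guest from 198.51.100.7
EOF

echo "botnet sample: $(classify_attack "$BOTNET")"
echo "single sample: $(classify_attack "$SINGLE")"
```

On a real system feed it /var/log/auth.log or /var/log/secure for a window of an hour or so; a "distributed-dictionary" verdict is the case where IP-based blocking alone will not help and the key-only and AllowGroups safeguards above matter most.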

If you have any comments, additional examples of safeguards, or additional information please let us know here.
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
An interface designer interning at Mozilla has suggested that the company mimic gimmicks in Google's Chrome to make users think Firefox starts up faster.
 
 
Despite the hype that's built up around tablet computers and handheld devices with larger screens, Sony Ericsson remains focused on smartphones even as it keeps its future product options open, according to a top company executive.
 
According to many vendors, this is the year for 3-D TV. But the technology may not be as ready for the market as they claim.
 
Eight music publishers have sued LimeWire LLC of massive copyright infringement even as a federal court in New York is considering a request by the Recording Industry Association of America to shut the file-sharing software maker down over a similar complaint.
 
InfoSec News: Extended Deadline: Final CFP: ERCIM STM'2010 : Forwarded from: "M. Carmen Fernadez Gago" <mcgago (at) cc.uma.es>
** Apologies for multiple copies **
*Call for Papers *
*6th International Workshop on
SECURITY and TRUST MANAGEMENT (STM'10)
Athens, Greece
23-24 September 2010 *
http://www.isac.uma. [...]
 
InfoSec News: Kyrgyzstan on verge of cyber war: http://english.ruvr.ru/2010/06/17/10020320.html
By Marina Volkova The Voice of Russia Jun 17, 2010
The escalating ethnic conflict in Kyrgyzstan has already given rise to cyber attacks carried out on government and media websites. Russian cyber security experts refer to them as means of information warfare.
Cyber attacks, sometimes known as Distributed Denial of Service (DDoS) attacks, involve breaking into millions of computers to forward requests to all servers within the .kg domain zone, bringing them down. Users cannot therefore get access to official information, said Roman Romachev, the Director General of the R-Techno agency of business intelligence. Hackers launch attacks from computers all over the Internet, making the tracing of these requests absolutely impossible, he said.
As part of the cyber war, DDoS attacks block all your opponent's information. Frequently used during election campaigns and costing only one hundred dollars, these attacks may deactivate numerous web sites, Roman Romachev says.
The information war has not yet started in full force and effect in Kyrgyzstan, according to Russian IT-analyst Andrei Masalovich of DialogueScience Inc. He believes cyber attacks could be launched on every country which will send its troops to Kyrgyzstan to help resolve the ethnic conflict. Russia should not therefore intervene in the current situation, the businessman said.
Further aggravation of the ongoing conflict will result in a full-scale information war. Those who will bring armed forces to the republic, will be definitely exposed to massive cyber attacks.
Battles in cyberspace are an integral part of armed conflicts, like for instance, the Georgian aggression against South Ossetia in 2008. Tbilisi then unleashed another kind of war, blocking the country's entire web segment, so that the world could not find out the truth about the origins of the conflict.
 
InfoSec News: Banking's big dilemma: How to stop cyberheists via customer PCs: http://www.networkworld.com/news/2010/061710-online-banking.html
By Ellen Messmer Network World June 17, 2010
In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of [...]
 
InfoSec News: Cybersecurity Not A 'Command And Control' Effort: http://www.darkreading.com/security/government/showArticle.jhtml?articleID=225700567
By Kelly Jackson Higgins DarkReading June 17, 2010
Cybersecurity initiatives will always be distributed efforts, which is what makes the cybersecurity czar's position so crucial, according to [...]
 
InfoSec News: Researcher shows how to strike back at web assailants: http://www.theregister.co.uk/2010/06/17/exploiting_online_attackers/
By Dan Goodin in San Francisco The Register 17th June 2010
A security researcher has disclosed details on more than a dozen previously unknown vulnerabilities that people responding to web-based [...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-24: ========================================================================
The Secunia Weekly Advisory Summary 2010-06-10 - 2010-06-17
This week: 89 advisories [...]
 
InfoSec News: Computer Hacker Jailed: http://www.dailystar.co.uk/news/view/140336/Computer-hacker-jailed/
By Elizabeth James Daily Star 18th June 2010
A COMPUTER hacker who bought 30,000 U.K.P. of gold bullion thanks to an intricate fraud scam was jailed yesterday.
Alistair Peckover, 21, also bought a Porsche and had 40,000 cash stashed in two containers when arrested.
The 'obsessive loner' used his self-taught skills to breach security barriers on Google and BT websites and obtain details of customers' email accounts.
He used the information to defraud them and fund his gambling habit.
[...]
 

Posted by InfoSec News on Jun 17

Forwarded from: "M. Carmen Fernadez Gago" <mcgago (at) cc.uma.es>

** Apologies for multiple copies **

*Call for Papers *

*6th International Workshop on

SECURITY and TRUST MANAGEMENT (STM'10)

Athens, Greece

23-24 September 2010 *

http://www.isac.uma.es/stm10

in conjunction with EuroPKI'10 and CRITIS'10, and just after ESORICS'10

Extended deadline, June the 25th 2010

STM (Security and Trust Management) is a working group...
 

Posted by InfoSec News on Jun 17

http://english.ruvr.ru/2010/06/17/10020320.html

By Marina Volkova
The Voice of Russia
Jun 17, 2010

The escalating ethnic conflict in Kyrgyzstan has already given rise to
cyber attacks carried out on government and media websites. Russian
cyber security experts refer to them as means of information warfare.

Cyber attacks, sometimes known as Distributed Denial of Service (DDoS)
attacks, involve breaking into millions of computers to forward...
 

Posted by InfoSec News on Jun 17

http://www.networkworld.com/news/2010/061710-online-banking.html

By Ellen Messmer
Network World
June 17, 2010

In online banking and payments, customers' PCs have become the Achilles'
heel of the financial industry as cyber-crooks remotely take control of
the computers to make unauthorized funds transfers, often to faraway
places.

That's what happened to the town of Poughkeepsie in New York earlier
this year to the tune of $378,000 carried...
 

Posted by InfoSec News on Jun 17

http://www.darkreading.com/security/government/showArticle.jhtml?articleID=225700567

By Kelly Jackson Higgins
DarkReading
June 17, 2010

Cybersecurity initiatives will always be distributed efforts, which is
what makes the cybersecurity czar's position so crucial, according to
the Department of Homeland Security's cybersecurity director.

"This is not a command and control environment," says Philip Reitinger,
who is director of the...
 

Posted by InfoSec News on Jun 17

http://www.theregister.co.uk/2010/06/17/exploiting_online_attackers/

By Dan Goodin in San Francisco
The Register
17th June 2010

A security researcher has disclosed details on more than a dozen
previously unknown vulnerabilities that people responding to web-based
attacks can exploit to strike back at online assailants.

The bugs reside in off-the-shelf crimeware kits that go by names such as
Eleonore, Liberty, Neon, and Yes. Attackers...
 

Posted by InfoSec News on Jun 17

========================================================================

The Secunia Weekly Advisory Summary
2010-06-10 - 2010-06-17

This week: 89 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on Jun 17

http://www.dailystar.co.uk/news/view/140336/Computer-hacker-jailed/

By Elizabeth James
Daily Star
18th June 2010

A COMPUTER hacker who bought 30,000 U.K.P. of gold bullion thanks to an
intricate fraud scam was jailed yesterday.

Alistair Peckover, 21, also bought a Porsche and had 40,000 cash stashed
in two containers when arrested.

The 'obsessive loner' used his self-taught skills to breach security
barriers on Google and BT websites and...
 
 
Cisco announces the end-of-sale and end-of-life dates for the Cisco Security Agent. There is no replacement available for the Cisco Security Agent at this time.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html

(Sales end this December, Maintenance the following December, and it will no longer be supported after December 2013).

Thanks Brian!
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
If you're looking for a portable multimedia machine, the Gateway NV5933u--which features an Intel Core i3 processor and a Blu-ray Disc player--might be for you. This 15.6-inch all-purpose laptop multitasks with ease, and it even has a number pad next to its big, flat keyboard. Our review model, priced at a modest $649 (as of June 3, 2010), came with a 2.13GHz Intel Core i3-330M processor, 4GB of RAM, a 320GB hard drive, a 15.6-inch 1366-by-768-pixel display, and Windows 7 Home Premium (64-bit). The system also has a built-in Webcam and microphone, 802.11b/g/n Wi-Fi, and--perhaps its biggest selling point--a 4X Blu-ray Disc/DVD-Super Multi double-layer drive.
 
