Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
An advertising analytics company said it has discovered a botnet that generates upwards of US$6 million per month by generating bogus clicks on display advertisements.
 
Tech enthusiasts upset over Google's recent decision to scrap Google Reader and other products may have one reason to be happy again: They can still subscribe to RSS feeds through an extension within the Chrome browser.
 

Protocols like IPv6 and IPv4 suffer from two very different types of security issues: oversights in the specification of the protocol, and implementation errors. The first is probably the more difficult one to fix, as it may require changing the protocol itself and may lead to incompatible implementations. The second is not easy to avoid either, but at least we have some decent tools to verify that a protocol was implemented correctly. When implementing protocols, developers usually try to stick to the specification and follow the robustness principle (RFC 1122), sometimes also referred to as Postel's law after Jon Postel. In short, the principle stipulates that an implementation should be conservative in what it sends and liberal in what it accepts. This principle makes robust interoperability possible, but it also leads to many security issues. For example, an IDS may discard data because it is out of spec while the host still accepts it, because the host tries to make things work. Or, the other way around, an IDS may assume a host is more forgiving than it actually is.

What we need are techniques and tools to check the implementation and push the boundaries of what the specification considers acceptable. This method of security testing is usually referred to as fuzzing, and one great tool to implement it for IPv6 is scapy. Scapy used to have an add-on, scapy6, that implemented IPv6; recent versions of scapy include scapy6 as part of the tool.

So what can we do? Let's start with something straightforward: a simple TCP packet. In scapy, we first build an IPv6 header, then attach a TCP header. Here we keep it as simple as possible:

# scapy
Welcome to Scapy (2.2.0)
>>> ip=IPv6(dst="2001:db8::1")
>>> tcp=TCP(sport=32666,dport=80)
>>> sr1(ip/tcp)
Begin emission:
Finished to send 1 packets.
Received 293 packets, got 1 answers, remaining 0 packets
<IPv6  version=6L tc=0L fl=0L plen=24 nh=TCP hlim=57 src=2001:db8::1 |<TCP  sport=http dport=32666 seq=3689474164 ack=1 dataofs=6L reserved=0L flags=SA window=5680 chksum=0xaab6 urgptr=0 options=[('MSS', 1420)] |>>


Cool. We sent a SYN packet and got a SYN-ACK back! All normal and as expected. First rule of fuzzing: start with something simple and normal that you know works.

Next, let's add a neat little extension header: a Hop-by-Hop header indicating that we are sending a jumbogram. But our jumbogram is nasty. Instead of making it big, as it is supposed to be, we give it a size of 0. We start as above, but then add a Hop-by-Hop header carrying the Jumbo Payload option (RFC 2675) with a length of 0:

Begin emission:
Finished to send 1 packet.

And, as expected, we get no response. To verify what actually went out on the wire, it helps to keep tcpdump running in another window and collect the packets:



# tcpdump -i en0 -nn -tvv ip6 and host 2001:db8::1
IP6 (hlim 64, next-header Options (0) payload length: 28) 2001:db8::2 > 2001:db8::1: HBH (jumbo: 0) no next header



One thing scapy filled in for us is the payload length: it computed the real length (28 bytes), but RFC 2675 requires the IPv6 Payload Length field to be 0 in every packet that carries a Jumbo Payload option. No problem; we can tell scapy to set it to 0 explicitly:

>>> ip=IPv6(dst="2001:db8::1",plen=0)

and again, no response. Note one more detail in the tcpdump output above: the Hop-by-Hop header's own next-header field reads "no next header" (59), so even a host that tolerated the zero-length jumbogram would never reach the TCP header behind it. When chaining extension headers in scapy, it is worth checking that each header's nh field points at the layer that follows it.
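The two jumbogram packets above, rebuilt without scapy so that every field can be inspected byte by byte. This is an added example, not code from the diary: a plain-Python builder for the IPv6 base header, a Hop-by-Hop header with a Jumbo Payload option and a bare TCP SYN, plus the receiver checks from RFC 2675 that a host (and an IDS that wants to match the host) has to apply. The addresses and port numbers are the ones used in the diary; packets are only built and inspected here, never sent.

```python
import struct
import ipaddress

# Next-header values (RFC 2460) and the Jumbo Payload option type (RFC 2675).
NH_HOPBYHOP = 0
NH_TCP = 6
NH_NONE = 59          # "no next header", which is what tcpdump printed for the diary's packet
OPT_PAD1 = 0
OPT_JUMBO = 0xC2


def tcp_syn(sport, dport, seq=0):
    """Minimal 20-byte TCP SYN with no options. The checksum is left at 0 because
    this example only builds and inspects packets; it never puts them on the wire."""
    offset_and_flags = (5 << 12) | 0x02        # data offset 5 words, SYN flag set
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_and_flags, 5680, 0, 0)


def hbh_jumbo(next_header, jumboplen):
    """Hop-by-Hop header carrying a single Jumbo Payload option.
    nh(1) hdrlen(1) otype=0xC2(1) optlen=4(1) jumboplen(4) is exactly 8 octets,
    so hdrlen (8-octet units, not counting the first) is 0."""
    return struct.pack("!BBBBI", next_header, 0, OPT_JUMBO, 4, jumboplen)


def ipv6(src, dst, next_header, payload, plen=None):
    """IPv6 base header in front of payload. plen=None fills in the real payload
    length, which is what scapy did in the first attempt above; plen=0 is what
    RFC 2675 requires once a Jumbo Payload option is present."""
    if plen is None:
        plen = len(payload)
    first_word = 0x60000000                    # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, plen, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def check_jumbo(pkt):
    """Apply the RFC 2675 receiver checks to a packet whose first extension header
    is Hop-by-Hop. Returns a list of findings; an empty list means the jumbogram
    encoding is one a conforming host would accept."""
    findings = []
    plen, nh = struct.unpack("!HB", pkt[4:7])
    if nh != NH_HOPBYHOP:
        return ["no Hop-by-Hop header, nothing to check"]
    hbh_nh, hbh_len = pkt[40], pkt[41]
    hbh = pkt[40:40 + (hbh_len + 1) * 8]
    jumboplen = None
    i = 2
    while i < len(hbh):
        otype = hbh[i]
        if otype == OPT_PAD1:                  # Pad1 is the only option without a length byte
            i += 1
            continue
        optlen = hbh[i + 1]
        if otype == OPT_JUMBO:
            if optlen != 4:
                findings.append("Jumbo option length %d, must be 4" % optlen)
            jumboplen = struct.unpack("!I", hbh[i + 2:i + 6])[0]
        i += 2 + optlen
    if jumboplen is None:
        return findings
    if plen != 0:
        findings.append("Payload Length is %d but must be 0 with a Jumbo Payload option" % plen)
    if jumboplen <= 65535:
        findings.append("Jumbo Payload Length %d is not greater than 65535" % jumboplen)
    if hbh_nh == NH_NONE:
        findings.append("Hop-by-Hop next header is 59 (no next header): the TCP header behind it is unreachable")
    return findings
```

Running check_jumbo on the first packet reports both problems tcpdump hinted at: a Payload Length of 28 that should be 0, and a Jumbo Payload Length of 0 that must exceed 65535. Forcing plen=0 clears the first finding and leaves the second, consistent with the target staying silent both times.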

So this was pretty simple. Next step: let's do a three-way handshake. Instead of pasting the script here, I uploaded a simple IPv6 three-way TCP handshake script here. The script sets up a TCP connection to port 80, then transmits a simple HTTP request in two segments. Again, we start simple; this should work.

Next, let's be a bit evasive. We retransmit the second segment, but the retransmitted copy carries different content. The full script can be found here. The interesting part:

my_payload2="sec546.com\r\n\r\n"
my_payload3="secxxx.com\r\n\r\n"
# first segment of the request, right after the handshake
TCP_PUSH=TCP(sport=sport,dport=dport, flags="PA", seq=isn+1,ack=my_ack)
send(ip/TCP_PUSH/my_payload1)
# second segment, sent twice with the same sequence number but different content
TCP_PUSH=TCP(sport=sport,dport=dport, flags="PA", seq=isn+1+len(my_payload1),ack=my_ack)
send(ip/TCP_PUSH/my_payload2)
send(ip/TCP_PUSH/my_payload3)



In this case the second copy of the segment (my_payload3) is ignored: the host already holds data for that sequence range and keeps the first copy. This is easy to confirm if the target web server logs the Host header as received from the client; you will see that the server received sec546.com.

Next, we add a Destination Options header into the mix, but only on the first copy of the segment (my_payload2). The header carries an option of unknown type 255. The two high-order bits of that type are 11, which per RFC 2460 instruct the receiving host to discard the packet (and, for a unicast destination, to send back an ICMPv6 Parameter Problem, a message worth watching for on the IDS side, since it tells you the host dropped the packet). As a result only the second copy of the segment is used. The full script can be found here. The diff again:




# Destination Options header with a single option of unassigned type 255
DH=IPv6ExtHdrDestOpt(options=HBHOptUnknown(otype=255,optdata="x"))
send(ip/DH/TCP_PUSH/my_payload2)
send(ip/TCP_PUSH/my_payload3)



payload2 will be ignored, but payload3 will be received just fine. As a result, the web server will see secxxx.com, not sec546.com. But how do our packet tools reassemble this kind of traffic? A tool that simply keeps the first copy of an overlapping segment will report sec546.com here; one that keeps the last copy gets this case right but gets the plain retransmission above wrong. Only a tool that evaluates the extension headers the way the target does gets both right. You can find a packet capture here to try your own favorite tool. Let me know what you find!
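The retransmission and destination-option tricks above, modelled as an added example (plain Python, not the diary's scapy scripts): a lookup for the unknown-option action bits from RFC 2460, a toy reassembler that can run with a naive "first copy wins" or "last copy wins" policy or with a target-aware policy that drops what the host drops, and the two segment sequences the scripts send. my_payload1 is not shown in the diary, so the request line and "Host: " prefix used here are assumed.

```python
# Two high-order bits of an IPv6 option type (RFC 2460, section 4.2) tell a
# node what to do with an option it does not recognise.
def unknown_option_action(otype):
    return {
        0b00: "skip",                      # ignore the option, keep processing the header
        0b01: "discard",                   # drop the packet silently
        0b10: "discard+icmp",              # drop, always send ICMPv6 Parameter Problem code 2
        0b11: "discard+icmp-if-unicast",   # drop, send Parameter Problem unless dst is multicast
    }[(otype >> 6) & 0b11]


def host_accepts(segment):
    """The target drops a packet if any unrecognised option on it demands discard.
    Assumption of this model: every type listed under 'unknown_opts' is one the
    host does not implement (type 255 is unassigned, so that holds for it)."""
    return all(unknown_option_action(t) == "skip"
               for t in segment.get("unknown_opts", ()))


def reassemble(segments, policy):
    """Rebuild the client-to-server byte stream from segments given in arrival
    order as {'seq': int, 'data': bytes, 'unknown_opts': (types,)}.
      'first'  - naive tool: keep the first copy seen for a sequence number
      'last'   - naive tool: keep the last copy seen
      'target' - model the host: drop what the host drops, then keep the first copy
    Simplification: overlapping copies start at the same seq and have the same
    length, which is all the diary's scripts do."""
    stream = {}
    for seg in segments:
        if policy == "target" and not host_accepts(seg):
            continue
        if seg["seq"] in stream and policy != "last":
            continue
        stream[seg["seq"]] = seg["data"]
    return b"".join(stream[s] for s in sorted(stream))


def host_header(stream):
    """Return the Host header value the web server would parse from the stream."""
    for line in stream.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


ISN = 1000
PAYLOAD1 = b"GET / HTTP/1.1\r\nHost: "      # assumed: the diary does not show my_payload1
PAYLOAD2 = b"sec546.com\r\n\r\n"
PAYLOAD3 = b"secxxx.com\r\n\r\n"


def retransmit_case():
    """First script: payload3 retransmitted at payload2's seq with other content."""
    seq2 = ISN + 1 + len(PAYLOAD1)
    return [{"seq": ISN + 1, "data": PAYLOAD1},
            {"seq": seq2, "data": PAYLOAD2},
            {"seq": seq2, "data": PAYLOAD3}]


def destopt_case():
    """Second script: the first copy also carries a Destination Options header
    with an unknown option of type 255 (high bits 11), which the host discards."""
    segs = retransmit_case()
    segs[1] = dict(segs[1], unknown_opts=(255,))
    return segs


def what_each_tool_sees(segments):
    """Host header as reconstructed under each policy, to compare with the server log."""
    return {p: host_header(reassemble(segments, p)) for p in ("first", "last", "target")}
```

Neither naive policy gets both cases right: "first" matches the server on the plain retransmission but misses the destination-option evasion, and "last" does the reverse. Only the target-aware policy agrees with the server log in both runs, which is exactly the question the packet capture is meant to put to your favourite tool.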




------



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
Apple iPhone Lock Screen Security Bypass Vulnerability
 
Adobe CTO Kevin Lynch is leaving the company to take a job at Apple, a one-time close partner of Adobe that became the most vociferous critic of its Flash technology.
 
Facebook's News Feed is a popular landing page for photos and updates from friends, but now it can also function as a digital storefront of sorts, through a partnership with e-commerce startup Chirpify.
 
Nvidia wants graphics processors to create avatars with realistic human faces, and power visual searches in which images can be identified to produce matching search results.
 
Nvidia hopes to make its ambitious break into the portable handheld gaming market in the next few months, CEO Jen Hsun Huang said Tuesday.
 
Apple last week silently updated the aged Safari 5 browser for Snow Leopard to version 5.1.8, more evidence that the company intends to support the 2009 operating system for an unusually long time.
 
Add Nvidia CEO Jen Hsun Huang to the list of people disappointed with the debut of Windows RT.
 
Microsoft today said it would cooperate with federal regulators who are reportedly investigating claims that some of its business partners bribed officials in China, Romania and Italy to close deals.
 
Microsoft hoped recent updates to its Dynamics AX 2012 ERP software would help it grab enterprise-level deals that would ordinarily be won by the likes of Oracle and SAP. To some degree, the strategy appears to be clicking.
 
Nvidia wants to bump up graphics and application performance on tablets and smartphones with the two new Tegra mobile processors it announced on Tuesday.
 
Foreign students in the federal Optional Practical Training (OPT) program often work long hours and for much less pay than their U.S. counterparts, according to Karen Panetta, a professor of electrical and computer engineering at Tufts University.
 
If U.S. law enforcement agencies agree to changes in electronic surveillance law to better protect the privacy of stored email and documents, they want several changes in return, including a requirement that email and cloud service providers hold onto records longer.
 
Warren East, the outgoing CEO of U.K. chip design company ARM, has never displayed the bravado of his counterparts across the Atlantic, and that was on show Tuesday when he explained his surprise decision to leave the company on July 1.
 
Microsoft offered more details on Tuesday about its plans to integrate SharePoint and Yammer, saying it will give Office 365 customers the option of replacing SharePoint Online's activity-stream component with that of Yammer.
 
OpenFabrics ibutils Insecure Temporary File Creation Vulnerability
 
Microsoft Internet Explorer CVE-2013-0087 Use-After-Free Remote Code Execution Vulnerability
 

Security researchers have discovered a botnet that is stealing millions of dollars per month from advertisers. The botnet does so by simulating click-throughs on display ads hosted on at least 202 websites. Revealed and dubbed "Chameleon" by the Web analytics firm spider.io because of its ability to fool advertisers' behavior-tracking algorithms, the botnet is the first found to use display advertisements to generate fraudulent income for its masters.

In a blog post today, spider.io reported that the company had been tracking Chameleon since December of 2012. Simulating multiple concurrent browser sessions with websites, each bot is able to interact with Flash and JavaScript based ads. So far, more than 120,000 Windows PCs have been identified—95 percent of them with IP addresses associated with US residential Internet services. The company has issued a blacklist of the 5,000 worst-offending IP addresses for advertisers to use to protect themselves from fraud.

While in many respects the botnet simulates human activity on webpages to fool countermeasures to clickfraud, it generates random mouse clicks and mouse pointer traces across pages. This makes it relatively easy for bot-infected systems to be identified over time. The bot is also unstable because of the heavy load it puts on the infected machine, and its frequent crashes can also be used as a signature to identify infected systems.


 
Video: PayPal CISO Michael Barrett discusses the FIDO Alliance launch and how the open standard for online authentication might help replace weak passwords.

 
Linux Kernel CVE-2013-1827 Multiple NULL Pointer Dereference Local Denial of Service Vulnerability
 
Linux Kernel CVE-2013-1826 NULL Pointer Dereference Local Denial of Service Vulnerability
 
The new Samsung Galaxy S4 smartphone with HSPA+ costs $236 for materials, up 15% from the equivalent Galaxy S III, according to a virtual teardown by IHS iSuppli.
 
An anonymous researcher created a massive botnet by hijacking about 420,000 Internet-accessible embedded devices with default or no login passwords and used it to map the entire Internet.
 

More than a month after security researchers pointed out a new passcode bug in iOS, Apple has patched it with the release of iOS 6.1.3. The software update, released over the air or via iTunes, is mainly aimed at addressing the security vulnerability that allowed attackers to get around an iOS device's passcode by performing a series of steps. Apple says that iOS 6.1.3 also comes with "improvements to Maps in Japan."

It was mid-February when reports began to spread that an old vulnerability in the iPhone's emergency call feature had resurfaced as part of iOS 6.1. As we wrote at that time, "[w]ith the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected." A couple weeks later, different researchers pointed out another way to get around the iPhone's lock screen based on the same vulnerability. Apple released iOS 6.1.2 in the meantime, but it did not fix the passcode bug with that update.

As rumored, however, iOS 6.1.3 does in fact address the passcode lock screen vulnerability. Since this is a security concern that could affect many iOS device users, we certainly recommend installing it as soon as you get the chance. But be warned: if you've jailbroken your iOS 6.1.x device, we're hearing that the 6.1.3 update fixes one of the security holes that enables the evasi0n jailbreak. In that case, update at your own risk.


 

This one made it past my (deliberately porous) spam filter today. We don't cover these usually, as there are just too many of them (I just got another Facebook-related one while typing this). But from time to time it is fun to take a closer look, and they make good slides for awareness talks.



The initial link sends the user to hxxp:// swiat-feromonow.pl / wiredetails.html, which redirects the user to the usual obfuscated JavaScript at hxxp:// salespeoplerelaunch. org/ close/printed_throwing-interpreting-dedicated.php .

The latter page not only uses JavaScript but, for good measure, also tries to run a Java applet. Wepawet, as usual, has no issues analyzing the file [1]. It discovers the usual browser plugin fingerprinting code, but no specific exploits.

OK, cool... yet more malware. But I didn't want to leave it at that, and went ahead to try and get that site shut down. First stop: whois salespeoplerelaunch.org. The result is a legitimate-looking contact in Michigan with a phone number, which has been disconnected :( ... so I am trying an e-mail to the listed e-mail address (just sent... no response yet, but I will update this diary if I get one).

Moving on to the IP address. It is assigned to https://www.wholesaleinternet.net, a low-cost dedicated server / colocation provider. I am sending them an abuse request via e-mail now and, again, will update this diary if I hear from them. Interestingly, the IP address is not known to serve any other domains, based on a quick check of some passive DNS replication systems. I also sent an e-mail to abuse @ szara.net, which hosts the domain swiat-feromonow.pl.

Let's see how long the link stays up.

[1] http://wepawet.iseclab.org/view.php?hash=dbeb07e4d46aa4cbd38617a925499c22&type=js

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
U.S. residents have the right to resell software and other products protected by copyright even when they are manufactured overseas, the U.S. Supreme Court has ruled.
 
The latest version of the Skype for Windows Phone 8 Preview has support for HD video calls on some phones and reinstated integration with the People hub.
 
Microsoft is hoping to shove aside rivals such as Salesforce.com and Oracle in the CRM software market by linking its own Dynamics CRM application with new capabilities for marketing automation and social media analysis.
 
Apple's iPhone dominance in the U.S. is largely due to carriers suppressing market economics, an analyst said today.
 
Microsoft's AX ERP application will be receiving a set of mobile applications that mix connectivity to back-end systems and processes with a social milieu.
 
Although no exploit won by reliably felling the defences of the browser and OS, the winner from last year returned with a chain of bugs and a style of attack that Google called plausible. One was a Linux kernel bug


 
Linux Kernel 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation Vulnerability
 
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "OnMove" Use-after-free (MS13-021 / CVE-2013-0087)
 
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "OnResize" Use-after-free (MS13-021 / CVE-2013-0087)
 
Simon Segars will become ARM CEO when Warren East retires July 1, the company said Tuesday.
 
Citrix Systems has upgraded its Podio applications for Android and iOS, as well as the ShareFile app for the latter, which can now be used to edit Microsoft Office documents.
 
A hacker has produced his own "Internet Census 2012" using a dedicated botnet set up just for that purpose. He found 420 million active devices which responded to queries and turned up a whole host of security vulnerabilities


 
RubyGems MiniMagic 'mini_magick.rb' Remote Command Execution Vulnerability
 
RubyGems fastreader 'entry_controller.rb' Remote Command Execution Vulnerability
 
RubyGems Curl 'curl.rb' Remote Command Execution Vulnerability
 
VUPEN Security Research - Mozilla Firefox "nsHTMLEditRules" Use-After-Free (MFSA-2013-29 / CVE-2013-0787)
 
Remote command execution in Ruby Gem Command Wrap
 

 

Microsoft will start pushing Service Pack 1 for Windows 7 and Windows Server 2008 R2 via Windows Update as of today [1][2]. As usual, the service pack includes a few enhancements and bug fixes in addition to security patches. If you are up to date on patches, the service pack will only add the additional features.

The service pack has been available since February 2011, but so far only as an optional download. The push to make it an automatic download was likely motivated by the upcoming end of support for the RTM (released to manufacturing) version of Windows 7 in April: once the original release is out of support, only systems running SP1 continue to receive security updates.

The service pack is also available as a stand-alone image to update existing machines, or existing Windows 7 users can install it via Windows Update. The download size via Windows Update is about 70 MB for Windows 7 and 100 MB for Windows Server 2008 R2.

[1] http://technet.microsoft.com/en-us/windows/gg635126.aspx

[2] http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/03/18/windows-7-sp1-to-start-rolling-out-on-windows-update.aspx



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 

To meet the requirements of working in a unique environment such as those that existed in the power trading business and to accommodate its future business needs, the Tata Power Trading Company chose to streamline its business processes using cloud technology. Here's how its CIO, Ujjal Kumar Ghatak did it.

 
A cloud service broker is pitching Google Apps to enterprises by playing on their fears about recent changes Microsoft's made to Office. Insider (registration required)
 
For the past month or so, the hot topic among Apple users has been the iWatch. Columnist Michael deAgonia weighs on whether there's really a market for the device.
 
With an ever-increasing data volume but by no means an ever-increasing IT budget, businesses are facing a tough task in optimising their storage. Most believe that deduplicating redundant copies was the storage saviour.A CNMEA investigates the trend of eliminating cloned data.
 

Password cracking experts have reversed a secret cryptographic formula recently added to Cisco devices. Ironically, the encryption type 4 algorithm leaves users considerably more susceptible to password cracking than an older alternative, even though the new routine was intended to enhance protections already in place.

It turns out that Cisco's new method for converting passwords into one-way hashes uses a single iteration of the SHA256 function with no cryptographic salt. The revelation came as a shock to many security experts because the technique requires little time and computing resources. As a result, relatively inexpensive computers used by crackers can try a dizzying number of guesses when attempting to guess the corresponding plain-text password. For instance, a system outfitted with two AMD Radeon 6990 graphics cards that run a soon-to-be-released version of the Hashcat password cracking program can cycle through more than 2.8 billion candidate passwords each second.

By contrast, the type 5 algorithm the new scheme was intended to replace used 1,000 iterations of the MD5 hash function. The large number of repetitions forces cracking programs to work more slowly and makes the process more costly to attackers. Even more important, the older function added randomly generated cryptographic "salt" to each password, preventing crackers from tackling large numbers of hashes at once.
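An added example (Python, not from the article and not Cisco's code) of why the two constructions differ in practice: a type-4-like hash as the article describes it (one unsalted SHA-256; the text encoding used here is an assumption), a salted, iterated stand-in for the type 5 properties it lost (not the real md5-crypt algorithm), a precomputed-table attack that works against the former but not the latter, and a scan of a constructed IOS configuration fragment that flags type 4 secrets and spots two accounts sharing a password from their identical hashes.

```python
import base64
import hashlib
import re

# Type 4 as the article describes it: a single SHA-256 over the password, no salt.
# The textual encoding (crypt's ./0-9A-Za-z alphabet, padding dropped, 43 chars)
# is an assumption of this example; the weakness shown does not depend on it.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CRYPT = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CRYPT = str.maketrans(_STD, _CRYPT)


def type4_like(password):
    digest = hashlib.sha256(password.encode()).digest()
    return base64.b64encode(digest).decode().rstrip("=").translate(_TO_CRYPT)


def salted_iterated(password, salt, rounds=1000):
    """Stand-in for the salted, 1000-round MD5 construction the article credits
    type 5 with. NOT the real md5-crypt algorithm (which mixes salt and password
    in a more involved way); it only reproduces the two properties that matter:
    a per-entry salt, and a cost of `rounds` hashes per guess."""
    h = hashlib.md5(salt.encode() + password.encode()).digest()
    for _ in range(rounds - 1):
        h = hashlib.md5(h + password.encode()).digest()
    return "$1$%s$%s" % (salt, h.hex())


def crack_unsalted(targets, wordlist):
    """With no salt, one table of guesses serves every captured hash at once."""
    table = {type4_like(w): w for w in wordlist}
    return {h: table.get(h) for h in targets}


def crack_salted(targets, wordlist, rounds=1000):
    """Each distinct salt forces the whole wordlist to be rehashed, `rounds` times per word."""
    found = {}
    for entry in targets:
        salt = entry.split("$")[2]
        found[entry] = next((w for w in wordlist
                             if salted_iterated(w, salt, rounds) == entry), None)
    return found


# IOS configuration lines that carry local secrets; the digit after 'secret' is
# the hash type. Constructed sample config with two accounts sharing a password.
_SECRET_RE = re.compile(r"^\s*(enable secret|username\s+\S+\s+secret)\s+(\d)\s+(\S+)", re.M)
SAMPLE_CONFIG = "\n".join([
    "!",
    "enable secret 4 " + type4_like("cisco123"),
    "username admin secret 4 " + type4_like("cisco123"),
    "username ops secret 5 " + salted_iterated("cisco123", "Kq3z"),
    "!",
])


def audit_secrets(config_text):
    """Flag type 4 secrets, and point out equal type 4 hashes: without a salt,
    equal hashes mean equal passwords, which is exactly what a salt is there to hide."""
    findings = []
    seen_type4 = {}
    for m in _SECRET_RE.finditer(config_text):
        where, htype, value = m.group(1), m.group(2), m.group(3)
        if htype == "4":
            findings.append((where, "type 4: single unsalted SHA-256, weaker than type 5"))
            if value in seen_type4:
                findings.append((where, "same type 4 hash as %s: identical password" % seen_type4[value]))
            seen_type4[value] = where
    return findings
```

The same wordlist cracks every type-4-like hash after one pass of SHA-256 per word, while the salted stand-in has to be recomputed per salt and per round; the ops account, which reuses the admin password, is invisible in the audit precisely because its salt hides the reuse.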


 

Howard Schmidt to Keynote InfoSec World 2013 in Orlando in April (The Providence Journal): SOUTHBOROUGH, Mass., March 19, 2013 /PRNewswire/ -- Security veteran Howard Schmidt will be the kick-off keynote at InfoSec World 2013, which will take place April 15-17, 2013 in Orlando, Florida.
 
Europe's Justice Commissioner on Tuesday criticized how European Union member states have handled Apple's alleged misselling of warranties and called for tougher sanctions.
 
Nokia has won an injunction against the sale in Germany of some HTC handsets that infringe on a power-saving technology for mobile phones.
 
Spree 'spree_auth_devise' Security Bypass Vulnerability
 

 

Video: Bill Brenner on the role of media in infosec
CSO (blog)
His approach is particularly creative and I love watching them after the show. With his permission and that of Tripwire, I always run them here because, after all, sharing is caring. Here, I chat with Anthony Freed about the role of media in infosec.

 
Microsoft has released a number of enhancements to Windows Azure that will make it easier to deploy and manage Hadoop clusters and integrate more mobile apps with the cloud platform.
 
Anticipating explosive growth in video communications, Cisco is readying product improvements designed to simplify the management of videoconferencing traffic and to streamline its use for employees.
 
Support for Windows 7 will continue until 2020, but only if the latest Service Pack has been installed. Users who have not yet installed Service Pack 1 for Windows 7 will get it automatically


 
Adobe Flash Player Unspecified Remote Code Execution Vulnerability
 
Salesforce.com will upgrade its Chatter enterprise social networking (ESN) application for iOS and release one for the first time for Android on Tuesday, delivering in both new capabilities to integrate them with its main CRM software.
 
A website that leaked credit reports of celebrities and government officials last week appears to have a curious link to the malicious banking software known as "Zeus."
 
Twitter is beefing up its self-service ad platform to give smaller businesses more targeting and analytics tools to reach potential customers on the site.
 
Customers of JPMorgan Chase reported seeing zero balances in their accounts both online and on mobile, and speculated that the bank's systems had been hacked.
 
Updates to Rails close two XSS vulnerabilities due to insufficient sanitization, a denial of service issue in ActiveRecord and XML parsing problem when running with jRuby


 
If a stranger sneaks into one of the new "smart" cameras via an integrated web server, they can take and upload pictures. A brave new networked photo world?


 
BlackBerry Z10 sales kick off this Friday in the U.S., but it is still unclear how popular the smartphone and its Q10 cousin running BlackBerry 10 will be, amid a number of contradictory predictions and indicators.
 
The kids may have moved on, but business users love (and hate) their email. Here's why we can't dig out.
 
Blue Jeans Network is rolling out an iOS app, partnering with with Tely Labs on an affordable video collaboration appliance and launching dual streams in a bid to expand access to videoconferencing.
 
U.S. Senator Chuck Grassley has re-introduced an H-1B reform bill that once again takes aim at offshore outsourcers, and on Monday he got more ammunition for that battle.
 
After a computer glitch sidelined NASA's Mars rover Curiosity late last month, another problem has it down again.
 
Cisco IOS and IOS XE Insecure Password Hash Weakness
 
Internet Storm Center Infocon Status