Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

F-Secure's Hypponen leads RSA refuseniks to NSA-free infosec chatfest
Register
It was probably inevitable: a group of RSA Conference refuseniks have established a rival conference within walking distance of the original. The one-day TrustyCon, to be held on 27 February at the AMC Metreon Theatre in San Francisco, has drawn Mikko ...

 
Two Mexican nationals have been arrested in Texas after they allegedly attempted to enter the U.S. with fraudulent credit cards that could be tied to the massive Target data breach.
 
Hewlett-Packard today launched a new online promotion that discounts several consumer PCs by $150 when equipped with Windows 7, saying the four-year-old OS is "back by popular demand."
 
RETIRED: Oracle January 2014 Critical Patch Update Multiple Vulnerabilities
 
Network Security Services 'ssl_Do1stHandshake()' Function Information Disclosure Vulnerability
 
Moodle 'profile' Fields Multiple Cross Site Request Forgery Vulnerabilities
 
Starbucks CVE-2014-0647 Information Disclosure Vulnerability
 
IBM Tivoli Federated Identity Manager Business Gateway Security Bypass Vulnerability
 
Cxxtools CVE-2013-7298 Infinite Loop Denial of Service Vulnerability
 
Drupal Ubercart Module Session Fixation Vulnerability
 

In any study of internet traffic, you'll notice that one of the top activities of attackers is to run port scans looking for open SSH servers, usually followed by sustained brute-force attacks.  On customer machines that I've worked on, anything with tcp/22 open for SSH, SFTP (the SSH file-transfer subsystem, not FTP tunnelled over SSH) or SCP will see so many login attempts on that port that using the system logs to troubleshoot any other problem on the system becomes very difficult.

We've written this up many times, and often one of the first things people do, thinking that it will protect them, is move their SSH service to some other port.  People will often choose 2222, 222 or some other "logical" variant as the new home for SSH.  This only takes away the background noise of automated attacks; real attackers will still find your service.  We've covered this phenomenon, and real options for protecting open services like SSH, in the past (search for ssh inurl:isc.sans.edu for a list).

What got me thinking about this was a bit of "data mining" I did the other night in the DShield database, using the reporting interfaces on the ISC site as well as our API.  Port 22 of course remains near the top of our list of attacked ports:
https://isc.sans.edu/port.html?startdate=2013-01-01&enddate=2014-01-16&port=22&yname=sources&y2name=targets

However, this past week we saw an unusual spike in TCP port 222:
https://isc.sans.edu/api/topports/records/10/2014-01-13
and
https://isc.sans.edu/api/topports/records/10/2014-01-14

 

On the 14th, port 222 actually topped our list.  The event lasted only two days and was sourced primarily from just two IP addresses.  Note the other spike in December.

https://isc.sans.edu/port.html?port=222

 

This looked like a full internet scan for port 222, sourced from those two addresses (I won't call them out here).  Looking closer at the IPs, they didn't look like anything special; in fact, one was in a DSL range.  Two days for a full scan from such a host is about right, given the fast scanning tools available these days and the bandwidth a home user will usually have.
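The kind of check that turns the "data mining" described above into something you can run every morning is a baseline comparison: for each port, compare today's record count with the median of its recent days, and note when a spike is carried by only a handful of sources. The script below is an added example, not code from the ISC diary or from DShield. Its sample data is constructed and only loosely shaped like the topports API output (records, sources and targets per port); the real field names and response structure may differ, and the "logical variant" heuristic is this example's own guess at what an admin picks when renaming a port.

```python
"""Flag a one-off port spike in daily top-port summaries (added example)."""
from statistics import median

# Constructed per-day summaries: port -> (records, sources, targets).
# tcp/22 and tcp/3389 are noisy every day; tcp/222 is quiet except for two
# days on which two sources sweep a large part of the address space.
SAMPLE_DAYS = [
    ("2014-01-10", {22: (210_000, 8_900, 61_000), 3389: (160_000, 6_400, 48_000), 222: (1_400, 55, 900)}),
    ("2014-01-11", {22: (205_000, 8_700, 60_000), 3389: (158_000, 6_300, 47_500), 222: (1_100, 48, 800)}),
    ("2014-01-12", {22: (215_000, 9_100, 62_000), 3389: (161_000, 6_500, 48_200), 222: (1_300, 52, 850)}),
    ("2014-01-13", {22: (208_000, 8_800, 60_500), 3389: (159_000, 6_400, 47_900), 222: (240_000, 2, 190_000)}),
    ("2014-01-14", {22: (212_000, 9_000, 61_500), 3389: (160_000, 6_400, 48_000), 222: (310_000, 2, 230_000)}),
    ("2014-01-15", {22: (209_000, 8_900, 60_800), 3389: (158_500, 6_300, 47_600), 222: (1_250, 50, 870)}),
]

# Services people commonly "hide" by moving them to a nearby port number.
COMMON_PORTS = (21, 22, 23, 25, 80, 443, 3389)


def logical_variants(base):
    """Heuristic (this example's own): ports an admin might pick as a
    'logical' stand-in for base: digit repeats (2222, 2323, 8080),
    zero-padding (2200, 8000) and a repeated leading digit (222, 33389)."""
    s = str(base)
    cands = {s * k for k in (2, 3)}
    cands |= {s + "0" * k for k in (1, 2)}
    cands |= {s[0] + s, s[0] * 2 + s}
    return {int(c) for c in cands if int(c) <= 65535 and int(c) != base}


LOGICAL_VARIANT_PORTS = {v for b in COMMON_PORTS for v in logical_variants(b)}


def looks_like_logical_variant(port):
    """True if the port is a predictable rename of a common service port."""
    return port in LOGICAL_VARIANT_PORTS


def find_spikes(days, factor=5.0, min_history=2, sweep_ratio=1_000):
    """Return one dict per (date, port) whose record count is at least
    `factor` times the median of that port's earlier days.  A spike is a
    'few_source_sweep' when records per source are extreme, which is what a
    couple of hosts scanning the whole address space looks like."""
    history = {}   # port -> list of earlier record counts
    spikes = []
    for date, ports in days:
        for port, (records, sources, targets) in ports.items():
            past = history.setdefault(port, [])
            if len(past) >= min_history:
                base = median(past)
                if base > 0 and records >= factor * base:
                    spikes.append({
                        "date": date, "port": port, "records": records,
                        "baseline": base, "sources": sources, "targets": targets,
                        "few_source_sweep": sources > 0 and records / sources >= sweep_ratio,
                        "logical_variant": looks_like_logical_variant(port),
                    })
            past.append(records)   # today becomes part of tomorrow's baseline
    return spikes


if __name__ == "__main__":
    for s in find_spikes(SAMPLE_DAYS):
        print(f"{s['date']} tcp/{s['port']}: {s['records']} records vs baseline "
              f"{s['baseline']:.0f}, {s['sources']} sources, "
              f"sweep={s['few_source_sweep']}, logical_variant={s['logical_variant']}")
```

On the constructed data this reports tcp/222 on the 13th and 14th only, with both days marked as a few-source sweep; the quiet days and the permanently noisy ports stay silent because the comparison is against each port's own history rather than an absolute threshold.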

The moral of the story?  No matter where you move your listening TCP ports to, someone is scanning that port looking for your open service.  Using a "logical" approach to picking a new port number (for instance, 222 for scp or ssh, 2323 for telnet and so on) just makes the attacker's job easier.  And that only accounts for automated tools doing indiscriminate scanning.  If your organization is being targeted, a full port scan of your entire IP range takes only a few minutes to set up and will complete within an hour; even on a "low and slow" timer (to avoid your IPS or to keep the log entry count down), it'll likely be done within a day or two.  Moving your open service to a non-standard port is no protection at all if you are being targeted.

If you don't absolutely need to have a service on the public internet, close the port.  If you need to offer the service, put it behind a VPN so that only authorized folks can get to it.  And in almost all cases, you don't need that SSH port (whatever the port number is) open to the entire internet.  Restricting it to a known list of IP addresses or, better yet, putting it behind a VPN is by far the best way to go.  If you MUST have "common target" services like SSH open to the internet, use public-key (or SSH certificate) authentication instead of, or in addition to, passwords, and consider a log-driven blocking tool such as fail2ban, which bans a source after repeated failures, so that once the brute-force attacks start you have a method to "shun" the attacker (though neither of these measures will hide the port from a basic port scan).
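The advice above maps onto a handful of sshd_config directives, and the mistake that undoes it is usually a second copy of a directive further down the file: sshd_config(5) states that for each keyword the first value obtained is used, so a "PasswordAuthentication no" added at the bottom changes nothing. The script below is an added example, not part of the diary, that audits a config for the settings the advice calls for and rewrites it so the hardened values come first. The sample config, the check thresholds (MaxAuthTries 3) and the group name "sshusers" are this example's own assumptions; restricting the port to known source addresses is a firewall or VPN job and is deliberately not attempted here.

```python
"""Audit and harden an sshd_config for an internet-exposed sshd (added example).

Semantics relied on: keywords are case-insensitive, "keyword value" or
"keyword=value" both parse, '#' starts a comment, the FIRST value sshd reads
for a keyword wins, and directives after a "Match" line are conditional, so
they are not treated as global settings here.
"""
import re

# Directive -> value required on an internet-facing sshd.  "Port" is absent on
# purpose: moving it is not a control (see the diary above).
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "maxauthtries": "3",        # threshold chosen for this example
}
DISPLAY = {
    "passwordauthentication": "PasswordAuthentication",
    "challengeresponseauthentication": "ChallengeResponseAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "permitrootlogin": "PermitRootLogin",
    "maxauthtries": "MaxAuthTries",
}
_SPLIT = re.compile(r"\s*=\s*|\s+")

# Constructed sample, not taken from any real host.  Note the "moved" port.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 222
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_global(text):
    """Return {keyword_lower: (value, lineno)} keeping the first occurrence of
    each keyword and stopping at the first Match block."""
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, (value, lineno))
    return seen


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_global(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{DISPLAY[key]} not set explicitly (want {want}); "
                            "the compiled-in default applies")
        elif key == "maxauthtries":
            if not got[0].isdigit() or int(got[0]) > int(want):
                findings.append(f"line {got[1]}: MaxAuthTries {got[0]} (want <= {want})")
        elif got[0].lower() != want:
            findings.append(f"line {got[1]}: {DISPLAY[key]} {got[0]} (want {want})")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt to log in")
    return findings


def harden(text, allow_groups=()):
    """Prepend the required directives (so they win) and comment out any later
    global copies of the same keywords so the file stays readable."""
    header = ["# --- hardened settings: first value wins in sshd ---"]
    header += [f"{DISPLAY[k]} {v}" for k, v in REQUIRED.items()]
    if allow_groups:
        header.append("AllowGroups " + " ".join(allow_groups))
    header.append("# --- end hardened settings ---")
    out, in_match = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = _SPLIT.split(line, maxsplit=1)[0].lower() if line else ""
        if key == "match":
            in_match = True
        if not in_match and key in REQUIRED:
            out.append("#" + raw + "   # overridden by hardened block above")
        else:
            out.append(raw)
    return "\n".join(header + out) + "\n"


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("finding:", f)
    print(harden(WEAK_CONFIG, allow_groups=["sshusers"]))
```

Run the audit before and after `harden()` (and after every edit to the file) and reload sshd from a second session so a mistake does not lock you out; the audit intentionally keeps complaining until an AllowUsers or AllowGroups line exists, because that is the one setting the script cannot guess for you.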

===============
Rob VandenBrink
Metafore

 
Your company's value zone has more to do with the employees who deliver your services than the services themselves.
 
 
The e-mail received by EFF staffers carrying a link to malware that has been connected with a Vietnamese government campaign against bloggers.

The Electronic Frontier Foundation has published details of an attempted malware attack on two of its employees by a group of hackers associated with the Vietnamese government. The hacker group, known as Sinh Tử Lệnh, has targeted Vietnamese dissidents and bloggers in the past; it now appears that the campaign has been extended to attacks on US activists and journalists who publish information seen as critical of the Vietnamese government.

The Vietnamese government has gone after bloggers in its own country before, and as of last year it had jailed 18 independent journalists—bloggers being the only journalists in the country not affiliated with state-run media. And since 2009, the hacker group has taken that campaign beyond Vietnam's borders, targeting members of the Vietnamese diaspora critical of the Hanoi regime.

In December, two staff members of the EFF received e-mails from someone claiming to be from Oxfam International, inviting them to “Asia Conference.” The e-mail, from a Gmail address for “Andrew Oxfam,” appeared to have been sent to a list and included links to two documents that appeared to be information on the conference shared over Google Drive.


 
"I should have added a 6."
MGM

An annual list of the most commonly used passwords, a source of both humor and sadness to the human race, shows a change at the top for the first time in three years.

SplashData, a maker of password management software, started analyzing passwords leaked by hackers in 2011 and for the first two years of its study found that "password" was the most commonly used password, ahead of "123456."

The two switched places in 2013, according to the latest list released over the weekend. The new rankings were influenced by a hack on Adobe that revealed 130 million passwords protected only by reversible encryption. Security firm Stricture Consulting Group was able to reveal the top 100 passwords from the Adobe hack, and "123456" came in first by a long shot. Stricture found 1.91 million uses of "123456" compared to 446,162 uses of "123456789" and 345,834 uses of "password." Only 43,497 people used the password for Druidia's air shield and President Skroob's luggage.


 
Most of today's applications, and all of tomorrow's, are built with the cloud in mind. That means yesterday's infrastructure -- and accompanying assumptions about resource allocation, cost and development -- simply won't do.
 
Mobility has brought back I/O problems after two decades. (Insider; registration required)
 
RETIRED: Microsoft December 2013 Advance Notification Multiple Vulnerabilities
 
RETIRED: Microsoft November 2013 Advance Notification Multiple Vulnerabilities
 
After a month-long wait, some owners of Microsoft's Surface Pro 2 tablet this weekend said that they received a fix for a faulty firmware update that exhausted their batteries and caused sleep mode problems.
 
Changes in Google Chrome extension ownership can expose thousands of users to aggressive advertising and possibly other threats, two extension developers have recently discovered.
 
Enterprise mobility management (EMM) can encompass a broad range of functions, from managing mobile devices, to applications, expenses, personnel, and policies. But perhaps the most important aspect is mobile information/data/content management, tracking the distribution and usage of sensitive organizational data, as well as ensuring appropriate security and policy compliance.
 
[SECURITY] [DSA 2831-2] puppet regression update
 
[SECURITY] [DSA 2845-1] mysql-5.1 security update
 
RETIRED: Adobe Reader and Acrobat APSB14-01 Prenotification Multiple Vulnerabilities
 
RETIRED: Microsoft January 2014 Advance Notification Multiple Vulnerabilities
 
[SECURITY] [DSA 2846-1] libvirt security update
 
SI6 Networks' IPv6 Toolkit v1.5.2 released!
 
Oracle VM VirtualBox CVE-2014-0405 Local Security Vulnerability
 
Oracle VM VirtualBox CVE-2014-0406 Local Security Vulnerability
 
Oracle VM VirtualBox CVE-2014-0404 Local Security Vulnerability
 
[ MDVSA-2014:010 ] memcached
 
[ MDVSA-2014:008 ] openjpeg
 
[ MDVSA-2014:007 ] openssl
 
Oracle VM VirtualBox CVE-2014-0407 Local Security Vulnerability
 
gdomap Multiple Local Information Disclosure Vulnerabilities
 
gdomap Arbitrary Configuration File Line Count 'load_iface()' Integer Overflow Vulnerability
 
Cisco Secure Access Control System RMI Interface Authorization Bypass Vulnerability
 
Oracle Java SE CVE-2014-0417 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5905 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-0382 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5889 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5899 Remote Security Vulnerability
 
Oracle Java SE CVE-2013-5888 Local Security Vulnerability
 
Oracle Java SE CVE-2013-5878 Remote Security Vulnerability
 