Hackin9

The number of drive-by malware attacks that exploit vulnerabilities in Microsoft's Silverlight application framework may be surpassing those that abuse Oracle's Java framework, according to a recent analysis of one popular hack-by-numbers tool kit.

Since April 23, the Angler exploit kit has shown a significant uptick in attacks that target Silverlight users, according to a blog post published Monday by Levi Gundert, technical lead in Cisco Systems' threat research group. While the Silverlight exploits were accompanied by attacks that also targeted Adobe's Flash player, the recent campaign failed to trigger vulnerabilities in Oracle's Java framework, which, over the past couple of years, has become widely targeted by malicious hackers who surreptitiously install malware by exploiting vulnerable software on end users' computers.

To succeed, the Angler campaign observed by Gundert had to exploit two Silverlight vulnerabilities, one that Microsoft patched 14 months ago and the other that was fixed in October. CVE-2013-0074 gave attackers the ability to remotely execute malicious code, while CVE-2013-3896 provided the means to bypass data execution prevention, a security mitigation added to most Microsoft applications in recent years. The measure prevents most data loaded into memory from being executed.


 
Cisco IOS XR Software DHCPv6 Packet Handling CVE-2014-3271 Denial of Service Vulnerability
 
Cisco Unified Web and E-Mail Interaction Manager Session Identifiers Security Bypass Vulnerability
 

Bill Aims to Strengthen DHS InfoSec Staff
GovInfoSecurity.com
A Senate committee is set to debate and vote on a bill to help beef up the Department of Homeland Security's cybersecurity workforce. The DHS Cybersecurity Workforce Recruitment and Retention Act of 2014, if enacted, would give the department the ...

 
Andrew 'weev' Auernheimer, whose struggles with U.S. prosecutors have fueled calls for reforming the Computer Fraud and Abuse Act, wants the government to pay him $13 million for imprisoning him for the past three years.
 

A malicious app targeting Android users has grown so fully featured that researchers said it has become one of the most expensive pieces of malware available in underground markets. The story helps demonstrate the high potential of Android-based trojans as operators of traditional PC-based fraud search for ways to bypass the increasing use of two-factor authentication.

Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device's microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset.

An analysis published Tuesday by researchers from Symantec explained:


 
Cisco IOS Software LLDP Request Processing Denial of Service Vulnerability
 
Cisco IOS XR Software DHCPv6 Packet Handling CVE-2014-3270 Denial of Service Vulnerability
 
Adobe Flash Player and Adobe AIR CVE-2014-0510 Heap Based Buffer Overflow Vulnerability
 
Cisco Email Security Appliance Remote Security Bypass Vulnerability
 
The troubled Windows RT operating system got nary a mention at Microsoft's Surface event today, but don't plan for RT's funeral just yet.
 
Anticipating a storage crunch spurred by big data, IBM and Fujifilm are advancing magnetic tape with a prototype capable of storing 85.9 billion bits of data per square inch.
 
Google is hoping to lure users to spending more time on its social network with a new photo playback feature for Google+ called "Stories."
 
Customer satisfaction with Microsoft's software -- primarily Windows, but also Office -- climbed slightly in the last year, according to the American Customer Satisfaction Index.
 
Republican legislators don't even want the U.S. Federal Communications Commission to think about reclassifying broadband as a utility -- a route the regulator could take in order to reinstate net neutrality rules.
 
Less than a week after Russia threatened to stop its work on the International Space Station (ISS), NASA's chief said work on the orbiter will continue on with, or without, Russia's cooperation.
 
Birebin.com for Android CVE-2014-2993 X.509 Certificate Validation Security Bypass Vulnerability
 
Adobe Reader and Acrobat CVE-2014-0527 Use After Free Remote Code Execution Vulnerability
 
Microsoft today doubled down on its strategy of pushing the Surface tablet as a 2-in-1 device that does duty as laptop or tablet, serving not consumers but business customers.
 
A new solar power project will provide HP's Palo Alto headquarters with 20% of its power and save it $1 million over the next 20 years.
 
Microsoft Internet Explorer CVE-2014-0310 Memory Corruption Vulnerability
 

Usually, your operating system will be assigned a DNS server either via DHCP (or router advertisements in IPv6) or statically. The resolver library on a typical workstation will then pass all DNS lookups to this set of DNS servers. However, malware sometimes tries to use its own DNS servers, and blocking outbound port 53 traffic (UDP and TCP) to anything other than the assigned resolvers, and logging the blocked attempts, can help identify these hosts.

Brent, one of our readers, does just that and keeps finding infected machines that way. Just now, he is investigating a system that attempted to connect to the following name servers:

101.226.4.6
114.114.114.114
114.114.115.115
123.125.81.6
140.207.198.6
202.97.224.69
211.98.2.4
218.30.118.6
14.33.133.189

He has not yet identified the malware behind this, and none of the other systems he runs have flagged it ("we are running bluecoat web filter AND we're using OpenDNS AND I'm running snort"). Brent uses oak (http://ktools.org/oak/) to help him watch his logs and alert him to issues like this.

According to the Farsight Security passive DNS database, these IPs resolve to a number of "interesting" hostnames. I am just showing a few here (the full list is too long).

ns-facebook-[number]-[number].irl-dns.info   <- the [number] part appears to be a random number
*.v9dns.com    <- '*' to indicate various host names in this domain.
v2.3322pay.com
bjcgsm.com
sf5100.com
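The detection the diary describes (allow DNS only to the resolvers handed out by DHCP, log everything else on port 53, and look at which internal hosts show up) can be scripted over ordinary egress logs. The following is an added example written for this page; it is not Brent's setup, oak, or any ISC tool. It assumes a constructed firewall log format of the form `<time> <src> -> <dst>:<port>/<proto> <action>`, an internal range of 10.0.0.0/8, and two made-up approved resolvers; the rogue destinations in the sample are the name servers listed above, while the source hosts, times and resolver addresses are constructed.

```python
"""Flag internal hosts whose DNS traffic bypasses the approved resolvers."""
import ipaddress
import re
from collections import defaultdict

# Resolvers handed out by DHCP on this (assumed) network. Any other
# destination on port 53 leaving the LAN is treated as suspicious.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# One flow per line: "<time> <src> -> <dst>:<port>/<proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)/"
    r"(?P<proto>udp|tcp)\s+(?P<action>allow|deny)$"
)

# Constructed sample log. Rogue destinations are taken from the diary's list;
# hosts, timestamps and the 10.0.x.53 resolvers are made up. The 8.8.8.8 line
# shows that a public resolver is flagged too: it is not the assigned one.
SAMPLE_LOG = """\
2014-05-20T09:01:02 10.0.5.17 -> 10.0.0.53:53/udp allow
2014-05-20T09:01:03 10.0.5.17 -> 93.184.216.34:443/tcp allow
2014-05-20T09:01:04 10.0.5.42 -> 114.114.114.114:53/udp deny
2014-05-20T09:01:04 10.0.5.42 -> 114.114.115.115:53/udp deny
2014-05-20T09:01:05 10.0.5.42 -> 101.226.4.6:53/tcp deny
2014-05-20T09:01:06 10.0.5.42 -> 10.0.1.53:53/udp allow
2014-05-20T09:01:07 10.0.5.99 -> 8.8.8.8:53/udp deny
2014-05-20T09:01:08 10.0.5.99 -> 8.8.8.8:53/udp deny
2014-05-20T09:01:09 10.0.6.3 -> 114.114.114.114:53/udp deny
2014-05-20T09:01:10 10.0.5.17 -> 10.0.0.53:5353/udp allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_rogue_dns(rec, approved=APPROVED_RESOLVERS):
    """True if the flow is DNS (53/udp or 53/tcp) from an internal host to a
    resolver that is not on the approved list. The firewall action is
    deliberately ignored: a flow that was allowed is still worth a look."""
    if rec["port"] != 53:
        return False
    if ipaddress.ip_address(rec["src"]) not in INTERNAL_NET:
        return False
    return rec["dst"] not in approved


def find_rogue_dns(log_text, approved=APPROVED_RESOLVERS):
    """Return {internal_host: sorted list of unapproved resolvers it tried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_rogue_dns(rec, approved):
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def resolvers_by_host_count(hits):
    """Invert the result: which rogue resolver was contacted by how many hosts.
    Several hosts sharing the same odd resolver is a stronger sign that one
    piece of malware is behind all of them than a single host's lone hit."""
    counts = defaultdict(int)
    for dsts in hits.values():
        for dst in dsts:
            counts[dst] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = find_rogue_dns(SAMPLE_LOG)
    for src, dsts in sorted(hits.items()):
        print(f"{src}: {', '.join(dsts)}")
    for dst, n in resolvers_by_host_count(hits):
        print(f"{dst} contacted by {n} host(s)")
```

Run against the sample, three hosts are reported (10.0.5.42, 10.0.5.99 and 10.0.6.3) and 114.114.114.114 stands out as the resolver shared by two of them; the host that only talks to the assigned resolvers, and the 5353/udp flow, are ignored. Anything flagged this way is a lead, not a verdict: the next step is the passive DNS lookup the diary goes on to describe.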
 


------------------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft Silverlight vulnerabilities are increasingly being exploited in drive-by download attacks to infect computers with malware, especially through malicious ads.
 
Collabtive 'desc' Parameter HTML Injection Vulnerability
 
The latest version of Microsoft's tablet, the Surface Pro 3, eliminates the need for users to also have a laptop, the company said Tuesday at a launch event.
 
Verizon Wireless launched XLTE network coverage in more than 250 U.S. cities on Monday, promising its customers twice the 4G LTE bandwidth and "faster peak speeds" in those areas.
 

A security study drawing data from more than 1,600 networks over a six-month period found that 97 percent of the networks experienced some form of breach—despite the use of multiple layers of network and computer security software. The study, performed by analysts from security appliance vendor FireEye and its security consulting wing Mandiant, compared current network defenses to the Maginot Line, the infamous French fortress chain that the Germans bypassed during their May 1940 invasion.

The data collected from network and e-mail monitoring appliances from October 2013 to March 2014 also showed that three-quarters of the networks had command-and-control traffic indicating the presence of active security breaches connected to over 35,000 unique command-and-control servers. Higher-education networks were the biggest source of botnet traffic.

FireEye and Mandiant analyzed real-time data from 1,614 FireEye appliances that had been placed on networks as part of “proof of value” trials; the devices provided monitoring. Each of the networks already had a “defense in depth” architecture, combining firewalls, intrusion detection and prevention systems, and antivirus software. Despite that, the appliances detected over 208,000 malware downloads across the monitored networks, of which 124,000 were unique malware variants.


 
Apple Mac OS X CVE-2014-1318 Remote Security Bypass Vulnerability
 
Multiple Apple Products CVE-2014-1320 Local Security Bypass Vulnerability
 

The Chinese government has banned the installation of Windows 8 on government PCs, reports Re/code. The Central Government Procurement Center issued a directive last week barring the use of Microsoft's latest operating system as an energy-saving measure, according to Re/code.

State news agency Xinhua gave a different reason for the ban: it's to ensure system security after Microsoft ended support for Windows XP. The unsupported operating system is still estimated to be used on as much as half of the Chinese desktop market.

How the ban makes sense, either as a security measure or an energy-saving one, isn't clear. Lest there be any doubt, the solution to Windows XP's security problems—it's vulnerable to a number of unpatched flaws already—is to stop using it. Not ban the use of an actively supported operating system.


 
IBM has acquired virtual assistant software startup Cognea, with plans to roll its capabilities into the Watson cognitive computing platform.
 
China has banned the use of Windows 8 on government computers, a move officials there claimed was a reaction to the end of Windows XP's support.
 
SAP is scooping up SeeWhy, maker of real-time targeted marketing software, in a bid to flesh out the omni-channel commerce platform it gained through last year's acquisition of Hybris.
 

A couple of weeks ago, Dropbox announced that it had invalidated some old "shared links" that users had used to share confidential documents, like tax returns [1]. The real question, of course, is how these tax returns got exposed in the first place.

Dropbox usually requires a username and a password to access documents, and even offers a two-factor solution as an option. But regardless, the user may allow a document to be accessed by anyone who knows the "secret" link.

As we all know, the problem is that "secret" links leak easily. But as users rely more on cloud services to share files, and passwords for each shared file are way too hard to set up, this is going to happen more and more. Dropbox isn't the only such service that offers this feature. In a recent discussion with some banks, the problem came up because more and more customers attempt to share documents with the bank this way for things like mortgage applications. While the banks do refuse to accept documents that way, the pressure exists, and I am sure other businesses with less regulatory pressure will happily participate.

For a moment, let's assume the cloud service works "as designed" and your username and password are strong enough. Cloud services can be quite useful as a cheap "offsite backup", for example to keep a list of serial numbers of your possessions in case of a burglary or a catastrophic event like a fire. But as soon as you start sharing documents, you run the risk of others not taking care of them as well as you would. Maybe their passwords are no good, or maybe they let the "secret link" you gave them wander.

Confidential personal, financial or medical information should probably not go into your cloud account. And if it does, encrypt it before uploading.

Here are a couple of steps to de-cloud your life:

- Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS, but you will have to run the server. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.

- Run your own mail server. This can be a real pain, and even large companies move mail services to cloud providers (only to regret it later ...?). But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems that provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.

- Offsite backup at a friend's or relative's house. With the widespread availability of high-speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again go over a VPN.

- For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.

Any other tips to de-cloud?

[1] https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 
In the age of "Penguin," "Panda," "Hummingbird" and other big Google algorithm updates, winning the search engine optimization (SEO) game means publishing high-quality content that earns links. But all the quality content in the world won't help your search rankings if your site has structural or other technical issues.
 
In this month's Resume Makeover, career expert and certified professional resume writer Laura Smith-Proulx unearths highlights from under a mountain of detail.
 
Despite competitors and politicians lining up to complain about Google, the EU's Competition Commissioner on Tuesday defended his decision to settle an antitrust case against the search giant.
 
Researchers at Sandia National Laboratories are working on a computer that can tackle real-world situations in real-time and can run on the same power as a 20-watt light bulb.
 
t2'14: Call for Papers 2014 (Helsinki / Finland)
 
Construtiva CIS Manager CMS POST SQLi
 
[SECURITY] [DSA 2934-1] python-django security update
 
[security bulletin] HPSBGN03007 rev.1 - HP IceWall MCRP and HP IceWall SSO, Remote Denial of Service (DoS)
 
China's state-controlled media released Tuesday a report that claims the U.S. hacked into Chinese systems using phishing attacks.
 
There's a big showdown coming in IT pitting no-name hardware with overlaid software against purpose-built architectures that stretch from data centers to the edges of networks, Cisco CEO John Chambers says.
 
Apple and Samsung Electronics told a court in California that they had failed to reach a settlement in their patent dispute, suggesting that a deal akin to that between Google and Apple may not be on the cards anytime soon.
 
Symantec's latest product, Norton Small Business, is perhaps the most well-rounded offering the company has inserted into its product array for small companies.
 
The NRA and other gun right advocacy groups say they have no problem with adding technology to guns, as German-based Armatix has now done. But legislation mandating the technology will mean a fight.
 
Years of striving for IT/business alignment have resulted in a service provider mentality within IT, one that casts the business as the customer who's always right. Some analysts are exhorting CIOs to grasp the reins of leadership instead.
 
FTP Rush: missing X.509 validation (FTP with TLS)
 
[SECURITY] [DSA 2933-1] qemu-kvm security update
 
JavaMail SMTP Header Injection via method setSubject [CSNC-2014-001]
 

Posted by InfoSec News on May 20

http://www.theregister.co.uk/2014/05/19/lifelock_yanks_mobile_app/

By John Leyden
The Register
19 May 2014

LifeLock has withdrawn its Wallet App and deleted user data over concerns
the technology falls short of user data protection rules under the payment
card industry's Data Security Standard (PCI DSS).

In a statement Todd Davis, chairman and chief exec of LifeLock, said it
was suspending the app as a precaution - not in response to a...
 

Posted by InfoSec News on May 20

http://www.whig.com/story/25558098/mark-twain-casino-among-11-casinos-reporting-security-breach

By Edward Husar
Herald-Whig Staff Writer
May 19, 2014

LaGRANGE, Mo. -- Affinity Gaming, which owns Mark Twain Casino in LaGrange
and 10 other casinos in four states, has confirmed that its credit and
debit card system for non-gaming purchases has been hacked.

In a press release, the Las Vegas-based corporation said the security
breach...
 

Posted by InfoSec News on May 20

http://www.haaretz.com/news/diplomacy-defense/.premium-1.591665

By Gili Cohen
Haaretz.com
May 20, 2014
Iyyar 20, 5774

Speaking at the CyberNight conference at the Shamoon College of
Engineering in Be’er Sheva, Maj. A., the Military Intelligence legal
adviser, described the role of legal consulting in the era of cybernetic
warfare, saying that “Although the field is not regulated – and because
the field is not regulated – the legal...
 

Posted by InfoSec News on May 20

http://www.darkreading.com/risk/how-to-talk-about-infosec-to-your-board-of-directors/a/d-id/1251100

By Steve Durbin
Dark Reading
5/19/2014

In our global economy, the rapid evolution of technology has caused a
massive shift in the information security landscape. Businesses are
finding that they have more limited resources than ever before which must
be prioritized to areas of greatest need or return. The task of
determining priorities is...
 

Posted by InfoSec News on May 20

http://www.infosecnews.org/u-s-department-of-justice-indicts-five-members-of-the-chinese-pla-unit-61398-for-cyber-espionage/

By William Knowles
Senior Editor
InfoSec News
May 19, 2014

For the first time ever, a U.S. grand jury in the Western District of
Pennsylvania has indicted five Chinese military hackers for computer
hacking, economic espionage, trade secret theft, aggravated identity
theft, and other offenses directed at six American...
 
Cisco Unified Web and E-Mail Interaction Manager CVE-2014-2192 Cross Site Scripting Vulnerability
 
Cisco IOS XR Software CVE-2014-3269 SNMP Request Processing Denial of Service Vulnerability
 

Radical or Lazy, what type of info sec practitioner are you?
CSO Magazine (blog)
Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing CISSP, CISM, CSEPS and CISA.

 
Symantec Workspace Streaming XMLRPC Unauthorized Access Vulnerability
 