(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits.

Prolific exploit sleuth Kafeine uncovered the addition to Angler, an exploit kit available in underground forums. The zero-day vulnerability was confirmed by Malwarebytes. Malwarebytes researcher Jérôme Segura said one attack he observed used the new exploit to install a distribution botnet known as Bedep.

Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.



Last week's arrest of a man alleged to help run the Silk Road 2.0 online drug bazaar has touched off speculation he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.

In a search warrant affidavit filed earlier this month, a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:

From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.

The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed.

The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials. For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.


The Election Assistance Commission (EAC) and the National Institute of Standards and Technology (NIST) are sponsoring a two-day symposium to explore emerging trends in voting. The symposium will take place Feb. 9 and 10, 2015, at the ...
Oracle Java SE CVE-2015-0412 Remote Java SE Vulnerability
Oracle Java SE CVE-2015-0383 Local Java SE, Java SE Embedded, JRockit Vulnerability
Oracle Java SE CVE-2014-6591 Remote Java SE Vulnerability
Oracle Java SE CVE-2015-0407 Remote Java SE Vulnerability
Oracle Java SE CVE-2014-6585 Remote Java SE Vulnerability
Oracle Java SE CVE-2015-0410 Remote Java SE, Java SE Embedded, JRockit Vulnerability
Oracle Java SE CVE-2014-6601 Remote Java SE Vulnerability

Developers of the Firefox browser want to better protect user privacy by limiting the amount of data contained in Referer headers.

The "meta referrer," as the new feature is dubbed, is aimed at stemming the ballooning amount of information many sites stuff into Referer headers, Mozilla Security and Privacy Engineer Sid Stamm wrote in a blog post published Wednesday. Referer headers started out as a way for website operators to know which external link users clicked on to arrive at the page they are currently viewing. Over time, the information contained in such links has mushroomed and often includes usernames, site preferences, and other data that reveals personal information. Some sites have worked around this privacy invasion by erecting an elaborate set of redirects that strip some of that data out of Referer headers.

"This HTTP header has become quite problematic and not very useful, so we're working to make it better," Stamm wrote.



Oracle released its quarterly Critical Patch Update (CPU). This quarter's CPU fixes a total of 169 vulnerabilities across the entire Oracle product portfolio.

For end users, Java is probably the most important part of this update. This time around, 13 Java vulnerabilities are patched that allow remote code execution.

None of the vulnerabilities in Oracle Database, the flagship database product, are remotely exploitable without authentication. But one bug in particular got some press, as it exposes a rather simple configuration issue in Oracle's database that allows privilege escalation within the database.

Yesterday, we talked about privilege escalation in Linux. Similar problems exist in databases. Your end-user application (often a web application) should only connect back to the database using a user with carefully tailored permissions. However, all users need limited access to some system tables, for example, to be able to find the tables they have access to.

In this case, the table in question is called DUAL. This table has only one column and one value: X. It is commonly used in queries such as SELECT sysdate FROM DUAL. sysdate isn't an actual column, but by selecting it from the DUAL table we can make this look like a normal SQL query.

Given this, the DUAL table doesn't really need any indexes, particularly since it only contains one value. Nevertheless, Oracle allows all users to create indexes on this table. For the non-Oracle DBA, this may not sound that bad. But Oracle has a neat feature, function-based indexes, that builds an index on the result of a user-defined function. This can lead to more efficient indexes if specific functions are used to query the table.

An attacker can now define a function that would grant the attacker DBA privileges, and then ask the database to create an index using this function. When the index is built, the function that grants DBA privileges is executed.
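As an added defender-side example (not part of this diary), the following Oracle data-dictionary queries let a DBA audit the two conditions described above: who holds the INDEX privilege on SYS.DUAL, and whether any index, in particular a function-based one, exists on DUAL that SYS did not create. It assumes the standard DBA_TAB_PRIVS, DBA_INDEXES and DBA_IND_EXPRESSIONS views and a session entitled to read them; the REVOKE at the end is an assumed interim hardening step, with the grantee to be taken from the first query's output.

```sql
-- Added audit queries (not from the ISC diary). Run as a user with access
-- to the DBA_* data dictionary views.

-- 1. Who may create indexes on SYS.DUAL? A grant to PUBLIC or to an
--    application account is the configuration issue described above.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DUAL'
   AND privilege = 'INDEX';

-- 2. Do any indexes on DUAL exist that SYS did not create? DUAL needs
--    none, so every row returned here deserves a look.
SELECT owner, index_name, index_type, status
  FROM dba_indexes
 WHERE table_owner = 'SYS'
   AND table_name = 'DUAL'
   AND owner <> 'SYS';

-- 3. For function-based indexes on DUAL, show the indexed expression:
--    this is where a user-defined function would appear.
SELECT i.owner, i.index_name, e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner
   AND e.index_name  = i.index_name
 WHERE i.table_owner = 'SYS'
   AND i.table_name  = 'DUAL'
   AND i.index_type LIKE 'FUNCTION-BASED%';

-- 4. Assumed interim mitigation until the CPU is applied: remove the
--    INDEX privilege from whichever grantee query 1 reports (PUBLIC is
--    used here only as a placeholder).
-- REVOKE INDEX ON sys.dual FROM public;
```

Any index returned by query 2 or 3 should be dropped after review, and the grant in query 1 verified again once the patch is installed.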


Johannes B. Ullrich, Ph.D.


The Angler exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 with IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see such 0-day exploits in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog post [1] for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

Johannes B. Ullrich, Ph.D.

LinuxSecurity.com: New samba packages are available for Slackware 14.1 and -current to fix a security issue.

Infosec management strategies and the modern CTO
Help Net Security
Lumenta recently appointed Brandon Hoffman as their new CTO. We took this opportunity to get his perspective on the management strategies that are essential in the information security industry. He also offers advice to those stepping into the CTO role ...


Posted by InfoSec News on Jan 21


By Sweta Killa
Jan 20, 2015

The cyber security industry has gained immense popularity in recent years
and is the fastest-growing corner of the broad technology space. This is
because cyber-attacks on enterprises and government agencies are
widespread with growing Internet usage, raising the need for more
stringent cyber security from hackers.


Posted by InfoSec News on Jan 21


By Kelly Jackson Higgins
Dark Reading

Startup's "power fingerprinting" approach catches Stuxnet infection within
seconds in DOE power grid test bed.

A security startup launching early next week uses trends in power
consumption activity, rather than standard malware detection, to spot...

Posted by InfoSec News on Jan 21


By John E Dunn
Jan 20, 2015

Security experts seem no nearer to confirming the nation state behind the
long-running Uroburos (aka ‘Snake’ or ‘Turla’) cyberweapon (Russia) but
according to German security firm G Data its developers are still hard at

The rootkit’s existence was firmed up...

Posted by InfoSec News on Jan 21


By David Kravets
Ars Technica
Jan 20, 2015

Update: This post was updated Tuesday evening to reflect comments the
president made during his State of the Union address:

President Barack Obama urged Congress and the American public to embrace
cyber security legislation during his State of the Union address Tuesday
evening. The Cyber...

Posted by InfoSec News on Jan 21


By Lucian Constantin
IDG News Service
Jan 20, 2015

Oracle's monster batch of security updates expected Tuesday will include a
fix for a serious misconfiguration issue in its E-Business Suite product
that can give hackers access to databases full of sensitive business

Renowned database...