Hackin9

Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base remains from Paros, meaning that the remainder is new code! Also, ZAP is one of the most active free open source projects around! There are so many excellent features, for example the automated scanner and the interception proxy. That is just for starters. ZAP is:

• Free, open source
• Involvement is actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

Did I mention free?

ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. For penetration testers ZAP has many new features such as Zest support and ZAP integration, Advanced access control testing and user access comparison, Advanced Fuzzing, SOAP web service scanning, and more.

I gave a talk about ZAP at SANSFire recently, the slides can be found at: https://isc.sans.edu/diaryimages/BustacapinawebappwithOWASPZAPSANSFIRE2014.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS Sec560 Network Penetration testing in Albuquerque, NM

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

ISC reader Frank reports seeing a couple of odd DNS names in his DNS resolver log:

4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133

As so often, the first step in the infection chain had been a visit to a benign, but unpatched and hacked, WordPress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent HTTP connection, carrying a Java exploit attempt, was stopped by the proxy filters in Frank's case, so no harm done.

But looking at public passive DNS records, it is obvious that "something" is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013, and are associated with the Magnitude Exploit Kit. Snort and Emerging Threats have decent signatures, and flag the traffic as "MAGNITUDE EK".

The recently used domain names are all within the Indian TLD ".in", and checking the registration information, they were all registered by the same alleged "Ivan Biloev" from Moscow, and all of them via the same registrar (webiq.in). The registrar has even suspended a handful of the domains because of abuse, but apparently continues to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer who has had domains revoked before letting registrations for additional names go through?

Recent Magnitude mal-domains include, to name only a few: speakan.in, busyneeds.in, chancessay.in, futureroll.in, loadsbreak.in, suchimages.in, touchitems.in, waysheader.in, putsediting.in, regionwhole.in, resultsself.in, unlikesolve.in, advisefailed.in, closesthotel.in, comesexpands.in, installseven.in, deducecontact.in, poundscaptain.in, delayattempted.in, lawuniversitys.in, obviouslyheads.in
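The two log entries and the domain list above are enough to build a small resolver-log check. The following is an added example written for this diary, not code from the ISC or from Frank: it parses lines in the "name A=ip  TTL=n NS=ip" format shown above, flags a lookup when its registered domain is on the diary's list, and separately flags names whose subdomain labels have the shape of the two samples (a run of short hexadecimal labels followed by one longer all-letters label). The label-shape thresholds (at least five hex labels of two to seven characters, then eight or more letters) are my assumptions drawn from the two samples, as are the two constructed benign and look-alike lines; the IP addresses in the constructed lines are TEST-NET placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains the diary lists as recent Magnitude EK domains (taken from the page).
KNOWN_MAGNITUDE_DOMAINS = frozenset({
    "speakan.in", "busyneeds.in", "chancessay.in", "futureroll.in",
    "loadsbreak.in", "suchimages.in", "touchitems.in", "waysheader.in",
    "putsediting.in", "regionwhole.in", "resultsself.in", "unlikesolve.in",
    "advisefailed.in", "closesthotel.in", "comesexpands.in", "installseven.in",
    "deducecontact.in", "poundscaptain.in", "delayattempted.in",
    "lawuniversitys.in", "obviouslyheads.in",
})

# One resolver log entry in the format quoted in the diary: "<name> A=<ip>  TTL=<n> NS=<ip>".
LOG_RE = re.compile(r"^(?P<name>\S+)\s+A=(?P<a>\S+)\s+TTL=(?P<ttl>\d+)\s+NS=(?P<ns>\S+)\s*$")

# Label-shape heuristic (assumption drawn from the two logged names):
# a run of short hexadecimal labels, then one longer all-letters label.
HEX_LABEL = re.compile(r"^[0-9a-f]{2,7}$")
ALPHA_LABEL = re.compile(r"^[a-z]{8,}$")
MIN_HEX_LABELS = 5  # assumption; both samples carry seven


@dataclass
class Verdict:
    name: str
    registered_domain: str
    known_domain: bool   # registered domain is on the diary's list
    pattern_match: bool  # subdomain labels have the sampled shape
    a_equals_ns: bool    # answer IP is also the NS IP, as in both samples
    ttl: int

    @property
    def suspicious(self) -> bool:
        return self.known_domain or self.pattern_match


def registered_domain(name: str) -> str:
    """Last two labels; sufficient for the '.in' names discussed here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def matches_magnitude_pattern(name: str) -> bool:
    """True when the labels left of the registered domain fit the sampled shape."""
    sub = name.rstrip(".").lower().split(".")[:-2]
    if len(sub) < MIN_HEX_LABELS + 1:
        return False
    *hex_run, random_label = sub
    return all(HEX_LABEL.match(lbl) for lbl in hex_run) and bool(ALPHA_LABEL.match(random_label))


def analyze(line: str) -> Optional[Verdict]:
    """Parse one log line; returns None for lines not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    name = m["name"]
    reg = registered_domain(name)
    return Verdict(
        name=name,
        registered_domain=reg,
        known_domain=reg in KNOWN_MAGNITUDE_DOMAINS,
        pattern_match=matches_magnitude_pattern(name),
        a_equals_ns=m["a"] == m["ns"],
        ttl=int(m["ttl"]),
    )


def suspicious_names(lines) -> List[str]:
    """Names worth a closer look, in log order; malformed lines are skipped."""
    return [v.name for v in map(analyze, lines) if v is not None and v.suspicious]


# Sample input: the two entries from Frank's log quoted in the diary, followed by
# constructed lines (a benign lookup, a look-alike under an unlisted domain, junk).
SAMPLE_LOG = [
    "4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133",
    "3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133",
    "www.example.com. A=198.51.100.10  TTL=3600 NS=198.51.100.53",  # constructed, benign
    "ab.12f4.9c0de.77.b1a2.0f1e2.qwertyzxcvbnm.unlisted.example. A=198.51.100.20  TTL=30 NS=198.51.100.20",  # constructed look-alike
    "garbage line",  # constructed: malformed, skipped
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        v = analyze(entry)
        if v is None:
            continue
        flag = "SUSPECT" if v.suspicious else "ok"
        print(f"{flag:7} {v.name}  known={v.known_domain} pattern={v.pattern_match} "
              f"a==ns={v.a_equals_ns} ttl={v.ttl}")
```

The two checks are deliberately independent: the domain list catches traffic to names the diary already attributes to Magnitude, while the label-shape check is what catches the next freshly registered ".in" domain before it appears on any list. The pattern check will produce some false positives on its own, so treat a hit as a pivot for a passive DNS or registrant lookup (as the diary did) rather than as a block decision by itself.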

Brad over at malware-traffic-analysis.net has a write-up [1] on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc., then please share in the comments below or via our contact form.
 

[1] http://malware-traffic-analysis.net/2014/07/15/index.html

In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies.
 
Yahoo has reached an agreement to acquire Flurry, a mobile analytics company, as part of a push to grow its advertising revenue within its mobile products.
 
Google may be among the hopefuls vying to turn the New York City phone booths of the past into "communication points" of the future with free Wi-Fi and cellphone charging.
 
Moving virtual servers around a hybrid cloud environment isn't hard, but managing the data is. That's why NetApp wants to be "the enterprise data-management standard across the enterprise," says CEO Tom Georgens. Network World Editor in Chief John Dix recently caught up with Georgens to get his take on what changes in the cloud computing world.
 
RETIRED: Linux Kernel 'net/l2tp/l2tp_ppp.c' Multiple Local Privilege Escalation Vulnerabilities
 

GAO Identifies Weakness in FDIC InfoSec
BankInfoSecurity.com
Two separate audits by the Government Accountability Office show information security weaknesses at the Federal Deposit Insurance Corp. and significant deficiencies in information system controls at the Treasury Department unit that manages the federal ...
 
Salesforce.com recently launched a new product called Social Studio in spite of the fact that an existing, competing product had already used that name for years, marketing software vendor StrongView Systems alleges in a new trademark-infringement lawsuit.
 
The World Wide Web Consortium wants to bring the power of social media to the enterprise.
 
Red Alert: Israel is a free app for both iOS and Android that provides real-time alerts when missiles or rockets are fired into Israel. It's also become a specialized kind of social network.
 
Oracle Java SE CVE-2014-2483 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-4227 Remote Security Vulnerability
 
Microsoft decision to ax the feature phone business it got when it bought Nokia's handset business for $7.2 billion shows the investment 'went for naught.'
 
Snoopy 'exec()' Arbitrary Command Execution Vulnerability
 
MakerBot has signed a deal with Home Depot to run a pilot program in a dozen stores to sell the ultimate do-it-yourself product.
 
Advocacy group the Electronic Frontier Foundation wants to address the poor security track record of home routers with a new firmware project that will encourage users to share their Internet connection publicly by setting up guest Wi-Fi networks.
 
The Electronic Frontier Foundation, a digital privacy rights group, has released a downloadable plugin for Chrome and Firefox designed to stop third parties from tracking people's Web browsing.
 
Oracle Java SE CVE-2014-2490 Remote Code Execution Vulnerability
 
Western Digital is shipping two new 6TB hard drives as it tries to make its highest-capacity storage products affordable.
 
Microsoft will hold next year a new conference that encompasses its enterprise IT products, including the productivity and server Office software, IT management wares and development tools, and replaces several shows that are narrower in scope.
 
Zdziarski

Apple has endowed iPhones with undocumented functions that allow unauthorized people in privileged positions to wirelessly connect and harvest pictures, text messages, and other sensitive data without entering a password or PIN, a forensic scientist warned over the weekend.

Jonathan Zdziarski, an iOS jailbreaker and forensic expert, told attendees of the Hope X conference that he can't be sure Apple engineers enabled the mechanisms with the intention of accommodating surveillance by the National Security Agency and law enforcement groups. Still, he said some of the services serve little or no purpose other than to make huge amounts of data available to anyone who has access to a computer, alarm clock, or other device that has ever been paired with a targeted device.

Zdziarski said the service that raises the most concern is known as com.apple.mobile.file_relay. It dishes out a staggering amount of data—including account data for e-mail, Twitter, iCloud, and other services, a full copy of the address book including deleted entries, the user cache folder, logs of geographic positions, and a complete dump of the user photo album—all without requiring a backup password to be entered. He said two other services dubbed com.apple.pcapd and com.apple.mobile.house_arrest may have legitimate uses for app developers or support people but can also be used to spy on users by government agencies or even jilted ex-lovers. The Pcapd service, for instance, allows people to wirelessly monitor all network traffic traveling into and out of the device, even when it's not running in a special developer or support mode. House_arrest, meanwhile, allows the copying of sensitive files and documents from Twitter, Facebook, and many other applications.

 
Skybox Security Multiple Denial of Service Vulnerabilities
 
[SECURITY] [DSA 2983-1] drupal7 security update
 
Apple likely sold more Macs than it did in the same quarter last year, keeping its better-than-the-industry sales pace going.
 
Cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.
 
Advantech WebAccess CVE-2014-2365 Remote Code Execution Vulnerability
 
[SECURITY] [DSA 2982-1] ruby-activerecord-3.2 security update
 
KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
 
KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
 
CVE-2014-4326 Remote command execution in Logstash zabbix and nagios_nsca outputs.
 
BlackBerry has recruited a new chief operating officer, Marty Beard, recently CEO of cloud customer service company LiveOps and before that an executive at Sybase.
 
LinuxSecurity.com: Security Report Summary
 
Advantech WebAccess CVE-2014-2366 Remote Information Disclosure Vulnerability
 
My last couple of columns have addressed cloud adoption patterns by IT organizations. "Has Cloud Computing Been A Failed Revolution" discussed the seeming ennui regarding cloud computing on the part of IT groups, in that they seem less interested in the field, despite the belief on the part of vendors that the cloud represents tomorrow's technology infrastructure. Most recently, "The Real Cloud Computing Revolution" described three real-world examples of companies using cloud computing to solve problems they couldn't have addressed in the infrastructure models of traditional IT.
 
Apache HTTP Server 'mod_status' CVE-2014-0226 Remote Code Execution Vulnerability
 
Open Handset Alliance Android SSL Certificate Spoofing Vulnerability
 
Advantech WebAccess CVE-2014-2367 Remote Authentication Bypass Vulnerability
 
China's rush to the Internet is slowing, with the country adding only 14.4 million new Internet users in the first half of 2014, the lowest half-year growth in eight years.
 
Apple recently unveiled Swift, a new language to replace Objective-C for OS X and iOS application development. Apple won't accept submissions built using Swift to the iOS or Mac App Store until the fall, when iOS 8 and the next version of OS X (Yosemite) ship, so there's still some time to learn the ins and outs of this new programming language.
 
It's up to each one of us to figure out what in the daily surge of data is useful, what's crap and what's truly valuable.
 
Remember when "green computing" was all the rage? Companies competed for green awards, virtualized their data centers, set up e-waste committees, launched double-sided printing initiatives and activated power management features on PCs.
 
Advantech WebAccess CVE-2014-2364 Multiple Remote Stack Based Buffer Overflow Vulnerabilities
 
Blender CVE-2010-5105 Insecure Temporary File Creation Vulnerability
 
Advantech WebAccess CVE-2014-2368 Unsafe ActiveX Control Remote Security Weakness
 
A New York judge defended a controversial order that gave the government access to all content of the Gmail account of a target in a money laundering investigation, holding that courts have long recognized the practical need for law enforcement to seize documents if only to determine whether they fall within the warrant.
 
Lenovo has stopped sales of its existing small-screen Windows tablets in the U.S., but plans a new model for release by the end of the year.
 
Google last week said that it was finally ditching a 30-year-old technology to display fonts on Web pages in its Chrome browser for Windows.
 
Four companies that have been at BYOD for a while talk about how their programs have changed with the times. One key takeaway: Don't expect to save bundles of money. Insider (registration required)
 
Ruby on Rails 'ActiveRecord' CVE-2014-3483 SQL Injection Vulnerability
 
Drupal Multiple Remote Security Vulnerabilities
 
IBM Storwize V7000 Unified CVE-2014-3043 Unspecified Privilege Escalation Vulnerability
 
Internet Storm Center Infocon Status