Hackin9
Microsoft has disclosed that it recently fell victim to the same type of cyberattack that targeted Apple and Facebook.
 

CorreLog Announces Sponsorship of Infosec World Conference and Expo 2013 ...
PR Web (press release)
CorreLog, the leader in software solutions for IT security event correlation, today announced it has secured a sponsorship for Infosec, MIS Training Institute's (MISTI) flagship event for audit and information security training. With offices in the ...

 
Even though PC giants Hewlett-Packard and Dell reported significant year-over-year sales declines, tech stocks, buoyed by signs of confidence from other IT vendors, started to rise again Friday after slumping for most of the week.
 
Smartphones and tablets with the emerging Wi-Fi wireless networking technology, 802.11ac, will arrive early in the second half of this year, a Qualcomm executive said.
 
Facebook is working to correct a series of technical glitches it recently discovered in its Page Insights service causing erroneous activity data to be reported for administrative pages on the site.
 
Facebook has patched a serious vulnerability that could have allowed attackers to easily gain access to private user account data and control accounts by tricking users into opening specifically crafted links, a Web application security researcher said late Thursday.
 
An Illinois state senator who introduced a bill that would have required anonymous online posters to reveal their true identities plans to withdraw the bill after taking intense criticism from those who opposed it.
 
Less than a week after Microsoft began taking reservation orders for its 128GB Surface Pro tablet, the company has again slapped a sold-out sign on its website.
 
 

Going over some data earlier today, I noted that a few days ago we had a notable spike of port scans from Iran in our DShield database. Iran spikes at times, in part because we figure only a relatively small number of actors are scanning from Iran. So let's see what was going on. First, a plot of the activity from Iran for February:

[Figure: plot of scan activity from Iran for February; the full-size image is not preserved here]

This data is fairly rough, as it just counts the number of dropped packets. It could be one host sending the same packet over and over to the same target (about 2-3 million times on the peak days).

Let's look at the ports affected next. Below you will see the data for February 16th:



+------+--------+
| port | count  |
+------+--------+
|   21 | 466735 |
|   53 | 465751 |
|   23 | 458511 |
|   22 | 457712 |
|   80 | 455077 |
|  179 | 453416 |
| 3389 |   5750 |
|  445 |   4926 |
| 4614 |   4721 |
| 5900 |    356 |
+------+--------+

This is getting a bit more interesting. The top 6 ports have almost the same number of hits, and they are well-known server ports. 179 (BGP) is particularly interesting, as it is not scanned a lot and is more of an infrastructure port. One could expect routers to respond on 23, 22 and 80 as well. But 21 and 53? Not exactly router ports.

One host that sticks out for port 179 scans that day (port 179 is easier to investigate, as there are fewer scans for this port than for the others) is 213.217.37.102.

Scans originating from this particular host confirm the original picture:



+------------+---------+---------+
| targetport | reports | targets |
+------------+---------+---------+
|         21 |  386903 |     368 |
|         22 |  379809 |     363 |
|         23 |  380493 |     365 |
|         53 |  387051 |     365 |
|         80 |  374014 |     360 |
|        179 |  378105 |     366 |
+------------+---------+---------+

It is interesting that the number of reported targets is rather small: each target IP receives about 1,000 packets. But not all submitters report distinct target IPs; some include a dummy target IP instead, so the target count is a lower bound.
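The per-port roll-up above (reports and distinct targets per source, with dummy target IPs not counted as real targets) can be reproduced over raw firewall records. The following is an added example, not ISC/DShield code; the records and the 0.0.0.0 placeholder convention are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real DShield data): (source_ip, target_ip, target_port).
# Addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SCANNER = "203.0.113.7"
SAMPLE = []
for tgt in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
    for port in (21, 22, 23, 53, 80, 179):      # the six "router-like" ports from the diary
        SAMPLE += [(SCANNER, tgt, port)] * 2    # two dropped packets per target/port
# A second source whose submitter masks the real target behind a placeholder address.
SAMPLE += [("203.0.113.9", "0.0.0.0", 3389)] * 5

# Assumption for this example: submitters that hide targets record 0.0.0.0.
DUMMY_TARGETS = {"0.0.0.0"}


def summarize_by_port(records, source=None):
    """Return {port: (reports, distinct_targets)}, like the diary's second table.

    Placeholder targets still count as reports but never as distinct targets,
    so 'targets' is a lower bound exactly as the diary notes.
    """
    reports = defaultdict(int)
    targets = defaultdict(set)
    for src, dst, port in records:
        if source is not None and src != source:
            continue
        reports[port] += 1
        if dst not in DUMMY_TARGETS:
            targets[port].add(dst)
    return {p: (reports[p], len(targets[p])) for p in reports}


def top_ports(summary, n=5):
    """Ports ordered by report count (the diary's first table), ties in input order."""
    return sorted(summary.items(), key=lambda kv: kv[1][0], reverse=True)[:n]


def packets_per_target(summary):
    """Average reports per distinct target; None where every target was a placeholder."""
    return {p: (r / t if t else None) for p, (r, t) in summary.items()}


if __name__ == "__main__":
    for port, (reports, targets) in top_ports(summarize_by_port(SAMPLE, source=SCANNER)):
        print(f"port {port:>5}  reports {reports:>4}  targets {targets:>3}")
```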



Sadly, we don-) and let us know what you find.





------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The U.S. Federal Trade Commission has reached a settlement with HTC America over security holes in the company's smartphone and tablet software that left millions of users' personal information at risk.
 
In their first Google+ hangout, astronauts onboard the International Space Station said they didn't panic when their communication link to the ground was cut off for three hours this week.
 
OSEC-2013-01: nagios metacharacter filtering omission
 
TeamSHATTER Security Advisory: SQL Injection in Oracle EM (Resource Manager) (CVE-2013-0358)
 
TeamSHATTER Security Advisory: Cross-site scripting in Oracle EM (advReplicationAdmin) (CVE-2013-0355)
 
TeamSHATTER Security Advisory: Oracle EM Segment Advisor Arbitrary URL redirection/phishing (CVE-2012-3219)
 
TeamSHATTER Security Advisory: SQL Injection in Oracle EM (streams queue) (CVE-2013-0373)
 
Love it or hate it, Windows 8 is the bellwether for PCs. Where Microsoft goes, PCs follow. And now Microsoft is making a grab for the mobile market, too. The latest version of Windows is designed with touchscreens in mind, and one bright side of that evolution is the addition of features that make Windows more intuitive and easier to use on all devices.
 
Last week I showed you how to connect your Mac to the Internet and to a local network. Now that your computer is on speaking terms with other devices and services, let's examine exactly how you can put those powers of communication to use for sharing the devices and files associated with your Mac.
 
CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage / Public Service Announcement
 
TeamSHATTER Security Advisory: SQL Injection in Oracle EM (SCPLBL_COLLECTED parameters) (CVE-2013-0353)
 
TeamSHATTER Security Advisory: HTTP Response Splitting in Oracle EM (policyViewSettings) (CVE-2013-0354)
 
TeamSHATTER Security Advisory: Oracle Database GeoRaster API overflow (CVE-2012-3220)
 

NOTE: The site is STILL compromised right now. DO NOT VISIT.

This is more of an awareness item to show to coworkers and relatives that you can't be careful enough. bible . org is a site that, as the name implies, offers access to the Bible along with related commentary and translations. Sadly, earlier this week the site apparently got compromised. The owner was notified, but so far hasn't had the means or skills to clean the site.

As in so many cases, the exploit inserts JavaScript at the very top of the page. This may have happened via a compromised configuration file, but right now we don't know. The malicious content is only shown to some browsers, based on the User-Agent string, so a plain wget or curl won't get you the malware. You need to specify a browser User-Agent string (for wget, set up a .wgetrc file to do this automatically, or use the -U switch).

The exploit inserts an iframe with changing URL following the pattern http://[random string].ddns.name/b6noxa1/counter.php?fid=2 (the domains I saw have been reported to changeip.com ).

The Wepawet analysis [1] shows that at least one Adobe PDF vulnerability is being exploited, luckily an older one (CVE-2010-0188), but there is an additional PDF that Wepawet didn't analyse. It can be tricky to retrieve all components of these exploit kits from a non-vulnerable or simulated browser.

[1] http://wepawet.iseclab.org/view.php?hash=ae81a29e04bd93994c1f92411e58975a&t=1361545134&type=js
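Two points from this diary lend themselves to a small triage script: fetching a page with a browser User-Agent so the injected content is actually served, and spotting an iframe at the top of the page whose URL follows the http://[random string].ddns.name/b6noxa1/counter.php?fid=2 pattern. This is an added example, not ISC code; the sample HTML, the hostname abcd1234 and the User-Agent value are constructed.

```python
import re
import urllib.request

# A desktop browser User-Agent (constructed value; any current browser string works).
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0"

# <iframe ... src="..."> in any attribute order; captures the src value.
IFRAME_RE = re.compile(r'<iframe[^>]*\ssrc=["\']?([^"\'\s>]+)', re.IGNORECASE)
# The URL shape reported in the diary: random label under ddns.name, fixed path, fid parameter.
INJECT_URL_RE = re.compile(
    r'^https?://[a-z0-9-]+\.ddns\.name/b6noxa1/counter\.php\?fid=\d+$', re.IGNORECASE)


def browser_request(url: str) -> urllib.request.Request:
    """Build a request that presents a browser User-Agent, the equivalent of wget -U."""
    return urllib.request.Request(url, headers={"User-Agent": BROWSER_UA})


def find_injected_iframes(html: str):
    """Return [(src, before_html_tag)] for iframes matching the injection pattern.

    before_html_tag is True when the iframe appears ahead of the <html> tag,
    i.e. "at the very top of the page" as described in the diary.
    """
    html_tag_at = html.lower().find("<html")
    hits = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        if INJECT_URL_RE.match(src):
            hits.append((src, html_tag_at == -1 or m.start() < html_tag_at))
    return hits


# Constructed sample: one injected iframe ahead of <html>, one legitimate embed inside the body.
SAMPLE_HTML = (
    '<iframe src="http://abcd1234.ddns.name/b6noxa1/counter.php?fid=2" width="1" height="1"></iframe>\n'
    '<html><head><title>Sample page</title></head><body>\n'
    '<iframe src="https://example.com/embed/legit"></iframe>\n'
    '</body></html>'
)

if __name__ == "__main__":
    # Offline run over the constructed sample; fetch a real page with
    # urllib.request.urlopen(browser_request(url)).read().decode() from an isolated analysis host.
    for src, at_top in find_injected_iframes(SAMPLE_HTML):
        print(f"injected iframe: {src} (before <html>: {at_top})")
```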

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
Google yesterday released Chrome 25, patching 22 vulnerabilities and debuting a new security feature that blocks silent installations of add-ons.
 
AV firm Eset has discovered a range of trojans that were signed with a valid certificate; that certificate was issued by the DigiCert Certificate Authority to a company that ceased to exist a long time ago.


 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0782 Remote Code Execution Vulnerability
 
Alcatel-Lucent's board has appointed Michel Combes as the company's new Chief Executive Officer, following Ben Verwaayen's recent resignation.
 
The HP StoreEasy 5530 puts serious muscle behind Windows file serving, Hyper-V virtualization, and SQL Server workloads
 
Samsung Safe aims to make Android phones better for the enterprise, but using the least secure mobile OS out there and ignoring the IT-ready BlackBerry might not be a good move.
 
Today: Bad news on the BKA trojan front, hackers who want to emigrate to China and an alleged iCloud security hole


 
VMware has patched security vulnerabilities in its vCenter Server, ESXi and ESX products. The security holes affect its Network File Copy (NFC) protocol, Java and OpenSSL


 
General malware continues to focus mainly on Windows systems, but targeted attacks aim at whatever system the intended victim is using, and this is bringing Macs increasingly into the firing line


 

Users of Tumblr, and likely the other sites mentioned in the subject line, received an e-mail informing them of a breach of a company called Zendesk. Like myself, you may not have heard of Zendesk before, but they apparently process customer support e-mail for these sites, including, as in the Tumblr case, e-mail to aliases like [email protected] and [email protected]. According to Zendesk, the attacker retrieved e-mail addresses and subject lines, not e-mail bodies. According to the Zendesk home page, many other name-brand companies use Zendesk, but the breach notification mentions only the three I listed in the subject.

Lessons learned:


Yet another internet chokepoint nobody thought about. A company like Zendesk, dealing with customer support for several large internet properties, is a great point to monitor and collect intelligence, as well as to spread malware. None of this has happened here.

Limit confidential information in customer support e-mails. NEVER mention a password. Other information should be limited to what is necessary to describe the problem. Of course, this may have to include sensitive data (account numbers, software versions and configurations).


Opinion

With all the bad stuff happening, we dodged some bullets this week. The NBC compromise only led users to a rather old exploit. This Zendesk breach didn't get very far (no e-mail bodies). The Bit9 compromise, even though it lasted for 6 months or so, was only used against 3 targets. The Facebook/Apple developer compromise didn't lead to backdoored code (we hope).

I think in particular the use of a lame exploit in the NBC case kind of points to another problem: It was probably pretty easy to deface the site.

/Opinion

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
PayPal will introduce a mobile chip-and-PIN version of its payments service in Europe, starting with a selection of U.K. businesses over the coming months.
 
An Apple supplier known for making iPads has been penalized by Chinese authorities for turning a nearby river in Shanghai "white" after dumping pollutants during the nation's Spring Festival holiday.
 
Intel has acquired appMobi's HTML5 developer tools division and hired its tools-related technical staff, to likely boost its presence in the mobile apps developer market.
 
A recorded music industry association in the U.S. said Google's policy to demote pirate websites in search rankings was not working.
 
The US TV network NBC had its NBC.com site, and other associated sites, hacked and modified to distribute malware. Facebook, Google and Bit.ly all moved rapidly to warn about the infection source.


 
Linux Kernel CVE-2013-0871 Local Privilege Escalation Vulnerability
 
China has been developing an IT outsourcing industry aimed at bringing in business from the U.S. and Europe. It has succeeded, but then again it hasn't thrived and now may face more barriers.
 

VMware has released the following new and updated security advisories:

New:

VMSA-2013-0003 http://www.vmware.com/security/advisories/VMSA-2013-0003.html

Updated:

VMSA-2012-0018 http://www.vmware.com/security/advisories/VMSA-2012-0018.html

VMSA-2013-0001 http://www.vmware.com/security/advisories/VMSA-2013-0001.html



Chris Mohan --- Internet Storm Center Handler on Duty
 
Zendesk said Thursday a hacker gained access to support information for some customers of its online help desk software.
 
Internet Storm Center Infocon Status