(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Millions of Android phones, including the entire line of Nexus models, are vulnerable to attacks that can execute malicious code and take control of core functions almost permanently, Google officials have warned.

The officials have already uncovered one unidentified Google Play app that attempted to exploit the vulnerability, although they said they didn't consider the app to be doing so for malicious purposes. A fix is in the process of being released, but for now any phone that has not received a security patch level of March 18, 2016 or later is vulnerable. The flaw, which lets an app gain nearly unfettered "root" access that bypasses the entire Android security model, originates in an elevation-of-privilege vulnerability in the Linux kernel. Linux developers fixed it in April 2014 but never identified it as a security threat. For reasons that aren't clear, Android developers failed to patch it even after the flaw received the identifier CVE-2015-1805 in February 2015.

"An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel," an Android security advisory published Friday stated. "This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system."


[SECURITY] [DSA 3525-1] pixman security update


Over the past decade, there's been an explosion of bug bounty programs that pay hackers big cash rewards for finding vulnerabilities in applications and Web services. On Tuesday, ride-hailing service Uber became the latest company to embrace the trend with the unveiling of its own program.

In most respects, the program is similar to those offered by Google, Facebook, and so many other companies. It pays as much as $10,000 for the most critical vulnerabilities and provides a public forum to acknowledge the smarts of researchers who privately report bugs that no one inside the company was able to identify. Still, there are a few features that its designers say make it stand out from what's been done so far.

For instance, the Uber bounty program comes with a technical treasure map of sorts that's intended to help researchers find high-severity bugs quickly. The treasure map included with Tuesday's announcement enumerates some of the company's most security-sensitive subdomains, along with a brief description of types of assets that are at stake and the types of vulnerabilities that might threaten them. A description of partners.uber.com, for instance, describes it as the place driver partners visit to access private driver documents, payment statements, tax information, and other highly sensitive data.


[RT-SA-2016-002] Cross-site Scripting in Securimage 3.6.2

Last week, I was in Germany to attend the TROOPERS security conference and I had the opportunity to follow Chris Truncer's talk about passive intelligence gathering. Passive intelligence is a must-do when you need to collect information about a target (when working from the offensive side) or an attacker (from the defensive side). It helps to collect as much information as possible and often relies on OSINT (Open Source INTelligence: publicly available data). From a defensive point of view, the first step is to collect logs (as many as you can). And what do we find in logs? Mostly IP addresses! We can have tons of IP addresses collected every day. The next step is to get more information about them, and it is often a pain. During his talk, Chris presented his tool (called Just-Metadata) that helps to collect and manage information on IP addresses. This is performed via

When I tested the tool, I was surprised to not see any module for DShield! As we have a nice database of IP addresses and reputation, why not use it from Just-Metadata? The tool being very modular, it was easy to add an extra module to gather information from our database and a simple reporting module.

    [>] Please enter a command: list gather

    Shodan      = Requests Shodan for information on provided IPs
    GeoInfo     = This script gathers geographical information about the loaded IP addresses
    DShield     = This module checks DShield for hits on loaded IPs
    Whois       = This module gathers whois information
    FeedLists   = This module checks IPs against potential threat lists
    MyWOT       = Requests MyWOT for domain reputation information on provided domains
    VirusTotal  = This module checks VirusTotal for hits on loaded IPs
    All         = Invokes all of the above IntelGathering modules

    [>] Please enter a command: list analysis

    TopNetBlocks = Returns the top X number of most seen whois CIDR netblocks
    Keys         = Returns IP Addresses with shared public keys (SSH, SSL)
    FeedHits     = Lists IPs being tracked in threat lists
    DShield      = Returns IP addresses with results in DShield
    PortSearch   = Returns the top X number of most used ports
    TopPorts     = Returns the top X number of most used ports
    Country      = Search for IPs by country of origin
    MyWOTDomains = Parse mywot domain reputation results
    GeoInfo      = Analyzes IPs geographical/ISP information
    Virustotal   = Returns IP addresses with results in VirusTotal
    All          = Invokes all of the above Analysis modules

    [>] Please enter a command: load ip.txt
    [*] Loaded 5 systems
    [>] Please enter a command: gather all
    (one progress line per loaded IP for each module; addresses omitted here:
     "Querying Shodan for information about ...", "... info on ...",
     "Information found on ...", "... information within DShield for ...",
     "... whois information about ...")
    Grabbing list of TOR exit nodes..
    Grabbing attacker IP list from the Animus project...
    Grabbing EmergingThreats list...
    Grabbing AlienVault reputation list...
    Grabbing Blocklist.de info...
    Grabbing DragonResearch's SSH list...
    Grabbing DragonResearch's VNC list...
    Grabbing NoThinkMalware list...
    Grabbing NoThinkSSH list...
    Grabbing Feodo list...
    Grabbing antispam spam list...
    Grabbing malc0de list...
    Grabbing MalwareBytes list...
    Information found on ... (one line per IP)
    [>] Please enter a command: save

Then, you can use the analysis modules to build intelligence from the collected data. Here is a sample (IP addresses omitted):

    [>] Please enter a command: analyse dshield 10
    **********************************************************************
    IPs and Detected Counts
    **********************************************************************
        832 count(s)
        596 count(s)
        186 count(s)
    **********************************************************************
    IPs and Attacked Targets
    **********************************************************************
        270 target(s)
        119 target(s)
          7 target(s)
    **********************************************************************
    IPs and Detected Risk
    **********************************************************************

I sent a pull request to Chris yesterday and he already merged it. The tool is available on his GitHub repository. It's easy to set up, does not have a lot of dependencies and it runs smoothly in

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
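As an added example (this is not Xavier's Just-Metadata module, nor any code from the Just-Metadata project), the script below sketches the same two steps the diary describes, gather then analyse, against the DShield IP-lookup API. The field names (number, count, attacks, mindate, maxdate) follow the public ISC JSON API at https://isc.sans.edu/api/ip/<ip>?json; the endpoint URL, the User-Agent string and the sample records are assumptions or constructed test data, so it runs offline. It also handles the case the diary's output hints at: an IP with no DShield record comes back with null counters, and the analysis lists it separately rather than ranking it as "clean".

```python
"""Gather DShield reputation for a list of IPs, then rank them.

Added example for this page; not Just-Metadata's own DShield module.
Field names follow the ISC/DShield JSON API (https://isc.sans.edu/api/ip/<ip>?json);
the sample records below are constructed test data, not real DShield results.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

DSHIELD_API = "https://isc.sans.edu/api/ip/{ip}?json"  # assumed endpoint

# Constructed sample responses (TEST-NET addresses, made-up numbers) so the
# example runs offline. DShield returns counters as strings, or null when the
# address has never been reported.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "192.0.2.10": {"ip": {"number": "192.0.2.10", "count": "1543", "attacks": "311",
                          "mindate": "2016-03-01", "maxdate": "2016-03-22"}},
    "192.0.2.20": {"ip": {"number": "192.0.2.20", "count": "402", "attacks": "98",
                          "mindate": "2016-02-14", "maxdate": "2016-03-21"}},
    "192.0.2.30": {"ip": {"number": "192.0.2.30", "count": "57", "attacks": "3",
                          "mindate": "2016-03-20", "maxdate": "2016-03-20"}},
    "192.0.2.40": {"ip": {"number": "192.0.2.40", "count": None, "attacks": None,
                          "mindate": None, "maxdate": None}},  # never reported
}


def fetch_live(ip: str) -> dict:
    """Query the real DShield API. ISC asks callers to send an identifying
    User-Agent (assumed string below) and to keep the query rate modest."""
    req = urllib.request.Request(
        DSHIELD_API.format(ip=ip),
        headers={"User-Agent": "dshield-lookup-example (contact: you@example.org)"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_sample(ip: str) -> dict:
    """Offline stand-in for fetch_live using the constructed records."""
    return SAMPLE_RESPONSES.get(ip, {"ip": {"number": ip}})


def _to_int(value) -> int:
    """DShield counters arrive as strings, or null for unknown IPs."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse_record(raw: dict) -> dict:
    """Normalise one API response into plain Python values."""
    ip = raw.get("ip", {})
    return {
        "ip": ip.get("number"),
        "count": _to_int(ip.get("count")),      # reports seen from this IP
        "attacks": _to_int(ip.get("attacks")),  # distinct targets it hit
        "mindate": ip.get("mindate"),
        "maxdate": ip.get("maxdate"),
    }


def gather(ips: Iterable[str], fetch: Callable[[str], dict] = fetch_sample) -> Dict[str, dict]:
    """Gather step: one DShield lookup per IP; a failed lookup is recorded, not fatal."""
    results: Dict[str, dict] = {}
    for ip in ips:
        try:
            results[ip] = parse_record(fetch(ip))
        except (urllib.error.URLError, ValueError) as exc:  # network error or bad JSON
            results[ip] = {"ip": ip, "count": 0, "attacks": 0,
                           "mindate": None, "maxdate": None, "error": str(exc)}
    return results


def analyse(results: Dict[str, dict], top: int = 10
            ) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]], List[str]]:
    """Analysis step: rank IPs by detected counts and by attacked targets.
    IPs with no DShield record are listed separately: absence from DShield
    is not evidence that an address is benign."""
    seen = [r for r in results.values() if r["count"] > 0]
    by_count = sorted(((r["ip"], r["count"]) for r in seen), key=lambda t: t[1], reverse=True)[:top]
    by_targets = sorted(((r["ip"], r["attacks"]) for r in seen), key=lambda t: t[1], reverse=True)[:top]
    unseen = sorted(ip for ip, r in results.items() if r["count"] == 0)
    return by_count, by_targets, unseen


def report(results: Dict[str, dict], top: int = 10) -> str:
    """Render the analysis in the same shape as the diary's 'analyse dshield' output."""
    by_count, by_targets, unseen = analyse(results, top)
    rule = "*" * 70
    lines = [rule, "IPs and Detected Counts", rule]
    lines += [f"{ip:<18}{n} count(s)" for ip, n in by_count]
    lines += [rule, "IPs and Attacked Targets", rule]
    lines += [f"{ip:<18}{n} target(s)" for ip, n in by_targets]
    lines += [rule, "IPs with no DShield record", rule]
    lines += unseen
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap fetch_sample for fetch_live to query DShield for real.
    print(report(gather(SAMPLE_RESPONSES.keys())))
```

Swapping `fetch_sample` for `fetch_live` turns this into a real lookup; keep the per-IP rate low and the User-Agent identifying, as ISC requests for its API, and treat a "no record" result as unknown rather than clean.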
APPLE-SA-2016-03-21-6 Safari 9.1
APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002
APPLE-SA-2016-03-21-2 watchOS 2.2
APPLE-SA-2016-03-21-1 iOS 9.3
APPLE-SA-2016-03-21-7 OS X Server 5.1
APPLE-SA-2016-03-21-4 Xcode 7.3