Hackin9
Microsoft said Thursday it plans eventually to patch a vulnerability in Internet Explorer 8 that it's known about for seven months, but it didn't say when.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Hewlett-Packard reported increased profits Thursday as its PC business turned in a strong quarter, but the company will slash thousands more jobs to reduce costs.
 
Juniper Junos 'SRX Series Services' Gateway Denial of Service Vulnerability
 
T-Mobile USA has rolled out voice over LTE in its home base of Seattle, offering high-definition voice and promising benefits to subscribers from a technology that in time could save carriers a lot of money.
 
Wearable devices are hot right now, but will slow down for a time before rebounding again, market research firm NPD is forecasting.
 
The ultimate eavesdropping solution for people who want to see what their employees, kids or spouse are doing on their Android (or jailbroken iPhone) smartphone.
 
RSA BSAFE Micro Edition Suite CVE-2014-0628 Denial of Service Vulnerability
 
RSA BSAFE Micro Edition Suite CVE-2014-0636 Chain Processing Vulnerability
 
An HP bug bounty program has published information about a critical vulnerability in Internet Explorer 8 because Microsoft did not meet its patch-or-we-go-public deadline.
 
A printer that connects to the Web may pose as great a risk to enterprise security as an OS vulnerability, yet companies worry about the latter and too often ignore the former, said a CTO during a discussion at MIT.
 
The U.S. military is just weeks away from getting a prototype for an Iron Man-like suit that would make soldiers stronger, give them real-time battlefield information, monitor their vital signs and even stop their bleeding.
 
Cisco TelePresence System HTTPS Communication Information Disclosure Vulnerability
 
Advantech WebAccess CVE-2014-0773 Security Bypass Vulnerability
 
Advantech WebAccess CVE-2014-0772 Information Disclosure Vulnerability
 
AT&T wants to tap the open-source community to develop cool applications for connected wearables, mobile devices, home appliances and cars.
 

eBay has finally stopped burying its own advisory to change passwords following a major hack on its corporate network by adding an important password update to the top of its home page. Now, engineers should turn their attention to flaws on the site's password reset page that may prevent users from choosing passcodes that are truly hard to crack.

When strong is weak

Chief among the imperfections is eBay's meter that labels chosen passwords as "weak," "medium," or "strong" depending on their resistance to common cracking techniques. It showed "Stlk/v/FqSx"lireFTzidyS/m" (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, and it isn't found in any obvious dictionary or word list. (Thanks to @digininja for the example.) That means the only likely way to crack it is a brute-force attack in which an attacker tries every possible combination. The "keyspace" involved, that is, the number of possible 25-character strings built from upper- and lower-case letters and special characters, is 85^25, which is calculated by adding the number of possible letters (52) and the number of possible symbols (33) and raising the sum (85) to the power of the password length (25).

It would take huge amounts of time and computation power to crack the password, and yet for some unexplained reason, eBay is telling users it's weak. The site's password meter similarly grades as weak the inversion, "m/SydizTFeril"xSqF/v/kltS", as well as smaller subsets. It also gave a "weak" mark to the password choices of "bEDl(<y|" and ">advice to eBay customers—as medium strength.
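The keyspace arithmetic above, carried out in code as an added example (this is not eBay's meter or anything from the Ars Technica article). The block infers which character classes a password draws from, computes the brute-force keyspace and its bit-equivalent, and shows what a sane meter would do instead: consult a word list first, then grade on the brute-force estimate. The 33-symbol count follows the article by treating the space as a symbol on top of Python's 32-character `string.punctuation`; the tiny word list and the 40/80-bit grading thresholds are assumptions chosen for illustration.

```python
import math
import string

# Character classes counted the way the article counts them: 26 + 26 letters and
# 33 symbols. string.punctuation has 32 characters; treating the space as the 33rd
# symbol is an assumption made here to match the article's figure.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Tiny constructed block list standing in for a real cracking word list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "ebay2014"})


def classes_used(password: str) -> set[str]:
    """Which character classes the password draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def brute_force_keyspace(password: str) -> int:
    """Candidates an attacker must try when all they know is the length and the classes used."""
    alphabet_size = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet_size ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the brute-force work factor in bits."""
    return math.log2(brute_force_keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Worst case for the attacker: the whole keyspace at an assumed 10^12 guesses/s."""
    return brute_force_keyspace(password) / guesses_per_second / (365.25 * 86400)


def strength(password: str) -> str:
    """What a sane meter would do: check the word list first, then the brute-force estimate.
    The 40- and 80-bit thresholds are illustrative assumptions, not eBay's rules."""
    if password.lower() in COMMON_PASSWORDS:
        return "weak"
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 80:
        return "medium"
    return "strong"


if __name__ == "__main__":
    for pw in ('Stlk/v/FqSx"lireFTzidyS/m', "bEDl(<y|", "password"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, {years_to_exhaust(pw):.3g} years, {strength(pw)}")
```

The brute-force figure is an upper bound on attacker effort: it says nothing about passwords that sit in a word list, which is why the word-list check comes before the arithmetic.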


 
Adobe Reader CVE-2014-0512 Security Bypass Vulnerability
 
The U.S. House of Representatives has approved a bill that would limit the National Security Agency's bulk collection of domestic phone records, even as several civil liberties and tech groups withdrew their support after last-minute changes.
 
Companies that want to migrate large numbers of users from Windows XP, which Microsoft stopped supporting last month, now have some help with a free tool from CA Technologies.
 
Facebook is adding tools to help its users stop over-sharing their personal posts with total strangers.
 
During this Sunday's Indy 500, Verizon Wireless, Ericsson and other tech companies will be focused less on the drivers and more on a racetrack demonstration of a new wireless technology called LTE Multicast that would be used for transmitting video to smartphones and tablets.
 
Microsoft picked the wrong screen size for its new Surface Pro 3 if it really plans to push the hybrid device as a replacement for premium-priced notebooks, a retail analyst said.
 
WebKit CVE-2013-2927 Use After Free Remote Code Execution Vulnerability
 
WebKit CVE-2013-2875 Out of Bounds Memory Corruption Vulnerability
 
A collaborative, nonprofit foundation has been started by a group of technology companies to boost the adoption of the MIPS processor architecture.
 
China is threatening to block companies from selling IT products in the nation if they fail to pass a new "cybersecurity vetting system" meant to weed out secret spying and surveillance activities.
 
LinuxSecurity.com: Xalan-Java could be made to load arbitrary classes or access external resources.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: An updated rubygem-openshift-origin-node package that fixes one security issue is now available for Red Hat OpenShift Enterprise 2.1. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: An updated rubygem-openshift-origin-node package that fixes one security issue is now available for Red Hat OpenShift Enterprise 2.0. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: lxml could allow cross-site scripting (XSS) attacks.
 

Many years ago, when the internet was still a different place, before Twitter, RSS and browser notifications, Tom Liston was kind enough to write a very compact task bar application displaying the current "Infocon". The application, also known as the "blinky globe thing", was mostly known for its impeccable implementation of the color orange. 

However, the application uses a non-standard RSS feed, and does not speak SSL. We recently changed our site to SSL only, breaking the current "blinky globe" to only show blue. Also, there are now a number of other more standard ways to receive notifications about infocon changes. As a result, I decided to stop supporting "ISCAlert". If you still use it, please uninstall it. 

For alternatives, please see our notification system: https://isc.sans.edu/notify.html . We currently offer "SMS compatible" e-mail notifications and will soon have browser notifications (part of this is already live). We also have a number of RSS feeds, simple text feeds (e.g. https://isc.sans.edu/infocon.txt ) and Twitter to notify you of impending doom.

For more about the Infocon, see https://isc.sans.edu/infocon.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Fuss About Dark Wallet
 

So after yesterday's news that eBay had been compromised, and that the compromise was in play for a good 2-3 months (short in comparison to many), I decided it was time to change my passwords.  Yes - ALL of them.

Don't get me wrong, I do change my passwords - really.  Not as frequently as I should, but it happens.  I decided to use my little "make me a random string" character generator script, and set them all to 32 char gobbledygook.  Except for the ones that have 10, 16 or 20 character maximums that is (really? that limit was a good idea why?)

So I dug through all my applets, "saved password" tabs and saved notepads to find them all, and change them all.  It's amazing how many logins you can accumulate over the years.  It's also amazing how many of these logins have my credit card info (eeps).  eBay, Paypal, Apple, travel sites - it really starts to add up.

What did I find when I got going on this?

  • For starters, since the last time I reset almost EVERY site has let their marketing and "design" folks at their site layout.  The password change is almost universally hidden 4-10 or more clicks and menus deep in the interface.  
  • Many sites now disable the "paste" function.  So if you have a complex password, you can't cut and paste it - you have to type it from the keyboard.  This also breaks many "password keeper" applications.  So what does this encourage?  Simple passwords, that's what.  Just because you can enable a neat feature doesn't mean that it's helpful.
  • Don't even get me started on Facebook.  I'm not even sure how I got to the menu (it took a while), but when I did, password change was under "General" instead of "Security".  Like so many other sites, "security" to Facebook is about Authorization (who can see me) rather than Authentication (credentials).  And the 3rd "A" in "AAA" - Accounting - is not available to the end user, only to the system administrators.  So if someone has attacked and/or compromised your account, the only folks who see that are the ones who review the logs.  Oh - and I guess that's a problem too. 
  • Facebook does have a nice "log me out of other devices" option during the password change though.  So if it's an attacker who's compromised your account, they can punt you offline as they change your password.  They phrased it the other way though - I guess it's a race to see who gets to the password change page first.
  • I'm still working on my Apple password.  Apparently they've decided that my favourite book as a child doesn't meet their literary standards, so they've changed it.  More likely, what I typed in is still there and is case sensitive - and knowing me, it's either all lower case, or the one Cap in the phrase is accidental.  Long story short, I can't answer the challenge phrases.  And the "send me an email" trapdoor didn't work - no email yet. 

What does this all add up to?  Web designers really have made it increasingly difficult for us to protect our credentials.  Almost every site has emphasised the "friends and sharing" functions, and this has crowded the "protect your credentials" stuff into the background.  Challenge phrases are great I suppose, but making challenge phrases case sensitive is a really bad idea.  Not a single site in my list had a periodic password change requirement.

The other big conclusion?  It'd be nice if more sites implemented two factor authentication - that way a password breach wouldn't be such an emergency or such big news.

Long story short, when sites say "we've been breached, please change your password", I think that's in the nature of a dare or a challenge - it's not as easy as it sounds.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
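The post above mentions a "make me a random string" script and sites that cap passwords at 10, 16 or 20 characters. As an added example (not the author's script), here is how such a generator looks when it has to respect a site's length cap and still guarantee every character class is present. It uses the `secrets` module rather than `random`, and rejection sampling rather than "one from each class then shuffle", so the result stays uniform over all acceptable passwords. The symbol set is an assumption; which symbols a given site accepts has to be checked against that site.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# A conservative symbol set that most sites accept. Which symbols a particular
# site allows is an assumption you must check against that site's rules.
SYMBOLS = "!#$%&*+-=?@^_~"
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def covers_all_classes(password: str, classes=DEFAULT_CLASSES) -> bool:
    """True when at least one character from every class appears."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 32, classes=DEFAULT_CLASSES) -> str:
    """Uniformly random password over the union of the classes.

    Candidates missing a class are rejected and redrawn; this keeps the
    distribution uniform over all acceptable passwords, which forcing one
    character per class into fixed positions and shuffling would not.
    """
    if length < len(classes):
        raise ValueError(f"length {length} cannot cover {len(classes)} character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_all_classes(candidate, classes):
            return candidate


def for_site(max_length: int, wanted: int = 32, classes=DEFAULT_CLASSES) -> str:
    """Use the longest password the site's cap allows, never longer than the cap."""
    return generate_password(min(wanted, max_length), classes)


if __name__ == "__main__":
    print("uncapped:", generate_password())
    for cap in (10, 16, 20):
        print(f"cap {cap}:", for_site(cap))
```

Sites that disable paste do not change the generator; they only mean the result has to be typed, which is the point the post makes.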
 
 

The Zero Day Initiative has published a new and unpatched IE 0-day that was originally reported to them (and by extension, to Microsoft) in October 2013.  In essence, a victim has to visit a crafted web page that exploits the handling of CMarkup objects, which ultimately can be used to execute code with the permissions of the web browser process.  Microsoft says EMET mitigates this vulnerability, and TippingPoint claims its devices protect against it.  At this point, there is no indication that it is being used in the wild.  The interesting thing here is the timeline: roughly seven months between the initial report and there still being no patch.

This diary will be updated as the situation warrants.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 

Usually, your operating system is assigned a DNS server either via DHCP (or router advertisements in IPv6) or statically. The resolver library on a typical workstation then passes all DNS lookups to this set of DNS servers. However, malware sometimes tries to use its own DNS servers, so blocking outbound port 53 traffic (UDP and TCP) from everything except your sanctioned resolvers, and logging the drops, can help identify these hosts.

Brent, one of our readers, does just that and keeps finding infected machines that way. Just now, he is investigating a system that attempted to connect to the following name servers:

101.226.4.6
114.114.114.114
114.114.115.115
123.125.81.6
140.207.198.6
202.97.224.69
211.98.2.4
218.30.118.6
14.33.133.189

He has not identified the malware behind this yet, and none of the other controls he is running flagged it ("we are running bluecoat web filter AND we're using OpenDNS AND I'm running snort"). Brent uses oak (http://ktools.org/oak/) to help him watch his logs and alert him to issues like this.
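The detection described above, run over log lines, as an added example (this is not Brent's oak configuration or any ISC tooling). The firewall lines are constructed in a netfilter/syslog shape; three of the destination addresses are taken from the list in the diary, the rest are made up. The two sanctioned resolver addresses are assumptions: they stand for whatever your DHCP server hands out, and if you forward to an external service such as OpenDNS its addresses belong in that allowlist too. The ranking step reflects what makes this case interesting: a misconfigured host tends to talk to one stray resolver, while malware with a baked-in list fans out to several.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Resolvers your DHCP server hands out. These two addresses are assumed for the example.
SANCTIONED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Constructed firewall log lines in a netfilter/syslog shape. Three destinations are
# name servers from the diary's list; the internal hosts and the other addresses are made up.
SAMPLE_LOG = """\
May 22 09:14:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=114.114.114.114 PROTO=UDP SPT=51233 DPT=53
May 22 09:14:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=101.226.4.6 PROTO=UDP SPT=51234 DPT=53
May 22 09:14:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=218.30.118.6 PROTO=TCP SPT=51240 DPT=53
May 22 09:14:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=10.0.0.53 PROTO=UDP SPT=40001 DPT=53
May 22 09:14:06 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=8.8.8.8 PROTO=UDP SPT=40003 DPT=53
May 22 09:14:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=93.184.216.34 PROTO=TCP SPT=40002 DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+) DST=(?P<dst>[0-9a-fA-F.:]+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def unsanctioned_dns(log_text: str, sanctioned=SANCTIONED_RESOLVERS) -> dict[str, set[str]]:
    """Map each internal host to the non-sanctioned name servers it tried to reach on port 53."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "53" or m["proto"] not in ("UDP", "TCP"):
            continue
        if m["dst"] in sanctioned:
            continue
        hits[m["src"]].add(m["dst"])
    return dict(hits)


def suspicious_hosts(hits: dict[str, set[str]], min_distinct: int = 2) -> list[str]:
    """Hosts that contacted at least min_distinct distinct public name servers, most first."""
    ranked = [
        src for src, dsts in hits.items()
        if sum(1 for d in dsts if ip_address(d).is_global) >= min_distinct
    ]
    return sorted(ranked, key=lambda s: -len(hits[s]))


if __name__ == "__main__":
    hits = unsanctioned_dns(SAMPLE_LOG)
    for host in suspicious_hosts(hits):
        print(host, "->", ", ".join(sorted(hits[host])))
```

The regex is written for netfilter's LOG target; other firewalls need their own field pattern, but the logic (port 53, not on the allowlist, fan-out per source) stays the same.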

According to the Farsight Security passive DNS database, these IPs resolve to a number of "interesting" hostnames. I am just showing a few here (the full list is too long)

ns-facebook-[number]-[number].irl-dns.info   <- the [number] part appears to be a random number
*.v9dns.com    <- '*' to indicate various host names in this domain.
v2.3322pay.com
bjcgsm.com
sf5100.com
 


------------------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

A couple weeks ago, Dropbox announced that it invalidated some old "shared links" users used to share confidential documents, like tax returns [1] . The real question here is of course, how did these tax returns get exposed in the first place. 

Dropbox usually requires a username and a password to access documents, and even offers two-factor authentication as an option. But regardless, the user may allow a document to be accessed by others who just know the "secret" link.

As we all know, the problem is that "secret" links easily leak. But as users rely more on cloud services to share files, and passwords for each shared file are way too hard to set up, this is going to happen more and more. Dropbox isn't the only such service that offers this feature. In a recent discussion with some banks, the problem came up in that more and more customers attempt to share documents with the bank for things like mortgage applications. While the banks do refuse to accept documents that way, the pressure exists, and I am sure other businesses with less regulatory pressure will happily participate.

For a moment, let's assume the cloud service works "as designed" and your username and password are strong enough. Cloud services can be quite useful as a cheap "offsite backup", for example to keep a list of serial numbers of your possessions in case of a burglary or a catastrophic event like a fire. But as soon as you start sharing documents, you run the risk of others not taking care of them as well as you would. Maybe their passwords are no good, or maybe they will let the "secret link" you gave them wander. 

Confidential personal, financial or medical information should probably not go into your cloud account. And if it does, encrypt it before uploading. 

Here are a couple of steps to de-cloud your life:

- set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS, but you will have to run the server. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.

- run your own mail server: This can be a real pain and even large companies move mail services to cloud providers (only to regret it later ...?). But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.

- Offsite backup at a friend's or relative's house. With the widespread availability of high-speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again use a VPN.

- For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.

Any other tips to de-cloud?

[1] https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Fresh off our discussion regarding PowerShell, now for something completely different. In order to bring balance to the force I felt I should share with you my recent use of sed, "the ultimate stream editor" and awk, "an extremely versatile programming language for working on files" to solve one of fourteen challenges in a recent CTF exercise I participated in.

The challenge included only a legitimate bitmap file (BMP) that had been modified via least significant bit (LSB) steganography and the following details. The BMP was modified to carry a message starting at the 101st byte and only in every 3rd byte thereafter. The challenge was therefore to recover the message and paste it as the answer for glory and prizes (not really, but pride points count). What was cool about this CTF is that while a number of my associates participated, not one of us approached the challenge the same way. One used Excel with VB, another used AutoIT, and yet another wrote his own C#. Since I'm not as smart as any of these guys, I opted to trust the force and use our good and faithful servants sed and awk on my SIFT 3.0 VM along with a couple of my preferred editors (010 and TextPad) on my Windows host. I know, I know, "WTF, Russ, just do it on one system." I can say only that I am fixed in my ways and like to do certain things with certain tools, so I'm actually faster bouncing back and forth between systems. Here's what I did in seven short steps, with some details and screenshots. Note: I share this because it worked and I enjoyed it, not because I'm saying it's an optimal or elegant method.

1) I opened the .bmp in 010 Editor and first deleted bytes 1 through 100, given that the message starts at the 101st byte. Remember, if you choose to do this by offset, the first byte is offset 0 and the 101st byte is at offset 100. This critical point will be pounded (literally) into your head by Mike Poor when taking the GCIA track, which I can't recommend enough. Then, under View, I chose Edit As and switched from Hex to Binary (remember we're working with the least significant bit). I then selected all of the binary, chose Copy As, and selected Copy As Binary Text, which I saved as challenge13binaryRaw.txt.

010 Editor hex to binary

2) I opened challenge13binaryRaw.txt in TextPad because I love its replace functionality. The binary text output from 010 Editor is separated by a space every 8 bits/1 byte. In TextPad I used a regular expression replacement to convert the text to a single column (replaced every space with a newline \n), which I saved as challenge13binaryRaw-column.txt.

TextPad regex replace

3) I then used sed on challenge13binaryRaw-column.txt to print only every third byte, described in the challenge as those containing the message, and saved it to every3rd.txt as follows: sed -n '1~3p' challenge13binaryRaw-column.txt > every3rd.txt. In this syntax, sed simply starts at the 1st line and then prints every 3rd ('1~3p'). Note that the first~step address form is a GNU sed extension, so this exact command works on SIFT and other GNU/Linux systems but not on the stock BSD or macOS sed.

4) To then grab the least significant bit from each line of every3rd.txt I used awk as follows: awk '{print substr($0,8)}' every3rd.txt > lsb.txt. This tells awk to print each line from its 8th character onward; since every line is exactly 8 characters, that is just the 8th character, which is the least significant bit of each 8-bit byte.

5) lsb.txt now contains only the message but I need to format it back into machine readable binary for translation to human readable text. Back to TextPad where I used another regex replacement to convert a long column of single bits back to one line and save it as lsb-oneline.txt. Replacing a carriage return (\r) with nothing will do exactly that.

Regex Replace Carriage Return

6) In order for machine translation to successfully read the newly compiled message traffic, we now need to reintroduce a space between every 8 bits/ 1 byte which we can again accomplish with sed and save it to finalBinary.txt as follows: sed 's/\(.\{8\}\)/\1 /g' lsb-oneline.txt > finalBinary.txt

7) I then copied the content from finalBinary.txt into a binary translator and out popped the message.

It was actually the same short message looped many times through the BMP but I went for overkill extracting it not knowing the parameters other than those defined by the challenge description (no mention of how long the message was). A bit clunky to be sure but for you forensicators looking for ways to pull out messages or content embedded via LSB steganography, this approach might be useful. And no, I'm not telling you what the message was or sharing the BMP file in case the CTF administrators wish to use it again. :-) You'll want to brush up on your regex; one of my favorite resources is here.
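The seven steps above collapsed into a single script, as an added example that is not the author's tooling and does not use the CTF's BMP. The carrier is constructed here: a minimal but valid 24-bit BMP (14-byte file header, 40-byte DIB header, pixel rows) into which a NUL-terminated message is embedded with the challenge's parameters, the 101st byte (offset 100) and every 3rd byte thereafter. The extractor is the general form of steps 3 to 6 (pick every stride-th byte from an offset, keep bit 0, regroup into bytes) and takes the offset and stride as parameters, so it serves other LSB layouts too. The message text is made up.

```python
import struct

MESSAGE_OFFSET = 100   # the 101st byte of the file is offset 100
STRIDE = 3             # message bits live in every 3rd byte from there


def make_bmp(width: int = 16, height: int = 16) -> bytearray:
    """Constructed 24-bit BMP carrier (not the CTF file): file header, DIB header, pixel rows."""
    row_bytes = (width * 3 + 3) & ~3                 # rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_bytes, 2835, 2835, 0, 0)
    pixels = bytes((i * 37) & 0xFF for i in range(pixel_bytes))  # arbitrary deterministic image data
    return bytearray(file_header + dib_header + pixels)


def embed_lsb(carrier: bytearray, message: bytes,
              offset: int = MESSAGE_OFFSET, stride: int = STRIDE) -> bytearray:
    """Write message bits, MSB first, into bit 0 of every stride-th byte starting at offset."""
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    capacity = len(range(offset, len(carrier), stride))
    if len(bits) > capacity:
        raise ValueError(f"message needs {len(bits)} bits, carrier holds {capacity}")
    for i, bit in enumerate(bits):
        pos = offset + i * stride
        carrier[pos] = (carrier[pos] & 0xFE) | bit  # clear bit 0, then set it to the message bit
    return carrier


def extract_lsb(data: bytes, offset: int = MESSAGE_OFFSET, stride: int = STRIDE) -> bytes:
    """Steps 3 to 6 in one pass: every stride-th byte, keep bit 0, regroup 8 bits into a byte."""
    bits = [data[pos] & 1 for pos in range(offset, len(data), stride)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def recover_message(data: bytes, **kw) -> str:
    """The message was embedded NUL-terminated; return the text up to the terminator."""
    raw = extract_lsb(data, **kw)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


if __name__ == "__main__":
    bmp = make_bmp()
    embed_lsb(bmp, b"the force is strong with sed\x00")   # made-up message
    print(recover_message(bmp))
```

With a real challenge file, read it with `open(path, "rb").read()` and call `recover_message` on the bytes; if the message was not NUL-terminated, as in the author's looped case, inspect `extract_lsb` output directly instead.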

Cheers and enjoy.

Russ McRee | @holisticinfosec

 

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1531 Use After Free Memory Corruption Vulnerability
 
APPLE-SA-2014-05-21-1 Safari 6.1.4 and Safari 7.0.4
 
[KIS-2014-07] Dotclear <= 2.6.2 (categories.php) SQL Injection Vulnerability
 
[KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
 
 
Japanese researchers have developed a new type of lithium-ion conductor that could help prevent the kind of lithium-ion battery fires that grounded the Boeing 787 Dreamliner aircraft last year.
 
The dispute between Oculus VR, a wearable virtual reality technology company that Facebook is acquiring, and ZeniMax Media reached court Wednesday.
 
For small retailers, the relationship between the number of store visits and actual sales can be foggy. A new tracking device aims to provide clarity.
 
Microsoft Wednesday kicked off pre-sales of its new Surface Pro 3 tablet, but some of those orders won't be fulfilled until the end of summer.
 
Chalk up another victory for corporate surveillance: Five years after advocates came up with an easy way to let you browse the Web with just a little privacy, the Do Not Track system is in tatters and that pair of boots you looked at online last month is still stalking you from website to website.
 
Cisco Systems hinted at future plans for the Internet of Things on Wednesday even as its former IoT chief joined a Shanghai-based startup that plans to use sensors and big data for renewable energy.
 
BlackBerry says it can take back-end software development off the to-do lists of enterprises that want to take advantage of the Internet of Things.
 
Full Disclosure - DIR-652/DIR-835/DIR-855L/DGL-5500/DHP-1565 - Clear Text Password/XSS/Information Disclosure
 
[security bulletin] HPSBMU03044 rev.1 - HP Business Process Monitor, running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03042 rev.1 - HP Operations Manager i, Execution of Arbitrary Code
 
SEC Consult SA-20140521-0 :: Multiple critical vulnerabilities in CoSoSys Endpoint Protector 4
 
SAP AG Thursday announced the general availability of SAP Mobile Platform 3.0, a common software development kit (SDK) for developers to build apps for use by consumers, business partners as well as employees.
 
 
Google Chrome CVE-2013-2927 Use After Free Remote Code Execution Vulnerability
 
Microsoft Internet Explorer CVE-2014-1770 Remote Code Execution Vulnerability
 
Cisco Security Manager CVE-2014-3267 Cross Site Request Forgery Vulnerability
 
Internet Storm Center Infocon Status