IBM Security Privileged Identity Manager Virtual Appliance Information Disclosure Vulnerability
IBM Security Privileged Identity Manager CVE-2016-5963 Security Bypass Vulnerability
IBM Security Privileged Identity Manager CVE-2016-5970 Directory Traversal Vulnerability
Multiple IBM Products CVE-2016-5943 Security Bypass Vulnerability

I have been tracking DDoS attacks for a number of years, and quite frankly, it has become boring. Don't get me wrong, I am not complaining, just stating a fact. A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and, probably most significantly, the novelty has worn off. Occasionally I will still see a multi-Gbps DDoS, but mostly it has been relegated to booter traffic, which is not even a nuisance for most providers.

Over the last few days, though, there have been two very significant DDoS events. First, on Tuesday, Sep 20, hosting company OVH was hit with a DDoS which peaked near the 1 Tbps range, and also on Tuesday evening (Sep 20), InfoSec journalist Brian Krebs' website was hit with a DDoS peaking at over 600 Gbps.

These are believed to be the two largest DDoS attacks on record, and they significantly exceed what was previously believed achievable by any one DDoS group.

While the nature of the DDoS attack traffic used against OVH has not been revealed, the attack against Brian Krebs' site is unusual in that the traffic is not your typical reflective UDP DDoS traffic, but rather TCP traffic that completed connections with the web server, plus GRE (Generic Routing Encapsulation) packets. This is unusual because that traffic cannot be spoofed the way reflected UDP is; an analysis of the traffic should therefore reveal which devices were used to launch the attack.
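To make the attribution point concrete, here is an added example (not code from the ISC diary or from any of the parties named): it triages constructed, NetFlow-style inbound flow records from the victim's side and separates sources that completed a TCP handshake (and so cannot have forged their address) from half-open SYNs, SYN-ACK reflection, UDP reflection and GRE. The records, the addresses, the port table and the function names are all assumptions made for the example; the S/A/P flag heuristic for "handshake completed" is mine, not something the diary states.

```python
# Added example (not from the ISC diary): triage constructed flow records from
# the victim's side to separate traffic whose source address can be trusted
# from traffic whose source is likely spoofed or belongs to a reflector.
from collections import Counter

# UDP services commonly abused for reflection; a flow *from* one of these ports
# tells you about the reflector, not about the bot that sent the spoofed request.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed sample records (NetFlow-like, inbound to a web server on port 80).
# "flags" is the union of TCP flags seen on packets from that source in the flow.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "203.0.113.10", "sport": 51234, "dport": 80, "flags": "SAP", "packets": 42},
    {"proto": "tcp", "src": "203.0.113.11", "sport": 40022, "dport": 80, "flags": "SAPF", "packets": 17},
    {"proto": "tcp", "src": "203.0.113.10", "sport": 51240, "dport": 80, "flags": "SAP", "packets": 39},
    {"proto": "tcp", "src": "192.0.2.77", "sport": 1025, "dport": 80, "flags": "S", "packets": 1},
    {"proto": "tcp", "src": "198.51.100.30", "sport": 80, "dport": 33001, "flags": "SA", "packets": 500},
    {"proto": "udp", "src": "198.51.100.23", "sport": 123, "dport": 41000, "flags": "", "packets": 900},
    {"proto": "udp", "src": "198.51.100.24", "sport": 53, "dport": 41001, "flags": "", "packets": 650},
    {"proto": "udp", "src": "203.0.113.50", "sport": 4444, "dport": 80, "flags": "", "packets": 300},
    {"proto": "gre", "src": "203.0.113.60", "sport": 0, "dport": 0, "flags": "", "packets": 1200},
]


def classify_flow(flow):
    """Label one inbound flow by how much its source address can be trusted."""
    proto = flow["proto"]
    if proto == "tcp":
        flags = set(flow["flags"])
        # A source that only sends SYNs never proved it received our SYN-ACK, and
        # a stream of SYN-ACKs is what TCP reflection looks like. Only a source
        # that went on to push data completed the handshake, so its address is
        # real (heuristic: S, A and P all seen in the flow).
        if {"S", "A", "P"} <= flags:
            return "tcp_established"
        return "tcp_unverified"
    if proto == "udp":
        return "udp_reflected" if flow["sport"] in REFLECTOR_PORTS else "udp_direct"
    if proto == "gre":
        # GRE has no handshake, so the transport itself does not verify the
        # source; attribution there needs other evidence (upstream flows, payload).
        return "gre"
    return "other"


def attributable_sources(flows):
    """Unique source addresses that completed a TCP handshake."""
    return sorted({f["src"] for f in flows if classify_flow(f) == "tcp_established"})


def reflectors_in_use(flows):
    """Reflection services seen, derived from the UDP source port."""
    return sorted({REFLECTOR_PORTS[f["sport"]] for f in flows if classify_flow(f) == "udp_reflected"})


def summarize(flows):
    """Packet totals per category, to see which traffic class dominates."""
    totals = Counter()
    for f in flows:
        totals[classify_flow(f)] += f["packets"]
    return dict(totals)


if __name__ == "__main__":
    print("attributable bots:", attributable_sources(SAMPLE_FLOWS))
    print("reflectors abused:", reflectors_in_use(SAMPLE_FLOWS))
    print("packets by class:", summarize(SAMPLE_FLOWS))
```

On real data the interesting output is the first list: the sources that completed handshakes are the compromised devices themselves, whereas the reflector list only tells you which third-party services were abused.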

Is this a sign that big DDOS is making a comeback or just a couple of isolated attacks?

UPDATE: It appears Akamai is not happy with the extra excitement hosting Brian Krebs' site is bringing them. Brian is looking for a new hosting provider.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

It looks like Yahoo! is the latest victim of a large-scale data breach. The released data appears to date back to at least 2014 and contains more than 500 million user accounts, so if you haven't changed your Yahoo! password in the last couple of years, it is time.

As one of the other ISC Handlers pointed out, not all Yahoo! customers may know they are Yahoo! customers. Yahoo! white-labels email services on behalf of ISPs and email providers. I assume those white-label providers will need to notify their customers as well?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
ImageMagick 'coders/psd.c' Heap Buffer Overflow Vulnerability
[SECURITY] [DSA 3673-1] openssl security update
ImageMagick CVE-2016-7513 Denial of Service Vulnerability
Exponent CMS Arbitrary Code Execution and File Upload Vulnerabilities
Google Chrome Logic Error Security Bypass Vulnerability


At least half a billion Yahoo accounts have been breached by what investigators believe is a nation-sponsored hacking operation. Attackers probably gained access to a wealth of holders' personal information, including names, e-mail addresses, phone numbers, birth dates, answers to security questions, and cryptographically protected passwords.

Yahoo Chief Information Security Officer Bob Lord dropped that bombshell announcement on Thursday afternoon, several hours after news site Recode reported the company was poised to disclose a compromise affecting several hundred million accounts. With at least 500 million accounts included in Yahoo's official statement, the breach is among the biggest ever to hit a single Web property.

"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our networks in late 2014 by what we believe is a state-sponsored actor," Lord wrote. "The account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers."


PHP 'ext/spl/spl_array.c' Use After Free Remote Code Execution Vulnerability
PHP 'ext/zip/php_zip.c' Use After Free Remote Code Execution Vulnerability
Multiple Huawei Products CVE-2016-8277 Denial of Service Vulnerability
Cisco Application Policy Infrastructure Controller Local Privilege Escalation Vulnerability
Fwd: BT Wifi Extenders - Cross Site Scripting leading to disclosure of PSK

In the security weeds? Yahoo won't yet comment. (credit: Neon Tommy)

[Update, 3:30 PM ET: Yahoo has revealed that "information associated with at least 500 million user accounts was stolen" in late 2014, and the company believes the data was stolen by a "state actor." See Dan Goodin's report on the breach for more details. Our original story continues below.]

In August, a dealer in stolen data who goes by the online moniker "Peace"—the person or persons who previously sold data from the accounts of MySpace and LinkedIn users—announced that the results of another "megabreach" were for sale. This time, it's the account information of 200 million Yahoo users. According to a report by Recode's Kara Swisher, Yahoo is preparing to confirm the four-year-old breach, potentially creating problems for the company's planned $4.8 billion acquisition by Verizon.

A previous examination of a sample of the data obtained by Motherboard was inconclusive. There have been a number of other claimed breaches of Yahoo's account data, including a claim of 40 million Yahoo accounts among a total of 272 million allegedly stolen credentials reported in May. But that data may just as easily have been stolen from other sources.


WordPress W3 Total Cache Plugin 'admin.php' Cross Site Scripting Vulnerability
Irssi Heap Buffer Overflow and Denial of Service Vulnerabilities
Fatek Automation PM Designer Remote Code Execution Vulnerability

As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).

The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP Status Request extensions. The remaining 13 issues are rated lower and include the SWEET32 attack on 64-bit block ciphers, an out-of-bounds write, malformed SHA512 handling, undefined-behaviour pointer arithmetic, and excessive allocation of memory.
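As an added check (example code, not from the ISC diary or the OpenSSL project), the snippet below decides whether a given OpenSSL version string already carries today's fixes and then checks the OpenSSL that the running Python interpreter is linked against. The cut-off releases (1.0.1u, 1.0.2i, 1.1.0a) are the ones named in the OpenSSL advisory of the same day; the function names and the sample banner strings are assumptions made for the example.

```python
# Added example (not from the ISC diary or OpenSSL): classify an OpenSSL version
# against the 22 September 2016 releases that shipped the fixes for CVE-2016-6304
# and the 13 lower-rated issues, then check the interpreter's own OpenSSL.
import re
import ssl

# First release of each supported branch that contains the fixes.
# 0.9.8 and 1.0.0 were already out of support and received no fix.
FIXED_IN = {(1, 0, 1): "u", (1, 0, 2): "i", (1, 1, 0): "a"}

# Matches "1.0.2h", "1.1.0", "0.9.8zh" inside banners such as
# "OpenSSL 1.0.2h  3 May 2016" (the output of `openssl version`).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, patch_letter) from a version string or banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def status(text):
    """'fixed', 'vulnerable' or 'unsupported' for the version in `text`."""
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    if branch in FIXED_IN:
        # The base release of a branch has no letter ("1.1.0") and sorts before
        # any lettered release; letters otherwise compare alphabetically.
        return "fixed" if letter >= FIXED_IN[branch] else "vulnerable"
    if branch > (1, 1, 0):
        # Any later branch was cut after these fixes landed.
        return "fixed"
    # 0.9.8 / 1.0.0: end-of-life before the advisory, never patched.
    return "unsupported"


def interpreter_status():
    """Status of the OpenSSL this Python is linked against."""
    return status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.2h  3 May 2016", "OpenSSL 1.0.2i  22 Sep 2016", "OpenSSL 1.1.0"):
        print(f"{banner!r}: {status(banner)}")
    print(f"this interpreter ({ssl.OPENSSL_VERSION}): {interpreter_status()}")
```

Run it against the output of `openssl version` on each host, or against the banner reported by whatever inventory tool you already have; the interpreter check matters because Python's own TLS stack may be linked against a different OpenSSL than the system binary.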

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Libav 'libavcodec/aacsbr.c' Divide-By-Zero Denial of Service Vulnerability
Drupal Core Multiple Access Bypass and Cross Site Scripting Vulnerabilities
IE11 is not following CORS specification for local files
JCraft JSch CVE-2016-5725 Directory Traversal Vulnerability
Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
[security bulletin] HPSBHF03646 rev.1 - HPE Comware 7 (CW7) Network Products running NTP, Multiple Remote Vulnerabilities
[slackware-security] irssi (SSA:2016-265-03)
[security bulletin] HPSBGN03645 rev.2 - HPE Helion OpenStack Glance, Remote Access Restriction Bypass, Unauthorized Access
[SECURITY] [DSA 3672-1] irssi security update
[slackware-security] pidgin (SSA:2016-265-01)
Libav 'ff_put_pixels8_xy2_mmx()' Function NULL Pointer Dereference Denial of Service Vulnerability