Hackin9

I was asked by a reporter a few days ago what I thought the top cybersecurity story of 2015 will be. 2014 saw some big stories, Target (and the myriad of PoS breaches), Heartbleed/Shellshock/et al, Sony...

Will it be the year people finally get serious about cybersecurity, or will the status quo prevail? Leave your thoughts in the comment section below and I will follow up next week.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The growth of malware families using algorithms to generate domains in 2014 has been somewhat substantial. For instance, P2P Gameover Zeus, Post-Tovar Zeus and Cryptolocker all used DGAs. The idea is that code generates domains (usually but not always) by taking some seed data and running it through some magic math to come up with a list of many domains per day. This allows the attacker to avoid static lists of domains for callbacks in their code and allows them additional flexibility to make takedowns a little more difficult. Instead of getting one domain suspended, now you have to get thousands suspended. And if you think the good guys are on to you, you can change your encryption seed and get a new list of domains.

That said, it's also a double-edged sword. If you can get the algorithm, you can proactively block an entire family in one fell swoop. Take, for instance, Hesperbot. Garage4Hackers has a nice write-up on how they reverse engineered the DGA and provide a helpful script at the end.

This particular DGA doesn't generate many domains, but it provides a good example. From the word go, you can simply dump the list of domains into RPZ or another DNS blocking technology. That's nice, but what if you wanted to do some threat intelligence ninjitsu instead?

You can take that list of domains, attempt to resolve them and then dump the active IPs and domains into a feed. Now you have data you can pivot off of, throw into CIF, or make available as OSINT to get mad love from your peers.

Currently I track 11 families this way and process about 200,000 domains every 10 minutes to generate feeds (my New Year's goal is to increase that tenfold). That brings an interesting scalability problem to the fore... how to look up that many hosts in parallel instead of serially. For that I use two Linux commands: parallel (self-explanatory) and adns-tools. Adns-tools is a suite that allows for asynchronous DNS lookups across many hostnames. As long as you have a friendly DNS resolver that doesn't mind your unmitigated, complete assault on its sensibilities, you're good to go.

Doing this allows patterns to emerge pretty quickly... usually it is the same IP addresses involved, typically they have a dedicated domain that does authoritative DNS for all the DGA-ized domains, and you can assess what nationality the actors are by what holidays they take from registering domains. :)

All for the price of learning a little bit of Python, you can set up a homebrew malware surveillance system.
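The pipeline described above (generate the day's DGA domains, resolve them in parallel, keep the live ones as a feed, then pivot on shared IPs), as an added example that is not the diary's own tooling: it uses a Python thread pool and the OS resolver in place of parallel and adns-tools, and the sample domains are constructed placeholders under the reserved .invalid TLD rather than real algorithm output. The `table_resolver` helper is an assumption for offline runs; the `family,domain,ip` line format is likewise a choice made here, not a CIF requirement.

```python
"""Resolve DGA-generated domains in parallel and turn the live ones into a feed.

Added example, not the diary's own tooling: it stands in for the
parallel + adns-tools pipeline the post describes, using Python's thread pool
and the system resolver instead. The domains below are constructed
placeholders, not output of a real DGA.
"""
import socket
import sys
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed sample input: the kind of list a DGA script emits for one day.
# The reserved .invalid TLD guarantees a live run never touches a real zone.
SAMPLE_DOMAINS = [
    "qzjhfkd.invalid",
    "lmwpteo.invalid",
    "bxcvnrs.invalid",
]


def resolve_system(domain):
    """Resolve one name with the OS resolver; return its IPv4 addresses (sorted) or []."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN / SERVFAIL / timeout: the domain is not live today
    return sorted({info[4][0] for info in infos})


def table_resolver(table):
    """Offline stand-in resolver backed by a dict domain -> [ips] (assumed helper for tests)."""
    return lambda domain: sorted(table.get(domain, []))


def build_feed(domains, resolver=resolve_system, workers=50):
    """Resolve many domains concurrently; return {domain: [ips]} for those that resolved."""
    feed = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map preserves input order, so zip pairs each answer with its domain
        for domain, ips in zip(domains, pool.map(resolver, domains)):
            if ips:
                feed[domain] = ips
    return feed


def pivot_by_ip(feed):
    """Invert the feed to {ip: [domains]}: IPs shared by many DGA domains are the pivots."""
    by_ip = defaultdict(list)
    for domain, ips in feed.items():
        for ip in ips:
            by_ip[ip].append(domain)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def format_feed(feed, family):
    """Render the feed as sorted 'family,domain,ip' lines (stable output for diffs and import)."""
    return sorted(f"{family},{domain},{ip}" for domain, ips in feed.items() for ip in ips)


if __name__ == "__main__":
    # Pipe a DGA script's output in on stdin; with no pipe, fall back to the sample list.
    if sys.stdin.isatty():
        domains = SAMPLE_DOMAINS
    else:
        domains = [line.strip() for line in sys.stdin if line.strip()]
    feed = build_feed(domains)
    for line in format_feed(feed, "hesperbot"):
        print(line)
    for ip, names in pivot_by_ip(feed).items():
        print(f"# {ip} hosts {len(names)} DGA domains")
```

Run it as `python dga_feed.py < domains.txt` against the list your DGA script produced; the `#` summary lines at the end are where the pattern the diary mentions shows up, since a handful of IPs usually answer for most of the live domains. The worker count is the knob that decides how hard you hit your resolver.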

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

 
 
Network Time Protocol CVE-2014-9296 Unspecified Security Vulnerability
 
[slackware-security] xorg-server (SSA:2014-356-03)
 
[slackware-security] php (SSA:2014-356-02)
 
[slackware-security] ntp (SSA:2014-356-01)
 
[oCERT-2014-011] UnZip input sanitization errors
 
Cisco Prime Infrastructure CVE-2014-8007 Password Disclosure Vulnerability
 
Cisco Enterprise Content Delivery System (ECDS) CVE-2014-8019 Arbitrary File Access Vulnerability
 
Network Time Protocol CVE-2014-9295 Multiple Stack Based Buffer Overflow Vulnerabilities
 

JPMorgan Chase was among five banks that were reported to have been hacked earlier this year, and details have emerged on how the hack took place.

When news first broke in August, it was believed that a zero-day Web server exploit was used to break into the bank's network. Now, however, The New York Times is reporting that the entry point was much more mundane: a JPMorgan employee had their credentials stolen.

This shouldn't have been a problem. JPMorgan uses two-factor authentication, meaning that a password alone isn't sufficient to log in to a system. Unfortunately, for an unknown reason one of the bank's servers didn't have this enabled. It allowed logging in with username and password alone, and this weak point in the bank's defenses was sufficient for hackers to break in and access more than 90 other servers on the bank's network.


 

After being hacked, threatened, chastised, and then apparently forgiven, beleaguered Sony Pictures is expected to announce that it will in fact go ahead with a theatrical and video-on-demand release of its hot-button film The Interview on Christmas Day, according to numerous sources (including the Twitter accounts of various theater chains).

The stoner comedy, which stars James Franco and Seth Rogen as reporters who are tasked with killing North Korean "dear leader" Kim Jong-un in a weed-fueled assassination plot, was originally shelved by Sony Pictures after the "Guardians of Peace" group claiming responsibility for Sony Pictures’ hack made terrorist-style threats against theaters that dared to show the movie. However, The Wrap now claims that Sony Pictures has fully recanted and will make an announcement today about a Christmas Day theatrical release for The Interview, as well as distribution on an unspecified video-on-demand service.

It’s unknown if Sony Pictures’ decision has anything to do with the statement issued last Friday by Guardians of Peace consenting to the movie’s release—on the condition that the scene in which Kim Jong-un is actually killed be excised (or at least toned down so that it isn’t "too happy;" the exact intent of the language is unclear).


 

Most OS X security updates are issued alongside other fixes via the Software Update mechanism, and these require some kind of user interaction to install—you've either got to approve them manually or tell your Mac to install them automatically. Apple does have the ability to quietly and automatically patch systems if it needs to, however, and it has exercised that ability for the first time to patch a critical flaw in the Network Time Protocol (NTP) used to keep the system clock in sync.

This security hole became public knowledge late last week and affects all operating systems running versions of NTP4 prior to 4.2.8. When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system. If you allow your system to "install system data files and security updates" automatically (checked by default), you've probably already gotten the update and seen the notification above. If not, Mountain Lion, Mavericks, and Yosemite users should use Software Update to download and install the update as soon as possible. The flaw may exist in Lion, Snow Leopard, and older OS X versions, but they're old enough that Apple isn't providing security updates for them anymore.

While this was the first time this particular auto-update function has been used, Apple also automatically updates a small database of malware definitions on all Macs that keeps users from installing known-bad software. That feature, dubbed "XProtect," was introduced in Snow Leopard in response to the Mac Defender malware and has since expanded to include several dozen items.


 
LinuxSecurity.com: New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New xorg-server packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Multiple vulnerabilities have been found in PowerDNS Recursor, the worst of which may allow execution of arbitrary code.
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: A vulnerability in sendmail could allow a local attacker to obtain sensitive information.
 

Infosec: More than reindeer games
Help Net Security
As CEO of XMAS Inc., the leading manufacturing and shipping enterprise, you face extraordinary pressure to deliver joy on Christmas morning to billions of kids around the world. In fact, it's hard to think of any other top business leader who is ...
