Information Security News
by Cyrus Farivar
On Tuesday, WikiLeaks published five top secret documents definitively showing that the National Security Agency has been spying on French President François Hollande, and his two immediate predecessors, Nicolas Sarkozy, and Jacques Chirac, among other top officials.
The documents, as WikiLeaks released them, include excerpts of five intelligence briefs, that contain descriptions of what was intercepted, "taken from various editions of the National Security Agency's Top Secret Global SIGINT Highlights executive briefings." This wording suggests that WikiLeaks has even more complete intelligence briefs that it did not publish, an unusual move for the group. WikiLeaks also published a chart showing a list of redacted phone numbers of those officials.
One, dated March 24, 2010, includes notes from a conversation between two top French officials:
Posted by InfoSec News on Jun 23http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/
-Kevin -- ISC Handler on Duty(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Sean Gallagher
Despite reaching its official end of life over a year ago, Microsoft's Windows XP is still bringing the company some significant revenue—largely because Department of Defense and government customers can't seem to get rid of it. And the Navy is one of Microsoft's best custom-support customers.
The US Navy's Space and Naval Warfare Systems Command (SPAWAR) has closed a $9.1 million contract extension with Microsoft that the agency originally announced in April to further extend custom support for the venerable Windows XP operating system, as well as the Office 2003 suite and Exchange 2003 e-mail. According to a Navy contracting announcement, "Across the United States Navy, approximately 100,000 workstations currently use these applications. Support for this software can no longer be obtained under existing agreements with Microsoft because the software has reached the end of maintenance period."
The renewal, according to SPAWAR officials, will buy the Navy "time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities." Many of the systems are in shipboard administrative networks that have not been available for extended periods of maintenance; the Navy is also playing catch-up on its land-based network upgrades as the result of the long delays in the service's Next Generation Network (NGEN) contract—the follow-up to the outsourced Navy and Marine Corps Intranet (NMCI).
Posted by InfoSec News on Jun 23http://www.networkworld.com/article/2939254/the-us-navys-warfare-systems-command-just-paid-millions-to-stay-on-windows-xp.html
Posted by InfoSec News on Jun 23http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/
Posted by InfoSec News on Jun 23http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/index.html
Posted by InfoSec News on Jun 23http://www.csoonline.com/article/2936175/security-leadership/do-cruises-and-clouds-help-security-pros-relax-on-vacation.html
Posted by InfoSec News on Jun 23http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html
Posted by InfoSec News on Jun 23Forwarded from: Antriksh Shah <antriksh (at) payatu.com>
I have struggled over the past recent months with a clients environment becoming infected and reinfected with an XOR DDOS trojan. The disruption and reinfection rates were costly at times. The client in question is asmall business with limited resources. Since the systems would get reinfected, a baited system was eventually put into place to determine the incoming vector. It was not proven, but believed that ssh brute force was the incoming vector of attack. Once the attackerswere onto the server, a root kit trojan was used. A very intelligent one. I highly recommend that anyone that gets nabbed by this trojan or one like it reinstall your operating system as soon as possible and executemy prevention steps outlined below.
However, there are some circumstances that require mitigation before available resources can be used for reinstall/replacement and prevention measures. The client was in a situation where taking the system offline was not an immediate option. I placedsome really great links below.    Theyreview, analyze and fully confirm what wewere experiencing was the same. There were some minor differences. However, they never really offered a short term mitigation path to follow. Only somewhere in a comment on a forum (possibly one of the three articles below), did someone make a suggestion to change the file/directory attributes to assist in mitigation. It was only a suggestion with no further follow-up. Mitigation of this trojanwas difficult as it was intelligent enough to always restart when it was killed, which includedhelp from crontab entries every three minutes.">The victim server was CentOS 6.5 system with a basic LAMP setup, that offered ssh and VSFTP services. Iptables was in use, but NOT SELinux. It is my untested claim that SELinux likely would have prevented this trojan from taking hold. I am not an SELinux user/expert so I was unable to take time to add it to this environment. ">/lib/libgcc4.so . This exe was perpetuatedvia cron"> /etc/crontab every three minutes. ">(*/3 * * * * root /etc/cron.hourly/udev.sh )
If crontab gets cleaned and an executable is still running, then the crontab will be repopulated on Friday night around midnight. ">/etc/init.d/* . ">ls -lrt /etc/init.d/* to discover some evidence. ">top utility, you can determine how many are running. If the startups are deleted, then more executables and startup scripts will be created and begin to run as well.
The malware itself was used as a DDOSagent. It took commands from a CC. The IP addresses it would communicate with were available from the strings output of the executable. When the malware agentwas called into action, the entire server and local pipe was saturated and consequently cut off from service.
The following steps were taken for mitigation. ">chattr command. ">/lib directories were helpful in preventing the malware from repopulating. I put together the following for loop script and added the following IP addresses to IP tables to drop all communication. The for loop consists of clean up of four running processes. ">PID">kill command. ">for f in zyjuzaaame lcmowpgenr belmyowxlc aqewcdyppt
mv /etc/init.d/$f /tmp/ddos/
rm -f /etc/cron.hourly/udev.sh
rm -f /var/run/udev.pid
mv /lib/libgcc4.so /tmp/ddos/libgcc4.so.$f
chattr -R +i /lib
chattr -R +i /etc/init.d
">IP Addresses to drop all traffic: ">18.104.22.168 ">Prevention
I now keep the immutable bit set on /lib on a clean system. It turn it off before patching and software installs, in the event the /lib directory is needed for updating.
I also recommend installing fail2ban and configuring it to watch many of your services. I have it currently watching apache logs, ssh, vsftp, webmail, etc. It really seems to be hitting the mark for prevention. There is a whitelist feature to ignore traffic from a given IP or IP range. This helps to keep the annoying customers from becoming a nag.
If you have experienced anything like the above, then please feel free to share. This analysis is only scratching the surface. The links below do a much deeper dive on this piece of malware.
ISC Handler on Duty