Hackin9

InfoSec News


Organisations need to consider the internal as well as external threats to ...
SYS-CON Media (press release) (blog)
DigitalPersona® conducted a survey of nearly 400 IT professionals at InfoSec 2012, highlighting a startling trend - of the 380 respondents, 61% believed that the majority of security breaches are a result of unintentional user activity, ...

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Most of the jurors in the Oracle v Google trial thought Google's use of 37 Java APIs in Android should be allowed under the doctrine of fair use, one of the jurors revealed Wednesday after the trial had ended.
 
Next-generation CIOs will have to consider how technology affects other corporate departments as well as handle traditional IT management functions, especially those accompanying mobile device management and greater data analysis, according to panelists who spoke at the MIT Sloan CIO Symposium in Cambridge, Massachusetts.
 
Expanding beyond its scientific and engineering number-crunching software, Mathematica maker Wolfram Research released a desktop application for full-scale system modeling and simulation.
 
Google's Android operating system does not infringe Oracle's Java patents, a jury in San Francisco found Wednesday in a setback for Oracle.
 
Hewlett-Packard will trim 27,000 employees as part of its long-term restructuring plan, the company said Wednesday when it announced quarterly financial results.
 
PC malware had its "busiest quarter in recent history," according to McAfee's quarterly security report released Wednesday.
 
Project will share data on malware targeting the Android platform. It has collected 1,200 Android malware samples.

 
Wireshark DIAMETER Dissector Denial of Service Vulnerability
 
Wireshark Multiple Dissector Denial of Service Vulnerabilities
 
Wireshark Misaligned Memory Denial of Service Vulnerability
 
 
Microsoft yesterday promised that a feature it's added to Windows 8 will put a stop to endless reboots.
 
U.S. President Barack Obama has ordered all major government agencies to make two key services available on mobile phones within a year, in an effort to embrace a growing trend toward Web surfing on mobile devices.
 

Execs to Study Cyber Security in New NYU-Poly Master's Degree Track
Sacramento Bee
NYU-Poly's cyber security curriculum meets the National Training Standards NSTISSI-4011 (National Training Standard for Information Systems Security — INFOSEC — Professionals), CNSSI-4013 (National Information Assurance Training Standard for System ...

 
Less than a week after Facebook's initial public offering, the social networking firm's new shareholders Wednesday filed a class action lawsuit against the company, CEO Mark Zuckerberg and Morgan Stanley.
 
An Ohio startup company has raised $200 million to fund gigabit-per-second broadband projects in six university communities across the U.S.
 
feedparser CVE-2012-2921 Denial of Service Vulnerability
 
Taking a step into the social media marketing industry, Oracle is purchasing Vitrue, the two companies announced Wednesday.
 
There is a fair amount of chatter in Microsoft forums regarding problems caused by recent Microsoft patches. [1][2][3][4] From what I can gather, users are repeatedly being prompted to reinstall 3 older .NET patches on some OS distributions. It looks like MS12-035 was intended to replace 3 older patches, MS11-044, MS11-078 and MS12-016, and something isn't quite right. You may want to hold off deploying that patch until we know more.
Thanks to Dave (ToyMaster) for the heads up and hard work researching the issue. I think he has a blog post pending [5] that will explain the issue in more detail. I'll keep you updated here as I learn more.
Do you have any more information for us? Leave me a comment or contact us via the handler contact page.
Mark Baggett
@MarkBaggett
http://www.indepthdefense.com

[1] http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/2f0bbb7d-fc28-4c32-bf63-54cf5a6615d2
[2] http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/c7934c6f-0acd-4793-b222-e840eb61b3a6
[3] http://msmvps.com/blogs/bradley/archive/2012/05/21/hang-loose-until-someone-in-redmond-wakes-up-and-fixes-microsoft-update.aspx
[4] http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_update/kb2633880-kb2518864-kb2572073-installed-but-not/e6ecef19-5551-4925-9d74-43813ba04d3a
[5] http://home.comcast.net/~itdave/site/


 
Project will share data on malware targeting the Android platform. It has collected 1,200 pieces of Android malware.

 
Seagate today announced plans to acquire LaCie, a French maker of external consumer hard drive products, in an all-cash deal worth about $186 million.
 
Google yesterday revealed that the two researchers who cracked Chrome in March at the company's inaugural "Pwnium" hacking contest used a total of 16 zero-day vulnerabilities to win $60,000 each.
 

Organisations need to consider the internal as well as external threats to ...
RealWire (press release)
DigitalPersona® conducted a survey of nearly 400 IT professionals at InfoSec 2012, highlighting a startling trend - of the 380 respondents, 61% believed that the majority of security breaches are a result of unintentional user activity, ...

 

Execs to Study Cyber Security in New NYU-Poly Master's Degree Track
MarketWatch (press release)
NYU-Poly's cyber security curriculum meets the National Training Standards NSTISSI-4011 (National Training Standard for Information Systems Security -- INFOSEC -- Professionals), CNSSI-4013 (National Information Assurance Training Standard for System ...

 
Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability
 
Using overlapping IP fragmentation to avoid detection by an IDS has been around for a long time. We know how to solve this problem. The best option in my opinion is to use a tool such as OpenBSD's pf packet filter [1] to scrub our packets, eliminating all the fragments (pfSense [2] makes this easy to deploy). However, this option is not without its caveats [3]. You could simply configure your IDS to alert on and/or drop any overlapping fragmented packets; overlapping fragments should not exist in normal traffic. Another option is to configure the IDS to reassemble the packets the same way the endpoint reassembles them. Snort's frag3 preprocessor will reassemble the packets based on the OS of the target IP and successfully detect any fragmented attacks that would work against a given target host. Problem solved, right? There is another opportunity for attackers to use differences in fragment reassembly engines to their advantage. What happens when the IDS analyst turns to their full packet capture to understand the attack? If the analyst's tools reassemble the packets differently than the target OS does, the analyst may incorrectly dismiss a TRUE positive as a FALSE positive.

Today, with the low cost of disk drives, more and more organizations can afford to maintain full packet captures of everything that goes in and out of their network. If you are not running full packet capture, you really should look into it. I don't think there is a better way to understand attacks on your network than having full packet captures. One great option is to install Daemonlogger [4] on the Linux/BSD distribution of your choice. This was an option I used for many years. Today, I use the Security Onion distro [5] by Doug Burks. If you want a free IDS with full packet capture that you can quickly and easily deploy, Security Onion is a great option.
Once you have the full packet capture, how do you find the fragmented attacks? You could try reassembling them with Wireshark. Let's check that out and see what happens. Security Onion has scapy installed so let's use that to generate some overlapping fragments. I'll generate the classic overlapped fragment pattern illustrated by the paper Active Mapping: Resisting NIDS Evasion Without Altering Traffic by Umesh Shankar and Vern Paxson [6] and then further explained in Target Based Fragmentation Assembly by Judy Novak [7].

Now open up our fragmentpattern.pcap with Wireshark and see what we see.

If you compare the reassembled pattern to what was outlined in Judy Novak's paper you will recognize the BSD reassembly pattern. So you will see all the attack packets that are targeted at a host using the BSD reassembly methodology, but not ones targeted at the other reassembly policies (First, Last, BSD-Right and Linux). You would not see overlapping fragmentation attacks targeted at Windows or Linux hosts. However, Security Onion now (as of build 20120518 [8]) has a Python script called reassembler.py. If you provide reassembler.py with a pcap that contains fragments, it will reassemble the packets using each of the 5 reassembly engines and show you the result. It will even write the 5 versions of the packets to disk so you can examine binary payloads as the target OS would see them. Let's see what reassembler does with the fragmented packets we just created.

Now you can see exactly what the IDS saw and make the correct decision when analyzing your packet captures. If using the Onion isn't an option for you, you can download reassembler.py directly from my SVN at http://baggett-scripts.googlecode.com/svn/trunk/reassembler/. How do you handle this? What are some other ways to solve this problem? Leave a comment.
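To see why the analyst's tool has to reassemble the way the target does, here is an added example (written for this page, not the diary's scapy script or Security Onion's reassembler.py) that applies the five policies from Novak's paper [7] to a constructed fragment train. The offsets and letters are made up, and the policies are modelled the way the kernels trim fragments: a stored fragment keeps the offset of its first surviving byte, while the subsequent fragment is compared using its original offset.

```python
"""Target-based IP fragment reassembly: the five policies from Novak's paper [7].
Constructed example, not Security Onion's reassembler.py; the train below is made up."""

POLICIES = ("first", "last", "bsd", "bsd-right", "linux")

# Constructed train in arrival order: (byte offset, payload). One letter per
# fragment so the winner of every overlap is visible in the reassembled buffer.
FRAGMENTS = [
    (0, b"A" * 24),   # bytes 0-23
    (16, b"B" * 16),  # 16-31: overlaps the tail of A
    (32, b"C" * 16),  # 32-47
    (32, b"D" * 8),   # 32-39: same offset as C
    (24, b"E" * 16),  # 24-39: overlaps B's tail and the head of C/D
    (48, b"F" * 8),   # 48-55: no overlap
]

def new_wins(policy, old_off, new_off):
    """Does the subsequent fragment overwrite a stored one? old_off is the stored (trimmed) offset."""
    return {"first": False,                       # Windows/SunOS: original always kept
            "last": True,                         # Cisco IOS: subsequent always wins
            "bsd": new_off < old_off,             # original kept when its offset <= new
            "bsd-right": old_off <= new_off,      # mirror image of BSD
            "linux": new_off <= old_off}[policy]  # original kept only when offset < new

def cut(off, data, lo, hi):
    """Parts of fragment (off, data) that lie outside the byte range [lo, hi)."""
    end = off + len(data)
    if end <= lo or off >= hi:
        return [(off, data)]
    return ([(off, data[:lo - off])] if off < lo else []) + \
           ([(hi, data[hi - off:])] if end > hi else [])

def reassemble(fragments, policy):
    """Return the payload as a host using `policy` would reassemble it."""
    chain = []  # sorted, non-overlapping stored fragments
    for n_off, n_data in fragments:
        pieces, kept = [(n_off, n_data)], []
        for f_off, f_data in chain:
            if new_wins(policy, f_off, n_off):  # stored fragment loses the overlap
                kept += cut(f_off, f_data, n_off, n_off + len(n_data))
            else:                               # new fragment loses the overlap
                kept.append((f_off, f_data))
                pieces = [p for q in pieces for p in cut(*q, f_off, f_off + len(f_data))]
        chain = sorted(kept + pieces)
    out, pos = b"", 0
    for off, data in chain:  # a hole (lost fragment) shows up as '?'
        out, pos = out + b"?" * (off - pos) + data, off + len(data)
    return out
```

Calling reassemble(FRAGMENTS, p) for each p in POLICIES gives five different payloads from the same six fragments, which is the disagreement between Wireshark's BSD-style view and the target host that the diary describes.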


Security Onion creator Doug Burks and I are teaching together in Augusta GA June 11th - 16th. Come take SEC503 Intrusion Detection In-Depth from Doug or SEC560 Network Penetration Testing and Ethical Hacking from me BOOTCAMP style! Sign up today! [9]
Mark Baggett
@MarkBaggett
http://www.indepthdefense.com
[1] http://www.freebsd.org/doc/handbook/firewalls-pf.html
[2] http://www.pfsense.org/
[3] http://sysadminadventures.wordpress.com/2010/11/02/why-pfsense-is-not-production-ready/
[4] http://www.snort.org/snort-downloads/additional-downloads
[5] http://securityonion.blogspot.com/
[6] http://www.icir.org/vern/papers/activemap-oak03.pdf
[7] http://www.snort.org/assets/165/target_based_frag.pdf
[8] http://securityonion.blogspot.com/2012/05/security-onion-20120518-now-available.html
[9] http://www.sans.org/community/event/sec560-augusta-jun-2012

 
An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday.
 
VMware has acquired Wanova, a developer of software used to centralize and simplify image management on physical and virtual desktops, the company said Tuesday.
 
The U.S. Department of Justice said Tuesday it was looking into the unauthorized access of a website server in its statistics wing, after hacker group Anonymous claimed to have collected and released 1.7GB of data from it.
 
Lenovo's net profit for its fiscal fourth quarter grew by 59 percent, as the world's second largest PC maker saw continued growth in sales across both mature and emerging markets.
 

Posted by InfoSec News on May 23

https://www.computerworld.com/s/article/9227387/Banking_malware_spies_on_victims_by_hijacking_webcams_microphones_researchers_say

By Lucian Constantin
IDG News Service
May 22, 2012

A new variant of SpyEye malware allows cybercriminals to monitor
potential bank fraud victims by hijacking their webcams and microphones,
according to security researchers from antivirus vendor Kaspersky Lab.

SpyEye is a computer Trojan horse that specifically...
 

Posted by InfoSec News on May 23

http://www.wired.com/threatlevel/2012/05/nsa-college-students/

By Kim Zetter
Threat Level
Wired.com
May 22, 2012

The National Security Agency is partnering with select universities to
train students in cyber operations for intelligence, military and law
enforcement jobs, work that will remain secret to all but a select group
of students and faculty who pass clearance requirements, according to
Reuters.

The cyber-operations curriculum is...
 

Posted by InfoSec News on May 23

http://news.techworld.com/security/3359074/security-vulnerability-reporting-framework-upgraded-for-researchers/

By John E Dunn
Techworld
21 May 2012

The security industry’s Common Vulnerability Reporting Framework (CVRF)
framework for reporting and sharing security vulnerabilities in a
machine-readable format has been given a promised revamp to make it
easier to use for third-party researchers.

Managed by industry body, the Industry...
 

Posted by InfoSec News on May 23

http://arstechnica.com/security/2012/05/anatomy-of-a-hack-6-separate-bugs-needed-to-bring-down-google-browser/

By Dan Goodin
Ars Technica
May 22 2012

An exploit that fetched a teenage hacker a $60,000 bounty targeted six
different security bugs to break out of the security sandbox fortifying
Google's Chrome browser.

The extreme lengths taken in March by a hacker identified only as Pinkie
Pie underscore the difficulty of piercing this...
 

Posted by InfoSec News on May 23

http://www.csoonline.com/article/706824/new-white-house-cybersecurity-chief-largely-an-unknown

By Taylor Armerding
CSO
May 21, 2012

Named late last week to replace Howard Schmidt as the top White House
cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office
of Management and Budget (OMB) and has been its intelligence branch
chief for the past 11 years. But he has stayed largely under the radar,
even in the cybersecurity...
 

Enigma Machine Original Demonstrated At Conference
ITProPortal
A real-life enigma machine used in World War II was on display at the Earls Court InfoSec Conference. Dr James Grime of Cambridge University explained how the iconic device was used by Nazi Germany to send secret messages during the conflict.

 
Riverbed Steelhead with RiOS 7 takes a huge bite out of UDP, video, and VDI traffic over the WAN, adding to its excellent TCP and file access optimizations
 
Physicians who use social networks to share clinical experiences risk violating patient privacy. A niche industry of private social network providers has cropped up to address the desire to communicate.
 
Google on Tuesday hauled out a tool it last used nearly a year ago to warn users infected with the "DNSChanger" malware.
 
Microsoft Windows Local Privilege Escalation Vulnerability
 