(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco Identity Services Engine CVE-2016-1485 Cross Site Scripting Vulnerability
 
Fortinet FortiGate Cookie Parser Buffer Overflow Vulnerability
 
Huawei Policy Center Cross Site Scripting Vulnerability
 
GnuPG and Libgcrypt CVE-2016-6313 Local Predictable Random Number Generator Weakness
 
Huawei AnyOffice SecureApp Remote Denial of Service Vulnerability
 
Huawei E9000 Chassis CVE-2016-6898 XML External Entity Injection Vulnerability
 
From an upcoming paper laying out a new attack against 64-bit block ciphers used by HTTPS and OpenVPN. (credit: Karthikeyan Bhargavan and Gaëtan Leurent)

Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet's HTTPS traffic and could affect about 600 of the Internet's most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in.

The attack isn't particularly easy to carry out because it requires an attacker to have the ability to monitor traffic passing between the end user and one of the vulnerable websites and to also control JavaScript on a webpage loaded by the user's browser. The latter must be done either by actively manipulating an HTTP response on the wire or by hosting a malicious website that the user is tricked into visiting. The JavaScript then spends the next 38 hours collecting about 785GB worth of data to decrypt the cookie, which allows the attacker to log into the visitor's account from another browser. A related attack against OpenVPN requires 18 hours and 705GB of data to recover a 16-byte authentication token.

Impractical no more

Despite the difficulty of carrying out the attack, the researchers said it works in their laboratory and should be taken seriously. They are calling on developers to stop using legacy 64-bit block ciphers. For Transport Layer Security, the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric-key cipher; for OpenVPN it means retiring the symmetric-key cipher known as Blowfish. Ciphers with larger block sizes, such as AES, are immune to the attack.
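Why the block size decides the outcome is the birthday bound: under one key, after roughly 2^(b/2) encrypted b-bit blocks two ciphertext blocks are likely to repeat, and in CBC mode a repeat leaks the XOR of the corresponding plaintexts. The following is an added example, not code from the article or the paper, that computes that bound for 64-bit (3DES, Blowfish) and 128-bit (AES) blocks; the generic bound it prints is a floor, and the article's 785GB figure is for the practical attack, which needs a collision involving the secret cookie block.

```python
import math

# Birthday bound for a b-bit block cipher in a mode such as CBC: once about
# 2^(b/2) blocks have been encrypted under one key, two ciphertext blocks are
# likely to repeat, and a repeat leaks the XOR of the two plaintext blocks.
# 3DES and Blowfish have b = 64; AES has b = 128.


def collision_probability(block_bits: int, n_blocks: float) -> float:
    """P[at least one repeated block among n_blocks random b-bit blocks].

    Standard approximation: 1 - exp(-n^2 / 2^(b+1)).
    """
    return 1.0 - math.exp(-(n_blocks ** 2) / 2 ** (block_bits + 1))


def blocks_for_probability(block_bits: int, p: float) -> float:
    """Invert the approximation: blocks needed for a collision with probability p."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.sqrt(2 * 2 ** block_bits * math.log(1 / (1 - p)))


def bytes_for_probability(block_bits: int, p: float) -> float:
    """Ciphertext volume (bytes) under one key before a collision has probability p."""
    return blocks_for_probability(block_bits, p) * (block_bits // 8)


def compare_block_sizes(p: float = 0.5) -> dict:
    """Traffic needed for a collision with probability p, per cipher family."""
    families = {"3DES/Blowfish (64-bit)": 64, "AES (128-bit)": 128}
    return {name: bytes_for_probability(bits, p) for name, bits in families.items()}


if __name__ == "__main__":
    for name, n_bytes in compare_block_sizes().items():
        print(f"{name}: ~{n_bytes / 1e9:,.1f} GB under one key for a 50% collision chance")
    # 2^32 blocks of 3DES is only 32 GB, yet a collision is already ~39% likely:
    print(f"P(collision | 2^32 64-bit blocks) = {collision_probability(64, 2 ** 32):.3f}")
```

Run it to see that the 64-bit figure is tens of gigabytes, a volume a browser can generate in hours, while the 128-bit figure is larger by a factor of 2^33.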


 

(credit: The Last Ship, Warner Bros Television)

A massive leak of documents on India’s new military submarines from French shipbuilder DCNS is the result of a hack, the country's defence minister said on Wednesday.

Manohar Parrikar claimed, according to local reports, that the complete designs of its Scorpene submarines had not been disclosed. “First step is to identify if it's related to us, and anyway it's not all 100 percent leak,” he was quoted as saying.

The documents were made public by The Australian on Tuesday, which described the breach as an “Edward Snowden-sized leak.”


 
WordPress Mail Masta Plugin 'count_of_send.php' Local File Include Vulnerability
 
Linux Kernel 'ovl_copy_up_locked()' Local Denial of Service Vulnerability
 
WordPress Zero Spam Plugin SQL Injection Vulnerability
 
YoruFukurou CVE-2016-4852 Denial of Service Vulnerability
 
 

When responding to incidents, it's easy to go down a rabbit hole that likely won't produce answers to the questions we are always after: How did the attacker get in? What information is contained on the system? And what information was accessed?

To streamline analysis we need to determine what information is most useful for each incident classification. This gives more flexibility to SOPs by pulling these into a methodology that depends on the investigation. Rather than adding these processes over and over into different procedure documents (which may not all get updated), you can link to one process from the methodology.

Additionally, you can chart out specific items (e.g. determine the logged-in username for a computer), similar to the SANS forensics poster, for where to get specific data on user activity. (P is the primary source; S is secondary.)



Does anyone else use a similar process or have a better one? Leave a comment.

--

Tom Webb

@twsecblog

 
nullcon 8-bit Call for Papers is open
 
[slackware-security] gnupg (SSA:2016-236-01)
 
Internet Storm Center Infocon Status