Government News

SHOCK HORROR: Oz's biggest govt agencies to miss infosec deadline
Australia's largest government agencies will miss a July deadline to implement even basic information security controls. The Australian National Audit Office's (ANAO's) annual report says that the country's biggest government agencies won't deploy ...
Federal agencies miss mandatory infosec deadline: ANAO
Government News


A new update has been released: http://www.vmware.com/security/advisories/VMSA-2014-0007.html  It addresses some Struts issues.  

http://www.vmware.com/security/advisories/VMSA-2014-0006.html has also been updated (this was the OpenSSL update).  


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Looking at DNS traffic, it looks like it has been a busy month, but traffic seems to have dropped off. 

Port 53 as a target has dropped off, and during June there was an increase in traffic with a source port of 53, something that we've seen on various IDS.  We see one of two types of packets.  The first is an ANY request for a particular domain with the packet size set to 65535 and a spoofed source IP (i.e. the target).  That accounts for the traffic to port 53.  

The second type of request we see is from port 53, typically with random source ports and typically to a number of servers in the target network.  The only thing that changes is often the query ID.  So these are likely attempts to poison the cache.  

The third type we see is DNS requests to check for open resolvers, and a final type of query we see a lot of is DNS queries with HTTP elements in the traffic.  

There are a few things I'm interested in: what caused the drop-off for port 53 as the target, what DNS queries you are seeing targeting your environment, and, if you can share, the actual request itself.  


Mark H

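The two packet patterns described in the diary above, as an added example that is not part of the diary or of the ISC's own tooling: a small Python detector that parses raw DNS messages (header, first question, EDNS0 OPT record) and flags (a) ANY queries that carry an EDNS0 UDP payload size of 65535, the amplification pattern in which the spoofed source address is the victim, and (b) bursts of responses from source port 53 to one resolver for one name where only the transaction ID varies, the cache-poisoning pattern. The packets are constructed by the script itself using RFC 5737 documentation addresses, not captures; the resolver address 198.51.100.53, the burst threshold of three and the requirement that every ID in the burst differ are assumptions made for this example.

```python
import struct
from collections import defaultdict

QTYPE_A, QTYPE_ANY, TYPE_OPT = 1, 255, 41


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns(txid, qname, qtype, response=False, edns_udp=None):
    """Build a minimal DNS message: header, one question, optional EDNS0 OPT record.
    Responses carry no answer RRs here; the detector only needs header and question."""
    flags = 0x8180 if response else 0x0100          # QR+RD+RA for a response, RD for a query
    arcount = 0 if edns_udp is None else 1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp is not None:
        # OPT pseudo-RR: root name, TYPE 41; its CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp, 0, 0)
    return msg


def decode_name(msg, off):
    """Decode a wire-format name at off; follows compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_dns(msg):
    """Parse header, first question and the EDNS0 UDP payload size, if an OPT RR is present."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns_udp = None
    for _ in range(an + ns + ar):                    # walk remaining RRs looking for OPT
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_udp = rclass
    return {"id": txid, "qr": (flags >> 15) & 1, "qname": qname, "qtype": qtype, "edns_udp": edns_udp}


def classify(packets, poison_burst=3):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples.
    Returns {packet_index: verdict} for packets matching one of the two patterns."""
    verdicts = {}
    replies = defaultdict(list)                      # (dst_ip, qname) -> [(index, txid)]
    for i, (_sip, sport, dip, dport, payload) in enumerate(packets):
        d = parse_dns(payload)
        if not d["qr"] and dport == 53 and d["qtype"] == QTYPE_ANY and d["edns_udp"] == 65535:
            # ANY query asking for the largest possible UDP reply: the amplification pattern
            verdicts[i] = "amplification-probe"
        elif d["qr"] and sport == 53:
            replies[(dip, d["qname"])].append((i, d["id"]))
    for _key, items in replies.items():
        ids = {txid for _, txid in items}
        # a burst of replies for one name to one host where only the transaction ID varies
        if len(items) >= poison_burst and len(ids) == len(items):
            for i, _ in items:
                verdicts[i] = "poison-attempt"
    return verdicts


# Constructed sample traffic (RFC 5737 addresses); 198.51.100.53 plays the monitored resolver.
SAMPLE_PACKETS = [
    # spoofed ANY query with EDNS0 payload 65535; the source address is the intended victim
    ("192.0.2.10", 40001, "198.51.100.53", 53, build_dns(0x1234, "example.com", QTYPE_ANY, edns_udp=65535)),
] + [
    # four responses from port 53 for one name to random high ports; only the ID changes
    ("203.0.113.7", 53, "198.51.100.53", 51000 + k, build_dns(0x1000 + k, "www.example.org", QTYPE_A, response=True))
    for k in range(4)
] + [
    # an ordinary A query with the usual 4096-byte EDNS0 payload, which should not be flagged
    ("198.51.100.20", 52000, "198.51.100.53", 53, build_dns(0x5555, "www.example.net", QTYPE_A, edns_udp=4096)),
]

if __name__ == "__main__":
    for i, verdict in sorted(classify(SAMPLE_PACKETS).items()):
        print(i, verdict, SAMPLE_PACKETS[i][0], "->", SAMPLE_PACKETS[i][2])
```

To run it over real traffic, feed classify() the (src, sport, dst, dport, UDP payload) tuples from a capture. The poisoning heuristic is deliberately loose: a resolver under load retransmitting the same query can also produce a run of replies with differing IDs, so a production rule should additionally match each reply against outstanding queries and treat the unsolicited ones as the signal.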

SPAM, SPAM, SPAM. It never fails to entertain.  

Like most of you, I get my fair share of SPAM, and like a number of you I will happily click links (not a recommendation) and follow the little yellow brick road to whatever malware or "sales" opportunity presents itself.  This one was just a bit more random than others I've received lately.  

A quote for a home security system: great, I need one of those; the dog is just not interested in chasing away strangers who walk up to the house.  Following the link, I end up on the following page, after a redirect from the libbean page. 

OK, not quite the home security system I was hoping for, but I like a game as much as the next guy.  Unfortunately, hitting the "download for free" button I didn't get the promised flappy birds, but ended up here instead.


Now I don't know if Vox software is just a random landing page or the SPAM run was commissioned. If the latter, there are organisations that have no problem with using SPAM for "legitimate" advertising, or they are just not aware.  Not quite sure which is worse.  

So every now and then SPAM does have some entertainment value, at least to me. I didn't get the home security system I was promised though, nor a fun game to play. Ah well. 


Mark H


On Twitter, it was billed as Qatif Today, a legitimate Android app that provides news and information in Arabic with a focus on the Qatif governorate of Saudi Arabia. But in fact, the shortened link came with a hidden extra—an advanced trojan wealthy nation states use to spy on criminal suspects and political dissidents.


Citizen Lab, the University of Toronto group that monitors government surveillance in the digital age, analyzed the recently discovered instance of the fake Qatif Today app in a blog post headlined Police Story: Hacking Team’s Government Surveillance Malware. The account provides a rare glimpse into malware developed by "Hacking Team," a highly secretive outfit based in Italy that charges governments top dollar for extremely stealthy spyware that's often referred to as a "lawful intercept" program.

The trojan is known as an Android implant because it cloaks itself inside a legitimate third-party app. People who are infected with it must first be tricked into obtaining the Android installation package (APK) from a non-authorized source, which in this case was this now-shuttered Dropbox location. Aside from that, victims may have little indication anything is amiss. To lend it legitimacy, the malicious APK was signed by a digital certificate that appeared to be related to Java and its original creator Sun Microsystems. Citizen Lab identified six other samples signed by the same certificate.

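The pivot that "six other samples signed by the same certificate" rests on, as an added example that is neither Citizen Lab's code nor part of the Ars article: a Python script that pulls the DER certificate(s) out of an APK's v1 JAR-signature file (META-INF/*.RSA, which is a PKCS#7 SignedData blob), fingerprints each with SHA-256 and clusters APKs by fingerprint. The three APKs it reads and the "certificates" inside them are placeholders the script constructs itself, not real samples or real X.509 certificates; the DER walker handles definite-length encoding only; and APKs signed with the later v2/v3 scheme keep the signer in the APK Signing Block rather than META-INF, which this does not read.

```python
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 pkcs7-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1 pkcs7-data
SEQ, SET, INT, OID, CTX0 = 0x30, 0x31, 0x02, 0x06, 0xA0


def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_walk(buf):
    """Yield (tag, body) for each consecutive definite-length DER TLV in buf."""
    off = 0
    while off < len(buf):
        tag, n = buf[off], buf[off + 1]
        off += 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[off:off + k], "big")
            off += k
        yield tag, buf[off:off + n]
        off += n


def signer_certs(pkcs7):
    """Return the DER certificates embedded in a PKCS#7 SignedData blob (a v1 META-INF/*.RSA file)."""
    _, content_info = next(der_walk(pkcs7))           # ContentInfo SEQUENCE
    fields = list(der_walk(content_info))
    if not fields or fields[0] != (OID, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 SignedData structure")
    _, signed_data = next(der_walk(fields[1][1]))      # [0] EXPLICIT SignedData SEQUENCE
    for tag, body in der_walk(signed_data):
        if tag == CTX0:                                # [0] IMPLICIT certificates SET OF Certificate
            return [der(SEQ, c) for t, c in der_walk(body) if t == SEQ]
    return []


def apk_signer_fingerprints(apk_path):
    """SHA-256 fingerprints of every certificate found in the APK's v1 signature block files."""
    fps = set()
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in signer_certs(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def cluster_by_signer(apk_paths):
    """Group APK file names that share a signing-certificate fingerprint."""
    clusters = defaultdict(list)
    for path in apk_paths:
        for fp in apk_signer_fingerprints(path):
            clusters[fp].append(os.path.basename(path))
    return dict(clusters)


def _placeholder_cert(serial):
    # Constructed stand-in for an X.509 Certificate SEQUENCE; only its bytes matter for clustering
    return der(SEQ, der(SEQ, der(INT, bytes([serial]))))


def _pkcs7_with_cert(cert):
    # Constructed PKCS#7 SignedData wrapper with empty digestAlgorithms and signerInfos
    signed = der(INT, b"\x01") + der(SET, b"") + der(SEQ, der(OID, OID_DATA)) + der(CTX0, cert) + der(SET, b"")
    return der(SEQ, der(OID, OID_SIGNED_DATA) + der(CTX0, der(SEQ, signed)))


def build_sample_apks(directory):
    """Write three constructed APKs: two signed with cert A, one with cert B. Returns their paths."""
    paths = []
    for name, serial in (("news_a.apk", 1), ("news_b.apk", 1), ("other.apk", 2)):
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("classes.dex", b"dex\n035\x00")                     # placeholder content
            z.writestr("META-INF/CERT.RSA", _pkcs7_with_cert(_placeholder_cert(serial)))
        paths.append(path)
    return paths


def demo():
    with tempfile.TemporaryDirectory() as d:
        return cluster_by_signer(build_sample_apks(d))


if __name__ == "__main__":
    for fp, apks in demo().items():
        print(fp[:16], apks)
```

Point cluster_by_signer() at a directory of real APKs and two files landing under one fingerprint means they were signed with the same key, regardless of package name or icon. The fingerprint is a pivot, not a verdict: a stolen or leaked signing key would place legitimate and malicious builds in the same cluster.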

Microsoft has finally fixed an Exchange Online outage that left affected users without access to email for almost nine hours on Tuesday, prompting many to vent their frustration online as they struggled to get their work done.
Dell plans to expand its storage lineup with a series of midsized SAN arrays and a portfolio of software-defined storage systems, furthering two prominent industry trends.
Typically the stuff of mystery, a real flying saucer could appear over the Hawaiian island of Kauai later this week, but it won't be coming from outer space. The rocket-powered, saucer-like craft is part of a NASA project that could aid missions to other planets.
GnuPG 'compress.c' Denial of Service Vulnerability
Microsoft has started to restore email flow to Exchange Online customers affected by an outage that has lasted more than six hours, affecting a big chunk of the U.S. workday on Tuesday.

I was poking around the usual online rags and found a piece on Threat Post. [1]  Mike Mimoso was highlighting the decline of the NTP DDoS hole found earlier in the year.  The ISC covered it in our diary a few months back.  

NTP Reflection Attack 
Ongoing NTP Amplification Attacks
NTP Reflection Attacks Continue

So, I went poking through the port data and noticed a good correlation to the Threat Post story.  The numbers indicate a sharp decrease in vulnerable systems for the NTP monlist issue.   I'd like to suggest that while pundits are citing slow progress for patching Heartbleed, in actuality the Heartbleed issue is responsible for the sudden change.  The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed.  This effort likely assisted in the NTP issue being patched along with it.  The following graph was taken from ISC data gathered here:


Feel free to share your thoughts on this one.

[1] http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-attacks/106835

The smartphone kill switch appears to be on its way to every handset sold in the U.S. So what's all the fuss about? Here's a look at the main points of the technology.
A facial recognition trade group's proposals for privacy standards are an "extreme" departure from U.S. expectations on how personal data should be handled, a privacy advocate said Tuesday.
Oracle's pending acquisition of retail and hospitality technology vendor Micros is its biggest since scooping up Sun Microsystems in 2010, which begs questions about why it's willing to pay so much.

A normal browsing session on Buzzfeed may include GIF-filled lists, quick news blurbs, and a zillion pop-culture quizzes, but what can the site do once it tells you which 30 Rock character you are? According to a British e-commerce specialist, the answer is quite a bit, as Buzzfeed users are coughing up a lot more personal information than they may realize.

In another reminder that everything you do on the Internet leaves a clicktrail, a post at Dan Barker's personal blog opened by picking through the default Buzzfeed browsing data sent to Google Analytics. That data included whether users have connected Facebook to Buzzfeed, how often they've shared Buzzfeed stories to social media, their gender and age (if those have been publicly disclosed), their location, and more.

All of that data was assigned to a "username" value, which Barker noted was the same across multiple browsers on the same PC. Barker analyzed the site's many quizzes, where he found that each quiz answer he chose (or didn't choose) was tracked alongside all of that other potentially personally identifiable information.


Microsoft's newest Android smartphone, the Nokia X2, relies on Opera as the pre-installed default browser. But Opera defaults to using Google's search engine, not Microsoft's own Bing.
As an industry, we have been looking at cloud-based technologies both from private and public structure and how best to optimize design, engineer and develop such technologies to better optimize the world of wireless and the Internet of Everything.
Gartner's annual Magic Quadrant is a sort of who's who of the cloud computing market. And while VMware made the company's most recent list, it didn't receive the highest of marks.
A growing backlash threatens to thwart the BYOD trend. The CIO of a large electrical contractor explains why his company will "never have a BYOD environment.'
Congress needs to do more to protect private data of U.S. citizens from government surveillance and the misuse of technology by companies, a top Microsoft executive said Tuesday.
Expected news around smartwatches, health systems and Android-connected devices at Google's I/O conference, which starts Wednesday, is sure to draw attention from consumers as the search giant tries to connect a wide range of home and personal devices.
Exchange Online went offline today, affecting businesses that had shifted to the off-premises email service. Microsoft confirmed the outage and said it's working on a fix.
Samsung's tablet lineup can feel a bit crowded, but the Galaxy Tab S 8.4 and 10.5 are among Samsung's best tablets yet.

Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

That's what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. "Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet."



Chris LaPoint on Infosec and Automation in Government IT
ExecutiveBiz (blog)
“We've had past discussions around the need for automation of infosec disciplines via continuous monitoring and I think this underscores that need,” LaPoint told Josh Davis on the DLT Solutions blog. According to the executive, one way for IT to evolve ...



HTCIA CISO Summit 2014 in Texas Tackles Issues Facing InfoSec Professionals
ROSEVILLE, Calif. /eNewsChannels/ — NEWS: The High Technology Crimes Investigation Association (HTCIA) will host its 2nd HTCIA CISO Summit on August 28, 2014 at the Hyatt Lost Pines Resort and Spa in Austin, Texas directly following the ...


InfoSec World 2015: Announces Date and Call for Papers
PR Newswire (press release)
The 2015 InfoSec World conference will return to Disney's Contemporary Resort in Orlando, FL from March 23-25, 2015. We are putting together a dynamic lineup of practitioners and experienced speakers that will cover sessions and workshops dedicated to ...

Following its success with Amazon Web Services, MongoDB's namesake database can now run on cloud services from Microsoft and Google.
Resume expert Cheryl Lynch-Simpson helps an early career project manager develop her personal brand in this month's CIO.com Resume Makeover.
DevOps is all about collaboration between operations teams and development teams. And the increase in collaboration should help enterprises to become more agile, eliminate waste, and automate, while also creating a more reliable infrastructure. It's about rapidly iterating, continuously improving, and being more competitive.
China is propping up its local chip manufacturing industry with new policies and financial support intended to turn the country into a semiconductor-making powerhouse by 2030.
Python JSON Module '_json.c' Local Information Disclosure Vulnerability
Developers have Wear smartwatches, a stable version of the Android Studio development environment and a lightweight programming language on their wish lists ahead of the Google I/O conference.
During April's Boston Marathon, police in Brookline, Mass., piloted a wireless system that let undercover police and supervisors use ordinary iPhones and Android devices to communicate with rugged Land Mobile Radios over LTE and other commercial cellular networks.
Unanimous decision won't shut down patent trolls, but it will curb worst abuses.
A malware threat previously used in attacks against energy sector companies is now being aimed at organizations that use or develop industrial applications and machines.
Many companies look to the public cloud to cut costs, overhead and time to deployment. However, businesses need to understand how dramatically a move to the cloud will affect a key constituency: The IT department.
Rackspace jclouds Insecure Temporary File Creation Vulnerability
Boolean algebra and CSS history theft
LinuxSecurity.com: Several security issues were fixed in PHP.
LinuxSecurity.com: USN-2232-1 introduced a regression in OpenSSL.
LinuxSecurity.com: LibreOffice would unconditionally execute certain VBA macros.
LinuxSecurity.com: Security Report Summary
Android KeyStore Stack Buffer Overflow (CVE-2014-3100)
Analyzing encrypted Web traffic can potentially reveal highly sensitive information such as medical conditions and sexual orientation, according to a research paper that forecasts how privacy on the Internet may erode.
Microsoft is continuing Nokia's Android experiment by adding a new smartphone to the Nokia X series. The next-generation model due in July will feature even more Microsoft software.
Microsoft may pitch its Surface Pro 3 as a notebook replacement, but to do-it-yourselfers, it's a tablet pure and simple, iFixit concluded today.
If you fancy yourself as a .guru or any other newfangled Internet address, Google wants you to try out its new domain name registration service.
Google's annual I/O conference kicks off tomorrow amid widespread expectations that a new version of the Android OS will be unveiled, along with discussions of smartwatches and, perhaps, security.
D-Link DIR-645 Multiple Buffer Overflow and Cross Site Scripting Vulnerabilities

Government News

Federal agencies miss mandatory infosec deadline: ANAO
Government News
At least seven major federal agencies and departments will miss a mandatory security compliance deadline to bolster defences against cyber attacks that is due come into effect on 1st July 2014, according to a new report from the Australian National ...

Google-owned Nest is letting its products get cozy with other devices and apps like health trackers, home appliances, even cars.

Posted by InfoSec News on Jun 24


By Violet Blue
Zero Day
June 23, 2014

Proving that no one learned from Snapchat's security and privacy
spectacle, people invested $1.2 million in an app that had essentially no

Despite the news it was hacked only days after its media fanfare, Yo still
isn't coming clean.

Last week free Android and iOS app "Yo"...

Posted by InfoSec News on Jun 24


By Lucian Constantin
IDG News Service
June 23, 2014

Despite a great start, the rate of patching OpenSSL servers against the
critical Heartbleed vulnerability has slowed down to almost a halt. Around
300,000 servers remain vulnerable and many of them are unlikely to get
patched anytime soon.

Over the past month only around...

Posted by InfoSec News on Jun 24


By Brian Krebs
Krebs on Security
June 23, 2014

An investigation into a string of credit card breaches at dozens of car
wash locations across the United States illustrates the challenges facing
local law enforcement as they seek to connect the dots between cybercrime
and local gang activity that increasingly cross multiple domestic and
international borders.


Posted by InfoSec News on Jun 24


By Aliya Sternstein
June 23, 2014

A defensewide system that simulates hacks is reliant on Lockheed Martin's
trade secrets and expertise, Pentagon officials said in a redacted
justification for awarding an $82.5 million to develop and manage the
so-called cyber range.

In May, officials said they were awarding Lockheed a...

Posted by InfoSec News on Jun 24


By Grant Hatchimonji
CSO Online
June 23, 2014

Physical perimeter security can differ from facility to facility, with
myriad factors playing into what exactly is implemented, including budget
and the assets that are being protected.

But what about geographical location and, subsequently, culture?

It's not one of the more obvious aspects that...