Oracle MySQL Server CVE-2013-3783 Remote Security Vulnerability
Symantec Web Gateway CVE-2013-1616 Remote Command Injection Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

One common and stupidly simple way hosts are compromised is weak SSH passwords. You would think people have learned by now, but evidently there are still enough systems with root passwords like 12345 around to make scanning for them a worthwhile exercise. As a result, one of my favorite honeypot tools is kippo, and we have talked about the tool before. I figured it is a good time again to write a quick update on some recent compromises.

The basic compromise tends to follow a basic pattern:

- user logs in as root
- looks around the system a bit (uname -a, cpuinfo and the like)
- sometimes performs a bandwidth test by downloading a large file, for example a Windows service pack.
- then installs some kind of rootkit/backdoor/bot
- sometimes adds a user to the system.

Here are some of the recent artifacts:

- a UID 0 user called "cvsroot" (this user CAN be found on normal systems, but not with a UID of 0)
- the usual "hidden" directory name of many spaces (e.g. cd /var/tmp; mkdir "    " )

Here are some of the domains I have seen used to download bots and other tools from:

bnry.jorgee.nu, anglefire.com/komales88, donjoan.go.ro

One particularly interesting attacker actually used a little trick to figure out if the system ran kippo, by installing a non-existing package. If the "apt-get" command is used, kippo will always simulate success, even if the package does not exist. So our enterprising hacker issued the following command:

apt-get install kippofuck

and of course kippo pretended to install this package. The attacker immediately disconnected.
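As an added example (not from the diary or the kippo project), a small Python detector that runs over constructed kippo-style session log lines and tags the artifacts described above: a whitespace-only directory name, a new UID 0 account, recon commands, and package installs (since kippo reports success for any name, an implausible package is the tell-tale of a honeypot probe). The log line layout and the sample IPs are constructed assumptions, not kippo's real format.

```python
import re
import shlex

# Constructed sample log, loosely modelled on kippo's text log (layout is an assumption).
SAMPLE_LOG = """\
2013-07-25 10:01:02+0000 [HoneyPotTransport,3,192.0.2.10] login attempt [root/12345] succeeded
2013-07-25 10:01:05+0000 [HoneyPotTransport,3,192.0.2.10] CMD: uname -a
2013-07-25 10:01:09+0000 [HoneyPotTransport,3,192.0.2.10] CMD: cat /proc/cpuinfo
2013-07-25 10:01:20+0000 [HoneyPotTransport,3,192.0.2.10] CMD: cd /var/tmp; mkdir "    "
2013-07-25 10:01:31+0000 [HoneyPotTransport,3,192.0.2.10] CMD: useradd -o -u 0 -g 0 cvsroot
2013-07-25 10:02:00+0000 [HoneyPotTransport,4,198.51.100.7] CMD: apt-get install kippofuck
"""
CMD_RE = re.compile(r"^(?P<ts>\S+ \S+) \[[^,]*,(?P<sid>\d+),(?P<ip>[^\]]+)\] CMD: (?P<cmd>.*)$")


def classify(cmd):
    """Return indicator tags for one shell command line, in the order found."""
    tags = []
    # Split on ';' so chained commands are inspected piecewise.
    for part in cmd.split(";"):
        try:
            argv = shlex.split(part)
        except ValueError:          # unbalanced quotes: fall back to a naive split
            argv = part.split()
        if not argv:
            continue
        prog = argv[0]
        # Directory names made only of whitespace: the "hidden" dir trick.
        if prog == "mkdir" and any(a.strip() == "" for a in argv[1:]):
            tags.append("whitespace_dirname")
        # A new account forced to UID 0, e.g. the "cvsroot" artifact.
        if prog in ("useradd", "adduser") and "-u" in argv[:-1]:
            if argv[argv.index("-u") + 1] == "0":
                tags.append("uid0_user")
        # kippo "succeeds" for any package name, so record installs for review.
        if prog == "apt-get" and len(argv) >= 3 and argv[1] == "install":
            tags.append("pkg_install:" + argv[2])
        if prog == "uname" or (prog == "cat" and "/proc/cpuinfo" in argv):
            tags.append("recon")
    return tags


def scan(log_text):
    """Map each session id to the indicator tags seen in its commands."""
    findings = {}
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if m:
            for tag in classify(m.group("cmd")):
                findings.setdefault(m.group("sid"), []).append(tag)
    return findings
```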

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


We are always trying to tweak the ISC website a bit to make it more useful. This week, we moved live a couple new features and are looking for feedback. Note that these features do require you to log in to take advantage of them.

- Our news page got reorganized again. I am not sure if we got it "right" yet, but I think it is now more usable. The goal is to allow users to "rank" news to make the feed overall more relevant. Once you are logged in, you will see a "+1" button to add your weight to an article.

- We made the diary comments a bit more interactive by integrating them with a forum to allow for threaded discussions / quotes and the like. There are now also some generic security categories for other discussions and a section to comment on current news.

For any feedback, please use the comment form.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Civil rights advocates view Wednesday's narrow defeat of a bill to curtail funds for the National Security Agency's domestic spy program as a sign of the growing opposition within Congress.
The National Oceanic and Atmospheric Administration Thursday switched on two new supercomputers that are expected to improve weather forecasting.
Think software-defined networking will change the industry? You're thinking way too small, according to Cisco CEO John Chambers. In Cisco's strategy, SDN is just a single element in a holistic architecture that brings intelligence, programmability and application awareness to every facet of your infrastructure and spans the data center to the cloud. In this installment of the IDG Enterprise CEO Interview Series, Chambers spoke with Chief Content Officer John Gallant about the power of Cisco's Unified Framework and how delivering on that vision could make Cisco the number one IT company overall. No small ambition there.
Cray is building a supercomputer for the University of Edinburgh in Scotland that will deliver petaflops of performance, which could put it on a future list of top supercomputers.
Indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a security Achilles heel for IT operations.
Chinese TV maker TCL has announced the first 50-in. 4K HDTV for under $1,000 that is expected to be released this fall in the U.S.
Oracle is continuing to crack down on companies it claims are providing support services for its products in an illegal fashion.

Five Eastern European men have been charged with operating a global hacking operation that infiltrated some of the world's biggest financial institutions, pilfered data for more than 160 million credit cards, and created hundreds of millions of dollars in losses.

The case, brought by US attorneys in Manhattan and New Jersey, is the largest hacking scheme ever prosecuted in the US, Department of Justice officials said. From 2005 to 2012, the four Russian nationals and a Ukrainian penetrated the private networks of the Nasdaq stock exchange, Citibank, PNC Bank, Heartland Payment Systems, 7-Eleven, JCPenney, Hannaford Brothers, and others, prosecutors alleged in indictments unsealed Thursday morning. The hacking gang traded text strings that exploited SQL-injection vulnerabilities in the victim companies' websites to obtain login credentials and other sensitive data, then installed malware that gave them persistent backdoor access to the networks.

"NASDAQ is owned," Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, allegedly reported in a January 2008 instant message after finally obtaining administrative access to the stock exchange's network. Like a rock climber slowly scaling a craggy cliff, he spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, "30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories." "PWS" and "dbs" are presumed to be shorthand for passwords and databases respectively.




A man who has won about $1.5 million in poker tournaments has been arrested and charged with running an operation that combined spam, Android malware, and a fake dating website to scam victims out of $3.9 million, according to Symantec.

Symantec worked with investigators from the Chiba Prefectural Police in Japan, who earlier this week "arrested nine individuals for distributing spam that included e-mails with links to download Android.Enesoluty—a malware used to collect contact details stored on the owner’s device," Symantec wrote in its blog.

Android.Enesoluty is a Trojan distributed as an Android application file. It steals information and sends it to computers run by hackers. It was discovered by security researchers in September 2012.



SanDisk this week released its first wireless external flash drives, offering mobile device users up to 64GB of capacity for streaming movies or storing photos. But only one of the two drives is a clear winner.
Google's new stream-to-TV Chromecast threatens rival Apple's efforts to gain a foothold in the living room, analysts said Wednesday.

How technical monitoring can help defend against insider threats
For more information regarding insider threats and network security, check out the CCNA security course offered by the InfoSec Institute. Remember that every employee has the ability to be an insider threat. The most impactful threats are caused by ...

Microsoft today released a preview of Internet Explorer 11 for Windows 7, making good on a June promise to add Windows' most popular edition to the browser's run list.
Five men from Russia and Ukraine have been indicted in New Jersey for charges they conspired with each other in a worldwide hacking scheme targeting major corporate networks that compromised more than 160 credit card numbers, the U.S. Department of Justice announced.

Closing Arguments in Bradley Manning's Trial (Live Updates)
Major Fein: The government must hold Manning “accountable for exact training he gave others on this subject matter” (Manning produced presentation on infosec). Fein continued: Manning was a “trained analyst who understood how to assess the enemy and ...

E-book publisher, Penguin has agreed to terminate its agency agreement with Apple and to allow Amazon to set its own prices for e-books in settlement of a European Union antitrust case.
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology is inviting industry to help address two information technology challenges faced by the energy sector. The center would like ...
One by one, Apple's systems will be restored.

A week after its developer site was accessed by an "intruder," Apple has posted another update about its ongoing process to secure the systems and get them back online. While most of the systems remain down, the update specifies the order in which the services will be resuscitated.

"We plan to roll out our updated systems, starting with Certificates, Identifiers & Profiles, Apple Developer Forums, Bug Reporter, pre-release developer libraries, and videos first," said the update. "Next, we will restore software downloads so that the latest betas of iOS 7, Xcode 5, and OS X Mavericks will once again be available to program members. We’ll then bring the remaining systems online."

Developers interested in tracking Apple's progress can also visit a new system status page, which will be updated as the affected services are brought back up. As of this writing, only two systems—iTunes Connect and the Apple Bug Reporter system—are reportedly up, but the others should follow in the coming days.



PayPal is opening up its bug bounty program to individuals aged 14 and older, a move intended to reward younger researchers who are technically ineligible to hold full-fledged PayPal accounts.
Google Analytics lets organizations of all shapes and sizes measure the performance of their websites. There's a lot of data in there--and even more that you can do with that data once you've extracted it. These tips will help you get started with Google Analytics.
Smartphone and tablet chip vendor MediaTek has unveiled an octo-core processor it says can run all eight cores simultaneously when active.

Infosec marks cybersecurity month once again
Pysn Pueblo y Sociedad Noticias
Over the week, between 7 and 11 October, the initiatives integrated into INFOSEC week will take place. On 7 and 11 October there will be a series of related talks to attend. From Monday to Friday a series of workshops will also take place ...

Sharp makes multi-hued HD displays for iPhones and TVs, but it has had unexpected success at home with a simple, monochrome device it calls a "digital notepad," a small tablet with a lined screen and stylus for easily scribbling handwritten notes.
Amazon Web Services filed a complaint in federal court after the Government Accountability Office sustained in part a protest by IBM against the award of a contract by the CIA for a cloud computing project.
Instagram users fretting about ads clogging up their image feed can breathe easy, at least for now. Facebook said Wednesday it has no immediate plans to put ads in its photo-sharing app -- though make no mistake, they are coming eventually.

Infosec marks cybersecurity month once again
The third edition of InfoSec Day takes place at Universidade Lusófona in Lisbon. Registration to attend the talks that make up the event is already open, as is registration for the ModSecurity training, which takes place on 7 and 8 October ...

In the downtown of the nation's capital there is a magnificent building of steel and glass that is now home to what may be a remarkable tech experiment.
The U.S. Army wants to move from using robots as tools to creating a human-robot cooperative that will make machines trusted members of the military.
Cisco Video Surveillance Manager CVE-2013-3430 Remote Authentication Bypass Vulnerability
Cisco Video Surveillance Manager CVE-2013-3431 Remote Authentication Bypass Vulnerability
[security bulletin] HPSBGN02905 rev.1 - HP LoadRunner, Remote Code Execution and Denial of Service (DoS)
[security bulletin] HPSBGN02906 rev.1 - HP Application Lifecycle Management Quality Center (ALM), Remote Cross Site Scripting (XSS)
iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability
Basic Forum by JM LLC - Multiple Vulnerabilities
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video Surveillance Manager
Easy Blog by JM LLC - Multiple Vulnerabilities

Posted by InfoSec News on Jul 25


By David Shamah
The Times of Israel
July 25, 2013

Every single network protection system, even the most sophisticated, has
chinks in its armor. The proof, said Comsec CEO Moshe Ishai, is that his
company’s new security stress testing system, the Comsimulator, was
successful in breaching the defenses of 100 percent of systems tested for
resistance to DDOS...

Posted by InfoSec News on Jul 25


By Dan Goodin
Ars Technica
July 24, 2013

The upcoming version of Google's Android operating system offers several
enhancements designed to strengthen handset security, particularly in
businesses and other large organizations. Ars will be giving the
just-unveiled version 4.3 a thorough review in the coming days. In the...

Posted by InfoSec News on Jul 25


By Bill Gertz
Washington Free Beacon
July 24, 2013

Renegade National Security Agency contractor Edward Snowden has applied to join
a group of former Russian intelligence and security officials, according to the
group's director.

Participation in a union of former KGB security, intelligence, and police
officials, would likely change Snowden’s status from that of...