Information Security News
Thanks to an alert reader for sending us a few odd packets with "port 0" traffic. In this case, we got full packet captures, and the packets just don't make sense.
The TTL of the packets changes with the source IP address, which makes spoofing less likely. The TCP headers overall don't make much sense: there are packets with a TCP header length of 0, and packets with odd flag combinations. This could be an attempt at fingerprinting, but even compared to nmap it is very noisy. The packets arrive rather slowly, far from DDoS levels.
Here are a couple of samples (I anonymised the target IP). Any hints as to what could cause this are welcome.
IP truncated-ip - 4 bytes missing! (tos 0x0, ttl 52, id 766, offset 0, flags [DF], proto TCP (6), length 88) 94.102.63.55.0 > 10.10.10.10.0: tcp 68 [bad hdr length 0 - too short, < 20]
        0x0000:  4500 0058 02fe 4000 3406 91f1 5e66 3f37
        0x0010:  0a0a 0a0a 0000 0000 55c3 7203 0000 0000
        0x0020:  0c00 0050 418b 0000 6e82 ef01 0000 0000
        0x0030:  25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
        0x0040:  0204 0f2c 0402 080a 0005 272d 0005 272d
        0x0050:  0103 0300

IP truncated-ip - 4 bytes missing! (tos 0x10, ttl 47, id 28629, offset 0, flags [DF], proto TCP (6), length 60) 46.137.48.107.0 > 10.10.10.10.0: Flags [P.UW] [bad hdr length 56 - too long, > 40]
        0x0000:  4510 003c 6fd5 4000 2f06 68cf 2e89 306b
        0x0010:  0a0a 0a0a 0000 0000 51a9 89b8 0000 0000
        0x0020:  e6b8 0050 b315 0000 ec67 0d66 0000 0000
        0x0030:  0000 0000 0000 0000

IP truncated-ip - 4 bytes missing! (tos 0x80, ttl 51, id 45284, offset 0, flags [DF], proto TCP (6), length 60) 186.202.179.99.0 > 10.10.10.10.0: Flags [SUW], seq 1603085765, win 27016, urg 0, options [[bad opt]
        0x0000:  4580 003c b0e4 4000 3306 1416 baca b363
        0x0010:  0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
        0x0020:  aba2 6988 23fa 0000 f271 af2a 0000 0000
        0x0030:  0000 0000 0000 0000
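To check tcpdump's complaints against the raw bytes, here is an added example (not part of the diary) that decodes the three hex dumps above with only the Python standard library and reports what is wrong with each header: port 0 on both ends, a TCP header length of 0 or one longer than the segment the IP header allows for, and a first option whose length byte runs past the header (tcpdump's "[bad opt]"). The checks that go beyond tcpdump's (non-zero reserved bits in the data-offset byte, URG with a zero urgent pointer, SYN mixed with URG) are my additions; source addresses are read from the hex bytes themselves.

```python
"""Decode the three captured frames above and flag the TCP header anomalies.

Added example, standard library only. SAMPLES holds the hex dumps quoted in
the diary; the target address in them is the diary's anonymised 10.10.10.10.
"""
import re
import struct

# TCP flag bits in the order tcpdump prints them, e.g. "[P.UW]" = PSH, ACK, URG, CWR.
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

SAMPLES = {
    "pkt1": """0x0000: 4500 0058 02fe 4000 3406 91f1 5e66 3f37
               0x0010: 0a0a 0a0a 0000 0000 55c3 7203 0000 0000
               0x0020: 0c00 0050 418b 0000 6e82 ef01 0000 0000
               0x0030: 25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
               0x0040: 0204 0f2c 0402 080a 0005 272d 0005 272d
               0x0050: 0103 0300""",
    "pkt2": """0x0000: 4510 003c 6fd5 4000 2f06 68cf 2e89 306b
               0x0010: 0a0a 0a0a 0000 0000 51a9 89b8 0000 0000
               0x0020: e6b8 0050 b315 0000 ec67 0d66 0000 0000
               0x0030: 0000 0000 0000 0000""",
    "pkt3": """0x0000: 4580 003c b0e4 4000 3306 1416 baca b363
               0x0010: 0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
               0x0020: aba2 6988 23fa 0000 f271 af2a 0000 0000
               0x0030: 0000 0000 0000 0000""",
}


def hexdump_to_bytes(dump):
    """Drop the '0xNNNN:' offsets of tcpdump -x output and return the raw bytes."""
    return bytes.fromhex("".join(re.sub(r"0x[0-9a-fA-F]{4}:", "", dump).split()))


def flag_string(bits):
    """Render the flags byte the way tcpdump does (empty string when nothing is set)."""
    return "".join(letter for bit, letter in TCP_FLAGS if bits & bit)


def parse_options(opts, declared_len):
    """Walk the TCP options; return (option kinds seen, error or None)."""
    kinds, i = [], 0
    while i < declared_len:
        if i >= len(opts):
            return kinds, "options cut off by the capture"
        kind = opts[i]
        if kind in (0, 1):                      # EOL and NOP have no length byte
            kinds.append(kind)
            if kind == 0:
                break
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > declared_len:
            return kinds, "bad opt (kind %d)" % kind   # tcpdump's "[bad opt]"
        kinds.append(kind)
        i += opts[i + 1]
    return kinds, None


def decode(raw):
    """Parse the IPv4 and TCP headers of one frame and list everything odd about them."""
    findings = []
    (ver_ihl, tos, total_len, ident, _frag, ttl, proto,
     _ipcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError("not TCP (proto %d)" % proto)
    ihl = (ver_ihl & 0x0F) * 4
    if len(raw) < total_len:                    # tcpdump: "truncated-ip - N bytes missing!"
        findings.append("truncated-ip: %d bytes missing" % (total_len - len(raw)))
    seg, seg_len = raw[ihl:], total_len - ihl   # seg_len: TCP bytes the IP header claims
    if len(seg) < 20:
        raise ValueError("TCP header cut off by the capture")
    (sport, dport, seq, ack, off_res, flags,
     win, _tcpcsum, urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    hdr_len = (off_res >> 4) * 4                # data offset is in 32-bit words
    if sport == 0 or dport == 0:
        findings.append("port 0 (sport %d, dport %d)" % (sport, dport))
    if hdr_len < 20:
        findings.append("bad hdr length %d - too short, < 20" % hdr_len)
    elif hdr_len > seg_len:
        findings.append("bad hdr length %d - too long, > %d" % (hdr_len, seg_len))
    else:
        _kinds, err = parse_options(seg[20:hdr_len], hdr_len - 20)
        if err:
            findings.append(err)
    if off_res & 0x0F:                          # reserved bits must be zero
        findings.append("reserved bits set (0x%x)" % (off_res & 0x0F))
    if flags & 0x20 and urg == 0:               # URG without an urgent pointer
        findings.append("URG set with urgent pointer 0")
    if flags & 0x02 and flags & (0x01 | 0x04 | 0x08 | 0x20):
        findings.append("SYN combined with FIN/RST/PSH/URG")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "tos": tos, "ttl": ttl, "id": ident, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flag_string(flags), "hdr_len": hdr_len,
            "win": win, "urg": urg, "findings": findings}


def decode_all(samples=SAMPLES):
    """Decode every sample; returns {name: decoded header dict}."""
    return {name: decode(hexdump_to_bytes(dump)) for name, dump in samples.items()}


if __name__ == "__main__":
    for name, p in decode_all().items():
        print("%s: %s.%d > %s.%d ttl %d flags [%s] hdr_len %d win %d"
              % (name, p["src"], p["sport"], p["dst"], p["dport"],
                 p["ttl"], p["flags"], p["hdr_len"], p["win"]))
        for finding in p["findings"]:
            print("    -", finding)
```

Running it reproduces tcpdump's summary for each sample (flags [P.UW] and [SUW], seq 1603085765, win 27016, the two bad header lengths and the bad option) and shows that all three frames also carry non-zero reserved bits, so whatever emits them is not a normal TCP stack. The same decode() can be pointed at any tcpdump -x dump of a port 0 packet you collect.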
Fraudsters who use remote desktop support programs while scamming their victims have made it difficult for at least one legitimate IT company to convince users that it's not trying to steal their money.
As we've written on numerous occasions, scammers have made an estimated tens of millions of dollars by tricking computer users into thinking their PCs are infected. The scammers cold call people, tell them that harmless error messages in the Windows Event Viewer are actually signs of a major problem, and then convince them to install a remote desktop program that gives the scammer access to their computer. The scammers pretend to fix the computer and charge its owner for the unnecessary and imaginary service. The same tricks can be used to steal users' passwords and private information.
Commonly used remote desktop programs include TeamViewer and LogMeIn, the latter of which posts a warning telling customers to beware of "malicious third parties posing as LogMeIn."
Engineers at content delivery network CloudFlare have released open source encryption software that's designed to prevent rogue employees from accessing sensitive information by decrypting data only when two or more people provide keys.
The open source software combines known cryptographic protections with the so-called "two-man rule," which militaries have relied on for decades to prevent the accidental or unauthorized launching of nuclear weapons. Just as armaments of mass destruction can be unleashed only when two authorized service members turn their unique keys at the same time, the data encrypted by the CloudFlare tool can be unlocked only when two or more employees provide passwords that briefly unlock their private cryptographic keys. The software has been dubbed "Red October," a nod to a key scene in the Tom Clancy novel and movie The Hunt for Red October.
The aim of Red October is to fuse trusted cryptographic algorithms with a front-end programming interface that makes them work only when keys possessed by multiple people are presented. It assigns each user a randomly generated 2048-bit RSA key pair. Each user's private key is then encrypted with 128-bit AES under a key derived from a user-chosen password, which is cryptographically salted and run through the scrypt key derivation function.
Posted by InfoSec News on Nov 25: https://medium.com/quinn-norton/654abf6aeff7
Posted by InfoSec News on Nov 25: http://online.wsj.com/news/articles/SB20001424052702304607104579214673029584730
Posted by InfoSec News on Nov 25: http://www.timesargus.com/article/20131123/NEWS03/709239846
Posted by InfoSec News on Nov 25: http://www.independent.co.uk/news/obituaries/obituary-mavis-batey-8960761.html
Posted by InfoSec News on Nov 25: http://arstechnica.com/information-technology/2013/11/presidents-tech-council-plays-sad-trombone-for-federal-cyber-security/