Hackin9
Cybercriminals are increasingly using the "Blackshades" malware program whose source code was leaked three years ago, according to an analysis by Symantec.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
BlackBerry's chief operating, marketing and financial officers are leaving as recently appointed CEO John Chen makes his mark on the struggling mobile vendor.
 
Salesforce.com has come under fire from critics who say the 'hackathon' it held at last week's Dreamforce conference was judged unfairly, and CEO Marc Benioff is now promising a thorough investigation.
 
Problems that put the Mars rover Curiosity out of commission for six days have been fixed so the vehicle, and its robotic arm, are now back at work.
 
yaSSL CVE-2013-1492 Remote Buffer Overflow Vulnerability
 
Trek Bicycle has turned to high performance computers to help develop new bicycles, and the effort is seeing results.
 
Researchers say they have built a flying robot that mimics the movements of a swimming jellyfish.
 
ManageEngine DesktopCentral AgentLogUploadServlet Arbitrary File Upload Vulnerability
 
Zabbix 'cnf' Parameter Authentication Bypass Vulnerability
 
Zabbix CVE-2013-5572 Information Disclosure Vulnerability
 

Thanks to an alert reader for sending us a few odd packets with "port 0" traffic. In this case, we got full packet captures, and the packets just don't make sense.

The TTL of the packet changes with source IP address, making spoofing less likely. The TCP headers overall don't make much sense. There are packets with a TCP header length of 0, or packets with odd flag combinations. This could be an attempt to fingerprint, but even compared to nmap, this is very noisy. The packets arrive rather slowly, far from DDoS levels.

Here are a couple of samples (I anonymised the target IP). Any hints as to what could cause this are welcome.

IP truncated-ip - 4 bytes missing! (tos 0x0, ttl 52, id 766, offset 0, flags [DF], proto TCP (6), length 88)
    94.102.63.55.0 > 10.10.10.10.0:  tcp 68 [bad hdr length 0 - too short, < 20]

0x0000:  4500 0058 02fe 4000 3406 91f1 5e66 3f37
0x0010:  0a0a 0a0a 0000 0000 55c3 7203 0000 0000
0x0020:  0c00 0050 418b 0000 6e82 ef01 0000 0000
0x0030:  25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
0x0040:  0204 0f2c 0402 080a 0005 272d 0005 272d
0x0050:  0103 0300

IP truncated-ip - 4 bytes missing! (tos 0x10, ttl 47, id 28629, offset 0, flags [DF], proto TCP (6), length 60)
    46.137.48.107.0 > 10.10.10.10.0: Flags [P.UW] [bad hdr length 56 - too long, > 40]
0x0000:  4510 003c 6fd5 4000 2f06 68cf 2e89 306b
0x0010:  0a0a 0a0a 0000 0000 51a9 89b8 0000 0000
0x0020:  e6b8 0050 b315 0000 ec67 0d66 0000 0000
0x0030:  0000 0000 0000 0000

IP truncated-ip - 4 bytes missing! (tos 0x80, ttl 51, id 45284, offset 0, flags [DF], proto TCP (6), length 60)
    186.202.179.99.0 > 10.10.10.10.0: Flags [SUW], seq 1603085765, win 27016, urg 0, options [[bad opt]

0x0000:  4580 003c b0e4 4000 3306 1416 baca b363
0x0010:  0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
0x0020:  aba2 6988 23fa 0000 f271 af2a 0000 0000
0x0030:  0000 0000 0000 0000
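As an added example (not part of the diary or of any ISC tooling), the Python below decodes the three hex dumps above, verifies each IP header checksum, and reports the same anomalies tcpdump flagged: source and destination port 0, a TCP data offset of 0 or larger than the segment, and SYN combined with URG. The packet bytes are copied from the dumps; the decoder and its anomaly rules are mine.

```python
import struct

# Packet bytes copied from the three hex dumps above (the diary anonymised the target as 10.10.10.10).
SAMPLES = {
    "94.102.63.55": bytes.fromhex(
        "4500 0058 02fe 4000 3406 91f1 5e66 3f37 0a0a 0a0a 0000 0000 55c3 7203 0000 0000"
        "0c00 0050 418b 0000 6e82 ef01 0000 0000 25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000"
        "0204 0f2c 0402 080a 0005 272d 0005 272d 0103 0300"),
    "46.137.48.107": bytes.fromhex(
        "4510 003c 6fd5 4000 2f06 68cf 2e89 306b 0a0a 0a0a 0000 0000 51a9 89b8 0000 0000"
        "e6b8 0050 b315 0000 ec67 0d66 0000 0000 0000 0000 0000 0000"),
    "186.202.179.99": bytes.fromhex(
        "4580 003c b0e4 4000 3306 1416 baca b363 0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000"
        "aba2 6988 23fa 0000 f271 af2a 0000 0000 0000 0000 0000 0000"),
}
TCP_FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means the header verifies."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(pkt: bytes) -> dict:
    """Parse the IPv4 and TCP headers and list the anomalies tcpdump complained about."""
    ver_ihl, _tos, ip_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _ack, off, fl, win = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    hdr_len = (off >> 4) * 4            # TCP data offset in bytes; a sane header is 20..60
    seg_len = ip_len - ihl              # TCP segment length promised by the IP total length
    flags = [name for bit, name in TCP_FLAGS if fl & bit]
    anomalies = []
    if sport == 0 or dport == 0:
        anomalies.append("port 0")
    if hdr_len < 20:
        anomalies.append(f"bad hdr length {hdr_len} - too short, < 20")
    elif hdr_len > seg_len:
        anomalies.append(f"bad hdr length {hdr_len} - too long, > {seg_len}")
    if "SYN" in flags and any(f in flags for f in ("URG", "PSH", "FIN", "RST")):
        anomalies.append("odd flag combination " + "/".join(flags))
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "proto": proto, "truncated_by": ip_len - len(pkt),     # tcpdump's "4 bytes missing"
            "ip_csum_ok": ip_checksum(pkt[:ihl]) == 0, "sport": sport, "dport": dport,
            "seq": seq, "win": win, "tcp_hdr_len": hdr_len, "flags": flags, "anomalies": anomalies}

for label, pkt in SAMPLES.items():
    print(label, decode(pkt))
```

All three IP header checksums verify, so the broken TCP headers are not transit corruption; whatever sent them built them that way, which is the detail worth keeping in a detection rule for port-0 traffic.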

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
Rumors aside, Microsoft's board of directors has done a good job of keeping the lid on its search for a CEO to replace Steve Ballmer, a public relations expert said.
 
The automobile security company Lojack plans new products for parents, insurance companies and auto dealers to track vehicle location, use and reliability.
 
Controversial quantum device maker D-Wave is hoping to find a home for its cutting-edge technology in the high-performance computing (HPC) market.
 
 
Nanosystems

Fraudsters who use remote desktop support programs while scamming their victims have made it difficult for at least one legitimate IT company to convince users that it's not trying to steal their money.

As we've written on numerous occasions, scammers have made an estimated tens of millions of dollars by tricking computer users into thinking their PCs are infected. The scammers cold call people, tell them that harmless error messages in the Windows Event Viewer are actually signs of a major problem, and then convince them to install a remote desktop program that gives the scammer access to their computer. The scammers pretend to fix the computer and charge its owner for the unnecessary and imaginary service. The same tricks can be used to steal users' passwords and private information.

Commonly used remote desktop programs include TeamViewer and LogMeIn, the latter of which posts a warning telling customers to beware of "malicious third parties posing as LogMeIn."


Engineers at content delivery network CloudFlare have released open source encryption software that's designed to prevent rogue employees from accessing sensitive information by decrypting data only when two or more people provide keys.

The open source software combines known cryptographic protections with the so-called "two-man rule," which militaries have relied on for decades to prevent the accidental or unauthorized launching of nuclear weapons. Just as armaments of mass destruction can be unleashed only when two authorized service members turn their unique keys at the same time, the data encrypted by the CloudFlare tool can be unlocked only when two or more employees provide passwords that briefly unlock their private cryptographic keys. The software has been dubbed "Red October," a nod to a key scene in the Tom Clancy novel and movie The Hunt for Red October.

The aim of Red October is to fuse trusted cryptographic algorithms with a front-end programming interface that makes them work only when keys possessed by multiple people are presented. It assigns each user a randomly generated 2048-bit RSA key pair. Each user's private key is then encrypted using a separate key based on the 128-bit AES algorithm and a user-chosen password that is cryptographically salted and then stored as a cryptographic hash using the scrypt key derivation function.

389 Directory Server CVE-2013-4485 Denial of Service Vulnerability
 
Fcron 'fcrontab' Symbolic Link Arbitrary File Access Vulnerabilities
 
OpenStack Ceilometer CVE-2013-6384 Local Information Disclosure Vulnerability
 
Nokia Solutions and Networks (NSN) and Korean operator SK Telecom have demonstrated the potential for virtualizing the core of a mobile network, which will make it easier for operators to roll out new services.
 
Twitter experts, marketing pros and business leaders share their top tips on how to turn 140 characters into online marketing gold.
 
Linux Kernel CVE-2013-4563 Remote Denial of Service Vulnerability
 
LinuxSecurity.com: Updated perl-HTTP-Body package fixes security vulnerability: Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the [More...]
 
LinuxSecurity.com: Updated nginx package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might [More...]
 
Moodle Spellcheck Remote Command Execution Vulnerability
 
YUI 'uploader.swf' Cross Site Scripting Vulnerability
 
Western Digital has unveiled its WD Black Dual Drive, which allows users to access either a 120GB SSD for performance or a 1TB hard drive for archiving massive amounts of data.
 
The National Security Agency reportedly hacked into more than 50,000 computer networks around the world as part of its global intelligence gathering efforts, and also taps into large fiber-optic cables that transport Internet traffic between continents at 20 different major points.
 
Samsung Electronics has upgraded its large-screen smartphone, the Galaxy Grand, with a quad-core processor and an even bigger, HD screen.
 
Bitcoin scored several big wins this week, including endorsements from federal officials and Virgin Group founder Richard Branson, signaling its progress toward wider acceptance.
 
Twitter has implemented new security measures that should make it much more difficult for anyone to eavesdrop on communications between its servers and users, and is calling on other Internet companies to follow its lead.
 
Here are two new devices that can help improve audio quality for voice calls, whether you're in the office or out on the road.
 
Apple has acquired PrimeSense, a developer of 3-D sensors that allow devices to respond to the environment in three dimensions.
 
Microsoft says the launch of the Xbox One on Friday has been the most successful yet for its Xbox gaming console family.
 
Not happy with the Google Analytics interface? We show you how to use a programming language like R to bypass Google Analytics and retrieve the data you want.
 
Sybase Adaptive Server Enterprise (ASE) Multiple Security Vulnerabilities
 
SAP NetWeaver 'SRTT_GET_COUNT_BEFORE_KEY_RFC()' Function SQL Injection Vulnerability
 
CPAN HTTP::Body::MultiPart Module CVE-2013-4407 Remote Command Injection Vulnerability
 
Pacemaker CVE-2013-0281 Remote Denial of Service Vulnerability
 
Augeas Multiple Insecure Temporary File Creation Vulnerabilities
 
OpenStack Dashboard (Horizon) Instance Name HTML Injection Vulnerability
 
[ MDVSA-2013:279 ] wireshark
 
[ MDVSA-2013:280 ] memcached
 
[ MDVSA-2013:281 ] nginx
 
Defense in depth -- the Microsoft way (part 14): incomplete, misleading and dangerous documentation
 

Posted by InfoSec News on Nov 25

https://medium.com/quinn-norton/654abf6aeff7

By Quinn Norton
Medium.com
November 22, 2013

Jeremy Hammond, Sabu, and the Intelligence-Industrial Complex

First, an introduction: I write about hackers, and for the past few years
that has meant I write about Anonymous. At the time of the Stratfor hack I
was working for Wired covering Anonymous — notably the antics of Antisec
anons much of the time. I had missed the Lulzsec period, which I...
 

Posted by InfoSec News on Nov 25

http://online.wsj.com/news/articles/SB20001424052702304607104579214673029584730

By SIOBHAN GORMAN
The Wall Street Journal
Nov. 25, 2013

WASHINGTON -- Shortly after former government contractor Edward Snowden
revealed himself in June as the source of leaked National Security Agency
documents, the agency's director, Gen. Keith Alexander, offered to resign,
according to a senior U.S. official.

The offer, which hasn't previously been...
 

Posted by InfoSec News on Nov 25

http://www.timesargus.com/article/20131123/NEWS03/709239846

November 23, 2013

MONTPELIER -- Officials overseeing the Vermont Health Connect website
confirmed Friday there was a security breach on the system last month in
which one user got improper access to another user’s Social Security
number and other data.

A report from state to federal officials overseeing the health insurance
exchanges set up under the Affordable Care Act said a...
 

Posted by InfoSec News on Nov 25

http://www.independent.co.uk/news/obituaries/obituary-mavis-batey-8960761.html

By MARTIN CHILDS
independent.co.uk
24 November 2013

Mavis Batey was a garden historian and conservationist, but unknown to
many until recently, was also one of the leading female Bletchley Park
codebreakers whose skills in decoding the German Enigma ciphers proved
decisive at various points of the war. On the outbreak of war she broke
off her German studies to...
 

Posted by InfoSec News on Nov 25

http://arstechnica.com/information-technology/2013/11/presidents-tech-council-plays-sad-trombone-for-federal-cyber-security/

By Sean Gallagher
Ars Technica
Nov 22 2013

The President's Council of Advisors on Science and Technology (PCAST)
released a report on the state of the nation's cybersecurity today. The
report's first finding: the US government is terrible at cybersecurity.

"The Federal Government rarely follows...
 