Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

On Tuesday the Canadian Broadcasting Corporation reported that it had “inadvertently” received 18 pages of “detailed tax information” pertaining to hundreds of primarily rich and famous Canadians.

The records were from a Canada Revenue Agency spreadsheet spanning from 2008 to 2013, and they included home addresses and information about tax credits granted for charitable donations.

According to the CBC, which says it is withholding some information for privacy purposes, tax details were found for prominent Canadians such as “author Margaret Atwood, former prime minister Jean Chrétien, grocery magnate Frank Sobey, cartoonist Lynn Johnston, pollster Allan Gregg, financier Stephen Bronfman, former CBC executive Richard Stursberg, Olympics chief Richard Pound, and many others.”


 

Adobe has released an out-of-band security update for Adobe Flash Player. This is an additional update for CVE-2014-8439. Everyone should either update or double-check that Flash is not installed or cannot be invoked via Internet web sites.

Adrien de Beaupré, Intru-shun.ca Inc.

 

Following the vulnerabilities discovered in tools that many Linux and information security enthusiasts use, such as the strings command and the bash shell, a new series of issues has been discovered in the less command. Less is used to paginate output and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: less myfile.txt and xxd mybinfile | less

Adrien de Beaupré, Intru-shun.ca Inc.

 
Slider Revolution/Showbiz Pro shell upload exploit
 
[security bulletin] HPSBST03148 rev.1 - HP StoreOnce Gen 2 Backup Systems running Bash Shell, Remote Code Execution
 
[security bulletin] HPSBMU03214 rev.1 - HP Systinet running SSLv3, Remote Disclosure of Information
 
Direct Web Remoting CVE-2014-5325 XML External Entity Injection Vulnerability
 
Squid CVE-2014-7142 Unspecified Security Vulnerability
 

Home Depot announced that it is facing “at least 44 civil lawsuits” in the United States and Canada stemming from 56 million customers' data being stolen and exposed earlier this year.

According to the disclosure, which was published Tuesday as part of the company’s quarterly earnings report, “We are also facing investigations by a number of state and federal agencies. These claims and investigations may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines.”

One of the lawsuits, a proposed class-action suit filed in late September in federal court in San Francisco, alleged that Home Depot “failed to properly encrypt its customers’ data in violation of the [Payment Card Industry Data Security Standard].” That same month, former Home Depot security employees told The New York Times that the company repeatedly ignored warnings and undertook poor security for years.


 
Asterisk Open Source PJSIP Channel Driver Denial of Service Vulnerability
 
Asterisk Open Source 'res_pjsip_acl' Module Security Bypass Vulnerability
 
Multiple Asterisk Products Access Control List Security Bypass Vulnerability
 
Multiple Asterisk Products 'funcs/func_db.c' Remote Privilege Escalation Vulnerability
 
Asterisk 'res_pjsip_refer' Module Denial of Service Vulnerability
 
Multiple Asterisk Products ConfBridge Dialplan Functions Remote Privilege Escalation Vulnerability
 
Multiple Asterisk Products ConfBridge Denial of Service Vulnerability
 
Imagemagick CVE-2014-8354 Out of Bounds Local Memory Corruption Vulnerability
 
ImageMagick 'jpeg' File Denial of Service Vulnerability
 
Imagemagick CVE-2014-8355 Out of Bounds Local Memory Corruption Vulnerability
 
[ MDVSA-2014:227 ] ffmpeg
 

If you apply classic hardening rules (keep systems patched, run an AV, enable the firewall, and use them with due diligence), modern operating systems are increasingly difficult to compromise. Extra tools like EMET can raise the bar further. On the other hand, networks are increasingly populated with unknown or personal devices, or with devices that provide several facilities at once, such as storage (NAS), printers (MFP), VoIP, IP cameras, ...

Being easily compromised, these devices are a very good target from which to pivot into the network. They run out of the box: just plug in the network and power cables and they are ready to go! A classic vulnerability management process will detect such devices, but you still risk missing them if you only run a monthly scan! To catch new devices on the fly and get an immediate idea of their attack surface (for example: is there a backdoor present?), I'm using the following toolbox: Arpwatch, Nmap and OSSEC as the conductor.

Arpwatch is a tool for monitoring ARP traffic on a LAN. It can detect new MAC addresses or pairing changes (IP/MAC). Nmap is the best-known port scanner, and OSSEC is a log management tool with many features, including a built-in HIDS.

A first piece of good news is that Arpwatch log entries are decoded by default in OSSEC. OSSEC also has a great feature called Active-Response, which allows actions (read: scripts) to be executed when specific conditions are met. In our case, the Active-Response configuration specifies that nmap-scan.sh is executed on agent 001 with the srcip argument (the IP address reported by Arpwatch) when rule 7201 or 7202 matches, i.e. when a new host or a MAC address change is detected. The nmap-scan.sh script is based on the existing active-response scripts and spawns an Nmap scan:

nmap -sC -O -oG - -oN ${PWD}/../logs/${IP}.log ${IP} | grep Ports: >> ${PWD}/../logs/gnmap.log

This command writes the interesting information, in grepable format, to the gnmap.log file (the normal output goes to a per-host log): the open ports (if any) of the detected IP, as in the example below. One line per host is generated:

Host: 192.168.254.65 (foo.bar.be) Ports: 22/open/tcp//ssh///, 80/open/tcp///,3306/open/tcp/// ...

OSSEC is a wonderful tool and can decode this format by default. Just configure gnmap.log as a new event source, and new alerts will be generated:

2014 Oct 27 17:54:23 (shiva) 192.168.254.1-/var/ossec/logs/gnmap.log
Rule: 581 (level 8) - Host information added.
Host: 192.168.254.65 (foo.bar.be), open ports: 22(tcp) 80(tcp) 3306(tcp)
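To show what OSSEC is doing with the gnmap.log line and the alert above, here is an added example (not OSSEC's own decoder, nor code from the diary) that parses Nmap grepable host lines, keeps a per-IP inventory of open ports, and emits "added" and "changed" events in the same style as the alert shown. The three log lines are constructed for the example; the field layout port/state/proto/owner/service/rpc/version is Nmap's real -oG format. Note that closed, filtered and open|filtered entries are deliberately ignored so that they do not generate noisy "changed" events on a rescan.

```python
"""
Added example: OSSEC-style host inventory events from Nmap -oG lines.
Not OSSEC's own code. Sample log lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

PortList = List[Tuple[int, str]]

# Constructed sample: three lines appended to gnmap.log over time.
# Nmap separates the Host/Ports/OS fields with tabs; the third line shows
# the first host rescanned after telnet appeared and mysql went away.
SAMPLE_GNMAP = (
    "Host: 192.168.254.65 (foo.bar.be)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 3306/open/tcp//mysql///\tOS: Linux 3.X\n"
    "Host: 192.168.254.70 ()\tPorts: 9100/open/tcp//jetdirect///, "
    "161/open|filtered/udp//snmp///\n"
    "Host: 192.168.254.65 (foo.bar.be)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 3306/closed/tcp//mysql///, 23/open/tcp//telnet///\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# One -oG port entry is port/state/proto/owner/service/rpc/version.
PORT_RE = re.compile(r"\b(\d+)/([a-z|]+)/(tcp|udp|sctp)/")


def parse_gnmap_line(line: str) -> Tuple[str, str, PortList]:
    """Return (ip, hostname, sorted open (port, proto) pairs) for one host line.

    Only entries whose state is exactly 'open' count; closed, filtered and
    open|filtered are skipped so they do not produce spurious changes."""
    m = HOST_RE.match(line)
    if not m:
        raise ValueError("not a gnmap host line: %r" % line)
    ip, hostname = m.group(1), m.group(2)
    ports_part = line.split("Ports:", 1)[1] if "Ports:" in line else ""
    open_ports = {
        (int(port), proto)
        for port, state, proto in PORT_RE.findall(ports_part)
        if state == "open"
    }
    return ip, hostname, sorted(open_ports)


def summarize(ports: PortList) -> str:
    """Render ports the way the OSSEC alert does: '22(tcp) 80(tcp)'."""
    return " ".join("%d(%s)" % (port, proto) for port, proto in ports) or "none"


class HostInventory:
    """Last seen open ports per IP; diffing against it yields the
    added/changed events a HIDS raises when a new device shows up."""

    def __init__(self) -> None:
        self.known: Dict[str, PortList] = {}

    def process(self, line: str) -> Optional[str]:
        ip, hostname, ports = parse_gnmap_line(line)
        previous = self.known.get(ip)
        self.known[ip] = ports
        label = "%s (%s)" % (ip, hostname)
        if previous is None:
            return "Host information added. Host: %s, open ports: %s" % (
                label, summarize(ports))
        if previous != ports:
            new = sorted(set(ports) - set(previous))
            gone = sorted(set(previous) - set(ports))
            return "Host information changed. Host: %s, now open: %s (new: %s, gone: %s)" % (
                label, summarize(ports), summarize(new), summarize(gone))
        return None  # same inventory as the last scan: nothing to report


def run(log_text: str) -> List[str]:
    """Feed every host line of a gnmap.log body through one inventory."""
    inv = HostInventory()
    events = []
    for line in log_text.splitlines():
        if line.startswith("Host:"):
            event = inv.process(line)
            if event:
                events.append(event)
    return events


if __name__ == "__main__":
    for event in run(SAMPLE_GNMAP):
        print(event)
```

In practice the inventory would be persisted between runs (OSSEC keeps its own host database for rules 581/582); here it lives in memory only so that the example runs offline.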

By using this technique, you will immediately detect new hosts connected to the network (or an IP address paired with a new MAC address), and you'll get the list of services running on them as well as the detected operating system (if fingerprinting is successful). Happy hunting!

Xavier Mertens

 
LinuxSecurity.com: The system could be made to deny write access to files.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated libXfont packages that fix three security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in ffmpeg: The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted width in huffyuv data with the predictor set to median and [More...]
 
LinuxSecurity.com: Updated imagemagick packages fix security vulnerabilities: ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder [More...]
 
LinuxSecurity.com: Updated ruby packages fix security vulnerabilities: Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary [More...]
 
Apache Qpid CVE-2014-3629 XML External Entity Injection Vulnerability
 
[ MDVSA-2014:226 ] imagemagick
 
[ MDVSA-2014:225 ] ruby
 
[oCERT 2014-008] libFLAC multiple issues
 
phpSound CVE-2014-8954 Multiple HTML Injection and Cross Site Scripting vulnerabilities
 