Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


The investigation into the attempted $1 billion electronic heist at the Bangladesh central bank has expanded to as many as 12 more banks that all use the SWIFT payment network.

Security firm FireEye, investigating the hack, has been contacted by numerous other banks, including some in New Zealand and the Philippines. While most of the attempted transfers in the original heist were cancelled, some $81 million was sent to the Philippines and subsequently laundered through casinos. The SWIFT organization in a statement said that some of these reports may be false positives, and that banks should rigorously review their computing environments to look for hackers.

Symantec, meanwhile, has corroborated earlier claims from BAE Systems that the hackers that stole from the Bangladesh central bank are linked to the hackers that have attacked targets in the US and South Korea since 2009, and that hacked Sony Pictures in 2014. The FBI claimed that those hackers were North Korean. Symantec's rationale is the same as that of BAE; malware found at the bank, Sony, and other victims, all appears to share common code for securely deleting files to cover its tracks.


 


As Microsoft pats itself on the back for its crackdown on easily cracked passwords, keep this in mind: a quick check shows users still have plenty of leeway to make poor choices. Like "Pa$$w0rd1" (excluding the quotation marks).

As a Microsoft program manager announced earlier this week, the Microsoft Account Service used to log in to properties such as Xbox Live and OneDrive Azure has been dynamically banning commonly used passwords during the account-creation or password-change processes. Try choosing "12345678," "password," or "letmein"—as millions of people regularly do—and you'll get a prompt telling you to try again. Microsoft is in the process of adding this feature to the Azure Active Directory so enterprise customers using the service can easily stop employees from taking security shortcuts, as well.

But a quick check finds it's not hard to get around the ban. To wit: "Pa$$w0rd1" worked just fine. And in fairness to Microsoft, Google permitted the same hopelessly weak choice.


 

Security Awareness 101: Peerlyst's Tips for Programs that Work
SYS-CON Media (press release)
With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering product insight. For more information, email ...

 

Expert Q&A: Marketing to IT Professionals With Rich Media
Business 2 Community
Other key infosec topics that are in the news on a daily basis such as cyber warfare and the big breaches (i.e. Ashley Madison, Panama Papers, etc.) are sparking a lot of debate and discussion on BrightTALK. These hyper-public, newsworthy stories are ...

 
[CVE-2016-4434] Apache Tika XML External Entity vulnerability
 
ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability
 

Techworm

A Linux distro specifically for students, Birds Linux 8.0 launched with Kernel 4.5
Techworm
Birds Linux 8.0 might have been in development for the past 3 months, but during this period, the developer has managed to update most of the core components to their latest versions. One of the things that you will notice after is that the ...

 

US-CERT warns of domain name collision
IT World Canada
Any collision is a bad thing, especially when it happens in a computer system. The U.S. Computer Emergency Readiness Team (CERT) this week warned infosec teams of a vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol, which could involve a ...

 


Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found.

In all, 184 servers—some belonging to German stock exchange Deutsche Börse and Polish banking association Związek Banków Polskich—were also found to be vulnerable to a decade-old exploit technique cryptographers have dubbed the "forbidden attack." An additional 70,000 webservers were found to be at risk, although the work required to successfully carry out the attack might prove to be prohibitively difficult. The data came from an Internet-wide scan performed in January. Since then, Deutsche Börse has remedied the problem, but, as of Wednesday, both Visa and Związek Banków Polskich have allowed the vulnerability to remain and have yet to respond to any of the researchers' private disclosures.

The vulnerability stems from implementations of the transport layer security protocol that incorrectly reuse the same cryptographic nonce when data is encrypted. TLS specifications are clear that these arbitrary pieces of data should be used only once. When the same one is used more than once, it provides an opportunity to carry out the forbidden attack, which allows hackers to generate the key material used to authenticate site content. The exploit was first described in comments submitted to the National Institute of Standards and Technology. It gets its name because nonce uniqueness is a ground rule for proper crypto.


 

Security Awareness 101: Peerlyst's Tips for Programs that Work
SYS-CON Media (press release)
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

 

Do you know the amount of Tor traffic hitting your network? Do you know what people are doing from this anonymized network? Most IDS solutions have built-in rules to report traffic generated from/to Tor exit nodes:

    alert ip [185.97.32.18,186.212.145.191,187.20.170.159,188.120.231.199,188.126.81.155,188.129.46.116,188.138.1.217,188.138.9.41,188.138.9.49,188.209.52.109] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 29"

This is very interesting to know when some traffic is coming into (or leaving) your infrastructure from the Tor network. Tor traffic can be completely legit (more and more people take care of their privacy) but it can also be a sign of reconnaissance or an ongoing attack from bad guys. IDS are usually deployed behind firewalls (on the internal side) and do not see the traffic dropped by the firewall. The dropped traffic has a real value from a security point of view. While most next-generation firewalls are able to detect Tor traffic, they do not report the traffic from/to Tor exit nodes by default. I was curious to know how my own infrastructure was reached by such hosts. It means many public resources: servers, VPS and my home network.

How to achieve this? I performed this with Splunk but the same is easily doable within

The first step is to get a list of the Tor nodes. This list is changing all the time and sites provide this data for free. I'm using: https://www.dan.me.uk/torlist/?exit. Keep in mind that for performance reasons, you are rate-limited (no need to fetch the list every x minutes). In my case I set up an hourly cron job that generates the lookup file:

    #!/bin/bash
    # Fetch the current exit-node list and rewrite the Splunk lookup CSV.
    URL="https://www.dan.me.uk/torlist/?exit"
    OUTPUT=/opt/splunk/var/run/splunk/tor_exit_nodes.csv
    # CSV header: one IP per row, tagged with a constant description field.
    echo "src_ip,desc" > "$OUTPUT"
    wget -O - "$URL" 2>/dev/null | while read -r L
    do
        echo "$L,TorExitNode" >> "$OUTPUT"
    done

Note: I add a second field desc with a default value TorExitNode.

The next step is to configure Splunk and create a lookup table to search for IP addresses from the CSV file. With the huge amount of IP addresses in the CSV, I decided to use a KV (keyword-value) lookup table to speed up searches. Have a look at the Splunk documentation for details.

The list of Tor exit nodes seen by the firewall:

    index=firewall | dedup src_ip | lookup tor_exit_nodes src_ip | where desc="TorExitNode"

The number of events per exit node:

    index=firewall | lookup tor_exit_nodes src_ip | where desc="TorExitNode" | stats count by src_ip

Where they are located:

    index=firewall | lookup tor_exit_nodes src_ip | where desc="TorExitNode" | iplocation src_ip |

And finally, more important: which destination ports are targeted:

    index=firewall | lookup tor_exit_nodes src_ip | where desc="TorExitNode" | stats count by dest_port

Finally, we can get info about a specific protocol (ex: HTTP). Here we see all HTTP errors (code

You can imagine plenty of useful queries to get extra values from your logs. If your web server is scanned, something weird may occur but it
ISC Handler - Freelance Security Consultant
PGP Key
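The lookup-then-count pipeline of the diary, reproduced offline for readers without Splunk, as an added example that is not part of the original diary. It assumes the one-address-per-line list format of the dan.me.uk feed and key=value firewall log lines with the diary's field names; both inputs below are constructed samples.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample exit list, in the one-address-per-line format of the feed.
TOR_EXIT_LIST = "185.97.32.18\n188.138.9.41\n198.51.100.77\n"

# Constructed firewall log lines; field names follow the diary's Splunk queries.
FIREWALL_LOG = """\
May 26 10:01:02 fw1 action=DROP src_ip=185.97.32.18 dest_ip=203.0.113.10 dest_port=22
May 26 10:01:05 fw1 action=DROP src_ip=185.97.32.18 dest_ip=203.0.113.10 dest_port=443
May 26 10:02:11 fw1 action=ALLOW src_ip=192.0.2.44 dest_ip=203.0.113.10 dest_port=443
May 26 10:03:40 fw1 action=DROP src_ip=188.138.9.41 dest_ip=203.0.113.11 dest_port=22
May 26 10:04:01 fw1 action=DROP src_ip=198.51.100.77 dest_ip=203.0.113.11 dest_port=8080
"""

KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs in a log line

def build_lookup(exit_list):
    """Mirror the cron job: header 'src_ip,desc', every exit IP tagged TorExitNode."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["src_ip", "desc"])
    w.writeheader()
    for ip in exit_list.split():
        w.writerow({"src_ip": ip, "desc": "TorExitNode"})
    return buf.getvalue()

def load_lookup(csv_text):
    """Index the CSV by src_ip, the role the KV lookup table plays in Splunk."""
    return {r["src_ip"]: r["desc"] for r in csv.DictReader(io.StringIO(csv_text))}

def tor_hits(log_text, lookup):
    # index=firewall | lookup tor_exit_nodes src_ip | where desc="TorExitNode"
    events = (dict(KV_RE.findall(line)) for line in log_text.splitlines())
    return [ev for ev in events if lookup.get(ev.get("src_ip")) == "TorExitNode"]

def stats_count_by(events, field):
    """| stats count by <field>, returned as {value: count}."""
    return dict(Counter(ev[field] for ev in events))

if __name__ == "__main__":
    hits = tor_hits(FIREWALL_LOG, load_lookup(build_lookup(TOR_EXIT_LIST)))
    print("who:", stats_count_by(hits, "src_ip"))
    print("what:", stats_count_by(hits, "dest_port"))
```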
 

Techworm

Top 9 Free Phishing Simulators for hackers and security researchers
Techworm
In our attempt to make this world free from cyber criminals, we have brought out different articles about hacking tools and apps. The attempt of putting such articles in public domain is to educate readers about the clear and present dangers about ...

 