
Symantec has noticed a significant number of NTP reflection attacks in the last few weeks. NTP is the Network Time Protocol; it is used to synchronize time between a client and a server. It is a UDP protocol running on port 123.

In an NTP reflection attack the attacker sends a small crafted request that causes the NTP server to send a large amount of data to the targeted host.

“In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:”

 

Here is an example of a monlist request:

ntpdc -n -c monlist 127.0.0.1

And here is the output:

Or you can run an Nmap NSE script, which can be found at https://svn.nmap.org/nmap/scripts/ntp-monlist.nse

And here is the packet capture of the Nmap script request:

And here is the packet capture of the response:
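To make the captures above easier to read, here is an added example (not code from the diary, from ntpd or from Nmap) that decodes the 8-byte NTP mode-7 header, flags monlist requests and replies, and totals the reply bytes per server, which is the number a reflection victim sees. The header layout follows ntpd's private-mode request format; all packet bytes and addresses are constructed for illustration, not captured from a real host.

```python
"""Spot NTP monlist (mode 7) traffic and measure its amplification.

Added example, not code from the ISC diary or from ntpd/Nmap. The header
layout follows ntpd's private-mode request format; the packet bytes below
are constructed for illustration, not captured.
"""
import struct

MODE_PRIVATE = 7        # NTP mode 7: ntpd's private "ntpdc" control protocol
IMPL_XNTPD = 3          # implementation number used by ntpd/ntpdc
REQ_MON_GETLIST = 20    # older monlist request code
REQ_MON_GETLIST_1 = 42  # monlist request code sent by ntpdc's "monlist"
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_mode7(payload):
    """Decode the 8-byte mode-7 header; return None if not a mode-7 packet.

    byte 0: R(1) M(1) VN(3) Mode(3)   byte 1: Auth(1) Sequence(7)
    byte 2: implementation            byte 3: request code
    bytes 4-5: Err(4) NItems(12)      bytes 6-7: MBZ(4) ItemSize(12)
    """
    if len(payload) < 8:
        return None
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),   # R bit: set on server replies
        "more": bool(b0 & 0x40),       # M bit: more fragments follow
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": code,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "length": len(payload),
    }


def is_monlist(pkt):
    """True for a monlist request or reply (either direction)."""
    return (pkt is not None and pkt["implementation"] == IMPL_XNTPD
            and pkt["request_code"] in MONLIST_CODES)


def reflected_bytes(packets):
    """Sum monlist *reply* bytes per source address from (src, dst, payload)
    tuples, e.g. pulled from a pcap. A server with a large total here is
    answering monlist and is usable as a reflector."""
    totals = {}
    for src, _dst, payload in packets:
        pkt = parse_mode7(payload)
        if is_monlist(pkt) and pkt["response"]:
            totals[src] = totals.get(src, 0) + pkt["length"]
    return totals


def amplification(request_len, reply_lens):
    """Bytes returned per byte sent: the amplification factor."""
    return sum(reply_lens) / request_len


# --- constructed sample traffic ---------------------------------------------
# A monlist request: mode 7, impl 3, request code 42, padded to 48 bytes
# (the layout ntpdc uses; assembled by hand here).
REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(44)


def _reply(seq, more):
    """One 440-byte monlist reply fragment: 6 items of 72 bytes (constructed)."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, 72)
    return header + bytes(6 * 72)


# The victim (198.51.100.7) receives three fragments it never asked for,
# because the 48-byte request carried its address as the source.
CAPTURE = [
    ("198.51.100.7", "192.0.2.10", REQUEST),
    ("192.0.2.10", "198.51.100.7", _reply(0, True)),
    ("192.0.2.10", "198.51.100.7", _reply(1, True)),
    ("192.0.2.10", "198.51.100.7", _reply(2, False)),
    ("203.0.113.5", "192.0.2.10", bytes([0x1B]) + bytes(47)),  # ordinary client poll, mode 3
]

if __name__ == "__main__":
    print("monlist reply bytes per server:", reflected_bytes(CAPTURE))
    print("amplification:", amplification(len(REQUEST), [440, 440, 440]))
```

Fed real UDP/123 payloads from a capture, reflected_bytes() lists the servers on your network that still answer monlist; the ratio from amplification() is what makes the diary's "small query" worth an attacker's time.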

One way of protecting an NTP server from such attacks is adding

disable monitor

to the /etc/ntp.conf file.

And here is the output of the Nmap script after adding this command:
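As an added example (not part of the diary and not ntpd code), the following script audits an ntp.conf for the fix just described: it reports whether "disable monitor" is present, whether a "restrict default ... noquery" line refuses mode-6/7 queries anyway, and therefore whether monlist is still reachable. Both configuration texts are constructed samples; "disable monitor" and "restrict" with "noquery" are real ntpd directives.

```python
"""Audit an ntp.conf for the monlist exposure described in the diary.

Added example, not part of the ISC diary and not ntpd code. Both config
texts are constructed samples; "disable monitor" and "restrict ... noquery"
are real ntp.conf directives.
"""

WEAK_CONF = """\
# constructed: a stock ntp.conf that still answers mode-7 monlist queries
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed: the diary's fix, plus a default restrict line that refuses
# all mode-6/7 queries from anyone (noquery) while still serving time
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def _directives(text):
    """Yield the token list of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(text):
    """Return which protections are present and whether monlist is reachable."""
    disable_monitor = False
    default_noquery = False
    for tokens in _directives(text):
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            disable_monitor = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):   # address-family form of restrict
                args = args[1:]
            # "noquery" refuses mode-6/7 queries; "ignore" drops everything
            if args and args[0] == "default" and ({"noquery", "ignore"} & set(args[1:])):
                default_noquery = True
    return {
        "disable_monitor": disable_monitor,
        "default_noquery": default_noquery,
        "monlist_reachable": not (disable_monitor or default_noquery),
    }


def harden(text):
    """Append the diary's fix if it is missing; returns the new config text."""
    if audit_ntp_conf(text)["disable_monitor"]:
        return text
    return text.rstrip("\n") + "\n# added: stop answering monlist (mode 7 MON_GETLIST)\ndisable monitor\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
    print("after harden():", audit_ntp_conf(harden(WEAK_CONF)))
```

Run it against /etc/ntp.conf on each server you found answering monlist; "disable monitor" is enough for the diary's case, and the noquery default restrict closes the remaining mode-6/7 query surface as well.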



 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I hope you had a fabulous Christmas, for those who celebrate it; for those who do not, a hearty cheers to you!

In the spirit of a fabulous weekly service, DRG Weekend Reads, provided by our friends over at the Dragon Research Group, and courtesy of reader and contributor Gebhard, I offer you an additional list of great weekend reading items.

  1. Symantec: Hackers Spend Christmas Break Launching Large Scale NTP-Reflection Attacks
  2. WhiteHat Security: Why com.com Should Scare You
  3. Zscaler: Infection found on ‘feedburner.com’
  4. Ditto Forensic FieldStation, multiple vulnerabilities
  5. Krebs On Security: Who’s Selling Credit Cards from Target?
     
Russ McRee | @holisticinfosec

 

Target has confirmed that hackers obtained customer debit card PINs (personal identification numbers) in the massive data breach suffered by the retailer during the busy holiday shopping season, but says customers should be safe, as the numbers were encrypted.
 

Opinion: How infosec training is changing to stay ahead
TechTarget
Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Institutions of higher learning and professional certification programs are ...

 
A federal judge has ruled that the U.S. National Security Agency's bulk phone record metadata collection efforts are legal, turning aside a lawsuit the American Civil Liberties Union brought against the agency.
 
Zimbra Collaboration Server Unspecified Security Vulnerability
 
BOINC CVE-2013-2298 Multiple Stack Based Buffer Overflow Vulnerabilities
 
Microsoft Windows Movie Maker '.wav' File Denial of Service Vulnerability
 
Fat Free CRM Multiple Security Vulnerabilities
 
Chromebooks had a very good year, according to retailer Amazon.com and industry analysts. And that's bad news for Microsoft.
 
A security hole in popular photo messaging service Snapchat could allow attackers to find the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.
 
Ruby Nokogiri Gem XML Parsing Multiple Denial of Service Vulnerabilities
 
will_paginate Ruby Gem unspecified Cross Site Scripting Vulnerability
 
Quagga BGP Updates 'bgp_attr.c' Remote Denial Of Service Vulnerability
 

When someone suspects that malware may be active on a system, or that the system has been compromised, one of the most obvious places to check is the startup locations. In this diary I am going to discuss some of the startup locations in Windows systems:
1-Startup Folders:
On Windows XP systems:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\%UserName%\Start Menu\Programs\Startup
On Windows Vista/7/8
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\%UserName%\Appdata\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Figure 1: Windows Startup

When an executable file (an application or a batch file) is located in the All Users folder, it will run for any user who logs on, while one located in a particular user's folder will run only when that user logs on.
Please note that the locations above are the defaults and they can be changed, so I suggest first checking the following registry keys:
On Windows XP/Windows Vista/7/8 (see figure 2):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
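The point of checking those four keys is that malware can redirect the Startup folder somewhere Explorer will still run from but an analyst will not look. As an added example (not part of the diary), the script below expands the registry data the way REG_EXPAND_SZ values are expanded, compares each Startup and Common Startup value against the Vista/7/8 defaults listed above, and reports any that were moved; the XP defaults from the diary can be substituted the same way. The registry snapshot and environment values are constructed; read_live_values() shows how to pull the real ones with Python's standard winreg module when run on Windows.

```python
"""Flag Startup folder locations that were redirected away from the default.

Added example, not part of the ISC diary. The registry snapshot below is
constructed; read_live_values() reads the real values with the standard
winreg module and only works on Windows.
"""
import re

USER_SHELL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
SHELL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

# (hive, value name) -> default location, unexpanded (Vista/7/8 defaults).
DEFAULTS = {
    ("HKCU", "Startup"): r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    ("HKLM", "Common Startup"): r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}


def expand(path, env):
    """Expand %VAR% references case-insensitively, as REG_EXPAND_SZ data is."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def normalize(path):
    """Windows paths are case-insensitive; trailing backslashes do not matter."""
    return path.rstrip("\\").lower()


def check_startup_locations(reg, env):
    """reg maps "HIVE\\key path" -> {value name: data}. Returns a list of
    (hive, key, value, resolved path) for every Startup value that does not
    resolve to the default folder. Values that are absent are skipped."""
    findings = []
    for (hive, value), default in DEFAULTS.items():
        expected = normalize(expand(default, env))
        for key in (USER_SHELL, SHELL):
            data = reg.get(hive + "\\" + key, {}).get(value)
            if data is None:
                continue
            resolved = expand(data, env)
            if normalize(resolved) != expected:
                findings.append((hive, key, value, resolved))
    return findings


def read_live_values():
    """Windows only: collect the same four keys with the standard winreg module."""
    import winreg  # imported lazily on purpose; absent on other platforms
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    reg = {}
    for hive, root in hives.items():
        for key in (USER_SHELL, SHELL):
            try:
                with winreg.OpenKey(root, key) as handle:
                    values = {}
                    for name in ("Startup", "Common Startup"):
                        try:
                            values[name] = winreg.QueryValueEx(handle, name)[0]
                        except FileNotFoundError:
                            pass
                    reg[hive + "\\" + key] = values
            except OSError:
                pass
    return reg


# --- constructed snapshot of a clean machine --------------------------------
ENV = {"USERPROFILE": r"C:\Users\alice", "ProgramData": r"C:\ProgramData"}
CLEAN = {
    "HKCU\\" + USER_SHELL: {"Startup": DEFAULTS[("HKCU", "Startup")]},
    "HKCU\\" + SHELL: {"Startup": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    "HKLM\\" + USER_SHELL: {"Common Startup": DEFAULTS[("HKLM", "Common Startup")]},
    "HKLM\\" + SHELL: {"Common Startup": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"},
}

# Same snapshot with the per-user Startup folder pointed at a temp directory (constructed).
TAMPERED = {k: dict(v) for k, v in CLEAN.items()}
TAMPERED["HKCU\\" + USER_SHELL]["Startup"] = r"%USERPROFILE%\AppData\Local\Temp\su"

if __name__ == "__main__":
    print("clean:", check_startup_locations(CLEAN, ENV))
    print("tampered:", check_startup_locations(TAMPERED, ENV))
```

Whatever the check resolves each value to is the folder worth listing next, since that, not the default path, is where Explorer will look for items to run at logon.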


 

IBM Web Content Manager 'LIBRARY' Parameter XPath Injection Vulnerability
 
The smartwatch phenomenon promises to blossom in 2014 as experts expect Google to launch a model by summer followed by Apple sometime in the fall. Even Microsoft is reportedly working on one.
 
Amazon.com is offering $20 gift cards and refunds on shipping charges to customers who did not get their Christmas orders on time.
 
OpenSSL 'ssl_get_algorithm2()' Function Remote Denial of Service Vulnerability
 
Mozilla Firefox/SeaMonkey CVE-2013-5612 Cross Site Scripting Vulnerability
 
SEC Consult SA-20131227-0 :: IBM Web Content Manager (WCM) XPath Injection
 
Dell is going private, and that means Michael Dell can stop worrying about shareholders and start focusing on what it will take to make his company grow.
 
Mozilla Firefox and SeaMonkey CVE-2013-6672 Information Disclosure Vulnerability
 

2013: The Year Of Security Certification Bashing
InformationWeek
What can we do to help ourselves? First, we have to act as a community. There definitely are charlatans out there, and maybe places like attrition.org are useful in bringing them to light. But is a public flogging truly the solution? The InfoSec ...

 

NEC, Mitsubishi Corp. to form information security joint venture
Asahi Shimbun
NEC Corp. and Mitsubishi Corp. said Dec. 25 that the electronics company and the trading house will form a joint venture to strengthen their presence in the rapidly growing cyber-security services field. NEC will acquire a 60-percent equity stake in ...
