Information Security News
When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "afterglow".
We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise ...
... that Michael's network was responding to the traffic. Hmm. Oops!
Closer inquiry then revealed that they had recently updated the firmware on their QNAP TS-659 NAS (network storage) server, and this new version came with the ability to act as a media and streaming server. It isn't quite clear if the corresponding functionality had been "on" by default, or had been turned on by accident. But once turned off, the "odd UDP traffic" stopped right away.
Lesson learned - after an upgrade, check if things are still how you expect them to be. While most vendors have thankfully learned to keep new "features" turned off by default, you can't quite rely on it. For home use, investing in a small network tap or hub, and every now and then checking the traffic leaving your house is (a) a good security precaution and (b) helps to keep your Wireshark Packet-Fu skills current :)
And while we are on the topic of NAS and storage servers: A CERT vulnerability note released today states that some versions of Synology DiskStation contain a hard-coded password which can be used by remote attackers to establish a VPN into the DiskStation. I wish vendors - prominently including Cisco - would get their bleeping act together, and, after years of "security advisories" on the subject, eventually stop shipping products with hard-coded credentials/backdoors! Details on the Synology mess here: http://www.kb.cert.org/vuls/id/534284
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about, along with recommendations to implement it (see the NANOG mailing list archive). Some will say "it will aid in DDoS mitigation" and others will even state "all Internet Service Providers (ISPs) should implement this." Now, before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is and perhaps what it can do.
BCP 38, a.k.a. RFC 2827 (thank you to our readers for the correction), is a best-practice methodology around ingress traffic filtering. Its specific purpose, as stated in the RFC abstract, is "to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point."
BCP 38 outlines the concept of "restricting transit traffic" that comes from a "downstream network to known, and internally advertised prefixes" [5, p.4]. In an overly simplified diagram (my interpretation of the RFC; comments and corrections welcome), it means the ISP says:
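As an added illustration (not code from the original diary or from the RFC), the following Python models the RFC 2827 ingress check at the ISP aggregation point for a single-homed customer link: the customer's allocation is assumed to be the constructed prefixes 192.0.2.0/24 and 2001:db8::/32, and a packet arriving from that link is forwarded only if its source address falls inside the allocation, so forged sources are dropped before they transit the ISP.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example allocation: the prefixes the ISP assigned to (and
# advertises for) one downstream customer link. No legitimate packet from
# that link can carry a source address outside this set.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def ingress_permitted(src: str, prefixes: Iterable = CUSTOMER_PREFIXES) -> bool:
    """RFC 2827 ingress rule for a single-homed downstream link: permit the
    packet only if its source address lies within a prefix allocated to
    that link. Applies to traffic entering FROM the customer, not to
    traffic the ISP sends towards the customer."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop rather than forward
    # 'in' already returns False when address and network families differ.
    return any(addr in net for net in prefixes)


def filter_packets(packets: Iterable[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split (src, dst) packets seen on the customer-facing interface into
    the ones forwarded upstream and the ones dropped as spoofed."""
    forwarded: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for pkt in packets:
        (forwarded if ingress_permitted(pkt[0]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic arriving from the customer side of the link.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),     # legitimate customer host
    ("2001:db8:1::5", "2001:db8:2::9"), # legitimate IPv6 customer host (inside /32)
    ("203.0.113.7", "198.51.100.5"),    # forged: source belongs to another network
    ("10.0.0.1", "198.51.100.5"),       # forged: private source on a transit link
    ("fc00::1", "2001:db8:2::9"),       # forged: ULA source not in the allocation
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for src, dst in drop:
        print(f"  dropped spoofed packet {src} -> {dst}")
```

The same decision is what an ISP expresses as a permit-only-these-prefixes access list on the customer-facing interface; the value of the filter comes from being applied at every aggregation point, since it blocks forged sources only from the links it is deployed on.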
Let us know if you are using or have implemented BCP38. We recommend it, and we do feel that it has technical merit and can help reduce risk!
A reader noted (see comments) that a purposeful effort by NANOG to get more information out can be found at http://www.bcp38.info.
Richard Porter --- ISC Handler on Duty
InfoSec and Privacy Advisory Board Meet
SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet Wednesday, March 12, 2014, from 8:00 a.m. until 5:00 p.m. Eastern Time, Thursday, March 13, 2014, from 8:00 a.m. until 5:00 p.m. Eastern Time, and Friday, March 14, 2014, ...
After learning about a smartphone app dedicated solely to this week's RSA security conference in San Francisco, I publicly questioned why anyone would install it. After all, RSA's recently discovered history of either deliberately or unknowingly seeding its trusted products with dangerous code developed by the National Security Agency has left many people suspicious.
A day later, researchers have uncovered two vulnerabilities in the app that make it hard for me to resist the urge to say "I told you so." One of them discloses the name, surname, title, employer, and nationality of people who have installed the app, according to Gunter Ollmann, a researcher at security firm IOActive. For reasons unknown, the information resides in an SQLite database file that's bundled with the app. Opening it and reading the contents are trivial.
"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details [were] being made public and published in this way," he wrote in a blog post published Wednesday morning. "Marketers love this kind of information though!"
Despite waning 2014 RSA Conference boycott, infosec giants on the defensive
In this special issue, we are revealing the winners of our Security 7 awards. Discover which outstanding information security professionals were recognized for their contributions.
The look and feel of RSA Conference 2014
Posted by InfoSec News on Feb 27: http://koreajoongangdaily.joins.com/news/article/Article.aspx?aid=2985550
Posted by InfoSec News on Feb 27: http://news.cnet.com/8301-1009_3-57619614-83/rsa-protests-by-def-con-groups-code-pink-draw-ire/
Posted by InfoSec News on Feb 27: http://www.timesofisrael.com/hackers-aggressively-targeting-us-jewish-groups/
Posted by InfoSec News on Feb 27: http://healthitsecurity.com/2014/02/26/factoring-new-technologies-in-healthcare-risk-analysis/
Posted by InfoSec News on Feb 27: http://www.computerworld.com/s/article/9246607/Huge_turnout_at_RSA_shows_hackers_are_winning