When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had previously been used by a rampant file sharing user, and that Michael was now seeing the "afterglow".

We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise ...

... that Michael's network was responding to the traffic. Hmm. Oops!

Closer inquiry then revealed that they had recently updated the firmware on their QNAP TS-659 NAS (network storage) server, and this new version came with the ability to act as a media and streaming server. It isn't quite clear whether the corresponding functionality had been "on" by default, or had been turned on by accident. But once it was turned off, the "odd UDP traffic" stopped right away.

Lesson learned: after an upgrade, check that things are still the way you expect them to be. While most vendors have thankfully learned to keep new "features" turned off by default, you can't quite rely on it. For home use, investing in a small network tap or hub, and every now and then checking the traffic leaving your house, is (a) a good security precaution and (b) helps to keep your Wireshark Packet-Fu skills current :)

And while we are on the topic of NAS and storage servers: A CERT vulnerability note released today states that some versions of Synology DiskStation contain a hard-coded password which can be used by remote attackers to establish a VPN into the DiskStation. I wish vendors - prominently including Cisco - would get their bleeping act together and, after years of "security advisories" on the subject, eventually stop shipping products with hard-coded credentials/backdoors! Details on the Synology mess here: http://www.kb.cert.org/vuls/id/534284


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Wind River Systems has updated its widely used VxWorks embedded RTOS (real-time operating system) to make it ready for use on impending "Internet of things" systems.
Chrome users are up in arms again, this time over Google's plan to automatically disable some browser add-ons, according to scores of messages posted to Google's support forum.
IBM is laying off employees this week, a job action that began in a curious way, with the announcement with an agreement with New York to maintain minimum staffing levels in the state.

Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about, along with further recommendations to implement it [1][2][3][4] (see the NANOG mailing list archive). Some will say "it will aid in DDoS mitigation", and others will even state "All Internet Service Providers (ISPs) should implement this." Now, before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is, and perhaps what it can do.

BCP 38, a.k.a. RFC 2827 (thank you to our readers for the correction) [5], is a best practice methodology around ingress traffic filtering. The specific purpose, as stated in the RFC abstract, is "to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point." [5]

BCP 38 outlines the concept of "restricting transit traffic" that comes from a "downstream network to known, and internally advertised prefixes" [5, p.4]. In an overly simplified diagram (my interpretation of the RFC; comments and corrections welcome), it means the ISP says:
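The rule the ISP applies at its aggregation point, written out as an added example (my own code, not from the RFC or the diary): the customer prefixes, the sample traffic and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the prefixes the ISP assigned to one downstream customer
# and advertises on that customer's behalf. Under BCP 38 the ISP's aggregation
# router permits a packet from the customer-facing link only if its source
# address falls inside these prefixes; anything else is forged and is dropped.
CUSTOMER_PREFIXES = [
    "192.0.2.0/24",     # IPv4 documentation range, constructed sample
    "2001:db8:1::/48",  # IPv6 documentation range, constructed sample
]

def build_ingress_filter(prefixes):
    """Return a predicate implementing RFC 2827 ingress filtering for one
    downstream interface: permit only sources inside the known prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def permit(src):
        addr = ipaddress.ip_address(src)
        # Version check keeps IPv4 and IPv6 prefixes from being confused.
        return any(addr.version == n.version and addr in n for n in nets)

    return permit

def filter_packets(packets, prefixes):
    """Apply the filter to (src, dst) pairs; return (forwarded, dropped) sources."""
    permit = build_ingress_filter(prefixes)
    forwarded, dropped = [], []
    for src, _dst in packets:
        (forwarded if permit(src) else dropped).append(src)
    return forwarded, dropped

# Constructed traffic as it might arrive on the customer-facing interface.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),       # legitimate customer host
    ("203.0.113.77", "198.51.100.5"),     # source belongs to another network: forged
    ("2001:db8:1::42", "2001:db8:2::1"),  # legitimate IPv6 customer host
    ("2001:db8:9::1", "2001:db8:2::1"),   # source outside the customer's /48: forged
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The same check is what a router ACL or nftables rule on the customer-facing interface expresses; the point is that the filter sits at the ISP edge, where the legitimate source prefixes are known, not at the victim.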




Let us know if you are using or have implemented BCP 38. We recommend it, and we do feel that it has technical merit and can help reduce risk!



A reader noted (see comments) that a purposeful effort by NANOG to get more information out can be found at http://www.bcp38.info.




[1] https://isc.sans.edu/diary/A+Chargen-based+DDoS%3F+Chargen+is+still+a+thing%3F/15647

[2] https://isc.sans.edu/diary/Disaster+Preparedness+-+Are+We+Shaken+or+Stirred%3F/11431

[3] https://isc.sans.edu/forums/diary/Where+Were+You+During+the+Great+DDoS+Cybergeddon+of+2013+/15496

[4] https://isc.sans.edu/podcastdetail.html?id=3260

[5] http://tools.ietf.org/html/bcp38



Richard Porter

--- ISC Handler on Duty

Twitter: @packetalien

Blog: http://packetalien.com

"Got Packets?"

Since disclosing last fall that an internal research team is developing an open hardware platform for creating highly modular smartphones, Google has offered few details of the effort, dubbed Project Ara.
As the 25th anniversary of the World Wide Web approaches, 87% of U.S. adults use the Internet, according to a Pew Research Center survey.
Belkin Wemo Home Automation Devices CVE-2013-6951 Remote Code Execution Vulnerability
Belkin Wemo Home Automation Devices 'peerAddresses' API XML External Entity Injection Vulnerability

When the CEO asks the CIO to find a way to attract the business units to the IT function, with the ultimate goal of increasing revenue, the CIO realizes his staff is going to need some new skills.
U.K. intelligence agency GCHQ captured and stored still webcam images of millions of Yahoo users including substantial quantities of sexually explicit material, the Guardian newspaper reported Thursday.
A major Oracle PeopleSoft ERP (enterprise resource planning) software project in California led by Accenture is running well over schedule and budget, according to the state's auditor.
LinuxSecurity.com: File could be made to crash if it processed a specially crafted file.
LinuxSecurity.com: A vulnerability in pidgin-knotify might allow remote attackers to execute arbitrary code.
pidgin-knotify 'notify()' Remote Command Injection Vulnerability

InfoSec and Privacy Advisory Board Meet
SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet Wednesday, March 12, 2014, from 8:00 a.m. until 5:00 p.m. Eastern Time, Thursday, March 13, 2014, from 8:00 a.m. until 5:00 p.m. Eastern Time, and Friday, March 14, 2014, ...

At the heart of the $19B WhatsApp acquisition may be Facebook's continuing desire to take over your mobile phone.
Google yesterday gave Chrome extension developers another two months to register their work with the browser's online store, after which the company will throw a "kill switch" on most add-ons installed from other sources.
Atlassian Crucible Unauthorized Access Vulnerability
MODx 'header.tpl' Cross Site Scripting Vulnerability
Google has been scrambling for more than 24 hours to unclog a queue of messages sent to Gmail users that its Postini email filter incorrectly labeled as spam and quarantined.
Intel won't be releasing an SSD whose performance can be customized by overclocking after all. Instead, it announced plans today to overclock a new flagship drive and begin selling that in March.
A screenshot showing redacted contents of a database included with the smartphone app for attendees of this week's RSA security conference in San Francisco.

After learning about a smartphone app dedicated solely to this week's RSA security conference in San Francisco, I publicly questioned why anyone would install it. After all, RSA's recently discovered history of either deliberately or unknowingly seeding its trusted products with dangerous code developed by the National Security Agency has left many people suspicious.

A day later, researchers have uncovered two vulnerabilities in the app that make it hard for me to resist the urge to say "I told you so." One of them discloses the name, surname, title, employer, and nationality of people who have installed the app, according to Gunter Ollmann, a researcher at security firm IOActive. For reasons unknown, the information resides in an SQLite database file that's bundled with the app. Opening it and reading the contents are trivial.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details [were] being made public and published in this way," he wrote in a blog post published Wednesday morning. "Marketers love this kind of information though!"


SEC Consult SA-20140227-0 :: Local Buffer Overflow vulnerability in SAS for Windows (Statistical Analysis System)
Oracle Outside In Technology CVE-2013-5879 Local Security Vulnerability
File Utility CVE-2014-1943 Remote Code Execution Vulnerability


Despite waning 2014 RSA Conference boycott, infosec giants on the defensive
In this special issue, we are revealing the winners of our Security 7 awards. Discover which outstanding information security professionals were recognized for their contributions. Download Now! Premium Editorial ...
The look and feel of RSA Conference 2014 (Help Net Security)

Fourteen prominent security and cryptography experts have signed an open letter to technology companies urging them to take steps to regain users' trust following reports over the past year that vendors collaborated with government agencies to undermine consumer security and facilitate mass surveillance.
Financial data and news company Bloomberg has developed in-house access controls and embraced several other technological fixes after it emerged last year that the company's journalists had routinely accessed data on how Wall Street clients were using the company's computer terminals.
Linux Kernel CVE-2012-6538 Local Information Disclosure Vulnerability
Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin
Update: CVE-2014-0053 Information Disclosure when using Grails
Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
CIO's Publisher Adam Dennison nominates the CIO as the best 'pathfinder' to help C-suite execs move confidently toward digital business, and provides a link to the CIO Executive Council's new digital readiness survey.
Age really is just a number. If you're keeping current on new technologies and advancement, and show a willingness to keep learning and growing, there's no reason it should be an impediment to your job search.
Apache Tomcat JULI Logging Component Default Security Policy Vulnerability
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability
Apache Tomcat CVE-2007-6286 Duplicate Request Processing Security Vulnerability
The number of vulnerabilities found in Microsoft's Windows 7 and XP operating systems doubled last year over 2012, with the highest number of flaws reported in Windows 8, according to new research from Secunia.
Apache Tomcat Directory Host Appbase Authentication Bypass Vulnerability
Oracle Database Mobile/Lite Server CVE-2013-0366 Remote Vulnerability
The U.S. government has asked a secret surveillance court to allow it to hold telephone metadata for a period beyond the current five-year limit, for use as potential evidence in civil lawsuits regarding the collection of the data.
An appeals court in the U.S. ruled that YouTube must take down the controversial "Innocence of Muslims" video that sparked off violence in many countries in 2012, reversing a district court's denial of an injunction against the video sharing site and its owner Google.
If you want to find out how the so-called Internet of things is shaking up the tech industry, Mobile World Congress in Barcelona is the place to be this week.
Even as server shipments went up, revenue in the market declined in last year's fourth quarter, as demand for higher-end systems remained weak, according to research firm IDC.
Using an infrared laser, ST Microelectronics' new proximity detector for mobile phones can measure distances to within a centimeter or two.
Security concerns should not deter enterprises from using public cloud technologies when it makes business sense.
POSH '/portal/scr_authentif.php' Remote Information Disclosure Vulnerability

Posted by InfoSec News on Feb 27


Feb 27, 2014

Authorities said yesterday that they have arrested three hackers suspected
of leaking the personal data of 17 million people from 225 websites.

The Incheon Metropolitan Police Agency announced yesterday that it had
arrested the trio, who stole personal data from Korean websites and sold
it to loan lenders and chauffeur...

Posted by InfoSec News on Feb 27


By Violet Blue
February 26, 2014

The RSA security conference (where the world's security companies come to
do business with each other), opened its doors this week in San Francisco
to a wide range of protests by security professionals who would otherwise
be attending and speaking at the conference.

The protests might be...

Posted by InfoSec News on Feb 27


Times of Israel
February 27, 2014

WASHINGTON -- US Jewish groups face "a more concerted and aggressive
effort" from Internet hackers, the national community’s security arm said
in an alert.

"It is imperative that all IT departments understand how to mitigate the
threat and are up-to-date on the necessary technologies and processes to

Posted by InfoSec News on Feb 27


By Patrick Ouellette
Health IT Security
February 26, 2014

The HIMSS14 Conference down in Orlando this week will present an
opportunity for vendors of all different sizes and specialties to display
their offerings to their user audience. New technologies are being
announced on what seems like an hourly basis and organizations are
implementing them...

Posted by InfoSec News on Feb 27


By Jaikumar Vijayan
February 26, 2014

SAN FRANCISCO -- In the battle between enterprises and malicious hackers,
the bad guys are clearly winning, judging by the sheer number of people
and exhibitors at the RSA security conference going on here this week.

With an estimated 30,000 attendees and more than 400 exhibitors, RSA 2014
is the...