Every once in a while, I come across a service that leaves me speechless. This is exactly what happened when I first started using Tackk: It took my breath away. Tackk is a free website maker currently in beta, and will help you create any single-page website (or Tackks) in minutes.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The earthquake and tsunami that demolished northeastern Japan in 2011 left many thousands of its survivors cut off from their homes. But displaced residents of Namie-machi, a small town on the eastern coast of the Pacific that's still in an exclusion zone, can now at least get a present-day glimpse of their neighborhood, thanks to Google.

Vendors audited by Vic Govt infosec chief
SC Magazine Australia
Victoria's data security chief has warned vendors to brush up their security postures if they hope to ply trade with the State Government. Commissioner for Law Enforcement Data Security David Watts will head the state's office of the Privacy and Data ...

Naxsi 'naxsi_unescape_uri()' Function Security Bypass Vulnerability
Pixman CVE-2013-1591 Stack-Based Buffer Overflow Vulnerability

What if they pulled the plug?
Sydney Morning Herald
It was 5.30am on November 22, 2012 when Greg Walsh had his first inkling that the internet had stopped working. As a farm manager near Warrnambool, he had risen early to check his email and send instructions to the farm managers he oversaw. Except on ...

While some CIOs are rushing to put data into an external cloud, STW Communications Group CIO Tom Ceglarek has taken a different approach.
The Evernote interface for Chinese users—and the gateway to commands for a very sneaky backdoor.

Your average workaday botnet uses a command and control server to give the malware bots on infected PCs their marching orders. But as network security tools begin to block traffic to suspicious domains, some enterprising hackers are turning to communications tools less likely to be blocked by corporate firewalls, using consumer services to deliver their bidding to their digital minions. Today, security researchers at Trend Micro revealed the latest case of the consumerization of botnet IT: malware that uses an Evernote account to communicate.

The backdoor malware, designated as VERNOT.A by Trend Micro, is delivered via an executable file that installs the malware as a dynamic-link library. The installer then ties the DLL into a legitimate running process, hiding it from casual detection. Once up and running, the backdoor starts to collect information about the system it has made its home—the computer's name, the person and organization identified as its registered owners, the operating system version, and its timezone. Then it connects to Evernote—specifically the Chinese interface to the Evernote service—to fetch information from notes saved in an account, including commands to download, run, and rename files on its host system.

According to a blog post by Trend Micro Threat Response Engineer Nikko Tamaña, the backdoor may have also used Evernote as a location to upload stolen data. Fortunately (or unfortunately, depending on how you look at it), the account that was hard-coded into the backdoor's channel to home had already been shut down—ironically, because its password was reset after Evernote's recent security breach.


RETIRED: Jenkins Cross-Site Scripting, Security Bypass, and Denial of Service Vulnerabilities
Cisco Security Advisory: Cisco IOS Software Resource Reservation Protocol Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS Software Internet Key Exchange Vulnerability
Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability
Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen.
Epicor is suing IT service provider Alternative Technology Solutions, claiming the company illegally used its ERP (enterprise resource planning) software in order to develop and sell add-ons and services, in a case that has parallels to tussles over third-party software maintenance.
Cisco this week reduced its workforce by about 1% -- or 734 people - as the company realigns to face the advent of software-defined networking, cloud computing and its impact on routing and switching.

Last week, anti-spam organization Spamhaus became the victim of a large denial of service attack, intended to knock it offline and put an end to its spam-blocking service. By using the services of CloudFlare, a company that provides protection and acceleration of any website, Spamhaus was able to weather the storm and stay online with a minimum of service disruptions.

Since then, the attacks have grown to more than 300 Gb/s of flood traffic: a scale that's threatening to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible.

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. CyberBunker specializes in "anything goes" hosting, using servers in a former nuclear bunker (hence the name). As long as it's not "child porn and anything related to terrorism," CyberBunker will host it. This includes sending spam.


RETIRED: Google Chrome Prior to 26.0.1410.43 Multiple Security Vulnerabilities
ESA-2013-018: EMC Smarts Product - Cross Site Scripting Vulnerability
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS Software Protocol Translation Vulnerability
Cisco Security Advisory: Cisco IOS Software IP Service Level Agreement Vulnerability

[Guest Diary: Stephen Groat] [IPv6 moving target defense]

Today we bring you a second guest diary from Stephen Groat, where he speaks about IPv6 moving target defense. By frequency hopping in the large IPv6 address space, reacquiring the target becomes infeasible.

MT6D modifies the network and transport layer addresses of the sender and receiver nondeterministically. It is capable of dynamically changing these addresses to hide identifiable information about a host, effectively obscuring communicating hosts from any third-party observer. A key feature of MT6D is that this obscuration can be made mid-session between two hosts without causing the additional overhead of connection reestablishment or breakdown. Changing addresses mid-session protects communicating hosts from an attacker being able to collect all packets from a particular session for the purpose of traffic correlation.

MT6D IIDs are computed using three components obscured by a function, usually a hash. The first component is a value specific to an individual host (e.g. a MAC address). The second component is a secret (e.g. symmetric key) shared by the sender and receiver. The third component is a changing value known by both parties (e.g. time). The only one of these three values that must be kept secret is the shared secret. The function results in a 64-bit output used as the MT6D IID and has the form:

$$IID_{x_i} = f\{IV_x * S * CV_i\}_{64}$$

where $IID_{x_i}$ represents the obscured IID for host $x$ at a particular instance $i$, $IV_x$ represents a value specific to the individual host $x$, $S$ represents the shared secret, and $CV_i$ represents the changing value at instance $i$. The three components are combined using an operation denoted by $*$, which concatenates. The 64-bit function result is denoted by $f\{\}_{64}$.
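The IID computation above, as an added example that is not part of the diary or of the MT6D implementation: SHA-256 stands in for the function $f$, byte concatenation for $*$, and a time slot index for $CV_i$; the MAC address, shared secret, prefix and rotation interval are all constructed, and the receiver-side slot window is an assumed clock-skew tolerance.

```python
import hashlib
import ipaddress

# Constructed sample values (not from the diary): a host MAC as IV_x, a
# shared symmetric key as S, a documentation prefix, and a rotation interval.
HOST_MAC = bytes.fromhex("001122334455")
SECRET = b"constructed-shared-secret"
PREFIX = "2001:db8::/64"
ROTATION_SECONDS = 10  # assumed: both ends rotate the IID every 10 seconds


def time_slot(unix_time: int) -> int:
    """CV_i: the rotation slot index, derived from loosely synchronised clocks."""
    return unix_time // ROTATION_SECONDS


def mt6d_iid(host_value: bytes, shared_secret: bytes, changing_value: int) -> int:
    """IID_{x_i} = f{IV_x * S * CV_i}_64 with f = SHA-256 and '*' = concatenation.

    Only the shared secret must stay private: the MAC and the slot index may be
    observable, yet without S a third party cannot recompute the next IID.
    """
    material = host_value + shared_secret + changing_value.to_bytes(8, "big")
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:8], "big")  # truncate to the 64-bit IID


def mt6d_address(prefix: str, host_value: bytes, shared_secret: bytes,
                 unix_time: int) -> ipaddress.IPv6Address:
    """Combine the /64 prefix with the obscured IID for this time slot."""
    network = ipaddress.IPv6Network(prefix)
    iid = mt6d_iid(host_value, shared_secret, time_slot(unix_time))
    return ipaddress.IPv6Address(int(network.network_address) | iid)


def accepted_addresses(prefix: str, host_value: bytes, shared_secret: bytes,
                       unix_time: int, skew_slots: int = 1) -> set:
    """Addresses a receiver should accept for a peer around the current slot.

    Tolerating +/- skew_slots (an assumed design choice) lets a packet that
    straddles a rotation boundary still decapsulate, so the session survives
    the mid-session address change without re-establishing the connection.
    """
    slot = time_slot(unix_time)
    network = ipaddress.IPv6Network(prefix)
    return {
        ipaddress.IPv6Address(int(network.network_address)
                              | mt6d_iid(host_value, shared_secret, s))
        for s in range(max(slot - skew_slots, 0), slot + skew_slots + 1)
    }


if __name__ == "__main__":
    # Walk a minute of wall-clock time: the address changes every ROTATION_SECONDS
    for t in range(0, 60, ROTATION_SECONDS):
        print(f"t={t:3d}s  {mt6d_address(PREFIX, HOST_MAC, SECRET, t)}")
```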

In our implementation, each packet is encapsulated in User Datagram Protocol (UDP) to prevent Transmission Control Protocol (TCP) connection establishment and termination from occurring every time a MT6D address rotates. Encapsulating packets as UDP has a minimal effect on the transport layer protocol of the original packet. Since transport layer protocols are end-to-end, decapsulation will occur before the host processes the original packet. A session using TCP will still exchange all required TCP-related information. This information will simply be wrapped in a MT6D UDP packet. Additionally, any lost packets that were originally TCP will be retransmitted after retransmission timeout occurs.

MT6D provides the option of encrypting each original packet before appending it with the MT6D header. By encrypting the original packet, a third party is unable to glean any useful information. For example, if the original packet is sent using TCP, the header gets encrypted so that a third party cannot attempt to correlate network traffic using the TCP sequence numbers. Additionally, the nature of the network traffic is also kept private through encryption.

The architecture of a MT6D device mimics a network bridge. Outbound packets are sent to an encapsulator that constructs a MT6D packet. The MT6D packet contains the entire original packet excluding original addresses. When a MT6D packet arrives at its destination, the packet enters a decapsulator which restores the packet to its original form. The design of MT6D facilitates implementation either embedded directly on components or as stand-alone gateway devices.

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
Panelists at the SANS Cyber Threat Intelligence Summit lament the challenges of using cyber-intelligence to thwart enterprise security threats.


Joel let us know about a new Community ruleset for Snort, from Sourcefire's VRT group (Vulnerability Research Team).

For more details, and how it might affect your Snort build, find his article here: http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html


Rob VandenBrink


Thanks Jim, for forwarding a whole raft of Cisco Alerts on DOS issues affecting various features within IOS. The alerts can be found here:

Jim (whose last name starts with a C) generally gets these about 12 hours before I do (I'm a V), so thanks again for forwarding them along!


Rob VandenBrink Metafore
Microsoft trumpeted Office 365 customer successes at its U.S. Public Sector CIO Summit on Tuesday, but some of those otherwise happy clients have a wish list of features and enhancements they'd like to see in the vendor's cloud email and collaboration suite.
A distributed denial-of-service (DDoS) attack of unprecedented scale that targeted an international spam-fighting organization last week ended up causing problems for Internet users around the world, experts say.
Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen.
A West Virginia state legislator is looking to amend a no-texting-while-driving law by also banning drivers from using computerized glasses.
Analysts offered divergent opinions of T-Mobile USA's "uncarrier" initiatives for no-contract service and low subsidies for mobile devices announced this week.
The U.S. Patent and Trademark Office yesterday awarded Microsoft 13 design patents for its Surface line of tablets, including their innovative Touch keyboards-slash-covers, according to published documents.
Almost unnoticed by the public, the most aggressive DDoS attack in the history of the internet was carried out last week. Up to 300 GBits/s of data traffic was unleashed on Spamhaus.

MongoDB CVE-2013-1892 Remote Code Injection Vulnerability
Multiple HP ProCurve Switches CVE-2012-5216 Cross Site Request Forgery Vulnerability
Google shook things up last week when it dusted off its old Notebook service and relaunched it as Keep. Google's new software muscles in on the space currently dominated by Microsoft OneNote and Evernote, two note-taking apps that save your text, Web links, photos, audio recordings, and more, helping to keep your life organized.
Google said Wednesday that it will reach out to "several thousand" people through Twitter and its Google+ social network to take part in its Explorer project for trying out its computerized eyewear.
Microsoft yesterday confirmed Windows "Blue," an upgrade to Windows 8, but analysts remained uneasy about how the faster release cadence that Blue represents will be digested by businesses.
McAfee Virtual Technician ActiveX Control Insecure Method
[slackware-security] bind (SSA:2013-086-01)
[slackware-security] dhcp (SSA:2013-086-02)
Re: Report OWASP WAF Naxsi bypass Vulnerability
[SECURITY] [DSA 2653-1] icinga security update
Google Chrome Prior to 26.0.1410.43 CVE-2013-0921 Unspecified Security Vulnerability
Apache Commons FileUpload CVE-2013-0248 Insecure Temporary File Creation Vulnerability
Path Traversal in AWS XMS

I recently had the privilege of advising on a SANS Gold Paper (GCIA) for Michael Dyrmose, titled Beating the IPS ( http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137 ). In the paper, Michael uses basic IPS evasion techniques to test the capabilities of many of the major vendor IPS systems. To be as fair as possible, Michael targeted the MS08-067 vulnerability, the security flaw that Conficker took advantage of - every IPS on the planet should be able to handle that, right?

The verdict? If you are running a penetration test (and so have permission), once you realize that there's an IPS in play, evading it is as simple as trying. Without exception, if the first evasion method didn't succeed, the second method did. And remember, this is against one of the most well-known vulnerabilities there is.

What this illustrates is that IPS systems give you decent protection against scripted/automated attacks. Against a determined, knowledgeable attacker who has the time and resources, on a good day what an IPS system does is buy you time. Time to shore up your defences, perhaps shun or otherwise ACL the attacker's address (if they're coming from a single IP), or to deploy additional defences or countermeasures - your IPS does not (or rather, should not) stand alone as a single defence mechanism against all attacks. To that end, I'm really looking forward to John Strand's Offensive Countermeasures class at SANSFIRE this year!

So, which IPS is the best? The one you spend the time configuring and tuning for your environment. The one you are monitoring, so that you know when you are under a targeted attack. If you've configured and are monitoring an IPS, it's now an application that you know well, and can manipulate as conditions and attacks change.

What does this imply? That there is an ongoing time commitment to maintaining and monitoring the IPS. Too many times I see organizations install an IPS as a tick-box in their audit requirements, a one-time capital expenditure with no ongoing time commitment. I try to get folks to see that they should budget at least a few weeks to get everything just so, then 4-8 (or more) days per month forever, even for a simple IPS. For a more complex environment, it might be a full person-year, or a full team required for ongoing care and feeding of the IPS and other associated protections in front of your digital crown jewels.

What I'd be really interested in is how you see those time estimates. If you have an IPS infrastructure, how much time per week do you commit to it? If that's not enough time, how much time do you think would be more appropriate? Please take our survey here - http://www.surveymonkey.com/s/HD65GQC. I'll summarize the results and post them in a couple of weeks.

For a personal preference on which IPS I'd prefer, you'll need to contact me off list (hopefully over beverages), but if we've met you likely don't need to ask!

You can find more quality papers like this one in the SANS Reading Room: http://www.sans.org/reading_room/


Rob VandenBrink

Silver Peak Systems announced a new virtual application designed to dramatically speed up data duplication for disaster recovery without the purchase of additional hardware.
apt CVE-2013-1051 Security Bypass Vulnerability
Google Chrome CVE-2013-0919 Use-After-Free Memory Corruption Vulnerability
V8 JavaScript Engine JavaScript Processing Denial of Service Vulnerability
OpenStack Nova CVE-2013-0335 Security Bypass Vulnerability
In a bid to improve data security, Amazon Web Services (AWS) has launched AWS CloudHSM, which uses a separate appliance to protect cryptographic keys used for encryption.
LinuxSecurity.com: New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: New dhcp packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: It was discovered that Icinga, a host and network monitoring system, contains several buffer overflows in the history.cgi CGI program. For the stable distribution (squeeze), this problem has been fixed in [More...]
LinuxSecurity.com: Updated perl packages that fix multiple security issues now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Several security issues were fixed in the kernel.
Ganglia Web 'view_name' Parameter Cross Site Scripting Vulnerability
Apache CXF WS-SecurityPolicy Authentication Bypass Vulnerability
Facebook has started displaying targeted ads in some users' desktop News Feeds in a test of Facebook Exchange ad delivery system.
The Google update also addresses two high severity, four medium severity and five low severity security issues in its latest "major" update to the browser. Also added: shortcut profiles on Windows and asynchronous DNS on Mac and Linux.

Students at the University of Hannover have analysed password managers for Android smartphones. They found them to be user-friendly, but also found that they failed to adequately secure passwords.

Foxconn's Hon Hai Precision Industry Co. said it was still committed to buying a stake in Japanese display maker Sharp, and expects an investment could be completed within three months if a price can be agreed on.
A judge in New York has recommended that a lawsuit filed by Paul D. Ceglia, claiming half ownership of Facebook, should be dismissed.
Combining the ad-hoc nature of social media with the more structured world of enterprise apps such as CRM is often the best of both worlds, implementers say.
In the midst of its latest campaign to fight piracy in China, Microsoft has signed an agreement with Lenovo to ensure that its PCs ship with licensed versions of Windows software on its computers
While Samsung's latest smartphone, the Galaxy S4, uses the Qi standard for wireless charging, the company will continue to push the Alliance for Wireless Power's specification as the future standard for mobile devices.
Puppet is model-driven, Ruby is procedural, and both are large, messy, open source ecosystems plagued with pitfalls