(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
file 'readelf.c' Out-of-Bounds Read Vulnerability
 
file 'src/readelf.c' Denial of Service Vulnerability
 

Illustration of USBee, in which an ordinary, unmodified USB drive (A) transmits information to a nearby receiver (B) through electromagnetic waves emitted from the drive data bus. (credit: Guri et al.)

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs.

The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers from Israel's Ben-Gurion University wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [radio frequency] transmitting hardware since it uses the USB's internal data bus."


 

My Twitter feed brought a good paper to my attention, courtesy of Andrew Case @attrc, that is appropriate for your consideration, Storm Center readers.

@Cyber_IR_UK stated that "it's the best paper I've ever read for intrusion detection with Windows Events!" Here's the abstract:

Nowadays, computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and complex to identify. One of the main resources that information security people have at their disposal are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic computer system for IR.

You can grab the paper from ThinkMind here: http://www.thinkmind.org/index.php?view=article&articleid=icimp_2016_2_20_30032

Using IOC Editor and Splunk, the authors asserted a reasonable approach to IOC development with logical operators connecting Event IDs based on kill chain concepts.
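To make the idea of "logical operators connecting Event IDs" concrete, here is an added example (my own illustration, not code from the paper, from IOC Editor or from Splunk) that evaluates such an IOC over a per-host time window of Windows event records. The rule shape (AND/OR/NOT over Event ID terms with optional field constraints), the Event IDs used (4624 logon, 7045 service installed, 1102 Security log cleared, 104 System log cleared), the field names and the sample events are all assumptions constructed for the demo; the paper's own IOCs are not reproduced on this page.

```python
"""
Evaluate a kill-chain-style IOC expressed as logical operators over
Windows Event IDs against a stream of event records, per host, within
a sliding time window.

ASSUMPTIONS (for illustration only): the rule model below, the Event IDs
4624 / 7045 / 1102 / 104, the field names and the sample events are
constructed for this demo and are not taken from the paper.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional, Union

Event = Dict[str, Any]


@dataclass
class Term:
    """Leaf condition: an Event ID plus optional exact-match field constraints."""
    event_id: int
    fields: Dict[str, Any] = field(default_factory=dict)

    def matches(self, ev: Event) -> bool:
        if ev.get("EventID") != self.event_id:
            return False
        return all(ev.get(k) == v for k, v in self.fields.items())


@dataclass
class Op:
    """Logical operator node: 'AND', 'OR' or 'NOT' over child nodes."""
    op: str
    children: List["Node"]


Node = Union[Term, Op]


def evaluate(node: Node, events: List[Event]) -> bool:
    """True if the given set of events (one host, one window) satisfies the node."""
    if isinstance(node, Term):
        return any(node.matches(ev) for ev in events)
    if node.op == "AND":
        return all(evaluate(c, events) for c in node.children)
    if node.op == "OR":
        return any(evaluate(c, events) for c in node.children)
    if node.op == "NOT":
        return not evaluate(node.children[0], events)
    raise ValueError(f"unknown operator {node.op!r}")


def find_matches(ioc: Node, events: Iterable[Event], window: timedelta) -> List[str]:
    """Group events by host, slide a time window over each host's timeline,
    and return the sorted list of hosts on which the IOC fires at least once."""
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev["Computer"], []).append(ev)
    hits: List[str] = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if e["TimeCreated"] - start["TimeCreated"] <= window]
            if evaluate(ioc, in_window):
                hits.append(host)
                break  # one hit per host is enough for triage
    return sorted(hits)


# Constructed IOC: remote interactive logon (4624 with LogonType 10) AND a new
# service installed (7045) AND an event log cleared (1102 OR 104).
SAMPLE_IOC: Node = Op("AND", [
    Term(4624, {"LogonType": 10}),
    Term(7045),
    Op("OR", [Term(1102), Term(104)]),
])

WINDOW = timedelta(minutes=30)


def _ev(host: str, eid: int, hhmm: str, **fields: Any) -> Event:
    """Build one constructed event record on a fixed demo date."""
    ts = datetime.strptime(f"2016-08-29 {hhmm}", "%Y-%m-%d %H:%M")
    return {"Computer": host, "EventID": eid, "TimeCreated": ts, **fields}


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    # WS01: full chain inside 30 minutes -> should match
    _ev("WS01", 4624, "10:00", LogonType=10),
    _ev("WS01", 7045, "10:05"),
    _ev("WS01", 1102, "10:07"),
    # WS02: local logon only, no log clearing -> should not match
    _ev("WS02", 4624, "10:00", LogonType=2),
    _ev("WS02", 7045, "10:30"),
    # WS03: same chain but spread over 90 minutes -> outside the window
    _ev("WS03", 4624, "09:00", LogonType=10),
    _ev("WS03", 7045, "09:10"),
    _ev("WS03", 1102, "10:30"),
]


def evaluate_host(host: str, ioc: Optional[Node] = None) -> bool:
    """Evaluate an IOC over ALL of one host's events (no time window)."""
    evs = [e for e in SAMPLE_EVENTS if e["Computer"] == host]
    return evaluate(ioc or SAMPLE_IOC, evs)


def run_demo() -> List[str]:
    """Hosts on which the constructed IOC fires within WINDOW."""
    return find_matches(SAMPLE_IOC, SAMPLE_EVENTS, WINDOW)


if __name__ == "__main__":
    print("hosts matching IOC:", run_demo())
```

The time window is the part that matters in practice: without it, WS03 would also fire (all three Event IDs occur on that host), and the alert would be much noisier. A real deployment would read these records from the Security and System channels (e.g. exported from a SIEM) rather than from the constructed list above.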

I plan to test this approach further, and will advise readers regarding success. Additionally, if you

@holisticinfosec

 

An FBI "Flash" memorandum on state Board of Elections site warns of attacks on two states so far and asks for other states to check their logs.

Someone using servers in the US, England, Scotland, and the Netherlands stole voter registration data from one state's Board of Elections website in June and attacked another state's elections website in August, according to a restricted "Flash" memorandum sent out by the FBI's Cyber Division. The bureau issued the alert requesting that other states check for signs of the same intrusion.

The "Flash" memo, obtained by Yahoo News, was published three days after Secretary of Homeland Security Jeh Johnson offered state officials assistance in securing election systems during a conference call. According to Yahoo's Michael Isikoff, government officials told him that the attacks were on voter registration databases in Illinois and Arizona. The Illinois system had to be shut down in July for two weeks after the discovery of an attack; the registration information of as many as 200,000 voters may have been exposed. No data was stolen in the Arizona attack, but malware was reportedly planted on the site.

While saying the Department of Homeland Security was unaware of any specific threat to election systems, Johnson offered states assistance from the National Cybersecurity and Communications Integration Center (NCCIC) "to conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity," a DHS spokesperson said, describing the conference call. "The Election Assistance Commission, NIST, and DOJ are available to offer support and assistance in protecting against cyber attacks."


 
Oracle Fusion Middleware CVE-2016-3590 Remote Security Vulnerability
 
Oracle Fusion Middleware CVE-2016-3595 Remote Security Vulnerability
 
Oracle Fusion Middleware CVE-2016-3591 Remote Security Vulnerability
 
Oracle Fusion Middleware CVE-2016-3593 Remote Security Vulnerability
 
Linux Kernel Local Security Bypass Vulnerability
 
Subrion CMS 'front/actions.php' Arbitrary File Deletion Vulnerability
 
Multiple F5 BIG-IP Products CVE-2016-5023 Denial of Service Vulnerability
 