John Bambenek

bambenek \at\ gmail /dot/ com

Fidelis Cybersecurity

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Obama just left Donald Trump a nice little inauguration present—a fresh pack of sanctions against Russia and evidence of Russian interference in the presidential election. (credit: Win McNamee/Getty Images)

In an executive order issued today, President Barack Obama used his emergency powers to impose sanctions on a number of Russian military and intelligence officials and also to eject 35 Russians labeled by the administration as intelligence operatives. The order was issued as a response to the breach of the Democratic National Committee's network and the targeted intrusion into e-mail accounts belonging to members of Hillary Clinton's presidential campaign.

Obama made the sanctions an extension of an April 2015 executive order "to take additional steps to deal with the national emergency with respect to significant malicious cyber-enabled activities."

The order is accompanied by the publication of data from the US intelligence community bolstering findings that the breaches were part of an information operation to manipulate the results of the US presidential election. The data, released by the Department of Homeland Security and Federal Bureau of Investigation as a Joint Analysis Report (JAR), contains "declassified technical information on Russian civilian and military intelligence services’ malicious cyber activity, to better help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities," according to an Obama administration statement. "The JAR includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order to conduct their malicious activity in a way that makes it difficult to trace back to Russia." Some of the data had previously been published by cyber-security firms; the rest is newly declassified government data.



Will Barack Obama order a major cyber-reprisal against Russia for election hacks before he leaves office? A CNN report suggests the response will be a softball. (credit: Photo by Carsten Koall/Getty Images)

Updated 2:20pm ET (7:20pm UK): The Obama administration has announced sanctions against Russia, including the ejection of 35 Russian intelligence operatives from the US, and legal and financial sanctions against Russia's GRU and FSB intelligence services and top military officers. More details will follow in a separate story.

Original story

According to a CNN report, officials within the Obama administration have said that retaliatory measures against Russia for interference in the US election will happen very soon—perhaps as early as today. But the response is expected to be "proportional" and include diplomatic measures and sanctions. It's not clear whether there will be any sort of response in kind against the Russian leadership's computer systems and data.

A proportional response, however, likely won't do anything to deter future efforts to use hacking and information campaigns to affect US politics or other aspects of government. That's according to Dave Aitel, the founder of the security firm Immunity and a former NSA research scientist. In a recent interview with Ars, Aitel said he believed that the US would take some sort of retaliatory action in the final weeks of Obama's presidency. "We're in a unique position where [President Barack] Obama can lay a haymaker down," he said, "and then Trump has to stand up. And Obama has nothing to restrain him."



ISC reader Scott has indicated that starting on December 27th he has seen a significant increase in Protocol 47 traffic being denied by his firewalls. He has seen this traffic increase from a baseline of near zero to 20,000 to 50,000 denies per day. Protocol 47 traffic is not normally tracked by the ISC, so none of our sensors had detected this uptick. However, a little investigation reveals that firewalls I have access to are also seeing this increase.

Protocol 47 is GRE (Generic Routing Encapsulation). It is commonly used to build the tunnels for a Virtual Private Network (VPN), although GRE itself provides no encryption or authentication. Essentially, GRE can be used to encapsulate any other protocol over IPv4. Sometimes it is used for IPv6 tunneling (instead of the more common IPv6 over IPv4, protocol 41), and some anti-DDoS mitigation systems use it to route cleaned traffic back to the customer's network.

I am showing this traffic originating from more than 100 unique sources. I would like to dig deeper into this, but unfortunately I don't have access to packet captures to take a closer look at the traffic. If you could let us know whether you are seeing the same thing, or better yet, have access to captures of this traffic, and could share it with us, it would be appreciated.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)
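Added example for anyone who does have captures of this traffic (this is not part of the diary and not an ISC tool): a small Python decoder for protocol 47 packets. It parses the outer IPv4 header, keeps only packets whose protocol field is 47, decodes the RFC 2784/2890 GRE header (checksum, key and sequence flags, version, inner protocol type) and tallies the unique outer sources and the inner protocols carried. The packets are constructed inline as sample data using RFC 5737 documentation addresses, with no checksums; the helper names are my own.

```python
# Decode IP protocol 47 (GRE) packets and tally outer sources and inner protocols.
# Added example, not ISC code. The packet bytes at the bottom are constructed sample data.
import struct
from collections import Counter

IPPROTO_GRE = 47

# Inner protocol types GRE carries, keyed by EtherType (IANA registry).
GRE_PROTO_NAMES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x6558: "Transparent Ethernet bridging",
    0x880B: "PPP (PPTP)",
}


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet, or None if malformed."""
    if len(pkt) < 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options follow the fixed 20
    if ihl < 20 or len(pkt) < ihl:
        return None
    to_str = lambda b: ".".join(str(x) for x in b)
    return to_str(src), to_str(dst), proto, pkt[ihl:]


def parse_gre(payload):
    """Decode an RFC 2784/2890 GRE header; None if truncated.

    Version 1 (PPTP enhanced GRE, RFC 2637) reuses the key field for payload
    length and call ID; it is reported as a plain key here, not decoded further.
    """
    if len(payload) < 4:
        return None
    flags, proto = struct.unpack("!HH", payload[:4])
    has_checksum = bool(flags & 0x8000)  # C bit
    has_key = bool(flags & 0x2000)       # K bit
    has_seq = bool(flags & 0x1000)       # S bit
    version = flags & 0x0007
    offset = 4
    hdr = {"version": version, "proto": proto, "key": None, "seq": None}
    if has_checksum:
        offset += 4  # 16-bit checksum followed by 16-bit reserved1
    for flag, name in ((has_key, "key"), (has_seq, "seq")):
        if flag:
            if len(payload) < offset + 4:
                return None
            hdr[name] = struct.unpack("!I", payload[offset:offset + 4])[0]
            offset += 4
    hdr["inner"] = payload[offset:]
    hdr["inner_name"] = GRE_PROTO_NAMES.get(proto, "unknown 0x%04x" % proto)
    return hdr


def summarize_gre(packets):
    """Tally well-formed GRE packets by outer source address and by inner protocol."""
    by_source, by_inner = Counter(), Counter()
    for pkt in packets:
        ip = parse_ipv4(pkt)
        if ip is None or ip[2] != IPPROTO_GRE:
            continue  # not IPv4, or not protocol 47
        gre = parse_gre(ip[3])
        if gre is None:
            continue  # truncated GRE header
        by_source[ip[0]] += 1
        by_inner[gre["inner_name"]] += 1
    return {"unique_sources": len(by_source),
            "by_source": dict(by_source), "by_inner": dict(by_inner)}


# --- constructed sample packets (RFC 5737 addresses, checksums left at zero) ---

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header in front of payload."""
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, pack_addr(src), pack_addr(dst))
    return hdr + payload


def build_gre(proto, inner, key=None):
    """GRE header with optional K bit and key, followed by the encapsulated packet."""
    flags = 0x2000 if key is not None else 0x0000
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


INNER_IPV4 = build_ipv4("10.0.0.1", "10.0.0.2", 1, b"\x08\x00" + b"\x00" * 6)  # ICMP-like
INNER_IPV6 = b"\x60" + b"\x00" * 39  # bare IPv6 header, version nibble 6

SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_GRE, build_gre(0x0800, INNER_IPV4)),
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_GRE, build_gre(0x86DD, INNER_IPV6, key=42)),
    build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_GRE, build_gre(0x0800, INNER_IPV4)),
    build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_GRE, b"\x00\x08"),  # truncated GRE header
    build_ipv4("192.0.2.55", "192.0.2.10", 6, b"\x00\x50\x00\x50"),     # TCP, not GRE
]

if __name__ == "__main__":
    print(summarize_gre(SAMPLE_PACKETS))
```

To run this over a real capture, feed it the IP-layer bytes of each frame (strip the 14-byte Ethernet header first); the inner protocol counts are what distinguish a scrubbing-service return tunnel or 6in4-style use from something more unusual, and the inner bytes are available in the returned dict for further decoding.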

PHP CVE-2016-7480 Remote Code Execution Vulnerability


On December 14, 2016, the Federal Trade Commission settled a complaint with the company running the adult finder site Ashley Madison over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices.

This complaint and settlement is important, but not for the obvious reasons. Yes, the breach had an outsized reach, much like the Target and Home Depot breaches preceding it. Yes, the breach involved poor security practices and deceptive promises about the site’s privacy protections. The Ashley Madison complaint follows a long line of actions brought by the FTC to combat unfair and deceptive data protection practices. The site’s exploitation of users’ desperation, vulnerability, and desire for secrecy is exactly the sort of abuse of power the Federal Trade Commission was created to mitigate.

But there are five key lessons that should not be missed in discussions about the agency’s settlement of the case. This complaint and settlement are more than just business as usual—they reflect a modern and sustainable way to think about and enforce our privacy in the coming years.


Swiftmailer CVE-2016-10074 Remote Code Execution Vulnerability
GStreamer Bad Plug-ins CVE-2016-9809 Denial of Service Vulnerability
Oracle Fusion Middleware CVE-2016-5578 Remote Security Vulnerability
Pivotal MySQL for PCF CVE-2016-0898 Information Disclosure Vulnerability
Oracle Fusion Middleware CVE-2016-5579 Remote Security Vulnerability
Oracle Fusion Middleware CVE-2016-5588 Remote Security Vulnerability
Oracle Fusion Middleware CVE-2016-5577 Remote Security Vulnerability
Oracle Fusion Middleware CVE-2016-5558 Remote Security Vulnerability
IBM License Metric Tool and BigFix Inventory CVE-2016-8966 Information Disclosure Vulnerability
IBM AIX CVE-2016-8972 Local Privilege Escalation Vulnerability
PHPMailer CVE-2016-10045 Incomplete Fix Remote Code Execution Vulnerability