Over the last month weve had three requests to remove a particular link belonging to a specific security vendor. Were a nice enough bunch and if theres a good, honest reason to remove a link, well consider it. What make this interesting is that the requests werent from the company or any of its staff and finally, the reason why the removal was requested. We did contacted the target company and let them know this was happening but as the third request has only just come in, its worth bring to your attention.

The emails looked like a reasonable, if somewhat odd, request as normally the more links back to your companys site, the better your ranking (a super simple explanation of search engines ranking I know - but just go with it). As most web masters are super sensitive to Google rule changes, they may have automatically complied, thinking this was something new.

Ive changed the well-known security firms name, removed the single link they referenced on the ISC site and heres the first request sent Fri 8/03/2013

Subject: Link Removal Request


I am the webmaster for www.targetedsecurityproduct.com

In light of Googles newest algorithm change, I need to request that you remove every link to www.targetedsecurityproduct.com from your website.

Below is our link location:. http://ISC.Removed

I would greatly appreciate your immediate cooperation.

If it is not too much of a hassle, I would appreciate you letting me know once it has been removed. Thank you in advance for your cooperation.

Thank You

Leslie keemen

The email sender, allegedly leslie.keemen at gmail.com, is a red flag straight way as its not a company address, plus the email was sent from and home broadband ISP in New Delhi, India. Not the country this company is based in or has office in either. Being good sports we responded with a polite Please confirm this request from a company email address and well thin about it and surprise, surprise no response, while talking to the targeted company to let them know about this email. Ten days later, Mon 18/03/2013, we received an identical request again from the same email and home broadband ISP in New Delhi, India. This one we ignored.

it was sign by Matt and the email sender address was spoofed as [email protected] Happily for us it was still from the same home broadband ISP in New Delhi, India.

Im making an assumption this is an attempt at removing this company from search engine ranking as part of some search engine optimisation (SEO) campaign. Whether the company employing the SEO firm using Indian resources to make this unethical approach has approved these dubious methods or not, it worthwhile keeping an eye out your companys web ranking (if they are important to the business) for attacks like these. And, if this happening to me, I would classify this as a form of attack and start up incident response case.

Has anyone else seen these shady tactics been used against them or have an insight in to what the actual end goal of these types of fake requests are?

Either write in tohttps://isc.sans.edu/contact.html#contact-formor reply below, Id love to hear your thoughts on this.

Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft has relaxed a Windows 8 certification requirement to allow devices with lower resolutions, a move analysts said means Microsoft could soon join the shift to smaller, less expensive tablets.
Not fazed by a takeover battle looming on the sidelines, members of Dell's research division are putting together the pieces for prototype ARM supercomputers that could be deployed in the future.
SAP has filed a court action against patent holder Pi-Net International, which it says has filed patent infringement lawsuits against a number of SAP customers.
The Samsung Galaxy S4 will ship to 155 countries by the end of next month, and its real-time voice translation to help people communicate across borders may be one of its most ambitious features.
Microsoft earlier this week quietly issued its first security update for one of its Windows 8 apps, patching a link-spoofing vulnerability in Mail.
Though IT trailed other sectors as market indices rose to milestone highs this quarter, some bright spots in earnings and market research reports this week indicate continuing confidence that things will go better for tech this year than in 2012.
Rack 'lib/rack/multipart.rb' CVE-2012-6109 Denial of Service Vulnerability
Rack 'multipart/parser.rb' CVE-2013-0183 Denial of Service Vulnerability
Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability
A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.
Talk that Facebook is developing its own smartphone is spreading again.

Sprint Nextel and its new owner will limit their use of technology made by Chinese companies, and allow US national security officials to monitor changes to their equipment. The pending agreement will help them gain US approval of SoftBank's $20 billion acquisition of Sprint.

US officials have accused Chinese firms Huawei and ZTE of having close ties with the Chinese government and military. They claim the companies' equipment raises the threat of "cyber-espionage" or attacks on US communications networks, although a White House review last year found no clear evidence that Huawei spied for China.

The New York Times last night quoted anonymous government officials as saying that Sprint Nextel and the Japanese SoftBank "are expected to enter an agreement with American law enforcement officials that will restrict the combined company’s ability to pick suppliers for its telecommunications equipment and systems." Further, "The agreement would allow national security officials to monitor changes to the company’s system of routers, servers and switches, among other equipment and processes, the officials said. It would also let them keep a close watch on the extent to which Sprint and SoftBank use equipment from Chinese manufacturers, particularly Huawei Technologies."

Read 1 remaining paragraphs | Comments

The Russian Soyuz spacecraft, carrying a NASA astronaut and two cosmonauts, successfully rendezvoused and docked with the International Space Station late last night.
In the midst of going private, Dell executives said today they've already consolidated their three storage product divisions into one, they are working on merging their system management interfaces, and they have a number of new products coming out over the next year.
Chinese authorities are investigating Apple for violations in its customer service, after state-run media ran reports critical of the company's warranty policies in the country.
LinuxSecurity.com: New libssh packages are available for Slackware 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated bind packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Several cross-site-scripting and denial of service vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development. [More...]
LinuxSecurity.com: libxml2 could be made to hang if it received specially crafted input.
A flaw in PostgreSQL, which will be fixed in the forthcoming 4 April release of the software, is severe enough that the developers have locked down the source code repositories and issued a notice that users should install the update as soon as it is released

IBM Tivoli Storage Manager for Space Management Multiple Unauthorized Access Vulnerabilities
AV popularity, Crypto answers, plain text spooks, encrypted iOS chat and asking Mozilla's security anything – just some of the things that caught The H's eye over the past seven days

Microsoft will start selling the Surface Pro tablet in China next week, the company said yesterday.
Linux and Unix versions of BIND are vulnerable to a denial of service attack using malicious regular expressions that can also starve other software running on the same server of memory. Applications that use BIND's libdns library are also affected

Bitcoin exchange Mt. Gox faced a distributed denial-of-service attack late Thursday, at a time the digital currency is seeing an upward swing.
Chinese authorities are investigating Apple for violations in its customer service, after state-run media ran reports critical of the company's warranty policies in the country.
Much of the news reporting about the massive denial-of-service attack against anti-spam service Spamhaus over the past week or so went way too far in describing it as creating a slowdown on the Internet itself, says one company monitoring website performance.
Drupal Rules Module HTML Injection Vulnerability
Drupal Commons Wikis Privilege Escalation and Access Bypass Vulnerabilities
Drupal Commons Groups Privilege Escalation and Access Bypass Vulnerabilities
Drupal Zero Point Module Unspecified Cross Site Scripting Vulnerability
ALLMediaServer SEH Buffer Overflow Vulnerability

Posted by InfoSec News on Mar 29


The New York Times
March 28, 2013

American Express customers trying to gain access to their online
accounts Thursday were met with blank screens or an ominous ancient type
face. The company confirmed that its Web site had come under attack.

The assault, which took American Express...

Posted by InfoSec News on Mar 29


By Jeremy Kirk
IDG News Service
March 28, 2013

A piece of malicious software spotted by Trend Micro uses the
note-taking service Evernote as a place to pick up new instructions.

The malware is a backdoor, or a kind of software that allows an attacker
to execute various actions on a hacked computer. Trend Micro found it
tries to connect...

Posted by InfoSec News on Mar 29


By Peter Bright
Ars Technica
Mar 28 2013

Over the last ten days, a series of massive denial-of-service attacks
has been aimed at Spamhaus, a not-for-profit organization that describes
its purpose as "track[ing] the Internet's spam operations and sources,
to provide dependable realtime anti-spam protection for Internet
networks." These...

Posted by InfoSec News on Mar 29


By Bill Gertz
The Washington Times
March 27, 2013

Cyberwarfare is the hot topic in military and intelligence circles at
the Pentagon amid unrelenting cyberattacks from China, Russia, Iran and

But for the super-secret National Security Agency, cyberwarfare is
nothing new.

The electronic spying and code-breaking agency provided a rare public
look at...
Sven Olaf Kamphuis waving the Pirate Party flag in front of CyberBunker's nuclear bunker.

Over the last ten days, a series of massive denial-of-service attacks has been aimed at Spamhaus, a not-for-profit organization that describes its purpose as "track[ing] the Internet's spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks." These attacks have grown so large—up to 300Gb/s—that the volume of traffic is threatening to bring down core Internet infrastructure.

The New York Times reported recently that the attacks came from a Dutch hosting company called CyberBunker (also known as cb3rob), which owns and operates a real military bunker and which has been targeted in the past by Spamhaus. The spokesman who the NYT interviewed, Sven Olaf Kamphuis, has since posted on his Facebook page that CyberBunker is not orchestrating the attacks. Kamphuis also claimed that NYT was plumping for sensationalism over accuracy.

Sven Olaf Kamphuis is, however, affiliated with the newly organized group "STOPhaus." STOPhaus claims that Spamhaus is "an offshore criminal network of tax circumventing self declared internet terrorists pretending to be 'spam' fighters" that is "attempt[ing] to control the internet through underhanded extortion tactics."

Read 40 remaining paragraphs | Comments


A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act.

This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn't brought the Internet itself down, it has caused major slowdowns in the Internet's core networks.

DNS Amplification (or DNS Reflection) remains possible after years of security expert warnings. Its power is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats. Some network providers have made tweaks that prevent botnets or "volunteer" systems within their networks to stage such attacks. But thanks to public cloud services, "bulletproof" hosting services, and other services that allow attackers to spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.

Read 16 remaining paragraphs | Comments

WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability
[SECURITY] [DSA 2655-1] rails security update
WordPress podPress Plugin XSS in SWF
Workshop Proposal/Paper Submission Deadlines
AST-2013-003: Username disclosure in SIP channel driver
RoundCube Webmail 'generic_message_footer' Value Arbitrary File Access Vulnerability

With the continual cycle of systems being compromised and customer data being stolen, using email notification is a fast, easy and direct method to send out warnings and advice to the unfortunate victims. Its the one way, other than physical interaction (Phone calls, personal visits while offering a warm cup of tea and a sad smile or hiring street criers calling out the names of the afflicted in every town in the land) that means all the right people do get notified, well, if they read their emails. Its a defacto standard to communication so surely weve worked out how to use it properly.

One group that uses email to great success are phishers. Here at the ISC, we get plenty phishing emails: Reader submitted and those sent directly to us, from the nonsensical, incoherent jibber-jabber to those carefully and professional crafted. The recent Mandiant report [1] goes to highlighting that even the top end of attackers uses phishing emails, making awareness programmes [2] to anyone that has an email address something that needs tick off the to do list one of these days.

So what this got to do with breach notification emails? Glad you asked.

If youre a security professional charged with protecting systems, networks or organisations your incident response plan should have a thought through section on communications before, during and after an incident. So if one or one million customer/user details suddenly appear on the pastebin.com youve advised on the pre-written notification email management/PR/marketing are about to send out right?

Tragically that doesnt seem to be the case. If you received an Oops! Some bad has happened to your account/details the link may direct to a reset password page, more information on what happen or even an apology. Heres the but: With so many social engineered phishing emails why add a hyperlink at all? Why not stick with a clear statement to connect to the web site and follow the instructions on the /Security page.

For years weve being trying to teach anyone that will listen to do - at minimum - hover over the hyperlink and it looks suspicious then dont click on the link, so why in such a crucial message does it suddenly become okay to drop a link in and expect the recipient to obediently click on it?

No, it is not. Its yet another way to desensitize and normalising bad practices in the sake of making the already exploited victim feel they have a quick way to fix their issue. In the best case scenario lets pretend that when the recipient checks the link it, shows https: //myhackedsite.com.au\wearereallysorry\honest\passwdreset.html which matches the company that sent out the notification. Surely this couldnt get any worst?

Oh, dear reader, you know better than that! Amazingly some notifications take that one step further and making an even bigger mistake. The hyperlinks in the email look something like this for our fictional site myhackedsite.com.au: http:// myhackedsite-domain.informuz.net/r/ukidDinGcjUucD9taT0zXYzwMjA1JnA9MSZ1PTEwUTUwMzA1MDAmbGk9MTU1NTQxNjU/index.html

Lets pause for a moment and enjoying the pure insanity and listen to the sounds of the phishers , cackling incredulously then frantically rushing to be the first flood inboxes with cloned copies to take advantage of a second round of pillaging against those that have already been victimized.

I can only subscribe this madness to marketing/customer relation team attempting to outsource the notification process and simultaneously track those poor souls that decide to click on the link in some form of lets see how many people this really hit so we can follow up with jolly marketing spam.

If you receive one of these poorly thought through emails, a polite, but firm, note to those that send it and their support desk asking if they think it looks like a phishing email and would they click on the link given youve lost my details once already?

Im going to protect the guilty parties that send out poorly conceived breach notifying hyperlinked email but if you become a recipient Id heartily recommend you raise the issue and created a conversation to stop this madness re-occurring endlessly.

At NO point I am I suggesting flashy HMTL marketing designed emails with hyperlinks that link to an exact location or the perfect thing you have to buy should be banned or outlawed. Who doesnt love knowing what great offers on the stuff you might possibly like some Cyber Cloud AI-like entity has picked for you?

Breach notification emails telling something bad has happened and you need to take urgent action should require the victim to go to the web site by typing in the URL by hand, not this downward, spiring mistake of send them easy to use hyperlinks. As any good penetration tester will tell you It only takes one click to own the network [3] but remember there always a person behind that decision to click. Let get rid of one daft way of making a bad situation worse and ditch those hyperlinked breach notification emails.

[1] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[2] As an example http://www.securingthehuman.org/resources/planning

[3] http://www.slideshare.net/brycegalbraith/why-are-our-defenses-failing-one-click-is-all-it-takes

Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft could rake in more than $1 billion in revenue in the first year after launching Office for Apple's iOS and Google's Android platforms, an analyst said today.
In this exclusive interview with MIS Asia, Scott Totzke, senior vice president for BlackBerry Security, talks about the smartphone maker's enterprise strategy, the effect of BYOD and regaining market share in Asia.
If you're in the San Francisco Bay Area and order something from Target or Walgreens, Google might deliver your purchases right to your house for free.
Maggie Perkins was mulling whether to give up her gym membership when she tried out Wello, whose fitness trainers offer workouts through live two-way video feeds. Four months later, she has no regrets about her decision to forego the gym.
Microsoft today launched a searchable list of its complete patent portfolio as part of its defense of the patent system, particularly software patents.
Sprint Nextel and Softbank have pledged to keep Huawei Technologies products out of the Sprint network and try to replace Huawei gear that is already in Clearwire's network, according to a U.S. lawmaker.
NASA and its commercial allies are on track to launch astronauts into space from U.S. soil by 2017, unless the government's sequester delays their efforts.
An American astronaut and two Russian cosmonauts blasted off on what is expected to be the fastest trip to the International Space Station in the history of space flight.
Amazon.com will acquire Goodreads, a website that recommends books.
These days, you'll find many Bluetooth speakerphone makers extolling the hands-free virtues of their in-car devices. Certainly, the $89 SuperTooth HD Voice allowed me to navigate calls using my voice, as opposed to constantly fumbling for controls by feel alone or----egads----taking my eyes off the road to pinpoint a button's precise location.
Internet Storm Center Infocon Status