Talk about disappointments. The US government's much-anticipated analysis of Russian-sponsored hacking operations provides almost none of the promised evidence linking them to breaches that the Obama administration claims were orchestrated in an attempt to interfere with the 2016 presidential election.

The 13-page report, which was jointly published Thursday by the Department of Homeland Security and the FBI, billed itself as an indictment of sorts that would finally lay out the intelligence community's case that Russian government operatives carried out hacks on the Democratic National Committee, the Democratic Congressional Campaign Committee, and Clinton Campaign Chief John Podesta and leaked much of the resulting material. While security companies in the private sector have said for months the hacking campaign was the work of people working for the Russian government, anonymous people tied to the leaks have claimed they are lone wolves. Many independent security experts said there was little way to know the true origins of the attacks.

Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers' "tradecraft and techniques" and instead delivering generic methods carried out by just about all state-sponsored hacking groups.


Piwigo CVE-2016-10085 Remote File Include Vulnerability
Piwigo 'admin/plugin.php' Cross Site Scripting Vulnerability
Piwigo CVE-2016-10084 Remote File Inclusion Vulnerability

Following up on yesterday's diary on an increase in Protocol 47 traffic. Thanks to everyone who sent the ISC PCAPs and more information.

Current speculation is that the Protocol 47 uptick is backscatter from a DDoS containing GRE traffic and using random source IPs.

While all of the packets appear to be IPv4 packets encapsulated in GRE, there are two flavors of packets involved. The smaller packets are consistently 66 bytes long and contain

The larger packets vary in size, but are typically in the high 500s of bytes and contain 512 bytes of data.

While the sources show IPs from over 50 countries, about 55% of the source IPs in my data were from Taiwan; presumably these IPs are the primary attack targets. Source networks seen in the data, by country and AS name:

Brazil: Duarte Dias Eletroeletronicos Ltda
Brazil: Nettel Telecomunicações
Taiwan: SAVECOM-TW
Bulgaria: BTC-AS
USA: ASN-CXA-ALL-CCI-22773-RDC

However, I can find no indication of an ongoing DDoS against Taiwan or Chunghwa Telecom.

So while we have gotten further into the mystery, we still don't have the whole picture. Anybody have any ideas, or further information?

UPDATE 1919 UTC: Someone pointed out that there has been another, if smaller, uptick against other protocols as well. My data shows that Protocols 132 and 255 are showing some traffic as well.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
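The diary describes the captured packets as IPv4 encapsulated in GRE (IP protocol 47) in two flavors, 66-byte frames and frames in the high 500s carrying 512 bytes of data, and tallies where the outer source addresses come from. The following is an added example, not code from the diary or from the ISC, that decodes such frames from raw Ethernet bytes, validates the outer IPv4 header checksum, walks the optional GRE words, and buckets frames into those two flavors while counting outer source IPs. All frames are constructed inline; the inner UDP transport, the zeroed MAC addresses and the RFC 5737 documentation addresses are assumptions made for the example, not observations from the diary.

```python
"""Added example, not from the ISC diary: decode Ethernet/IPv4/GRE/IPv4 frames,
sort them into the two flavors the diary describes (66-byte frames and
high-500-byte frames carrying 512 data bytes) and tally outer source IPs.
Every packet here is constructed inline; no real capture is used."""
import struct
from collections import Counter
from ipaddress import IPv4Address

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47          # the "Protocol 47" of the diary
IPPROTO_UDP = 17
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type field value for an IPv4 payload


def ipv4_checksum(hdr):
    """One's-complement sum over the header; a valid header checksums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_gre_frame(outer_src, outer_dst, inner_src, inner_dst, data):
    """Constructed test frame: Ethernet / IPv4 / GRE (no options) / IPv4 / UDP / data.
    A UDP inner transport is an assumption for the example, not something the
    diary states; with 0 data bytes the frame is 66 bytes, with 512 it is 578."""
    udp = struct.pack("!HHHH", 53, 53, 8 + len(data), 0) + data  # zero = no UDP checksum
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # flags/version = 0, protocol type 0x0800
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # zeroed MACs (assumption)
    return eth + outer + gre + inner


def parse_frame(frame):
    """Return a dict describing an IPv4-in-GRE frame, or None if it is not one."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    off = ETH_HDR_LEN
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != IPPROTO_GRE or len(frame) < off + ihl + 4:
        return None
    info = {
        "frame_len": len(frame),
        "outer_src": str(IPv4Address(frame[off + 12:off + 16])),
        "outer_dst": str(IPv4Address(frame[off + 16:off + 20])),
        "outer_checksum_ok": ipv4_checksum(frame[off:off + ihl]) == 0,
        "inner_src": None, "inner_dst": None, "inner_proto": None, "data_len": None,
    }
    off += ihl
    flags, info["gre_type"] = struct.unpack("!HH", frame[off:off + 4])
    # Optional GRE words: checksum/offset if C or R is set (RFC 1701/2784),
    # key if K (RFC 2890), sequence number if S. Each adds 4 bytes.
    off += 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if info["gre_type"] != GRE_PROTO_IPV4 or len(frame) < off + 20:
        return info  # GRE, but not carrying a complete IPv4 packet
    inner_ihl = (frame[off] & 0x0F) * 4
    inner_total = struct.unpack("!H", frame[off + 2:off + 4])[0]
    info["inner_src"] = str(IPv4Address(frame[off + 12:off + 16]))
    info["inner_dst"] = str(IPv4Address(frame[off + 16:off + 20]))
    info["inner_proto"] = frame[off + 9]
    transport_hdr = 8 if info["inner_proto"] == IPPROTO_UDP else 0
    # Bytes after the inner IP (and UDP) header, taken here as the "data" length.
    info["data_len"] = max(inner_total - inner_ihl - transport_hdr, 0)
    return info


def summarize(frames):
    """Bucket frames into the diary's two flavors and count outer source addresses."""
    flavours, sources = Counter(), Counter()
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        sources[p["outer_src"]] += 1
        if p["frame_len"] == 66:
            flavours["small_66"] += 1
        elif p["data_len"] == 512:
            flavours["large_512"] += 1
        else:
            flavours["other"] += 1
    return flavours, sources


if __name__ == "__main__":
    small = build_gre_frame("203.0.113.7", "198.51.100.9", "10.0.0.1", "10.0.0.2", b"")
    large = build_gre_frame("203.0.113.7", "198.51.100.9", "10.0.0.1", "10.0.0.2", b"A" * 512)
    counts, by_source = summarize([small, large, large])
    print(counts, by_source.most_common(5))
```

To run the same logic over a real capture, collect Protocol 47 traffic with `tcpdump -n 'ip proto 47'` and feed each frame's bytes to `parse_frame`; the parser assumes untagged Ethernet II frames, so a capture with 802.1Q tags would need the extra 4 bytes skipped before the IPv4 header. Mapping `sources` to countries or AS names, as the diary does, needs a GeoIP or whois lookup that is left out here so the example runs offline.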

Linux Kernel CVE-2013-6282 Local Privilege Escalation Vulnerabilities
GStreamer Bad Plug-ins CVE-2016-9812 Denial of Service Vulnerability
GStreamer Bad Plug-ins CVE-2016-9445 Integer Overflow Vulnerability
IBM WebSphere Application Server CVE-2016-5983 Remote Code Execution Vulnerability
Lenovo Transition CVE-2016-8227 Local Privilege Escalation Vulnerability
GStreamer Good Plug-ins CVE-2016-9807 Denial of Service Vulnerability