Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Retailers say the real culprit in poor cyber-security is those darned uncooperative credit unions.

Reeling from the bad press associated with an ongoing parade of data breaches caused by criminal infiltration of their payment systems, representatives of six retail industry associations signed a joint open letter that pushes back against a vocal critic of retailers' cyber-security practices—credit union associations.

In the letter addressed to the presidents of the Credit Union National Association (CUNA) and the National Association of Federal Credit Unions (NAFCU), retail industry representatives accused the associations of spreading “a number of misleading and factually inaccurate points… in the media and before Congress in regards to the cyber security in our country.” The industry group executives insisted that retailers already share the burden of dealing with the cost of lost data—at least to the degree that they are contractually obliged by credit card organizations. But given how much they actually do pay, the retailers may protest too much.

Unsafe at any register

The letter is a direct response to comments made in a letter to House Homeland Security Committee chairman Rep. Michael McCaul (R-TX) by Carrie Hunt, the NAFCU’s senior vice president of government affairs, posted on October 28. In her letter, Hunt called out the retail industry for not carrying enough of the burden associated with the loss of customers' financial data.

Read 6 remaining paragraphs | Comments

 

The French Interior Minister told French public radio (Google Translate) on Thursday that the government has begun an investigation into who has been flying drones above as many as 10 nuclear power plants nationwide this month.

"There's a judicial investigation under way," French Interior Minister Bernard Cazeneuve said in an interview on France Info radio. “Measures are being taken to know what these drones are and neutralize them."

Le Monde reported this week that the drones have been variable in size, with some “a few dozen centimeters" in size, while others had a diameter of up to two meters.

Read 3 remaining paragraphs | Comments

 
Linux Kernel KVM 'asm/kvm_host.h' Denial of Service Vulnerability
 
Linux Kernel KVM CVE-2014-3647 Local Denial of Service Vulnerability
 

Indian Express

Expert claims hacking Xiaomi server, firm calls it hoax
Economic Times
We have decided to withhold session till the time Xiaomi investigates data breach and accusations and works with the researcher to fix it," Indian Infosec Consortium CEO Jiten Jain said. The summit's website shows former chief of Indian Army and ...
Taiwanese consultant claims Xiaomi phone data compromisedIndia Today

all 11 news articles »
 

Often the start of a problem and its solution is receiving a call from a manger, project manager or other non-technical decision maker. Youll know going in that the problem is absolutely real, but the information going in might be a total red herring.

Some classic examples are:

The network is slow I ran a speed test, we should being seeing 10x the speed.

This is almost always a math error. The speed was measured in Bytes (upper case B), instead of bits (lower case B). Multiply by 8 and things should look better.

the network is slow our new web server takes 30 seconds to load the lead page

As most of you know, in a modern gigabit network, even on a busy network there just isnt anything on the network that will add a 30 second delay. 30 seconds in particular would have me checking for DNS issues first, especially for a new host or service. However, in this case, the client was loading their entire Java application (including the business logic) before the login page. The appdev answer to this would be to load the login page first, then load the app asynchronously in the background. The security answer to this is to question why you would load the application logic to an untrusted workstation on a hostile network (public internet).

The network is slow it must be a broadcast storm.

Its exceedingly rare to see a broadcast storm. Plus if the switches are configured correctly, if a broadcast storms does occur, it should be contained to a single Ethernet port, and it should either be rate limited or the port should be shut down, depending on your configuration.

When a non-technical person says broadcast storm, it really could mean anything that affects performance. Almost always it will end up being something server side DNS misconfigurations are a common thing (10-30 second delays on the first request), but it could also be an oversubscribed virtual infrastructure, coding errors, out of memory conditions, errors in programming, anything really.

The firewall is blocking our traffic

In some cases, especially if there is an egress filter, this can be the case. However, in many other cases it could be something else entirely. We recently worked on an issue where an AS400 (iSeries now I guess) was not connecting to the server. It turned out that the certificate needed for the connection was incorrect - the vendor had sent us a cert for a different site entirely. Wireshark did a great job in this case of saying LOOK HERE- THE PROBLEM IS HERE by giving us a Bad Certificate error - in bright red - in the main view.

We need port 443 open, in both directions

This is NEVER the case, but is commonly seen in vendor documentation. Either you need an outbound port (possibly an update to the egress filter), or an inbound port open. There are very few in both directions requirements - special cases like IPSEC VPNs encapsulated in UDP (NAT-T) for instance will have both a source and destination port of udp/500. In most cases, when the requirement is in both directions or bidirectional, its a bit of a treasure hunt to figure out what they mean (usually its outbound).

The moral of the story? I guess the first one is that if somebody tells you that the problem is the network, 70% of the time its not the network. More importantly though, is that if you get a business problem from a business person, its not something to minimize. You might not be able to count on all the information you get going in, but if they tell you something is slow or not usable, its their system, they are usually correct in at least identifying that the problem is real.

Please, use our comment form and fill us in on any recent false positives from a non-technical source that youve seen. Extra points if it was a real problem, but the initial info started you off in the wrong direction.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[security bulletin] HPSBUX03159 SSRT101785 rev.2 - HP-UX kernel, Local Denial of Service (DoS)
 
[SECURITY] [DSA 3059-1] dokuwiki security update
 
Call for Papers - WorldCIST'15 - Azores, Deadline: November 23
 
[slackware-security] wget (SSA:2014-302-01)
 

Posted by InfoSec News on Oct 30

http://www.bloomberg.com/politics/articles/2014-10-30/security-firms-tie-russian-government-to-utilities-hacks

By Michael A. Riley and Jordan Robertson
Bloomberg.com
October 23, 2014

North American utilities are scouring their systems for signs of Russian
malware that the U.S. government has warned could give hackers control of
water treatment facilities and parts of the electrical grid.

The U.S. Department of Homeland Security issued alerts...
 

Posted by InfoSec News on Oct 30

http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/

By Thomas Fox-Brewster
Forbes.com
10/30/2014

Hackers are remarkably quick off the mark. Drupal, the creator of the
eponymous content management system that millions use the world over, now
knows that all too well. In mid-October it patched a SQL injection flaw,
which could be exploited by...
 

Posted by InfoSec News on Oct 30

http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025-experts-predict/97688/

By Patrick Tucker
Defense One
October 29, 2014

A major cyber attack will happen between now and 2025 and it will be large
enough to cause “significant loss of life or property losses/damage/theft
at the levels of tens of billions of dollars,” according to more than 60
percent of technology experts interviewed by the Pew...
 

Posted by InfoSec News on Oct 30

http://www.wired.com/2014/10/facebook-builder-osquery/

By Cade Metz
Enterprise
Wired.com
10.29.14

Facebook chief security officer Joe Sullivan says that people like Mike
Arpaia are hard to find.

Arpaia is a security engineer, but he’s not the kind who spends his days
trying to break into computer software, hoping he can beat miscreants to
the punch. As Sullivan describes him, he’s a “builder”—someone who creates
new tools capable...
 
LinuxSecurity.com: A denial of service issue was fixed in systemd-shim.
 
LinuxSecurity.com: Updated v8314-v8 packages that fix multiple security issues are now available for Red Hat Software Collections 1. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Several security issues were fixed in PHP.
 
LinuxSecurity.com: New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
McAfee Network Data Loss Prevention Logs Local Information Disclosure Vulnerability
 
McAfee Network Data Loss Prevention Local Security Bypass Vulnerability
 
McAfee Network Data Loss Prevention 'Domain' Field Local Denial of Service Vulnerability
 
McAfee Network Data Loss Prevention Local Information Disclosure Vulnerability
 
DokuWiki Information Disclosure Vulnerability
 
DokuWiki LDAP and AD Authentication Multiple Security Bypass Vulnerabilities
 
Internet Storm Center Infocon Status