(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I had the pleasure of attending DerbyCon 4.0 (Family Rootz) this past Friday and Saturday and can tell you that if you haven't already attended yourself, plan to do so next year. Aside from the smaller and more encompassing "family" feel, an intentional and protected approach strongly advocated for by @HackingDave and the great @DerbyCon team, you'll also be contributing to Hackers For Charity (HFC). For those of you who couldn't attend but are interested in some of the outstanding content, Adrian Crenshaw (@irongeek_adc) and his team always shoot video of each presentation. For DerbyCon 4.0 they've posted the videos to the Irongeek site here.  

There are so many great talks to choose from but I'll share a few that really resonated with me given current interest or focus areas:

Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades - Tim Medin
Abusing Active Directory in Post-Exploitation – Carlos Perez
Ball and Chain (A New Paradigm in Stored Password Security) – Benjamin Donnelly and Tim Tomes
Third Party Code: FIX ALL THE THINGS – Kymberlee Price and Jake Kouns

You should also, in the simple name of humanity, watch Johnny Long's keynote, Hackers saving the world from the zombie apocalypse.

Great conference, great people, great presentations; take the time to watch as many of the videos as possible, and see if you can get a ticket next year when DerbyCon comes around again.

Russ McRee | @holisticinfosec

Cisco WebEx Meetings Server CVE-2014-3395 Arbitrary File Download Vulnerability
GNU Bash CVE-2014-7187 Local Memory Corruption Vulnerability

In late September, advertisements appearing on a host of popular news and entertainment sites began serving up malicious code, infecting some visitors' computers with a backdoor program designed to gather information on their systems and install additional malicious code.

The attack affected visitors to The Jerusalem Post, The Times of Israel, The Hindustan Times, Internet music service Last.fm, and India-focused movie portal Bollywood Hungama, among other popular sites. At the center of the malware campaign: the compromise of San Francisco-based Internet advertising network Zedo, an advertising provider for the sites, whose network was then used to distribute malicious ads.

For ten days, the company investigated multiple malware reports, retracing the attacker's digital footsteps to identify the malicious files and shut the backdoor to its systems.


Google Chrome CVE-2014-3179 Multiple Unspecified Security Vulnerabilities
GNU Bash CVE-2014-7186 Local Memory Corruption Vulnerability
GNU Bash CVE-2014-6278 Incomplete Fix Unspecified Remote Code Execution Vulnerability
GNU Bash CVE-2014-6277 Incomplete Fix Remote Code Execution Vulnerability

Over the past few days, Apple, Red Hat, and others have pushed out patches for vulnerabilities in the GNU Bourne Again Shell (bash). The vulnerabilities previously allowed attackers to execute commands remotely on systems that use the command parser under some conditions—including Web servers that use certain configurations of Apache. However, some of the patches made changes that diverged from the upstream GNU bash code, so debate continues about how to “un-fork” the patches and better secure bash.

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Stormy weather

On Monday, the SANS Technology Institute’s Internet Storm Center (ISC) elevated its INFOcon threat level—a measure of the danger level of current Internet “worms” and other threats based on Internet traffic—to Yellow. This level indicates an attack that poses a minor threat to the Internet’s infrastructure as a whole with potential significant impact on some systems. Johannes Ullrich, Dean of Research at SANS, noted that six exploits based on Shellshock have been recorded by the ISC’s servers and “honeypot” systems. (A honeypot is a virtual or physical computer system set up to entice attackers and record their actions.)


Google Chrome CVE-2014-3178 Use After Free Remote Code Execution Vulnerability
LinuxSecurity.com: Updated xerces-j2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact.
LinuxSecurity.com: New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
LinuxSecurity.com: Several security issues were fixed in LibVNCServer.
LinuxSecurity.com: Updated perl-XML-DT package fixes a security vulnerability: the mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file (CVE-2014-5260).
London DEFCON - September 30th 2014
[slackware-security] bash (SSA:2014-272-01)

Posted by InfoSec News on Sep 30


By William Knowles @c4i
Senior Editor
InfoSec News
September 30, 2014

AB Acquisition LLC and Supervalu Inc. are the newest group of retailers
that have been hit by security breaches this year. This includes Aaron
Brothers, Bartell Hotels, CVS, eBay, Goodwill Industries International
Inc., Home Depot, Jimmy...

Posted by InfoSec News on Sep 30


By Mathew J. Schwartz
Bank Info Security
September 29, 2014

Distributed-denial-of-service attacks that target the Bash flaws known as
Shellshock have spiked in recent days.

"We're seeing north of 1.5 million #shellshock attacks across the
@CloudFlare network daily," says Matthew Prince, CEO of the content
delivery network and DDoS defense firm CloudFlare....

Posted by InfoSec News on Sep 30


By Yoon Min-sik

The government hosted Monday a public hearing to gather suggestions on its
plan to revise the resident registration number system.

The overhaul comes after a series of data breaches raised concerns about
the 13-digit numbers that are issued to every Korean citizen at birth, and
are commonly used for identification throughout their lives.


Posted by InfoSec News on Sep 30


By Charlie Osborne
Zero Day
ZDNet News
September 30, 2014

The FBI's Malware Investigator portal will soon be available to security
researchers, academics and businesses.

As reported by Threatpost, the US law enforcement agency's tool is akin to
systems used by cybersecurity companies to upload suspicious files. Once a
file is uploaded,...

Posted by InfoSec News on Sep 30


By Grant Gross
IDG News Service
Sept 29, 2014

The CEO of a Pakistani company has been indicted in the U.S. for selling a
product called StealthGenie that buyers could use to monitor calls, texts,
videos and other communications on other people's mobile phones, the U.S.
Department of Justice said.

The indictment of Hammad Akbar, 31, of...
Node.js 'lib/send.js' Directory Traversal Vulnerability
Node.js syntax-error module 'eval()' Function Arbitrary Code Execution Vulnerability
Node.js qs Module Denial of Service Vulnerability
[ MDVSA-2014:191 ] perl-XML-DT
Linux Kernel CVE-2014-3185 'whiteheat.c' Buffer Overflow Vulnerability
Linux Kernel Magic Mouse HID Device Driver CVE-2014-3181 Stack-Based Buffer Overflow Vulnerability