(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.


Multiple Huawei Products Information Disclosure Vulnerability
Huawei FusionAccess HTTP Header Injection Vulnerability
Cisco Security Advisory: Cisco Small Business 220 Series Smart Plus Switches SNMP Unauthorized Access Vulnerability
Cisco Security Advisory: Cisco Small Business SPA3x/5x Series Denial of Service Vulnerability
Cisco Security Advisory: Cisco WebEx Meetings Player Arbitrary Code Execution

With a name or just a general description of some generic event, researchers were able to "spear-phish" half of their test subjects. (credit: Wikipedia)

Security experts often talk about the importance of educating people about the risks of "phishing" e-mails containing links to malicious websites. But sometimes, even awareness isn't enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.

The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects—university students—from fake accounts.

The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.



We have had a report from one of our readers (thanks Andrew) indicating that they are seeing Angler Exploit Kit attempts in the past 2 days appearing to be tied to Heart Internet. I am not seeing any activity in my logs.

Is anyone else seeing this type of activity in your weblogs?

Deb Hale


If you use any of these Cisco devices, please take the recommended action.

WebEx Player - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player

Cisco Small Business 220 Series Smart Plus (Sx220) Switches - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-spa

Deb Hale

MAC-Telnet 'mactelnet.c' Buffer Overflow Vulnerability

Dropbox has just been added to the myriad of sites that have been hacked. It seems that back in 2012 there was a breach and around 60 million accounts were stolen. There is now evidence surfacing that the details from the accounts are out there. Dropbox is forcing password changes for a number of users that have been affected.

I don't use Dropbox but have a number of our employees that do, so I went to www.haveibeenpwned.com to check their accounts. Sure enough, I had a couple that were included in the list. I immediately notified the users to change their Dropbox passwords.

Out of curiosity I checked my email addresses; I use several for security purposes. I found that 3 of mine were listed. One was for a potential breach at Logmein.com. They notified me several weeks ago, and when I logged in I was forced to change my password. I felt pretty good about that. However, what I discovered today is that I also had a potential breach from Adobe.com, which I was not notified of, on 2 of my email addresses. I forgot that I had even set up an account on the one email address. I also discovered that I had a potential breach on an email address that I no longer use for myspace.com. Of course, there is no way to change this password because that email address has been done away with. I requested that my account be removed. Hopefully, they will take care of that. Interesting that I have a subscription to one of the so-called financial protection sites that are supposed to be watching for these and notifying me when it happens. I was notified by them about 6 weeks after I received the email from Logmein that I may have been breached. They have never notified me of the others. I guess I will keep an eye on my email addresses using the previously mentioned website.

I then started looking at some key email addresses here in the company. One of them had a potential breach on linkedin.com. I notified the user, and his response was, "So why would they steal LinkedIn information?" My response: not sure. Perhaps they are banking on people using the same password for other accounts such as banking/credit card accounts. If they happen on to the email address in some other breach (such as your bank or your credit card), they will try the password. His response was, "Might be a good time to change some passwords."

An article on Motherboard concerning the breach states:

This is just the latest so-called mega-breach to be revealed. This summer, hundreds of millions of records from sites such as LinkedIn, MySpace, Tumblr, and VK.com from years-old data breaches were sold and traded amongst hackers.

Perhaps it is a good time to change those passwords as well. I try not to use the same password for multiple sites and I strive to use good strong passwords. I have devised a scheme in creating my passwords that allows me to recall the password from any site even though all of the passwords are different.

Many thanks to Troy for the haveibeenpwned.com website.

For more information about the Dropbox breach see



Deb Hale



Dropbox hurriedly warned its users last week to change their passwords if their accounts dated back prior to mid-2012. We now know why: the cloud-based storage service suffered a data breach that's said to have affected more than 68 million accounts compromised during a hack that took place roughly four years ago.

The company had previously admitted that it was hit by a hack attack, but it's only now that the scale of the operation has seemingly come to light.

Tech site Motherboard reported—citing "sources in the database trading community"—that it had obtained four files, totalling 5GB in size, which apparently contained e-mail addresses and hashed passwords for 68,680,741 Dropbox users.


QEMU File Handling Multiple Directory Traversal Vulnerabilities
Multiple Pulse Secure Products CVE-2016-2408 Local Privilege Escalation Vulnerability

Since Edward Snowden stepped into the limelight from a hotel room in Hong Kong three years ago, use of the Tor anonymity network has grown massively. Journalists and activists have embraced the anonymity the network provides as a way to evade the mass surveillance under which we all now live, while citizens in countries with restrictive Internet censorship, like Turkey or Saudi Arabia, have turned to Tor in order to circumvent national firewalls. Law enforcement has been less enthusiastic, worrying that online anonymity also enables criminal activity.

Tor's growth in users has not gone unnoticed, and today the network first dubbed "The Onion Router" is under constant strain from those wishing to identify anonymous Web users. The NSA and GCHQ have been studying Tor for a decade, looking for ways to penetrate online anonymity, at least according to these Snowden docs. In 2014, the US government paid Carnegie Mellon University to run a series of poisoned Tor relays to de-anonymise Tor users. A 2015 research paper outlined an attack effective, under certain circumstances, at decloaking Tor hidden services (now rebranded as "onion services"). Most recently, 110 poisoned Tor hidden service directories were discovered probing .onion sites for vulnerabilities, most likely in an attempt to de-anonymise both the servers and their visitors.

Cracks are beginning to show; a 2013 analysis by researchers at the US Naval Research Laboratory (NRL), who helped develop Tor in the first place, concluded that "80 percent of all types of users may be de-anonymised by a relatively moderate Tor-relay adversary within six months."


[security bulletin] HPSBGN03637 rev.1 - HP Operations Manager for Unix, Solaris, and Linux, Remote Cross-Site Scripting (XSS)