Windows XP, slow to die :-( , (Wed, Jun 18th)

Latest Alerts - Wed, 06/18/2014 - 05:12

After traveling around the past few months in various countries, it looks like getting rid of Windows XP is going to take quite a while. It is probably because it has expired that I noticed it more than usual, but XP is certainly everywhere. You see it at airports on display boards and point-of-sale systems; in one overseas country, on the computers in customs as well as in the railway displays and control systems and in hospitals.

Having obsolete operating systems in a corporate environment is bad enough, and there are still many organisations that utilise XP internally. However, as part of critical infrastructure it worries me slightly more. Now most of us can't do much outside of our little sphere of influence, but it is time for the operating system to go.

So if junior needs something to do over the next few weeks, set them a challenge. Identify all remaining XP devices connected to the network. Categorise them into real XP and embedded XP (there is still some support available for the latter). Then develop a strategy to get rid of them.
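
As an added example (not part of the diary), a small Python helper for the categorisation step: it takes an inventory export and splits hosts into desktop XP, embedded XP and everything else, using the NT version number rather than the caption alone. The CSV below, its hostnames and OS strings are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory export (hostname, OS caption, OS version) standing in
# for a real asset-database or directory export; every value here is made up.
INVENTORY_CSV = """hostname,os_caption,os_version
pos-till-01,Microsoft Windows Embedded POSReady 2009,5.1.2600
kiosk-lobby,Windows XP Embedded,5.1.2600
fin-ws-114,Microsoft Windows XP Professional,5.1.2600
fin-ws-115,Microsoft Windows XP Professional x64 Edition,5.2.3790
hr-ws-020,Microsoft Windows 7 Enterprise,6.1.7601
scada-hmi-3,Windows Embedded Standard 2009,5.1.2600
file-srv-2,Microsoft Windows Server 2003 R2 Standard Edition,5.2.3790
"""

# Caption fragments that mark the XP-based embedded variants.
EMBEDDED_MARKERS = ("embedded", "posready")

def classify(os_caption, os_version):
    """Return 'xp', 'xp_embedded' or 'other' for one inventory record.

    XP and its embedded siblings report NT version 5.1. The x64 edition reports
    5.2, which it shares with Server 2003, so 5.2 only counts as XP when the
    caption says so.
    """
    caption = os_caption.lower()
    major_minor = ".".join(os_version.split(".")[:2])
    is_xp_family = major_minor == "5.1" or (major_minor == "5.2" and "xp" in caption)
    if not is_xp_family:
        return "other"
    if any(marker in caption for marker in EMBEDDED_MARKERS):
        return "xp_embedded"
    return "xp"

def inventory_report(csv_text):
    """Group hostnames by category so each bucket can get its own plan."""
    report = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row["os_caption"], row["os_version"])].append(row["hostname"])
    return dict(report)

if __name__ == "__main__":
    for category, hosts in sorted(inventory_report(INVENTORY_CSV).items()):
        print(f"{category:12s} {len(hosts):3d}  {', '.join(hosts)}")
```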

If getting rid of them is not an option, and there will be those of you in that situation, at least look for ways of protecting them a bit better. Consider network segmentation, application whitelisting and endpoint solutions (some will still work on XP). As an absolute minimum, at least know where they are and how they are being used.

Seek, identify and remove away.

Mark H  

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

VMSA-2014-0006.2 updates OpenSSL libraries in VMWare, (Wed, Jun 18th)

Latest Alerts - Wed, 06/18/2014 - 04:30

An update was released today addressing the OpenSSL issues in VMWare products. Libraries have been updated to 0.9.8za and 1.0.1h to fix issues.   

You'll want to evaluate and apply the updates as appropriate.  

Mark H

ISC StormCast for Wednesday, June 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4027, (Wed, Jun 18th)

Latest Alerts - Tue, 06/17/2014 - 17:14
Bro 2.3 released - new here: http://blog.bro.org/2014/06/bro-23-release.html, release notes here: http://www.bro.org/sphinx-git/install/release-notes.html, (Tue, Jun 17th)

Latest Alerts - Tue, 06/17/2014 - 15:46

===============
Rob VandenBrink
Metafore

New Security Advisories / Updates from Microsoft - Heads up for Next Patch Tuesday!, (Tue, Jun 17th)

Latest Alerts - Tue, 06/17/2014 - 11:45


Microsoft has released a number of security advisories and updates to advisories; hopefully they'll all have matching updates next Patch Tuesday.

Microsoft Security Advisory 2974294  (just posted today)
Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service
https://technet.microsoft.com/library/security/2974294

MS14-036   Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) (June 10 advisory, updated today)
https://technet.microsoft.com/library/security/ms14-036

MS14-035    Cumulative Security Update for Internet Explorer (2969262) (June 10 advisory, updated today)
https://technet.microsoft.com/library/security/ms14-035

You can track June's list as it is built here:
https://technet.microsoft.com/library/security/ms14-JUN

===============
Rob VandenBrink
Metafore

Canada's Anti-Spam Legislation (CASL) 2014, (Tue, Jun 17th)

Latest Alerts - Tue, 06/17/2014 - 04:05

Canada recently passed anti-spam legislation. Starting July 1 2014, organizations need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of. This doesn't cover just mass marketing; a single email to a single person is covered by this new legislation.

Starting Jan 15, 2015, the installation of apps, plug-ins and other programs needs similar consent.

With fines up to $1 million for individuals and $10 million for organizations, there's a bit of a scramble to get consent from us Canadians. Everyone from car companies wanting to send service bulletins to insurance companies who think this applies to emails on our insurance claims are sending "click here to consent" emails. And of course, there's a similar scramble from folks that we've bought something from once, who want to send us sales flyers forever.

See the problem yet? There was a clue in the note above.

In this onslaught of "Click here" notes, it's oh-so-easy to slip in a few malicious emails, and of course if you do click in those notes, there's some special malware just for you!

To make things more interesting, many of the legit emails of this type are loaded with graphics, with links pointing to third-party sites, so they also look like malicious content all on their own.

So in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn't confined to just Canadians mind you), this legislation is actually resulting in a new "easy button" attack vector, so we have a spike of the very activity this is trying to prevent!

I wonder if the folks in Ottawa who wrote this legislation realize that this also applies to their campaign material at election time? Or if they understand that a telephone call is also "electronic communication"? <Just the first two gotchas that came to mind>

If you've seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar "oops" situations, please share using our comment form!

http://www.crtc.gc.ca/eng/casl-lcap.htm
http://fightspam.gc.ca

===============
Rob VandenBrink
Metafore

ISC StormCast for Tuesday, June 17th 2014 http://isc.sans.edu/podcastdetail.html?id=4025, (Tue, Jun 17th)

Latest Alerts - Mon, 06/16/2014 - 17:05
ISC StormCast for Monday, June 16th 2014 http://isc.sans.edu/podcastdetail.html?id=4023, (Mon, Jun 16th)

Latest Alerts - Sun, 06/15/2014 - 16:21
A welcomed response, PF Chang's, (Fri, Jun 13th)

Latest Alerts - Fri, 06/13/2014 - 08:10
UPDATE:

http://pfchangs.com/security/

PF Chang's has posted a public response. In summary, the Secret Service contacted them June 10th and they have confirmed the breach. Time to change CC number... 'again' :(

-------

Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's [1]. As it so happens we decided to have lunch there today and I polled one of the managers if she had been briefed on the breach. She had been informed. 

I observed two things of note at lunch: one, people were still paying with credit cards, but what returned was a pleasant and welcome surprise. The bartender placed the bill down along with a manually run credit card from one of the ole'school card imprinters [2].

The extent of the breach is still under investigation according to the general manager of the PF Chang's we frequent, and it is time to change the CC ... again ...

Maybe we should keep a breach-causes-CC-change scoreboard :( [3]

[1] http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/
[2] http://www.amazon.com/Addressogragh-Bartizan-4000-Imprinter-Without/dp/B0057YIHMM
[3] https://www.privacyrights.org/

Richard Porter

--- ISC Handler on Duty

ISC StormCast for Friday, June 13th 2014 http://isc.sans.edu/podcastdetail.html?id=4021, (Fri, Jun 13th)

Latest Alerts - Thu, 06/12/2014 - 19:05
Wireshark Patches. And Wireshark 1.8.x EOL announced. Check http://www.wireshark.org/docs/relnotes/ or http://www.wireshark.org/download.html, (Thu, Jun 12th)

Latest Alerts - Thu, 06/12/2014 - 15:28

Made any new friends lately?, (Thu, Jun 12th)

Latest Alerts - Thu, 06/12/2014 - 14:36


Earlier this week, we were testing the security aspects of an application that integrates with LinkedIn. Given that I do not own a LinkedIn account, I had to create one temporarily, to be able to test. I used a throw-away email address, and did not add any personal data, but I happened to connect to LinkedIn from the business where we were performing the work.

When I connected back, two days later, from home, to delete the temporary account, I was surprised that LinkedIn suggested "people you could know". And lo and behold, I actually knew some of them. They were employees of the company where we had conducted the test.

The only conceivable link, as far as we could determine, is the IP address. Those other users, company employees, might have logged in to LinkedIn before from work, and this seems to be a data point that LinkedIn remembers and uses in determining "connections" between members.

Nothing much wrong with that - LinkedIn is mostly transparent in their declaration of what data mining they do, the privacy policy clearly states "We collect information from the devices and networks that you use to access LinkedIn. This information helps us improve and secure our Services".  Of course the IP address is a data point that is visible to them, and it makes $$$ sense to store and use it. But, call me naïve, seeing it used so blatantly still caught me by surprise.

Lesson learned: If you create a LinkedIn account, don't do so from the public WiFi at the pub or brothel or bank branch that you frequent -- you might end up with friend suggestions that link you to unsavory characters ;).

Metasploit now includes module to exploit CVE-2014-0195 (OpenSSL DTLS Fragment Vuln.), (Thu, Jun 12th)

Latest Alerts - Thu, 06/12/2014 - 05:30

The latest release of Metasploit, out today, includes a module to ease exploitation of CVE-2014-0195 [1]. This vulnerability in the DTLS implementation of OpenSSL was patched last week and didn't get the attention the MitM vulnerability got that was patched at the same time. It is absolutely critical that you patch and/or firewall your DTLS services. This is complicated by the fact that many of them are part of embedded devices like routers and switches (SNMPv3) or VoIP systems. Your web servers are NOT affected by this.

The Metasploit module in its current form does NOT allow for code execution, but instead will just crash the service. The vulnerability could however be used to execute code on the target device.

Here again is a quick rundown of possibly affected protocols:

SNMPv3 (161/UDP), LDAP over SSL (636/UDP), DTLS-SRP (VoIP, WebRTC, various ports), OpenVPN (1194/UDP) 

DTLS uses UDP over various ports. Some of the protocols listed above, e.g. DTLS-SRP, use various ports that are negotiated between the endpoints dynamically. DTLS can also use port 4433 for some applications.

[1] http://www.rapid7.com/db/modules/auxiliary/dos/ssl/dtls_fragment_overflow

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

VMware Address OpenSSL Security Vulnerabilities for ESXi 5.5 prior to ESXi550-201406401-SG - http://www.vmware.com/security/advisories/VMSA-2014-0006.html, (Thu, Jun 12th)

Latest Alerts - Thu, 06/12/2014 - 02:19

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

BIND Security Update for CVE-2014-3859, (Thu, Jun 12th)

Latest Alerts - Thu, 06/12/2014 - 02:16

BIND has released a security update for CVE-2014-3859 [1] as versions 9.10.0-p2, 9.9.5-p1 and 9.8.7-p1. The update is available for download [2].

[1] https://kb.isc.org/article/AA-01166/74/CVE-2014-3859%3A-BIND-named-can-crash-due-to-a-defect-in-EDNS-printing-processing.html
[2] http://www.isc.org/downloads/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

ISC StormCast for Thursday, June 12th 2014 http://isc.sans.edu/podcastdetail.html?id=4019, (Thu, Jun 12th)

Latest Alerts - Wed, 06/11/2014 - 19:08
Pay attention to Cryptowall!, (Wed, Jun 11th)

Latest Alerts - Wed, 06/11/2014 - 19:02

CryptoLocker might be pretty much off the radar. But Cryptowall is alive and kicking, and making the bad guys a ton of money. It mainly spreads by poisoned advertisements and hacked benign websites, and then sneaks its way onto the PCs of unsuspecting users by means of Silverlight, Flash and Java Exploits.

Somewhat unexpectedly, Java is NOT the most prominent for a change. It looks like the Silverlight sploits are currently the most successful.

If you're "had", Cryptowall encrypts all the files that you possibly could want to keep (images, documents, etc.), and then asks for a $500 ransom. If you don't pay up quickly, the ransom doubles. And after a while of not paying, well, the suckers delete the key. As far as we know, there is no way yet to recover the encrypted data, because the private key is not really present on the infected machine. I hope you have a recent backup.

Last week's batch of infections for example had "food.com" as a prominent source. As far as I can tell, they are cleaned up by now, but we have several samples in the database that show pages like http://www.food[dot]com/recipe/pan-fried-broccoli-226105, http://www.food[dot]com/recipe/barefoot-contessas-panzanella-salad-135723, etc, as the last referer before the exploit triggered.

The domains last week were following the pattern [a-f0-9]{6,8}\.pw and [a-f0-9]{6,8}\.eu, but this is obviously changing all the time. Still, it probably doesn't hurt to check your DNS or proxy logs for the presence of (especially) .pw domains. Yes, I had to look it up as well ... .pw is Palau. A bunch of islands in the South Pacific. It is safe to assume that most of the web sites with this extension are not actually about or in Palau.
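
As an added example (not from the diary), a small Python scanner that applies the domain pattern above to BIND-style query log lines and flags any other .pw lookup while it is at it. The log format, client addresses and domain names below are constructed for the example.

```python
import re
from collections import Counter

# Domain pattern quoted in the diary: 6-8 hex characters under .pw or .eu.
CRYPTOWALL_DOMAIN = re.compile(r"^[a-f0-9]{6,8}\.(pw|eu)$")
# BIND-style query log line; the field layout is the one the sample below uses.
QUERY_LINE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def suspicious_domain(qname):
    """Return why a queried name is interesting, or None if it is not.

    'hex-pattern' is the exact pattern from last week's wave; 'pw-tld' flags
    any other .pw lookup, since legitimate .pw traffic is unlikely for most sites.
    """
    name = qname.rstrip(".").lower()
    if CRYPTOWALL_DOMAIN.match(name):
        return "hex-pattern"
    if name.endswith(".pw"):
        return "pw-tld"
    return None

def scan_dns_log(lines):
    """Return (client_ip, domain, reason) for every suspicious query in the log."""
    hits = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if not m:
            continue
        reason = suspicious_domain(m.group("qname"))
        if reason:
            hits.append((m.group("client"), m.group("qname").rstrip(".").lower(), reason))
    return hits

def clients_to_triage(hits):
    """Count hits per internal client so the noisiest hosts get looked at first."""
    return Counter(client for client, _, _ in hits)

# Constructed sample log: the client addresses and domains are made up.
SAMPLE_LOG = [
    "12-Jun-2014 09:14:01.234 client 10.1.2.33#51234: query: www.food.com IN A + (10.1.2.1)",
    "12-Jun-2014 09:14:02.001 client 10.1.2.33#51240: query: 3fa9c1e2.pw IN A + (10.1.2.1)",
    "12-Jun-2014 09:14:02.550 client 10.1.2.33#51241: query: ab12cd.eu IN A + (10.1.2.1)",
    "12-Jun-2014 09:15:10.004 client 10.1.2.78#40011: query: mail.example.com IN MX + (10.1.2.1)",
    "12-Jun-2014 09:16:00.100 client 10.1.2.78#40012: query: travel-guide.pw IN A + (10.1.2.1)",
    "12-Jun-2014 09:16:05.100 client 10.1.2.90#40013: query: news.example.eu IN A + (10.1.2.1)",
]

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for client, domain, reason in hits:
        print(f"{client:12s} {domain:20s} {reason}")
    print(clients_to_triage(hits))
```

The same two functions work on proxy logs once the hostname has been pulled out of the URL field; only the line regex changes.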

More info: Ronnie has an outstanding write-up at http://phishme.com/inside-look-dropbox-phishing-cryptowall-bitcoins/ . Cisco's blog has a lot of IOCs: https://blogs.cisco.com/security/rig-exploit-kit-strikes-oil

 

ISC StormCast for Wednesday, June 11th 2014 http://isc.sans.edu/podcastdetail.html?id=4017, (Wed, Jun 11th)

Latest Alerts - Tue, 06/10/2014 - 18:43