Latest Alerts

Syndicate content SANS Internet Storm Center, InfoCON: green
Updated: 24 min 36 sec ago

Webcast Briefing: Bash Code Injection Vulnerability, (Thu, Sep 25th)

Thu, 09/25/2014 - 14:13

I created a quick Youtube video to summarize the impact of the vulnerability. The tricky part is that there is a huge vulnerable population out there, but the impact is limited as in most cases, the vulnerability is not exposed.

Feel free to share the video or the slides. I am making PPT and PDF versions available below

PDF Version of Slides
PPT Version of Slides (coming soon. not uploaded yet)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, September 25th 2014 http://isc.sans.edu/podcastdetail.html?id=4163, (Thu, Sep 25th)

Wed, 09/24/2014 - 18:07
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Attention *NIX admins, time to patch!, (Wed, Sep 24th)

Wed, 09/24/2014 - 08:05

Over the past years, we became used to Microsoft Patches, the important, critical ones that would render your system fully vulnerable if you didn't apply them. We probably became so used that sometime we forget that our Linux servers also need patches.

Today I've learned about a critical Bash patch, that addresses the CVE-2014-6271. According the advisory:

"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

The patches are already ready for most of the Linux distros, like RedHat and Debian, so waste no time.

---

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, September 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4161, (Wed, Sep 24th)

Tue, 09/23/2014 - 17:32
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

jQuery.com Compromise: The Dangers of Third Party Hosted Content, (Tue, Sep 23rd)

Tue, 09/23/2014 - 15:29

jQuery is a popular Javascript framework, used by many websites (including isc.sans.edu) . jQuery provides many features, like easy access to webservices as well as advanced user interface features. When using jQuery, sites have the option to download and host the complete code, or let jQuery.com and it's CDN (Content Delivery Network) host the code.

There are two advantages in allowing jQuery.com to host the code:

  • Performance: Code is typically delivered faster, and a user may already have the code cached if they visited another site that used the CDN hosted copy of jQuery.
  • Automatic Updates: Updates to jQuery are pushed to the CDN by the jQuery developers, and a website using it will automatically receive the latest copy.

On the other hand, there is an important drawback, and the main reason why the jQuery code for isc.sans.edu is hosted on our own servers: With code being "blindly" included from 3rd party sites, it is possible that a compromise of this 3rd party site will affect your site's security.

Sadly, just this happened according to RiskIQ with jQuery.com [1]. The web site was compromised and malicious code was injected redirecting users to a malicious site. Luckily, the jQuery library was NOT affected. Otherwise, many additional sites would have been exposed and visitors to these sites would have been affected. This is in particular fortunate as the attack appears to be targeted. The redirection domain used in this attack was jquery-cdn.com . That domain was registered on the day the attack was first noticed.

Particulary concerning is the fact that I am unable to find any statement about the attack on jQuery.com . If someone has a link, please let me know.

[1] http://www.net-security.org/malware_news.php?id=2869

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, September 23rd 2014 http://isc.sans.edu/podcastdetail.html?id=4159, (Tue, Sep 23rd)

Mon, 09/22/2014 - 16:53
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Fake LogMeIn Certificate Update with Bad AV Detection Rate, (Mon, Sep 22nd)

Mon, 09/22/2014 - 07:47

I just receive a pretty "plausible looking" e-mail claiming to originate from Logmein.com. The e-mail passed the first "gut check".

  • The "From" address is auto-mailer@logmein.com.
  • It was sent to an address I have used for Logmein in the past
  • The only link inside the e-mail went to a legit Logmein URL.

Of course, the .zip attachment did set off some alarm bells, in particular as it unzipped to a .scr (Screen Saver).

According to VirusTotal, AV detection is almost non-existant at this point:

LogmeIn does publish a SPF record, and the e-mail did not originate from a valid LogmeIn mail sender, so it should be easy to descriminate against these emails using a standard spam filter.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

iOS 7.1.x Exploit Released (CVE-2014-4377), (Mon, Sep 22nd)

Mon, 09/22/2014 - 05:41

Haven't upgraded to iOS 8 yet? Aside from a lot of new features, Apple also fixed a number of security vulnerabilities in iOS 8. For example CVE-2014-4377, a memory corrupion issue in iOS's core graphics library. An exploit is now available for this vulnerability.

NOTE: I have not verified yet that the exploit is working / genuine. We will not link at this point to the exploit code, but basic Google Fu should allow you to find it.

The author claims that the exploit is "compleatly reliable and portable on iOS 7.1.x". The exploit comes in the form of a malformed PDF, which would usually be delivered as an image inside an HTML page.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Cyber Security Awareness Month: What's your favorite/most scary false positive, (Mon, Sep 22nd)

Sun, 09/21/2014 - 17:19

As in prior years, we would like to use a theme for our October diaries, in order to participate in Cyber Security Awareness Month. This month, we are looking for "False Positives". One issue we are running into a lot is users who are new to security and start looking at logs, only to be confronted with unparsable, "scary" messages. But even as an experienced security practitioners, you can run into a an indicator that may initially get you to believe that your system is compromised only to learn later that there was nothing to worry about. 

To help us out, please send us your favorite scary, but in the end bening, lot message or other error/system message. Please include a few details stating why you initially thought that there was a problem and how you came to believe that the message was nothing to worry about. We hope to cover about 1 message for each work day (5 / week). Please include how you would like to be identified (usually we use submitters first name)

 

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, September 22nd 2014 http://isc.sans.edu/podcastdetail.html?id=4157, (Mon, Sep 22nd)

Sun, 09/21/2014 - 17:18
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

New OWASP Testing guide version 4! Check https://www.owasp.org/images/1/19/OTGv4.pdf, (Sat, Sep 20th)

Sat, 09/20/2014 - 07:57

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Strange ICMP traffic seen in destination, (Sat, Sep 20th)

Sat, 09/20/2014 - 07:45

Reader Ronnie provided us today a packet capture with a very interesting situation:

  1. Several packets are arriving, all ICMP echo request from unrelated address:
  2. All ICMP packets being sent to the destination address does not have data, leaving the packet with the 20 bytes for the IP header and 8 bytes for the ICMP echo request without data
  3. All the unrelated address sent 6 packets: One with normal TTL and 5 with incremental TTL:

Seems to be those packets are trying to map a route, but in a very particular way. Since there are many unrelated IP addresses trying to do the same, maybe something is trying to map routes to specific address to do something not good. The destination IP address is an ADSL client.

Is anyone else seeing these kind of packets? If you do, we definitely want to hear from you. Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

PHP Fixes Several Bugs in Version 5.4 and 5.5, (Fri, Sep 19th)

Fri, 09/19/2014 - 15:41

PHP announced the released of version 5.5.17 and 5.4.33. Ten bugs were fixed in version 5.4.33 and 15 bugs were fixed in version 5.5.17. All PHP users are encouraged to upgrade.The latest version are available for download here.

[1] http://php.net/ChangeLog-5.php#5.4.33
[2] http://php.net/ChangeLog-5.php#5.5.17
[3] http://windows.php.net/download

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

CipherShed Fork from TrueCrypt Project, Support Windows, Mac OS and Linux - https://ciphershed.org, (Fri, Sep 19th)

Fri, 09/19/2014 - 15:23

 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Web Scan looking for /info/whitelist.pac, (Fri, Sep 19th)

Thu, 09/18/2014 - 17:37

Nathan reported today that he has been seeing a new trend of web scanning against his webservers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since the 22 Aug.

[22/Aug/2014:18:55:32 -0500]    xx.12.93.178    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500]    xx.216.137.7    GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500]    xx.174.190.254 GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500]    xx.252.188.49   GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500]    xx.17.199.47     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500]    xx.13.136.13     GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]    xx.10.51.74       GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500]    xx.240.174.203  GET /info/whitelist.pac HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Is anyone else seeing similar activity against their webservers?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, September 19th 2014 http://isc.sans.edu/podcastdetail.html?id=4155, (Fri, Sep 19th)

Thu, 09/18/2014 - 17:34
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Added today in oclhashcat 131 Django [Default Auth] (PBKDF2 SHA256 Rounds Salt) Support - http://hashcat.net/hashcat/, (Fri, Sep 19th)

Thu, 09/18/2014 - 16:40

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Apple Phishing emails, (Thu, Sep 18th)

Thu, 09/18/2014 - 15:58

With today being "buy an Apple phone" day it should not be surprising that there are already some phishing emails going around to try and take advantage of the publicity.  

Jan sent this in this morning (thanks):

-------------
Dear Client,

We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.

just click the link below and follow the steps our request form

Update now...

This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.

Apple Client Support.
-------------

A variation on the many phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone.

Maybe a reminder to staff as well as friends and family to ignore emails that say "click here"

Happy buying a phone day or if not phonically inclined, happy talk like a pirate day, or just plain enjoy your Friday. 

Mark 

 

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Apple Releases OS X 10.9.5 / Safari 6.2 and 7.1 with several security fixes http://support.apple.com/kb/HT1222, (Thu, Sep 18th)

Thu, 09/18/2014 - 06:54

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, September 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4153, (Thu, Sep 18th)

Wed, 09/17/2014 - 18:37
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts