Latest Alerts

SANS Internet Storm Center, InfoCON: green

ISC StormCast for Monday, December 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4255, (Mon, Dec 1st)

Sun, 11/30/2014 - 18:37
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Do you have a Data Breach Response Plan?, (Mon, Dec 1st)

Sun, 11/30/2014 - 16:12

The Ponemon Institute conducted and released a paper in September on its second annual study on data breaches. Some of the data collected shows interesting results. Based on their survey, 68% of respondents don't believe their company would know how to deal with negative public opinion, and 67% think their organization does not understand what to do after a data breach occurs [page 3]. If either one occurs, it usually impacts the brand, can lead to a loss of customers, and shakes business partners' trust and confidence in the company.

They also found that more companies now have a data breach response plan (73% in 2014 compared to 61% last year). According to this survey, only ~30% of the response plans are effective or very effective [page 4]. The report suggests that to be effective, the organization must provide training to its employees to make them aware of their responsibilities for protecting customer information when a data breach occurs.

There are several templates of data breach response plans freely available to get you started [2][3][4]. If you have one in place, how often is it reviewed and exercised? Do you receive training on how to properly safeguard customers' sensitive data [5]? The study can be downloaded here [1].

[1] http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf [page 3,4]
[2] https://privacyassociation.org/resources/article/security-breach-response-plan-toolkit/
[3] http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/docs/item48785.pdf
[4] http://www.justice.gov/sites/default/files/opcl/docs/breach-procedures.pdf
[5] http://www.securingthehuman.org

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Lots of Black Friday SPAM & Phishing, (Fri, Nov 28th)

Fri, 11/28/2014 - 15:20

Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for "One Click Black Friday Rewards". Of course, that one click goes nowhere near Amazon and directs you to the likes of "Black Fiday" (yes, it's misspelled) at hXXp://www.jasbuyersnet.com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don

@holisticinfosec

Syrian Electronic Army attack leads to malvertising, (Thu, Nov 27th)

Thu, 11/27/2014 - 12:33

A number of online services were impacted by what has been referred to by multiple sources as a redirection attack by the Syrian Electronic Army (SEA) emanating from the Gigya CDN. The issue was described as follows: Gigya explained that earlier today at 06:45 EST, it noticed sporadic failures with access to our service. The organization then found a breach at its domain registrar, with the hackers modifying DNS entries and pointing them away from Gigya's CDN domain, instead redirecting to their own server, which distributed a socialize.js file, namely the pop-up seen by everyone. Affected sites included Verizon, The Telegraph, The Independent, Forbes, Time Out, PC World, The Evening Standard, CNBC, and others.

The resulting pop-up simply stated "You've been hacked by the Syrian Electronic Army."

@holisticinfosec

ISC StormCast for Wednesday, November 26th 2014 http://isc.sans.edu/podcastdetail.html?id=4253, (Wed, Nov 26th)

Tue, 11/25/2014 - 19:37

Less is, umm, less?, (Tue, Nov 25th)

Tue, 11/25/2014 - 13:31

Following vulnerabilities discovered in tools many Linux and information security enthusiasts use, such as the strings command and the bash shell, a new series of issues has been discovered in the less command. Less is used to paginate output, and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: less myfile.txt and xxd mybinfile | less

Adrien de Beaupré
Intru-shun.ca Inc.

Security update for Adobe Flash player, (Tue, Nov 25th)

Tue, 11/25/2014 - 13:17

Adobe has released an out-of-band security update for the Adobe Flash Player. This is an additional update for CVE-2014-8439. Everyone should either update or double-check that Flash is not installed or cannot be invoked via Internet web sites.

Adrien de Beaupré
Intru-shun.ca Inc.

Guest diary: Detecting Suspicious Devices On-The-Fly, (Tue, Nov 25th)

Tue, 11/25/2014 - 07:54

If you apply classic hardening rules (keep the patch level up to date, use an AV, enable the firewall, and use them with due diligence), modern operating systems are more and more difficult to compromise today. Extra tools like EMET can also raise the bar. On the other hand, networks are more and more populated with unknown/personal devices, or devices which provide multiple facilities like storage (NAS), printers (MFP), VoIP, IP cameras, ...

Being easily compromised, they become a very good target to pivot into the network. They run out of the box: just plug in the network/power cables and they are ready to go! A classic vulnerability management process will detect such devices, but you still risk missing them if you run a monthly scan! To catch new devices on the fly and to get an immediate idea of their attack surface (for example: is a backdoor present?), I'm using the following toolbox: Arpwatch, Nmap and OSSEC as the conductor.

Arpwatch is a tool for monitoring ARP traffic on a LAN. It can detect new MAC addresses or pairing changes (IP/MAC). Nmap is the best-known port scanner, and OSSEC is a log management tool with many features, including a built-in HIDS.

A first piece of good news is that Arpwatch log entries are processed by default in OSSEC. It has a great feature called Active-Response which allows you to trigger actions (read: execute scripts) under specific conditions. In our case, I just created an active-response configuration to trigger an Nmap scan of any new device reported by Arpwatch:

The above configuration specifies that nmap-scan.sh will be executed with the argument srcip (reported by Arpwatch) on agent 001 when rule 7201 or 7202 matches (i.e. when a new host or a MAC address change is detected). The nmap-scan.sh script is based on the existing active-response scripts and spawns an Nmap scan:

nmap -sC -O -oG - -oN ${PWD}/../logs/${IP}.log ${IP} | grep "Ports:" >> ${PWD}/../logs/gnmap.log

This command appends interesting information in grepable format to the gnmap.log file: the open ports (if any) of the detected IP, as in the example below. One line per host will be generated:

Host: 192.168.254.65 (foo.bar.be) Ports: 22/open/tcp//ssh///, 80/open/tcp///,3306/open/tcp/// ...

OSSEC is a wonderful tool and can decode this format by default. Just configure gnmap.log as a new event source:


  <localfile>
    <log_format>nmapg</log_format>
    <location>/var/ossec/logs/gnmap.log</location>
  </localfile>

And new alerts will be generated:

2014 Oct 27 17:54:23 (shiva) 192.168.254.1-/var/ossec/logs/gnmap.log
Rule: 581 (level 8) - Host information added.
Host: 192.168.254.65 (foo.bar.be), open ports: 22(tcp) 80(tcp) 3306(tcp)

By using this technique, you will immediately detect new hosts connected to the network (or an IP address paired with a new MAC address), and you'll get the list of the services running on it as well as the detected operating system (if the fingerprinting is successful). Happy hunting!
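As an added example (not part of this diary and not OSSEC's own nmapg decoder), the following Python parses the grepable "Ports:" lines that nmap-scan.sh appends to gnmap.log, produces the same per-host summary the OSSEC alert shows, and diffs two consecutive scans so that a known host which opens a new port is reported as a change rather than silently overwritten. The log contents are constructed samples.

```python
import re

# Grepable-output host line: "Host: <ip> (<name>)\tPorts: <entries>\t..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")

# Constructed samples of two consecutive gnmap.log contents (not real scans).
PREVIOUS_LOG = """\
Host: 192.168.254.65 (foo.bar.be)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
"""
CURRENT_LOG = """\
Host: 192.168.254.65 (foo.bar.be)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.254.70 ()\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
"""


def parse_gnmap_line(line):
    """Return (ip, hostname, [(port, proto, service), ...]) or None.

    Each entry is port/state/proto/owner/service/rpcinfo/version; the
    fields after the service are usually empty.  Only open ports are kept.
    """
    m = HOST_RE.match(line.strip())
    if not m:
        return None
    ip, name, ports_field = m.groups()
    ports_field = ports_field.split("\t")[0]  # drop "Ignored State: ..." etc.
    open_ports = []
    for entry in ports_field.split(","):
        fields = entry.strip().split("/")
        if len(fields) < 5 or fields[1] != "open":
            continue
        open_ports.append((int(fields[0]), fields[2], fields[4]))
    return ip, name, open_ports


def summarize(parsed):
    """Same shape as the body of the OSSEC 'Host information added' alert."""
    ip, name, open_ports = parsed
    ports = " ".join("%d(%s)" % (port, proto) for port, proto, _ in open_ports)
    return "Host: %s (%s), open ports: %s" % (ip, name, ports)


def load_hosts(log_text):
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_gnmap_line(line)
        if parsed:
            hosts[parsed[0]] = parsed  # the last line for an IP wins
    return hosts


def diff_scans(previous_log, current_log):
    """Events worth alerting on: never-seen hosts, and known hosts whose set
    of open (port, proto) pairs changed since the previous scan."""
    before, after = load_hosts(previous_log), load_hosts(current_log)
    events = []
    for ip, parsed in after.items():
        now = {(port, proto) for port, proto, _ in parsed[2]}
        if ip not in before:
            events.append(("new_host", ip, sorted(now)))
            continue
        was = {(port, proto) for port, proto, _ in before[ip][2]}
        if now != was:
            events.append(("changed", ip, sorted(now - was), sorted(was - now)))
    return events


if __name__ == "__main__":
    for parsed in load_hosts(CURRENT_LOG).values():
        print(summarize(parsed))
    for event in diff_scans(PREVIOUS_LOG, CURRENT_LOG):
        print(event)
```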

Xavier Mertens

ISC StormCast for Tuesday, November 25th 2014 http://isc.sans.edu/podcastdetail.html?id=4251, (Tue, Nov 25th)

Mon, 11/24/2014 - 19:46

Someone is using this? PoS: Compressor, (Mon, Nov 24th)

Mon, 11/24/2014 - 06:44

Hello Dear Readers,

This diary comes to you by way of the real world and was taken very recently. Has anyone seen anything like this before? This handler was stunned into silence before the years of cynicism took over and I started breathing again. I was about to leave the convenience store, as I had passengers and they were in a hurry, but instead got out and took this picture. There were no cameras monitoring it; the position, as you can tell, was around the side of the store, and the placement in the area was convenient for drivers to use but terrible for monitoring. I could see someone driving up to use this, and then perhaps making a modification to it for, say, skimming or, repeat after me boys and girls, can we say pivot?

Quick poll for the comments:

  • I would never use this (Agree/Disagree)
  • This is risky (Agree/Disagree)

===

Richard Porter

@packetalien

rporter at isc dot sans dot edu

Craigslist Outage, (Mon, Nov 24th)

Sun, 11/23/2014 - 20:49

We were notified this evening by Matt H. that Craigslist is suffering an outage of some sort. Briefly checking the site from the west coast, I am finding web access basically unavailable, and access via their app intermittent. The website downdetector.com shows a period of outage reports increasing over the last 5 hours. We will continue to monitor, and ask if anybody has information on what is happening; we'd appreciate getting the word out.

tony d0t carothers --gmail

ISC StormCast for Monday, November 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4249, (Mon, Nov 24th)

Sun, 11/23/2014 - 17:06

More Trouble For Hikvision DVRs, (Mon, Nov 24th)

Sun, 11/23/2014 - 16:43

The Internet of Things is turning against us once more. Rapid7 is reporting that Hikvision DVRs are vulnerable to at least 3 different remote code execution vulnerabilities. Metasploit modules are available to take advantage of them, and a patch is not available.

All three vulnerabilities were found in the code dealing with RTSP requests. The vulnerabilities are simple buffer overflows.

Hikvision DVRs were already in the news earlier this year, when we found many of them being exploited by The Moon worm, bitcoin miners, and code scanning for Synology disk stations. Back then, the main exploit vector was the default root password of 12345 which never got changed.

At this point, device manufacturers just don't get it. The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating system and server vulnerabilities. Note that many devices are sold under various brand names, and Hikvision may not be the only vulnerable brand.

[1] https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities
[2] https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

ISC StormCast for Friday, November 21st 2014 http://isc.sans.edu/podcastdetail.html?id=4247, (Fri, Nov 21st)

Thu, 11/20/2014 - 19:30

Google Web "Firing Range" Available, (Thu, Nov 20th)

Thu, 11/20/2014 - 12:03

Google has released a Firing Range for assessing various web application scanners, with what looks like a real focus on Cross Site Scripting. The code was co-developed by Google and Politecnico di Milano.

Targets include:

  • Address DOM XSS
  • Redirect XSS
  • Reflected XSS
  • Tag based XSS
  • Escaped XSS
  • Remote inclusion XSS
  • DOM XSS
  • CORS related vulnerabilities
  • Flash Injection
  • Mixed content
  • Reverse ClickJacking

Source code is on github at https://github.com/google/firing-range

App Engine deploy is at http://public-firing-range.appspot.com/

===============
Rob VandenBrink
Metafore

Critical WordPress XSS Update, (Thu, Nov 20th)

Thu, 11/20/2014 - 11:42

Today, WordPress 4.0.1 was released, which addresses a critical XSS vulnerability (among other vulnerabilities). [1]

The XSS vulnerability deserves a bit more attention, as it is an all too common problem, and often underestimated. First of all, why is XSS critical? It doesn't allow direct data access like SQL injection, and it doesn't allow code execution on the server. Or does it?

XSS does allow an attacker to modify the HTML of the site. With that, the attacker can easily modify form tags (think about the login form, changing the URL it submits its data to), or the attacker could use XMLHttpRequest to conduct CSRF without being limited by the same-origin policy. The attacker will know what you type and will be able to change what you type, so in short: the attacker is in full control. This is why XSS is rated critical.

The particular issue here was that WordPress allows some limited HTML tags in comments. This is always a very dangerous undertaking. The WordPress developers did attempt to implement the necessary safeguards: only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn't done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.

A better solution would probably have been to use a standard library instead of trying to do this themselves. HTML Purifier is one such library for PHP. Many developers shy away from using it as it is pretty bulky. But it is bulky for a reason: it tries to cover a lot of ground. It not only normalizes HTML and eliminates malformed HTML, but it also provides a rather flexible configuration. Many lightweight alternatives, like the solution WordPress came up with, rely on regular expressions. Regular expressions are typically not the right tool to parse HTML. Too much can go wrong, starting from new lines and ending somewhere around multi-byte characters. In short: don't use regular expressions to parse HTML (or XML), in particular for security.
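Added example (not WordPress's code and not HTML Purifier): a small allowlist sanitizer for comment HTML built on Python's html.parser rather than on regular expressions. The allowed tags and attributes are an assumed policy; the point is that the tokenizer normalizes tag case, whitespace around "=", unquoted values and entity-encoded attribute values before the allowlist check runs, which is exactly where a regex filter tends to diverge from what the browser sees.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of tag -> attributes a comment may keep (an assumed policy).
# Anything not listed here is dropped; the text inside it is still kept.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "code": set(), "p": set(), "br": set(),
}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value):
    """Accept relative links and a few known schemes; refuse everything else."""
    v = (value or "").strip().lower()
    if ":" not in v:                   # no scheme at all: relative URL
        return True
    return v.startswith(SAFE_SCHEMES)  # value is already entity-decoded


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes, escaping all text.

    Comments, doctypes and processing instructions are discarded by the
    base class; <script>/<style> bodies arrive as data and are escaped.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                     # tag dropped, its text still kept
        kept = []
        for name, value in attrs:      # names are lowercased by the parser
            if name not in ALLOWED[tag]:
                continue               # e.g. any on* handler, style, src
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:      # close anything left open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:          # balance whatever the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_comment(html_text):
    """Return a version of html_text containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return parser.result()
```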

[1] https://wordpress.org/news/2014/11/wordpress-4-0-1/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

ISC StormCast for Thursday, November 20th 2014 http://isc.sans.edu/podcastdetail.html?id=4245, (Thu, Nov 20th)

Wed, 11/19/2014 - 16:51

"Big Data" Needs a Trip to the Security Chiropracter!, (Wed, Nov 19th)

Wed, 11/19/2014 - 11:18

When the fine folks at Portswigger updated Burp Suite last month to 1.6.07 (Nov 3), I was really glad to see NoSQL injection in the list of new features.

What's NoSQL, you ask? If your director is talking to you about Big Data or your marketing department is talking to you about customer metrics, likely what they mean is an app with a back-end database that uses NoSQL instead of real SQL.

I'm tripping over this requirement this month in the retail space. I've got clients that want to track a retail customer's visit to the store (tracking their cellphones using the store wireless access points), to see:

  • if customers visit store sections where the sale items are?
  • or, if customers visit area x, do they statistically visit area y next?
  • or, having visited the above areas, how many customers actually purchase something?
  • or, after seeing a purchase, how many feature sale purchases are net-new customers (or repeat customers)

In other words, using the wireless system to track customer movements, then correlating it back to purchase behaviour to determine how effective each feature sale might be.

So what database do folks use for applications like this? Front-runners in the NoSQL race these days include MongoDB and CouchDB. Both databases do cool things with large volumes of data. MongoDB's own documentation cautions: "Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available."

CouchDB has a similar statement at http://guide.couchdb.org/draft/security.html: "it should be obvious that putting a default installation into the wild is adventurous".

So, where do I see folks deploying these databases? Why, in PUBLIC CLOUDs, that's where!

And what happens after you stand up your almost-free database and the analysis on that dataset is done? In most cases, the marketing folks who are using it simply abandon it, in a running state. What could possibly go wrong with that? Especially if they didn't tell anyone in either the IT or Security group that this database even existed?

Given that we've got hundreds of new ways to collect data that we've never had access to before, it's pretty obvious that if big data infrastructures like these aren't part of our current plans, they likely should be. All I ask is that folks do the risk assessments that they would if this server was going up in their own datacenter. Ask some questions like:

  • What data will be on this server?
  • Who is the formal custodian of that data?
  • Is the data covered under a regulatory framework such as HIPAA or PCI? Do we need to host it inside of a specific zone or VLAN?
  • What happens if this server is compromised? Will we need to disclose to anyone?
  • Who owns the operation of the server?
  • Who is responsible for securing the server?
  • Does the server have a pre-determined lifetime? Should it be deleted after some point?
  • Does the developer or marketing team that's looking at the dataset understand your regulatory requirements? Do they understand that credit card numbers and patient data are likely bad candidates for an off-prem / casual treatment like this (hint - NO THEY DO NOT).

Smart meter applications are another big data thing I've come across lately. Laying this out end-to-end: collecting data from hundreds of thousands of embedded devices that may or may not be securable, over a public network, to be stored in an insecurable database in a public cloud. Oh, and the collected data impinges on at least 2 regulatory frameworks, PCI and NERC/FERC, and possibly also privacy legislation depending on the country. Ouch!

Back to the tools to assess these databases: Burp isn't your only option to scan NoSQL database servers; in fact, Burp is more concerned with the web front-end to NoSQL itself. NoSQLMap (http://www.nosqlmap.net/) is another tool that's seeing a lot of traction, and of course the usual suspects have NoSQL scripts, components and plugins: Nessus has a nice set of compliance checks for the database itself, and Nmap has scripts for couchdb, mongodb and hadoop detection, as well as for mining database-specific information. OWASP has a good page on NoSQL injection at https://www.owasp.org/index.php/Testing_for_NoSQL_injection, and also check out http://opensecurity.in/nosql-exploitation-framework/.

Shodan is also a nice place to look in an assessment during your recon phase (for instance, take a look at http://www.shodanhq.com/search?q=MongoDB+Server+Information )

Have you used a different tool to assess a NoSQL database? Or have you had, let's say, an interesting conversation around securing data in such a database with your management or marketing group? Please add to the story in our comment form!

===============
Rob VandenBrink
Metafore

ISC StormCast for Wednesday, November 19th 2014 http://isc.sans.edu/podcastdetail.html?id=4243, (Wed, Nov 19th)

Tue, 11/18/2014 - 19:28