# SANS ISC

# threatpost.com

  • Signal 2.0 Brings Encrypted Messaging to iPhone Mon, 02 Mar 2015 20:22:26 +0000
    Signal 2.0 is available from Open WhisperSystems, and brings encrypted messaging to the iPhone.
  • D-Link Routers Haunted by Remote Command Injection Bug Mon, 02 Mar 2015 19:02:37 +0000
    Some D-Link routers contain a vulnerability that leaves them open to remote attacks that can give an attacker root access, allow DNS hijacking and other attacks. The vulnerability affects a number of D-Link’s home routers and the key details of the flaw have been made public by one of the researchers who discovered it. […]
  • Older Keen Team Use-After-Free IE Exploit Added to Angler Exploit Kit Mon, 02 Mar 2015 18:58:16 +0000
    Attackers behind one of the more popular exploit kits, Angler, have added a tweaked version of an exploit from last fall, a use after free vulnerability in Microsoft's Internet Explorer browser.
  • Mozilla Pushes Hot Fix to Remove Superfish Cert From Firefox Mon, 02 Mar 2015 14:53:20 +0000
    Mozilla has issued a hot fix for Firefox that removes the Superfish root certificate from the browser’s trusted root store. The patch only removes the certificate if the Superfish software has been removed from the machine already, however. The Superfish adware performs SSL interception–essentially running man-in-the-middle attacks on connections to secure sites–in the name of […]
  • Seagate Business NAS Firmware Vulnerabilities Disclosed Mon, 02 Mar 2015 14:43:00 +0000
    Remote code execution vulnerabilities in Seagate Business NAS firmware were disclosed after a 100-plus day deadline passed without a fix from the vendor.
  • Uber Announces Breach of ‘Partner’ Information Mon, 02 Mar 2015 14:32:23 +0000
    Uber announced that attackers had compromised databases containing current and former driver partner names and license numbers.
  • Pharming Attack Targets Home Router DNS Settings Fri, 27 Feb 2015 19:07:25 +0000
    A pharming attack has been detected targeting home routers distributed from Brazil's largest telco, a rare instance of a web-based attack changing DNS settings in order to redirect traffic.
  • Threatpost News Wrap, February 27, 2015 Fri, 27 Feb 2015 16:30:39 +0000
    Mike Mimoso and Dennis Fisher discuss the news of the last week, including the Superfish fiasco, the Gemalto SIM hack controversy and the continuing NSA drama.
  • Video: Vitaly Kamluk on The Equation Group APT Fri, 27 Feb 2015 16:17:46 +0000
    Kaspersky Lab researcher Vitaly Kamluk discusses the Equation Group, claiming it is the most sophisticated advanced persistent threat group in the world.
  • Twitter Changes Abuse Reporting Process to Address Doxing Fri, 27 Feb 2015 16:11:32 +0000
    Twitter has revised and simplified its rules and process for reporting abusive behavior on the service, and users now have the ability to report people who are posting their personal information. The change essentially gives Twitter users a method to combat doxing, which is the process of dumping a victim’s personal information online. This often […]

# Reddit netsec

  • /r/netsec's Q1 2015 Information Security Hiring Thread Tue, 13 Jan 2015 01:40:17 -0800
    Overview

    If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.

    We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.

    Please reserve top level comments for those posting open positions.

    Rules & Guidelines
    • Include the company name in the post. If you want to be topsykret, go recruit elsewhere.
    • Include the geographic location of the position along with the availability of relocation assistance.
    • If you are a third party recruiter, you must disclose this in your posting.
    • Please be thorough and upfront with the position details.
    • Use of non-hr'd (realistic) requirements is encouraged.
    • While it's fine to link to the position on your company's website, provide the important details in the comment.
    • Mention if applicants should apply officially through HR, or directly through you.
    • Please clearly list citizenship, visa, and security clearance requirements.

    You can see an example of acceptable posts by perusing past hiring threads.

    Feedback

    Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)

    submitted by sanitybit
    [link] [104 comments]
  • Google's Pwnium V: the never-ending* Pwnium ... "For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*." Mon, 02 Mar 2015 19:56:18 +0000
    submitted by error9900
    [link] [2 comments]
  • Boston Key Party CTF 2015 write-ups Mon, 02 Mar 2015 12:58:49 +0000
    submitted by mathiasbynens
    [link] [4 comments]
  • Samba _netr_ServerPasswordSet Exploitability Analysis (CVE-2015-0240) Mon, 02 Mar 2015 18:25:57 +0000
    submitted by digicat
    [link] [comment]
  • How to catch integer overflows with template metaprogramming (Cap'n Proto Security Advisory) Tue, 03 Mar 2015 03:35:41 +0000
    submitted by edanite
    [link] [comment]
  • LogPOS - New Point of Sale Malware Using Mailslots Tue, 03 Mar 2015 02:02:41 +0000
    submitted by HectaMan
    [link] [1 comment]
  • Ubuntu Cloud PRNG seed Sun, 01 Mar 2015 22:23:41 +0000
    submitted by johnmountain
    [link] [70 comments]
  • ENISA Workshop on EU Threat Landscape (lots of slides) Mon, 02 Mar 2015 20:09:23 +0000
    submitted by digicat
    [link] [comment]
  • Advisory: Seagate NAS Remote Code Execution Vulnerability (multiple CVEs) Sun, 01 Mar 2015 04:29:05 +0000
    submitted by TheColonial
    [link] [22 comments]
  • Abusing RFC 5227 to DoS Windows hosts Sun, 01 Mar 2015 19:12:05 +0000

    RFC 5227 introduces a DoS vector for any host that honors the rules it defines, specifically section 2.1.1. This appears to apply to Windows Vista and later.

    When the host connects a new NIC to the network with TCP/IP it either attempts to use a statically configured IP address or requests one from an available DHCP server.

    In either case, once the host has an IP address it wants to use it broadcasts an ARP probe. The purpose of the probe is to determine if the IP address is free to use or if it has already been claimed on the local network segment.

    The ARP probe is a layer 2 broadcast with the following criteria:

    • The ARP source MAC is the MAC of the interface
    • The ARP source IP is 0.0.0.0
    • The ARP destination MAC is 00:00:00:00:00:00
    • The ARP destination IP is the IP address the host NIC is attempting to use

    When an ARP probe is broadcast all other hosts on that network become aware that the sender intends to use this IP address. There is then a short time period where the sender will wait.

    From all other hosts' perspectives the IP address defined in the ARP probe has effectively been claimed by the sender, although the sender has not yet decided for itself. During this time the sender is vulnerable to attack.

    If all other hosts interpret this ARP probe as the sender effectively having this IP address, then should the sender receive an ARP probe from another host claiming the same IP, the original sender would consider this other host to be using it and an IP conflict to exist.

    The RFC defines how the host should handle this in section 2.1.1 (https://tools.ietf.org/html/rfc5227):

    If during this period, from the beginning of the probing process until ANNOUNCE_WAIT seconds after the last probe packet is sent, the host receives any ARP packet (Request or Reply) on the interface where the probe is being performed, where the packet's 'sender IP address' is the address being probed for, then the host MUST treat this address as being in use by some other host, and should indicate to the configuring agent (human operator, DHCP server, etc.) that the proposed address is not acceptable.

    In the case where the host is using DHCP to obtain an address, the host will proceed to request another IP from the DHCP server should it encounter this issue.

    In the case where the host is using a statically defined address, it will need to revert to a 169.254.x.x/16 link local address.

    In each of these cases an ARP probe is also broadcast for the new address.

    A malicious host need only send an ARP to a vulnerable host at the correct time to effectively deny network service.

    For a malicious host to attempt to hide from a network administrator it could implement the following as part of the malicious ARP:

    • Set the source MAC address to anything other than itself.
      It might be best to set the source MAC as the destination MAC so that a switch administrator would have a difficult time finding which port it is coming from.
    • Implement a probability mechanism where malicious ARPs are not sent for every instance.
    • Send the malicious ARP probe to the target host as an L2 unicast rather than a broadcast.
    • Deny the use of a link local address through the same ARP mechanism so that it is less obvious that there was an address conflict.

    As a proof of concept I developed an application which does the above. It has two modes of operation, one which sends attacks whenever an ARP probe is detected on the network, and one which sends one attack ARP with the specified criteria.

    I tested this on Windows 7 and Windows 2008 R2 – both were vulnerable. My iPhone 5s with iOS 7.1.2 was not affected.

    As a recommended solution for system administrators who don’t want to pull their hair out trying to find something like this, you can edit a registry key to disable the IP address conflict detection feature.
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

    Cisco IOS with the IPDT feature enabled could cause similar IP DoS issues. Cisco has it documented on their website.

    Screenshots

    • Command line showing a listening attack.
      The program listens for all ARP probes and automatically DoS's the host sending them.
      The program receives an ARP probe from 00:0c:29:de:45:e8 indicating the host is turning up a NIC to use IP 192.168.100.23.
      The program sends a unicast ARP probe back to 00:0c:29:de:45:e8 saying that it is doing the same thing.

    Source code
    This code requires libpcap, but that should be it. I tested it on Linux but it should run on any unix-like machine.

    Available here: https://github.com/MJL85/rfc5227/blob/master/rfc5227.c

    This code is intended for educational purposes only.

    submitted by MichaelL85
    [link] [3 comments]
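The probe and conflict logic described in the post above, turned into detection code as an added example (this is not the author's libpcap tool). It parses raw ARP frames, records which MAC is probing which address, and flags a second claimant inside the ANNOUNCE_WAIT window, a probe delivered as L2 unicast, and an Ethernet source that disagrees with the ARP sender field. The victim MAC and IP are the ones from the screenshot description; the attacker MAC, the frames and the timestamps are constructed.

```python
import socket
import struct
from dataclasses import dataclass

ETH_BROADCAST, ZERO_MAC, ARP_REQUEST = b"\xff" * 6, b"\x00" * 6, 1
ANNOUNCE_WAIT = 2.0  # seconds; RFC 5227 section 1.1 default

@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet II + IPv4-over-Ethernet ARP frame (used here only to construct test input)."""
    return struct.pack("!6s6sH", eth_dst, eth_src, 0x0806) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def parse_arp(frame: bytes) -> ArpFrame:
    """Parse the 14-byte Ethernet header and the 28-byte ARP payload that follows it."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return ArpFrame(eth_dst, eth_src, op, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))

class ProbeConflictDetector:
    """Tracks RFC 5227 probes and flags frames that would make the prober abandon its address."""

    def __init__(self, window: float = ANNOUNCE_WAIT):
        self.window = window
        self.probing = {}  # candidate IP -> (ARP sender MAC of the prober, time of its last probe)

    def observe(self, frame: bytes, ts: float) -> list:
        a = parse_arp(frame)
        alerts = []
        is_probe = a.opcode == ARP_REQUEST and a.sender_ip == "0.0.0.0"
        # A probe claims its target IP; an ordinary request or reply claims its sender IP.
        claimed_ip = a.target_ip if is_probe else a.sender_ip
        if a.eth_src != a.sender_mac:
            alerts.append(f"L2 source {mac_str(a.eth_src)} disagrees with ARP sender {mac_str(a.sender_mac)}")
        if is_probe and a.eth_dst != ETH_BROADCAST:
            alerts.append(f"unicast ARP probe for {claimed_ip} addressed to {mac_str(a.eth_dst)}")
        entry = self.probing.get(claimed_ip)
        if entry is not None and ts - entry[1] <= self.window and a.sender_mac != entry[0]:
            alerts.append(f"conflict for {claimed_ip}: {mac_str(a.sender_mac)} claimed it within "
                          f"ANNOUNCE_WAIT of the probe by {mac_str(entry[0])}")
        if is_probe and (entry is None or entry[0] == a.sender_mac):
            self.probing[claimed_ip] = (a.sender_mac, ts)  # first probe, or a repeat by the same host
        return alerts

VICTIM_MAC = bytes.fromhex("000c29de45e8")    # this MAC and the IP below are from the post's screenshot
ATTACKER_MAC = bytes.fromhex("000c29aabbcc")  # constructed value

def demo():
    """Replay two constructed frames: the victim's legitimate probe, then a spoofed unicast counter-probe."""
    det = ProbeConflictDetector()
    legit = build_arp(ETH_BROADCAST, VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, "0.0.0.0", ZERO_MAC, "192.168.100.23")
    # The counter-probe is unicast to the victim with its L2 source forged as the victim's own MAC
    forged = build_arp(VICTIM_MAC, VICTIM_MAC, ARP_REQUEST, ATTACKER_MAC, "0.0.0.0", ZERO_MAC, "192.168.100.23")
    return det.observe(legit, 0.0), det.observe(forged, 0.4)

if __name__ == "__main__":
    for alerts in demo():
        print(alerts or ["no alert"])
```

On a real capture the same `observe` call can be fed from any libpcap binding; a legitimate second probe by the same host only refreshes the window, so repeated probes from one NIC do not alert.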

# Krebs On Security

  • Natural Grocers Investigating Card Breach Mon, 02 Mar 2015 05:07:08 +0000
    Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating "a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data."
  • Spam Uses Default Passwords to Hack Routers Thu, 26 Feb 2015 17:06:08 +0000
    In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam […]
  • Webnic Registrar Blamed for Hijack of Lenovo, Google Domains Thu, 26 Feb 2015 06:41:30 +0000
    Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google's Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

# Bruce Schneier's blog

  • The Democratization of Cyberattack Mon, 02 Mar 2015 06:49:13 -0600
    The thing about infrastructure is that everyone uses it. If it's secure, it's secure for everyone. And if it's insecure, it's insecure for everyone. This forces some hard policy choices. When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's...
  • Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other Fri, 27 Feb 2015 16:00:16 -0600
    Scientists are attaching cameras to Humboldt squid to watch them communicate with each other. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • Data and Goliath Book Tour Fri, 27 Feb 2015 14:32:59 -0600
    Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello....
  • Everyone Wants You To Have Security, But Not from Them Thu, 26 Feb 2015 06:47:07 -0600
    In December, Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place...
  • Snowden-Greenwald-Poitras AMA Wed, 25 Feb 2015 13:54:15 -0600
    Glenn Greenwald, Laura Poitras, and Edward Snowden did an "Ask Me Anything" on Reddit. Point out anything interesting in the comments. And note that Snowden mentioned my new book: One of the arguments in a book I read recently (Bruce Schneier, "Data and Goliath"), is that perfect enforcement of the law sounds like a good thing, but that may not...
  • "Surreptitiously Weakening Cryptographic Systems" Wed, 25 Feb 2015 06:09:12 -0600
    New paper: "Surreptitiously Weakening Cryptographic Systems," by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart. Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different...
  • Twitpic Tue, 24 Feb 2015 13:17:04 -0600
    On Monday, I asked Adm. Rogers a question. EDITED TO ADD: The question....
  • AT&T Charging Customers to Not Spy on Them Tue, 24 Feb 2015 06:33:04 -0600
    AT&T is charging a premium for gigabit Internet service without surveillance: The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which...
  • Cell Phones Leak Location Information through Power Usage Mon, 23 Feb 2015 10:30:57 -0600
    New research on tracking the location of smart phone users by monitoring power consumption: PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental...
  • Friday Squid Blogging: Squid Can Recode Their Genetic Makeup Fri, 20 Feb 2015 16:06:33 -0600
    This is freaky: A new study showcases the first example of an animal editing its own genetic makeup on-the-fly to modify most of its proteins, enabling adjustments to its immediate surroundings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

# WIRED Threat Level

# exploit-db.com

# Securiteam

  • CURL/libcURL Curl_easy_duphandle() Information Disclosure Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
  • EGroupware Admin.uiaccounts.add_user Menu Cross-Site Request Forgery Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests
  • Espo CRM 'install/index.php' Cross Site Scripting Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php.
  • F5 BIG-IP XML Information Disclosure Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements.
  • Ghostscript Library Search Path Local Privilege Escalation Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory
  • GNU Wget Symlink Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
  • Incredible PBX 11 'reminders/index.php' Remote Command Execution Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    reminders/index.php in Incredible PBX 11 2.0.6.5.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) APPTMIN, (2) APPTHR, (3) APPTDA, (4) APPTMO, (5) APPTYR, or (6) APPTPHONE parameters.
  • LibreOffice Use After Free Remote Code Execution Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599.
  • Linux Kernel KVM Denial Of Service Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.
  • Microsoft Internet Explorer Privilege Escalation Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability."
  • Microsoft Office Invalid Pointer Memory Corruption Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Invalid Pointer Remote Code Execution Vulnerability."
  • Microsoft SharePoint Server Privilege Escalation Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2010 SP2 allows remote authenticated users to inject arbitrary web script or HTML via a modified list, aka "SharePoint Elevation of Privilege Vulnerability."
  • OpenStack Horizon Network Name HTML Injection Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.
  • OpenStack Horizon Resource Name Cross Site Scripting Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template
  • Pandora FMS 'index.php' Cross Site Scripting Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Cross-site scripting (XSS) vulnerability in the Page visualization agents in Pandora FMS 5.1 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via the refr parameter to index.php.
  • PHP 'date_from_ISO8601()' Function Buffer Overflow Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.
  • Ruby Incomplete Fix XML External Entity Denial Of Service Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack.
  • Samsung Mobile Devices Remote Controls Feature Denial Of Service Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
  • Tcpdump 'geonet_print()' Function Denial Of Service Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    Multiple integer underflows in the geonet_print function in tcpdump 4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame.
  • TestLink 'execSetResults.php' PHP Object Injection Vulnerabilities Fri, 27 Feb 2015 00:00 GMT
    lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter.