North Korea Experiencing Internet Outages, Raising Questions About US Retaliation

Is it coincidence, or is a DDoS on North Korea's Internet infrastructure a "proportional response" by the US?

Cluster of Tor servers taken down in unexplained outage

On Friday, a warning of a possible effort to hijack significant portions of the anonymizing Tor network was leaked to the Tor Project. And over the weekend, a cluster of servers in a Netherlands data center that were used as Tor “exit nodes” and as mirrors for two Tor Project services were taken offline. However, it’s not clear who took the servers down or whether law enforcement was involved.

Thomas White, an operator of a large cluster of servers providing an exit point for Tor traffic in the Netherlands, reported to a Tor news list that there was suspicious activity overnight on the servers. The servers, according to DNS data, were hosted in a data center in Rotterdam.

“I have now lost control of all servers under the ISP and my account has been suspended,” White wrote late on Sunday, December 21, in his first message on the takedown. “Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.”

Madonna turns to the sneakernet after album leak

Sony Pictures isn’t the only entertainment giant dealing with a massive breach.

Music icon Madonna quickly released six tracks from her latest album last week after someone stole 13 prereleased recordings—reportedly the entire album—and leaked them to the Internet. The Material Girl is now keeping all of her production material off the networks, requiring her production crew to avoid wireless and deliver files by hand-carrying hard drives, according to an interview with Billboard magazine published on December 21.

“We don’t put things up on servers anymore,” she said. “Everything we work on, if we work on computers, we’re not on WiFi, we’re not on the Internet, we don’t work in a way where anybody can access the information.”

Monday review – the hot 25 stories of the week

From Sony through Pirate Bay to the latest evolution of banking malware... Here's our weekly roundup so you can catch up easily.

#1337day Varnish Cache CLI Interface Remote Code Execution Exploit [remote #exploits #0day #Exploit]

#1337day Ettercap 0.8.0 / 0.8.1 Denial Of Service Exploit CVE-2014-6395 [dos #exploits #0day #Exploit]

#1337day Cacti Superlinks 1.4-2 Code Execution / LFI / SQL Injection Vulnerabilities [#0day #Exploit]

Attack code exploiting critical bugs in net time sync puts servers at risk

Several critical vulnerabilities in the protocol used to synchronize clock settings over the Internet are putting countless servers at risk of remote hijacks until they install a security patch, an advisory issued by the federal government warned.

The remote-code execution bugs reside in versions of the network time protocol daemon (ntpd) prior to 4.2.8, according to an advisory issued Friday by the Industrial Control Systems Cyber Emergency Response Team. In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.

"Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the [network time protocol daemon] process," the advisory warned. Exploit code that targets the vulnerabilities is publicly available. It's not clear exactly what privileges NTP processes get on the typical server, but a handful of knowledgeable people said they believed it usually involved unfettered root access. Even if the rights are limited, it's not uncommon for hackers to combine such exploits with privilege escalation attacks, which expand what a compromised process is allowed to control on the system.

#1337day vBulletin 4.2.2 Moderator Control Panel 4.2.2 CSRF Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Apple OS X GateKeeper Bypass Vulnerability CVE-2014-4391 [remote #exploits #Vulnerability #0day #Exploit]

#1337day ProjectSend – Cross Site Scripting Vulnerability CVE-2014-1155 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day GQ File Manager 0.2.5 Sql Injection / Cross Site Scripting Vulnerabilities [#0day #Exploit]

#1337day Codiad 2.4.3 Cross Site Scripting / Local File Inclusion Vulnerabilities [#0day #Exploit]

#1337day Piwigo 2.7.2 SQL Injection / Cross Site Scripting Vulnerabilities [webapps #exploits #Vulnerabilities #0day #Exploit]

Malware believed to hit Sony studio contained a cocktail of badness

The highly destructive malware believed to have hit the networks of Sony Pictures Entertainment contained a cocktail of malicious components designed to wreak havoc on infected networks, according to new technical details released by federal officials who work with private sector security professionals.

An advisory published Friday by the US Computer Emergency Readiness Team said the central malware component was a worm that propagated through the Server Message Block protocol running on Microsoft Windows networks. The worm contained brute-force cracking capabilities designed to infect password-protected storage systems. It acted as a "dropper" that then unleashed five components. The advisory, which also provided "indicators of compromise" that can help other companies detect similar attacks, didn't mention Sony by name. Instead, it said only that the potent malware cocktail had targeted a "major entertainment company." The FBI and White House have pinned the attack directly on North Korea, but so far have provided little proof.

"This worm uses a brute force authentication attack to propagate via Windows SMB shares," Friday's advisory stated. "It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2."

Cyber espionage targets Syrian activists, linked to ISIS

A cyber espionage campaign targeting activist groups in Syria is likely the work of the Islamic State of Iraq and Syria (ISIS), according to a report published on Thursday by CitizenLab, a research group at the University of Toronto’s Munk School of Global Affairs.

The attacks have targeted a group of Syrian activists, Raqqah Is Being Slaughtered Silently (RSS), that focuses on documenting human rights abuses in the northern Syrian city of Ar-Raqqah, which is currently occupied by ISIS, according to the analysis. The attacks used a tailored e-mail message to direct targeted users to an infected slideshow, purportedly showing locations of ISIS forces and U.S. airstrikes, but which, in reality, compromises the victim’s computer.

The attack does not result in remote access to a victim’s computer, but does result in a malicious program sending out occasional e-mail messages with data about the victim’s system and location, including the Internet protocol (IP) address, CitizenLab said in its analysis.

Hackers tell Sony “The Interview may release now”—with edits

In a message sent to company executives, someone claiming to represent the hacker group calling itself the Guardians of Peace has given Sony Pictures Entertainment the go-ahead to release the film The Interview—with some minor caveats. First of all, they want any death scene for Kim Jong-un dropped from the film.

"This is GOP. You have suffered through enough threats," the message, which was also posted to Pastebin, read. "The interview may release now. But be careful. September 11 may happen again if you don't comply with the rules: Rule #1: no death scene of Kim Jong Un being too happy;  Rule #2: do not test us again ; Rule #3: if you make anything else, we will be here ready to fight."

Sony dropped plans for the release of the film following the cancellation of screenings by major theater chains.

Computer intrusion inflicts massive damage on German steel factory

A German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace, according to a report published Friday by IDG News.

The attackers took control of the factory's production network through a spear phishing campaign, IDG said, citing a report published Wednesday by the German government's Federal Office for Information Security. Once the attackers compromised the network, individual components or possibly entire systems failed. IDG reporter Loek Essers wrote:

Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”

The attack involved the compromise of a variety of different internal systems and industrial components, BSI said, noting that not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process.

The incident is notable because it's one of the few computer intrusions to cause physical damage. The Stuxnet worm that targeted Iran's uranium enrichment program has been dubbed the world's first digital weapon, destroying an estimated 1,000 centrifuges. Last week, Bloomberg News reported that a fiery blast in 2008 that hit a Turkish oil pipeline was the result of hacking, although it's not clear whether the attackers relied on physical access to computerized controllers to pull it off. The suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb. Critics have long argued that many of the world's factories and much of its critical infrastructure aren't properly protected against hackers.

Time to Rethink Patching Strategies

In 2014, the National Vulnerability Database is expected to log a record-breaking 8,000 vulnerabilities. That's 8,000 reasons to improve software quality at the outset.

Bitcoin-based messaging could slip past censors

A computer science student has built a way to weave messaging into the underpinnings of Bitcoin that's both cheap and resistant to censorship.

Information-stealing ‘Vawtrak’ malware evolves, becomes more evasive

SophosLabs has recently observed some cunning changes made by the authors of the dangerous banking malware 'Vawtrak'. James Wyke explains.

Critical Git bug allows malicious code execution on client machines

Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.

The critical vulnerability affects all Windows- and Mac-based versions of the official Git client and related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to give remote code execution when the client software accesses booby-trapped Git repositories.

"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem."
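A server-side check for the kind of tree paths the advisory describes, written as an added example here and not the Git project's own code: it flags any path component that a case-insensitive filesystem would treat as ".git". It goes slightly beyond the advisory's text in also covering the NTFS 8.3 short name "git~1" and a set of code points that HFS+ ignores when comparing names; both are assumptions, and SAMPLE_TREE is a constructed listing.

```python
import unicodedata

# Code points HFS+ ignores when comparing file names (assumption: a subset of
# such code points, chosen for this example).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
                 0x202D, 0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E,
                 0x206F, 0xFEFF}


def normalize_hfs(name):
    """Approximate HFS+ name comparison: drop ignorable code points,
    decompose (NFD), then fold case."""
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped).casefold()


def normalize_ntfs(name):
    """Approximate NTFS/FAT name comparison: case-insensitive, trailing dots
    and spaces ignored, and 'git~1' is the 8.3 short name for '.git'."""
    folded = name.rstrip(". ").casefold()
    return ".git" if folded == "git~1" else folded


def is_dotgit_collision(component):
    """True if one path component would be treated as '.git' on HFS+ or
    NTFS/FAT, even though a case-sensitive filesystem keeps it distinct."""
    return normalize_hfs(component) == ".git" or normalize_ntfs(component) == ".git"


def suspicious_paths(paths):
    """Return the tree paths (as 'a/b/c' strings) that contain a colliding
    component; a pre-receive hook could reject a push containing any."""
    return [p for p in paths if any(is_dotgit_collision(c) for c in p.split("/"))]


# Constructed sample tree listing: the first three entries collide with .git
# on case-insensitive filesystems, the remaining three are legitimate.
SAMPLE_TREE = [
    ".Git/config",
    "GIT~1/hooks/post-checkout",
    ".g\u200cit/config",
    "src/main.c",
    ".gitignore",
    "docs/git-usage.md",
]
```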

[dos] – Ettercap 0.8.0-0.8.1 – Multiple Denial of Service Vulnerabilities

[webapps] – Cacti Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection Exploit

#1337day ProjectSend r-561 – Arbitrary File Upload Exploit [webapps #exploits #0day #Exploit]

#1337day SQL Buddy Remote Code Execution Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

12 million home and business routers vulnerable to critical hijacking hack

More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in "RomPager" software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send crafted HTTP cookies that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point's malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the "fortune" of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Determining precisely what routers are vulnerable is a vexing undertaking. Devices frequently don't display identifying banners when unauthenticated users access them, and when such banners are presented, they often don't include information about the underlying software components. Beyond that, some device manufacturers manually patch the bug without upgrading the RomPager version, a practice that may generate false positives when automatically flagging all devices running versions prior to 4.34. To work around the challenges, Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

#1337day Papoo CMS 6.0.0 Rev. 4701 – Stored XSS Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day miniBB 3.1 Blind SQL Injection Vulnerability CVE-2014-9254 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day GLPI 0.85 – Blind SQL Injection Vulnerability CVE: 2014-9258 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day E-Journal Multiple Vulnerabilities [webapps #exploits #Vulnerabilities #0day #Exploit]

SSCC 177 – Will Sony’s breach be the never ending story? [PODCAST]

Here's the latest episode of our regular security podcast. Enjoy!

Vawtrak: Crimeware Made-To-Order

A compartmentalized botnet with a wide selection of specialized web injects makes it easier to attack bank accounts across the globe.

Don’t let the Grinch steal Christmas: how to avoid festive fraudsters

Take a little more time to record what you've bought, from whom or where, and how much it cost - and don't let your guard slip at this hectic time of year.

Teenager pleads guilty to massive Spamhaus DDoS attack

A 17-year-old has pleaded guilty to taking part in the 2013 DDoS attack - the largest ever - against Spamhaus and internet exchanges.