Hackin9

Nathan reported today that he has been seeing a new trend of web scanning against his webservers looking for /info/whitelist.pac. The scanning he has observed is over SSL. He has been observing this activity since 22 Aug.

[22/Aug/2014:18:55:32 -0500]	xx.12.93.178	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[...]
[14/Sep/2014:11:10:05 -0500]	xx.216.137.7	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:13:16:19 -0500]	xx.174.190.254	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:14:03:48 -0500]	xx.252.188.49	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:17:10:40 -0500]	xx.17.199.47	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[14/Sep/2014:21:10:26 -0500]	xx.13.136.13	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:06:30:15 -0500]	xx.10.51.74	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
[16/Sep/2014:14:03:54 -0500]	xx.240.174.203	GET /info/whitelist.pac HTTP/1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Is anyone else seeing similar activity against their webservers?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
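To answer the diary's question from your own logs, the check below flags every request for the watched path and summarises who asked, when, and with which User-Agent. It is an added example, not code from the diary or from ISC; it assumes the access-log layout shown above (bracketed CLF timestamp, client address, request line, User-Agent, separated by whitespace) and uses constructed sample lines with RFC 5737 documentation addresses in place of the masked "xx." sources.

```python
"""Flag requests for a watched path (here /info/whitelist.pac) in web-server
access logs laid out like the ISC diary excerpt:
[timestamp] <ws> client <ws> request line <ws> user agent."""
import json
import re
from collections import Counter
from datetime import datetime

# Fields are separated by runs of whitespace (tabs or spaces); the timestamp is
# the Apache/CLF style "[dd/Mon/yyyy:HH:MM:SS -zzzz]".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d\s+(?P<ua>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probes(lines, watched_path="/info/whitelist.pac"):
    """Summarise every request for watched_path: hit count, distinct sources,
    first/last timestamp and the User-Agent strings used. The query string is
    ignored so "/info/whitelist.pac?x=1" still counts."""
    hits = [
        r for r in map(parse_line, lines)
        if r and r["path"].split("?")[0].lower() == watched_path
    ]
    if not hits:
        return {"hits": 0, "sources": [], "user_agents": {}, "first": None, "last": None}
    times = sorted(r["ts"] for r in hits)
    return {
        "hits": len(hits),
        "sources": sorted({r["src"] for r in hits}),
        # One identical User-Agent across many sources is itself a useful
        # signal that the requests come from the same tool.
        "user_agents": dict(Counter(r["ua"] for r in hits)),
        "first": times[0].isoformat(),
        "last": times[-1].isoformat(),
    }


# Constructed sample: RFC 5737 documentation addresses stand in for the masked
# "xx." addresses in the diary; the last line is ordinary traffic for contrast.
SAMPLE_LOG = [
    "[22/Aug/2014:18:55:32 -0500]\t192.0.2.178\tGET /info/whitelist.pac HTTP/1.1\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "[14/Sep/2014:11:10:05 -0500]\t198.51.100.7\tGET /info/whitelist.pac HTTP/1.1\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "[14/Sep/2014:13:16:19 -0500]\t198.51.100.7\tGET /info/whitelist.pac?x=1 HTTP/1.1\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "[16/Sep/2014:06:30:15 -0500]\t203.0.113.74\tGET /index.html HTTP/1.1\tMozilla/5.0 (X11; Linux x86_64)",
]

if __name__ == "__main__":
    # Point this at a real file with: find_probes(open("access.log"))
    print(json.dumps(find_probes(SAMPLE_LOG), indent=2))
```

Because the scanning was seen over SSL, run this against the HTTPS virtual host's log, not only the plain-HTTP one; a hit list with several sources and one identical User-Agent is the pattern the diary describes.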

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," Home Depot said in its statement. "The hacker's method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."


 

With today being "buy an Apple phone" day it should not be surprising that there are already some phishing emails going around to try and take advantage of the publicity.  

Jan sent this in this morning (thanks):

-------------
Dear Client,

We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.

just click the link below and follow the steps our request form

Update now...

This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.

Apple Client Support.
-------------

A variation on the many phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone.

Maybe a reminder to staff as well as friends and family to ignore emails that say "click here".

Happy buying a phone day or if not phonically inclined, happy talk like a pirate day, or just plain enjoy your Friday. 

Mark 

 

 

 
Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability
 
CloudFlare has developed a way to separate SSL from private crypto keys, making it easier for companies to use the cloud to protect their networks.

Content delivery network and Web security company CloudFlare has made a name for itself by fending off denial-of-service attacks against its customers large and small. Today, it's launching a new service aimed at winning over the most paranoid of corporate customers. The service is a first step toward doing for network security what Amazon Web Services and other public cloud services have done for application services—replacing on-premises hardware with virtualized services spread across the Internet.

Called Keyless SSL, the new service allows organizations to use CloudFlare’s network of 28 data centers around the world to defend against distributed denial of service attacks on their websites without having to turn over private encryption keys. Keyless SSL breaks the encryption “handshake” at the beginning of a Transport Layer Security (TLS) Web session, passing part of the data back to the organization’s data center for encryption. It then negotiates the session with the returned data and acts as a gateway for authenticated sessions—while still being able to screen out malicious traffic such as denial of service attacks.

In an interview with Ars, CloudFlare CEO Matthew Prince said that the technology behind Keyless SSL could help security-minded organizations embrace other cloud services while keeping a tighter rein on them. “If you decide you’re going to use cloud services today, how you set policy across all of these is impossible," he said. "Now that we can do this, fast forward a year, and we can do things like data loss prevention, intrusion detection… all these things are just bytes in the stream, and we’re already looking at them.”
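The split the article describes, with the private-key step shipped back to the owner's data center and everything else handled at the edge, can be shown in a few dozen lines. The code below is an added illustration, not CloudFlare's implementation or protocol: it assumes the RSA key-exchange form of the TLS handshake, in which the one private-key operation is decrypting the client's encrypted premaster secret, and it uses textbook RSA with tiny primes so the arithmetic is visible (a toy, not a secure implementation). The `KeyServer`, `Edge` and `derive_session_key` names are the example's own.

```python
"""Keyless-SSL-style split of an RSA key-exchange handshake. The edge (the CDN
node) terminates the TLS session but never holds the private key; the single
private-key operation, decrypting the client's encrypted premaster secret, is
forwarded to a key server in the origin's data center and only the result comes
back. Toy RSA (p=61, q=53) keeps the numbers readable; real keys are 2048-bit."""
import hashlib
import os

P, Q = 61, 53
N = P * Q                           # 3233, the public modulus
E = 17                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753, the private exponent


class KeyServer:
    """Runs inside the origin's data center. Holds the private key and only
    answers 'decrypt this premaster' requests; the key itself never leaves."""

    def __init__(self, d, n):
        self._d, self._n = d, n
        self.operations = 0          # audit counter: one call per handshake

    def decrypt_premaster(self, ciphertext):
        self.operations += 1
        return pow(ciphertext, self._d, self._n)


class Edge:
    """CDN node that sees the whole handshake. It knows only the public key
    (n, e) and delegates the private-key step to the key server."""

    def __init__(self, n, e, key_server):
        self.n, self.e, self.key_server = n, e, key_server
        self.server_random = None

    def server_hello(self):
        self.server_random = os.urandom(8)
        return self.server_random

    def complete_handshake(self, client_random, encrypted_premaster):
        # The edge cannot undo the client's RSA encryption itself; it ships
        # the ciphertext home and gets the premaster back.
        premaster = self.key_server.decrypt_premaster(encrypted_premaster)
        return derive_session_key(premaster, client_random, self.server_random)


def derive_session_key(premaster, client_random, server_random):
    """Both ends derive the same session key from the premaster and both
    nonces (a stand-in for the TLS PRF)."""
    material = premaster.to_bytes(2, "big") + client_random + server_random
    return hashlib.sha256(material).hexdigest()


def run_handshake():
    """Simulate client <-> edge <-> key server. Returns the client's and the
    edge's session keys and how many times the key server was consulted."""
    key_server = KeyServer(D, N)
    edge = Edge(N, E, key_server)

    # Client side: pick nonces and a premaster secret below the modulus,
    # encrypt the premaster to the site's public key.
    client_random = os.urandom(8)
    server_random = edge.server_hello()
    premaster = 2 + int.from_bytes(os.urandom(2), "big") % (N - 2)
    encrypted_premaster = pow(premaster, E, N)
    client_key = derive_session_key(premaster, client_random, server_random)

    # Edge side: finish the handshake without ever seeing D.
    edge_key = edge.complete_handshake(client_random, encrypted_premaster)
    return client_key, edge_key, key_server.operations, edge


if __name__ == "__main__":
    c, s, ops, _ = run_handshake()
    print("session keys match:", c == s, "| key-server operations:", ops)
```

The property worth checking is visible in `run_handshake`: the edge object holds `N` and `E` but never `D`, so compromising the edge yields session keys for sessions it terminated but not the long-term private key, and the key server's counter gives the origin a per-handshake audit trail of private-key use.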


 

Tackle Information Security from the Ground Up with "The InfoSec Handbook ...
DigitalJournal.com
"The InfoSec Handbook" is co-written by Umesh Hodeghatta Rao and Umesha Nayak. Professor Rao is on the faculty in the field of Information Systems at Xavier Institute of Management, Bhubaneswar, India. He has more than twenty years of experience in IT ...

 

---
Johannes B. Ullrich, Ph.D.

 

Posted by InfoSec News on Sep 18

http://www.csoonline.com/article/2685234/data-protection/fixing-healthcare-gov-security.html

By Antone Gonsalves
CSO
Sep 17, 2014

While the security weaknesses found in HealthCare.gov by a U.S. government
watchdog need to be addressed, they are not unusual for sites as complex
as the federal insurance exchange, experts say.

In a report released Tuesday, the Government Accountability Office found
problems in the "technical controls...
 

Posted by InfoSec News on Sep 18

http://www.washingtontimes.com/news/2014/sep/17/chinese-hackers-successfully-attacked-military-con/

By Douglas Ernst
The Washington Times
September 17, 2014

A yearlong investigation into cyberattacks on U.S. military contractors
for U.S. Transportation Command found that 50 such incidents occurred over
the 12 months beginning June 1, 2012.

“These peacetime intrusions into the networks of key defense contractors
are more evidence of...
 

Posted by InfoSec News on Sep 18

http://arstechnica.com/tech-policy/2014/09/senior-it-worker-at-top-tech-law-firm-arrested-for-insider-trading/

By Joe Mullin
Ars Technica
Sept 17 2014

A senior IT employee with the law firm Wilson Sonsini Goodrich & Rosati
has been arrested for grabbing the firm's confidential client information
and using it to trade stocks.

FBI agents arrested 41-year-old Dimitry Braverman at his San Mateo,
California, home on Tuesday morning,...
 

Posted by InfoSec News on Sep 18

http://blogs.wsj.com/digits/2014/09/18/siemens-backs-israeli-predictive-malware-cyber-firm-cyactive/

By CHRISTOPHER ALESSI
Wall Street Journal - Digits
Sept 18, 2014

The venture capital unit of German industrial giant Siemens said Thursday
it was investing an undisclosed sum in Israeli cyber-security startup
CyActive.

Launched in 2013, CyActive gained traction earlier this year when it was
accepted into the Cyber Labs startup incubator, an...
 

Posted by InfoSec News on Sep 18

http://english.peopledaily.com.cn/n/2014/0918/c90780-8784206.html

Global Times
September 18, 2014

According to foreign media outlets, Ma Jisheng, who served as Chinese
ambassador to Iceland, was allegedly arrested by the Ministry of State
Security earlier this year on suspicion of passing intelligence to Japan.
In recent years, we have frequently witnessed vicious incidents where top
Chinese diplomats, military officers and senior research...
 