Hackin9
RETIRED: HP OneView CVE-2014-2602 Unspecified Remote Privilege Escalation Vulnerability
 

We are announcing a new feature we have been working on for a while: live statistics on the passwords used by SSH brute-forcing bots. We have also updated the script that lets you contribute data to this effort. Right now we support the kippo honeypot as a data source. The script submits the usernames, passwords and attacker IP addresses found in your kippo logs to our system.

To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl .

The script uses a new REST API to upload logs to our system. To use it, you will need your API key, which you can retrieve from https://isc.sans.edu/myinfo.html (look in the lower half of the page for the "report parameters").

For data we are collecting so far, see https://isc.sans.edu/ssh.html .

If you have systems other than kippo that collect similar information (we like to collect username, password and IP address), please let me know and I will see if we can add that log format to this client.

By contributing your logs, you help us better understand who performs these attacks and why, and which passwords are the "must avoid" ones. Note, for example, that some of the passwords these scripts try are not necessarily trivial, but they may be common enough to be worthwhile brute-forcing targets.
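As an added illustration (this is not the ISC client script, whose REST upload details are not shown on this page), the following Python parses kippo's login-attempt log lines into the (IP, username, password) triples the diary describes and computes the kind of per-password statistics the new page displays. The log layout is the kippo.log format as assumed here, and the sample lines are constructed for the example, not real captures.

```python
import re
from collections import Counter, defaultdict

# Assumed kippo log layout: the transport bracket carries the session id and the
# attacker IP, and every guess is logged as "login attempt [user/password] failed|succeeded".
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample lines (not from a real honeypot); two sources, six guesses,
# plus one unrelated line that the parser must skip.
SAMPLE_LOG = """\
2014-07-23 10:15:22+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/123456] failed
2014-07-23 10:15:24+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/password] failed
2014-07-23 10:15:27+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.5] login attempt [root/P@ssw0rd] failed
2014-07-23 10:16:01+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.9] login attempt [root/123456] failed
2014-07-23 10:16:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.9] login attempt [admin/admin] failed
2014-07-23 10:16:05+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.9] login attempt [root/toor] succeeded
2014-07-23 10:16:07+0000 [kippo.core.honeypot.HoneyPotTransport,13,198.51.100.9] connection lost
"""


def parse_kippo(text):
    """Yield one dict (ts, ip, user, password, result) per login attempt.

    Lines that are not login attempts (connection setup, commands, ...) are skipped.
    """
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def password_stats(attempts):
    """Return (attempts per password, distinct source IPs per password).

    A password tried by many different sources is the "must avoid" kind the
    diary talks about, even when it does not look trivial.
    """
    per_password = Counter()
    sources = defaultdict(set)
    for a in attempts:
        per_password[a["password"]] += 1
        sources[a["password"]].add(a["ip"])
    return per_password, {pw: len(ips) for pw, ips in sources.items()}


def submission_records(text):
    """Shape each attempt as the (ip, username, password) triple the client reports."""
    return [(a["ip"], a["user"], a["password"]) for a in parse_kippo(text)]


if __name__ == "__main__":
    counts, spread = password_stats(parse_kippo(SAMPLE_LOG))
    for pw, n in counts.most_common():
        print(f"{pw!r}: {n} attempts from {spread[pw]} source(s)")
    print(submission_records(SAMPLE_LOG))
```

Run against a real kippo.log the same way; any line the regular expression does not recognise is ignored, so an unexpected format shows up as an empty result rather than bad data.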

---

Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The partnership announced last week isn't just about selling more iPhones. It's part of a big push into the Internet of Things.
 
A California court has allowed a privacy class action suit against Google to continue, though only in part.
 
Three new services -- Flow, Glip and Slingshot -- try to enhance the ability of teams to converse and collaborate using a variety of tools.
 
Apple faces in a state court in California a class action suit that its employees were not provided timely meal breaks, rest breaks and final paychecks, according to the lawyer for the employees.
 
A company that specializes in selling information on software vulnerabilities has reignited a debate over the handling of such information, especially when it pertains to privacy-focused tools.
 
Mozilla Firefox/Thunderbird CVE-2014-1559 Security Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1547 Multiple Memory Corruption Vulnerabilities
 
Mozilla Firefox/Thunderbird CVE-2014-1556 Remote Code Execution Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1555 Use After Free Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1557 Remote Code Execution Vulnerability
 
Apple sold 4.4 million Macs in the June quarter, the most ever for that three-month stretch, with an annual growth rate the rest of the PC industry hasn't seen since 2010.
 
Microsoft paid more than $7 billion for Nokia's handset and services business, and the jury is still out as to what it means for its future. In the past quarter it boosted Microsoft's revenue but also ate into its profit.
 
Apple reported its quarterly numbers on Tuesday, a mixed bag that saw profits rise up but sales fall short of the mark. Here are five takeaways from the earnings call that followed.
 
Wireless broadband subscriptions now outnumber people in seven countries as consumers continue to snap up smartphones and tablets, according to a new report.
 
Mozilla Firefox/Thunderbird CVE-2014-1544 Use After Free Memory Corruption Vulnerability
 
Apple has racked up another hugely profitable quarter on sales of iPhones and Macintosh computers, though its revenue growth was slower than expected.
 
Linux Kernel 'sctp_association_free()' Function Denial of Service Vulnerability
 
Linux Kernel '/fs/aio.c' Local Information Disclosure Vulnerability
 
Oracle is combining its BlueKai consumer data aggregation platform with other parts of its catalog to create Oracle Data Cloud, a data-as-a-service offering aimed at companies that want to reach customers and prospects across multiple channels.
 
Breaking up is hard to do, but could a split be in store soon for EMC and VMware?
 
Strong sales of cloud products to businesses helped lift Microsoft's revenue by 18 percent last quarter, though its profits declined.
 
ARM is developing its second wave of 64-bit processors as it tries to maintain its edge over Intel in smartphones and tablets.
 
Apple has racked up another hugely profitable quarter on sales of iPhones and Macintosh computers, though its revenue growth was slower than expected.
 
Following through on promises from new CEO Satya Nadella, Microsoft continues to add support for non-Microsoft technologies, allowing them to run well on the company's Azure cloud hosting platform.
 
 

Developers of the Tor privacy service say they're close to fixing a weakness that researchers for an abruptly canceled conference presentation said provides a low-cost way for adversaries to deanonymize hundreds of thousands of users.

The talk previously scheduled for next month's Black Hat security conference in Las Vegas was titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget." The abstract said that the hack cost less than $3,000 and could uncloak hundreds of thousands of users. On Monday, Black Hat organizers said the presentation was canceled at the request of attorneys from Carnegie Mellon University (CMU), where the researchers were employed, as well as the Software Engineering Institute (SEI). The attorneys said only that the materials to be presented "have not yet been approved by CMU/SEI for public release." Researchers Alexander Volynkin and Michael McCord have yet to explain why their talk was pulled.

Tor officials responded by saying that they're working on an update for individual Tor relay nodes that will close the unspecified security hole.


 

Now that the XMLRPC "pingback" DDoS problem in WordPress is increasingly under control, the crooks seem to be moving on to brute-force password guessing via the "wp.getUsersBlogs" method of xmlrpc.php. ISC reader Robert sent in logs that show a massive distributed attempt (more than 3000 source IPs) at guessing passwords on his WordPress installation. The requests look like the one shown below

and are POSTed to xmlrpc.php. Unfortunately, the web server responds with 200 OK in every case, because the POST to xmlrpc.php itself WAS successful: the "403" authentication error is carried inside the XML message that the server returns as the response payload, not in the HTTP status line. Hence, relying on plain HTTP web server logs is not sufficient to determine what is going on. A related problem is that "traditional" means of curbing brute-force attacks in WordPress, such as BruteProtect, are less effective here, because most of these add-ons watch only wp-login.php and the associated wp_login_failed result, which does not trigger in the case of an xmlrpc login error.

If you are seeing similar attacks, and have found an effective way of thwarting them, please share in the comments below.
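Because the failure is signalled inside the XML-RPC body rather than in the HTTP status, detection has to inspect the request and response payloads. The following Python is an added example (not from the diary and not from any WordPress plugin) that does exactly that: it identifies wp.getUsersBlogs calls, recognises the faultCode 403 fault WordPress returns for a bad username or password, and counts failures per source IP, while also showing that a status-code-only rule sees nothing. The sample events are constructed with the standard library's xmlrpc.client; the source addresses and the threshold are illustrative.

```python
import xmlrpc.client
from collections import Counter

# XML-RPC methods whose first two parameters are username and password.
# wp.getUsersBlogs is the one the diary reports being abused.
LOGIN_METHODS = {"wp.getUsersBlogs"}


def parse_login_attempt(request_body):
    """Return (method, username) for a credentialed XML-RPC call, else None."""
    try:
        params, method = xmlrpc.client.loads(request_body)
    except Exception:  # malformed XML, or a methodResponse rather than a methodCall
        return None
    if method in LOGIN_METHODS and len(params) >= 2:
        return method, str(params[0])
    return None


def response_is_auth_failure(response_body):
    """True when the body is an XML-RPC <fault> with faultCode 403.

    This is what WordPress returns for a wrong password; the HTTP status is still 200.
    """
    try:
        xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault as fault:
        return fault.faultCode == 403
    except Exception:
        return False
    return False


def find_bruteforcers(events, threshold=3):
    """events: iterable of (src_ip, http_status, request_body, response_body).

    Returns (flagged sources, failures per source, hits a status>=400 rule would get).
    """
    failures = Counter()
    status_only_hits = 0
    for ip, status, req, resp in events:
        if status >= 400:
            status_only_hits += 1
        if parse_login_attempt(req) and response_is_auth_failure(resp):
            failures[ip] += 1
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return flagged, failures, status_only_hits


# --- constructed sample traffic (not from the reader's logs) ---------------------
def make_call(user, password, method="wp.getUsersBlogs"):
    return xmlrpc.client.dumps((user, password), methodname=method)


FAULT_403 = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True
)
OK_RESPONSE = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "example"}],), methodresponse=True
)
PING_CALL = xmlrpc.client.dumps(
    ("http://203.0.113.1/a", "http://example.org/b"), methodname="pingback.ping"
)

SAMPLE_EVENTS = [
    ("203.0.113.5", 200, make_call("admin", "admin123"), FAULT_403),
    ("203.0.113.5", 200, make_call("admin", "password"), FAULT_403),
    ("203.0.113.5", 200, make_call("admin", "letmein"), FAULT_403),
    ("198.51.100.9", 200, make_call("editor", "s3cret"), FAULT_403),
    ("192.0.2.10", 200, make_call("author", "correct-horse"), OK_RESPONSE),
    ("192.0.2.10", 200, PING_CALL, OK_RESPONSE),  # not a login call, must not count
]

if __name__ == "__main__":
    flagged, per_ip, naive = find_bruteforcers(SAMPLE_EVENTS)
    print("flagged:", flagged, "per source:", dict(per_ip), "status-only hits:", naive)
```

In production the request and response bodies come from a reverse proxy, a WAF log, or a mod_security audit log rather than the access log; the access log alone only ever shows the 200.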

 
Cisco says small cell technology is primed for explosive growth as it plans to connect 3G and LTE cellular networks to Wi-Fi access points that are already widely deployed in many enterprise facilities.
 
The 300-pound humanoid robot working on the International Space Station is in the midst of getting a series of upgrades, including new processors and software in preparation of having a pair of legs attached to it.
 
Apple today will reveal its Q2 revenue and device sales during a conference call with Wall Street. Here's what to listen out for.
 
Google is trying out a new Google Maps feature said to provide people with more information about their destinations, or about nearby points of interest, reports say.
 
An industrious design graduate from the University of Edinburgh has posted a 3D printing CAD file for a wrist ban that allows users to insert an iPod Nano, which can act as a watch, music player and more.
 
The U.S. Patent and Trademark Office served up further evidence on Tuesday that Apple is designing a smart watch when it awarded the company a patent for a wrist-worn gadget with a touchscreen and ability to communicate with a smartphone.
 
Intel today unveiled its Pro 2500 series of flash drives, which include 2.5-in. drives and M.2 flash cards for mobile devices.
 
Developers of Tor software believe they've identified a weakness that was scheduled to be revealed at the Black Hat security conference next month that could be used to de-anonymize Tor users.
 
Teradata has bought the assets of Revelytix and Hadapt in a bid to grow out its capabilities for the Hadoop big-data processing framework.
 
[security bulletin] HPSBMU03071 rev.1 - HP Autonomy IDOL, Running OpenSSL, Remote Unauthorized Access, Disclosure of Information
 
Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability
 
Chinese smartphone maker Xiaomi jokes that its newest handset, built out of stainless steel, is like a "kitchen knife," but iPhone-esque might be the better comparison.
 
I'd never confuse Amazon, Facebook or doubleClick with the NSA, but I still don't like being tracked online. Tracking is more than just annoying; it lets unscrupulous companies that scarf up user data turn around and sell your information, and despite statements to the contrary, the collection isn't always done anonymously.
 
Apache HTTP Server CVE-2014-0117 Remote Denial of Service Vulnerability
 
Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
 
Cross-site Scripting in EventLog Analyzer 9.0 build #9000
 
[oCERT-2014-004] Ansible input sanitization errors
 
Call for Papers / Speakers for ISACA Ireland Conference on 3rd Oct in Dublin
 

ISC reader James had just installed "Foxit Reader" on his iPhone, and had answered "NO" to the question "In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data...", when he noticed his phone talking to China anyway. The site contacted was alog.umeng.com (211.151.151.7). Umeng is an "application telemetry" and online advertising company. Below is what was sent (some of the ids are masked or have been obfuscated)

I particularly like the "is_pirated: No". It goes well with "is_snooping: Yes", which is, however, missing from the exchange...

 
Record numbers of new tablet users, and the first rise in fixed-line revenue in seven years, drove Verizon Communications' second-quarter revenue up 5.7 percent year on year, it reported Tuesday.
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5, 6, and 7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: CUPS could be made to expose sensitive information, leading to privilege escalation.