Posts tagged ‘flash’

SANS Internet Storm Center, InfoCON: green: 11 Ways To Track Your Moves When Using a Web Browser, (Tue, Feb 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

There are a number of different use cases for tracking users as they use a particular web site. Some of them are more sinister than others. For most web applications, some form of session tracking is required to maintain the user's state. This is typically easily done using well-configured cookies (and is not the scope of this article). Sessions are meant to be ephemeral and will not persist for long.

On the other hand, some tracking methods do attempt to track the user over a long time, and in particular attempt to make it difficult to evade the tracking. This is sometimes done for advertisement purposes, but can also be done to stop certain attacks like brute forcing or to identify attackers that return to a site. In its worst case, from a privacy perspective, the tracking is done to follow a user across various web sites.

Over the years, browsers and plugins have provided a number of ways to restrict this tracking. Here are some of the more common techniques used for tracking, and how the user can prevent (some of) it:

1 – Cookies

Cookies are meant to maintain state between different requests. A browser will send a cookie with each request once it is set for a particular site. From a privacy point of view, the expiration time and the domain of the cookie are the most important settings. Most browsers will reject cookies set on behalf of a different site, unless the user permits these cookies to be set. A proper session cookie should not use an expiration date, as it should expire as soon as the browser is closed. Most browsers do offer means to review, control and delete cookies. In the past, a Cookie2 header was proposed for session cookies, but this header has been deprecated and browsers have stopped supporting it.

https://www.ietf.org/rfc/rfc2965.txt

http://tools.ietf.org/html/rfc6265
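The two attributes the paragraph above singles out, expiration and scope, are easy to audit mechanically. The following script is an added example (not part of the original diary) that parses Set-Cookie headers the way a browser sees them while rendering one page, classifies each cookie as session or persistent, and flags cookies that outlive a chosen threshold or that were set by a host outside the page's site. The headers, host names and threshold are constructed for the example, and the same-site check compares only the last two DNS labels, a simplification standing in for the public suffix list a real implementation would consult.

```python
"""Audit Set-Cookie headers for persistence and scope (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def same_site(host_a, host_b):
    """Crude same-site test on the last two labels (simplification: a real
    check would use the public suffix list, so co.uk-style domains are wrong here)."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def audit_cookies(page_host, set_cookies, now, max_days=30):
    """set_cookies: list of (responding_host, Set-Cookie header value).
    Returns one finding per cookie with its lifetime in days and any flags."""
    findings = []
    for responding_host, header in set_cookies:
        name, _value, attrs = parse_set_cookie(header)
        lifetime = cookie_lifetime(attrs, now)
        flags = []
        if lifetime is not None and lifetime > timedelta(days=max_days):
            flags.append("long-lived")
        if not same_site(page_host, responding_host):
            flags.append("third-party")
        findings.append({
            "name": name,
            "set_by": responding_host,
            "days": None if lifetime is None else lifetime.days,
            "flags": flags,
        })
    return findings


# Constructed sample: the page being rendered and the headers it received.
PAGE_HOST = "isc.sans.edu"
NOW = datetime(2015, 2, 24, tzinfo=timezone.utc)
SAMPLE = [
    ("isc.sans.edu", "SESSIONID=k9s2m1p0q7; Path=/; Secure; HttpOnly"),
    ("isc.sans.edu", "remember_me=3f1c9a; Max-Age=31536000; Path=/"),
    ("cdn.tracker.test",
     "uid=7f3a2b9c0d; Expires=Wed, 24 Feb 2027 00:00:00 GMT; Domain=.tracker.test; Path=/"),
]

if __name__ == "__main__":
    for finding in audit_cookies(PAGE_HOST, SAMPLE, NOW):
        print(finding)
```

Run against the sample, the session cookie produces no flags, the one-year "remember me" cookie is long-lived, and the cookie from the tracker host is both long-lived and third-party. Pointing the script at a HAR export or a proxy log of a real session is a quick way to see which sites are setting cookies that will still be there next year.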

2 – Flash Cookies (Local Shared Objects)

Flash has its own persistence mechanism. These Flash cookies are files that can be left on the client. They can not be set on behalf of other sites (cross-origin), but one SWF script can expose the content of an LSO to other scripts, which can be used to implement cross-origin storage. The best way to prevent Flash cookies from tracking you is to disable Flash. Managing Flash cookies is tricky and typically does require special plugins.

https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html

3 – IP Address

The IP address is probably the most basic tracking mechanism of all IP-based communication, but it is not always reliable, as users' IP addresses may change at any time and multiple users often share the same IP address. You can use various VPN products or systems like Tor to prevent your IP address from being used to track you, but this usually comes with a performance hit. Some modern JavaScript extensions (WebRTC in particular) can be used to retrieve a user's internal IP address, which can be used to resolve ambiguities introduced by NAT. But WebRTC is not yet implemented in all browsers. IPv6 may provide additional ways to use the IP address to identify users, as you are less likely to run into issues with NAT.

http://ipleak.net

4 – User Agent

The User-Agent string sent by a browser is hardly ever unique by default, but spyware sometimes modifies the User-Agent to add unique values to it. Many browsers allow adjusting the User-Agent and more recently, browsers started to reduce the information in the User-Agent or even made it somewhat dynamic to match the expected content. Non-Spyware plugins sometimes modify the User-Agent to indicate support for specific features.

5 – Browser Fingerprinting

A web browser is hardly ever one monolithic piece of software. Instead, web browsers interact with various plugins and extensions the user may have installed. Past work has shown that the combination of plugin versions and configuration options selected by the user tends to be amazingly unique, and this technique has been used to derive unique identifiers. There is not much you can do to prevent this, other than to minimize the number of plugins you install (but that may be an indicator in itself).

https://panopticlick.eff.org

6 – Local Storage

HTML 5 offers two new ways to store data on the client: Local Storage and Session Storage. Local Storage is most useful for persistent storage on the client, and with that user tracking. Access to local storage is limited to the site that sent the data. Some browsers implement debug features that allow the user to review the data stored. Session Storage is limited to a particular window and is removed as soon as the window is closed.

https://html.spec.whatwg.org/multipage/webstorage.html

7 – Cached Content

Browsers cache content based on the expiration headers provided by the server. A web application can include unique content in a page, and then use JavaScript to check whether the content is cached or not in order to identify a user. This technique can be implemented using images, fonts or pretty much any content. It is difficult to defend against unless you routinely (e.g. on closing the browser) delete all cached content. Some browsers allow you to not cache any content at all, but this can cause significant performance issues. Recently Google has been seen using fonts to track users, but the technique is not new. Cached JavaScript can easily be used to set unique tracking IDs.

http://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/

http://fontfeed.com/archives/google-webfonts-the-spy-inside/

8 – Canvas Fingerprinting

This is a more recent technique and in essence a special form of browser fingerprinting. HTML 5 introduced a Canvas API that allows JavaScript to draw images in your browser. In addition, it is possible to read back the image that was created. As it turns out, font configurations and other parameters are unique enough to result in slightly different images when identical JavaScript code is used to draw the image. These differences can be used to derive a browser identifier. Not much you can do to prevent this from happening. I am not aware of a browser that allows you to disable the canvas feature, and pretty much all reasonably up to date browsers support it in some form.

https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

9 – Carrier Injected Headers

Verizon recently started injecting specific headers into HTTP requests to identify users. As this is done in flight, it only works for HTTP and not HTTPS. Each user is assigned a specific ID, and the ID is injected into all HTTP requests as an X-UIDH header. Verizon offers a for-pay service that a web site can use to retrieve demographic information about the user. But just by itself, the header can be used to track users, as it stays linked to the user for an extended time.

http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

10 – Redirects

This is a variation on the cached content tracking. If a user is redirected using a 301 (Permanent Redirect) code, then the browser will remember the redirect and pull up the target page right away, without visiting the original page first. So for example, if you click on a link to isc.sans.edu, I could redirect you to isc.sans.edu/index.html?id=sometrackingid. Next time you go to isc.sans.edu, your browser will automatically go directly to the second URL. This technique is less reliable than some of the other techniques, as browsers differ in how they cache redirects.

https://www.elie.net/blog/security/tracking-users-that-block-cookies-with-a-http-redirect

11 – Cookie Respawning / Syncing

Some of the methods above have pretty simple countermeasures. In order to make it harder for users to evade tracking, sites often combine different methods and respawn cookies. This technique is sometimes referred to as Evercookie. If the user deletes, for example, the HTTP cookie but not the Flash cookie, the Flash cookie is used to re-create the HTTP cookie on the user's next visit.

https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf
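Respawning is detectable precisely because it needs the same identifier in more than one place. The script below is an added example, not code from the diary: given a snapshot of a browser profile's storage channels (HTTP cookies, localStorage, Flash LSOs, or any other store exported as key/value pairs), it extracts identifier-looking tokens from every stored value and reports those that appear in two or more channels, and it checks whether a cookie the user deleted came back with its old value on the next visit. The snapshot, channel names and identifier values are constructed; the token pattern (12 or more URL-safe characters) is an assumption tuned for opaque IDs and will miss shorter ones.

```python
"""Find one identifier stored across several browser storage channels (added example)."""
import re
from collections import defaultdict

# Assumption: opaque tracking identifiers look like 12+ URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{12,}")


def extract_tokens(value):
    """Identifier-looking substrings of a stored value (JSON blobs included)."""
    return set(TOKEN_RE.findall(str(value)))


def shared_identifiers(snapshot):
    """snapshot maps channel name -> {key: value}.
    Returns {token: [channels]} for every token seen in two or more channels."""
    seen = defaultdict(set)
    for channel, store in snapshot.items():
        for value in store.values():
            for token in extract_tokens(value):
                seen[token].add(channel)
    return {tok: sorted(chs) for tok, chs in seen.items() if len(chs) >= 2}


def respawned_cookies(cleared, after_revisit):
    """Names of cookies that the user deleted and that reappeared unchanged."""
    return sorted(name for name, value in after_revisit.items()
                  if cleared.get(name) == value)


# Constructed snapshot of one profile; the values belong to no real site.
SNAPSHOT = {
    "http_cookie": {"SESSIONID": "k9s2m1p0q7z3x8c4", "uid": "4d8e2a91c0f7b3e5"},
    "local_storage": {"theme": "dark",
                      "evercookie": '{"uid":"4d8e2a91c0f7b3e5","ts":1424736000}'},
    "flash_lso": {"trk": "4d8e2a91c0f7b3e5"},
}

# Constructed: cookies seen after the user cleared them and visited the site again.
AFTER_REVISIT = {"SESSIONID": "a1b2c3d4e5f6g7h8", "uid": "4d8e2a91c0f7b3e5"}

if __name__ == "__main__":
    print("shared:", shared_identifiers(SNAPSHOT))
    print("respawned:", respawned_cookies(SNAPSHOT["http_cookie"], AFTER_REVISIT))
```

On the sample, the session cookie is unique to the cookie jar and is not reported, while the `uid` value shows up in all three channels and is the one that comes back after a cookie wipe, which is exactly the signature of a respawning scheme. Extending the snapshot with further channels (cached ETags, IndexedDB, HSTS state) needs no change to the logic.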

Any methods I missed (I am sure there have to be a couple…)


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: Intel Boot Guard, Coreboot and user freedom

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

PC World wrote an article on how the use of Intel Boot Guard by PC manufacturers is making it impossible for end-users to install replacement firmware such as Coreboot on their hardware. It’s easy to interpret this as Intel acting to restrict competition in the firmware market, but the reality is actually a little more subtle than that.

UEFI Secure Boot as a specification is still unbroken, which makes attacking the underlying firmware much more attractive. We’ve seen several presentations at security conferences lately that have demonstrated vulnerabilities that permit modification of the firmware itself. Once you can insert arbitrary code in the firmware, Secure Boot doesn’t do a great deal to protect you – the firmware could be modified to boot unsigned code, or even to modify your signed bootloader such that it backdoors the kernel on the fly.

But that’s not all. Someone with physical access to your system could reflash your system. Even if you’re paranoid enough that you X-ray your machine after every border crossing and verify that no additional components have been inserted, modified firmware could still be grabbing your disk encryption passphrase and stashing it somewhere for later examination.

Intel Boot Guard is intended to protect against this scenario. When your CPU starts up, it reads some code out of flash and executes it. With Intel Boot Guard, the CPU verifies a signature on that code before executing it[1]. The hash of the public half of the signing key is flashed into fuses on the CPU. It is the system vendor that owns this key and chooses to flash it into the CPU, not Intel.

This has genuine security benefits. It’s no longer possible for an attacker to simply modify or replace the firmware – they have to find some other way to trick it into executing arbitrary code, and over time these will be closed off. But in the process, the system vendor has prevented the user from being able to make an informed choice to replace their system firmware.

The usual argument here is that in an increasingly hostile environment, opt-in security isn’t sufficient – it’s the role of the vendor to ensure that users are as protected as possible by default, and in this case all that’s sacrificed is the ability for a few hobbyists to replace their system firmware. But this is a false dichotomy – UEFI Secure Boot demonstrated that it was entirely possible to produce a security solution that provided security benefits and still gave the user ultimate control over the code that their machine would execute.

To an extent the market will provide solutions to this. Vendors such as Purism will sell modern hardware without enabling Boot Guard. However, many people will buy hardware without consideration of this feature and only later become aware of what they’ve given up. It should never be necessary for someone to spend more money to purchase new hardware in order to obtain the freedom to run their choice of software. A future where users are obliged to run proprietary code because they can’t afford another laptop is a dystopian one.

Intel should be congratulated for taking steps to make it more difficult for attackers to compromise system firmware, but criticised for doing so in such a way that vendors are forced to choose between security and freedom. The ability to control the software that your system runs is fundamental to Free Software, and we must reject solutions that provide security at the expense of that ability. As an industry we should endeavour to identify solutions that provide both freedom and security and work with vendors to make those solutions available, and as a movement we should be doing a better job of articulating why this freedom is a fundamental part of users being able to place trust in their property.

[1] It’s slightly more complicated than that in reality, but the specifics really aren’t that interesting.


LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated liblivemedia (code execution), libxml2 (regression/incomplete fix in previous update), and ntp (incomplete fix in previous update).

Debian-LTS has updated krb5 (multiple vulnerabilities), libxml2 (regression/incomplete fix in previous update), ntp (multiple vulnerabilities), sympa (information disclosure), unzip (two vulnerabilities), and wpasupplicant (command execution).

Fedora has updated e2fsprogs (F21: code execution), jasper (F21; F20: two vulnerabilities), kernel (F20: two vulnerabilities), mantis (F21; F20: multiple vulnerabilities), maradns (F20: security hardening), postgresql (F21: multiple vulnerabilities), and websvn (F21; F20: information disclosure).

Gentoo has updated adobe-flash (multiple vulnerabilities), antiword (denial of service), bind (denial of service), libav (multiple vulnerabilities), libevent (code execution), mediawiki (multiple vulnerabilities), nginx (information disclosure), and tcpdump (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated flash-player (13.2, 13.1; 11.4: multiple vulnerabilities), privoxy (13.2, 13.1: multiple vulnerabilities), unzip (13.2, 13.1: code execution), virtualbox (13.2, 13.1: multiple vulnerabilities), and vorbis-tools (13.2, 13.1: denial of service).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities) and flash-player, flash-player-gnome, flash-player-kde4 (SLE11 SP3: multiple vulnerabilities).

Raspberry Pi: Xenon Death Flash: a free physics lesson

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

If you own a Raspberry Pi 2, congratulations: you’re also the proud owner of an elegant demonstration of the photoelectric effect!

At the weekend, Peter Onion, a veteran of our forums and of Raspberry Jams in Cambridge, Bletchley and surrounding areas (visible, costumed, in the background of this photo at the Christmas CamJam), discovered what we think might be the most adorable bug we’ve ever come across.

The Raspberry Pi 2 is camera-shy.

Peter’s bug report came via our forums. He’d been proudly photographing his new Raspberry Pi 2, and had discovered something peculiar: every time the flash on his camera went off, his Pi powered down.

The blip you’re seeing here is what happens when you point a xenon flash at a Pi 2.

Jonathan has spent much of the morning emitting flashes and poking an oscilloscope. We’ve found out what’s going on, and the good news is that it’s completely benign: your Pi will not suffer any permanent effects from being flashed at.

More good news: the effect only happens under VERY specific circumstances. Flashes of high-intensity, long-wave light – so laser pointers or xenon flashes in cameras – cause the device that is responsible for regulating the processor core power (it’s the chip marked U16 in the silkscreening on your Pi 2, between the USB power supply and the HDMI port – you can recognise it because it’s a bit shinier than the components around it) to get confused and make the core voltage drop. Importantly, it’s ONLY really high-intensity bursts like xenon flashes and laser pointers that will cause the issue. Other bright lights – even camera flashes using other technologies – won’t set it off. You can take your naked Pi 2 in the sunshine for a picnic or take it to a rave, and it’ll be perfectly solid. Just don’t take it on the red carpet at the Oscars. Jon is currently shining an 1800-lumen LED light at a Pi 2 on his desk: not a wobble.

This component that’s causing the issue is in a WL-CSP package: a bare silicon die which has solder balls attached. This is a picture of the underside of a similar package (enormously magnified) – each circle is a minuscule ball of solder:

[Image: the underside of a WL-CSP package, showing the solder balls]

WL-CSP packaging is a common technique for more high-tech electronics parts, as it means no further packaging of the device is required. It is also the smallest physical package possible, which designers of mobile things (and people making very tiny computers) really care about.

What’s causing the component to behave so oddly? It’s the photoelectric effect, where metals emit electrons when hit by light. The video below is a really good tutorial on how that works.

What you’re seeing with Pi 2 and xenon flashes is the same effect, but in semiconductor material, not metal. Semiconductors, like metals, have free electrons which can be ‘knocked off’ by photons. Photodiodes, solar cells and phototransistors all use this effect to function. If you’d like to learn more about how a solar cell works, there’s a nice explanation here at Physics.org.

Silicon junctions (the types that are responsible for making diodes and transistors and other such electronic miracles function) can be ‘upset’ by this photoelectric effect if it is large enough (i.e. if enough light of the right energy [i.e. colour] is fired at them). This seems to be what is happening to our power supply chip – somewhere in the complex silicon chip circuitry there are some transistors or diodes that malfunction when hit by high energy bursts of light, causing the power supply to ‘drop out’, so the Pi reboots.

Jonathan is actively investigating exactly what happens when U16 is flashed with a high energy pulse from a xenon flash tube, and we are also looking at possible ways to make future production Pis immune to this issue if we can – we know you like to take pictures of them.

We have found no evidence that ‘flashing’ your Pi2 with a xenon flash can cause any real damage, but we still don’t recommend doing it (it will crash or reboot, and this means you may corrupt your SD card). I’ve said it above, but it bears repeating, because I’ve seen some of you mention this in the forums and in comments sections elsewhere: common everyday light sources – e.g. bright sunlight, indoor lighting, angry cyclists* – don’t cause this to happen, so please don’t worry! 

If you need to use your Pi 2 in a situation where it might be flashed at, our advice is to cover U16 (make sure you get the sides too) – the current easy fix is to use a small blob of Sugru or Blu-Tak covering the whole component (someone in the forums used a pellet of bread: the first yeasted bug fix we have encountered), or simply put the Pi in an opaque case.

Secretly, I’m kind of hoping for another (similarly benign) bug this abstruse. I love writing this sort of post.

*Note to the paranoid on Twitter: I wasn’t clear enough here. We are referring to ourselves, not dissing you and your bike. We’re in Cambridge, and a lot of us cycle (aggressively) to and from work: we’ve been shining our bike lights at Pis for much of this morning, because they’re the brightest lights any of us own.

Krebs on Security: China To Blame in Anthem Hack?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”

While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said the FBI “has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”


The alert notes that analysis of malware samples used in the attack indicates a significant amount of the computer network exploitation activity emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from Atlanta-based cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.

According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.

The FBI’s flash advisory continues:

“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”


In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.”

Leaving aside the question of whether state-sponsored Chinese hackers were in fact behind the Anthem breach, there are still many unanswered questions about this incident, such as when did Anthem find out about it? How long did the breach last? How did the attackers break in? What can other businesses learn from this incident to protect themselves?

Steve Ragan, a journalist who writes the Salted Hash blog for CSO Online, references a document he received from a trusted source that was reportedly sent as a memo from Anthem to its clients. That memo notes that the unauthorized activity seems to date back to at least December 10, 2014. That activity apparently continued undetected until January 27, 2015, meaning the attackers had access to Anthem’s customer database for more than a month before they were discovered.

A memo sent from Anthem to its associates. Credit: Salted Hash.

The memo explains:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

The notice from Anthem to its clients concludes that “the attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information.”

As for how the attackers broke in, perhaps the FBI’s Flash warning on Deep Panda (PDF) holds some clues.

Incidentally, infosec professionals take note: Anthem is hiring. On Feb. 4, the same day that Anthem disclosed a breach at its “database warehouse” may have affected as many as 80 million consumers, it also posted a help wanted ad for a “Cloud Encryption Security Professional.”

Krebs on Security: Yet Another Flash Patch Fixes Zero-Day Flaw

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

The newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. Google Chrome version 40.0.2214.111 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

As I noted in a previous Flash post, short of removing Flash altogether — which may be impractical for some users — there are intermediate solutions. Script-blocking applications like NoScript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

My favorite in-between approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Update Released, Fixing CVE 2015-0313, (Thu, Feb 5th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

An update has been released for Adobe Flash that, according to Adobe, fixes the recently discovered and exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, you need to check for updates within Adobe Flash. (personal note: on my Mac, I have not seen the update offered yet).

The new Flash player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296.

Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


SANS Internet Storm Center, InfoCON: green: Exploit Kit Evolution – Neutrino, (Wed, Feb 4th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This is a guest diary submitted by Brad Duncan.

In September 2014 after the Neutrino exploit kit (EK) had disappeared for 6 months, it reappeared in a different form. It was first identified as Job314 or Alter EK before Kafeine revealed in November 2014 this traffic was a reboot of Neutrino [1].

This Storm Center diary examines Neutrino EK traffic patterns since it first appeared in the Spring of 2013.

Neutrino EK: 2013 through early 2014

Neutrino was first reported in March 2013 by Kafeine on his Malware Don't Need Coffee blog [2]. It was also reported by other sources, like Trend Micro [3].

Here's a sample of Neutrino EK from April 2013 using HTTP over port 80:

Shown above: Neutrino EK traffic from April 2013.

By the summer of 2013, we saw Neutrino use HTTP over port 8000, and the traffic patterns had evolved. Here's an example from June 2013, back when I first started blogging about malware traffic [4]:

Shown above: Neutrino EK traffic from June 18th, 2013.

In October 2013, Operation Windigo (an on-going operation that has compromised thousands of servers since 2011) switched from using the Blackhole EK to Neutrino [5].

Before Neutrino EK disappeared in March of 2014, I usually found it in traffic associated with Operation Windigo. Here are two examples from February and March 2014 [6] [7]:

Shown above: Neutrino EK traffic from February 2nd, 2014.

Shown above: Neutrino EK traffic from March 8th, 2014.

March 2014 saw some reports about the EK's author selling Neutrino [8]. Later that month, Neutrino disappeared. We stopped seeing any sort of traffic or alerts on this EK.

Neutrino EK since December 2014

After Kafeine made his announcement and EmergingThreats released new signatures for this EK, I was able to infect a few VMs. Here's an example from November 2014 [9]:

Shown above: Neutrino EK traffic from November 29th, 2014.

Traffic patterns have remained relatively consistent since Neutrino reappeared. I infected a VM on February 2nd, 2015 using this EK. Below are the HTTP requests and responses to Neutrino EK on vupwmy.dout2.eu:12998.

  • GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/
  • HTTP/1.1 200 OK (text/html) – Landing page
  • GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/
  • HTTP/1.1 200 OK (application/x-shockwave-flash) – Flash exploit
  • GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/
  • HTTP/1.1 200 OK (text/html) – No actual text, about 25 to 30 bytes of data, shows up as Malformed Packet in Wireshark.
  • GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/
  • HTTP/1.1 200 OK (application/octet-stream) – Encrypted malware payload
  • GET /lord.phtml?horror=64439push=75359pursuit=washfond=monsieurwooden=forevercontent=21179despite=libertystalk=shiverfaithful=10081bold=35942
  • HTTP/1.1 404 Not Found OK (text/html)
  • GET /america/86960/seven/quiet/blur/belong/traveller/12743/gigantic/96057/trunk/69375/await/30077/cunning/39832/betray/638/
  • HTTP/1.1 404 Not Found OK (text/html)
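The URL chain above is what an analyst can key on in proxy logs: long paths built from lowercase dictionary words interleaved with numbers, no file name, a Flash object, a near-empty text/html response, and an octet-stream payload, all on a non-standard port. The following script is an added example, not code from the diary or from the ISC; it turns those observations into a small scoring heuristic. The log format, the byte counts and the second host are constructed for illustration; the four paths are the ones listed above.

```python
"""Heuristic triage of proxy logs for Neutrino EK-style URL chains.

Added example (not from the ISC diary). The log line format and the byte
counts in SAMPLE_LOG are constructed; the first four paths are from the
diary's February 2nd, 2015 capture.
"""
import re
from collections import defaultdict

# A path segment is either a lowercase dictionary-like word or a short number.
WORD = re.compile(r"^[a-z]{3,}$")
NUMBER = re.compile(r"^\d{1,6}$")

# Constructed log format: "host:port METHOD path status content-type bytes"
LOG_LINE = re.compile(
    r"^(?P<host>[^\s:]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
vupwmy.dout2.eu:12998 GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/ 200 text/html 4821
vupwmy.dout2.eu:12998 GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/ 200 application/x-shockwave-flash 90211
vupwmy.dout2.eu:12998 GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/ 200 text/html 28
vupwmy.dout2.eu:12998 GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/ 200 application/octet-stream 311296
www.example.com:80 GET /2015/01/26/index.html 200 text/html 15302
www.example.com:80 GET /static/js/app.js 200 application/javascript 48012
"""


def path_segments(path):
    """Split a URL path into its non-empty segments, ignoring any query string."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def is_neutrino_like_path(path, min_segments=6, min_numbers=2):
    """True when the path is a chain of word/number segments with no file name.

    Every segment must be a word or a number, numbers are never adjacent
    (the kit interleaves them between words), and there is no extension.
    """
    segs = path_segments(path)
    if len(segs) < min_segments:
        return False
    if not all(WORD.match(s) or NUMBER.match(s) for s in segs):
        return False
    if any(NUMBER.match(a) and NUMBER.match(b) for a, b in zip(segs, segs[1:])):
        return False
    return sum(1 for s in segs if NUMBER.match(s)) >= min_numbers


def parse_log(text):
    """Group parsed records by host:port; malformed lines are skipped."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("port", "status", "bytes"):
            rec[key] = int(rec[key])
        by_host[f"{rec['host']}:{rec['port']}"].append(rec)
    return by_host


def score_host(records):
    """Combine the indicators the diary describes into a simple score per host."""
    flags = {
        "chained_urls": sum(1 for r in records if is_neutrino_like_path(r["path"])),
        "flash_served": any(r["ctype"] == "application/x-shockwave-flash" for r in records),
        # the near-empty 200 text/html response seen before the payload
        "tiny_html": any(r["ctype"] == "text/html" and r["status"] == 200 and r["bytes"] <= 40
                         for r in records),
        "octet_stream": any(r["ctype"] == "application/octet-stream" for r in records),
        "nonstandard_port": records[0]["port"] not in (80, 443),
    }
    score = 2 if flags["chained_urls"] >= 3 else 0
    score += sum(flags[k] for k in ("flash_served", "tiny_html", "octet_stream", "nonstandard_port"))
    flags["score"] = score
    flags["verdict"] = "likely Neutrino EK" if score >= 4 else "no EK pattern"
    return flags


def analyze(log_text=SAMPLE_LOG):
    """Return {host:port -> indicator flags} for every host in the log."""
    return {host: score_host(recs) for host, recs in parse_log(log_text).items()}


if __name__ == "__main__":
    for host, flags in analyze().items():
        print(host, flags["verdict"], flags)
```

The thresholds (six or more segments, at least two numbers, a 40-byte cap on the "tiny" HTML response, a score of four or more) are assumptions chosen to fit this one capture; tune them against your own traffic, and treat a hit as a reason to pull the pcap rather than as a verdict on its own.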

The malware payload sent by the EK is encrypted.

Shown above: Neutrino EK sends the malware payload.

I extracted the malware payload from the infected VM. If you're registered with Malwr.com, you can get a copy from:

https://malwr.com/analysis/NjFjNjQyYjBkMzVhNGE4MWE4Mjc1Mzk2NmQxNjFjM2E/

This malware is similar to previous Vawtrak samples I've seen from Neutrino and Nuclear EK last month [10] [11].

Closing Thoughts

Exploit kits tend to evolve over time. You might not realize how much the EK has changed until you look back through the traffic. Neutrino EK is no exception. It evolved since it first appeared in 2013, and it significantly changed after reappearing in December 2014. It will continue to evolve, and many of us will continue to track those changes.

———-

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

[2] http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

[3] http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

[4] http://malware-traffic-analysis.net/2013/06/18/index.html

[5] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

[6] http://malware-traffic-analysis.net/2014/02/02/index.html

[7] http://malware-traffic-analysis.net/2014/03/08/index.html

[8] http://news.softpedia.com/news/Neutrino-Exploit-Kit-Reportedly-Put-Up-for-Sale-by-Its-Author-430253.shtml

[9] http://www.malware-traffic-analysis.net/2014/12/01/index.html

[10] http://malware-traffic-analysis.net/2015/01/26/index.html

[11] http://www.malware-traffic-analysis.net/2015/01/29/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated chromium-browser (eol on 7.0 “wheezy”) and vlc (multiple vulnerabilities).

Debian-LTS has updated php5 (multiple vulnerabilities).

Fedora has updated clamav (F21; F20: heap overflow), firefox (F21: backed out the flash click-to-play setup), and patch (F21: multiple vulnerabilities).

Mageia has updated bugzilla (command injection), icu (multiple vulnerabilities), kdebase4-runtime (misuse of crypto), and libvirt (information leak).

openSUSE has updated glibc (12.3: code execution), hivex (13.2, 13.1: privilege escalation), java-1_7_0-openjdk (13.2: multiple vulnerabilities), libmspack (13.2, 13.1: denial of service), polarssl (13.2: code execution), seamonkey (13.2, 13.1: multiple vulnerabilities), and xdg-utils (13.2: command execution).

SUSE has updated firefox (SLE11 SP3: multiple vulnerabilities).

SANS Internet Storm Center, InfoCON: green: New Adobe Flash Vulnerability – CVE-2015-0313, (Mon, Feb 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

For those of you who are losing track, yet another Adobe Flash vulnerability has been unleashed on their unsuspecting users. I am sure we all know the wording off by heart now, but in case:

Vulnerability identifier: APSA15-02

CVE number : CVE-2015-0313

Platform: All Platforms

Quote: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/

Steve Hall ISC Handler www.tarkie.net


Krebs on Security: The Internet of Dangerous Things

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year.

Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.

KrebsOnSecurity is squarely within that 38 percent camp: In the month of December 2014 alone, Prolexic (the Akamai-owned company that protects my site from DDoS attacks) logged 26 distinct attacks on my site. That’s almost one attack per day, but since many of the attacks spanned multiple days, the site was virtually under constant assault all month.

Source: Arbor Networks


Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks. The largest reported attack was 400 Gbps, with other respondents reporting attacks of 300 Gbps, 200 Gbps and 170 Gbps. Another six respondents reported events that exceeded the 100 Gbps threshold. In February 2014, I wrote about the largest attack to hit this site to date — which clocked in at just shy of 200 Gbps.

According to Arbor, the top three motivations behind attacks remain nihilism/vandalism, online gaming and ideological hacktivism, all of which the company said have been in the top three for the past few years.

“Gaming has gained in percentage, which is no surprise given the number of high-profile, gaming-related attack campaigns this year,” the report concludes.

DDoS Attacks on KrebsOnSecurity.com, logged by Akamai/Prolexic between 10/17/14 - 1/26/15.


Longtime readers of this blog will probably recall that I’ve written plenty of stories in the past year about the dramatic increase in DDoS-for-hire services (a.k.a. “booters” or “stressers”). In fact, on Monday, I published Spreading the Disease and Selling the Cure, which profiled two young men who were running both multiple DDoS-for-hire services and selling services to help defend against such attacks.

The vast majority of customers appear to be gamers using these DDoS-for-hire services to settle scores or grudges against competitors; many of these attack services have been hacked over the years, and the leaked back-end customer databases almost always show a huge percentage of the attack targets are either individual Internet users or online gaming servers (particularly Minecraft servers). However, many of these services are capable of launching very large attacks — in excess of 75 Gbps to 100 Gbps — against practically any target online.

As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.

In an advisory released in October 2014, Akamai warned of a spike in the number of UPnP-enabled devices that were being used to amplify what would otherwise be relatively small attacks into oversized online assaults.

Akamai said it found 4.1 million Internet-facing UPnP devices were potentially vulnerable to being employed in this type of reflection DDoS attack – about 38 percent of the 11 million devices in use around the world. The company said it was willing to share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts of this threat.

That’s exactly the response that we need, because there are new DDoS-for-hire services coming online every day, and there are tens of millions of misconfigured or ill-configured devices out there that can be similarly abused to launch devastating attacks. According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.

Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.

To my mind, this is a massive problem deserving of an international and coordinated response. We currently have global vaccination efforts to eradicate infectious and communicable but treatable diseases. Unfortunately, we probably need a similar type of response to deal with the global problem of devices that can be conscripted at a moment's notice to join a virtual flash mob capable of launching attacks that can knock almost any target offline for hours or days on end.

Anyone who needs a reminder of just how bad the problem is need only look to the attacks of Christmas Day 2014 that took out the Sony Playstation and Microsoft Xbox gaming networks. Granted, those companies were already dealing with tens of millions of new customers that very same day, but as I noted in my Jan. 9 exclusive, the DDoS-for-hire service implicated in that attack (or at least the attackers) was built using a few thousand hijacked home Internet routers.

[Author’s note: The headline for this post was inspired by Glenn Fleishman‘s excellent Jan. 13, 2015 piece in MIT Technology Review, An Internet of Treacherous Things.]

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated kernel (C6: two vulnerabilities) and libyaml (C6: denial of service).

Debian has updated virtualbox (two denial of service flaws with no details).

Debian-LTS has updated jasper (two vulnerabilities), libksba (denial of service), privoxy (three vulnerabilities), python-django (multiple vulnerabilities), and rpm (multiple vulnerabilities, some from 2012 and 2013).

Fedora has updated drupal7-context (F21; F20: open redirect), suricata (F21; F20: denial of service), and unzip (F21: unspecified impact).

openSUSE has updated flash-player (12.3: multiple vulnerabilities), git (13.2, 13.1: code execution), glibc (11.4: code execution), and libpng16 (13.2, 13.1: two vulnerabilities).

Oracle has updated kernel (OL7; OL6: multiple vulnerabilities) and libyaml (OL7; OL6: denial of service).

Red Hat has updated glibc (RHEL4: code execution), kernel (RHEL7: multiple vulnerabilities), libyaml (RHEL6&7: denial of service), and ntp (RHEL6.5: multiple code execution flaws).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and libyaml (SL6&7: denial of service).

Slackware has updated glibc (code execution).

SUSE has updated firefox (SLE11SP2, SLE11SP1; SLE10SP4: multiple vulnerabilities) and flash-player (SLE11SP3: multiple vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Adobe Flash Update Available for CVE-2015-0311 & -0312, (Wed, Jan 28th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe has released an update for the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update from Adobe addresses the Flash vulnerabilities documented in CVE-2015-0311 and CVE-2015-0312, for which exploits are now being seen in the wild. Given that exploits are in the wild, the criticality of this issue should be re-evaluated for prioritization and implementation.

tony d0t carothers –gmail


LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated glibc (C7; C6; C5: code execution).

Debian-LTS has updated eglibc (code execution).

Mageia has updated busybox (arbitrary module loading), flash-player-plugin (multiple vulnerabilities), php (multiple vulnerabilities), privoxy (multiple vulnerabilities), and python-pillow (denial of service).

Oracle has updated glibc (OL7; OL6; OL5: code execution).

Red Hat has updated chromium-browser (RHEL6 Supplementary: multiple vulnerabilities), flash-plugin (RHEL5,6 Supplementary: multiple vulnerabilities), glibc (RHEL6,7; RHEL5; RHEL5.6, 5.9, 6.2, 6.4, 6.5: code execution), and kernel (RHEL6: denial of service).

Scientific Linux has updated glibc (SL6,7; SL5: code execution) and kernel (SL6: denial of service).

SUSE has updated glibc (SLE11, SLE10: code execution).

Ubuntu has updated eglibc (12.04, 10.04: code execution), openjdk-6 (12.04, 10.04: multiple vulnerabilities), and openjdk-7 (14.10, 14.04: multiple vulnerabilities).

Linux How-Tos and Linux Tutorials: Embedded Development with ARM mbed on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials

A microcontroller contains a processor, some memory, and usually some connections for interacting with external hardware. You might want to use a microcontroller to turn a small servo motor, or connect some buttons and a screen to build a custom calculator, for example. A microcontroller may not run any operating system at all, and simply start executing a single program soon after power is applied.

The mbed platform is an open source environment which allows you to write control programs in C/C++ and deploy them to many ARM Cortex-M based microcontroller boards.

The ARM CPU used in the BeagleBone Black and other single board computers is designed to interface with anywhere from half a gigabyte to a few gigabytes of RAM and allow a full operating system such as Linux to be run on the computer. (See my long series of reviews on Linux.com of ARM-based computers that run Linux.) By contrast, the ARM Cortex-M is a microcontroller-class chip which might run at 16-100 MHz, contain 2-100 KB of RAM, and have some flash memory holding only the program that you want to execute.

You can, however, set up your Linux machine to write control programs for an ARM-based microcontroller using the mbed platform. The mbed IDE can be accessed through a web browser or downloaded to your Linux desktop (see instructions on this, below.)

This setup offers some advantages to embedded developers using microcontrollers. Many readers will likely be familiar with the Arduino environment and have probably used it with the Atmel 328 microcontroller. The mbed platform offers a bit more flexibility by letting you pick both your microcontroller board to best suit your application, as well as allowing you to choose which compiler will best suit your project.

For example, you might have a small program that only needs to use 3-4 pins and a single SPI bus, so a more economical chip is all you will need. On the other hand, you might be running a screen and some DSP code, need more processing power, and want around 100 KB of memory on board. With mbed you can select a more capable microcontroller that will better handle that application.

Writing programs

The IDE for mbed runs in the Web browser. When you log in you select the target board that you have, open or write a program, compile it, and download the binary to install onto your hardware. When you plug an mbed microcontroller into your Linux desktop you will see one or more storage devices. These storage devices appear much like a USB flash drive. If there is more than one storage device shown by your Linux desktop, one will likely be very small and one will be around the right size for the flash memory on your mbed hardware.

To install a new program that you downloaded from the mbed IDE, just open the storage device and copy the firmware file you downloaded using your Web browser onto the mbed device. This avoids the frustration that plagues some embedded environments which use /dev/ttyUSBX or /dev/ttyACMX device files to upload new firmware, where the devices do not always show up or appear in menus.

My first thoughts when playing around with mbed were about how well additional hardware was supported. The popularity and years that Arduino has been around have blessed it with a large library base for interacting with various hardware. My initial testing was for the popular Nordic Semiconductor rf24 chips. There are many libraries to support that chip on mbed, including a port of the Maniacbug’s nRF24L01+ Arduino library to mbed.

I actually had quite a time initially getting rf24 communications to work. I was using two Nucleo F401RE boards, and the website for them mentions that you should upgrade their firmware. I had a look over the firmware upgrade page but didn't see anything that might have caused the issue I was seeing. I went and performed the firmware upgrade anyway and afterwards the rf24 communication worked well. It is unfortunate that at the moment upgrading the core firmware on the ST Nucleo F401RE is not supported from Linux.

Second in my testing with mbed was a RePaper display with the version 1 breakout board. In initial testing with the Nucleo F401RE I could manage to get a single image displayed but was never able to update the display to a second image. Unfortunately, switching over to an NXP LPC1768 based Arch Pro board left me unable to render even an initial image. The same display using the drivers on a BeagleBone Black allowed the screen to be run normally. So it is likely to be an issue with the combination of hardware and epaper library that I was using for mbed.

Bringing the IDE to the Linux desktop

While the online IDE might be sufficient for some, there are also likely to be many developers who have their editor of choice and want to be free of the Web browser.

To develop locally, download the GCC ARM Embedded toolchain, for example gcc-arm-none-eabi-4_9-2014q4-20141203-linux.tar.bz2, and expand it into /usr/local. Then add the new executables to your PATH, in this case the directory /usr/local/gcc-arm-none-eabi-4_9-2014q4/bin. To bring a project to the local machine from the online IDE, right click on the project, select the board you want to use, and choose GCC (ARM Embedded) as the export toolchain. This will result in a zip file being offered by the Web browser for download.

Expand that zip file somewhere convenient and change directory into the base directory of the newly expanded files. This will be a directory with the same name as the project you right clicked on in the online IDE. Then, with the GCC ARM Embedded toolchain in your PATH, you can just type make to build the new bin file to copy to your hardware.

One file that is likely to be of great interest in your local filesystem is, for example, the mbed/TARGET_NUCLEO_F401RE/TARGET_STM/TARGET_NUCLEO_F401REw/PinNames.h file. The TARGET directory names will be different for different hardware boards. Being able to see that the Arduino pin D2 is also PA_10 and that LED1 through LED4 all map to PA_5 for the F401RE will likely help while you are writing your programs.
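The local workflow described above (unpack the toolchain, put its bin directory on PATH, run make in the exported project, copy the resulting .bin onto the board's mass-storage volume) is scripted below as an added example; it is not part of the article or of the mbed project. It assumes the tarball named in the text was expanded under /usr/local and that the exported project contains the Makefile the online IDE generates; the mount-point names in the usage are placeholders.

```python
"""Local build-and-deploy helper for a project exported from the mbed online IDE.

Added example, not code from the article or from the mbed project. Assumes the
GCC ARM Embedded tarball was expanded under /usr/local and that the exported
project directory holds the IDE-generated Makefile.
"""
import os
import re
import shutil
import subprocess
from pathlib import Path

# e.g. gcc-arm-none-eabi-4_9-2014q4-20141203-linux.tar.bz2 -> gcc-arm-none-eabi-4_9-2014q4
TARBALL_RE = re.compile(r"^(gcc-arm-none-eabi-[0-9_]+-\d{4}q\d)-\d{8}-linux\.tar\.bz2$")


def toolchain_dir_from_tarball(tarball, prefix="/usr/local"):
    """Install directory created by expanding the tarball under prefix."""
    m = TARBALL_RE.match(Path(tarball).name)
    if not m:
        raise ValueError(f"not a GCC ARM Embedded tarball name: {tarball}")
    return Path(prefix) / m.group(1)


def env_with_toolchain(bin_dir, env=None):
    """Copy of env (default: the process environment) with bin_dir first on PATH."""
    env = dict(os.environ if env is None else env)
    env["PATH"] = f"{bin_dir}{os.pathsep}{env.get('PATH', '')}"
    return env


def build_project(project_dir, bin_dir):
    """Run make in the exported project and return the resulting .bin file."""
    project_dir = Path(project_dir)
    if not (project_dir / "Makefile").is_file():
        raise FileNotFoundError(f"no Makefile in {project_dir}; expand the IDE export first")
    subprocess.run(["make"], cwd=project_dir, env=env_with_toolchain(bin_dir), check=True)
    bins = sorted(project_dir.glob("*.bin"))
    if not bins:
        raise FileNotFoundError("make finished but produced no .bin file")
    return bins[0]


def pick_mbed_mount(candidates, min_bytes=64 * 1024):
    """Choose the mbed firmware volume from (mount_point, total_bytes) pairs.

    The board may expose more than one volume; the very small one is not the
    firmware target, so the largest volume of at least min_bytes is chosen.
    """
    usable = [(size, mount) for mount, size in candidates if size >= min_bytes]
    if not usable:
        return None
    return max(usable)[1]


def mounted_volume_sizes(mount_points):
    """(mount_point, total_bytes) for each path that is really a mount point."""
    return [(m, shutil.disk_usage(m).total) for m in mount_points if os.path.ismount(m)]


def deploy(firmware, mount_point):
    """Copy the firmware onto the board's volume and flush it to the device."""
    dest = Path(mount_point) / Path(firmware).name
    shutil.copyfile(firmware, dest)
    os.sync()  # make sure the write has reached the board before it is unplugged
    return dest


if __name__ == "__main__":
    import sys
    # usage: python build_mbed.py <exported-project-dir> [mount-point ...]
    tarball = "gcc-arm-none-eabi-4_9-2014q4-20141203-linux.tar.bz2"
    bin_dir = toolchain_dir_from_tarball(tarball) / "bin"
    project = sys.argv[1] if len(sys.argv) > 1 else "."
    firmware = build_project(project, bin_dir)
    mount = pick_mbed_mount(mounted_volume_sizes(sys.argv[2:]))
    print(deploy(firmware, mount) if mount else f"built {firmware}; no mbed volume given")
```

The 64 KB lower bound on the firmware volume is an assumption that separates the tiny companion volume from the one sized for the board's flash; check it against what your desktop actually mounts for your board.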

Capable hardware and persistence

There are APIs for SPI, TWI, and digital and analog IO in mbed. The syntax for digital IO is much more terse than that of the Arduino IDE. In mbed each pin can be toggled using simple assignment, and where modes are used the pin object itself has methods to set it as input or output. The mbed environment also supports advanced features like threading and TCP/IP interaction including HTTP, WebSockets, and NTP and SMTP clients.

The mbed environment supports a range of microcontroller boards and makes it fairly simple to get up to speed and start using a new mbed compatible board. Having capable hardware such as the ST Nucleo F401RE available for a little over $10 makes having a tinker with embedded hardware fairly inexpensive. Although I had a mixed result with the ePaper display, sometimes hardware tinkering is all about persistence no matter what platform you are using.

LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Debian has updated eglibc (multiple vulnerabilities), wireshark (denial of service), and xen (multiple vulnerabilities).

Fedora has updated python-django (F20: multiple vulnerabilities) and python-django14 (F20: multiple vulnerabilities).

openSUSE has updated flash-player (13.2, 13.1; 11.4: code execution).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and java-1.6.0-sun (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6: multiple vulnerabilities).

SUSE has updated flash-player (SLE12: code execution).

Ubuntu has updated oxide-qt (14.10, 14.04: multiple vulnerabilities) and firefox (14.10, 14.04, 12.04: regression in previous update).

Krebs on Security: Yet Another Emergency Flash Player Patch

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time in a week, Adobe has issued an emergency update to fix critical security flaws that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

Last week, Adobe released an out-of-band Flash patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week's patch didn't fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Krebs on Security: Spreading the Disease and Selling the Cure

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults.

Grimbooter


Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch.

As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake Youtube sites that foist malicious software disguised as Adobe’s Flash Player plugin). It turns out, the same Google Wallet is used to accept payment for all three services, and that wallet traced back to Rattani.

In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story.

The work that Rattani does for these booter services brings in roughly $2,500 a month — far more than he could ever hope to make in a month slinging sandwiches. Asked whether he sees a conflict of interest in his work, Rattani was ambivalent.

“It is kind of [a conflict], but if my friend won’t sell [the service], someone else will,” he said.

Rattani and his partner are among an increasing number of young men who sell legally murky DDoS-for-hire services. The proprietors of these services market them as purely for Web site administrators to “stress test” their sites to ensure they can handle high volumes of visitors.

But that argument is about as convincing as a prostitute trying to pass herself off as an escort. The owner of the attack services (the aforementioned Mr. Rajput) advertises them at hackforums[dot]net, an English language forum where tons of low-skilled hackers hang out and rent such attack services to prove their "skills" and toughness to others. Indeed, in his own first post on Hackforums in 2012, Rajput states that "my aim is to provide the best quality vps [virtual private server] for ddosing :P".

Damon McCoy, an assistant professor of computer science at George Mason University, said the number of these DDoS-for-hire services has skyrocketed over the past two years. Nearly all of these services allow customers to pay for attacks using PayPal or Google Wallet, even though doing so violates the terms of service spelled out by those payment networks.

“The main reason they are becoming an increasing problem is that they are profitable,” McCoy said. “They are also easy to setup using leaked code for other booters, increasing demand from gamers and other customers, decreasing cost of attack infrastructure that can be amplified using common DDoS attacks. Also, it is relatively low-risk to operate a booter service when using rented attack servers instead of botnets.”

The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online. That includes the Lizardstresser, the attack service launched by the same Lizard Squad (a.k.a. Loser Squad) criminals whose assaults knocked the Microsoft Xbox and Sony Playstation networks offline on Christmas Day 2014.

The sad truth is that most booter services probably would not be able to remain in business without CloudFlare’s free service. That’s because outside of CloudFlare, real DDoS protection services are expensive, and just about the only thing booter service customers enjoy attacking more than Minecraft and online gaming sites are, well, other booter services.

For example, looking at the (now leaked) back-end database for the LizardStresser, we can see that TheHosted and its various properties were targeted for attacks repeatedly by one of the Loser Squad’s more prominent members.

The Web site crimeflare.com, which tracks abusive sites that hide behind CloudFlare, has cataloged more than 200 DDoS-for-hire sites using CloudFlare. For its part, CloudFlare’s owners have rather vehemently resisted the notion of blocking booter services from using the company’s services, saying that doing so would lead CloudFlare down a “slippery slope of censorship.”

As I observed in a previous story about booters, CloudFlare CEO Matthew Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.

I suppose it’s encouraging that prior to CloudFlare, Prince was co-creators of Project Honey Pot, which bills itself as the largest open-source community dedicated to tracking online fraud and abuse. In hacking and computer terminology, a honeypot is a trap set to detect, deflect or otherwise counteract attempts at unauthorized use or abuse of information systems.

It may well turn out to be the case that federal investigators are allowing these myriad booter services to remain in operation so that they can gather copious evidence for future criminal prosecutions against their owners and users. In the meantime, however, it will continue to be possible to purchase powerful DDoS attacks with little more than a credit card or prepaid debit card.

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated jasper (C7: multiple vulnerabilities).

Debian has updated jasper (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), polarssl (code execution), squid (denial of service), and websvn (information disclosure).

Debian-LTS has updated libevent (denial of service) and websvn (information disclosure).

Fedora has updated docker-io (F20: multiple vulnerabilities), grep (F21: heap buffer overrun), java-1.7.0-openjdk (F20: multiple vulnerabilities), java-1.8.0-openjdk (F21; F20: multiple vulnerabilities), kde-runtime (F20: misuse of crypto), kernel (F21: restriction bypass), python-django (F21: multiple vulnerabilities), and xdg-utils (F21: command injection).

Mageia has updated aircrack-ng (multiple vulnerabilities), chromium-browser-stable (multiple vulnerabilities), jasper (multiple vulnerabilities), and java-1.7.0-openjdk (multiple vulnerabilities).

openSUSE has updated Firefox (11.4: multiple vulnerabilities), libevent (13.2, 13.1: denial of service), openssl (13.2, 13.1: multiple vulnerabilities), shotwell, vala (13.2: heap buffer overflow), and thunderbird (13.2, 13.1: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: unspecified vulnerability) and vsftpd (SLES11 SP3: unauthorized access).

Ubuntu has updated ghostscript (10.04: multiple vulnerabilities), jasper (14.10, 14.04, 12.04: multiple vulnerabilities), and unbound (14.10, 14.04: denial of service).

SANS Internet Storm Center, InfoCON: green: Adobe updates Security Advisory for Adobe Flash Player, Infocon returns to green, (Mon, Jan 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

On Saturday, 24 JAN 2015, Adobe updated their Security Advisory for Adobe Flash Player specific to CVE-2015-0311. From the update:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

To that end, the Infocon returns to GREEN. Please ensure you apply updates as soon as possible and stay tuned here for additional related information.

@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: yellow: “Stealth” Update for Flash from Adobe, (Sat, Jan 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

[Update] Adobe has now updated its advisory and confirmed that version 16.0.0.296 fixes the 0-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website indicating whether this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updated as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1]http://www.adobe.com/software/flash/about/

[2]http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3]http://blogs.adobe.com/psirt/?p=1160


Johannes B. Ullrich, Ph.D.


SANS Internet Storm Center, InfoCON: yellow: Infocon change to yellow for Adobe Flash issues, (Fri, Jan 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

We have decided to change the Infocon [1] to yellow in order to bring attention to the multiple recent Adobe Flash Player vulnerabilities [2] that are being actively exploited. Three of the vulnerabilities have been patched and have an update available, and applying them is highly recommended. One of the vulnerabilities has not yet been patched; Adobe is expected to release an out-of-band (OOB) fix for it next week [3].

Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or SOHO users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least, mitigation through the use of EMET or other tools/means is not normally feasible for home users or for quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.

1-https://isc.sans.edu/infocon.html

2-https://isc.sans.edu/forums/diary/Flash+0Day+Deciphering+CVEs+and+Understanding+Patches/19223/

3-

Adrien de Beaupré
My SANS teaching schedule


LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated jasper (C6: multiple vulnerabilities).

openSUSE has updated dbus-1 (13.1, 13.2: multiple vulnerabilities), elfutils (13.1, 13.2: directory traversal), flash-player (13.1, 13.2: memory randomization circumvention), otrs (13.1, 13.2: authentication bypass), roundcubemail (13.2: cross-site request forgery), strongswan (13.1, 13.2: denial of service), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated jasper (O6; O7: multiple vulnerabilities).

Red Hat has updated jasper (RHEL6,7: multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL6: multiple vulnerabilities).

Scientific Linux has updated jasper (SL6,7: multiple vulnerabilities).

SUSE has updated flash-player (memory randomization circumvention) and rpm (SLE12: multiple vulnerabilities).

Ubuntu has updated elfutils (directory traversal), mysql-5.5 (12.04, 14.04, 14.10: multiple vulnerabilities), and samba (14.04, 14.10: privilege escalation).

SANS Internet Storm Center, InfoCON: yellow: Flash 0-Day: Deciphering CVEs and Understanding Patches, (Fri, Jan 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: yellow

(updated with the Jan 24th update)

Over the last two weeks we have so far had two different Adobe advisories (one regularly scheduled, and one out of band) and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.

[Table: CVE / Fixed in Flash Version; the table body was lost in syndication, and only a final entry referencing advisory APSA15-01 survived.]

So in short: there is still one unpatched Flash vulnerability. Systems running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1, and the vulnerability is not exposed via Chrome. EMET appears to help, as may other tools like Malwarebytes Anti-Exploit.


Johannes B. Ullrich, Ph.D.


SANS Internet Storm Center, InfoCON: green: OOB Adobe patch!, (Thu, Jan 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe has released an advisory regarding an out-of-band security update for Flash, APSB15-02 [1]. It is a fix for CVE-2015-0310, which is reserved but for which there is little additional information at the NIST or Mitre sites. Most likely this is the previously reported 0-day [2]. There are reports that this vulnerability is actively being exploited, and that it is part of a crimeware kit. This would be a highly recommended patch! If you have the Adobe Flash Player installed, apply the update. All versions on all platforms appear to be vulnerable.

1-http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

2- https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS teaching schedule
