Information Security

News aggregator

Bugtraq: [SECURITY] [DSA 2989-1] apache2 security update

Linux Security - 1 hour 7 min ago
[SECURITY] [DSA 2989-1] apache2 security update
Categories: Vulnerability Pipes

Vuln: Apache HTTP Server CVE-2014-0117 Remote Denial of Service Vulnerability

Linux Security - Sun, 07/27/2014 - 19:00
Apache HTTP Server CVE-2014-0117 Remote Denial of Service Vulnerability
Categories: Vulnerability Pipes

Vuln: Apache HTTP Server 'mod_status' CVE-2014-0226 Remote Code Execution Vulnerability

Linux Security - Sun, 07/27/2014 - 19:00
Apache HTTP Server 'mod_status' CVE-2014-0226 Remote Code Execution Vulnerability
Categories: Vulnerability Pipes

Friday Squid Blogging: Build a Squid

Bruce Schneier's Blog - Fri, 07/25/2014 - 16:04
An interactive animation from the Museum of New Zealand Te Papa Tongarewa. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Categories: Security News

Building a Legal Botnet in the Cloud

Bruce Schneier's Blog - Fri, 07/25/2014 - 10:33
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there's no reason this can't scale to much larger numbers....
Categories: Security News

The App I Used to Break Into My Neighbor’s Home

Wired Threat Level - Fri, 07/25/2014 - 05:30
When I broke into my neighbor’s home earlier this week, I didn’t use any cat burglar skills. I don’t know how to pick locks. I’m not even sure how to use a crowbar. It turns out all anyone needs to break into a friend’s apartment is an off switch for their conscience and an iPhone.   […]
Categories: Security News

Vuln: Apache HTTP Server CVE-2014-0118 Remote Denial of Service Vulnerability

Linux Security - Thu, 07/24/2014 - 19:00
Apache HTTP Server CVE-2014-0118 Remote Denial of Service Vulnerability
Categories: Vulnerability Pipes

Vuln: Apache HTTP Server CVE-2014-0231 Remote Denial of Service Vulnerability

Linux Security - Thu, 07/24/2014 - 19:00
Apache HTTP Server CVE-2014-0231 Remote Denial of Service Vulnerability
Categories: Vulnerability Pipes

How Hackers Hid a Money-Mining Botnet in the Clouds of Amazon and Others

Wired Threat Level - Thu, 07/24/2014 - 05:30
Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking? At the Black Hat conference in Las Vegas next month Ragan and Salazar […]
Categories: Security News

Windows Previous Versions against ransomware, (Thu, Jul 24th)

Windows Security - Thu, 07/24/2014 - 02:45

One of the cool features that Microsoft actually added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service) which allows automatic creation of backup copies on the system. Most users “virtually meet” this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to the original state, if something goes wrong.

However, the “Previous Versions” feature can be very handy when other mistakes or incidents happen as well. For example, if a user deleted a file in a folder, and the “Previous Version” feature is active, it is very easy to restore a deleted file by clicking the appropriate button in the Properties menu of the drive/folder that contained the deleted file. The user can then simply browse through previous versions and restore the deleted file, as shown in the figure below:


You can see in the figure above that there are actually multiple versions of the Desktop folder that were saved by the “Previous Versions” feature. A user can now simply click on any version he/she desires and browse through previous files.

How can this help against Cryptolocker and similar ransomware? Simply put: when such ransomware infects a machine, it typically encrypts all document files such as Word and PDF files or pictures (JPG, PNG …). If the “Previous Versions” feature is running, then depending on several factors such as the disk space allocated to it and the time of the last snapshot (“Previous Versions” saves files relative to the last snapshot, which would normally be taken every day), you just might be lucky enough that *some* of the encrypted files are still available in “Previous Versions”.

Monitoring “Previous Versions” activities

As we can see, by using this feature it is very simple to restore previous files. This is one of the reasons why I see many companies using this feature on shared disks – it can be very handy in case a user accidentally deleted a file.

However, there are also security implications here. For example, a user can restore a file that was previously deleted and that you thought was gone. Of course, the user still needs access rights on that file – if the ACL does not allow him to access the file he won’t be able to restore it – but in the typical case where an administrator set ACLs on a directory and everything below it inherits them, the user might be able to access a file that was thought to be deleted.

This cannot be prevented (except by changing ACLs, of course), so all we can do in this case is try to monitor file restoration activities. Unfortunately, Windows is pretty (very?) limited in this. The best you can do is to enable Object Access auditing to see file accesses and then check what a particular user accessed. That being said, I have not been able to reliably reproduce logs that could tell me exactly which version the user accessed – in some cases Windows created a log such as the following:

Share Information: Share Name: \\*\TEST Share Path: \??\C:\TEST Relative Target Name: @GMT-2014.07.02-11.56.38\eula.1028.txt

This is event 5145 (“A network share object was checked to see whether client can be granted desired access”), and the Relative Target Name shows which snapshot copy was accessed, but, as I said, I was not able to get this event generated consistently.
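As an added illustration (not part of the diary), the following Python parses event 5145 message text of the shape quoted above and flags the entries whose Relative Target Name carries the @GMT-... snapshot prefix, i.e. accesses that went through a shadow copy rather than the live file. The sample messages are constructed: the first is the diary's own line, the others are made up in the same format.

```python
import re
from datetime import datetime

# Constructed sample 5145 messages. Line 1 is the example quoted in the diary;
# lines 2 and 3 are made up for contrast (a live-file access and a second snapshot access).
SAMPLE_5145 = [
    r"Share Information: Share Name: \\*\TEST Share Path: \??\C:\TEST Relative Target Name: @GMT-2014.07.02-11.56.38\eula.1028.txt",
    r"Share Information: Share Name: \\*\TEST Share Path: \??\C:\TEST Relative Target Name: eula.1028.txt",
    r"Share Information: Share Name: \\*\DOCS Share Path: \??\D:\DOCS Relative Target Name: @GMT-2014.07.20-02.00.11\finance\budget.xlsx",
]

# The three share fields as they appear in the event text.
FIELD_RE = re.compile(
    r"Share Name:\s*(?P<share>\S+)\s+Share Path:\s*(?P<path>\S+)\s+Relative Target Name:\s*(?P<target>.+)$"
)
# Shadow-copy prefix: @GMT-YYYY.MM.DD-HH.MM.SS\<path inside the snapshot>
GMT_RE = re.compile(r"^@GMT-(\d{4})\.(\d{2})\.(\d{2})-(\d{2})\.(\d{2})\.(\d{2})\\(?P<rest>.*)$")


def parse_5145(message):
    """Return a dict with share, share_path, target, snapshot (datetime or None) and file,
    or None if the message does not contain the share fields."""
    m = FIELD_RE.search(message)
    if not m:
        return None
    target = m.group("target").strip()
    rec = {"share": m.group("share"), "share_path": m.group("path"),
           "target": target, "snapshot": None, "file": target}
    g = GMT_RE.match(target)
    if g:
        y, mo, d, h, mi, s = (int(x) for x in g.groups()[:6])
        rec["snapshot"] = datetime(y, mo, d, h, mi, s)   # snapshot time is in UTC
        rec["file"] = g.group("rest")
    return rec


def previous_version_accesses(messages):
    """Keep only the events that touched a previous version (snapshot) of a file."""
    hits = []
    for msg in messages:
        rec = parse_5145(msg)
        if rec and rec["snapshot"] is not None:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in previous_version_accesses(SAMPLE_5145):
        print(f"{hit['share']} snapshot {hit['snapshot']:%Y-%m-%d %H:%M:%S} -> {hit['file']}")
```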

Conclusion

The “Previous Versions” feature is very handy in cases when you need to restore a file that was accidentally deleted or modified and can sometimes even help when a bigger incident such as a ransomware infection happened. Make sure that you use this feature if you need it, but also be aware of security implications – such as the fact that it automatically preserves deleted files and their modified copies.

Finally, for some reason Microsoft decided to remove, or rather modify, this feature in Windows 8. The “Previous Versions” tab no longer exists in Explorer (actually it does, but only for files accessed over a network share). For local files Windows 8 now uses a feature called “File History”. It needs to be set up manually and requires an external HDD to which copies of files are saved. This is definitely better since, if your main HDD dies, you can restore files from the external one, but keep in mind that it must be set up manually. Finally, if you use EFS to encrypt files, the “File History” feature will not work on them.

--
Bojan
bojanz on Twitter
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Vulnerability Pipes

Security Vulnerability in the Tails OS

Bruce Schneier's Blog - Wed, 07/23/2014 - 11:58
I'd like more information on this....
Categories: Security News

How Thieves Can Hack and Disable Your Home Alarm System

Wired Threat Level - Wed, 07/23/2014 - 05:30
When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can […]

Categories: Security News

Securing the Nest Thermostat

Bruce Schneier's Blog - Tue, 07/22/2014 - 10:06
A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest's remote data collection....
Categories: Security News

Bugtraq: KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation

Windows Security - Tue, 07/22/2014 - 08:08
KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Categories: Vulnerability Pipes

Bugtraq: KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation

Windows Security - Tue, 07/22/2014 - 08:08
KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Categories: Vulnerability Pipes

Hackers Could Take Control of Your Car. This Device Can Stop Them

Wired Threat Level - Tue, 07/22/2014 - 05:30
David Schwen | Wheel: Getty Hackers Charlie Miller and Chris Valasek have proven more clearly than anyone in the world how vulnerable cars are to digital attack. Now they’re proposing the first step towards a solution. Last year the two Darpa-funded security researchers spent months cracking into a Ford Escape and a Toyota Prius, terrifying […]
Categories: Security News

Ivan's Order of Magnitude, (Tue, Jul 22nd)

Other Security - Mon, 07/21/2014 - 20:33

ISC reader Frank reports seeing a couple of odd DNS names in his DNS resolver log:

4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133

As so often, the first step in the infection chain had been a visit to a benign but unpatched and hacked WordPress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent HTTP connection with the Java exploit attempt was stopped by the proxy filters in Frank's case, so no harm done.

But looking at public passive DNS records, it is obvious that "something" is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013, and are associated with the Magnitude Exploit Kit. Snort and Emergingthreats have decent signatures, and flag the traffic as "MAGNITUDE EK".

The recently used domain names are all within the Indian TLD ".in", and checking the registration information, they were all registered by the same alleged "Ivan Biloev" from Moscow, and all of them via the same registrar (webiq.in). The registrar even suspended a handful of the domains because of abuse, but apparently continues to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer who had domains revoked, before letting registrations for additional names go through?

Recent Magnitude mal-domains include, to name only a few: speakan.in busyneeds.in chancessay.in futureroll.in loadsbreak.in suchimages.in touchitems.in waysheader.in putsediting.in regionwhole.in resultsself.in unlikesolve.in advisefailed.in closesthotel.in comesexpands.in installseven.in deducecontact.in poundscaptain.in delayattempted.in lawuniversitys.in obviouslyheads.in

Brad over at malware-traffic-analysis.net has a write-up [1] on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc., then please share in the comments below or via our contact form.
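As an added example (not part of the diary), here is a small Python triage script for resolver-log lines in the format quoted above. It scores each name on the traits visible in Frank's two entries: a leading run of variable-length hex-only labels, a long non-hex label after that run, a very low TTL, and an A record that shares its IP with the authoritative NS. The log text is constructed: the first two lines are the names reported in the diary, the third is a made-up benign entry using a documentation IP range for contrast.

```python
import re

# Constructed resolver-log excerpt: lines 1-2 are the entries quoted in the diary,
# line 3 is a made-up benign lookup (RFC 5737 documentation addresses) for contrast.
SAMPLE_LOG = """\
4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
www.example.org. A=192.0.2.10  TTL=86400 NS=192.0.2.53
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+A=(?P<a>\S+)\s+TTL=(?P<ttl>\d+)\s+NS=(?P<ns>\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def analyse(line):
    """Parse one log line and return name, registered domain, the reasons it looks odd,
    and a verdict; None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name").rstrip(".")
    labels = name.split(".")
    sub = labels[:-2]                      # labels below the registered domain
    reasons = []
    run = 0                                # length of the leading run of hex-only labels
    for label in sub:
        if not HEX_LABEL.match(label):
            break
        run += 1
    if run >= 4:
        reasons.append(f"leading run of {run} hex-only labels")
    if run < len(sub) and len(sub[run]) >= 10 and not HEX_LABEL.match(sub[run]):
        reasons.append("long random-looking label after the hex run")
    if int(m.group("ttl")) <= 60:
        reasons.append("very low TTL")
    if m.group("a") == m.group("ns"):
        reasons.append("A record and authoritative NS share one IP")
    return {"name": name, "domain": ".".join(labels[-2:]),
            "reasons": reasons, "suspicious": len(reasons) >= 3}


def suspicious_names(log_text):
    """Return the analysed records for every line that meets the suspicion threshold."""
    return [r for r in (analyse(l) for l in log_text.splitlines()) if r and r["suspicious"]]


if __name__ == "__main__":
    for rec in suspicious_names(SAMPLE_LOG):
        print(rec["domain"], "<-", rec["name"], ";", "; ".join(rec["reasons"]))
```

The threshold of three reasons is a constructed choice for this example; a real deployment would tune it against its own resolver traffic.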

[1]  http://malware-traffic-analysis.net/2014/07/15/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Vulnerability Pipes

Fingerprinting Computers By Making Them Draw Images

Bruce Schneier's Blog - Mon, 07/21/2014 - 15:34
Here's a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there's no way to block this right now. Article. Hacker News thread. EDITED TO ADD (7/22): This...
Categories: Security News

Bugtraq: Microsoft MSN HBE - Blind SQL Injection Vulnerability

Windows Security - Mon, 07/21/2014 - 08:07
Microsoft MSN HBE - Blind SQL Injection Vulnerability
Categories: Vulnerability Pipes

Friday Squid Blogging: Squid Dissection

Bruce Schneier's Blog - Fri, 07/18/2014 - 16:35
A six-hour video of a giant squid dissection from Auckland University of Technology. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Categories: Security News