
App "telemetry", (Tue, Jul 22nd)

ISC reader James had just installed “Foxit Reader” on his iPhone, and had answered “NO” to the “In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data…” question, when he noticed his phone talking to China anyway. The connected-to site was alog.umeng.com, 211.151.151.7. Umeng is an “application telemetry” and online advertising company. Below is what was sent (some of the ids are masked or have been obfuscated).

I particularly like the “is_pirated: No”. It goes well with “is_snooping: Yes”, which is, however, missing from the exchange…

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The original article/video can be found at App "telemetry", (Tue, Jul 22nd)

Securing the Nest Thermostat

A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest’s remote data collection.


Alleged Stormbot Source Code Advertised for Sale on YouTube



#infosec tool "web2intel": Script to fetch malicious domain, URLs from sites that publish RSS feeds or raw HTML pages



Card Breach at Goodwill Industries, likely over 21 US States since mid-2013



IBM Fixes Code Execution, Cookie-Stealing Vulnerabilities in Switches, open since May and Dell might have a few too



EFF Releases Open Wireless Router Firmware – try it out on a Netgear WNDR3800 if you like. Might save the world…



ISC StormCast for Tuesday, July 22nd 2014 http://isc.sans.edu/podcastdetail.html?id=4071, (Tue, Jul 22nd)



Ivan’s Order of Magnitude, (Tue, Jul 22nd)

ISC reader Frank reports seeing a couple of odd DNS names in his DNS resolver log:

4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133

As so often, the first step in the infection chain had been a visit to a benign, but unpatched and hacked, WordPress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent HTTP connection with the Java exploit attempt was stopped by the proxy filters in Frank’s case, so no harm done.

But looking at public passive DNS records, it is obvious that “something” is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013, and are associated with the Magnitude Exploit Kit. Snort and Emergingthreats have decent signatures, and flag the traffic as “MAGNITUDE EK”.

The recently used domain names are all within the Indian TLD “.in”, and checking the registration information, they were all registered by the same alleged “Ivan Biloev” from Moscow, and all of them via the same registrar (webiq.in). The registrar even suspended a handful of the domains because of abuse, but they apparently continue to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer who has had domains revoked before letting registrations for additional names go through?

Recent Magnitude malicious domains included, to name only a few: speakan.in, busyneeds.in, chancessay.in, futureroll.in, loadsbreak.in, suchimages.in, touchitems.in, waysheader.in, putsediting.in, regionwhole.in, resultsself.in, unlikesolve.in, advisefailed.in, closesthotel.in, comesexpands.in, installseven.in, deducecontact.in, poundscaptain.in, delayattempted.in, lawuniversitys.in, obviouslyheads.in

Brad over at malware-traffic-analysis.net has a write-up [1] on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc., then please share in the comments below or via our contact form.

[1]  http://malware-traffic-analysis.net/2014/07/15/index.html
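The diary gives two resolver log lines and a list of recently observed Magnitude EK domains, which is enough to build a simple detector for the same log format. The following script is an added example and is not part of the diary or of any ISC tooling: it parses lines in the "<qname> A=<ip> TTL=<n> NS=<ip>" layout shown above, flags names whose registered domain is on the list from the diary, and additionally flags names that match the shape of the two logged queries (a run of short hexadecimal labels, one longer all-letter label, then a second-level domain under .in). The shape heuristic, the label-count threshold and the low-TTL annotation are assumptions derived only from the two sample lines; the benign lines and the "constructedname.in" line in the sample log are constructed for the test, not observed traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Domains the diary lists as recently used by Magnitude EK (taken from the page).
MAGNITUDE_DOMAINS = {
    "speakan.in", "busyneeds.in", "chancessay.in", "futureroll.in", "loadsbreak.in",
    "suchimages.in", "touchitems.in", "waysheader.in", "putsediting.in", "regionwhole.in",
    "resultsself.in", "unlikesolve.in", "advisefailed.in", "closesthotel.in",
    "comesexpands.in", "installseven.in", "deducecontact.in", "poundscaptain.in",
    "delayattempted.in", "lawuniversitys.in", "obviouslyheads.in",
}

# Heuristic shape of the two logged names (assumption drawn from the sample):
# >= MIN_HEX_LABELS short hex labels, one longer all-letter label, then <domain>.in
HEX_LABEL = re.compile(r"^[0-9a-f]{2,8}$")
ALPHA_LABEL = re.compile(r"^[a-z]{8,}$")
MIN_HEX_LABELS = 5

# Resolver log layout as printed in the diary: "<qname> A=<ip>  TTL=<n> NS=<ip>"
LOG_LINE = re.compile(r"^(?P<qname>\S+)\s+A=(?P<a>\S+)\s+TTL=(?P<ttl>\d+)\s+NS=(?P<ns>\S+)")


@dataclass
class Finding:
    qname: str
    registered_domain: str
    answer: str
    reasons: List[str] = field(default_factory=list)


def registered_domain(qname: str) -> str:
    """Last two labels of the name; adequate for second-level .in names like those above."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def matches_magnitude_shape(qname: str) -> bool:
    """True when the name has the hex-labels / letter-label / <domain>.in layout."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-1] != "in" or len(labels) < MIN_HEX_LABELS + 3:
        return False
    hex_part, alpha_part = labels[:-3], labels[-3]
    return all(HEX_LABEL.match(l) for l in hex_part) and bool(ALPHA_LABEL.match(alpha_part))


def analyze(qname: str, answer: str, ttl: int) -> Optional[Finding]:
    """Return a Finding when the name is on the list or matches the shape, else None."""
    reasons = []
    reg = registered_domain(qname)
    if reg in MAGNITUDE_DOMAINS:
        reasons.append("registered domain on Magnitude EK list")
    if matches_magnitude_shape(qname):
        reasons.append("hex-label subdomain shape seen with Magnitude EK")
    if not reasons:
        return None
    # Low TTL alone is not a signal; it is recorded only as context for a real hit.
    if ttl <= 60:
        reasons.append("very low TTL (%ds)" % ttl)
    return Finding(qname.rstrip("."), reg, answer, reasons)


def scan(log_text: str) -> List[Finding]:
    """Parse every well-formed log line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        found = analyze(m["qname"], m["a"], int(m["ttl"]))
        if found:
            findings.append(found)
    return findings


# Two lines quoted from the diary, followed by constructed lines (not observed traffic):
# two benign queries using documentation address space, and one name that only has the
# shape of the pattern but whose domain is not on the list.
SAMPLE_LOG = """\
4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
mail.example.org. A=192.0.2.10  TTL=3600 NS=192.0.2.1
www.example.net. A=192.0.2.20  TTL=86400 NS=192.0.2.1
a1b2.c3d4.e5f6.0a1b.2c3d.qwzxlkjhgfd.constructedname.in. A=192.0.2.55  TTL=30 NS=192.0.2.55
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.qname, "->", f.answer, "|", "; ".join(f.reasons))
```

Running the script prints three findings: the two names from the diary hit both the domain list and the shape heuristic, while the constructed "constructedname.in" line is reported on shape alone, which is the case worth reviewing by hand before adding its domain to a block list.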



OWASP Zed Attack Proxy, (Mon, Jul 21st)

Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is its ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base remains from Paros, meaning that the remainder is new code! Also, ZAP is one of the most active free open source projects around! There are so many excellent features, for example the automated scanner and the interception proxy. That is just for starters. ZAP is:

• Free, open source
• Involvement is actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

Did I mention free?

ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. For penetration testers ZAP has many new features such as Zest support and ZAP integration, Advanced access control testing and user access comparison, Advanced Fuzzing, SOAP web service scanning, and more.

I gave a talk about ZAP at SANSFire recently, the slides can be found at: https://isc.sans.edu/diaryimages/BustacapinawebappwithOWASPZAPSANSFIRE2014.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS SEC560 Network Penetration Testing in Albuquerque, NM.

