Am I Sending Traffic to a “Sinkhole”? | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security

The data collected by sinkholes is typically used for research purposes, and to notify infected users. How well this notification works depends largely on the collaboration between the sinkhole operator and your ISP.

via Am I Sending Traffic to a “Sinkhole”? | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.



Sagan as a Log Normalizer | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security

Using Sagan is another way of leveraging a Snort IDS database infrastructure to collect, correlate and monitor suspicious events via syslog. For additional information on Sagan, check the Sagan Wiki.

[1] http://sagan.quadrantsec.com/

[2] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganMain

[3] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference

[4] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganInstall

[5] http://sagan.quadrantsec.com/rules/

[6] https://github.com/beave/sagan

via Sagan as a Log Normalizer | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.


The Security Impact of HTTP Caching Headers | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security

Mobile phone browsers and older browsers seem to like to cache content regardless of HTTPS. We have this problem with PDFs of people’s statements wanting to be stored locally even though we explicitly send all the right headers to prevent it.

via The Security Impact of HTTP Caching Headers | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.
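The comment above talks about sending "the right headers" for sensitive documents; the block below, an added example that is not part of the ISC diary or the quoted comment, spells out that header set and adds a small checker that flags responses whose headers still permit caching. Header directives follow RFC 7234; the sample header dictionaries are constructed here, and the function names (`caching_findings`, `harden_headers`) are this example's own. It cannot help with clients that ignore the headers entirely, which is the commenter's actual complaint; it only verifies that the server side is not the weak link.

```python
"""Cache-control hygiene for sensitive HTTPS responses (added example)."""

# Headers a server should send on statements, account exports and similar
# per-user documents. no-store is the one that matters for modern browsers;
# Pragma and Expires cover HTTP/1.0 caches and older clients.
SENSITIVE_RESPONSE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value):
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives


def caching_findings(headers):
    """Return the reasons a response with these headers may be cached.

    An empty list means the headers forbid storage in browser, proxy and
    shared caches; this says nothing about clients that disregard them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("missing no-store: body may be written to a disk cache")
    if "public" in cc:
        findings.append("public: shared caches may serve it to other users")
    if cc.get("max-age") not in (None, "", "0"):
        findings.append("max-age=%s: reuse without revalidation allowed" % cc["max-age"])
    if "no-store" not in cc and lower.get("pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache for HTTP/1.0 caches")
    return findings


def harden_headers(headers):
    """Copy of `headers` with the sensitive cache headers forced on."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("cache-control", "pragma", "expires")}
    hardened.update(SENSITIVE_RESPONSE_HEADERS)
    return hardened


if __name__ == "__main__":
    # Constructed sample: a PDF statement served with a CDN-friendly policy.
    leaky = {"Content-Type": "application/pdf",
             "Cache-Control": "public, max-age=3600"}
    for reason in caching_findings(leaky):
        print("finding:", reason)
    print("after hardening:", caching_findings(harden_headers(leaky)))
```

Run the checker against the headers your application actually emits (for example from a `requests` response's `.headers`) rather than against the configuration you think you deployed; reverse proxies and CDNs routinely rewrite Cache-Control on the way out.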


Linux backdoor squirts code into SSH to keep its badness buried • The Register

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

via Linux backdoor squirts code into SSH to keep its badness buried • The Register.


Linux backdoor planted on company network to monitor traffic, steal data – SC Magazine

While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

via Linux backdoor planted on company network to monitor traffic, steal data – SC Magazine.


Security forum website targeted in drive-by attack leveraging IE zero-day – SC Magazine

The operators of the affected security website, which hosted the drive-by attack against visitors, have asked FireEye not to reveal its URL, Mike Scott, senior staff threat analyst at FireEye, told SCMagazine.com on Monday.

The zero-day takes advantage of a timestamp vulnerability affecting IE 7 and 8 on Windows XP and IE 9 on Windows 7, according to the post, which states that a memory access vulnerability designed to work with IE 7 and 8 on Windows XP and Windows 7 is also abused.

“The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages,” according to the post. “Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10.”

via Security forum website targeted in drive-by attack leveraging IE zero-day – SC Magazine.


Mathy Vanhoef: Unmasking a Spoofed MAC Address

Vulnerability Details

When a MAC address is spoofed the driver does not simply update the mainmac register. Instead the mainmac register will still contain the original MAC address, and macmask will contain the bits where the original and spoofed MAC agree (see previous section). The wireless chip will acknowledge frames sent to the spoofed MAC addresses, and the operating system will include the spoofed MAC address in all packets, so everything will seem to work properly. Unfortunately this method allows an attacker to uncover the original MAC address bit by bit (given the spoofed MAC address). Specifically we can determine the value of any bit of the original MAC address as follows:

Flip the bit in the spoofed MAC address and send a packet to the modified MAC address.

We now have two cases:

The device replies with an ACK: This means the mask for this bit is zero, thus the bit in the spoofed MAC address was different from the original MAC address.

The device doesn’t reply: This means the mask for this bit is one, so the bit we are guessing was identical to the bit in the spoofed MAC address.

By doing this for each bit, we eventually learn the complete original MAC address.

The vulnerability has been successfully exploited against AR7010 and AR9271 chipsets (which use the ath9k_htc driver) under following operating systems:

Debian 7.2.0 amd64 and i386

Kali 1.0.5 amd64 and i386

Ubuntu 13.10 amd64 and i386

The ath5k, ath9k, and ath10k drivers might also be vulnerable, but I cannot perform tests against these drivers because I do not have the appropriate hardware. Other drivers capable of creating multiple virtual interfaces with different MAC addresses on a single device might also be susceptible to the same vulnerability (so feel free to test your device and post results).

Exploit

A proof of concept has been implemented in python using scapy. Given a MAC address that you suspect to be spoofed the tool will attempt to uncover the original MAC address. In case the tool returns the same MAC address as you entered, it means the target is not susceptible to the attack, or that the target is using the default MAC address of the device.

Patch

We are not yet aware of an official patch (the ath9k-devel mailing list has been notified of this issue).

Final Remarks

Though spoofing a MAC address can be done securely by simply updating mainmac, an attacker can use the same technique to learn that two virtual MAC addresses actually belong to the same user. So if you put up several virtual interfaces (possibly with random MAC addresses) they can be easily linked back together (again, that’s if your device uses a method similar to the one described above). This flaw is inherent to usage of macmask and, at first sight, seems difficult to fix.

via Mathy Vanhoef: Unmasking a Spoofed MAC Address.
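To make the mainmac/macmask mechanism, the bit-by-bit recovery from the Vulnerability Details section and the interface-linking remark concrete, here is an added example that is not Mathy Vanhoef's scapy proof of concept. The `Device` class is a software model of the receive filter as the post describes it (one mainmac, a macmask with a 1 wherever mainmac and every configured address agree, ACK on a masked match); that model, and the names `recover_original`, `tolerated_bits` and `same_device`, are this example's own assumptions. Over the air the `acks` callback would be a send-frame-and-wait-for-ACK; here it is the simulator, so everything runs offline. The linking check generalises the final remarks: two observed addresses are treated as one device when every bit in which they differ is an unmasked bit for both of them.

```python
"""Model of the macmask receive filter and the MAC-recovery attack (added example)."""

MAC_BITS = 48
MASK_ALL = (1 << MAC_BITS) - 1


def mac_to_int(mac):
    """'00:11:22:33:44:55' -> 0x001122334455"""
    return int(mac.replace(":", ""), 16)


def int_to_mac(value):
    return ":".join("%02x" % ((value >> shift) & 0xFF) for shift in range(40, -1, -8))


class Device:
    """Simulated wireless chip (assumed model of the behaviour in the post).

    mainmac always keeps the burned-in address. macmask has a 1 in every bit
    where mainmac and all configured (spoofed or virtual) addresses agree. A
    frame is acknowledged when its destination matches mainmac on every
    masked bit, which is why every configured address still gets its ACKs.
    """

    def __init__(self, original):
        self.mainmac = mac_to_int(original)
        self.macmask = MASK_ALL          # not spoofing: exact match only

    def configure(self, *addresses):
        mask = MASK_ALL
        for addr in addresses:
            mask &= ~(self.mainmac ^ mac_to_int(addr)) & MASK_ALL
        self.macmask = mask

    def acks(self, dst):
        return (mac_to_int(dst) & self.macmask) == (self.mainmac & self.macmask)


def tolerated_bits(addr, acks):
    """Bit positions where a single flipped bit in `addr` is still ACKed.

    These are exactly the zero bits of macmask. `acks(addr)` is the probe:
    with scapy it would be a send-and-wait-for-ACK, here it is Device.acks.
    """
    base = mac_to_int(addr)
    return {b for b in range(MAC_BITS) if acks(int_to_mac(base ^ (1 << b)))}


def recover_original(spoofed, acks):
    """The attack from the post, one bit at a time.

    ACK after flipping a bit: mask bit is 0, so the spoofed bit differs from
    the original and the original bit is the flipped value. No ACK: the bits
    agree. A target that is not spoofing (mask all ones) tolerates no flips,
    so the input comes back unchanged, as the Exploit section describes.
    """
    original = mac_to_int(spoofed)
    for bit in tolerated_bits(spoofed, acks):
        original ^= 1 << bit
    return int_to_mac(original)


def same_device(addr_a, addr_b, acks):
    """Final-remarks check (this example's generalisation).

    Two addresses sit on one macmask-based device only if every bit in which
    they differ is unmasked for both of them. Two unrelated stations using
    their default addresses tolerate no flips at all and are not linked.
    """
    differing = mac_to_int(addr_a) ^ mac_to_int(addr_b)
    diff_bits = {b for b in range(MAC_BITS) if (differing >> b) & 1}
    return diff_bits <= tolerated_bits(addr_a, acks) and \
        diff_bits <= tolerated_bits(addr_b, acks)


if __name__ == "__main__":
    # Constructed addresses; nothing here is a real device.
    dev = Device("00:11:22:33:44:55")
    dev.configure("de:ad:be:ef:ca:fe")           # spoofed address in use
    print("recovered:", recover_original("de:ad:be:ef:ca:fe", dev.acks))

    multi = Device("00:11:22:33:44:55")
    multi.configure("02:aa:aa:aa:aa:01", "02:bb:bb:bb:bb:02")
    print("linked:", same_device("02:aa:aa:aa:aa:01", "02:bb:bb:bb:bb:02", multi.acks))
```

Against real hardware the probe in `tolerated_bits` is the expensive part: 48 frames per address, each needing an ACK timeout, so a field tool should retry lost probes before concluding that a bit is masked, otherwise a single dropped ACK flips a bit of the recovered address.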
