Submission + - Attacks against Juniper Firewalls Well Under Way (sans.edu)

UnderAttack writes: The SANS Internet Storm Center is reporting that it is seeing a big increase in connections to its honeypots using the Juniper backdoor password. They are also looking for volunteers who are willing to provide Juniper devices as honeypots.

Submission + - Learn More About Who Is Attacking You (sans.edu)

UnderAttack writes: Firewall and similar logs can be hard to understand, and it is difficult to figure out which IP addresses are "good" or "bad". A new tool will make it pretty easy to better understand your logs, by just copy/pasting them. The "Color My Logs" tool will color IP addresses based on their risk level and provide more details about each IP address. Pretty nice free tool, and written with privacy in mind.

Submission + - Firefox and Safari Still Render Mixed Language International Domain Names (xn--comindex-634g.jp)

UnderAttack writes: As soon as registrars allowed domain names with non-English characters to be registered, security experts noted that it would be possible to create look-alike domain names. A domain name like "example.com" may be registered using the Russian letter "a" instead of the English one, creating a domain that looks confusingly similar. Internet Explorer and Google Chrome decided in response not to show international characters if the domain name uses a mix of different languages. Firefox, on the other hand, uses a long white list of top-level domains for which it displays international characters (e.g. .org is on the list, but not .com). The result is that users of these browsers can still be fooled into trusting look-alike sites. The SANS Internet Storm Center has now set up a neat test page to experiment with. The domain name used is "com/index.jp". The "/" is a Japanese character, but its similarity to the English slash allows one to impersonate arbitrary .com domains.
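As an added illustration (not code from the SANS page or from the submission), a small Python check in the spirit of the mixed-language rule described above: it decodes the page's punycode test domain, flags any label that mixes scripts, and falls back to the punycode form for display. The character-name-based script mapping and the list of allowed script combinations are simplifying assumptions of this example, not any browser's exact policy.

```python
import unicodedata

# Script sets that may legitimately share one label (simplified assumption
# for this example; real browser policies are more detailed).
ALLOWED_COMBINATIONS = [
    {"LATIN"},
    {"CYRILLIC"},
    {"GREEK"},
    {"HIRAGANA", "KATAKANA", "CJK"},  # Japanese
    {"HANGUL", "CJK"},                # Korean
    {"CJK"},
]


def script_of(ch):
    """Approximate a character's script from its Unicode name (first word)."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used in one domain label, ignoring digits and hyphens."""
    return {script_of(ch) for ch in label.lower()} - {"COMMON"}


def is_mixed_script(label):
    """True when the label mixes scripts in a way no allowed combination covers."""
    scripts = label_scripts(label)
    if len(scripts) <= 1:
        return False
    return not any(scripts <= allowed for allowed in ALLOWED_COMBINATIONS)


def to_unicode(domain):
    """Decode xn-- (punycode) labels to Unicode; pass Unicode input through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain


def safe_display(domain):
    """Return (display form, flagged labels): Unicode if every label is clean,
    otherwise the punycode (ASCII) form, mirroring the IE/Chrome behaviour."""
    unicode_form = to_unicode(domain)
    ascii_form = unicode_form.encode("idna").decode("ascii")
    flagged = [lbl for lbl in unicode_form.split(".") if is_mixed_script(lbl)]
    return (ascii_form if flagged else unicode_form), flagged


if __name__ == "__main__":
    # Constructed samples: the page's test domain, a look-alike "example.com"
    # whose first "a" is CYRILLIC SMALL LETTER A (U+0430), and a clean name.
    for sample in ["xn--comindex-634g.jp", "ex\u0430mple.com", "example.com"]:
        print(sample, "->", safe_display(sample))
```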

Submission + - Netatmo Weather Station Sends WPA Password To Manufacturer (sans.edu)

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear.

Submission + - DVRs Used to Attack Synology Disk Stations and Mine Bitcoin (sans.edu)

UnderAttack writes: The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations that are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device.

Submission + - Linksys Routers Exploited by "TheMoon" (sans.edu)

UnderAttack writes: A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this "worm".

Submission + - Scammers Intercept E-Mail in Targeted Attacks (sans.edu)

UnderAttack writes: In the old days, financial fraud usually relied on banking malware like Zeus. But as organizations become more aware of these threats, scammers bypass all the fancy anti-malware tools by going straight to the person with the money. In this case documented by the Internet Storm Center, a scammer was able to view/intercept an e-mail exchange about a payment, and slipped in a note requesting the account number for the payment to be updated. These scams become more common as miscreants look for new ways to get to a company's money.

Submission + - Uptick in TOR traffic: More Privacy or more Malware? (sans.edu)

An anonymous reader writes: A number of sources commented on the significant uptick in TOR users in the middle of August. The uptick coincided with yet another set of leaks from Edward Snowden about internet wide spying, and the release of some new privacy tools. But can this explain the uptick? Or is it just some new malware that uses TOR as a C&C channel?
Security

Submission + - Why you should wipe the drive after a compromise (sans.edu)

UnderAttack writes: "After a malware infection, or a compromise of the system in a more targeted attack, there is always a push to get "back into business" as quickly as possible. The malware artifact is quickly removed and the system is put back into service without too much scrutiny. Sadly, this way backdoors and other hidden gifts the attacker left behind are frequently overlooked. The result is that the system is compromised again quickly. The only real solution is wiping the drive and starting from scratch (and hoping that you have decent backups). This two-part series by Mark Bagget makes this point by outlining some of the tricks an attacker may use to hide backdoors and to have them automatically executed on a system. Part 1 talks about how to usurp the Windows update process to reinstall malware, and Part 2 shows how to use the unescaped space bug and the service restart tool to get the malware to start."
Networking

Submission + - Is your network managed by a "Slumlord"? (forbes.com)

UnderAttack writes: "The “Section 8 Bible”, a must read book for aspiring landlords, introduces a simple rule to deal with broken equipment in the apartment: If law does not require it, remove it. Don’t fix it. For example, interior doors are not necessarily required and can be removed. Network security professionals frequently follow similar guidance: If there is no business requirement, disable it. The rule assumes that minimizing features minimizes exposure. The fewer lines of code we run, the less likely are we going to be vulnerable to a bug.

How valid is slumlord network security? Can it really protect a network? Does it do more harm than good?"

Government

Submission + - A Reporter's Doubts About AntiSec's Claim of Hacking Apple Data from FBI (cio.com)

Curseyoukhan writes: "AntiSec says they got it from Christopher K. Stangl, an agent featured in a 2009 recruitment video titled “Wanted by the FBI: Cyber Security Experts.” Not saying it didn't happen but the irony level is so high it should make you suspicious. That's not the only oddly perfect claim AntiSec made, either."

Comment Report it to DShield.org (Score 5, Informative) 241

"Random" attacks can be reported to DShield.org. They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html. Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.

Security

Submission + - Is Your Network Security Guy a "Slumlord"? (forbes.com) 1

UnderAttack writes: "The “Section 8 Bible”, a must read book for aspiring landlords, introduces a simple rule to deal with broken equipment in the apartment: If law does not require it, remove it. Don’t fix it. For example, interior doors are not necessarily required and can be removed. Network security professionals frequently follow similar guidance: If there is no business requirement, disable it. The rule assumes that minimizing features minimizes exposure. The fewer lines of code we run, the less likely are we going to be vulnerable to a bug. Is your network like that? Does it work for or against security?"
Security

Submission + - IPMI: Hack a server that is turned "off" (sans.edu)

UnderAttack writes: "A common joke in infosec is that you can't hack a server that is turned off. You better make sure that the power cord is unplugged too. Otherwise, you may be exposed via IPMI, a component present on many servers for remote management that can be used to flash firmware, get a remote console and power cycle the server even after the normal power button has been pressed to turn the server off."
