
Submission + - Microsoft Delays February Patch Tuesday Indefinitely (sans.edu)

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how exactly the new format is going to work, with no more simple bulletin summary and with patches being released as large monolithic updates.

Submission + - New 0-Day Exploit Affecting All Windows Versions Including Windows 10 (sans.edu)

UnderAttack writes: The Internet Storm Center is reporting that a new 0-day exploit was released to GitHub that causes current versions of Windows, including Windows 10, to crash. The exploit does require SMBv3, which is not supported on older versions of Windows, so your Windows XP system is likely still safe. The sad part is that this is a very simple missing length check, something that should have been avoided if any kind of QC had been done on the code.

Submission + - SPAM: Realtors Targeted in Phishing Scams

UnderAttack writes: The SANS Internet Storm Center has an interesting story about how realtors are being targeted in phishing scams lately. The bad part is that these phishing e-mails are very plausible, and pretty much fly in the face of common security awareness training. The attacker will first send some benign messages to introduce themselves, then later the phishing e-mail. The problem: realtors often deal with large wire transfers, and the attacker can now redirect that money with a simple e-mail sent as the realtor. This, and recent ransomware attacks where the attacker first calls the victim to tell them about the attachment they are about to receive, make it very hard to come up with meaningful awareness training.

Submission + - "Domaincop" malicious abuse notifications (sans.edu)

UnderAttack writes: An outfit by the name of "domaincops.net" apparently harassed domain owners with malware-loaded spam. The spam claimed to include an abuse notification, and the domain name "domaincops.net" made it more plausible. Properly DKIM signed, these notes may even have slipped through many spam filters, and the site was (while it was still up) protected by Cloudflare.

Submission + - Thieves Find New Ways to Bypass iOS Activation Lock (sans.edu)

UnderAttack writes: Apple's efforts to make its products jailbreak-proof are often justified as attempts to secure the product from theft. For example, the iOS activation lock appears to have caused a significant drop in the number of stolen iOS devices. But thieves are adapting, and finding ways to bypass activation lock with some nifty social engineering and phishing tricks. This article summarizes some of the tricks that thieves are currently employing.

Submission + - The Dark Side Of Certificate Transparency (sans.edu)

UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good reconnaissance source.

Submission + - Hiding Commands in AAAA DNS Records for Covert Command and Control Channels (sans.edu)

UnderAttack writes: DNS makes for a great command and control channel. Pretty much all systems are able to reach the global DNS infrastructure via recursive name servers. The other advantage of DNS is that any operating system includes tools to perform DNS lookups on the command line. To exfiltrate data, a simple "A" record lookup for a hostname like 4111111111111111.evilexample.com can be used to exfiltrate a credit card number. But to send commands back to the system, many covert channels use "TXT" records, which are much less common and easily detected or blocked.

The script presented here uses a simple bash script to instead encode commands in AAAA records, and uses them to send commands back to the compromised systems. AAAA records hold 16 bytes per record, and because they are displayed in hex, they are easily decoded with tools like xxd.
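The encoding the submission describes, as an added example that is not the ISC's bash script: a Python re-implementation that packs a command into AAAA records (16 bytes each, exactly the bytes xxd would print on the receiving end), reassembles them, and adds the defender-side check a practitioner would want, a heuristic for spotting AAAA answers that are really ASCII. The one-byte sequence number per record (leaving 15 payload bytes), the zero padding, and the printable-ASCII threshold are design choices of this example, not details from the original.

```python
"""Command and control over AAAA records, as a worked example.

Not the ISC bash script: a Python re-implementation of the idea.  Assumed
here (not in the original): one sequence byte per record so answers that
arrive reordered (round-robin resolvers) can be reassembled, 15 payload
bytes per record, zero padding, and a printable-ASCII ratio as the
detection heuristic.
"""
import ipaddress

RECORD_BYTES = 16                  # an AAAA record carries exactly 16 bytes
PAYLOAD_BYTES = RECORD_BYTES - 1   # first byte is the sequence number (assumption)


def encode_command(cmd: str) -> list:
    """Split a command into AAAA records, returned as IPv6 address strings."""
    data = cmd.encode()
    records = []
    for seq, off in enumerate(range(0, len(data), PAYLOAD_BYTES)):
        if seq > 0xFF:
            raise ValueError("command too long for a one-byte sequence number")
        chunk = data[off:off + PAYLOAD_BYTES].ljust(PAYLOAD_BYTES, b"\x00")
        records.append(str(ipaddress.IPv6Address(bytes([seq]) + chunk)))
    return records


def record_hex(record: str) -> str:
    """The 16 raw bytes of one record as hex, i.e. what `xxd -p` shows on the client."""
    return ipaddress.IPv6Address(record).packed.hex()


def decode_records(records) -> str:
    """Reassemble a command from AAAA records received in any order."""
    chunks = {}
    for rec in records:
        raw = ipaddress.IPv6Address(rec).packed   # 16 bytes, sequence byte first
        chunks[raw[0]] = raw[1:]
    payload = b"".join(chunks[seq] for seq in sorted(chunks))
    return payload.rstrip(b"\x00").decode()


def looks_like_covert_aaaa(record: str, min_bytes: int = 6, ratio: float = 0.8) -> bool:
    """Defender heuristic: real IPv6 addresses rarely decode to mostly printable ASCII.

    Zero bytes are ignored so that both padding and the '::' runs of genuine
    addresses do not skew the ratio; very short non-zero content is not judged.
    """
    raw = ipaddress.IPv6Address(record).packed
    nonzero = [b for b in raw if b]
    if len(nonzero) < min_bytes:
        return False
    printable = sum(1 for b in nonzero if 0x20 <= b <= 0x7E)
    return printable / len(nonzero) >= ratio


if __name__ == "__main__":
    cmd = "uname -a; id"
    recs = encode_command(cmd)
    for r in recs:
        flag = "suspicious" if looks_like_covert_aaaa(r) else "ok"
        print(f"{r:40} {record_hex(r)} {flag}")
    # Deliberately feed the records back in reverse order.
    print(decode_records(reversed(recs)))
```

Anything on the resolution path (a resolver log, a passive DNS sensor) can run the last function over every AAAA answer; the trade-off is that a busy zone with many hosts would need a per-domain baseline rather than a fixed ratio.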

Submission + - Attacks against Juniper Firewalls Well Under Way (sans.edu)

UnderAttack writes: The SANS Internet Storm Center is reporting that it is seeing a big increase in connections to its honeypots using the Juniper backdoor password. They are also looking for volunteers who are willing to provide Juniper devices as honeypots.

Submission + - Learn More About Who Is Attacking You (sans.edu)

UnderAttack writes: Firewall and similar logs can be hard to understand, and it is difficult to figure out which IP addresses are "good" or "bad". A new tool will make it pretty easy to better understand your logs, by just copy/pasting them. The "Color My Logs" tool will color IP addresses based on their risk level and provide more details about each IP address. Pretty nice free tool, and written with privacy in mind.

Submission + - Firefox and Safari Still Render Mixed Language International Domain Names (xn--comindex-634g.jp)

UnderAttack writes: As soon as registrars allowed domain names with non-English characters to be registered, security experts noted that it would be possible to create look-alike domain names. A domain name like "example.com" may be registered using the Russian letter "a" instead of the English one, creating a domain that looks confusingly similar. Internet Explorer and Google Chrome decided in response not to show international characters if the domain name uses a mix of different languages. Firefox, on the other hand, uses a long whitelist of top-level domains for which it displays international characters (e.g. .org is on the list, but not .com). The result is that users of these browsers can still be fooled into trusting look-alike sites. The SANS Internet Storm Center has now set up a neat test page to experiment with. The domain name used is "com/index.jp". The "/" is a Japanese character, but its similarity to the English slash allows one to impersonate arbitrary .com domains.
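The two display policies the submission contrasts, as an added example that is not code from the ISC or from any browser: a Firefox-style TLD whitelist decides purely on the TLD, while an IE/Chrome-style mixed-script rule looks at the characters inside each label. The example also shows why a pure script check is not enough: punctuation look-alikes belong to no script and pass it, so a small confusable table is added. Assumptions not in the original: the toy whitelist, the classifier that derives a script from the prefix of the Unicode character name, the allowed same-language script mixes (loosely modeled on browser policy), the confusable table, and the use of U+FF0F FULLWIDTH SOLIDUS as a stand-in for the page's "Japanese slash", whose exact code point the page does not give. The Cyrillic example label is the one the submission describes.

```python
"""Homograph checks for internationalized domain names, as a worked example.

Not code from the ISC or any browser.  Assumptions, not from the original:
the toy TLD whitelist, the name-prefix script classifier, the allowed
same-language script mixes, the constructed confusable-punctuation table,
and U+FF0F as the stand-in for the page's Japanese slash character.
"""
import unicodedata

# Script names as they appear at the start of unicodedata.name(); anything
# else (digits, hyphen, fullwidth punctuation, ...) is script-neutral "Common".
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                 "CJK", "HIRAGANA", "KATAKANA", "HANGUL", "BOPOMOFO", "THAI"}

# Script mixes that are normal within one language (assumption, loosely
# modeled on browser policy): Japanese, Korean, Chinese with Bopomofo.
ALLOWED_MIXES = [{"CJK", "HIRAGANA", "KATAKANA"}, {"CJK", "HANGUL"}, {"CJK", "BOPOMOFO"}]

# Constructed table: "Common"-script characters that pass a pure script
# check but imitate ASCII punctuation (fullwidth solidus, division slash,
# fullwidth full stop, one dot leader).
CONFUSABLE_PUNCT = {"\uff0f": "/", "\u2215": "/", "\uff0e": ".", "\u2024": "."}

# Toy stand-in for Firefox's TLD whitelist (the real list is much longer).
TLD_WHITELIST = {"org", "jp", "de"}


def to_unicode(host: str) -> str:
    """Decode xn-- labels to Unicode; a host that is already Unicode is returned as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host


def script_of(ch: str) -> str:
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in KNOWN_SCRIPTS else "Common"


def is_mixed_script(label: str) -> bool:
    """True if a label mixes scripts that do not belong together in one language."""
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) <= 1:
        return False
    return not any(scripts <= mix for mix in ALLOWED_MIXES)


def confusables(label: str) -> list:
    """Common-script characters in the label that imitate ASCII punctuation."""
    return [(c, CONFUSABLE_PUNCT[c]) for c in label if c in CONFUSABLE_PUNCT]


def firefox_style(host: str) -> str:
    """Display Unicode iff the TLD is whitelisted, whatever the labels contain."""
    tld = to_unicode(host).rsplit(".", 1)[-1].lower()
    return "unicode" if tld in TLD_WHITELIST else "punycode"


def mixed_script_style(host: str) -> str:
    """Display Unicode only if no label mixes scripts or carries a confusable."""
    for label in to_unicode(host).split("."):
        if is_mixed_script(label) or confusables(label):
            return "punycode"
    return "unicode"


if __name__ == "__main__":
    # xn--exmple-4nf is "example" with a Cyrillic a (U+0430) in place of the Latin one.
    for host in ["example.com", "xn--exmple-4nf.com", "xn--exmple-4nf.org",
                 "com\uff0findex.jp", "\u6771\u4eac\u3068.jp"]:
        print(f"{to_unicode(host)!r:28} firefox={firefox_style(host):8} "
              f"mixed={mixed_script_style(host)}")
```

Run stand-alone, the table shows the gap the submission points at: the Cyrillic look-alike is rendered as Unicode under the whitelist policy as soon as it sits under a whitelisted TLD such as .org, and the fullwidth-slash host under .jp passes the whitelist and a pure script check alike, which is why the confusable table is needed in addition to the mixed-script rule.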

Submission + - Netatmo Weather Station Sends WPA Password To Manufacturer (sans.edu)

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear.

Submission + - DVRs Used to Attack Synology Disk Stations and Mine Bitcoin (sans.edu)

UnderAttack writes: The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations that are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device.

Submission + - Linksys Routers Exploited by "TheMoon" (sans.edu)

UnderAttack writes: A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this "worm".
