Critical BIND vulnerability – Millions of DNS servers around the world affected

Information has surfaced regarding a highly critical, remotely exploitable issue in BIND 9.7, 9.8 and 9.9, affecting millions of DNS servers around the globe. It has been rated Critical; when exploited, it causes a denial of service (DoS).

“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”

Patching this issue should be at the very top of the priority list for anyone running BIND. Note the wording of the advisory: the flaw sits in a library used when BIND is compiled on Unix and related operating systems, so check which build you are running rather than assuming.

More info:

Cisco IOS Multiple DoS Vulnerabilities

Cisco yesterday released information regarding seven denial-of-service vulnerabilities in Cisco IOS.
All of them allow DoS attacks, so upgrading as soon as possible is recommended.

Cisco IOS Software Internet Key Exchange Vulnerability

Cisco IOS Software Smart Install Denial of Service Vulnerability

Cisco IOS Software Zone-Based Policy Firewall Session Initiation

Cisco IOS Software Network Address Translation Vulnerability

Cisco IOS Software Protocol Translation Vulnerability

Cisco IOS Software Resource Reservation Protocol Denial of Service

Cisco IOS Software IP Service Level Agreement Vulnerability

Basefarm SIRT newsletter Week 13

As you can see, this newsletter does not look like the ones before!
From now on, we will post the top 5 links that catch our interest each Friday (or earlier in the week, in case of holidays). Then, in the last week of the month, we will present a more extensive edition in which we go through the major events of the month and present some security tips (much like the previous newsletters).

PS: Those of you who are heading out on the road during the Easter holiday can have a look at this blog post for some tips regarding mobile security:

Top 5 links
Web slows under 300Gbit attack

How I became a password cracker

The Four types of Spam Attacks

DDoS: A Brief History

Spear Phishing Cause of South Korean Cyber Attack

Basefarm SIRT Newsletter 2013-03-22

Year – Week: 2013 – 12

Weekly summary
Multiple South Korean banks and broadcasters were hit by a group of unknown hackers going by the name "Whois Team", and there are, of course, rumours going around that they originate from North Korea.
Following Google's disclosure last week, Microsoft, too, says the FBI is secretly surveilling its customers.
Krebs followed up on the story he released last week about cyber criminals targeting him, disclosing how he tracked the attackers and even interviewed them. NATO also released its Cyber War Manual, detailing the rules that should be followed in future cyber wars. A video has also been floating around showing a perpetrator in Russia who manages to install and run third-party software on an ATM (the software of choice in this case was Angry Birds).

More information:,hacked-atm-plays-angry-birds.aspx

Important Software Security updates
Ruby on Rails

Security tips
Google has released a site with information on what to do if your site has been hacked. It walks through the steps to follow, from contacting your hosting company (beginner) to quarantining your site (intermediate) and identifying the vulnerability that was exploited (advanced).

More information:

Security news
AT&T hacker “Weev” sentenced to 41 months in prison, after obtaining the email addresses of 100,000+ iPad users

TeamSpy snooped on governments, big biz undetected for 10 years

Chameleon botnet grabbed $6m A MONTH from online ad-slingers

California duo charged with selling ready-to-hack Point-of-Sale systems to Subway branches

Researcher sets up illegal 420,000 node botnet for IPv4 internet map

iOS 6.1.3 Released

iOS 6.1.3 has been released and fixes six security issues, for example the lock-screen bypass that let someone partly unlock an iPhone without entering the passcode, and a flaw in WebKit that can be used to execute arbitrary code. It is recommended to update as soon as possible.
You can update by going to Settings, General, Software Update and downloading the latest version.

More information:

Ruby on Rails patched to 3.2.13, 3.1.12, and 2.3.18

New versions of Ruby on Rails have been released. Update the version you are running as soon as possible, so that malicious users cannot exploit one or more of the known vulnerabilities fixed in these releases.

Information from the Rails team:

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

CVE-2013-1854 Symbol DoS vulnerability in Active Record
CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails
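Of the four fixes above, the sanitize helper XSS (CVE-2013-1857) is worth a closer look because the bug class is so common: the helper's check for dangerous URL schemes was applied before HTML entities were decoded, so a `javascript:` link whose colon was written as an entity slipped past it. The example below is added here and is not code from the Rails project or from the original post; the function names, the small entity table, the scheme allowlist and the payload list are all constructed for illustration. It contrasts a naive blocklist on the raw attribute value with a check that first decodes entities, strips the characters browsers ignore inside a scheme, and then allows only a short list of schemes.

```ruby
# Schemes an href may carry; anything else (javascript:, data:, vbscript:, ...)
# is rejected. Scheme-less (relative) URLs are allowed.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Entities a browser expands inside an attribute value. Deliberately small;
# a real sanitizer needs the full HTML entity table. Named references need the
# trailing ';', numeric ones (handled below) do not.
NAMED_ENTITIES = {
  'colon' => ':', 'Tab' => "\t", 'NewLine' => "\n",
  'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'",
}.freeze

# The naive check: a blocklist applied to the raw attribute value. An entity
# encoded colon walks straight past it, because "javascript&#58;alert(1)"
# does not literally start with "javascript:".
def naive_href_safe?(href)
  !href.to_s.strip.downcase.start_with?('javascript:')
end

# Decode character references the way a browser does before it looks at the
# URL: hex and decimal numeric references (with or without ';'), then the
# named ones we know about. Unknown named references are left untouched.
def decode_entities(value)
  value = value.gsub(/&#x([0-9a-f]+);?/i) { n = $1.to_i(16); n > 0x10FFFF ? '' : [n].pack('U') }
  value = value.gsub(/&#(\d+);?/)        { n = $1.to_i;     n > 0x10FFFF ? '' : [n].pack('U') }
  value.gsub(/&([A-Za-z]+);/)            { NAMED_ENTITIES.fetch($1, $&) }
end

# The hardened check. It decides only; it never rewrites the attribute.
def hardened_href_safe?(href)
  decoded = decode_entities(href.to_s)
  # Browsers drop ASCII whitespace and control characters inside a scheme,
  # so "java\tscript:" is still javascript:. Remove them before looking.
  normalized = decoded.gsub(/[\u0000-\u0020]/, '')
  # Everything before the first '/', '?' or '#' is where a scheme can hide.
  head = normalized[/\A[^\/?#]*/]
  # Fail closed: an '&' left in that region is an entity the small decoder
  # above did not recognise, so we cannot say what the browser will see.
  return false if head.include?('&')
  m = head.match(/\A([a-z][a-z0-9+.\-]*):/i)
  return true if m.nil?                  # no scheme at all: a relative URL
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Constructed payloads (not taken from the advisory): [href, should_be_allowed].
PAYLOADS = [
  ['http://example.com/',            true],
  ['https://example.com/?q=a:b&x=1', true],
  ['/relative/path?a=1&b=2',         true],
  ['javascript:alert(1)',            false],
  ['javascript&#58;alert(1)',        false],  # decimal entity for ':'
  ['JaVaScRiPt&#x3A;alert(1)',       false],  # hex entity, mixed-case scheme
  ['javascript&colon;alert(1)',      false],  # named entity
  ["java\tscript:alert(1)",          false],  # tab inside the scheme
  ['javascript&#58alert(1)',         false],  # numeric entity without ';'
  ['data:text/html,<script>',        false],
].freeze

# Returns [payloads the naive check gets wrong, payloads the hardened check
# gets wrong], so the difference between the two is visible.
def compare_checkers(payloads = PAYLOADS)
  naive    = payloads.reject { |href, ok| naive_href_safe?(href) == ok }.map(&:first)
  hardened = payloads.reject { |href, ok| hardened_href_safe?(href) == ok }.map(&:first)
  [naive, hardened]
end

if __FILE__ == $PROGRAM_NAME
  naive, hardened = compare_checkers
  puts "naive check gets wrong:    #{naive.inspect}"
  puts "hardened check gets wrong: #{hardened.inspect}"
end
```

The allowlist plus the fail-closed rule is the point: a blocklist has to enumerate every spelling of every dangerous scheme, while an allowlist only has to recognise the few you want, and anything it cannot parse is rejected. For real applications, keep using the framework's own sanitizer at a patched version rather than a hand-rolled check like this one.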


OS X v10.8.3, Security Update 2013-001 and Safari 6.0.3 (WebKit)

Apple has released OS X v10.8.3, Security Update 2013-001 and Safari 6.0.3 (including its WebKit component) to address multiple vulnerabilities. These could allow remote attackers to execute arbitrary code, bypass authentication, leverage further attacks, cause a denial of service or obtain sensitive information; several can be triggered by visiting a maliciously crafted website. It is recommended that you update to the latest versions through Software Update.

More information:

Basefarm SIRT Newsletter 2013-03-15

Year – Week: 2013 – 11

Weekly summary
The big headlines this week have been how security expert Brian Krebs was targeted by criminals who, amongst other things, took down his site and had police raid his house. Google has also released information on how the FBI is secretly spying on some of its customers, and a Reuters editor has been indicted for allegedly helping hackers break into Tribune Co. Facebook also released information on why the attack against it had less impact than it could have had, thanks to the preparations they had made for exactly these occurrences.

Important Software Security updates
Adobe Flash Player

Security tips
This week's tip is to turn on "click-to-play" in your browser. A Flash video or Java applet on a web page then runs only after you click it and confirm that you want it to run, so hidden Flash objects or Java applets that could compromise your computer no longer launch automatically.

More information:

Security news
Security expert Brian Krebs targeted by angry criminals out for revenge – causing simultaneous fake take-down letters to his ISP, a DDoS of his website and a fake distress call leading to an armed police raid of his home.

Crown casino hi-tech scam nets $32 million

February 2013 Cyber Attacks Statistics

Researchers Find 25 Countries Using Surveillance Software

Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat

Adobe Flash Player 11.6.602.171 for Windows and Adobe Flash Player for Linux

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player and earlier versions for Linux, Adobe Flash Player and earlier versions for Android 4.x, and Adobe Flash Player and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions.

More information:

Basefarm SIRT Newsletter 2013-03-08

Year – Week: 2013 – 10

Weekly summary
Evernote was the highest-profile victim of an attack this week. The attack on their systems meant that 50 million account names and encrypted passwords were stolen.
The USA has also become the world's leading spam relayer. This most likely does not mean that a kingpin spammer sits in the USA; what it shows is that a large number of hijacked computers there are being used for relaying. The USA is not the most malware-infected country (China was, in 2012, according to PandaLabs), but US IP addresses are less likely to be blacklisted, and connections between email providers are likely to be faster from the USA than from China.
More information about the zero-day-exploiting malware MiniDuke has also surfaced. It appears that MiniDuke has been running its cyber-espionage campaign since around mid-2011, and appears to have targeted governments in countries such as Belgium, the United States and Ireland.
The Dubai Police made arrests this week in connection with a cyber crime gang that was able to transfer more than $2m from Dubai exchange companies' accounts, while Bank Muscat in Oman was hit by a $39m ATM cash-out heist, which most likely happened because the attackers were able to duplicate a set of pre-paid travel cards.
The first couple of days of Pwn2Own have also taken place. Pwn2Own, co-sponsored by HP this year, is a yearly competition in which security researchers attempt to be the first to exploit a given piece of software, with prize money for doing so. So far, over $270K has been paid out to people who managed to exploit IE10, Chrome 25, Firefox 19 and Java 7.


Important Software Security updates

Security tips
We would like to remind everyone of the importance of not reusing any of your passwords. Doing so can cost you a great deal.
Let's say I use the same password for my email account Z and for Website X.
I signed up to Website X with my email address, so if Website X is hacked and my password recovered (it is not even certain the site stored it hashed rather than in the clear), the attackers can log in to my email account as well.
With access to my email account they could, for example, gain access to other services by requesting password resets, or impersonate me and send out malware.

This is one of the reasons why we suggest that you create complex and unique passwords for every site you use.
It is understandable that you cannot remember these kinds of passwords, but there are tools for this, so you only have to remember one single passphrase to unlock your password vault.

My personal preference is 1Password Pro, which has a stand-alone client as well as a web interface. It also has plugins for IE, Chrome and Firefox, which makes signing into accounts a breeze.
Those who prefer free and open source software can use KeePass Password Safe. I believe it lacks a bit of functionality, but it has a lot of plugins/extensions that you can use to extend it.
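To make the two halves of the tip concrete, here is an added example (not code from the original post or from either password manager named above): a reuse audit that you could run over an export from your vault, which groups accounts by password and reports every password shared by more than one site, plus a generator that draws a unique replacement from the OS CSPRNG with at least one character of every class. The function names, the character classes and the sample vault are constructed for this example; the sample credentials are not real.

```ruby
require 'securerandom'

# Character classes every generated password must draw from.
CLASSES = {
  lower:  ('a'..'z').to_a,
  upper:  ('A'..'Z').to_a,
  digit:  ('0'..'9').to_a,
  symbol: %w[! @ # $ % ^ & * - _ = + ? . , : ;],
}.freeze

# Generate a password of +length+ characters from the OS CSPRNG that contains
# at least one character from each class. The class-guaranteeing characters
# are shuffled in (with the CSPRNG) so they are not always at the front.
def generate_password(length = 20)
  raise ArgumentError, "length must be >= #{CLASSES.size}" if length < CLASSES.size
  pool  = CLASSES.values.flatten
  chars = CLASSES.values.map { |set| set[SecureRandom.random_number(set.size)] }
  chars << pool[SecureRandom.random_number(pool.size)] while chars.size < length
  chars.shuffle(random: SecureRandom).join
end

# True when the password contains at least one character of every class.
def covers_all_classes?(password)
  CLASSES.values.all? { |set| password.chars.any? { |c| set.include?(c) } }
end

# Given entries of the form { site:, password: } (for example a vault export),
# return { password => [sites...] } for every password shared by more than one
# site. Comparison is on the exact string; a reused password is a reused
# password regardless of which site was breached first.
def find_reused(accounts)
  accounts.group_by { |a| a[:password] }
          .select { |_pw, entries| entries.size > 1 }
          .transform_values { |entries| entries.map { |a| a[:site] }.sort }
end

# Constructed sample vault: the email account shares its password with a
# shopping site, which is exactly the chain described in the tip above.
SAMPLE_VAULT = [
  { site: 'mail.example', password: 'Summer2013!' },
  { site: 'shop.example', password: 'Summer2013!' },
  { site: 'bank.example', password: 'x7#Qp2!vLm9&Rt4z' },
].freeze

if __FILE__ == $PROGRAM_NAME
  # Report which sites need a new password, without echoing the passwords.
  find_reused(SAMPLE_VAULT).each do |_pw, sites|
    puts "same password on: #{sites.join(', ')} -> give each its own"
  end
  replacement = generate_password(20)
  puts "example replacement covers all classes: #{covers_all_classes?(replacement)}"
end
```

Run the audit over a real export only on a machine you trust, and delete the export afterwards; the plaintext list is as sensitive as the vault itself.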

More information:

Security links
16-28 February 2013 Cyber Attacks Timeline

Hacking the Mind: How & Why Social Engineering Works

The web won’t be safe or secure until we Break it

Jailed cybercriminal hacked into his own prison’s computer system after being put in IT class

The Life Cycle of Web Server Botnet Recruitment

Security Blogger Award Winners 2013