Critical BIND vulnerability – Millions of DNS servers around the world affected

Information regarding a highly critical remote BIND issue affecting versions 9.7, 9.8 and 9.9 has surfaced, affecting millions of DNS servers around the globe. It has been rated Critical and is remotely exploitable; when exploited, it causes a denial of service (DoS).

“A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.”

Patching this issue should be on the absolute top of the priority list for anyone running BIND.

More info: https://kb.isc.org/article/AA-00871

Cisco IOS Multiple DoS Vulnerabilities

Cisco released information yesterday on seven DoS vulnerabilities in Cisco IOS.
All of them enable denial-of-service attacks, so it’s recommended to upgrade as soon as possible.

Cisco IOS Software Internet Key Exchange Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ike

Cisco IOS Software Smart Install Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall

Cisco IOS Software Zone-Based Policy Firewall Session Initiation
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-cce

Cisco IOS Software Network Address Translation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat

Cisco IOS Software Protocol Translation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-pt

Cisco IOS Software Resource Reservation Protocol Denial of Service
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp

Cisco IOS Software IP Service Level Agreement Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ipsla

Basefarm SIRT newsletter Week 13

As you can see, this newsletter does not look like the ones before!
From now on, we will post the top 5 links that catch our interest each Friday (or earlier in the week, in case of holidays). Then, in the last week of the month, we will present a more extensive newsletter where we go through the major events of the month and present some security tips (much like the previous newsletters).

PS: Those of you who are heading out on the road during the Easter holiday can have a look at this blog post for some tips regarding mobile security: http://blog.basefarm.com/blog/2012/12/21/mobile-security/

Top 5 links
Web slows under 300Gbit attack
http://www.telegraph.co.uk/technology/internet-security/9957063/Web-slows-under-biggest-attack-ever.html
http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/
http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

How I became a password cracker
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

The Four types of Spam Attacks
http://www.impermium.com/blog/the-four-types-of-spam-attacks

DDoS: A Brief History
http://blog.fortinet.com/ddos-a-brief-history/

Spear Phishing Cause of South Korean Cyber Attack
http://threatpost.com/en_us/blogs/spear-phishing-cause-south-korean-cyber-attack-032513

Basefarm SIRT Newsletter 2013-03-22

BF-SIRT NEWSLETTER
Year – Week: 2013 – 12
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly summary
Multiple South Korean banks and broadcasters were hit by a group of unknown hackers going by the name of “Whois Team”, and there are of course rumors going around that they originate from North Korea.
Following the remark made by Google last week, Microsoft too says the FBI is secretly surveilling its customers.
Krebs followed up on the story he released last week about cyber criminals targeting him, disclosing how he tracked the attackers and even interviewed them. NATO also released its Cyber War Manual, detailing rule sets that should be followed in future cyber wars. A video has also been floating around showing a perpetrator in Russia who manages to install and run third-party software on an ATM (the software in this case was Angry Birds).

More information:
http://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/
http://www.infosecurity.us/2013/03/nato-ccd-coe-tallinn-cyber-war-manual.html
http://www.scmagazine.com.au/News/334005,hacked-atm-plays-angry-birds.aspx
http://www.wired.com/threatlevel/2013/03/microsoft-nsl-revelation/
http://www.nknews.org/2013/03/south-korean-banks-broadcasters-paralyzed-by-cyber-attack/

Important Software Security updates
OS X
Ruby on Rails
iOS

Security tips
Google has released a site with information on what to do if your site has been hacked. It goes through the steps to follow and touches on topics ranging from contacting your hosting company (beginner) to quarantining your site (intermediate) and identifying the vulnerability (advanced).

More information: http://www.google.com/webmasters/hacked/

Security news
AT&T hacker “Weev” sentenced to 41 months in prison, after obtaining the email addresses of 100,000+ iPad users
http://nakedsecurity.sophos.com/2013/03/19/att-hacker-weev-prison/

TeamSpy snooped on governments, big biz undetected for 10 years
http://www.theregister.co.uk/2013/03/21/teamspy_cyber_espionage/

Chameleon botnet grabbed $6m A MONTH from online ad-slingers
http://www.theregister.co.uk/2013/03/19/chameleon_botnet/

California duo charged with selling ready-to-hack Point-of-Sale systems to Subway branches
http://nakedsecurity.sophos.com/2013/03/18/california-duo-charged-with-selling-ready-to-hack-pos-systems/

Researcher sets up illegal 420,000 node botnet for IPv4 internet map
http://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/

iOS 6.1.3 Released

iOS 6.1.3 has been released and fixes six security issues (for example the “partly unlock your iPhone without entering your passcode” issue and a flaw in WebKit that can be used to execute arbitrary code). It’s recommended to update as soon as possible.
You can update by going to Settings, General, Software Update and then download the latest version.

More information:
http://support.apple.com/kb/ht1222
http://nakedsecurity.sophos.com/2013/02/15/unlock-iphone-without-password/

Ruby on Rails patched to 3.2.13, 3.1.12, and 2.3.18

New versions of Ruby on Rails have been released, and the version you are running should be updated as soon as possible to prevent malicious users from exploiting one or more of the known vulnerabilities that are fixed in these releases.

Information from the Rails team:

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

CVE-2013-1854 Symbol DoS vulnerability in Active Record
CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails

Source: http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
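Both the BIND advisory at the top of this page and the Rails announcement above come down to one question for an operator: is the version I am running at or above the patched release for its branch? The script below is an added example (not code from Basefarm, ISC or the Rails team) that answers it for a Gemfile.lock and for the first line of `named -v`. The Rails fixed releases are the ones named in the announcement; the BIND fixed releases are not on this page and must be supplied by the caller from the ISC article, so the script only knows which BIND branches are listed as affected. The Gemfile.lock and `named -v` inputs are constructed samples.

```python
"""Version-gate check for the BIND DoS advisory (branches 9.7, 9.8, 9.9
affected) and the Rails releases 3.2.13, 3.1.12 and 2.3.18.
Added example; not code from Basefarm, ISC or the Rails team."""
import re

# Minimum patched Rails release per branch, as given in the Rails announcement.
RAILS_FIXED = {"3.2": "3.2.13", "3.1": "3.1.12", "2.3": "2.3.18"}

# BIND branches the advisory names as affected. The fixed release for each
# branch is NOT on this page; take it from https://kb.isc.org/article/AA-00871
# and pass it to check_bind() as {branch: fixed_release}.
BIND_AFFECTED_BRANCHES = {"9.7", "9.8", "9.9"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_version(text):
    """'9.9.2-P1' -> (9, 9, 2, 1); '3.2.13' -> (3, 2, 13, 0).

    ISC's -Pn patch suffix becomes a fourth component so that 9.9.2-P2
    sorts above 9.9.2-P1 and 9.9.3 sorts above both.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def branch_of(version):
    """'3.2.12' -> '3.2'."""
    v = parse_version(version)
    return "%d.%d" % (v[0], v[1])


def compare_to_fixed(installed, fixed_by_branch):
    """Classify an installed version against per-branch minimum fixed releases.

    status is 'patched', 'vulnerable' or 'not_listed' (branch not in the table).
    """
    fixed = fixed_by_branch.get(branch_of(installed))
    if fixed is None:
        return {"installed": installed, "fixed": None, "status": "not_listed"}
    status = "patched" if parse_version(installed) >= parse_version(fixed) else "vulnerable"
    return {"installed": installed, "fixed": fixed, "status": status}


def check_rails_gemfile_lock(lock_text):
    """Find the pinned rails gem in a Gemfile.lock and compare it to RAILS_FIXED.

    Only the 'specs:' entry 'rails (x.y.z)' matches; dependency lines such as
    'rails (= x.y.z)' and other gems like 'railties (x.y.z)' are skipped.
    """
    m = re.search(r"^\s+rails \((\d+\.\d+\.\d+)\)\s*$", lock_text, re.M)
    if not m:
        return None
    return compare_to_fixed(m.group(1), RAILS_FIXED)


def check_bind(named_v_output, fixed_by_branch):
    """Parse the first line of `named -v` (e.g. 'BIND 9.9.2-P1') and compare."""
    m = re.search(r"BIND\s+(\d+\.\d+\.\d+(?:-P\d+)?)", named_v_output)
    if not m:
        return None
    installed = m.group(1)
    result = compare_to_fixed(installed, fixed_by_branch)
    # An affected branch for which no fixed release was supplied must not be
    # reported as 'not_listed': flag it so the operator looks it up.
    if result["status"] == "not_listed" and branch_of(installed) in BIND_AFFECTED_BRANCHES:
        result["status"] = "affected_branch_no_fixed_version_given"
    return result


# Constructed sample inputs (not real captures).
SAMPLE_GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.12)
      activesupport (= 3.2.12)
    rails (3.2.12)
      actionpack (= 3.2.12)
      railties (= 3.2.12)
    railties (3.2.12)
"""
SAMPLE_NAMED_V = "BIND 9.9.2-P1\n"

if __name__ == "__main__":
    print(check_rails_gemfile_lock(SAMPLE_GEMFILE_LOCK))
    # Empty table: shows the "affected branch, fixed release unknown" outcome.
    print(check_bind(SAMPLE_NAMED_V, {}))
```

Run it with `python3 check_versions.py` (any file name) to see the two sample results; in practice, feed it the real Gemfile.lock contents and the output of `named -v`, with the BIND fixed releases filled in from the ISC article. Comparing version tuples rather than strings is what makes `9.9.3` correctly rank above `9.9.2-P2`.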

OS X (v10.8.3), Security update 2013-001 and Safari Webkit updated to 6.0.3

Apple has released security updates for OS X (v10.8.3), Security Update 2013-001 and Safari/WebKit 6.0.3 to address multiple vulnerabilities. The vulnerabilities could allow remote attackers to execute arbitrary code, bypass authentication, leverage additional attacks, cause a denial-of-service condition or obtain sensitive information, and visiting a maliciously crafted website could lead to unexpected application termination or arbitrary code execution. It is recommended that you update your software to the latest versions through Software Update.

More information:
http://www.apple.com/softwareupdate/
http://support.apple.com/kb/HT5671
http://support.apple.com/kb/HT5672

Basefarm SIRT Newsletter 2013-03-15

BF-SIRT NEWSLETTER
Year – Week: 2013 – 11
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly summary
The big headlines this week have been how security expert Brian Krebs was targeted by criminals who, amongst other things, took down his site and had police raid his house. Google has also released information on how the FBI is secretly spying on some of its customers, and a Reuters editor has been indicted for allegedly helping hackers break into Tribune Co. Facebook also released information on how the hack against it didn’t have as much impact as it could have had, due to the amount of preparation they had done for such occurrences.

http://threatpost.com/en_us/blogs/how-facebook-prepared-be-hacked-030813
http://www.wired.com/threatlevel/2013/03/google-nsl-range/
http://threatpost.com/en_us/blogs/reuters-editor-indicted-helping-hackers-break-tribune-co-031413

Important Software Security updates
Adobe Flash Player

Security tips
The tip of this week is to turn on “click-to-play”. This means that in order to have a Flash video or Java applet run on a website, you’ll need to press a button to confirm you want to run it. As a result, no hidden Flash objects or Java applets that could cause issues on your computer will launch automatically.

More information: http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/

Security news
Security expert Brian Krebs targeted by angry criminals out for revenge – causing simultaneous fake take-down letters to his ISP, a DDoS of his website and a fake distress call leading to an armed police raid of his home.
http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/

Crown casino hi-tech scam nets $32 million
http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337

February 2013 Cyber Attacks Statistics
http://hackmageddon.com/2013/03/08/february-2013-cyber-attacks-statistics/

Researchers Find 25 Countries Using Surveillance Software
http://bits.blogs.nytimes.com/2013/03/13/researchers-find-25-countries-using-surveillance-software/

Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat
http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/

Adobe Flash Player 11.6.602.171 for Windows and Adobe Flash Player 11.2.202.273 for Linux

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions.

More information:
http://www.adobe.com/support/security/bulletins/apsb13-09.html

Basefarm SIRT Newsletter 2013-03-08

BF-SIRT NEWSLETTER
Year – Week: 2013 – 10
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly summary
Evernote was the highest-profile victim of an attack this week: the attack on their systems meant that 50 million account names and encrypted passwords were stolen.
The USA has also become the world’s leading spam relayer. This most likely doesn’t mean that there is a kingpin spammer in the USA; what it does show is that a large number of hijacked computers there are being used for this. The USA is not the number one malware-infected country (China was in 2012, according to PandaLabs), but there are other reasons, such as US IP addresses being less likely to be blacklisted, and connection speeds between email providers likely being higher from the USA than from China.
More information about the zero-day-exploiting malware MiniDuke has also surfaced. It appears that MiniDuke has been running its cyber-espionage campaign since around mid-2011, and appears to have targeted governments in countries such as Belgium, the United States and Ireland.
The Dubai Police made arrests this week in connection with a cyber crime gang who were able to transfer more than $2m from Dubai exchange companies’ accounts, while Bank Muscat in Oman was hit by a $39m ATM cash-out heist which most likely happened because the hackers were able to duplicate a set of pre-paid travel cards.
The first couple of days of Pwn2Own have also taken place. Pwn2Own, which is co-sponsored by HP this year, is a yearly competition where security researchers attempt to be the first to exploit software, with prize money for doing so. So far, over $270K has been given out to people who managed to exploit IE10, Chrome 25, Firefox 19 and Java 7.

Sources:
http://blog.basefarm.com/blog/2013/03/02/fifty-million-evernote-usernames-out-in-the-wild/
http://blog.basefarm.com/blog/2013/02/08/basefarm-sirt-weekly-newsletter-2/
http://www.theregister.co.uk/2013/03/07/spam_relay_chart/
http://analysisintelligence.com/cyber-defense/meet-miniduke-espionage-malware-hitting-european-governments/
http://www.theregister.co.uk/2013/03/01/bank_muscat_atm_mega_fraud/
http://www.ehackingnews.com/2013/03/cyber-crime-gang-arrested-for-hacking.html
http://www.networkworld.com/news/2013/030713-researchers-rake-in-280k-at-267468.html

Important Software Security updates
Java: http://blog.basefarm.com/blog/2013/03/05/java-7-update-17-java-6-update-43/

Security tips
We’d like to remind everyone of the importance of not reusing any of your passwords. Doing so could mean that you end up losing a great deal.
Let’s say I have the same password on my email account Z and on Website X.
I signed up to Website X with my email address, which means that if Website X is hacked and my password decrypted (it’s not even certain they will have encrypted my password), then the attackers will be able to access my email account as well.
With access to my email account they could, for example, gain further access to other services by doing password resets, or pretend to be me and send out malware.

This is one of the reasons why we suggest that you create complex and unique passwords for every site you use.
It’s understandable that you can’t remember these kinds of passwords, but don’t worry: there are tools for this, which means you only have to remember one single passphrase in order to gain access to your password vault.

My personal preference is 1Password Pro, which has a stand-alone client as well as a web interface. It also has plugins for IE, Chrome and Firefox, which makes signing into accounts a breeze.
Those who prefer free and open source software can use KeePass Password Safe. I believe it lacks a bit of functionality, but it has a lot of plugins/extensions that you can use to extend it.

More information:
https://agilebits.com/onepassword
http://keepass.info/

Security links
16-28 February 2013 Cyber Attacks Timeline
http://hackmageddon.com/2013/03/04/16-28-february-2013-cyber-attacks-timeline/

Hacking the Mind: How & Why Social Engineering Works
http://www.veracode.com/blog/2013/03/hacking-the-mind-how-why-social-engineering-works/

The web won’t be safe or secure until we Break it
http://queue.acm.org/detail.cfm?id=2390758

Jailed cybercriminal hacked into his own prison’s computer system after being put in IT class
http://nakedsecurity.sophos.com/2013/03/04/jailed-hack-prison/

The Life Cycle of Web Server Botnet Recruitment
http://blog.spiderlabs.com/2013/03/the-life-cycle-of-web-server-botnet-recruitment.html

Security Blogger Award Winners 2013
http://www.ashimmy.com/2013/03/security-blogger-award-winners-2013.html