[ISN] NSA Hackers Get the ‘Ungettable’ With Rich Catalog of Custom Tools

http://www.wired.com/threatlevel/2013/12/nsa-hacking-catalogue/ By Kim Zetter Threat Level Wired.com 12.30.13 While most Americans spend their time shopping Amazon, Target and Apple.com, the National Security Agency’s elite team of hackers spends its time shopping a secret high-end catalog of custom tools designed to subvert firewalls, servers, and routers made by U.S. firms, impersonate a GSM base station to intercept mobile phone calls, or siphon data from a wireless network. Hackers in the Tailored Access Operations division get the “ungettable” data the NSA can’t otherwise obtain from tapping undersea cables or collecting bulk data from companies like Yahoo and Google. They do this by by installing backdoors and other implants remotely or by physically intercepting hardware being delivered to customers and planting backdoors in firmware, der Spiegel reports, citing newly disclosed documents from NSA whistleblower Edward Snowden. “For nearly every lock, ANT seems to have a key in its toolbox,” der Spiegel writes. “And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.” With names like PICASSO, IRATEMONKEY, COTTONMOUTH, and WATERWITCH, the various tools allow NSA snoops to map networks and not only monitor data but surreptitiously divert it or modify it. […]


[ISN] Target confirms customer PINs were taken in breach, maintains data is safe

http://www.computerworld.com/s/article/9245053/Target_confirms_customer_PINs_were_taken_in_breach_maintains_data_is_safe By Chris Kanaracus IDG News Service December 27, 2013 Target has confirmed that hackers obtained customer debit card PINs (personal identification numbers) in the massive data breach suffered by the retailer during the busy holiday shopping season, but says customers should be safe, as the numbers were encrypted. Some 40 million customer debit and credit cards were affected by the breach, but until now it wasn’t clear that PINs were part of the hackers’ massive haul. “While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” Target said in a statement on its website Friday. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.” When Target customers use their debit cards, the PIN is secured with Triple DES encryption at the checkout keypads, according to the statement. “Target does not have access to nor does it store the encryption key within our system,” it adds. “The PIN information is encrypted within Targets systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Targets system and could not have been taken during this incident.” […]


[ISN] China Is the Top Foreign Investor in U.S. Firms Critical to National Security

http://www.defenseone.com/threats/2013/12/china-top-foreign-investor-us-firms-critical-national-security/75899/ By Tim Fernholz Quartz December 23, 2013 China overtook the United Kingdom last year as the country that received the most scrutiny of its US investments, according to the US government. The Committee on Foreign Investment in the US (CFIUS) is charged with reviewing mergers, acquisitions, and other transactions where a foreign entity might take control of a US firm that makes “critical technology,” provides services to the government or military, accesses classified information, or might otherwise provide malicious actors with some way to hurt the US. Since 2010, CFIUS has reviewed 318 proposed transactions, most of which were in the manufacturing sector; 40 were withdrawn after reviews began. President Obama only weighed in on one decision, terminating a transaction where a Chinese-controlled corporation could build a wind farm near a US naval weapons research facility. The increase in attention to China likely reflects growing investment, not a pattern of targeting sensitive businesses, the declassified report suggests. But it is notable that among the top ten economies investing in firms covered by CFIUS, China is the only one that is not explicitly a US ally. […]


[ISN] Attackers Wage Network Time Protocol-Based DDoS Attacks

http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063 By Kelly Jackson Higgins Dark Reading December 30, 2013 Attackers have begun exploiting an oft-forgotten network protocol in a new spin on distributed denial-of-service (DDoS) attacks, as researchers spotted a spike in so-called NTP reflection attacks this month. The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over port 123 UDP. It’s typically configured once by network administrators and often is not updated, according to Symantec, which discovered a major jump in attacks via the protocol over the past few weeks. “NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks,” says Allan Liska, a Symantec researcher in blog post last week. Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address. According to Symantec, it’s all about abusing the so-called “monlist” command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server. “For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic,” Liska explains in the post. […]


[ISN] BBC server took over by Russian cybercriminal

http://news.techworld.com/security/3495137/bbc-server-took-over-by-russian-cybercriminal/ By Sam Shead Techworld 30 December 2013 A Russian hacker gained access to a BBC server over the Christmas period and attempted to sell access to it to other cybercriminals, reports suggest. US firm Hold Security told Reuters and the Financial Times that it had spotted the hacker advertising the exploit on an underground cybercrime forum. The BBC’s security team responded to the incident on Saturday and told Reuters that they have since secured the site. However, it’s not clear whether a sale was made before the exploit was addressed. The media organisation refused to discuss the breach, claiming that it does not comment on security issues. […]


Optimized Squid 3.3.8 Config.conf

After upgrading I struggled to get a working refresh rules set. For now, this works for me….

#Recommended minimum configuration:
#always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD CONNECT PUT DELETE # RFC1918 possible internal network
acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain .symantecliveupdate.com liveupdate.symantec.com update.immunet.com psi3.secunia.com # RFC 4291 link-local (directly plugged) machines

acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmvm3u8|flv|ts)

# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#cache_peer parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
http_port intercept disable-pmtu-discovery=transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /ssd/squid/cache0 80000 32 256
cache_dir aufs /ssd/squid/cache1 80000 32 256


# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern -i \.(gif|gif\?|png|png\?|jpg|jpg\?|jpeg|jpeg\?|ico|bmp|tiff|webp|bif|ver|pict|pixel|pixel\?) 220000 90% 300000 override-expire reload-into-ims ignore-reload ignore-no-cache ignore-private ignore no-store store-stale refresh-ims max-stale=150000 ignore-auth
refresh_pattern -i \.(swf|js|wav|css|class|dat|zsci|do|ver|advcs|woff|eps|ttf|svg|svgz|ps|acsm) 220000 90% 300000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private refresh-ims store-stale max-stale=150000
refresh_pattern -i \.(html|html\?|htm|htm\?|crl) 9440 90% 100000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private ignore-must-revalidate store-stale max-stale=100000
refresh_pattern -i \.(xml|flow) 0 90% 100000 reload-into-ims
refresh_pattern -i \.(json|json\?) 1440 90% 5760 reload-into-ims
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz|bz2|ipa|bz|ram|rar|bin|uxx|gz|crl|msi|dll|hz|cab|cab\?|psf|vidt|apk|wtex|hz) 220000 90% 500000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private store-stale max-stale=300000
refresh_pattern -i \.(ppt|ppt\?|pptx|pptx\?|doc|doc\?|docx|docx\?|pdf|pdf\?|xls|xls\?|xlsx|xlsx\?|csv|txt) 220000 90% 200000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private refresh-ims store-stale max-stale=100000
refresh_pattern -i ^ftp: 66000 90% 200000
refresh_pattern -i ^gopher: 1440 0% 1440
#refresh_pattern -i . 0 90% 5760
log_icp_queries off
icp_port 0
htcp_port 0
snmp_port 0
ignore_expect_100 on
minimum_object_size 0 KB
buffered_logs on
pipeline_prefetch on
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/
maximum_object_size 512 MB
maximum_object_size_in_memory 32 KB
cache_mem 384 MB
cache_swap_low 85
cache_swap_high 90
visible_hostname yourhostname
unique_hostname yourhostname2
shutdown_lifetime 0 second
request_header_max_size 256 KB
half_closed_clients off
max_filedesc 65535
connect_timeout 15 second
cache_effective_group squid
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log
client_db off
logformat syslog local0.info
check_hostnames off
forwarded_for delete
via off
pinger_enable off
memory_replacement_policy heap GDSF
cache_replacement_policy heap LRU
memory_pools on
reload_into_ims on
vary_ignore_expire on


[ISN] Happy Holidays To All!

Merry Holidays to everyone reading InfoSec News! In the coming days as we enjoy our holiday festivities with friends and family, I ask that you take the time to remember the soldiers, support workers, and security personnel that work tirelessly to protect us. For as long as I can remember, there have always been members of the Armed Forces working on Christmas in places so far removed from the comfort and safety of their homes, and this year is no exception. As you and I open presents, these brave men and women have only the memories of holidays past to get them through the season. As we prepare for our own holiday celebrations, the staff of InfoSec News will take the time to reflect on all those who work to serve us so valiantly and all those who made the greatest sacrifice of all to guarantee our freedom. One doesn’t need to be a Christian to enjoy the message of the season. Have a safe, secure and happy holiday. Best wishes for a happy and healthy new year! William Knowles InfoSec News www.infosecnews.org


[ISN] Inside knowledge likely in Target breach, experts say

http://www.csoonline.com/article/744905/inside-knowledge-likely-in-target-breach-experts-say By Antone Gonsalves csoonline.com December 19, 2013 The Target security breach that left millions of debit and credit card holders at risk of becoming victims of fraud left experts pondering the question of how such a massive theft might have occurred. Theories varied, but the scant details released by the retailer Thursday left some experts believing the criminals had to have some inside knowledge of the company’s point-of-sale system in order to compromise it so effectively. Either people inside the organization were involved or, “at the very least, (the thieves) had sophisticated knowledge and a clear understanding of the cardholder data flows, in order to pinpoint where to steal this very specific data and then exfiltrate it,” Mark Bower, director of information protection solutions at Voltage Security, said. Target reported Thursday that card data, including customer name, credit or debit card number and the card’s expiration date and CVV code, had been stolen from 40 million accounts used for shopping between Nov. 27 and Dec. 15. The CVV code is the three-digit security number found on the back of cards. […]