Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 22nd March 2013
Date: 22 March 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17251

Greetings,

It seems that both North and South Korea have been experiencing many IT-related issues throughout the past two weeks. North Korea’s Internet connectivity was down for 36 hours last week and the country’s official media cited international hacking as the cause of the outage. More recently, South Korea has experienced a dreadful number of issues, including outages at major banks (Shinhan Bank and NongHyup Bank) and television networks (YTN, MBC and KBS), as well as distributed denial of service attacks and machines being infected by malware that deletes master boot records. The SANS Internet Storm Center has published a small write-up which attempts to clarify all of the different issues. With all these issues going on, it is hard to know whether there is only a single culprit or group of culprits, whether this is a coordinated attack, or whether this is just a string of unlucky coincidences.

Security researcher Brian Krebs from krebsonsecurity.com has been known for creating aliases in the hacker underground in order to gain insider information and keep track of the latest trends and techniques that hackers use. Last weekend he posted a blog post about a frightening experience that happened to him on the Thursday of that week, where he found himself surrounded by police officers with guns pointed at him. Brian was not unsettled, as he had already predicted that he might be a victim of what is called SWATing, a practice that seems to be not too uncommon in the hacker community. Brian even went to the extent of sending a letter to his local police force warning that this situation might happen. An individual had spoofed his phone number and called emergency services stating that it was Brian on the phone and that his wife was currently being held hostage by the Russian mafia. Not only does this practice endanger the victim’s life, but it also puts a big strain on the already busy emergency services that have to respond to these fake reports. Brian’s website was also the target of a distributed denial of service attack throughout the day of the incident. Thankfully Brian was not hurt.

My little tip of the week: if you have ever wondered whether your SSL web server is correctly configured, Qualys has an excellent SSL server test service. This service even gives your SSL configuration a grade ranging from A to F; it will also tell you whether you are vulnerable to the BEAST and CRIME attacks. It bases the score on four categories: details about the certificate, the protocols supported (or not), the key exchange, and the ciphers supported (including the order of preference of those ciphers).

Here is this week’s list of security bulletins that the CC team felt important to highlight:

1/ ESB-2013.0407 - [Apple iOS] iOS: Multiple vulnerabilities

Apple fixed six security vulnerabilities including the known passcode flaw. Unfortunately, a new vulnerability concerning the passcode lock screen has already been found in iOS 6.1.3.

2/ ESB-2013.0402 - [Cisco] Cisco IOS and Cisco IOS XE: Reduced security - Remote/unauthenticated

Cisco has released a security notice regarding a bug in their type 4 password encryption. This scheme was supposed to use an 80-bit salt and hash the password 1000 times using the PBKDF2 function with SHA-256, but in reality it was only producing a single, unsalted SHA-256 iteration over the password.
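As an added illustration (not code from the bulletin or from Cisco), the following compares what the type 4 scheme was documented to do with what it actually produced, working on raw digests rather than Cisco's on-device text encoding; the salt length, the audit helper and the sample password are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example: the documented type 4 parameters versus the shipped
# behaviour. Raw digests are used; Cisco's own encoding is not reproduced.
SALT_BITS = 80
ITERATIONS = 1000


def intended_hash(password: bytes, salt: bytes) -> bytes:
    """Documented scheme: PBKDF2-HMAC-SHA256, 80-bit salt, 1000 iterations."""
    if len(salt) * 8 != SALT_BITS:
        raise ValueError("type 4 salt must be %d bits" % SALT_BITS)
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def flawed_hash(password: bytes, salt: bytes = b"") -> bytes:
    """What the implementation actually produced: one unsalted SHA-256 pass.
    The salt parameter exists only to show that it is ignored."""
    return hashlib.sha256(password).digest()


def new_salt() -> bytes:
    return os.urandom(SALT_BITS // 8)


def verify(password: bytes, salt: bytes, stored: bytes, scheme) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(scheme(password, salt), stored)


def stored_hash_is_flawed(password: bytes, stored: bytes) -> bool:
    """Audit helper (assumption: the password is known, e.g. during a
    credential rotation). True when the stored value is the plain SHA-256
    of the password, i.e. it came from the flawed implementation."""
    return hmac.compare_digest(hashlib.sha256(password).digest(), stored)


def demo(password: bytes = b"constructed-sample-password") -> dict:
    """Hash one password under two fresh salts with each scheme."""
    s1, s2 = new_salt(), new_salt()
    good = (intended_hash(password, s1), intended_hash(password, s2))
    bad = (flawed_hash(password, s1), flawed_hash(password, s2))
    return {
        # Salted PBKDF2: same password, different salt, different digest.
        "intended_differs_per_salt": good[0] != good[1],
        # Flawed scheme: the salt is ignored, so every copy matches.
        "flawed_identical_across_salts": bad[0] == bad[1],
        "flawed_is_plain_sha256": bad[0] == hashlib.sha256(password).digest(),
    }
```

The identical-across-salts result is the practical consequence: two devices storing the same password under the flawed scheme hold the same digest, which a per-password salt is meant to prevent.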

3/ ESB-2013.0405 - [RedHat] kernel: Root compromise - Existing account

A local unprivileged user could use a flaw in the Red Hat kernel to escalate their privileges, potentially gaining root-level access. This should be patched as soon as possible if it has not already been done.

Stay safe, stay patched and have a good weekend!

Ananda.