Domain: us-cert.gov
Stories and comments across the archive that link to us-cert.gov.
Comments · 231
-
Who did it?
We, the public affected by this breach, still have very little information on just what happened or by whom. We have a bit of "how" info, in articles like this, and this shows another penetration in Argentina. "online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”"
With megacorps spanning the world, no one country's data laws are doing shit to stop any of this. Megacorps will just move portals to the easiest country to operate in, and then obfuscate, confuse, and stall any inquiries while they furiously delete off-shore evidence because it's not strictly "illegal" for some separate, non-US company to do so. "the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon". My bet is it's more than offline; or offline as in deleted and all servers and backups burned with thermite and dumped into the ocean.
The US government doesn't even consider any of this "Critical infrastructure". This isn't in the same league as these reports, so it's all left up to the "free hand of the market". This attack is affiliated with China and not Russia: "One tool used by the hackers, China Chopper, has a Chinese-language interface but is also in use outside China"
There have been lingering suspicions of internal bad actors in this. "The company hired Susan Mauldin, a former security chief at First Data, to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes." With the current probes pointing towards massive Russian money laundering into the GOP via the NRA, this is very bad. Also, "Overseeing technology for Equifax was David Webb, a Kellogg MBA and Russian-language major hired in 2010 from Silicon Valley Bank, where he had been chief operations officer."
Most frighteningly, this stolen info has STILL never shown up on the dark web. Looking at the Moloch data, there were two separate teams who spent quite some time on this. Obviously it is an APT, like Shell Crew, or such. This means government sponsored, someone had to pay for all of this and the info wasn't sold off for a profit. This is what happens when "unregulated industry" meets 21st century cyber economic warfare.
-
Re:WHAT A BUNCH OF BULLSHIT & how/why... apk
You can't think of any other way to determine origin, therefore there is no other way. Typical NPD.
Have a look at the original security alert. It's pretty high level, but it looks at the indicators they used to identify the source of the attacks. It's not just geolocation via IP.
Oh, and your 'Jewish' conspiracy is ridiculous. This sort of behaviour is typical of people who have no real success to justify their sense of self worth, so they have to rely on 'race'. Losers need to be racist because they have nothing else to be proud of.
Pick three points from your list and I'll disprove them, but I'm not going to wade through your 'gish gallop' of bullshit.
APK. Ignorant. Can't admit it, therefore is never going to learn. Typical NPD. Racist. Typical loser.
-
Why are these things even connected on the net?
https://www.us-cert.gov/ncas/a... Why are US utilities, businesses and government connecting -anything- important to the intertubes? If you have staff on site, why would you connect important industrial/process controls and information, including government/military stuff, to the net, where evil people can access them? Even more, why don't we see any explanation of this issue? We sanction Russia and China for invading our compooter systems, but nobody asks why these systems are accessible offsite. Even power generation systems can be operated, including frequency control, without a physical connection to the net. Of course, my engineering degree is rusty and dusty, I'm retired and old, so I may be totally wrong, but if that's the case, I hope someone below might address this issue. I know no better place to find the right people to ask this.
-
Re:Failure of way more than one person
It's a complete garbage excuse. It's not like somebody reads sit on Slashdot and gets an idea to apply a patch. There are bulletins like this https://www.us-cert.gov/ncas/b... that you compare with your inventory. When you find something you open a ticket.... there are probably ways to automate this. (I am not a cyber guy)
-
Re: Go on then.
The US government also issued a notification to not use Internet Explorer due to security vulnerabilities. https://www.us-cert.gov/ncas/c...
Might also have influenced a break in the Microsoft Internet Explorer monopoly.
-
Overheard at the FSB...
"...they're going to use Symantec? Score!"
-
Don't believe it
Recorded Future is disputing WaPo's findings: https://www.recordedfuture.com...
Furthermore, the US seems to be on a PR campaign to blame NK. Yesterday, FBI&DHS put out a report claiming that big bad NK was building a botnet. They put out 8-year-old IOCs: https://www.us-cert.gov/ncas/a...
Someone's pushing an agenda here...
-
Actual Report Inside, look
Report from the actual FBI on it.
IP Address listed, check. Which IP Address, they don't even make the claim it was a Russian IP Address. lols
Yes, I included the ACTUAL GIVEN EVIDENCE to date. The term IP Address is in there, but no claims of a Russian IP address being used. In fact they use the name GRIZZLY STEPPE, and them putting that name in the report apparently proves it was Russia. Not sure who Grizzly Steppe is, if they are related to Russia or not, or any evidence Grizzly was even involved.
So other than there being absolutely no evidence given to date, EVERY single leak is by an "anonymous source", and not a single intelligence official claiming anything when under oath, sure there is a ton of evidence. Not a single piece of which could be used in a court of law, but I get the distinct feeling you don't care if it's true or not, you seem to be willing to accept made up evidence.
-
Re:What About HTTPS?
Regardless of IPv4 or IPv6 you're not generally going to know that a given IP address is associated with somesitethensacaresabout.net - that only happens if there's a PTR record telling you that. Most hosting companies (including Amazon) set up PTR records for their address space using their own infrastructure names, e.g.: ip-10-10-10-10.us-west-1.compute.amazon.com. Those usually only get changed if the customer is running a mail server on those addresses and makes the appropriate requests.
US Cert apparently thought HTTPS Interception bad enough to issue Alert (TA17-075A) HTTPS Interception Weakens TLS Security about it earlier this year.
-
Re:but you arent a traditional CA
Which is why I am advising all my corporate clients that do SSL intercept to...
...stop that insecure crap immediately, because you take security seriously and don't want to weaken their defenses. Right?
-
Re:I also feel bad for Vile Rat being abandoned
This report is related to the DNC leaks which alleged the presence of RATs, etc. being found after an investigation caused by the emails being leaked to Wikileaks. Podesta was phished in a completely separate incident.
Actually, the report details both hacks. Take a look at the diagrams, they show APT28 using a spear phishing email to get into "Recipient"'s email.
https://www.us-cert.gov/sites/...
The second diagram in the report is what is talking about the spear phishing email.
-
Bigoted much?
This report was ripped to shreds yesterday.
It's mostly OWASP copypasta with recommended mitigations and a few interesting tidbits.
I'm also not clear on why this submission linked to a copy of the report. Best compare it with the original report in case there are any differences.
-
Re:Retaliatory measures based on no evidence.
Here's evidence... https://www.us-cert.gov/sites/... Pleeennty of "evidence".
This really is getting disgraceful for US...
-
Re:The ad hominem that ended civilization
Here's the evidence... https://www.us-cert.gov/sites/... It'll impress the technically illiterate mebbe... looks like a pile of fluff to me...
-
Re:Russia Hacking
Here's their "evidence"... https://www.us-cert.gov/sites/...
-
Re:Where are the statements?
Here ya go... https://www.us-cert.gov/sites/...
-
Re:Can't Wait to See This!!!
I don't even think it's that good...
https://www.us-cert.gov/sites/...
-
Where's the beef...?
https://www.us-cert.gov/sites/...
I'm no expert in all this but is this the best they've got...?
Reported Russian Military and Civilian Intelligence Services (RIS)
Alternate Names
APT28 APT29 Agent.btz BlackEnergy V3 BlackEnergy2 APT CakeDuke Carberp CHOPSTICK ...etc.etc... Waterbug X-Agent
A list of "reported" Russian hackers? I'm not real impressed...
-
Guess what? Electric grids were already hacked!
Guess what? Electric grids were already hacked in what appears to be one of the first more or less real cyber-wars (previous - Estonia 2007, Georgia 2008 - were primarily powerful DDoS attacks to either disrupt services or cut off the country from the rest of the world).
The hacking happened in December 2015, in Ukraine. The attack was a sophisticated APT attack from Russia.
You can find more by following the description in IR-ALERT-H-16-056-01 or reading the Wired article by Kim Zetter.
And, by the way, malware did find its way into nuclear power plants (though not control systems).
-
DNS INSECURE CODE SECURITY ISSUES
http://www.dshield.org/diary/W...
http://tech.slashdot.org/story...
http://cr.yp.to/djbdns/forgery...
http://it.slashdot.org/story/1...
http://www.dshield.org/diary/R...
http://www.microsoft.com/techn...
http://www.microsoft.com/techn...
https://www.us-cert.gov/ncas/a...
http://www.theregister.co.uk/2...
http://www.dshield.org/diary/D...
http://www.dshield.org/diary/N...
http://www.dshield.org/diary/U...
http://www.dshield.org/diary/M...
http://www.dshield.org/diary/D...
http://tech.slashdot.org/story...
http://www.theregister.co.uk/2...
APK
P.S.=> Next is GLibC faults, DNSAPI.DLL alteration attack, FastFlux/DynDNS attacks, DNS misconfiguration, DNS DDoS attacks, DNS amp attacks, DNSSEC fails, OpenDNS resolver problems, DNS IP spoofing, Ghost Domains due to DNS, router DNS issues, Rogue DNS servers abused, DNS serving up malware + SO MUCH MORE it will finish your DNS BS w/ ease - then it's onto Antivirus!
-
Re:Is this still true?
It's such a fuckup that even disabling it in the registry, in Windows 7, it still executes the autorun on a "CD" if you double click it, or go start-run-d:
And it is very easy to make a malicious thumb drive appear as a CD drive to bypass autorun.
This tweak basically disables autorun.inf completely:
https://www.us-cert.gov/ncas/a...
My process for disabling autorun consists of:
Start-search for "Autoplay"
Shutdown autoplay completely.
Add this file to the registry:
Windows Registry Editor Version 5.00

; Disable AutoRun for every drive type (0xFF) and every drive letter (0x03FFFFFF)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:03ffffff

; Map every autorun.inf to a key that does not exist, so its contents are ignored
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
-
Unauthenticated Root Access on Telnet port
There are also some IP network connected medical devices with virtually zero security. Check this out. This was definitely a WTF moment.
https://ics-cert.us-cert.gov/a...
https://web.nvd.nist.gov/view/...
and http://www.securityweek.com/se...
-
Re:Security theater
Which is what makes it a lot more dangerous. I'll just leave these here for your perusal. Oh and be sure to respond with a typical fanboy "but but but those don't count!" just like the Apple iHeads did when MacDefender came out and they went from "Apple doesn't get viruses" to "that doesn't count because its technically not a virus, its a trojan!" LOL.
-
Re:US-CERT is part of DHS
That's CERT. This article is about US-CERT and if you go to their website there's a nice banner at the very top that reads "Official website of the Department of Homeland Security," the DHS seal is next to the US-CERT title, and at the very bottom there's text that says "US-CERT is part of the Department of Homeland Security."
Not the same thing at all.
-
Re:Clarification?
-
Re:.GOV knew on the 28th, com'on, old news
The US Gov knew and published this on the 28th. Way to be 3 days late, and no doubt why
/. is more than a dollar short.
https://www.us-cert.gov/ncas/current-activity
The "government" is proactive!. Cool.
Soon we'll all have flying cars for sure (or, flying SUVs with in-dash McD snack printers and heavy-duty conveyor belts in place of door-steps).
-
.GOV knew on the 28th, com'on, old news
The US Gov knew and published this on the 28th. Way to be 3 days late, and no doubt why
/. is more than a dollar short.
-
Re:Bring-on the Apple haters
>> if security and privacy are a concern, maybe iPhone isn't really such a bad option
Dude, is Google down today? http://lmgtfy.com/?q=iphone+ma...
Then look up WireLurker. Then MASQUE-D. And if you jailbreak a phone, pretty much all bets are off.
WireLurker looks to be pretty nasty, that's for sure. But it's also only on a GreyWare "App Store", NOT available through legit channels.
And MASQUE-D is such a threat (NOT!) that I had to try two different search terms to even FIND a reference on Google. Plus, it again is a Trojan, that has to entice the user to install it from a non-legitimate "App" site.
And as far as JailBreaking your iOS device, you get what you deserve, period.
So, thanks for proving the point that the "Walled Garden" actually WORKS. If you want to spend the extra effort to step outside into the Methane-Gas atmosphere, then don't complain when you start choking...
Next!
-
Re:used devastatingly already
-
Re:Total Idiocy
And notice that the US-Cert alert (TA15-051A) is not for the spyware by itself, it is because the superfish is vulnerable...
It's idiotic to have pre-installed certificates. It implies admitting total ignorance on what trust is and what it implies.
-
Re:Yes they do (by avoiding DNS)
As omnichad indicated, hosts files will not help you prevent DNS amplification attacks as the requests are not coming from your network.
https://www.us-cert.gov/ncas/a...
You should probably remove that from your list of things hosts files do, a hosts file cannot block traffic originating on the internet, only your own name resolution traffic. If you would like to test it out, I am sure the Lizard Squad would be more than willing to test it for you.
-
US-CERT Link
Link to the actual US-CERT alert:
-
Re:SSL?
POODLE is not an implementation problem. It's a protocol problem.
https://www.us-cert.gov/ncas/alerts/TA14-290A
"There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol"
It's an implementation problem if you're speaking abstractly about the application of crypto. But we're talking about "SSL", a protocol.
-
Re:false flag?
since when does the govt issue virus alerts?
-
Re:To what Standard?
-
Re:Dial up can still access gmail
-
Re:what?
> may use infected Linux systems to launch DDoS attacks against the entertainment industry...
WHERE IS THE DOWNLOAD LINK?
It's behind a registration form so that the fine folks at Prolexic can get your PII for marketing purposes. One of the *many* benefits is that once you register, nice folks from Prolexic will send you emails and maybe even call you on the phone to let you know about all the wonderful products and services you can buy from them.
So many vendors just report this kind of stuff to CERT so it gets assigned a stupid CVE number and all the details are then available without the consumer of information giving up any PII that can be used to sell them stuff. Stupid vendors!
Prolexic is using a real vulnerability to enhance their contacts DB and increase the surface area of their sales efforts. Disgusting.
-
DHS is many different agencies - Coast Guard, FEMA
> Seems the left hand doesn't know what the right hand is doing, or wants!
DHS includes a LOT of hands that don't know what the others are doing. This is a high-level overview of a few of the major sections within DHS:
http://www.dhs.gov/xlibrary/as...
You'll notice it includes agencies as diverse as the Coast Guard, FEMA, health stuff
...The $60 billion budget for all of the different agencies within DHS is 10% of the total non-defense operational budget of the entire government. So anything the government does, there's a reasonably good chance it's part of DHS.
US-CERT is now part of DHS, and of course US-CERT is the #1 information security organization. One thing CERT is doing is dispensing DHS grant money to pay universities to develop free cybersecurity courses http://niccs.us-cert.gov/ . Some of the courses are quite good.
-
Re:Looks good to me
For those, like yourself, that don't already know, CERT is now under DHS. CERT has some pretty big credibility.
-
Re:Never Got MS E-mails
I never got E-mails from Micro$oft about updates, vulnerabilities, etc. Instead, I have an RSS feed from US-CERT (computer emergency response team), an agency of the U.S. Department of Homeland Security. (Yes, they do have a few useful functions.) US-CERT not only notifies me about Micro$oft's alerts and provides links to them, but that agency also notifies me of alerts from other companies.
The link to subscribe to the RSS feed is http://www.us-cert.gov/ncas/cu....
I think it is funny that you put a $ sign in Microsoft with annual income of about 100 billion while you give the US government a pass with annual income of over 3 trillion.
-
Never Got MS E-mails
I never got E-mails from Micro$oft about updates, vulnerabilities, etc. Instead, I have an RSS feed from US-CERT (computer emergency response team), an agency of the U.S. Department of Homeland Security. (Yes, they do have a few useful functions.) US-CERT not only notifies me about Micro$oft's alerts and provides links to them, but that agency also notifies me of alerts from other companies.
The link to subscribe to the RSS feed is http://www.us-cert.gov/ncas/cu....
-
US-CERT changed its web site.
I noticed that US-CERT changed it site. It said "the complete compromise", but now the web site says "could allow unauthorized remote code execution."
It said "US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available. ", now it says "US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."
Check the Google cache against the actual site.
-
Actual recommendation from US gov
"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds."
But don't confuse that with recommending not to use the browser.
-
Re:All these bugs are mind blowing
But, regardless of the root cause (intentional malice or just sloppiness) I'm glad eyes have been checking these code bases with more diligence over the past several months. In the end it means more security for us users, regardless of our platform of choice.
Thank you again, Edward Snowden, for the collective wake up call!
Now if we could just get our governing officials to fix some of these egregious laws...
Can we please stop crediting the NSA leaks for (among other things) security researchers looking for bugs in obscure things like... commonly used crypto libraries? It's starting to sound a little pathetic. This is what these people do for their day jobs, and it's hardly the first time we've had to run around patching our OpenSSL libraries.
-
Re:Japan and technology
There are serious doubts as to Japanese law enforcement's abilities to deal with the technical issues involved.
Surprisingly, this is correct. The National Police Agency, as of last summer, was just setting up their computer crime unit. It's mostly aimed at infrastructure protection. The Tokyo Metropolitan Police also set up a cybercrime squad in 2013. So they're just getting started on this.
For better or worse, security paranoia after 9/11 has funded substantial computer crime analysis capabilities in the US. Japan's JPCERT is a small industry-funded nonprofit. US CERT was a small nonprofit before 9/11. It's now part of Homeland Security's empire. The Secret Service and the FBI also have big computer crime units.
-
Re:IN 17 years?
What makes you think he has " intimate detailed knowledge of the internal workings of POS systems"? Sorry, that was a trick question. He doesn't care how POS systems work, or how sophisticated they may be. He only cares what credit card mag stripe data looks like. His malware scrapes the RAM of the process looking for the tell-tale patterns of mag stripe data, and grabs it. See http://www.us-cert.gov/ncas/alerts/TA14-002A , which says "There are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. "
The track data just has to be in the RAM of the process, and this software finds it and logs it.
-
ICS-CERT is worthless!!1!!1!!!!
-
DNS amplification
Right now there are some large DNS amplification attacks going on. Set up a PC as a DMZ and run ethereal as others suggested, and see if it is excessive UDP traffic on port 53. If it is, it is probably botnets attempting to leverage a DNS server or forwarder on your network to flood their target. Of course, the botnets do not care whether or not you are actually running a public DNS; since it costs the operators nothing to fuck with your connection they are indiscriminate, and ISPs seem to not care about the issue.
DNS amplification: https://www.us-cert.gov/ncas/alerts/TA13-088A
The problem is while you can mitigate it somewhat by not serving up root DNS requests, DNS servers will still send a 16-byte NXDOMAIN response, not completely ignore the requests. To add to the problem you can't really block the requests (short of capturing the packets and reading them yourself) since the packets are spoofed; what appears to be the source is the client IP, which is actually their target. You can use either iptables or DNS rate limiting to limit the traffic you are sending out to their clients, but the incoming requests will still be coming in and there is no real way to stop that (they'll still be hitting either your router or DNS server). Here is a list of the iptables rules to drop the packets for these attacks:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
The list is updated regularly but again the packets will keep hitting your IP; the best you can do is implement those rules to not compound the problem.
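The comment above describes the symptom to look for (a flood of UDP/53 queries whose apparent source is really the victim, answered by much larger responses) but not how to spot it in a capture. The following is an added example, not code from the original post: a small Python analyser that groups inbound queries by apparent source, compares the bytes the resolver sent back to that address with the bytes it received, and flags sources with many small ANY/TXT queries and a high response-to-query ratio. The summary line format and the sample capture are constructed for this example (real tshark/tcpdump output needs its own parser), and RESOLVER_IP is an assumed address for the defender's own resolver or forwarder.

```python
"""Flag DNS amplification abuse of a resolver from packet-summary lines.

Added example (not from the original post). The line format is constructed
for this example; real captures from tshark/tcpdump need a different parser.
RESOLVER_IP is an assumed address for the defender's own resolver/forwarder.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

RESOLVER_IP = "192.0.2.53"  # assumption: the resolver/forwarder on our network

# Constructed line format:
#   <ts> <src>:<sport> > <dst>:<dport> len=<bytes> <QUERY|RESPONSE> <qtype> <qname>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+) "
    r"(?P<kind>QUERY|RESPONSE) (?P<qtype>[A-Z]+) (?P<qname>\S+)$"
)


class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    kind: str
    qtype: str
    qname: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Packet(float(m["ts"]), m["src"], int(m["sport"]), m["dst"],
                  int(m["dport"]), int(m["len"]), m["kind"], m["qtype"],
                  m["qname"])


def analyse(lines: List[str], resolver_ip: str = RESOLVER_IP,
            min_queries: int = 20, min_ratio: float = 10.0) -> List[Dict]:
    """Group inbound queries by apparent source and compare the bytes we sent
    back to that address with the bytes it sent us.

    In an amplification attack the apparent source is the spoofed victim, so
    one "source" sending many small ANY/TXT queries and receiving a much larger
    volume of responses is the signature to look for.
    """
    query_pkts: Dict[str, List[Packet]] = defaultdict(list)
    response_bytes: Dict[str, int] = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p.kind == "QUERY" and p.dst == resolver_ip and p.dport == 53:
            query_pkts[p.src].append(p)
        elif p.kind == "RESPONSE" and p.src == resolver_ip and p.sport == 53:
            response_bytes[p.dst] += p.length

    findings = []
    for ip, pkts in query_pkts.items():
        query_bytes = sum(p.length for p in pkts)
        ratio = response_bytes[ip] / query_bytes if query_bytes else 0.0
        amp_types = sum(1 for p in pkts if p.qtype in ("ANY", "TXT"))
        if len(pkts) >= min_queries and ratio >= min_ratio:
            findings.append({
                "apparent_source": ip,   # the likely victim, not the attacker
                "queries": len(pkts),
                "amplification": ratio,  # response bytes / query bytes
                "any_txt_share": amp_types / len(pkts),
                "names": sorted({p.qname for p in pkts}),
            })
    return findings


def build_sample_capture() -> List[str]:
    """Constructed sample: 30 spoofed ANY queries 'from' a victim plus three
    ordinary A lookups from a host that really is on our network."""
    victim, legit = "198.51.100.7", "192.0.2.20"
    lines = []
    for i in range(30):
        t = 1000.0 + i * 0.01
        lines.append(f"{t:.3f} {victim}:53 > {RESOLVER_IP}:53 len=60 QUERY ANY example.org")
        lines.append(f"{t + 0.001:.3f} {RESOLVER_IP}:53 > {victim}:53 len=3000 RESPONSE ANY example.org")
    for i in range(3):
        t = 1001.0 + i
        lines.append(f"{t:.3f} {legit}:40000 > {RESOLVER_IP}:53 len=45 QUERY A www.example.com")
        lines.append(f"{t + 0.002:.3f} {RESOLVER_IP}:53 > {legit}:40000 len=90 RESPONSE A www.example.com")
    return lines


if __name__ == "__main__":
    for f in analyse(build_sample_capture()):
        print(f"{f['apparent_source']}: {f['queries']} queries, "
              f"{f['amplification']:.1f}x amplification, names={f['names']}")
```

The flagged address is the spoofed victim, so the useful follow-up is the one the comment already names: response rate limiting on the resolver (or the equivalent iptables rules) keyed on that destination, not blocking the "source", since the real senders never appear in the capture.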
-
Re:Very poor advice
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they do, they won't necessarily know how.
You know, if Linux still installed from 30 floppies or needed Loadlin, I would agree but installing Ubuntu takes like 11 freakin mouse clicks now. Anyone concerned with security, and still using Windows, is either a helpless victim of Lock-in, or just too damn change-resistant for their own good.
Windows is actually one of the better operating systems security wise these days.
No, actually it's not. Historically and subjectively, each release of Windows has been prone to the same old problems as the previous releases. Internet Explorer/ Active-X/ Application specific exploits both on removable media or over the network. We won't even start with the abysmal practice of Domain Admin passwords stored on laptops, still using stupid hashing algorithms.
bring on the irrational arguments and Microsoft hate.
Not trying to be irrational or hateful -- it's all fact dude. Open your eyes.