Last Updated: 2013-10-01 20:01:35 UTC
by Adrien de Beaupre (Version: 1)
Today is the beginning of Cyber Security Awareness Month. Apparently the month's official theme is "Our Shared Responsibility," We at the SANS Internet Storm Center want your logs! Send us packets, malware, all your logs, log snippets, observations, things that go bump on the 'net, things that make you go HMMMM, or just send us email to discuss InfoSec. What can we do as individuals to increase information security and encourage secure practices among co-workers, friends, and family? Let us know via our Contact Us page, or the comments below.
This year our theme is 'wierd. wonderful, and interesting stuff in logs'. In past years here have been some of our themes:
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202010 - awareness
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202011 - critical controls
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202012 - theme was "standards"
You can watch NCSAM in the USA go live at the following Facebook URI: https://www.facebook.com/staysafeonline/app_142371818162
Let's be careful out there!
Adrien de Beaupré
My SANS Teaching Schedule
Last Updated: 2013-10-01 19:57:14 UTC
by John Bambenek (Version: 2)
Metasploit has just released a module to exploit the currently unpatched CVE-2013-3893 vulnerability in Internet Explorer. This vulnerability can be used for remote code execution if you can get a user to go to a specifically crafted webpage. Microsoft has released a FixIt that should be deployed for this vulnerability for 32-bit versions of IE. EMET is also available as a mitigating control.
With a metasploit module out there, we can now expect commodity exploitation out there available to the low-rent script kiddie community.
See our previous handlers diary on the subject by Russ McRee here.
UPDATED 2000 UTC by John Bambenek: Threatpost has three different attacks using the IE vulnerability which will widen the field of tools used.
bambenek \at\ gmail /dot/ com
Last Updated: 2013-10-01 12:55:28 UTC
by Johannes Ullrich (Version: 1)
A host may now add a new subflow, and this subflow will be authenticated using a hash derived from the keys exchanged earlier, and nonces that are unique to each new subflow. The MP_JOIN option is used to carry this data. Throughout the connection, hosts may inform each other of newly acquired addresses and they may use the for new subflows. Since each subflow has its own set of sequence numbers, "Data Sequence Signals" are used to communicate how the sequence numbers in the subflow map to the combined data flow. The protocol has a lot of little details that make it well suited for hosts connected to multiple wireless networks. For example, different subflows may have different priorities. One usage scenario is a cell phone connected to a Wifi as well as a cellular network, and roaming between the two. For example, you start a TCP connection at home, and continue using it as you leave the house and your phone switches to the cellular network. As long as both networks are available for a while, MPTCP may drop the Wifi connection and exclusively use the cell phone data connection until you reach another WiFi network. But enough about how the protocol works, here are some packets. A quick BPF to capture these packets (for example with tcpdump):
It is not perfect, but because the options involved are rather large, you will find MPTCP packets by looking for larger TCP header sizes. This filter looks for a header size of 56 and above, with 60 being the maximum (you don't really need the bitmask for the filter). Wireshark and tshark deal rather well with MPTCP. For example, tshark displays for the TCP options:
Multipath TCP: Multipath Capable Kind: Multipath TCP (30) Length: 12 0000 .... = Multipath TCP subtype: Multipath Capable (0) .... 0000 = Multipath TCP version: 0 Multipath TCP flags: 0x01 0... .... = Checksum required: 0 .... ...1 = Use HMAC-SHA1: 1 Multipath TCP Sender's Key: 8848941202347829228
16:44:15.681318 IP 220.127.116.11.57799 > 18.104.22.168.443: Flags [S], seq 847601216, win 65535, options [mss 1460,nop,wscale 3,Unknown Option 3000017acdc123cc42a7ec,nop,nop,TS val 102569696 ecr 0,sackOK,eol], length 0