.CN DDoS and DNS Hijacking
Do you want to hear about the week’s biggest InfoSec news while learning a few security tips in the process? Well, this is the weekly vlog for you.
In today’s video, I share a potential cause for China’s recent distributed denial of service (DDoS) attack, warn about a serious vulnerability in Cisco’s ACS, and explain how a hacktivist group took down the New York Times. I even throw in a bit of Friday fun at the end. Watch the video below, and remember to check out the references for links to other stories.
(Episode Runtime: 10:20)
Direct YouTube Link: http://www.youtube.com/watch?v=cyQX4J0OEyo
Episode References:
- Huge DDoS attack affects China’s .CN ccTLD – WSJ Blog
- Chinese government site confirms the DDoS (translated) – CINIC
- Critical Cisco ACS security advisory – Cisco
- Great post on how SEA took down NYT – Cloudflare
- MelbourneIT credentials stolen due to phishing – Network World
- John McAfee releases another “interesting” video – Who is McAfee
Extras:
- NSA accused of cracking encryption for UN teleconferencing system – Computer World
- PayPal fixes account deleting flaw – The Register
- Java 6 flaw exploited in the wild. Upgrade to 7 – Information Week
- Pinterest email harvesting flaw fixed – Network World
- Google’s Palestinian site defaced – ZDNet
- Hacked cell phone can jam other cellular devices – Threatpost
- Researchers reverse Dropbox and find flaws (requires local access) – USENIX
- Attacker pleads guilty to selling super computer logins – Ars Technica
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev (Rainbow Security) says
The vulnerability in Cisco Secure Access Control Server (EAP-FAST authentication) attracts my attention this time. Thinking logically: if execution of arbitrary commands is possible due to improper parsing of user identities, they (Cisco) are most likely talking about Phase 1 of EAP-FAST, where the system makes use of “protected access credentials” (PAC files) to establish a TLS tunnel. Although EAP-FAST can be used without PAC files, the “vulnerability is only present when Cisco Secure ACS is configured as a RADIUS server”. If it’s RADIUS, then some attributes should be passed using port 812 (or UDP 1645 in that case), including credentials (PAC). So, in that case, I suspect that user credentials are provisioned in PAC form without involving a server certificate in the process, because otherwise “allow an unauthenticated (!), remote attacker to execute arbitrary commands” together with exploitation of “improper parsing of user identities” (with specially crafted packets) is hardly-hardly-hardly possible… Besides, if we are coming to “remote attacker to execute arbitrary commands”, that means it is possibly a memory corruption or buffer overflow issue… but I’m not sure about the last one.