
InfoSec News

Immediately after Steve Jobs introduced the iPad 2 Wednesday at the Yerba Buena Theater in San Francisco, California, he invited members of the media to visit a special hands-on area right behind the theater--the same set-up Apple used a year ago to introduce the original iPad. While the iPad 2 won't be available until March 11, we were able to spend some quality time with the iPad 2 today. Here's what we found.
 
If you're a mobile worker and like to go online using public Wi-Fi services, like those in coffee shops, you probably don't realize how insanely reckless you're being.
 
Apple iTunes JPEG Image Heap-Based Buffer Overflow Vulnerability
 
WebKit Multiple Memory Corruption Vulnerabilities
 
After making its first appearance in the iPad 2, the next stop for Apple's A5 chip could be in the next version of the iPhone, where it would bring a significant boost in graphics and application performance without compromising battery life, analysts said.
 
Macworld editorial director Jason Snell and senior associate editor Dan Moren take a look at the iPad 2 at today's launch event.
 
A new program funded by a U.S. agency and private money aims to bring supercomputing resources to small manufacturers.
 
libxml2 'XPATH' Expressions Memory Corruption Vulnerability
 

Apple's Product Security team has sent notification that a new version of iTunes is out, along with the security fixes in this update.
They list the security fixes here:
http://lists.apple.com/archives/security-announce/2011/Mar/msg00000.html
We'd recommend you update as soon as possible.

Today is a great day to check if all those other applications on your machine need an update.

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

GovInfoSecurity.com

DHS Seeks More Infosec Funds for 2012
GovInfoSecurity.com
Homeland Security Secretary Janet Napolitano, testifying before the Senate Appropriations Committee Wednesday, characterized securing and safeguarding cyberspace as one of the department's six primary missions. "Today's threat picture features an ...

 
Tatanarg combines a man-in-the-browser attack with the capability of detecting and disabling Zeus on an infected system.

 
Documents obtained under a Freedom of Information Act request show that DHS has signed contracts for mobile systems that may scan pedestrians without their knowledge.
 
By the time that Apple CEO Steve Jobs wrapped up today's launch of a revamped iPad, analysts were already calling it "incremental" and pointing out that the new tablet delivers "no surprises."
 
Pango 'hb_buffer_ensure()' Buffer Overflow Vulnerability
 

The great IT risk measurement debate, part 2
IDG News Service
Since there hasn't been anything like that for infosec yet that I'm aware of, the other approach is component testing: We can at least be sure whether or not the gears of the clock work. Hutton: That's where I was going to go. That's one of the reasons ...

 
Apple has launched the next generation of its tablet computer, the iPad 2. Computerworld has it covered.
 
Federal and state agencies target several companies pitching bogus money-making programs or job opportunities.
 
Qualcomm said it is stepping up its software efforts as its chips begin supporting more operating systems, including Microsoft's upcoming Windows OS, which will be targeted at mobile devices, tablets and PCs.
 
CubeCart 2.0.6 SQL injection / Cross Site Scripting
 
Prestashop Cartium 1.3.3 Multiple Cross Site Scripting (XSS)
 
WebKit ':visited' CSS Pseudo-class Information Disclosure Vulnerability
 
PhotoPost PHP 4.8c (showgallery.php) Cross Site Scripting
 
Three days after Google's Gmail first suffered a service disruption, some users still don't have their service back.
 
Apple today unveiled the second-generation iPad, which uses a dual-core A5 processor and offers much improved graphics performance. Oh, and it's thinner than its predecessor.
 
In the quest to cut down on shipping waste Taiwan's Asus has a novel idea: What if the shipping container became the PC case?
 
Apple CEO Steve Jobs today took the stage in San Francisco to introduce his company's new iPad 2, which is faster, thinner and lighter than its predecessor.
 
VidiScript (index.php) Cross Site Scripting
 
[USN-1082-1] Pango vulnerabilities
 
WebKit 'execCommand()' Function Clipboard Overwrite Security Weakness
 
WebKit HTTP Redirects Information Disclosure Vulnerability
 
Google has pulled more than 50 malware-infected apps from its Android Market, but hasn't yet triggered automatic uninstalls of those programs from users' phones, security experts said today.
 
Apple is holding a special event today at which it is expected to unveil a new iPad tablet. Macworld is liveblogging the event as it happens.
 
New Jersey's single largest healthcare provider, Saint Barnabas Health Care System, is rolling out a major data-loss prevention (DLP) initiative that will enforce new content-control restrictions on more than 10,000 laptops, tablets and desktop PCs used by its medical staff.
 
WebKit Right-to-Left Displayed Text Handling Memory Corruption Vulnerability
 
WebKit CVE-2010-1386 Information Disclosure Vulnerability
 
If they could change one thing to improve IT security, the assembled experts on a panel at Cebit would better educate their users.
 
More than 50 startups launched products and services at DEMO Spring 2011, all hoping to become the next Facebook, Twitter or Salesforce.com, or to attract just enough venture funding or press coverage to continue their dreams. All of the products or services were cool in their own way, but here (in no particular order) are my picks for the ones I found most useful, cool or awesome.
 
Egypt's revolution was heralded as a success story for social media services such as Twitter and Facebook. Western journalists fawned over every rare example of social media, ignoring the more mundane but far more nt communication services such as cellular phone calls and text messaging. The really interesting story out of Egypt, and more recently Libya, Iran and other places, was the communications blackouts imposed by each regime. While the West focused on layer-7 technologies, the tyrants were smart enough to strike at the root of their citizens' efforts: layer-1 physical connectivity for phones.
 

The Android applications contained a hidden Trojan called DroidDream that attempted to gain root access to the smartphone to view sensitive data and download additional malware.

Google has pulled at least 21 free applications from its Android Market late Tuesday after software developers found hidden malware aimed at gaining access to sensitive data.

The free applications included a variety of games and were removed after bloggers questioned hidden malcode in them that attempted to gain root access to the user's smartphone. Google removed the apps and references to their publisher, Myournet, within minutes of being informed of the problem.

According to Aaron Gingrich, who writes for the Android Police blog, the apps contained a variety of hidden features, including the ability to contact a remote server to download more malware.

“I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device,” Gingrich wrote.

“But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.”

The malware has been analyzed by mobile malware researchers at Lookout Inc. Called DroidDream, the malware has been discovered in more than 50 applications in the official Android Market. In an update on the Lookout blog, the company said Google is actively working on the issue. The Lookout DroidDream blog post also lists all the affected applications.

We originally reported that Google removed the apps from devices, but we recently learned that the remote removal system has not yet been engaged for these applications because they are under active investigation.

Up until now malware has been surfacing on apps on third-party Android app repositories. Google and Apple have removed Android and iPhone apps in the past for failing to comply with certain standards. While both mobile giants check apps for software quality and interaction with the smartphone OS, experts point out that they do not closely scrutinize applications for hidden malicious code and other security issues.



 
Have you ever wanted a do-over? Ever wished that you could just erase the day and pretend it never happened? Well, human time travel still exists only in science fiction, so you'll have to wait for theoretical physicists to figure out how to make it work--but your Windows PC can do something similar right now with System Restore.
 
Criminals have gotten pretty good at making fake Web sites (for PayPal, eBay, Facebook, etc.) look like the real thing. But what they can't fake quite as easily is the location of the Web server that's hosting their fraudulent site. You might be looking at a perfect replica of, say, Bank of America, but if the site is hosted in Uzbekistan, it's a good bet you shouldn't input your password. Read "Seven Hints to Stay Safe Online" for details on this sort of scam, and some ways to protect yourself.
 
Dual-processor Dell PowerEdge R715 scores big on performance, features, and bang for the buck
 
[ MDVSA-2011:039 ] webkit
 
[USN-1081-1] Linux kernel vulnerabilities
 
[SECURITY] [DSA 2176-1] cups security update
 
[USN-1080-1] Linux kernel vulnerabilities
 
IBM's Tivoli cloud management tool upgrade includes the ability to deploy virtual machines in seconds, but there's potential for frustration as well. Its list of supported platforms includes some notable absences.
 
Facebook has acquired the mobile messaging company Beluga, according to a note on Beluga's website. Financial details were not disclosed.
 
There are times as a security professional when you have to roll up your sleeves and get your hands dirty to make sure some of the basics are applied to the environment we're looking after. As a common example, most of us have had to patch the odd Windows machine, or three, to help out a friend and make sure they're safe and up to date against the various nasties out there.


What happens when you're presented with forty-seven Windows XP computers: all networked, in a Windows workgroup, with varying levels of patches installed, hardly any internet connectivity and a limited time frame to get them to a current patch level? Now throw in that every machine is infected and the infections are causing embarrassing and crippling problems for the users.


Here's how I handled it; if you have a better approach, or helpful pointers, feel free to comment.


- Assess the situation, explain the discovered risks to the business and come up with a plan of attack.

Uncovered background on the problem:

- Tech support for the network is one poor soul who is good with computers, but it's not their primary job
- The same antivirus software (AV) was on all machines, but the definitions were totally out of date
- The admin password for all of the machines is the same
- A switched Fast Ethernet network linked the machines
- The internet link was very expensive, very limited and only used for email
- The machines were riddled with malware, Conficker being the most obvious
- The file server was another XP machine used to store all the data
- This is a favour to a friend, so there was no budget and it had to be done over an evening
- The business owner had signed off on the risk of patching everything in one go
- These machines were on four different floors (lots of running around), but only one network
- Random application software was installed
- Did I mention no budget for anything IT, including support or training?

Leaving aside the bigger picture of no security policies or procedures and a total lack of fundamental IT management, it was important to get to a measured and consistent baseline where the users could actually work.

The aim was to bring a standard, baseline patch level to the Windows machines, avoid full rebuilds and purge the main malware problems.
Here are my quick five steps:

- Back up the file server, verifying the data copy is malware-free and valid
- Get the current service pack installed
- Get all the current hotfixes installed
- Check that all the machines are patched
- Get all machines to the current AV definition level, then scan and clean any malicious activity on the machines

Faced with a very hostile network, trusting one of the existing machines was not an option.
Thankfully virtualisation provides a great option: plug in a machine and dispose of or revert it if this type of situation arises. I also happen to have a Windows Server virtual machine (VM) with Windows Server Update Services (WSUS) [5] installed on my laptop, which had been recently synced with the latest updates.*


Step 1: Back up the critical data from the XP file server to an external USB drive
The drive was then plugged into a secured machine with a current AV. The autorun nasties were removed from the drive, and the data was scanned and cleaned of all known problems. Then someone from the company confirmed the data was good.


Step 2: Create a share on the virtual machine for XP SP3 and deploy it to all machines
The wonderful PSEXEC [1] comes to the rescue as it can be used to deploy and execute the SP3 patch from the VM's share. Smarter scripting techniques [2] with PSEXEC mean you can automate this process for deployment.

As an example, this command copies SP3 to the target machine, then silently starts the installation and forces a reboot once SP3 has been installed (-c copies the installer to the target, -f overwrites any existing copy, -s runs it as the SYSTEM account):

psexec \\computer -c -f -s \\server\share\WindowsXP-KB936929-SP3-x86-ENU.exe /quiet /forcerestart



Step 3: Deploy all current patches
Having a WSUS server as a virtual machine means fast, portable patch management with reporting. Using PSEXEC to deploy registry keys [3] pointing all the XP machines at my WSUS VM forced all the machines to register and download the current updates. This provided a log of all the machines that connected, and what Windows patch level they were at.


Step 4: Check that all the machines are patched
Microsoft's free tool Microsoft Baseline Security Analyzer (MBSA) [5] is a quick and effective way to verify that all the machines are up to the correct patch level, as it can reference the portable WSUS server as the patch baseline for each machine.
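The following PowerShell script is an added example and not part of the ISC diary: it automates Step 2 (pushing XP SP3 with PSEXEC) and Step 3 (pointing each workgroup machine at the portable WSUS VM) for a list of hosts, keeping a log of exit codes so you know which of the forty-seven boxes still need attention. The host names, the share path \\PATCHVM\patches, the WSUS URL http://PATCHVM:8530 and the file computers.txt are assumptions; the SP3 file name and PSEXEC switches are the ones from the diary, and the registry values are the standard Windows Update client policy keys.

```powershell
# Added example (not from the ISC diary). Assumed: computers.txt holds one hostname per
# line, the patching VM is reachable as PATCHVM, its share \\PATCHVM\patches holds the
# SP3 installer, WSUS listens on http://PATCHVM:8530, and psexec.exe is on the PATH.

$Share   = '\\PATCHVM\patches'                                    # assumed share name
$Sp3     = Join-Path $Share 'WindowsXP-KB936929-SP3-x86-ENU.exe'   # installer named in the diary
$Wsus    = 'http://PATCHVM:8530'                                  # assumed WSUS VM URL
$LogFile = Join-Path $PWD 'patch-run.log'
$Cred    = Get-Credential -Message 'Shared local admin account on the XP machines'
$User    = $Cred.UserName
$Pass    = $Cred.GetNetworkCredential().Password

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Step 2: copy SP3 to the target and install it silently, rebooting when done.
# Same PSEXEC switches as the diary: -c copy the binary, -f overwrite an old copy,
# -s run as SYSTEM. Exit code 0 means installed, 3010 means installed with a reboot pending.
function Install-Sp3([string]$Computer) {
    & psexec "\\$Computer" -u $User -p $Pass -c -f -s $Sp3 /quiet /forcerestart
    Write-Log "$Computer SP3 exit code $LASTEXITCODE"
    return $LASTEXITCODE
}

# Step 3: write the Windows Update client policy keys remotely with reg.exe, then make
# the Automatic Updates client re-register with the WSUS VM and run a detection cycle.
function Set-WsusClient([string]$Computer) {
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $cmds = @(
        "reg add $wu /v WUServer /t REG_SZ /d $Wsus /f",
        "reg add $wu /v WUStatusServer /t REG_SZ /d $Wsus /f",
        "reg add $wu\AU /v UseWUServer /t REG_DWORD /d 1 /f",
        "reg add $wu\AU /v AUOptions /t REG_DWORD /d 4 /f",   # auto download and schedule install
        "wuauclt /resetauthorization /detectnow"
    )
    foreach ($c in $cmds) {
        & psexec "\\$Computer" -u $User -p $Pass cmd /c $c
        if ($LASTEXITCODE -ne 0) { Write-Log "$Computer failed ($LASTEXITCODE): $c" }
    }
    Write-Log "$Computer pointed at $Wsus"
}

$Computers = Get-Content .\computers.txt | Where-Object { $_.Trim() }

# First pass: service pack. Each machine reboots itself when the installer finishes.
foreach ($pc in $Computers) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Log "$pc unreachable, skipping"
        continue
    }
    Install-Sp3 $pc | Out-Null
}

# Second pass, once the reboots have finished: point every machine at the WSUS VM.
# foreach ($pc in $Computers) { Set-WsusClient $pc }
```

The two passes are kept separate on purpose: the SP3 install forces a restart, so the registry push has to wait until the machines are back. Anything logged as unreachable or with a non-zero exit code is the short list to walk the floors for, and the WSUS console's own report then confirms which machines checked in and at what patch level, which is exactly what Step 4 with MBSA verifies.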

296861

[5] http://technet.microsoft.com/en-us/security/cc184924

[6] http://technet.microsoft.com/en-us/windowsserver/bb332157


*Doesn't everyone? Well, if you're building machines and travelling to places with poor internet access all the time, it makes patching a darn sight easier!


Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Ten things we hate about Trade shows - even Infosec
MicroScope (blog)
A company called EventGenie says it can take the pain out of IT exhibitions like Cebit, Infosec and Embedded World. (If they can make Embedded World fun, they can do anything.) OK, then, EventGenie, how are you going to make Infosuck any less than a ...

 
IBM's Tivoli cloud management tool upgrade includes the ability to deploy virtual machines in seconds, but there's potential for frustration as well. Its list of supported platforms includes some notable absences.
 
Intel on Tuesday provided further details about its Atom N570 chip and said netbooks with the processor will ship later this month.
 
When Leo DeFault had what should have been a fatal heart attack, it was an intensive care physician 25 miles away who helped save his life. That kind of remote healthcare technology is gaining ground quickly.
 
A growing number of utility companies have begun implementing data warehousing and analytics technologies to handle smart grid data.
 
The European Union’s competition regulators carried out unannounced inspections into various companies that sell digital books on Tuesday on suspicion of operating a cartel and engaging in other banned business practices.
 
Mozilla on Tuesday fixed 11 security flaws in Firefox, following in rival Google's footsteps in patching its browser before a hacking contest kicks off next week.
 
InfoSec News: Computer hackers a top concern for Homeland Security: http://www.latimes.com/news/nationworld/nation/la-na-homeland-security-20110302,0,2881352.story
By Julie Mianecki Washington Bureau Los Angeles Times March 1, 2011
Cyber security is a potential "nightmare" for the Department of Homeland Security in the years ahead, as are concerns about homegrown terrorists and intelligence sharing, officials said Tuesday at a seminar marking the department's eighth anniversary.
"The nightmare that the DHS has," said Stewart Baker, a former head of policy at the department, "is that a very sophisticated hacker, perhaps working for Hezbollah, manages to infiltrate our electric grid and to bring down power to a portion of the United States, not for an hour or two, but for days or weeks. This would create a major humanitarian crisis."
Homeland Security Secretary Janet Napolitano said the rapid pace of change is the biggest issue with technology.
"The problem with cyber is almost by the time you're talking about something, they're on to the next thing," Napolitano said. "It is really a fast-moving field that, quite frankly, probably none of us are as good at understanding as somebody who's 20 years old, so this is an area where we're really trying to hire people. And if there are students in the audience that have any cyber interest, I would ask them to see me after."
[...]
 
InfoSec News: Anonymous Member Says Palantir Not Off the Hook: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229219613/anonymous-member-says-palantir-not-off-the-hook.html
By Kelly Jackson Higgins Darkreading Mar 01, 2011
Fallout from the Anonymous group's cyberattack on security firm HBGary [...]
 
InfoSec News: LayerOne 2011: Call for Papers: Forwarded from: LayerOne Call For Papers <layeronecfp (at) gmail.com>
Call for Papers
LayerOne 2011 Security Conference
May 28-29, 2011 Anaheim, California (Anaheim Marriott)
http://layerone.org/
The seventh annual LayerOne security conference is now accepting [...]
 
InfoSec News: Vodafone reviews security systems after burglary causes network outage: http://www.computerweekly.com/Articles/2011/02/28/245653/Vodafone-reviews-security-systems-after-burglary-causes-network.htm
By Jenny Williams ComputerWeekly.com 28 February 2011
Vodafone is reviewing its security systems after the burglary at one of [...]
 
InfoSec News: Self-erasing flash drives destroy court evidence: http://www.theregister.co.uk/2011/03/01/self_destructing_flash_drives/
By Dan Goodin in San Francisco The Register 1st March 2011
The inner workings of solid state storage devices are so fundamentally different from traditional hard drives that forensic investigators can [...]
 
Magic Music Editor '.cda' File Remote Denial of Service Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2011-01 through -10 Multiple Vulnerabilities
 
GNU Mailman 'Full name' Field Multiple Cross Site Scripting Vulnerabilities
 

Posted by InfoSec News on Mar 01

http://www.latimes.com/news/nationworld/nation/la-na-homeland-security-20110302,0,2881352.story

By Julie Mianecki
Washington Bureau
Los Angeles Times
March 1, 2011

Cyber security is a potential "nightmare" for the Department of Homeland
Security in the years ahead, as are concerns about homegrown terrorists
and intelligence sharing, officials said Tuesday at a seminar marking
the department's eighth anniversary.

"The...
 

Posted by InfoSec News on Mar 01

http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229219613/anonymous-member-says-palantir-not-off-the-hook.html

By Kelly Jackson Higgins
Darkreading
Mar 01, 2011

Fallout from the Anonymous group's cyberattack on security firm HBGary
Federal just keeps on coming: Anonymous is cranking up the pressure on
another security vendor whose name came up in the leaked emails from
HBGary Federal -- Palantir...
 

Posted by InfoSec News on Mar 01

http://www.computerweekly.com/Articles/2011/02/28/245653/Vodafone-reviews-security-systems-after-burglary-causes-network.htm

By Jenny Williams
ComputerWeekly.com
28 February 2011

Vodafone is reviewing its security systems after the burglary at one of
its exchange facilities left thousands of UK users without phone or
text-messaging services.

Between 1am and 2am, thieves stole specialist network equipment and IT
hardware after breaking down...
 

Posted by InfoSec News on Mar 01

http://www.theregister.co.uk/2011/03/01/self_destructing_flash_drives/

By Dan Goodin in San Francisco
The Register
1st March 2011

The inner workings of solid state storage devices are so fundamentally
different from traditional hard drives that forensic investigators can
no longer rely on current preservation techniques when admitting
evidence stored on them in court cases, Australian scientists said in a
research paper.

Data stored on...
 

Posted by InfoSec News on Mar 01

Forwarded from: LayerOne Call For Papers <layeronecfp (at) gmail.com>

Call for Papers

LayerOne 2011 Security Conference

May 28-29, 2011
Anaheim, California (Anaheim Marriott)

http://layerone.org/

The seventh annual LayerOne security conference is now accepting
submissions for topic and speaker selection. As always, we are
interested in seeing a broad range of pertinent topics, and encourage all
submissions. Some of our past presentations...
 
Linux Kernel TCP_MAXSEG Local Denial of Service Vulnerability
 
Microsoft have moved their Windows Autorun V2.1 [1] (967940) update patch from optional updates to automatic updates.
This is the same patch that was released in last month's Patch Tuesday. When Windows Update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate.
Expect one or two calls from confused family members asking why their favourite autorun USB stick application has stopped working.
[1] http://www.microsoft.com/technet/security/advisory/967940.mspx
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Fresh from the Mozilla team: Firefox 3.6.14/3.5.17 and Thunderbird 3.1.8, fixing a number of security issues:
http://www.mozilla.org/security/known-vulnerabilities/

Adobe have released Flash v10.2.152.32
Update: This is not a security fix for Flash, simply an update for flex/flash dev - Thanks to Brad Arkin for the clarification.

And last, but not least, the Wireshark team have published 1.4.4

Get them while they're hot!

Thank you to a couple of readers for writing in with these updates

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

