InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
AT&T will pay TiVo at least US$215 million to settle pending patent litigation relating to digital video recorder technology.
Siemens Automation License Manager Buffer Overflow and Denial of Service Vulnerabilities
WordPress 'wp-comments-post.php' Cross Site Scripting Vulnerability
WinMount 'WMDrive.sys' Driver IOCTL Handling Local Denial of Service Vulnerability
phpMyAdmin Prior to 3.4.9 Multiple Cross Site Scripting Vulnerabilities
OpenEMR Multiple SQL Injection Vulnerabilities
30 Days With the Cloud: Day 20
It's a stretch to call 2011 a truly transformative year for enterprise software, given all the old warts that remain, from large-scale IT project failures to creaky legacy systems that will take years and great expense to replace with the latest-and-greatest.
Google has acquired more IBM patents, adding more than 200 to approximately 2,000 patents it had previously bought from IBM.
Sprint Nextel has given LightSquared another month to gain FCC approval for its planned 4G network, extending a deal in which LightSquared would use Sprint's Network Vision infrastructure and save an estimated $13 billion in deployment costs.
VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow Vulnerability
MaraDNS Hash Collision Denial Of Service Vulnerability
Symphony Multiple SQL Injection and Cross Site Scripting Vulnerabilities
Apple will probably highlight changes to iBooks this month, an analyst said, citing his own sources and rumors of an impending event the Cupertino, Calif. company will host.
Just in time for Tuesday's Iowa caucus, Google launched a political hub site to help users get information, discuss issues and track candidates' popularity.
cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities
Siemens Automation License Manager 'almaxcx.dll' ActiveX Arbitrary File Overwrite Vulnerability
Re: PHP Booking Calendar 10e XSS
SQL Injection Vulnerability in OpenEMR 4.1.0


Infosec & AntiSec Trends in 2011 Usher in Cybersecurity and Cyberwar
Infosec & AntiSec movements have had a crazy year in trends in 2011. With talk of cyber war, cyber espionage and hacking gone wild in governments and institutions around the world, it's hard to keep up with it all. Costin Raiu who is the director of ...

[SE-2011-01] Security vulnerabilities in a digital satellite TV platform
[RT-SA-2012-001] Bugzilla: Cross-Site Scripting in Chart Generator
mavili guestbook - SQL Injection and XSS Vulnerabilities
Tinyguestbook XSS
Microsoft today said its campaign to drive Internet Explorer 6 (IE6) into extinction had done its job in the U.S., where fewer than 1% of users ran the decade-old browser last month.
Online giants Google and Facebook came out as the most-visited websites of 2011, according to a Nielsen report.
OpenKM 5.1.7 Privilege Escalation
BigACE CMS - XSS Vulnerabilities
Survey finds most Americans don't foresee an all-electronic U.S. society.
At Utah Valley University, 120 computers are now working to decode encrypted passwords revealed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.
Mozilla's upgrade call last month pushed more Firefox 3.6 users to grab a newer edition than any month since June 2011, a Web metrics company said over the weekend.
Linux Kernel 'SG_IO IOCTL' SCSI Request Local Privilege Escalation Vulnerability
I ended last year with a death-of-the-Internet column, and I'm starting off the new year with a death-via-the-Internet one.
RETIRED: Computer Associates ARCserve D2D and ARCserve Backup Arbitrary Code Execution Vulnerability
Microsoft ASP.NET Hash Collision Denial Of Service Vulnerability

Got feelings on the state of the infosec profession? Here's a survey!
CSO (blog)
by CSO, Salted Hash – IT security news analysis, over easy! Note: A good friend from the security community asked me to spread the word about this survey. What follows is completely stolen from him. --Bill Brenner Your feedback is important to us in ...

CIOs and their fellow executives have conflicting priorities on cost and competitors, says our 2012 State of the CIO survey.
Waste Management's new e-commerce site creates additional revenue streams for the company and gives its IT team sales quotas to fill.
The most business-savvy CIOs tend to report to the CEO, lead a non-IT area, and make more money than average CIOs.
With 2011 behind us, what do the top tech companies have up their sleeves? Though a few have already made big announcements, most of what we think is coming is based on rumors. With that in mind, your business should watch for these potential developments from five of the top tech companies in 2012.
You can blame the iPhone, Salesforce.com, and Facebook, but the truth is that business itself has driven the shift to employee-directed tech
[ MDVSA-2012:002 ] t1lib

Stratfor so very, very sorry in wake of mega-hack
The exact motives of the attack are unclear, but the fact that Stratfor provides intelligence services for law enforcement, among others, made them a target for anti-sec hacktivists, who delight in exposing the security failings of White Hat infosec ...

Samsung Electronics has launched the Android-based Galaxy Ace Plus, which has more memory, a faster processor and a slightly larger screen compared to its predecessor, the company said on Thursday.
The Application Developers Alliance would enable collaboration and provide education, cloud access, and lobbying efforts
2012 is poised to go down in Internet history as one of the most significant 12-month periods from both a technical and policy perspective since the late 1990s, when this network-of-networks stopped being a research project and became an engine of economic growth.

Hey Big Spenders: Federal Infosec Market Poised for a Growth Spurt
CRM Buyer
... topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.

IT leader Doug Beebe also has advice on what qualities are lacking in new hires and the wisdom of pursuing an MBA.
Tienda Virtual 'art_detalle.php' SQL Injection Vulnerability
Gartner says global IT spending growth will be essentially flat in 2012. IDC is more bullish, estimating 6.9% growth, driven by investments in smartphones, media tablets, mobile networks, social networking, and big data analytics.
Big changes in IT are spawning a new class of tech job titles. Here are a few up-and-comers -- and a rundown of the skills you need to land these positions.
Belarus has introduced a law that imposes restrictions on citizens and residents in the country visiting or using foreign websites, according to Global Legal Monitor, an online publication of the Law Library of Congress.
Cloud computing poses unique security challenges. Here's how cloud-specific 'security incident-response teams' could help governments and large enterprises respond to malicious activity and make the cloud more trustworthy.
What better way to start a new year than with some JavaScript deobfuscation!
A couple of weeks ago, one of our readers, Rick, found a compromised server with an interesting add-on planted by the attacker. The attacker added a relatively simple PHP script, nothing we have not seen before. The PHP script was more or less standard for such attacks: the first part checks the submitted User-Agent header and whether the request came from one of a list of predefined network ranges (you probably guessed it: those that belong to search engines and AV companies). If the request matches, the PHP script just displays a fake 404 Not Found error page.
You can see that part of the code, which is self-explanatory, in the picture below:

Now, if the request passes this test, the interesting part comes: the PHP script simply prints a huge, heavily obfuscated and very nasty JavaScript blob.
This blob is about 300 KB in size (!!!), so, as the first thing when encountering such JavaScript, I always try the wonderful Wepawet service (available at http://wepawet.iseclab.org/). In case you aren't familiar with Wepawet, it allows you to submit JavaScript (and PDF and Flash) files for automatic analysis. Over the years, Wepawet became increasingly good at deobfuscating such files, so I was surprised to see that it failed to analyze the submitted JavaScript file. VirusTotal was no good either (as expected, 0/42). So, time for some hacking ...
After trying the typical tricks of defining parts of the document object (see more about these methods in Lenny's diary at http://isc.sans.edu/diary.html?storyid=12157), I noticed that the JavaScript file I was analyzing depended on way too many properties/methods of the document object. While it is certainly possible to define all of them, I decided to skip that tedious part and go directly to a debugger; after all, nothing gives you more thrills than the possibility of infecting your own machine :) (of course, this was done in an isolated VM).
While people usually do not like analyzing such potentially malicious JavaScript files in Internet Explorer, I have to admit that I like Internet Explorer's Developer Tools *a lot*. So, to get this into a debugger, I normally paste the JavaScript file into a very simple HTML document that just defines the body. I also add the debugger keyword at the start to make sure that the debugger will stop at the beginning (so I don't end up infecting my own machine). After this has been done, we just need to start debugging and open the HTML file in Internet Explorer. The Developer Tools will automatically break at the beginning:

We can now easily step through the code, set up further breakpoints and use all of the Developer Tools' powerful debugging options, such as variable and call stack inspection. When I reached the end I was a bit disappointed: the JavaScript file tried to retrieve a URL that was not available any more. It also depended on certain elements in the original web page, which was unavailable to me as well.
Back to the obfuscation: while it managed to evade analysis in Wepawet, I remember that I've seen such methods before. If you have been a regular reader of the SANS ISC you may remember the diary I wrote back in 2009: http://isc.sans.edu/diary.html?storyid=6142. The attackers used the same method here: very, very long and complex if/then/else statements which end up calling various DOM methods and properties. While this method has been known for a while, it is obviously still very effective, especially since it allows a practically unlimited number of combinations that an attacker can use to obfuscate their malicious JavaScript code. An analysis sandbox that does not provide the same DOM as a real browser takes different branches and never assembles the real payload, which is exactly what defeated the automated analysis here.



Java Hash Collision Denial Of Service Vulnerability
V8 JavaScript Engine Hash Collision Denial Of Service Vulnerability