
InfoSec News

Few Fortune 1000 corporations have plans to adopt public cloud storage -- even for their lowest tier of data, a new storage survey shows.
At its users conference this week, Symantec released a slew of upgrades to its midrange backup, enterprise archive and data management products and said it will begin offering a SaaS model.
The U.S. Federal Bureau of Investigation warned computer users Tuesday that messages claiming to include photos and videos of Osama bin Laden's death actually contain a virus that could steal personal information.
Sony executives said an attack on its PlayStation Network systems also exposed the data of 24.6 million users at its Online Entertainment division.

Startup chip design company Adapteva on Tuesday announced the multicore Epiphany processor, which is designed to accelerate applications in servers and low-power devices such as smartphones and tablets.
Oracle Solaris CVE-2011-0813 Local Kernel Vulnerability
While only a few years ago Linux skills were just one in a series of possible assets for job applicants looking to stand out, in today's fast-paced, highly competitive workforce, it can actually be a make-or-break element.
Xobni is launching an application development platform and store for its popular Microsoft Outlook plug-in, which has about 7 million users.
Hackers today stepped up their use of Osama Bin Laden's death by shoving malware into PCs when users fall for phony claims of photographs and video, security researchers said today.
The FTC proposes settlements with two companies with data breaches in 2009.
Hallmark may need new BI tools to support an ambitious branding campaign that was recently launched.
HTB22964: XSS in SelectaPix Image Gallery
[USN-1129-1] Perl vulnerabilities
HTB22962: Multiple XSS in YaPiG
HTB22963: CSRF (Cross-Site Request Forgery) in SelectaPix Image Gallery
Perl Safe Module 'reval()' and 'rdo()' CVE-2010-1447 Restriction-Bypass Vulnerabilities
Sony executives said an attack on its PlayStation Network systems also exposed data associated with its Online Entertainment division.

Microsoft's plan to put Bing search and maps in BlackBerry mobile devices by the fall holiday season pits Research In Motion and Microsoft against Google in a massive scramble for mobile search customers.
Verizon Wireless, AT&T and T-Mobile are reportedly blocking access to free phone tethering apps on their wireless networks.
[security bulletin] HPSBMA02661 SSRT100408 rev.2 - HP Proliant Support Pack (PSP) Running on Linux and Windows, Remote Cross Site Scripting (XSS), URL Redirection, Information Disclosure
Revised: Portable OpenSSH security advisory: portable-keysign-rand-helper.adv
[USN-1127-1] usb-creator vulnerability
Oracle Sun Solaris CVE-2011-0829 Local Vulnerability
HTB22967: Multiple SQL Injection in Shutter
Oracle has introduced support for Apple's iPad and iPhone as part of a slew of enhancements to its BI (business intelligence) software, the company announced Tuesday.
A California man faces up to five years in prison on music piracy charges.
Seagate said it has broken a previous areal density benchmark with a line of drives that can hold up to 1TB of data per platter.
Apple today refreshed its iMac desktop line, which now sport Intel's second-generation quad-core processors and the new Thunderbolt connectivity technology that debuted in February on the company's MacBook Pro laptops.
How will the hybrid cloud fit into your future infrastructure architecture? Forrester Research's Galen Schreck explains why he envisions three possible scenarios and shares advice on how to prepare.
The U.S. raid that killed terrorist leader Osama bin Laden in Pakistan Sunday also turned up an "intelligence harvest" of computer-based data, according to media reports.

Hackers take advantage of Royal Wedding interest
That is according to security specialist InfoSec London, which recently carried out a survey regarding the use of the nuptials as a front for illegal online activity. Figures from the study showed that 38 per cent of respondents have witnessed the ...

In a world where we share more information online than ever before, it might seem impossible to disappear completely. But Frank Ahearn can help. A professional skip tracer for many years, he tracked down 'missing' persons for clients who were searching for them for legal or financial reasons. His arsenal included use of public records, credit reports, utility bills, criminal background checks, tax information and other revealing documents.
Microsoft will invest in the BlackBerry platform from Research In Motion, becoming the default search provider in BlackBerry browsers and maps, Microsoft CEO Steve Ballmer said during a surprise keynote appearance at BlackBerry World.
IBM plans to introduce technologies from its Watson computer, which beat humans on the game show "Jeopardy," for information-discovery use in enterprises.

Posted by InfoSec News on May 03

By Dan Goodin in San Francisco
The Register
3rd May 2011

As a penetration tester hired to pierce the digital fortresses of
Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has
hacked electronic cash boxes, geologic-survey equipment, and on more
than one occasion, a client's heating, ventilation, and air-conditioning

But one of his most unusual hacks...

Posted by InfoSec News on May 03

By Ted Samson
May 03, 2011

Apple has been cashing in on the increased attention it's garnered from
the business and consumer worlds in recent years. Unfortunately, the
ne'er-do-wells of the technology world continue to step up their
attempts to get a piece of the action, targeting malware squarely at Mac

IT security experts,...

Posted by InfoSec News on May 03

By Jason Schreier
Game Life
May 2, 2011

It’s bad news piled on top of bad news for Sony.

Hackers may have stolen the personal information of 24.6 million Sony
Online Entertainment users, the company said on Monday. More than 20,000
credit card and bank account numbers were also put at risk. This is in
addition to the recent leak of over 70 million accounts...

Posted by InfoSec News on May 03


Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, April 24, 2011

25 Incidents Added.


DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...

Posted by InfoSec News on May 03

US-CERT Current Activity

Osama Bin Laden's Death Email Scams, Fake Antivirus, and Phishing Attack Warning

Original release date: May 2, 2011 at 2:17 pm
Last revised: May 2, 2011 at 2:17 pm

Users should be aware of potential email scams, fake antivirus, and phishing
attacks regarding Osama Bin Laden's death. Email scams may contain links or
attachments that may direct...

Posted by InfoSec News on May 03


The assault force of Navy SEALs snatched a trove of computer drives and
disks during their weekend raid on Osama bin Laden’s compound, yielding
what a U.S. official called “the mother lode of intelligence.”

The special operations forces grabbed personal computers, thumb drives
and electronic equipment during the lightning raid that killed bin...
The 128GB Lexar Echo MX flash drive offers a thousandfold increase in capacity compared with the 128MB USB thumb drives I thought capacious ten years ago. Ain't technology amazing? Of course, flash memory this small isn't cheap--the 128GB Echo MX will set you back a hefty $400 (price as of 5/2/2011). Add in that the online portion of the backup software was problematic in my testing, and the drive's value becomes a big question mark.
While there are plenty of ways to protect your iPad and its data from ne’er do wells, one way is of specific interest to business users: the virtual private network or VPN.
Apple announced a new generation of iMac models, running at speeds up to 3.4 GHz and powered by the next generation of Intel Core i5 and Core i7 processors.
Becoming a manager means bringing a new perspective to everything you do.
Nortel Networks has obtained court approval to accept a $900 million bid from Google for the entirety of its remaining patent portfolio, it said Monday.
Was InfoWorld's article on
The Teredo protocol [1], originally developed by Microsoft but since adopted by Linux and OS X under the name miredo, has been difficult to control and monitor. The protocol tunnels IPv6 traffic from hosts behind NAT gateways inside UDP packets, exposing those hosts via IPv6 and possibly evading commonly used controls like Intrusion Detection Systems (IDS), proxies or other network defenses.
As of Windows 7, Teredo is enabled by default, but inactive [2]. It will only be used if an application requires it. If Teredo is active, ipconfig will return a Tunnel Adapter with an IP address starting with 2001:0:
A Teredo connection in the default configuration starts with the client (your desktop) connecting to a Teredo server on UDP port 3544. Initially, the client and the server perform a handshake to determine the connection parameters and the client's IPv6 address. After the handshake is complete, the connection may be handed off to a relay.
Wireshark and tshark are perfectly capable of detecting and analyzing the initial handshake. However, the actual data connection after the handshake is complete is usually missed, as it may use arbitrary UDP ports. You have to manually determine the UDP ports involved and configure Wireshark (or tshark) to decode the respective traffic as Teredo.

[ tshark too complex?-) ... watch this video to learn how to use Wireshark to do all this ]
Let's look at the respective traffic from a Windows 7 system using tshark (to make this more readable, I replace my local network with x).
First, we have the DNS lookup for the Teredo server (

x.135 - x.2 DNS Standard query A
x.2 - x.135 DNS Standard query response CNAME A

Next, Teredo goes through its setup procedure. tshark will show this as IPv6 traffic by default, but it is really IPv6 encapsulated in IPv4/UDP. The traffic will be directed at the Teredo server at, so we can use as filter

tshark -r teredo.pcap -R ''

fe80::ffff:ffff:fffe - ff02::2 ICMPv6 Router solicitation
fe80::8000:f227:bec8:6189 - fe80::ffff:ffff:fffe ICMPv6 Router advertisement
2001::4137:9e76:1488:16cf:aabb:ccdd - 2001:4860:8003::93 Teredo Direct IPv6 Connectivity Test
2001::4137:9e76:1488:16cf:aabb:ccdd - 2001:4860:8003::93 Teredo Direct IPv6 Connectivity Test
2001::4137:9e76:1488:16cf:aabb:ccdd - 2001:4860:8003::93 Teredo Direct IPv6 Connectivity Test
2001::4137:9e76:1488:16cf:aabb:ccdd - 2001:4860:8003::93 Teredo Direct IPv6 Connectivity Test
fe80::98f4:bbf1:cf8c:1c - 2001::4137:9e76:1488:16cf:aabb:ccdd IPv6 IPv6 no next header

The router advertisement packet is actually a bit more complex. It includes a Teredo header indicating the source from which the Teredo server received the packet. The complete packet consists of

IPv4 Header
UDP Header
Teredo Authentication Header
Teredo Origin Header
IPv6 Header
ICMPv6 Header
Router Advertisement

Using tshark in verbose mode yields all the details (only the Teredo headers are shown. My public IPv4 address is obfuscated):

Teredo Authentication header
Client identifier length: 0
Authentication value length: 0
Nonce value: 027ed9846d66944e
Confirmation byte: 00
Teredo Origin Indication header
Origin UDP port: 59696
Origin IPv4 address: a.b.c.d (a.b.c.d)

The initial router advertisement advertises the network prefix to use, which is derived from the Teredo server's IPv4 address. In this case, the subnet is 2001:0:4136:9e76::/64. 0x41 0x36 0x9e 0x76 is our Teredo server's IPv4 address ( and the router lifetime is set to infinite. Using the prefix and the Teredo Origin Indication header, our host knows everything it needs to know to assemble its Teredo IPv6 address.
The connectivity test is just a simple ICMPv6 echo request.
Finally, the packet labeled "IPv6 no next header" above is actually interesting for its Teredo header. It includes a Teredo Origin Indication header, which directs us to a different server. Teredo servers typically only deal with the initial connection setup and then hand us over to a different server (a relay) to actually send data. In our case, this header looks like:

Teredo Origin Indication header
Origin UDP port: 3545
Origin IPv4 address: (
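To make the address assembly and the header layout concrete, here is an added Python example (not code from the diary, from Wireshark or from Microsoft) that decodes a Teredo address into its server, flags, port and client fields, rebuilds it the way the client does from the advertised prefix plus the Origin Indication header, and walks the Authentication and Origin Indication headers at the front of a UDP payload. The address and nonce are the ones shown in the tshark output above (the client half, aabb:ccdd, is the author's obfuscation); the origin IPv4 address 192.0.2.10 is a TEST-NET placeholder for the obfuscated a.b.c.d, and the sample payload is constructed rather than captured. One cross-check the page supports: the port recovered from the address, 59696, is the same Origin UDP port that appears in the router advertisement dump.

```python
import ipaddress
import struct

# Constructed sample input (not from the diary's capture): the Teredo address from
# the tshark output above; the client half (aabb:ccdd) is the author's obfuscation.
SAMPLE_TEREDO_ADDR = "2001:0:4137:9e76:1488:16cf:aabb:ccdd"
SAMPLE_NONCE = bytes.fromhex("027ed9846d66944e")   # nonce shown in the auth header dump
SAMPLE_ORIGIN_IPV4 = "192.0.2.10"                   # TEST-NET placeholder for a.b.c.d
SAMPLE_ORIGIN_PORT = 59696                          # origin UDP port from the dump

TEREDO_PREFIX = b"\x20\x01\x00\x00"   # 2001:0::/32


def decode_teredo_address(addr):
    """Split a Teredo IPv6 address into its RFC 4380 fields.

    Layout: 2001:0000 | server IPv4 (32 bits) | flags (16) | port XOR 0xffff (16)
            | client IPv4 XOR 0xffffffff (32).
    """
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:4] != TEREDO_PREFIX:
        raise ValueError("%s is not inside 2001:0::/32" % addr)
    server = ipaddress.IPv4Address(raw[4:8])
    flags, obfuscated_port = struct.unpack("!HH", raw[8:12])
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return {
        "server": str(server),
        "flags": flags,
        "cone": bool(flags & 0x8000),   # cone bit; Windows also sets random low bits
        "port": obfuscated_port ^ 0xFFFF,
        "client": str(client),
    }


def build_teredo_address(server_ipv4, client_ipv4, client_port, flags=0):
    """Assemble the address the client forms from the advertised prefix (which
    carries the server IPv4) and the Origin Indication header (the client's own
    mapped IPv4 address and UDP port as seen by the server)."""
    raw = (TEREDO_PREFIX
           + ipaddress.IPv4Address(server_ipv4).packed
           + struct.pack("!HH", flags, client_port ^ 0xFFFF)
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client_ipv4).packed))
    return str(ipaddress.IPv6Address(raw))


def parse_teredo_headers(payload):
    """Walk the optional Teredo headers at the start of a UDP payload.

    Authentication header: 0x0001, id_len, au_len, client id, auth value,
    8-byte nonce, confirmation byte.  Origin Indication header: 0x0000,
    port XOR 0xffff, IPv4 XOR 0xffffffff.  Returns (auth, origin, ipv6_packet);
    the loop stops at the first two bytes that are not a header marker, which
    for an IPv6 packet is 0x60xx (version nibble 6).
    """
    auth = origin = None
    off = 0
    while off + 2 <= len(payload):
        marker = struct.unpack_from("!H", payload, off)[0]
        if marker == 0x0001:
            id_len, au_len = payload[off + 2], payload[off + 3]
            p = off + 4
            client_id, p = payload[p:p + id_len], p + id_len
            auth_value, p = payload[p:p + au_len], p + au_len
            nonce, p = payload[p:p + 8], p + 8
            auth = {"client_id": client_id.hex(), "auth_value": auth_value.hex(),
                    "nonce": nonce.hex(), "confirmation": payload[p]}
            off = p + 1
        elif marker == 0x0000:
            obf_port, obf_ip = struct.unpack_from("!HI", payload, off + 2)
            origin = {"port": obf_port ^ 0xFFFF,
                      "addr": str(ipaddress.IPv4Address(obf_ip ^ 0xFFFFFFFF))}
            off += 8
        else:
            break
    return auth, origin, payload[off:]


def build_sample_payload():
    """Constructed UDP payload mirroring the 'IPv6 no next header' packet:
    Authentication header + Origin Indication header + bare IPv6 header
    (next header 59 = no next header)."""
    auth = struct.pack("!HBB", 0x0001, 0, 0) + SAMPLE_NONCE + b"\x00"
    origin = struct.pack("!HHI", 0x0000, SAMPLE_ORIGIN_PORT ^ 0xFFFF,
                         int(ipaddress.IPv4Address(SAMPLE_ORIGIN_IPV4)) ^ 0xFFFFFFFF)
    src = ipaddress.IPv6Address("fe80::ffff:ffff:fffe").packed
    dst = ipaddress.IPv6Address(SAMPLE_TEREDO_ADDR).packed
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst
    return auth + origin + ipv6


if __name__ == "__main__":
    print(decode_teredo_address(SAMPLE_TEREDO_ADDR))
    auth, origin, ipv6 = parse_teredo_headers(build_sample_payload())
    print(auth, origin, len(ipv6))
```

The decode step is the useful one for a defender: any 2001:0::/32 address that shows up in a proxy, firewall or IDS log can be translated back into the server it was obtained from and the public IPv4 address and UDP port of the client behind the NAT, which is exactly the context the tunnel otherwise hides from those controls.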

Now our connection switches to this server (and port) to continue. One tshark command that finds this packet and extracts the new destination address and port (again: a.b.c.d is our public IPv4 address; we have to exclude it to eliminate the origin headers sent as part of the connection setup):

tshark -r teredo.pcap -T fields -e teredo.orig.port -e teredo.orig.addr -R 'teredo.orig.port && !(teredo.orig.addr == a.b.c.d)'
And we can use this information to have tshark decode the remaining Teredo traffic for us:

tshark -r teredo.pcap -d udp.port==3545,teredo -R ''

or extract the IPv6 packet data in hexadecimal:

tshark -e data -T fields -r teredo.pcap -R ' and udp.port==3545'



Also see

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
So far, we have seen very little Osama Bin Laden themed malware. The most prominent case, which was discussed by a number of sites, took advantage of Facebook.
The page asks the user to copy / paste JavaScript into the URL bar. This technique isn't new, and it is still amazing what people will do to watch videos. The JavaScript will... you guessed it... load more JavaScript.
Here is a quick rundown of what the JavaScript does:
- Send a message "See the Osama Bin Laden EXECUTION Video!" (full URL omitted)

- add a message to your status pointing to the video
Some of the domain names and IP addresses involved in this scam:
- (see code below)

- and (URL shorteners used by the scam; not all URLs at these domains are malicious)

- (tries to download a file called laden.png. However, this file no longer appears to be available)

- (a non-malicious newspaper site, only used to download a "Loading" indicator)

- (hosting an HTML page shown after the script runs)


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Motorola Solutions Tuesday unveiled four 802.11 access points and a wireless LAN controller based on its WiNG 5 architecture.
Mobile data users still overwhelmingly prefer USB modems for keeping PCs and other devices connected on the go, but they may turn more to built-in cellular radios and portable Wi-Fi hotspots over the next five years, according to ABI Research.
libxslt 'generate-id()' Function Information Disclosure Vulnerability
Mozilla Firefox/SeaMonkey CVE-2011-0066 Memory Corruption Vulnerability
Mozilla Firefox/SeaMonkey CVE-2011-0073 Memory Corruption Vulnerability
Police in South Korea said they raided Google's Korea head office in Seoul on Tuesday on suspicion that the subsidiary of the search engine company had illegally collected location data from application subscribers.
Can a chief information security officer (CISO) help prevent the kind of massive data breach that occurred in the Sony PlayStation network breach last month in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?
Hard-dollar ROI savings on desktop virtualization haven't yet materialized for The Co-operative Group, but the grocer should realize them by the end of the second year, after full migration.
Businesses are finding that the benefits of hosted virtual desktops are more nuanced than those for server virtualization. The advantages may be harder to quantify and harder to justify based purely on traditional ROI calculations. Here's an in-depth look at what you need to know.

Interview: John Colley of (ISC)²
Infosecurity Magazine
You'd be hard pressed to find anyone in the UK infosec industry who doesn't know of John Colley. He is to infosec what Simon Cowell is to the music industry – a true figurehead (albeit, less scary). He doesn't attribute his high profile to his ...

Web Auction 'lang' Parameter Cross Site Scripting Vulnerability
