
InfoSec News

Ruby on Rails Cross Site Scripting and Cross Request Forgery Vulnerabilities
 
Ruby on Rails Security Bypass and SQL Injection Vulnerabilities
 
rsync Client Incremental File List Remote Memory Corruption Vulnerability
 
Last week, Epsilon Interactive said it leaked a huge cache of names and email addresses. Some say it is the largest breach ever involving this kind of data. Epsilon is downplaying it. How will you respond to the breach?
 
A server breach at Epsilon Interactive exposed the names and email addresses of millions of people. This explainer tells what happened and how you can protect yourself.
 
It was only a drill, but Verizon Communications' emergency response team brought in its serious equipment for a hazardous materials test in Cockeysville, Maryland, Monday and Tuesday.
 
The ever-growing number of non-relational, or NoSQL, databases needs standardization in order to thrive, two Microsoft researchers assert.
 
In a university environment, there is no time for the network to go down. The students and faculty at SUNY Old Westbury, a university located on Long Island, New York, demand 24-7 access to the internet, both on and off campus. And, of course, it isn't enough to simply keep things running; they need to be protected, too.
 
Lawson Software will soon release a specialized analytics application for health care organizations, which make up a significant portion of the ERP (enterprise resource planning) vendor's customer base.
 
Intel may have released 32-nanometer chips first, but rival Advanced Micro Devices has followed suit and is looking to make up some ground.
 

Botnet removal: Detect botnet infection and prevent re-infiltration
SearchSecurity.com
Most of the day-to-day security problems enterprise infosec pros spend their time dealing with -- infected endpoints, spam onslaughts and data leaks or losses -- are caused, at least in part, by botnets. In this tip, we'll briefly discuss how botnets ...

 
VMware has added another cloud service to its lineup, hiring Mozy's workers and acquiring its assets.
 
The disaster in Japan may lead to an increase in worldwide semiconductor revenue, according to analysts.
 
Gen Y workers are the lazy, entitled ones giving IT the headaches with all that bring-your-own technology, right? Think again. New Forrester research finds that Gen Y isn't all that different from Gen X in its views of IT.
 
A federal judge has tossed a $625.5 million patent infringement judgment against Apple, discarding a 2010 jury verdict that said the company violated patents in its iPhone, iPod, iPad and Mac OS X.
 
A recent article [1] describes a rather neat variation on using fake router advertisements against IPv6-capable hosts to intercept traffic, including tricking hosts into using IPv6 to reach systems that are normally not reachable via IPv6.
First, let's start with the old part of this attack: fake router advertisements. IPv6 relies a lot more on autoconfiguration than IPv4. While techniques like zero configuration can be used in IPv4, we usually find DHCP used to configure IPv4 networks. In IPv6, routers are typically used to configure a network via router advertisements: a router advertises which network it is willing to route, and hosts connected to the router pick an address within this network.
In short, router advertisements can be considered a "DHCP lite" for IPv6. If I introduce a fake router, I get the same effect as I would get from a fake DHCP server in IPv4. However, as only a few networks implement IPv6, a fake IPv6 router is likely to be the only IPv6 router, and hosts which so far had no connectivity to the IPv6 internet will now use this fake router to connect. Fake router advertisement tools are very common; we actually play with one in my IPv6 class (fake_router6 from the THC kit).
Big deal. There are not a lot of IPv6 sites, so why should I care? The reason you may need to care is a protocol called NAT-PT. NAT-PT is an experimental protocol used to connect IPv6-only networks to the legacy IPv4 network. It works by returning IPv6 addresses for DNS lookups that would otherwise only return IPv4 addresses. Once a host connects to this mapped IPv6 address, the NAT-PT router translates the IPv6 connection to an IPv4 connection, much like the IPv4-to-IPv4 NAT we are used to.
By combining fake router advertisements with NAT-PT, the attacker has the ability to intercept traffic that would normally use IPv4. To make things more interesting, if a host has both IPv6 and IPv4 connectivity, the IPv6 connection is preferred, which makes this attack work even better.
What are the workarounds? How do you defend?
- IPv6 is a wonderful protocol. But if you don't need it: turn it off. If you need it, then monitor and defend it like IPv4.

- The attack does require layer 2 access. Physical access to your network should be restricted.

- If you use an open network (e.g. public wifi), use encryption to protect yourself (SSL, IPsec). In this case the attack is no more dangerous than other layer 2 attacks.
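The "monitor and defend it like IPv4" advice above can be made concrete. The following is an added example (not code from the diary or from the THC kit): a parser that pulls the prefix options out of ICMPv6 Router Advertisements and flags any RA whose source MAC or advertised prefix is not on an allowlist, plus the RFC 4861 sanity checks (link-local source, hop limit 255). The router MAC, the prefixes and the sample frames are constructed for the demonstration, and nothing is transmitted.

```python
"""Flag rogue IPv6 Router Advertisements (ICMPv6 type 134) in raw Ethernet frames.
Added example with constructed input; nothing is sent on the wire."""
import ipaddress
import struct

ETHERTYPE_IPV6 = b"\x86\xdd"
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3

def parse_ra(frame: bytes):
    """Return the RA fields of an Ethernet/IPv6/ICMPv6 frame, or None if it is not an RA."""
    if len(frame) < 14 + 40 + 16 or frame[12:14] != ETHERTYPE_IPV6:
        return None
    ip, icmp = frame[14:54], frame[54:]
    if ip[6] != NEXT_HEADER_ICMPV6 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    prefixes, off = [], 16  # 16-byte fixed RA header, then options in 8-byte units
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            break  # zero-length option is malformed (RFC 4861); stop parsing
        opt = icmp[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(opt) >= 32:  # prefix sits at bytes 16..31
            prefixes.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        off += olen * 8
    return {"src_mac": frame[6:12].hex(":"), "src_ip": ipaddress.IPv6Address(ip[8:24]),
            "hop_limit": ip[7], "prefixes": prefixes}

def check_ra(ra, allowed_macs, allowed_prefixes):
    """Return policy findings for one parsed RA; an empty list means it matches policy."""
    findings = []
    if ra["src_mac"] not in allowed_macs:
        findings.append(f"RA from unexpected router MAC {ra['src_mac']}")
    if not ra["src_ip"].is_link_local:
        findings.append(f"RA source {ra['src_ip']} is not link-local")
    if ra["hop_limit"] != 255:  # RFC 4861: RAs must arrive with hop limit 255
        findings.append(f"hop limit {ra['hop_limit']} is not 255")
    findings += [f"unexpected prefix {n} advertised" for n in ra["prefixes"] if n not in allowed_prefixes]
    return findings

def audit(frames, allowed_macs, allowed_prefixes):
    """Map source MAC -> findings for every RA in frames that violates the allowlists."""
    ras = [ra for ra in map(parse_ra, frames) if ra is not None]
    return {ra["src_mac"]: f for ra in ras if (f := check_ra(ra, allowed_macs, allowed_prefixes))}

def _sample_ra_frame(src_mac: bytes, src_ip: str, prefix: str) -> bytes:
    """Build a minimal RA frame as constructed test input (ICMPv6 checksum left zero)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    icmp += opt + net.network_address.packed
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return b"\x33\x33\x00\x00\x00\x01" + src_mac + ETHERTYPE_IPV6 + ip + icmp

ALLOWED_MACS = {"00:11:22:33:44:55"}                          # assumed legitimate router
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}  # assumed legitimate prefix
SAMPLE_FRAMES = [
    _sample_ra_frame(bytes.fromhex("001122334455"), "fe80::1", "2001:db8:1::/64"),      # legitimate
    _sample_ra_frame(bytes.fromhex("deadbeef0001"), "fe80::bad", "2001:db8:ffff::/64"),  # rogue
]
```

With empty allowlists, as on a segment that is supposed to have no IPv6 router at all, every RA becomes a finding, which is the monitoring counterpart of the "turn it off if you don't need it" advice.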


[1] http://resources.infosecinstitute.com/slaac-attack/
And also see our IPv6 Security Summit in July
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
It's been more than a year since I initially looked at USB 3.0 as it relates to portable external storage, and many more devices have hit the market. More importantly, we're finally seeing some notebooks that include USB 3.0 ports (some call them SuperSpeed ports) on them, eliminating the need for users to connect the drive through an ExpressCard slot.
 
The new version of Microsoft DaRT allows administrators to remotely reboot a desktop computer
 
Intel on Tuesday announced the Xeon E7 series of chips with 10 cores, which the company said could help cut power and maintenance costs in data centers while adding more processing power.
 
Linux Kernel 'ethtool.c' Information Disclosure Vulnerability
 

SailPoint CTO to Speak at CSO Perspectives, InfoSec World and the European ...
SYS-CON Media (press release)
SailPoint's CTO, Darran Rolls, will be discussing how organizations are effectively addressing these challenges at three upcoming key industry conferences: CSO Perspectives, InfoSec World and the European Identity Conference. ...

 
iPhone owners on AT&T experience two-and-a-half times as many dropped calls as users of Apple's smartphone on Verizon, a market research company said today.
 
Nokia Beta Labs has released Drop, an application that allows users to send images and links from a browser to a Symbian smartphone, according to a Tuesday blog post.
 
Novell has released to worldwide general availability its Web-hosted Vibe Cloud enterprise social collaboration suite, which adapts for workplace use a variety of social networking features made popular in consumer-oriented sites like Facebook and Twitter.
 
A crane lifts a huge clump of mud and drops it into a truck. Moments later another truck rolls by carrying the remains of a mangled car. This is the scene at Sony's Sendai Technology Center on the afternoon of April 1, three weeks to the day since a tsunami washed through the area.
 
logrotate Insecure Default File Permissions Information Disclosure Vulnerability
 
logrotate 'shred_file()' Log Filename Command Injection Vulnerability
 
logrotate 'writeState()' Function Logfile Name Local Denial of Service Vulnerability
 
[ MDVSA-2011:065 ] logrotate
 
StartSite.ir Cross-site Scripting Vulnerability
 
[security bulletin] HPSBMA02652 SSRT100432 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Information Disclosure
 
HTB22911: XSS in Eleanor CMS
 
Isis will pilot its mobile commerce program based on Near Field Communications technology in Salt Lake City in early to mid-2012.
 
STEC's new flash products carry a five-year warranty, as they are said to last longer.
 
HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB
 
HTB22914: Local File Inclusion in UseBB
 
Joomla! Prior to 1.5.23 Unspecified Information Disclosure Vulnerability
 
At least 50 banks, retailers and other firms are affected by a major email breach at a Texas-based data management firm that provided marketing email services.

 
phpThumb() 'fltr[]' Parameter Command Injection Vulnerability
 
Micron will begin shipping a new enterprise-class SSD based on the PCIe expansion card standard and the industry's smallest NAND flash circuitry -- 20 nanometers.
 
SugarCRM acquires vendor of customer relationship management software for IBM Lotus Notes, and adds social CRM features for iPad and other devices
 
SNIA plans to add up to six times the number of online video tutorials for storage IT administrators, and it has partnered with CompTIA to distribute its online IT certification courses internationally.
 
A survey of IT managers who attended Storage Networking World showed that 57% plan to deploy a cloud infrastructure over the next couple of years to increase efficiency and agility in deploying services.
 

Windows PCs can be compromised by an IPv6 flaw
Inquirer
Alec Waters of the Infosec Institute showed off a proof of concept attack that targeted Windows 7 systems, but said it could apply in theory to any operating system with IPv6 installed and operational. The attack physically needs rogue hardware, ...

 
AT&T has confirmed that it will boost the price of iPhone upgrades by $50 for customers that haven't reached the end of their contracts starting on Sunday.
 
A survey of IT managers from Storage Networking World showed that 57% plan to deploy a cloud infrastructure over the next couple of years to increase efficiency and agility in deploying services.
 
InfoSec News: Hacker erased a season's worth of 'Zodiac Island': http://www.latimes.com/entertainment/sns-rt-television-us-zodiactre72u7xk-20110331,0,7230801.story
By Eriq Gardner Hollywood Reporter Los Angeles Times March 31, 2011
New York -- The producer of the syndicated children's TV series "Zodiac Island" claims that an entire season of the show has been wiped out thanks to a fired employee at its data-hosting company who hacked into networked computers and destroyed its work.
"Zodiac Island" has run on more than 100 U.S. TV stations around the country, including ABC, NBC, Fox, and CBS affiliates. The show is produced by Hawaii-based WER1 World Network, which signed up with Wisconsin-based ISP and data-hosting company, CyberLynk.
According to a lawsuit that was filed last week in Hawaii District Court, a man named Michael Scott Jewson was terminated from CyberLynk.
[...]
intentionally wiped it out. Jewson is alleged to have been charged in February with a federal computer crime violation and admitted his guilt in a plea agreement.
The data breach allegedly knocked out 6,480 WER1 electronic files, or 300 gigabytes of data, comprising two years of work from hundreds of contributors globally, including animation artwork and live action video production.
[...]
 
InfoSec News: About 50 clients hit by Epsilon e-mail marketing breach: http://www.computerworld.com/s/article/9215488/About_50_clients_hit_by_Epsilon_e_mail_marketing_breach
By Robert McMillan IDG News Service April 4, 2011
About 50 companies were affected by a major security breach at e-mail service provider Epsilon Interactive that caused many U.S. [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, March 27, 2011:
Open Security Foundation - DataLossDB Weekly Summary, Week of Sunday, March 27, 2011
40 Incidents Added.
[...]
 
InfoSec News: Comodo hacker says he's protesting U.S. policy: http://news.cnet.com/8301-31921_3-20050581-281.html
By Declan McCullagh Privacy, Inc. CNET News April 4, 2011
After a hacker obtained fraudulent digital certificates that could be used to impersonate Google, Yahoo, Skype, and other major Web sites, the [...]
 
InfoSec News: Bank Fraud Continues To Plague Businesses, Study Says: http://www.darkreading.com/smb-security/167901073/security/news/229400830/bank-fraud-continues-to-plague-businesses-study-says.html
By Tim Wilson Darkreading April 04, 2011
Business banking fraud -- particularly in small and midsize companies -- is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The "2011 Business Banking Trust Study," a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year's numbers suggest that the banking fraud situation has not improved since 2010.
"The industry has not moved the needle in addressing the corporate account takeover and fraud plaguing SMBs and their financial institutions," the report states. "The data shows that fraud is still pervasive, money is leaving accounts unnoticed at an alarming rate, and businesses will leave their banks because of it."
Fifty-six percent of businesses experienced fraud in the past 12 months, according to the study. Of those that experienced fraud, 61 percent were victimized more than once. Seventy-five percent of the victims experienced online account takeover and/or online fraud. These figures are nearly the same as last year's, the researchers say.
[...]
 
InfoSec News: Former Gucci Employee Charged in Computer Hacking Case: http://online.wsj.com/article/SB10001424052748703712504576243312850500374.html
By Chad Bray The Wall Street Journal April 5, 2011
NEW YORK -- A former Gucci America Inc. computer network engineer was charged with remotely taking over the company's computers, shutting down [...]
 
InfoSec News: [HITB-Announce] HITBSecConf2011 - Malaysia Call for Papers Now Open: Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>
The Call for Papers for the 9th annual HITBSecConf in Malaysia is now open! The event takes place from the 10th - 13th of October at the new Intercontinental Kuala Lumpur.
As always, the first two days will be dedicated to hands-on technical training sessions, followed by a 2-day quad-track conference featuring keynote speakers Kenneth Geers (CCD CoE) and Jennifer Granick (Attorney, Zwilinger Genetski LLP).
This year's conference will also feature a brand new attack-only Capture The Flag - Tower of Hackf00 Madness, an updated lock picking village set up and run by members from TOOOL US (now includes impressioning!), an industry exhibition and technology showcase and, last but not least, the HITB Labs and SIGINT sessions.
==
As always, talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before.
Submissions are due _no later than 15th July 2011_ HITB CFP: http://cfp.hackinthebox.org/
===
Topics of interest include, but are not limited to the following:
- Cloud Security
- 3G/4G/WIMAX Security
- File System Security
- SS7/GSM/VoIP Security
- Smart Card and Physical Security
- Network Protocols, Analysis and Attacks
- Applications of Cryptographic Techniques
- Side Channel Analysis of Hardware Devices
- Data Recovery, Forensics and Incident Response
- Analysis of Malicious Code / Viruses / Malware
- Windows / Linux / OS X / *NIX Security Vulnerabilities
- Next Generation Exploit and Exploit Mitigation Techniques
- WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
Each non-resident speaker will receive accommodation for 3 nights / 4 days and travel reimbursement up to EUR1200.00.
Your submission will be reviewed by The HITB CFP Review Committee which includes:
- Charlie Miller (Principal Analyst, Independent Security Evaluators)
- Jeremiah Grossman (Founder, Whitehat Security)
- Red Dragon Thanh (THC, VNSECURITY, Intel Corp)
- Mark Curphey (Director, Microsoft Corp)
- Cesar Cerrudo (Founder / CEO ArgenISS)
- Saumil Shah (Founder CEO Net-Square)
- Shreeraj Shah (Founder, BlueInfy)
- Fredric Raynal (Sogeti/Cap Gemini)
- Robert Hansen (rsnake) (SecTheory)
- Alexander Kornburst (Red Database)
- Emmanuel Gadaix (Founder, TSTF)
- Andrea Barisani (Inverse Path)
- Ed Skoudis (InGuardians)
- Haroon Meer (Thinkst)
- Chris Evans (Google)
- Philippe Langlois (TSTF)
- Skyper (THC)
NOTE: We do not accept product or vendor related pitches. If you would like to showcase your company's products or technology, please contact us for further participation opportunities.
===
Event Website: http://conference.hackinthebox.org/hitbsecconf2011kul/
We look forward to receiving your submissions and to seeing you in Malaysia in October (or in May at HITB2011AMS!)
- The HITB.my Team
Tel: +603-20394724 Fax: +603-20318359
 
Another DDoS slipped by almost unnoticed (thanks Arnt). A report in Datanews (http://datanews.rnews.be/nl/ict/nieuws/nieuwsoverzicht/2011/04/04/botnet-viseert-belgie/article-1194984299269.htm# in Dutch) mentions that the .be domain was under attack last Sunday. Requests were being made to the servers for MX records of other domains. The .be name servers do not hold this information and correctly responded. However, the end result was that two of the eight servers were overloaded. Even if the other servers had been overloaded too, the TLD is anycast hosted and another 41 or so servers could jump into action. Hence the attack went largely unnoticed by the public.
Mark H (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Anonymous group is currently utilising LOIC to DDoS Sony infrastructure. It seems to be partially successful, with a few Sony sites being unavailable at the moment.
Mark H (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Data threats spur demand for security
Omaha World-Herald
With increasing reports of big companies such as Google, DuPont, GE and Johnson & Johnson being targeted by hackers, the “infosec” career field is growing “as fast as online computing is expanding,” said Weaver, 33. As new technologies spread, ...

 

Posted by InfoSec News on Apr 04

http://www.computerworld.com/s/article/9215488/About_50_clients_hit_by_Epsilon_e_mail_marketing_breach

By Robert McMillan
IDG News Service
April 4, 2011

About 50 companies were affected by a major security breach at e-mail
service provider Epsilon Interactive that caused many U.S. corporations
to warn their customers of online attacks Monday.

Epsilon first warned of the incident Friday, saying that someone had got
into company systems and...
 

Posted by InfoSec News on Apr 04

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, March 27, 2011

40 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Apr 04

http://news.cnet.com/8301-31921_3-20050581-281.html

By Declan McCullagh
Privacy, Inc.
CNET News
April 4, 2011

After a hacker obtained fraudulent digital certificates that could be
used to impersonate Google, Yahoo, Skype, and other major Web sites, the
security company that issued them blamed the Iranian government.

There is only "one conclusion," Comodo, the Jersey City, N.J.-based
issuer of digital certificates said in a report...
 

Posted by InfoSec News on Apr 04

http://www.darkreading.com/smb-security/167901073/security/news/229400830/bank-fraud-continues-to-plague-businesses-study-says.html

By Tim Wilson
Darkreading
April 04, 2011

Business banking fraud -- particularly in small and midsize companies --
is still causing major problems for both the businesses and the banks
that serve them, according to a study published today.

The "2011 Business Banking Trust Study," a follow-up to a...
 

Posted by InfoSec News on Apr 04

http://online.wsj.com/article/SB10001424052748703712504576243312850500374.html

By Chad Bray
The Wall Street Journal
April 5, 2011

NEW YORK -- A former Gucci America Inc. computer network engineer was
charged with remotely taking over the company's computers, shutting down
servers and deleting emails, Manhattan prosecutors said on Monday.

Sam Chihlung Yun, 34 years old, allegedly created an account in the name
of a fictional employee...
 

Posted by InfoSec News on Apr 04

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

The Call for Papers for the 9th annual HITBSecConf in Malaysia is now
open! The event takes place from the 10th - 13th of October at the new
Intercontinental Kuala Lumpur.

As always the first two days will be dedicated to hands on technical
training sessions followed by a 2-day quad track conference featuring
keynote speaker Kenneth Geers (CCD CoE) and Jennifer Granick...
 

Posted by InfoSec News on Apr 04

http://www.latimes.com/entertainment/sns-rt-television-us-zodiactre72u7xk-20110331,0,7230801.story

By Eriq Gardner
Hollywood Reporter
Los Angeles Times
March 31, 2011

New York -- The producer of the syndicated children's TV series "Zodiac
Island" claims that an entire season of the show has been wiped out
thanks to a fired employee at its data-hosting company who hacked into
networked computers and destroyed its work....
 

