InfoSec News

ISC BIND 9 Unspecified Packet Processing Remote Denial of Service Vulnerability
 
I recently had a routine "can you help our business partner" type call from a client. Their business partner could receive email from them, but could not send email to them.
After a bit of digging in the SMTP headers of a failed note, it turned out that the business partner was running a very old version of qmail, which has a problem with ESMTP and with DNS responses larger than 512 bytes. My client (the destination for the email) had recently moved to an email scanning service, so the total response to an MX record request was well over 1.5 KB.
So far, not so exciting, you say - patch the server and be done with it! So why am I writing this up on isc.edu?
This is where it gets interesting. I called the business partner, and their verbatim response was: "Gee, I don't know. Applying that patch will involve taking the mail server down, our CEO won't approve that. Is there some other way to do this?"
Wait, what? Did I hear that right? Let me check my watch - what century is this again? This is a patch from 2007, for goodness' sake! I can see needing to follow a change control procedure, schedule an outage, maybe for after-hours, but they are an application development shop, not the Department of Defense! If they're running a mail system that hasn't been patched in 4 years, chances are that someone else already owns them, and they've got bigger problems than just this.
Anyway, after a frank and honest (and tactful, though that part was a bit more difficult) discussion, they did apply the needed patch, along with a truckload of other system updates that had been delayed since forever.
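To make the DNS side of this concrete, here is an added example (mine, not from this diary and not qmail's code). It builds the MX answer a recursive resolver would hand back for a domain, first with two MX hosts of its own and then after the domain has moved inbound mail to a scanning service with ten MX hosts, and then models a resolver that still assumes the classic 512-byte DNS/UDP limit of RFC 1035 and speaks no EDNS0. The domain, hosts, addresses and both record sets are constructed for illustration; a real answer uses name compression and would be somewhat smaller, but the scanning-service case still lands well over the limit.

```python
"""
Added example, not code from this diary and not qmail's: model the failure
described above, a mail server whose resolver still assumes the classic
512-byte DNS/UDP limit (RFC 1035 section 4.2.1, lifted only by EDNS0, RFC 6891)
being handed the MX answer of a domain fronted by a mail-scanning service.
Every domain, host, address and record set below is constructed for illustration.
"""
import struct

CLASSIC_UDP_LIMIT = 512          # largest DNS/UDP payload a non-EDNS resolver accepts
TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, off):
    """Parse a (possibly compressed) name at data[off]; return (name, next_off).
    Raises ValueError if the name runs past the end of the buffer."""
    labels, jumped, next_off, hops = [], False, off, 0
    while True:
        if off >= len(data):
            raise ValueError("name runs past end of buffer")
        n = data[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(data) or hops > 16:
                raise ValueError("bad compression pointer")
            if not jumped:
                next_off = off + 2
            off, jumped, hops = ((n & 0x3F) << 8) | data[off + 1], True, hops + 1
            continue
        if off + 1 + n > len(data):
            raise ValueError("label runs past end of buffer")
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), (next_off if jumped else off)


def build_mx_response(qname, mx_records, ttl=300, txid=0x1234):
    """Build the response a recursive resolver returns for 'qname MX': one MX RR
    per (preference, host) in the answer section plus the A record of each host
    in the additional section. Names are not compressed, so the size is an
    upper bound on what a real server would send."""
    n = len(mx_records)
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, n, 0, n)   # flags: QR, RD, RA
    msg += encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    for pref, host in mx_records:
        rdata = struct.pack("!H", pref) + encode_name(host)
        msg += encode_name(qname) + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata
    for i, (_, host) in enumerate(mx_records):
        addr = bytes([192, 0, 2, (i + 1) % 256])              # TEST-NET-1, constructed
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + addr
    return msg


def needs_edns(response):
    """True if the answer cannot reach a non-EDNS resolver over UDP in one piece."""
    return len(response) > CLASSIC_UDP_LIMIT


def legacy_mx_lookup(response):
    """Model a resolver with a fixed 512-byte buffer: bytes past the limit are gone.
    Returns the [(preference, host), ...] list it parses, or None when the header
    promises more answers than the buffer holds, i.e. the lookup fails."""
    data = response[:CLASSIC_UDP_LIMIT]
    try:
        _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
        off = 12
        for _ in range(qdcount):
            _, off = decode_name(data, off)
            off += 4                                          # QTYPE + QCLASS
        found = []
        for _ in range(ancount):
            _, off = decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if off + rdlen > len(data):
                raise ValueError("rdata runs past end of buffer")
            if rtype == TYPE_MX:
                pref = struct.unpack("!H", data[off:off + 2])[0]
                host, _ = decode_name(data, off + 2)
                found.append((pref, host))
            off += rdlen
        return found
    except (struct.error, ValueError):
        return None


# Constructed record sets: the domain with two MX hosts of its own, and the same
# domain after moving inbound mail to a hosted scanning service with ten MX hosts.
DIRECT_MX = [(10, "mail1.example.com"), (20, "mail2.example.com")]
SCANNED_MX = [(10 * (i + 1), "mx%02d.inbound.scan-service.example" % (i + 1)) for i in range(10)]

if __name__ == "__main__":
    for label, records in (("direct", DIRECT_MX), ("scanning service", SCANNED_MX)):
        resp = build_mx_response("example.com", records)
        print("%-17s %4d bytes  needs EDNS0: %-5s  legacy resolver gets: %s"
              % (label, len(resp), needs_edns(resp), legacy_mx_lookup(resp)))
```

The two-host answer fits in 183 bytes and parses cleanly; the ten-host answer is over 1 KB, and the 512-byte resolver parses eight of the ten promised MX records before the ninth runs off the end of its buffer, so the whole lookup fails. On a real domain the equivalent check is `dig +noedns +ignore MX yourdomain.example`: with EDNS0 disabled and truncation not retried over TCP, a `tc` flag in the answer is exactly the condition the partner's old qmail was tripping over.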
I've encountered a few situations where it makes some sense for system admins to defer patching for extended periods of time:
Servers that support military personnel in active operations are often mandated by policy as frozen. In our current global environment, these freeze periods can extend into months and years.
Servers that support long-range space exploration missions will often end up running operating systems that are no longer supported, on hardware that has been end-of-lifed years ago, or on hardware or OSes that were one-shot custom efforts. In cases like this, the hardware is generally air-gapped or otherwise isolated from sources of attack.
Some servers in support-challenged situations might also be frozen for specified periods of time - if I remember correctly, the servers in some of the Antarctic missions (really, no pun!) are in this category. (If I'm mistaken on this example, I know that the sysadmin for those systems is a reader, please correct me!)

So the question I have for our readers is: What situations or applications have you seen that might defer patches and updates for extended periods of time? Did you consider those reasons or policies to be legitimate? Did you come up with a compromise or workaround to get patches applied, or did you have to follow policy and not apply updates? Did this end up with a system compromise, and if so, did the policy protect the system administrator, or did they end up taking the blame anyway?
I'm really looking forward to feedback from our readers on this, please use the contact form to let us know what you've seen!

===============
Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Last week, Facebook CEO Mark Zuckerberg said that his company will be "launching something awesome" on Wednesday. Little additional information is available about what it could be, although we can take some educated guesses based on Facebook's priorities and plans.
 
Oracle Java SE and Java for Business CVE-2011-0814 Remote Java Runtime Environment Vulnerability
 
Wish you were on Google's new social networking service, Google+? Well, you're not alone. And some are looking to make a little cash on people's desire to get in to some Google+ circles.
 
Google has asked a California court to throw out the testimony of an expert witness who said Google should pay Oracle as much as US$6 billion for allegedly infringing on Java patents and copyright.
 
Texas Instruments on Tuesday said its OMAP chip had been certified to unlock full 1080p movies from Netflix for smartphones and tablets based on Google's Android 2.3 operating system.
 
Linux Kernel 'execve()' Memory Expansion 'OOM-killer' Local Denial of Service Vulnerability
 
ISC BIND 9 RPZ Configurations Remote Denial of Service Vulnerabilities
 
For multimedia buffs, the XPS 15 (model L502X) is a generally solid addition to Dell's line of consumer laptops with a little added oomph in performance. Even the basic, most inexpensive model--our review unit costs $799--has discrete Nvidia GeForce 525M graphics with 1GB of memory, a 15.6-inch widescreen LED-backlit display, and JBL-designed speakers, all of which make watching videos and listening to music quite delightful; it also produced better-than-average scores on our gaming tests, compared with other laptops at this cost level.
 
Thirty-eight percent of all smartphone users in the U.S. used Android-based devices in the three months ending in May, ComScore reported.
 
Cloud and SaaS services, more than any other recent development, let business units get exactly the IT they want without having to ask IT first. Here are five creative ways IT can remain relevant, meet business users' needs and keep the enterprise secure in the age of cloud computing.
 
Deloitte Consulting is fighting an attempt by Marin County, Calif., to bring allegations over a failed ERP software project before a jury, calling it a tactical ploy to gain publicity and avoid a skeptical judge.
 
Microsoft today said the coordinated take-down of the Rustock botnet and follow-up efforts had purged the malware from over half of the PCs once controlled by Russian hackers.
 
In another milestone, the White House will hold its first Twitter Town Hall on Wednesday.
 
Google has temporarily suspended its Realtime Search service, and neither Google nor Twitter will say if they're working toward re-establishing an agreement that will have Twitter onboard when the service comes back online.
 
Data reduction software is an essential part of any computer forensics process. Expert Richard W. Walker looks at data reduction software tools and processes and the role they play.

 
A proposal to force employers to use the federal E-Verify system to vet new and current workers has stoked widespread privacy concerns.
 
Gibbs is sold on the iPad.
 
One of Microsoft's hottest new profit centers is a smartphone platform you've definitely heard of: Android.
 
Members of the European Parliament have demanded to know what lawmakers intend to do about the conflict between the European Union's Data Protection Directive and the U.S. Patriot Act.
 
As expected, Verizon Wireless this week will drop unlimited data plans for its smartphone users in favor of a tiered pricing schedule.
 
Mobile broadband startup LightSquared has raised another $265 million that it can use for building its 4G LTE network, despite the uncertainty of that network being approved by the FCC.
 
Name: Venkat Prabhala
 
SAP's Business One suite for small businesses will now be available in a new subscription-based, hosted offering through SAP partners, the company announced.
 
Server virtualization is being deployed on an almost universal basis to reduce costs and fully utilize data center resources. With the progression to powerful multi-core servers, greater memory capacities and higher bandwidth network pipes, it has become necessary to rethink I/O optimization.
 
The latest version of the MacBook Air, the release of which is rumored to be imminent, will feature Toggle DDR 2.0 flash memory with up to 400Mbps performance.
 
 

Infosecurity Europe Joins Forces with Infosecurity Magazine & Online News Site ...
Infosecurity Magazine
For further information please visit www.infosec.co.uk Infosecurity Magazine is devoted to the strategy and technique of Information Security and it is distributed to IT security professionals in the UK and US. Editorial coverage includes all the top ...

 
Microsoft is set to retire 2001's Office XP and the first service pack for Windows Vista next week.
 
Hewlett-Packard announced its "most compact" multifunction laser printer, which prints documents from smartphones and tablets.
 
News Script PHP 'fckeditor' Arbitrary File Upload Vulnerability
 
vsftpd Compromised Source Packages Backdoor Vulnerability
 
Bad habits picked up on the job may be keeping you from being as productive and effective as you'd like. Here's how to change your ways.
 
Get used to it: Malware can't be completely blocked or eliminated. But you can manage your PCs, mobile devices, and networks to function despite being infected.
 
It may be just days before Apple releases Mac OS X 10.7, known as Lion, but you can prep your Mac now to make the upgrade go faster and more smoothly.
 
Sorinara Streaming Audio Player '.m3u' File Remote Stack Buffer Overflow Vulnerability
 
Joomla! 'com_jr_tfb' Component 'controller' Parameter Local File Include Vulnerability
 
A new publication from the National Institute of Standards and Technology (NIST) provides technical guidance to government agencies and other organizations interested in mitigating risks with WiMAX (Worldwide Interoperability for ...
 
Researchers at the National Institute of Standards and Technology (NIST) have released an updated version of a computer system testing tool that can cut costs by more efficiently finding flaws. A tutorial on using the tool accompanies ...
 
This simulation depicts flow in a rheometer, as its rotating vanes blade begins to stir a suspension of particles. Colors represent the quadrant where the particles are initially positioned. Such simulations can be used to link ...
 
The National Institute of Standards and Technology (NIST) has joined in a new public-private partnership to spur cybersecurity innovation in the financial services sector. Through a memorandum of understanding signed on Dec. 6, 2010, ...
 
Two new publications from the National Institute of Standards and Technology (NIST) are intended to help developers of software and computer systems for doctors' offices, clinics, and hospitals improve the ease of use of electronic health ...
 
Two new draft publications from the National Institute of Standards and Technology (NIST) provide the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of ...
 
As the day draws nearer for the world to run out of the unique addresses that allow us to use the Internet-now predicted to happen by the end of 2012-researchers at the National Institute of Standards and Technology (NIST) have issued a ...
 
On Dec. 9, 2010, the National Institute of Standards and Technology (NIST) announced the selection of five finalists in its ongoing competition to select a new cryptographic hash algorithm standard, one of the fundamental security tools ...
 
Palo Alto, Calif. - As part of a meeting today with local industry and academic leaders in Silicon Valley, at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt will ...
 
At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt today announced plans to create a National Program Office ...
 
At a January 7, 2011 forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt announced plans to create a National Program ...
 
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) is pleased to announce that Jeremy Grant is joining the NIST team as a senior executive advisor. Mr. Grant has been selected to manage the ...
 
Destiny Media Player '.m3u' File Remote Stack Buffer Overflow Vulnerability
 
As you already know, gaming companies have recently been the target of different attacks and compromises. It seems this time the target has been Riot Games, owners of the League of Legends game. Still, not a lot of details are known about this breach (it seems that the North America servers were affected, and the chat system), but some information is leaking through the forums:

@Riot / Ymir -- NA Servers got hacked: http://eu.leagueoflegends.com/board/showthread.php?t=303964
Your Credit Card Information Is More Than Likely Secure: http://www.leagueoflegends.com/board/showthread.php?t=923156

Thanks, Lee, for the heads up.
Users can see some weird behavior when they leave the game, such as random notifications on the client (pvp.net) and messages about a group called (League of)NoS, and links to something like www.freeriotpoints... or ...leagueofNoS.com. Riot Points are the in-game currency. The websites try to install a keylogger.
The common end-user recommendations apply: keep an eye on any transactions related to the account and on the personal data provided to the targeted gaming company; change the user profile password to a new and different one (do not reuse passwords) now, and again once the breach is contained; do an in-depth cleanup if you visited the websites with the keylogger; and wait for more details to confirm when the breach occurred and what user information was really exposed.
Keep an eye on it, as well as on the other breaches of the week, where once again personal information might be exposed: Dropbox and the Apple survey server.
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
If you follow the SANS Application Security blog (aka the SANS Application Security Street Fighter blog) you know about an initiative focused on helping developers to understand security while having fun. Security challenges are a very didactic tool for this specific purpose.
The Spot the Vuln blog (by Brett Harding and Billy Rios) "...uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning (8:00am PST) a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday (8:00am PST), a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications."
What about including these weekly challenges in your software security program, so that developers, development managers, and QA staff can test their source code analysis skills and enjoy security by solving them? This week's challenge is about... Imagination.
Most challenges up to now have covered different programming languages (PHP, Java, JavaScript, ActionScript) and multiple security vulnerabilities (XSS, SQLi, LDAPi, RFI/LFI, CRLFi, redirections...).
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Ruckus Wireless ZoneFlex Smart WiFi system is designed to be a stable, easy to manage and highly secure wireless networking solution for the enterprise. The heart of the system is the ZoneDirector controller, which can communicate with up to 500 ZoneFlex access points.
 