InfoSec News

Amazon has updated its Cloud Player service to work with the iPad, hoping to reel in users of the Apple device before Apple launches its competing iCloud service later this year.
There really are some free lunches in the cloud, but they're not going to last forever.
QEMU KVM 'virtio_queue_notify()' Local Privilege Escalation Vulnerability
Yesterday's story on delayed patching or situations where patching is blocked by policy created a lot of discussion, and I thought it was worth another go, from a different perspective.
There are lots of things we use daily that have an OS, applications and security issues that we NEVER patch. Sometimes that's because we don't think of it, sometimes because regulations forbid it. Very often we don't patch them because the manufacturer treats them as throwaway devices - there simply are no patches.
What especially brings this to mind is that after yesterday's story, I was explaining the concept of malware to my son (he's 10). My explanation was that it is software that someone wrote to make a system do something that it wasn't intended to do. Pretty much straight out of my SEC504 notes, come to think of it (thanks, Ed!)
Anyway, that brought a few examples to mind - I'll list a few:
Windows (and other) hosts in the Pharmaceutical industry:
Machines used in pharmaceutical manufacturing need to be re-certified after every change. This confuses me somewhat, since the owner of the unit defines the testing procedure for re-certification (things like copy a file, do a transaction, etc.), so it should be easy, right? Long story short, this recert process tends to freeze things in time on devices that are directly involved in the manufacturing of pharmaceuticals. I cringe whenever I walk past that Windows 95 machine at one customer of mine.
Embedded LINUX (and *nix) OS devices:
We tend to think of these the same way we think of light switches, but in most cases they run a full Linux OS. Nothing too critical, you know, trivial things like elevator controls, security cameras and HVAC (Heating/Ventilation/Air Conditioning) systems come to mind, for instance.
Embedded Devices in Healthcare (both Windows and Linux):
Again, we think of these as devices rather than computers. Things like IV pumps, controls for X-ray and CAT-scan machines, ultrasounds and the like. There have been very public disclosures (and responses to yesterday's post) about Conficker and other malware running on gear of this type, and as far as I can tell neither the manufacturers nor the regulators are too-too excited about it, and I think they should be - the hospital system administrators sure aren't happy about it.
Prosthetics are getting more and more complex - huge advances in prosthetic limbs, hearing and sight aids all involve computers embedded in the device.
And even simple devices like pacemakers are re-programmed remotely (and wirelessly). When my dad told me how cool getting his unit re-calibrated was, I couldn't help but see the down side (but didn't discuss it with him). Do you want to take bets on how many heads of state, or CEOs for that matter, have a pacemaker? Or how much a well-placed cardiac incident might influence global or financial affairs?
It's a good thing that there's no direct transport for malware across the silicon / carbon unit boundary. One day we'll go to the hospital for a simple procedure, and instead of worrying about MRSA or C-DIF, we'll worry about catching CONFICKER-YYZ instead!
And a lot closer to home ... Did you drive to work today?
Aside from your entertainment system, your car has a fully documented, unsecured network and operating system with an open and documented API (google OBD-II sometime). Even better, by law this unsecured network and OS has a wireless link in it (your tire pressure sensors are short-range, remotely activated wireless transmitters). No risk there if someone else started a remote control session on your car between the house and the grocery store - this might seem over the top, but not by too much.
We talk about protecting our nation's critical infrastructure, but I think we're missing the boat on loads of critical infrastructure that doesn't involve generating electricity, pumping oil or running water systems. Remember that definition of malware above, and remember (not too far back) that Stuxnet was targeted and written to make nuclear plant systems do something they weren't intended to do.
I think we don't need to think much harder to make a long, long list of critical systems that we'd have a hard time dealing with if they stopped working properly.
Again, I invite you, our readers, to comment: describe any devices or systems that we deal with on a daily basis that we wouldn't normally patch or update, or cannot patch or update. Extra points for critical-type devices, but if your toaster has a USB port, that's sure interesting as well (I want one!)

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
QEMU KVM Virtio Component 'virtqueue' Local Privilege Escalation Vulnerability
The Acer TimelineX 5830TG sets itself apart from the 15-inch laptop crowd with its angular good looks. But it's also a solid performer and a decent gaming machine, and--with 8 hours, 17 minutes of battery life--a long-distance runner. At a penny less than $800 (as of July 6, 2011), the 5830TG is a great deal, but you'll need to spend some time culling the software herd for optimal results.
The recent hijacking and misuse of a Fox News Twitter account by unknown attackers highlights some of the risks enterprises run when using services such as those offered by the popular microblogging site.
Dokuwiki 'url' HTML Injection Vulnerability
Linux Kernel 'nfs-utils' Remote Unauthorized Access Vulnerability
A little more than a week after Google unveiled its own social network, Facebook responded by announcing a partnership with Skype in an attempt to curb growing enthusiasm for the Google+ project.
A government test that found some workers plugging found USB drives into work computers and others who provided passwords to fake support people shows how inadvertent employee miscues are often at the center of security breaches.
Developers today said they used a pair of unpatched vulnerabilities in Apple's iOS to "jailbreak" the iPhone and iPad, including the first-ever hack of the iPad 2.
Mozilla Firefox/Thunderbird/SeaMonkey XUL Document Handling Remote Code Execution Vulnerability
Over the last few years we've seen an explosion of online or "cloud" storage services and with that market expansion the inevitable has happened: Prices have fallen, features have improved, and the target markets have expanded from enterprise to SMB to consumers.
Apple is set to roll out Mac OS X Lion, and in a first it will be delivered online only. Will Lion's download-only install make you think twice about upgrading?
The Department of Energy's Pacific Northwest National Laboratory is working on restoring Internet connectivity and email services after being hit by a "sophisticated cyberattack" five days ago.
Facebook on Wednesday announced a new video chat capability it will roll out in conjunction with Skype, in what the social-networking giant said is the first of many announcements of new applications to come in the next couple of months.
The University of Nebraska is dumping Lotus Notes for Microsoft's Office 365, and getting $250,000 from Microsoft to help make the move.
Italian police have reported 15 suspected members of the Italian branch of the Anonymous hacker group to the judiciary for investigation on charges of illegally accessing IT systems, damaging IT systems and interrupting a public service, Italian media reported Wednesday.
Set-top boxes supplied by cable companies are likely using more power than desktop and laptop computers, and about 25% of the power used by a two-socket server.
Cisco Security Advisory: Cisco Content Services Gateway Denial of Service Vulnerability
Re: SEC Consult SA-20110701-0 :: Multiple SQL injection vulnerabilities in WordPress
Re: [Full-disclosure] Ubuntu: reseed(8), and HTTP request

Google+ tips and tricks Facebook should use
Good Gear Guide
Right now, I have all kinds of lists in Facebook--Family, High School, Air Force, Infosec, etc.--which help me cut down the noise on the incoming stream by letting me view individual lists, but when I write my own post I can only choose between ...
Facebook today said it is teaming up with Skype to bring video chat capabilities to users of the world's largest social network.
Mobile games are growing more popular and more addictive for smartphone users -- especially among iPhone users, who play games twice as many hours as the average smartphone user, according to new Nielsen Research.
Re: in_midi multiple vulnerabilities in Winamp 5.61
aTube Catcher ActiveX Control Insecure Method
IDrive Online Backup ActiveX control Insecure Method
No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said, countering claims that another botnet was "practically indestructible."
MITKRB5-SA-2011-005 FTP daemon fails to set effective group ID [CVE-2011-1526]
NGS00060 Technical Advisory: Blue Coat BCAAA Remote Code Execution Vulnerability
Integer overflow in foobar2000 1.1.7
Blue Coat BCAAA Stack Buffer Overflow Vulnerability
[SECURITY] [DSA 2272-1] bind9 security update
Google's new social networking site Google+, built to beat Facebook primarily on privacy features, has several privacy bugs the company is working to fix.
Fox News and PayPal UK Twitter accounts get hijacked by anonymous groups.

Hackers took control of two prominent Twitter accounts recently, posting false messages to followers of the accounts of Fox News and PayPal UK.

Two anonymous hacking groups claimed responsibility for the attacks. One group posted six false messages on the Fox News account, giving followers a phony news item that U.S. President Barack Obama had been shot dead. The move reportedly prompted an investigation by the Secret Service.

News Corp. acknowledged that the account had been hijacked and removed the false messages. A Fox News spokeswoman said Twitter suspended the account once the hijacking was detected.

As at many news organizations, the Twitter, Facebook and other social network accounts are often shared between editors. Security experts said the attacks highlight the need for better password management. Twitter told Reuters that it monitors its systems to detect brute-force log-in attempts, but compromises due to “off-site behavior” can still take place.

PayPal UK had its account hijacked late Tuesday. The account has about 17,000 followers. The messages appeared to come from an angry customer who sent out a message: “PAYPAL FROZE ALL MY MONEY FOR NO REASON…” PayPal reportedly confirmed that its account was hijacked. The messages were deleted by the company.

The two groups involved are from the so-called “anti-sec” hacktivist movement.

Chester Wisniewski of security firm Sophos said the password problem stems from organizations giving multiple employees access to the account. The passwords are typically easy to guess, are often stored on the computers used by the employees and in some cases are frequently emailed.

“Most social networks were designed for use by individuals and don’t offer enterprise-grade security options with granular permission controls. If the password is shared with enough people, someone will misplace it or use something ‘everyone can remember.’”

Attackers also take advantage of password reuse, Wisniewski said. People often use the same password for multiple accounts. Once one account has been compromised, an attacker can attempt to gain access to other online accounts. If the attacker can also obtain the victim’s email address, they can attempt to reset the password, he said.

A number of password management tools exist to help users follow better password practices. I wrote about password management tools in February, after attackers stole account credentials from users of a popular movie torrent site to gain access to their Twitter accounts for spamming.

Poor password use at Twitter

Twitter expects its users to better protect their account credentials, but the company has also been the victim of poor password practices. Twitter has had to deal with a myriad of security issues ever since its service grew in popularity. In 2010 the social networking giant settled Federal Trade Commission charges that it deceived consumers and put their privacy at risk.

The charges stem from incidents that took place between January and May 2009, when hackers gained administrative control of Twitter and were able to view nonpublic user information, gain access to direct messages and protected tweets, reset any user’s password and send unauthorized tweets from any user account. Those security lapses were the result of employees storing admin passwords.

Before hitching up with Windows Phone and Windows 8, Microsoft's cross-platform rich Internet application framework gets a modest upgrade

Google's public-only, profile policy: An opportunity, not a punishment
Geek Shui Living
From an Infosec standpoint, full disclosure of your information on any site, to include those with supposed 'private' profiles, is never recommended. Whether publicly available on the web or hidden from general view, the data you input and files you ...
Twitter is the perfect social network for today's ADHD world--messages are short, sweet, and constantly pouring in. But how do you make yourself known when your 140-character tweets of genius are constantly supplanted by other people's inane thoughts? Here are some tips on how to gain legions of Twitter followers.
Compuware announced Wednesday it has purchased application performance monitoring vendor dynaTrace for $256 million in cash, a move that builds upon its 2009 acquisition of Gomez and places it in closer competition with rivals such as CA Technologies and BMC.
A group of hackers going by the name of the "Inj3ct0r Team" are claiming they've compromised a NATO server.
phpMyAdmin Prior to and Multiple Remote Vulnerabilities
Cisco has announced a new Wi-Fi access point and stadium antenna that covers a smaller cell area for use in arenas and large venues to help improve user access and wireless speeds.
Business intelligence can make a real difference in some midsize firms. But IT pros warn that it still requires dedicated resources to yield a return.
A group of GPS vendors and users has challenged mobile startup LightSquared's credibility in a response to the company's new plan for a hybrid satellite and LTE mobile network.
Many Minnesota state government IT workers have been furloughed due to a shutdown caused by a budget impasse.
The cyber attacks that paralyzed a handful of major South Korean websites earlier this year were almost certainly carried out by North Korea or parties allied with the country, computer security company McAfee said Tuesday in a report.
Multiple DMXReady Products 'ItemId' Parameter SQL Injection Vulnerability