At a community college where I'm helping out whenever they panic on security issues, I recently was confronted with the odd reality of a lingering malware infection on their network, even though they had deployed a custom anti-virus (AV) pattern ("extra.dat") to eradicate the problem. Of course, these days, reliance on anti-virus is somewhat moot to begin with: our recent tally of fresh samples submitted to VirusTotal had AV lagging behind about 8 days or so. If you caught a keylogger spyware, 8 days is plenty to wreak havoc. I usually compare today's AV to the coroner in CSI: he can probably tell what killed you, but won't keep you alive.

But back to the college. Turns out they verify on a weekly basis if all the PCs have a current pattern, and they also verified that all their PCs got the "extra" pattern. The only problem was, their definition of "all" relied on the AV-tool itself. Obviously, if a PC doesn't have anti-virus installed, it won't show up on the anti-virus console. Hence, if your AV claims you have 100% compliance, you might want to check an alternate repository, like for example your Active Directory, to compare numbers. When I ran this test at the college, I found that their network/AD had 51 more workstations than their AV knew about. No wonder they still had frequent hits on the IDS for the backdoor traffic.

Never rely on a single security tool to tell you that everything is fine. Throw two or more sets of data against each other, and investigate discrepancies. Like your fishing or drinking or training buddy, security tools lie. Get acquainted with the usual pattern of lies (or obfuscated truths :), and surprises and disappointments will become less frequent.
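The cross-check described above, sketched as an added example that is not part of the original diary. The CSV column names, host names, pattern versions and the 30-day staleness cutoff are assumptions for illustration; adapt them to whatever your AD and AV console exports actually contain.

```python
import csv, io
from datetime import date, timedelta

# Constructed sample exports; column names are assumptions, not a real product's layout.
AD_EXPORT = """name,enabled,last_logon
LAB-PC01.college.example,True,2013-06-03
LAB-PC02.college.example,True,2013-06-04
lib-pc07.college.example,True,2013-06-05
OLD-PC99.college.example,True,2012-01-15
KIOSK-03.college.example,False,2013-06-01
"""
AV_EXPORT = """hostname,dat_version
lab-pc01,7098
LAB-PC02,7050
GUEST-LT5,7098
"""

def norm(host):
    """Short upper-case host name, so 'lab-pc01.college.example' equals 'LAB-PC01'."""
    return host.strip().split(".")[0].upper()

def reconcile(ad_csv, av_csv, today, current_dat, stale_days=30):
    """Cross-check AD against the AV console and return the discrepancies."""
    cutoff = today - timedelta(days=stale_days)
    # Only enabled accounts seen recently count as live workstations.
    ad_active = {
        norm(r["name"]) for r in csv.DictReader(io.StringIO(ad_csv))
        if r["enabled"] == "True" and date.fromisoformat(r["last_logon"]) >= cutoff
    }
    av = {norm(r["hostname"]): int(r["dat_version"])
          for r in csv.DictReader(io.StringIO(av_csv))}
    av_hosts = set(av)
    return {
        "no_av_agent": sorted(ad_active - av_hosts),   # invisible to the AV console
        "not_in_ad": sorted(av_hosts - ad_active),     # AV-only: unmanaged, or stale in AD
        "outdated_pattern": sorted(h for h in ad_active & av_hosts if av[h] < current_dat),
    }

if __name__ == "__main__":
    print(reconcile(AD_EXPORT, AV_EXPORT, date(2013, 6, 6), current_dat=7098))
```

The "no_av_agent" list is the one the AV console can never show you; the other two lists are worth a look as well, since each is a place where the two data sources disagree.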


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The U.S. National Security Agency and Federal Bureau of Investigation have access to servers at Google, Facebook and other major Internet services, collecting audio, video, e-mail and other content for surveillance, the Washington Post reported on Thursday.

Yesterday, a poster to the full disclosure mailing list described a possible new 0-day vulnerability against Plesk. Contributing to the vulnerability is a very odd configuration choice to expose "/usr/bin" via a ScriptAlias, making executables inside the directory reachable via URLs.

The big question that hasn't been answered so far is how common this configuration choice is. Apparently, some versions of Plesk on CentOS 5 are configured this way, but not necessarily exploitable. The exploit is pretty easy to spot. It sends a heavily URL encoded POST request with a "Googlebot" user agent. Google typically doesn't send POST requests, so they are pretty easy to spot. I found a couple POSTs from "Google" (actually a "random" Chinese IP address, ) in our web logs here.

Masquerading as Google is a common trick among exploit scripts.

Please verify that your Apache configuration does NOT include this line:


ScriptAlias /phppath/ "/usr/bin/"


Let us know if you spot it in the wild.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
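The two checks from the diary above (POST requests claiming to be Googlebot with a heavily URL-encoded path, and a ScriptAlias that exposes a system binary directory), as an added example that is not part of the original diary. The log lines and configuration text are constructed, the 0.3 encoding threshold and the list of binary directories are assumptions, and the log parser expects Apache's "combined" format.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
ALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.I)
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}  # assumed list

# Constructed sample data (documentation IP ranges, harmless path once decoded).
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2013:10:01:02 +0000] "POST /%70%68%70%70%61%74%68/'
    '%65%78%61%6d%70%6c%65 HTTP/1.1" 404 321 "-" "' + GOOGLE_UA + '"',
    '192.0.2.10 - - [06/Jun/2013:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "'
    + GOOGLE_UA + '"',
    '198.51.100.7 - - [06/Jun/2013:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_CONF = ('ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"\n'
               '# ScriptAlias /old/ "/usr/bin/"\n'
               'ScriptAlias /phppath/ "/usr/bin/"\n')

def encoded_ratio(uri):
    """Fraction of the URI's characters that belong to %XX escapes."""
    return 3 * len(re.findall(r"%[0-9A-Fa-f]{2}", uri)) / len(uri) if uri else 0.0

def suspicious_requests(lines, min_ratio=0.3):
    """(ip, decoded uri) for heavily encoded POSTs that claim to be Googlebot."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if (m and m["method"] == "POST" and "googlebot" in m["ua"].lower()
                and encoded_ratio(m["uri"]) >= min_ratio):
            hits.append((m["ip"], unquote(m["uri"])))
    return hits

def risky_script_aliases(config_text):
    """ScriptAlias directives that expose a system binary directory via a URL."""
    found = []
    for line in config_text.splitlines():
        m = ALIAS_RE.match(line)  # commented-out lines start with '#', so they never match
        if m and m.group(2).rstrip("/") in SYSTEM_BIN_DIRS:
            found.append((m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print(risky_script_aliases(SAMPLE_CONF))
```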

Businesses that receive a court order for data similar to the one reportedly handed to Verizon by an intelligence agency have no choice but to comply and to take comfort in their immunity from lawsuits, an expert says.
Facebook is gearing up for a new project to simplify its advertising platform, making it easier for marketers to decide how to place ads across the site.
RETIRED: Google Chrome Prior to 27.0.1453.110 Multiple Security Vulnerabilities

In a coordinated takedown with the FBI and financial institutions, Microsoft on Wednesday dealt a powerful blow to an online fraud syndicate that siphoned more than $500 million out of bank accounts all over the world.

The takedown, dubbed Operation b54, disrupted more than 1,400 botnets based on Citadel, a powerful piece of banking malware available for sale in underground forums. Citadel has been in existence since 2011 and is based on leaked source code from the Zeus banking trojan. Citadel provides criminals with most of what they need to engage in wide-spread banking fraud, including exploits for infecting end users, keyloggers for stealing those end users' bank passwords, and backend code for running the command and control servers that issue malware updates and receive login credentials from infected computers.

Microsoft used civil seizure orders issued by a federal judge in North Carolina to simultaneously cut off communications between 1,462 Citadel botnets and the infected computers that reported to them. The company also filed suit against a currently unknown operator under the name of Aquabox who is suspected to be connected with one or more of the botnets.


XPIENT IRIS CVE-2013-2571 Security Bypass Vulnerability
Compliance practitioners say new mandates like the HIPAA Omnibus Rule and Obamacare are making enterprise compliance management even harder.
President Obama wants the nation's students to have access to faster broadband in their schools and libraries.
SAP is at work on a new product called Sentinel that is supposed to be "nothing less than the Amazon for Stocks and the Facebook for Investors," according to a job posting associated with the project.
A hacker released what he claims is a zero-day exploit for older versions of the Parallels Plesk Panel, a popular Web hosting administration software package, that could allow attackers to inject arbitrary PHP code and execute rogue commands on Web servers.
Although U.S. government officials said the NSA's efforts to secretly collect phone records of millions of Verizon customers is nothing new, reports about its size confirmed long-standing fears among privacy and civil rights advocates.
Sprint and LG Electronics announced that the LG Optimus F3 smartphone will go on sale online starting June 14 for $29.99, after rebate, with a two-year agreement.
BlackBerry Messenger, a free messaging and social networking app for BlackBerry devices, will arrive at iOS and Android app stores at some point, but not on June 27 as tweeted by T-Mobile UK early Thursday.
With the new Remote Wipe feature, both business and individual users can remove all of their synced files from a PC or Mac in the event of a loss or theft.
Microsoft today said it will ship just five security updates next week, the fewest in any month so far this year, to patch 23 vulnerabilities in Internet Explorer, Windows and Office.
Microsoft's announcement Wednesday that it will add Outlook to Office on Windows RT says as much about the company's app problem as it does about customers clamoring for a business-grade email client.
Three U.S. lawmakers have introduced legislation that would allow President Barack Obama's administration to deny U.S. travel visas to cyberattackers sponsored by foreign governments and to freeze their U.S.-based assets.
RETIRED: Apple Mac OS X Security Update 2013-002 Multiple Security Vulnerabilities
RETIRED: Apple Safari Prior to 6.0.5 Multiple Security Vulnerabilities
Spending on cloud services is so far just a fraction of total IT spending -- roughly 3% -- but the market is growing. IT pros explain what they like about their favorite cloud-based security, storage and management services.
X.Org libXxf86dga CVE-2013-2000 Multiple Remote Code Execution Vulnerabilities
X.Org libXxf86dga CVE-2013-1991 Multiple Remote Code Execution Vulnerabilities
Surging tablet sales and the muted response to Windows 8 have opened the door for Android at this year's Computex and exposed deeper cracks in the Wintel powerhouse of Windows software and Intel chips.
With Operation b54, Microsoft has conducted its seventh major campaign against botnets. Citadel botnets have infected five million computers and stolen half a billion US dollars; in fighting them, the company had the support of the FBI and the financial sector.

Lenovo will enter the cloud storage market with a service that offers a single sign-on ID to access social networks, favorite applications, as well as a file manager with a search engine to help users find files, photos and other digital media.
The business intelligence software market cooled off a bit in 2012 after "a few historic banner years" of spending growth, due to difficult economic conditions and confusion over industry buzzwords such as "big data," according to analyst firm Gartner.

The smartcards used to pay for public transportation in the Netherlands may now be hacked with an Android phone, according to a report from NOS.nl. The crack requires two free apps that allow the cracker to load the card with money and travel without paying anything.

NOS carries little detail on the nature of the hack, but Dutch hackers appear to have a somewhat long and storied history of cracking Netherlands’ smartcard, the OV-Chipkaart. The chip inside the card has been modified repeatedly by the card creator, Trans Link, but there is no shortage of tutorials on how to hack them, and there are plenty of stories about hacks that have taken place. There are also less technical Android apps to circumvent paying for transport, like OV Hacker, which plays the tone a Chipkaart would make when successfully scanned in order to trick bus drivers.

A research article from 2009 laid out how the RFID chip inside the card can be read with an NFC reader, decrypted with one application, and then reloaded with the desired amount by another application. The chip has been modified since then, but there’s at least one thread on the xda-developers forums where a user notes that his Android smartphone was able to read out the (encrypted) contents of his OV-Chipkaart with the NFC reader inside his phone.


Patches for BIND versions 9.6-ESV-R9, 9.8.5 and 9.9.3 close a vulnerability that allows an attacker to crash the DNS server by sending a query for a specially crafted zone to a recursive resolver.

CORE-2013-0517 - Xpient Cash Drawer Operation Vulnerability
SEC Consult SA-20130605-0 :: Multiple vulnerabilities in CTERA Portal
[ANN] Struts GA (fast-track) release available
CVE-2013-3734 - JBoss AS Administration Console - Password Returned in Later Response

Sausage Love: Ethical Lennox-Addington eMarketing India Rope Data Mining ...
I've been fielding traffic regarding some deeper sources for the #InfoSec curious irregulars visiting here. There are a lot of great sites, but I recommend both Cyber War News and illSecure for top quality 21st century electric Sausage. Also, Friday ...

The popularity and influence of social media continues to increase at lightning speed, and recent events bear evidence to the impact -- both positive and negative -- this medium presents. As the tragedy of the Boston Marathon bombing unfolded, millions of people turned to social media for information, and government officials and law enforcement used it to keep the public informed and solicit their help.
Infamous hacker KingCope has popped up again, publishing an exploit that supposedly remotely injects PHP code into Plesk servers.


Big Hollywood

'InJustice' Review: Lawsuit Abuse Exposed in Must-See Documentary
Big Hollywood
The new documentary examines the damage tort lawyers, particularly the so-called King of Torts Dickie Scruggs, have had on our culture. In short, they've seriously damaged the public's trust in our courts, bludgeoned the economy and sent thousands of ...

Intel is showing off what it called the 'world's fastest thumb drive' which uses Thunderbolt technology to provide breakthrough data transfer speeds compared to flash drives that plug into USB ports.
Hackers would face a minimum two-year prison sentence under a new European Union law approved by the European Parliament's civil liberties committee on Thursday.
LinuxSecurity.com: Several security issues were fixed in libxi.
LinuxSecurity.com: Several security issues were fixed in libxvmc.
LinuxSecurity.com: Several security issues were fixed in libxres.
LinuxSecurity.com: Several security issues were fixed in libxt.
LinuxSecurity.com: Several security issues were fixed in libxext.
LinuxSecurity.com: Several security issues were fixed in libxfixes.
LinuxSecurity.com: Several security issues were fixed in libxinerama.
LinuxSecurity.com: Several security issues were fixed in libxcursor.
LinuxSecurity.com: Several security issues were fixed in libdmx.
LinuxSecurity.com: Several security issues were fixed in libxrender.
LinuxSecurity.com: Several security issues were fixed in libxxf86dga.
LinuxSecurity.com: Several security issues were fixed in libxxf86vm.
X.Org libXxf86vm 'XF86VidModeGetGammaRamp()' Function Remote Code Execution Vulnerability
X.Org libXi CVE-2013-1998 Multiple Remote Code Execution Vulnerabilities
The Internet Systems Consortium, the organization that develops and maintains the widely used BIND DNS software, has patched a publicly disclosed vulnerability that can be used to remotely crash DNS servers running recent releases of BIND 9.
Red Hat has put out a beta release of Software Collections 1.0, in a bid to let developers use newer versions of languages such as Ruby and Python with support.
How to quickly delete incriminating video footage from a surveillance camera or copy a colleague's backup files remotely via the network? With many of QNAP's NAS and video surveillance systems, this has been found to be alarmingly easy.

After three and a half years in operation, the Amazon Web Services RDS database is finally generally available. Users can also get a service-level agreement if they choose to run the database in multiple places.
X.Org libXt CVE-2013-2005 Multiple Memory Corruption Vulnerabilities
X.Org libXt '_XtResourceConfigurationEH()' Function Remote Code Execution Vulnerability

The Guardian

How much would a security breach cost your business? – infographic
The Guardian
An in-depth study of the state of information security by the Department for Business, Innovation & Skills (BIS) has highlighted the scale of information ...

In part 1 of our hands-on series, we explain why R's a great choice for basic data analysis and visualization work, and how to get started.
Rakuten, Japan's largest online retailer, is acquiring a U.S. logistics firm as it continues to build out its infrastructure to compete with foreign rivals like Amazon.com.
The percentage of IT employees interested in getting a new job is rising, even as they lose confidence in the economic outlook, new survey data shows.
From books to videos to online tutorials -- most free! -- here are plenty of ideas to burnish your R skills.
Why x=3 doesn't always mean what you think it should, about data types and more.
From no-frills graphics to adding color and labeling your data, here's what you need to know.
From getting subsets of your data to pulling basic stats from your data frame, here's what you need to know.
Whether it's local or from the Web, there are several ways to get data into R for further work.
The U.S. National Security Agency has been allowed by a court order to collect phone records of a large number of customers of Verizon, according to a report in the Guardian on Thursday.
Acer is breaking Android out of its comfort zone and has installed the operating system on a 21.5-inch all-in-one desktop PC that is expected on sale in the U.S. later this year.
X.Org libXrender CVE-2013-1987 Multiple Remote Code Execution Vulnerabilities
LinkedIn has followed many other services' example and is now offering a two-factor authentication feature. The million-dollar lawsuit concerning the password leak that occurred in summer 2012 was dismissed earlier this year.

Microsoft Internet Explorer CVE-2013-1311 Use-After-Free Remote Code Execution Vulnerability
Red Hat Certificate System CVE-2013-1885 Multiple Cross Site Scripting Vulnerabilities
Red Hat Certificate System CVE-2013-1886 Format String Vulnerability
X.Org libXtst CVE-2013-2063 Remote Code Execution Vulnerability