InfoSec News

Facebook took its App Center live on Thursday at a slick media event in San Francisco, announcing a handful of previously undisclosed features.
Jim posted earlier in the week (https://isc.sans.edu/diary.html?storyid=13387) regarding a BIND 9 vulnerability. Whilst possibly unrelated, we've had a report regarding a few million DNS responses with static IDs being sent to an organisation.
If you have something similar happening and you are in a position to capture some packets, we'd appreciate it if you could upload some for us to have a look at, especially if they all have the same ID number.
Mark (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
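As an added example (not part of the diary above), the check a defender would run over captured UDP payloads to confirm the symptom described: tally the 16-bit transaction IDs of DNS responses and flag a capture in which one ID dominates. The payloads are constructed inline, not captured traffic; the threshold and minimum count are assumptions.

```python
"""Flag bursts of DNS responses that all carry one transaction ID.

Added example, not part of the ISC diary. A resolver randomises the 16-bit
ID per query, so responses arriving in bulk with a single static ID stand
out. The payloads below are constructed, not captured traffic.
"""
import struct
from collections import Counter

QR_BIT = 0x8000  # header flags: set for responses, clear for queries


def parse_dns_header(payload: bytes):
    """Return (transaction_id, is_response), or None if too short."""
    if len(payload) < 12:
        return None
    tid, flags = struct.unpack("!HH", payload[:4])
    return tid, bool(flags & QR_BIT)


def static_id_report(payloads, threshold=0.5, min_count=10):
    """Tally response IDs. Return (dominant_id, share, n_responses) when one
    ID makes up more than `threshold` of at least `min_count` responses,
    else None. Queries and malformed payloads are ignored."""
    ids = Counter()
    for payload in payloads:
        header = parse_dns_header(payload)
        if header is None or not header[1]:
            continue
        ids[header[0]] += 1
    total = sum(ids.values())
    if total < min_count:
        return None
    tid, count = ids.most_common(1)[0]
    share = count / total
    return (tid, share, total) if share > threshold else None


def make_response(tid: int, name: bytes = b"example.test") -> bytes:
    """Build a minimal DNS response: header + one A question, no answers."""
    header = struct.pack("!HHHHHH", tid, QR_BIT | 0x0180, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed traffic: 40 responses reusing one ID, 5 with distinct IDs,
# and 2 queries (QR clear) that the tally must skip.
SAMPLE = [make_response(0x1234) for _ in range(40)]
SAMPLE += [make_response(0x1000 + i) for i in range(5)]
SAMPLE += [struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) for _ in range(2)]

if __name__ == "__main__":
    print(static_id_report(SAMPLE))
```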
A few weeks ago I posted a request for packets for the above ports; a big thanks to all that provided information.
Whilst still not 100% confirmed it looks like 8909 and 9415 are associated with open proxies. I've seen some IPs that look for open proxies hit 8909 and 9415 as well as the normal proxy ports.
27977 is still a bit of a mystery, the packets received were all associated with normal traffic that happened to use this port as a source port.
UDP/7 was an interesting one. I only received 8 packets that were relevant and these were interesting: 512 bytes long. After the header, the first two bytes count up, the second two bytes count down and the rest of the packet is all zeros. Likely because there was nothing to interact with. Would dearly love some additional packets for this port.
If you can help out, submit the packets through the contact form, and thanks in advance.
Mark
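An added example (not the diary author's code) that checks captured UDP/7 payloads against the shape described above: two bytes counting up, two bytes counting down, the remainder all zeros. It assumes the counters are big-endian at the start of the UDP payload and that the 512 bytes refer to the payload; the sample packets are constructed.

```python
"""Classify UDP/7 payloads matching the pattern described in the diary.

Added example, not the diary author's code. Assumptions: the two counters
are big-endian and occupy the first four payload bytes, and "512 bytes"
is the UDP payload length. The sample packets are constructed.
"""
import struct

PAYLOAD_LEN = 512  # assumption: length of the UDP payload


def split_counters(payload: bytes):
    """Return (up, down) if the payload has the shape, else None."""
    if len(payload) != PAYLOAD_LEN or any(payload[4:]):
        return None
    return struct.unpack("!HH", payload[:4])


def counters_step(payloads) -> bool:
    """True when every consecutive pair steps the first counter by +1 and
    the second by -1 (mod 2**16); False if any payload fails the shape
    test, the sequence breaks, or fewer than two payloads were given."""
    pairs = [split_counters(p) for p in payloads]
    if len(pairs) < 2 or None in pairs:
        return False
    for (u0, d0), (u1, d1) in zip(pairs, pairs[1:]):
        if u1 != (u0 + 1) & 0xFFFF or d1 != (d0 - 1) & 0xFFFF:
            return False
    return True


def make_payload(up: int, down: int) -> bytes:
    """Constructed packet: two counters followed by a zero-filled tail."""
    return struct.pack("!HH", up, down) + bytes(PAYLOAD_LEN - 4)


# Eight matching packets, and a run whose fourth packet has junk in the tail.
MATCHING = [make_payload(100 + i, 0x8000 - i) for i in range(8)]
NOISY = MATCHING[:3] + [make_payload(103, 0x7FFD)[:-1] + b"\x01"]

if __name__ == "__main__":
    print("matching run:", counters_step(MATCHING))
    print("noisy run:", counters_step(NOISY))
```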
There have been several reports now of PCs on the network printing what looks like an executable to a large number of printers. Several scanning tools will cause this kind of behaviour, but in the instances I know of these tools were not being used on the network at the time. The various AV products aren't great at picking this up, yet.
If you have this happen in your network use your logs to determine the sending machine (will be in the print logs) and take it offline for investigation and re-imaging. If you happen to have the actual malware upload it via the contact form and make our malware guys and gals happy.

Law enforcement joins LinkedIn in its probe into how 6.5 million passwords were posted to a hacker forum this week. Meanwhile, Facebook reaches out to potential victims.

In an update that raises more questions than it answers, LinkedIn today assured members that the company is working hard to protect their personal data in the wake of a security breach that exposed about 6.5 million hashed LinkedIn passwords.
Google launched a Trusted Stores program on Thursday that will provide online shoppers with customer satisfaction scores for participating merchants, according to a company blog post.
socat 'xioscan_readline()' Heap Based Buffer Overflow Vulnerability
Linux Kernel CVE-2012-2373 Race Condition Local Denial of Service Vulnerability
Linux Kernel 'mmap()' Failure Local Denial of Service Vulnerability
[SECURITY] [DSA 2480-3] request-tracker3.8 regression update
Microsoft's June Patch Tuesday includes seven bulletins, three critical, affecting Windows, Internet Explorer and Microsoft Dynamics.

Foursquare on Thursday launched a major redesign of its app for the iPhone and Android devices, incorporating features from social discovery and local search applications, as well as the "like" feature made famous by Facebook.
Google's Gmail webmail service was unavailable for more than 90 minutes on Thursday, an outage that may have affected almost 4.8 million users.
Oracle's decision not to support new development on Itanium appears to be having a spillover effect.
Secunia Research: Network Instruments Observer SNMP OID Processing Denial of Service
Dating site eHarmony said it is resetting a "small fraction" of accounts after it discovered user passwords among those posted to a Russian hacking website.

Microsoft Data Access Components RDS Buffer Overflow Vulnerability
Samsung NET-i ware Multiple Remote Vulnerabilities
ComSndFTP Server Remote Format String Overflow Vulnerability
Mybb 1.6.8 SQL Injection Vulnerability
Secunia Research: Network Instruments Observer SNMP Processing Buffer Overflows
Microsoft's decision to switch on the "Do Not Track" by default in Internet Explorer will have to be rethought if the company wants to claim it supports the developing privacy standard.
The idea of a heterogeneous environment remains a very powerful force in IT.
Microsoft plans to deliver seven security updates next week to patch 28 bugs, but its plans to update Windows Update in response to the Flame malware could disrupt this month's patching.
As the use of cloud computing becomes more and more mainstream, serious operational "meltdowns" could arise as end-users and vendors mix, match and bundle services for various means, a researcher argues in a new paper set for discussion next week at the USENIX HotCloud '12 conference in Boston.
The PremierConnect technology network launched today will be available to more than 100,000 healthcare providers, allowing them to securely share patient outcomes, medical data and strategies.
The man who invented the World Wide Web says that the technology is all about being social, so people need to use it to stretch themselves and the boundaries of their own personal networks.
ZDI-12-088 : HP DataDirect OpenAccess GIOP Opcode 0x0E Remote Code Execution Vulnerability
ZDI-12-087 : RealNetworks RealPlayer raac.dll stsz Remote Code Execution Vulnerability
ZDI-12-086 : RealNetworks RealPlayer rvrender RMFF Flags Remote Code Execution Vulnerability
ZDI-12-085 : RealNetworks RealPlayer dmp4 esds Width Remote Code Execution Vulnerability
ZDI-12-081 : Oracle Java GlueGen Arbitrary Native Library Loading Remote Code Execution Vulnerability
ZDI-12-080 : Adobe Flash Player MP4 Stream Decoding Remote Code Execution Vulnerability
ZDI-12-079 : Apple QuickTime H264 Picture Width Parsing Remote Code Execution Vulnerability
The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday.
Microsoft released its advance notification for next week's Patch Tuesday [1]. We should expect a total of 7 bulletins, 3 of which are rated critical, and 4 important. The bulletins cover the standard components (Windows, Office, Internet Explorer, .NET Framework) but also include one bulletin for Dynamics AX. Dynamics AX is part of Microsoft's enterprise resource planning (ERP) solution. I would expect only few users to be affected by this patch. From the looks of it, this appears to be an average Patch Tuesday.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

ZDI-12-078 : Apple QuickTime SVQ3 Codec mb_skip_run Parsing Remote Code Execution
ZDI-12-075 : Apple Quicktime RLE Sample Decoding Remote Code Execution Vulnerability
Re: rssh security announcement
The CEO of French vulnerability research firm Vupen Security today dismissed reports suggesting hackers had broken into the company's systems and stolen information on as many as 130 zero-day vulnerabilities.
Here's some information on the apparent major LinkedIn breach for members of the social network, and for all Internet users.
One of the challenges in managing large server farms remotely is how to deal with crashed or hanging servers once the operating system no longer responds. The classic answer is usually a mix of serial consoles, maybe KVM-over-IP devices and remote power switches. This equipment isn't just expensive; it also takes up valuable rack space, requires power and lots and lots of extra messy cables.
To make things easier, Intel came up with IPMI, the Intelligent Platform Management Interface. Typically found in servers, versions of it can also be found in desktops targeting enterprise deployments. IPMI is by no means new, and the attack described here isn't new, but I still find that many system admins are not aware of the potential of modern implementations of IPMI (good or bad).
Over the years, there have been a number of different IPMI revisions. How much functionality you get depends on the motherboard vendor and the firmware you are using. But there are a few features that are common to pretty much all IPMI implementations:

IPMI is active once the server is connected to power. It does not depend on the server to be actually switched on.
IPMI is implemented as a specific circuit on the motherboard. Sometimes you may find it on an optional plug-in board, but it does not require the CPU, RAM or other components.
It may use an existing network card, and doesn't necessarily need a dedicated network card.

If your operating system supports IPMI, you can use special software on the server to connect to it and use it for example to read the status of various sensors. Check the openipmi or freeipmi tools if you don't already have them installed.
IPMI is useful locally, but its real power comes into play remotely. IPMI version 1.0 was used over serial ports. Its main feature was the ability to remotely power-cycle a system. You can probably compare this to a kind of Wake-on-LAN, but over serial and with the ability to turn power off, not just on. This eliminated the need for remote power controllers. As of version 1.5, it was possible to send IPMI messages over IP. The latest version, 2.0, includes support for blade servers, VLANs and a number of additional features commonly found in modern networks.
In a current server implementing IPMI, you may find a full-blown web server able to control the system remotely, including advanced features like flashing firmware. This pretty much does away with the need for a serial interface. However, you will lose the out-of-band character of a serial connection that many of us count on for security. There are a couple of basic steps you can use to secure IPMI:

set up a dedicated management network, and limit IPMI to the network card connected to the management network.
review the BIOS configuration options for IPMI. If you can't have a physical management network, at least try to use a VLAN if supported.
keep IPMI firmware up to date. It may be included in motherboard firmware updates or delivered as a distinct package.
eliminate IPMI access over insecure protocols like HTTP. Use HTTPS with proper certificates, or SSH.
do not use default passwords.
try to integrate IPMI authentication with existing authentication systems. Options typically include RADIUS and AD.
review the hardening options your IPMI implementation provides. You may be able to limit access by IP address, or turn off various features you do not need.
inventory servers with IPMI capability.
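As an added example, not ISC's or ipmitool's code, here is a small audit that turns several of the steps above into checks against a BMC's LAN channel settings. It parses the "Key : Value" layout that `ipmitool lan print` produces; the sample output is constructed and only approximates a real BMC, and the list of flagged settings (default SNMP community, an authentication level accepting NONE, RMCP+ cipher suite 0, no VLAN) is this example's choice.

```python
"""Audit a BMC's LAN channel settings against the hardening points above.

Added example, not ISC's or ipmitool's code. Parses the "Key : Value"
layout of `ipmitool lan print` (the sample is constructed and only
approximates real output) and flags weak settings the diary warns about.
"""
import re

SAMPLE_LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
SNMP Community String   : public
802.1q VLAN ID          : Disabled
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
"""


def parse_lan_print(text: str) -> dict:
    """Map each key to a list of its value lines (continuations included)."""
    settings, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key is not None:   # continuation line
            settings[key].append(line.split(":", 1)[1].strip())
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        settings[key] = [value.strip()]
    return settings


def audit_lan_settings(settings: dict) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    community = settings.get("SNMP Community String", [""])[0].lower()
    if community in ("public", "private"):
        findings.append("default SNMP community string")
    for entry in settings.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():
            findings.append(f"auth type NONE enabled for {level.strip()}")
    suites = re.split(r"[,\s]+", settings.get("RMCP+ Cipher Suites", [""])[0])
    if "0" in suites:
        findings.append("RMCP+ cipher suite 0 (no auth, no encryption) enabled")
    if settings.get("802.1q VLAN ID", [""])[0].lower() == "disabled":
        findings.append("no management VLAN configured")
    return findings


if __name__ == "__main__":
    for finding in audit_lan_settings(parse_lan_print(SAMPLE_LAN_PRINT)):
        print("WARN:", finding)
```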

Finally, as a bonus, a little video showing one recent IPMI implementation:


Johannes B. Ullrich, Ph.D.

SANS Technology Institute


Unemployment is at 0% for information security professionals! This good news was reported this spring in CompTIA’s 9th annual Information Security Trends report. The report cited U.S. Bureau of Labor Statistics (BLS) research conducted in the spring of 2011, which also noted the unemployment rate at just under 4% for the IT industry overall. Clearly, skilled security professionals should have no trouble getting information technology security jobs right now.

But companies are having trouble filling those jobs. According to CompTIA’s survey of 500 IT and business executives in the U.S., conducted at the end of 2011, 40% of companies are having difficulty hiring IT security specialists.

During a recent conversation with Todd Thibodeaux, president and CEO of CompTIA, I asked him why companies are having hiring problems, and I expected his answer would relate to the need for more CompTIA certifications. Or perhaps he’d say companies can’t pay enough to hire the talent they need. But Thibodeaux’s response brought up another perspective on the hiring challenge. He believes organizations are having trouble hiring IT security pros in the U.S. partly because of depressed housing values.

“The challenge is recruiting within physical regions,” Thibodeaux said. “Organizations don’t want to outsource their security, and they certainly don’t want to off-shore their security. So they need to hire locally.”

Yet with many IT professionals’ homes underwater with their mortgages right now, would-be employees are not able to move to take new jobs. So even though hiring organizations are willing to pay good salaries, they are largely at the mercy of larger economic forces beyond their control.

This phenomenon is more noticeable in some parts of the country, Thibodeaux said. Areas with high concentrations of technology companies are fortunate enough to have a larger pool of IT professionals from which to hire. But for companies not located in high-tech regions, it appears hiring has stalled. Companies and employees alike are waiting for home values to rise so people can move to fill IT security job gaps.

Is the answer simply to wait out the housing market? Thibodeaux believes a better answer may lie in college education. “Many colleges want to teach, not train,” Thibodeaux said. “But companies need people coming out of college who have been trained in technical skills.”

Perhaps this unusual situation of low unemployment in IT security combined with low home values will motivate some U.S. colleges to beef up their IT security courses with more hands-on training. Sure, that will take time — at least four years if incoming freshmen start now. But with home values inching back up slowly, those four years may turn out to be the quicker fix.

Google will now include additional provisions in its Apps sales contracts with E.U. customers to offer more assurances about the data they store in Google data centers.
When Microsoft slayed the notorious botnet Rustock, which had been sending as much as 40 percent of all spam worldwide, in March 2011, it forced the volume of spam into a decline from which it has never fully recovered.
Virgin Mobile USA will offer Apple's iPhone 4 and iPhone 4S to prepaid customers starting June 29.
Dell on Thursday announced the creation of a $100 million credit fund aimed at giving startups the "financial and scalable technology resources they need to maximize potential for innovation, speed to market and job creation."
Citrix Systems has acquired privately owned Bytemobile, which develops data and video optimization products for mobile network operators, the company said on Thursday.
More than 60% of the unique hashed passwords that were accessed by hackers from a LinkedIn password database and posted online this week have already been cracked, according to security firm Sophos.
Serendipity 'functions_trackbacks.inc.php' SQL Injection Vulnerability
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu

Samsung Electronics is investing $1.92 billion to expand its mobile processor manufacturing capabilities, the company said on Thursday.
One thing apparent at Computex this week is that computer makers really aren't sure what consumers want in a PC, and they're throwing everything at the wall to see what sticks.
A Taiwanese company is demonstrating two-way touch charging this week at the Computex exhibition, using a new chip that allows two people to share one phone's battery by holding their devices together.
Microsoft appears to agree with experts that the exploit of its Windows Update system by the Flame cyber espionage malware was a 'significant' event in the history of Windows hacking.
Or is this open source 'cloud operating system' just a launching pad for a million new cloud businesses? Either way, the excitement is contagious
Like Larry Ellison's yacht, the RDBMS is sailing into the sunset. But if NoSQL is to take its place, a standard query language and APIs must emerge soon
Savvy business leaders are starting to recognize the paybacks of helping all their business groups work from the same data.
Real Networks RealPlayer 'rvrender' RMFF Flags Remote Code Execution Vulnerability


When London data centre operator City Lifeline sits down to work out its annual marketing budget, it's sure to factor in considerable investment in trade shows, such as Internet World, InfoSec and Data Centre World. 'Trade shows are a huge part of the ...

The online dating site eHarmony confirmed late Wednesday that passwords for its members were exposed in a breach, a second major compromise following LinkedIn's password exposure.