Hackin9
Google executive chairman Eric Schmidt may end up selling 42 percent of his shares in the company under a new stock trading plan designed to diversify his investment portfolio.
 
Broadcom UPnP Stack 'SetConnectionType()' Function Format String Vulnerability
 
Multiple users on Apple's iPhone support forum are reporting big drops in battery life after upgrading their handsets to version 6.1 of the iOS operating system.
 
Oracle Java SE CVE-2013-0433 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0443 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2013-0426 Remote Java Runtime Environment Vulnerability
 
Dell's decision to go private has led to mixed reaction from the company's customers, who are watching developments closely as they consider the next steps in their product procurement plans.
 
LinkedIn has shut off its API access to "Bang With Professionals," a Web service that was intended to facilitate more, say, intimate connections among users of the business-oriented social networking site.
 

Looks like next Tuesday will be a busy Patch Tuesday. Expect 11 bulletins fixing 57 vulnerabilities. Most of the bulletins affect Windows, but we also get one for Office, two affecting Internet Explorer and one affecting server software. It is a bit odd to see two bulletins affecting Internet Explorer instead of just one roll-up patch. Five of the bulletins are rated critical.

Also note that Microsoft released an update for the Flash Player for Internet Explorer 10 today, in sync with Adobe's update for Flash Player [2].

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-feb

[2] http://technet.microsoft.com/en-us/security/advisory/2755801



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
California has terminated its contract with SAP in connection with a $371 million software system that was supposed to overhaul the state's payroll system but instead ended up mired in major delays and cost overruns.
 
Like its desktop cousin, Innovationbox's PassLocker for iOS offers a simple and streamlined interface for managing your logins and passwords. Instead of going for lots of features like its many competitors, the app focuses solely on storing your credentials and helping you retrieve them quickly.
 
U.S. companies shouldn't be able to get patents on abstract ideas when they combine those ideas with a computer process, a lawyer argued in an appeals court Friday.
 
Running the world's most popular website, Google engineers know a thing or two about keeping a site responsive under very high demand. In the latest issue of the Association for Computing Machinery's monthly magazine, Google reveals a few secrets to maintaining speedy operations on large-scale systems.
 
In another illustration of the diminishing importance of the PC, a research firm today said that more than a third of surveyed consumers who once used personal computers to access content have switched to tablets and smartphones.
 
Microsoft today announced its cloud storage service now has one billion documents stored and said it has added new features to quickly save documents and get a link to share with others.
 
Oracle isn't done releasing patches for Java SE this month, as another batch will arrive Feb. 19, according to a company blog post.
 
When there's a blizzard approaching, people flock to grocery stores for bread and milk, test their generators...and nowadays take to Twitter and Facebook.
 
Microsoft's highly anticipated Surface Pro with Windows 8 will be on sale Saturday starting at US$899 and will test the company's viability in the tablet market after the failure of the Surface RT.
 
T-Mobile USA plans to lure new business customers with shared data plans and no early termination fees, similar to some recent steps the carrier announced for consumers.
 
Rackspace plans to add 1,000 people to its staff of about 5,000 over the next two years. It is doing so under an agreement with the state of Texas, which will help train its workers.
 
The company that publishes books under the Macmillan imprint has agreed to allow discounting of its electronic books as part of a settlement with the U.S. Department of Justice over price-fixing in the fast-growing e-book market.
 
Intel is looking to capture more of the SSD market with the release of its 525 Series mSATA drives. These tiny storage devices deliver respectable performance at good prices. The new 525 Series is based on Intel's 25nm NAND memory and LSI Logic's SandForce SF-2281 controller. They measure approximately 3.7mm thick by 51mm long by 30mm wide (full-size mSATA) and come in 30GB, 60GB, 90GB, 120GB, 180GB, and 240GB capacities.
 
Six years after its long-delayed but well-publicized release, Windows Vista now accounts for less than 6% of all Windows machines, according to Net Applications.
 
Don't let the Windows 8 haters brainwash you: Microsoft actually introduced a few great features in its new operating system, some of which will help keep you safer from malware and other security threats. Though most of these security enhancements are active by default, you still must be proactive to get the most from them. Also, one new Windows 8 feature presents specific security concerns that must be addressed to keep your PC--and your data--as safe as possible. Let's jump in and investigate.
 
A hacker using the online handle 'Guccifer' claims to have gained access to email accounts belonging to family members and friends of former Presidents George H.W. Bush and George W. Bush and exposed personal emails, photos and other sensitive data.
 
A critical buffer overflow vulnerability patched this week in the widely used open-source cURL library (libcurl) has the potential to expose a large number of applications and systems to remote code execution attacks.
 
Mathematica 9.0.1 on Linux /tmp/MathLink vulnerability
 

#FFSec, Feb. 8: Five infosec pros who stand out
CSO (blog)
@mckeay: Many of you know Martin McKeay from his infosec blog and podcast. I've known the man for a long time and one of the most enjoyable experiences I've had as a podcaster was teaming up with him on a two-part panel debate about PCI DSS. He's a ...

 
Next Patch Tuesday will see 12 bulletins to fix 57 holes in various Microsoft products, including critical vulnerabilities in Windows and IE


 
The widely used file transfer library can be tricked into downloading and executing arbitrary code with the combination of an HTTP redirect and a maliciously crafted POP3 service.


 
[slackware-security] curl (SSA:2013-038-01)
 
[SECURITY] [DSA 2618-1] ircd-hybrid security update
 
DIMVA 2013 - Extended deadline for paper submission: February 17, 2013!
 

 
In this edition: the exciting history of SSL/TLS, a UPnP exploit, analogue sounds, behind the scenes of a jailbreak, a free book, and a fond memory of Internet Explorer 6


 
RETIRED: MatrixSSL TLS Implementation Information Disclosure Vulnerability
 
Multiple TLS And DTLS Implementations CVE-2013-0169 Information Disclosure Vulnerability
 
Microsoft Windows CVE-2013-0008 Local Privilege Escalation Vulnerability
 
Professor Kenneth Paterson and graduate student Nadhem AlFardan have discovered a TLS attack that tracks the timing of error messages to reveal plaintext.

 
Intel Capital has invested in software-defined networking company Big Switch Networks, as it hopes to help the company change the way data centers are networked.
 
Financial malware authors are trying to evade new online banking security systems by returning to more traditional phishing-like credential stealing techniques, according to researchers from security firm Trusteer.
 
CHICKEN Multiple Local Security Vulnerabilities
 
RoundCube Webmail Cross Site Scripting Vulnerability
 
Toshiba has started shipping the first NAND flash chips to support Universal Flash Storage, a new standard that is 50 percent faster than current technology.
 
Despite the launch of the iPhone 5 in December in China, Apple's smartphone market share in the nation barely grew during last year's fourth quarter, according to research firm Canalys.
 
A bug redirected people from third-party websites integrated with Facebook to Facebook.com for a short period of time, the social networking website said Thursday.
 
Hewlett-Packard has issued new guidelines to limit the use of student labor at its supplier factories in China, in what it claimed was the first of its kind for the IT industry.
 
GNU libc glob(3) 'GLOB_LIMIT' Remote Denial of Service Vulnerability
 
Adobe Flash Player CVE-2013-0633 Buffer Overflow Vulnerability
 


Infosec pros give verdict on EU's new cybersecurity strategy: "Nice try"
Naked Security
The European Commission on Wednesday launched a proposal for a new cybersecurity strategy with good intentions and great fuzziness, as some dissatisfied infosec professionals see it. The EC worked with the High Representative of the Union for Foreign ...

 
Adobe Flash Player CVE-2013-0634 Remote Memory Corruption Vulnerability
 
cURL/libcURL 'Curl_sasl_create_digest_md5_message()' Stack Buffer Overflow Vulnerability
 
CIO.com's Al Sacco shares a handful of valuable BlackBerry Z10 and BlackBerry 10 tips including how to capture a screen shot, how to instantly launch voice control, a variety of keyboard shortcuts and more.
 
On the anniversary of John Perry Barlow's issuing 'A Declaration of the Independence of Cyberspace,' a response and alternate call to action.
 
Applications for domestic drone licenses are increasing steadily, even as privacy concerns related to their use over the U.S. continue to mount. Some states are even moving to ban them altogether.
 
Adobe updated Flash Player to patch a pair of zero-day vulnerabilities that hackers were already using to hijack Windows PCs and Macs.
 
Michael Messner has been busy: he has posted details of further vulnerabilities in Linksys, Netgear and, once again, D-Link routers on his blog. The manufacturers were informed months ago, but most of the vulnerabilities remain wide open.


 
Adobe has released emergency updates for Flash Player to close two zero-day holes. The holes appear to be being exploited in industrial espionage related attacks on Windows and Mac systems.


 

The Friend

Does anyone have a friend who still regularly sends you crap via email that usually includes a link or some pics? We are all IT security professionals here and know the preacher's drill on this topic. Really, we do not like wasting our time on the junk that is sent to us. Delete, Delete, Delete.

BUT, we are also human. We are the weakest link! So, today that one friend sends something over to us. This friend has a great knack for sending water cooler stuff that can warrant a look-see. This friend always plants the seed of curiosity. Today, we check our email and there it is, in our inbox. Our guard is down and the flower of curiosity is opening up. In an instant, we click...wait...No. Damn!

The page loads...

Now. We Need To Know

Did we just infect our system?

We need to know. It is time to act fast. Get to a shell and pull that page down with a command-line fetcher such as wget or curl, because a page like this can disappear quickly. This sample was sent in by a reader who acted fast; by the time I got around to verifying some things on it, the code pasted below was gone.



There are many diaries posted about JavaScript obfuscation over the years. The two that rise to the top are from Tom Liston [1] and Daniel Wesemann [2]. If you're interested in understanding this process further by diving in deeper, I recommend those diaries as required reading.

The Lazy Liston

I deployed a mixture of Tom's method and Daniel's lazy method (see the diaries mentioned above for more info).

I stripped the HTML, reformatted the JavaScript, and added some useful lines for debugging. The image is highlighted with red showing my additions, blue showing unnecessary HTML, and black showing the JavaScript code that gets debugged.

I used jsc to help me out with the prepared script above. jsc is a command-line utility that allows you to run JavaScript interactively. I inserted a debug and a couple of readline statements to assist. The readline call pauses the script so I can view the output; pressing Enter continues it.

Below is a snapshot of the jsc run of script.js. I pasted and circled the obfuscated strings and the decoded pieces. Note that the URL listed matches the browser shot above.



In summary, my diagnosis of the original email and sample with the clickable link is that it is only a spoofed email intended as spam. I humbly encourage all to offer any feedback to counter my assessment or add value to it. Many thanks to Lode V. for sending it in!



[1] https://isc.sans.edu/diary.html?storyid=1917

[2] https://isc.sans.edu/diary.html?storyid=2268





-Kevin



--

ISC Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 