Information Security News

The most successful wearable devices will be ones that can work without a phone, and AT&T will have at least one of them by the end of this year, the man who manages the carrier's partnerships said.

Mark Karpeles, CEO of the now-bankrupt Bitcoin exchange Mt. Gox, is auctioning off Bitcoins.com, a site Karpeles launched last year to provide information around the digital currency.

Here's one way how to get at sensitive data that seems to be making a comeback. Already in the olden days, it was popular with the crooks to register domain names that only differed by a typo from the name of a legitimate high traffic site. Googl.com, for example. The crooks would then run web pages with lots of advertisements on these domains, and live happily ever after from the ad revenue that the misdirected typo traffic alone brought their way.

Google put a stop to this by registering, for themselves, pretty much all typos of their brand that you can imagine. Not all companies have done so, and with the increased use of smart phones with annoyingly fumbly keyboards (and often autocorrect, as well), typos are making a comeback. As do the typo harvesting sites. This time though, it looks as if they are not after ad clicks -- instead, we see an increase of typo domains that publish an MX record, and thus receive all the mail that was meant for the attacked company, but where the @domain portion of the address contained a typo.

I was recently participating in the analysis of data taken from such a server that the crooks had used to collect other people's mail. One thing that particularly stood out was that a lot of the harvested emails actually came from within the attacked real estate company, and contained rather sensitive internal mails. In other words, say, an employee @samplecompany.com had wanted to send something to a coworker, but typed [email protected]maplecompany.com instead on her (not-so)smartphone. As a result, instead of getting delivered internally, the email took the Internet route, and ended up on the server that the crooks had set up.

For every email address with a typo that came from a customer or other external sender, we found a dozen or so of mails that were intended to be from and to an internal employee. What made matters worse is that some of the mobile phones that the company employees used were helpfully "remembering" previously typed email addresses, so once a typo had been made, the fix was in, and the problem persisted until/unless the user noticed that his colleague never answered.

If you don't own the most likely permutations and typos of your main email domain for yourself, you might want to check who does. And if they publish an MX record for these domains, you might want to check your outbound email log to see how much of your intended internal email has typos, and is leaking out.

Update: ISC reader Jerry points out that according to RFC 5321, if no MX record is returned, the A record will be tried instead. So don't count only on the presence of MX records in typo squatting domains to determine if your email is being siphoned off, if in doubt, check their port 25 as well.

Â

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A proposal by U.S. Federal Communications Commission Chairman Tom Wheeler to pump billions of dollars into Wi-Fi deployment at schools and libraries has run into a snag, with the commission's two Republican suggesting the money will come from U.S. residents' pocketbooks.

Another month of security updates from Microsoft means, once again, another round of fixes for the company's Internet Explorer (IE) Web browser, as well as a set of updates for the Windows operating system, for both the server and desktop editions.

Google has big hopes for its Glass head-mounted computer, chief among them a desire to make the unit smaller and more comfortable to wear.

Facebook has grown and evolved in recent years. In addition to connecting people online, it bombards users with unnecessary ads and useless sponsored stories. And it runs experiments on its users. Columnist Alex Burinskiy is not amused.

Python has surpassed Java as the top language used to introduce U.S. students to programming and computer science, according to a recent survey posted by the Association for Computing Machinery (ACM).

The rumors of the PC's demise have been greatly exaggerated, analysts say.

While Google's Chrome and Microsoft's IE10 and IE11 browsers will automatically update to the latest version of Adobe Flash, anyone using Safari, Firefox, Opera or older versions of IE must do so manually.

With the DARPA robotics challenge finals less than a year away, roboticists at Worcester Polytechnic Institute are already working on the robot they hope will not only win the challenge but one day act as a search and rescue worker.

The recent arrest of a Russian hacker by the US Department of Homeland Security is stirring up diplomatic difficulties.

The suspect, 30-year-old Roman Valerevich Seleznev, is the son of a Russian lawmaker. The Russian Foreign Ministry, which says he was arrested in an airport in the Maldives, has condemned the tactics used by the US. Seleznev has now been transported to Guam, where he has made his first court appearance.

"We consider this as the latest unfriendly move from Washington," stated the Ministry, according to a Reuters report. The Russian Foreign Ministry's statement (Russian) describes the event as a "kidnapping."

Read 8 remaining paragraphs | Comments

Linux Kernel 'shmem.c' CVE-2014-4171 Local Denial of Service Vulnerability

Microsoft Internet Explorer CVE-2014-1775 Remote Memory Corruption Vulnerability

Update: Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack.

A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.

The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they're executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.

Read 11 remaining paragraphs | Comments

Microsoft Internet Explorer Multiple Arbitrary Code Execution Vulnerabilities

IBM AIX CVE-2014-3074 Temporary File Creation Vulnerability

[ MDVSA-2014:126 ] phpmyadmin

CVE-2014-3074 - Runtime Linker Allows Privilege Escalation Via Arbitrary File Writes in IBM AIX

Apple has begun replacing Google Maps with its own mapping technology on iCloud.com, specifically in the Web-based "Find My iPhone" service.

LinuxSecurity.com: Several security issues were fixed in DBus.

LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web [More...]

LinuxSecurity.com: Security Report Summary

Overview of the July 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-037	Cumulative Security Update for Internet Explorer
MS14-037	Microsoft Windows, Internet Explorer CVE-2014-1763 CVE-2014-1765 CVE-2014-2785 CVE-2014-2786 CVE-2014-2787 CVE-2014-2788 CVE-2014-2789 CVE-2014-2790 CVE-2014-2791 CVE-2014-2792 CVE-2014-2794 CVE-2014-2795 CVE-2014-2797 CVE-2014-2798 CVE-2014-2800 CVE-2014-2801 CVE-2014-2802 CVE-2014-2803 CVE-2014-2804 CVE-2014-2806 CVE-2014-2807 CVE-2014-2809 CVE-2014-2813 CVE-2014-1763 CVE-2014-1765 CVE-2014-2783 CVE-2014-2785 CVE-2014-2786 CVE-2014-2787 CVE-2014-2788 CVE-2014-2789 CVE-2014-2790 CVE-2014-2791 CVE-2014-2792 CVE-2014-2794 CVE-2014-2795 CVE-2014-2797 CVE-2014-2798 CVE-2014-2800 CVE-2014-2801 CVE-2014-2802 CVE-2014-2803 CVE-2014-2804 CVE-2014-2806 CVE-2014-2807 CVE-2014-2809 CVE-2014-2813	KB 2975687	Yes!	Severity:Critical Exploitability: 1	Critical	Important
MS14-038	Vulnerability in Windows Journal Could Allow Remote Code Execution
MS14-038	Microsoft Windows CVE-2014-1824	KB 2975689	No	Severity:Critical Exploitability: 1	Critical	Critical
MS14-039	Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege
MS14-039	Microsoft Windows CVE-2014-2781	KB 2975685	No	Severity:Important Exploitability: 1	Important	Important
MS14-040	Vulnerability in Ancillary Function Driver
MS14-040	Microsoft Windows CVE-2014-1767	KB 2975684	No	Severity:Important Exploitability: 1	Important	Important
MS14-041	Vulnerability in DirectShow Could Allow Elevation of Privilege
MS14-041	Microsoft Windows CVE-2014-2780	KB 2975681	No	Severity:Important Exploitability: 1	Important	Important
MS14-042	Vulnerability in Microsoft Service Bus Could Allow Denial of Service
MS14-042	Microsoft Server Software CVE-2014-2814	KB 2972621	Yes!	Severity:Moderate Exploitability: 1	Less Urgent	Less Urgent

: center;">We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

--
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In April, Google launched "Glass at Work," a program that certifies Glass-related products and services from third-party vendors for use in enterprise environments. The company last month announced its first five official "Glass at Work" partners and took some significant steps toward legitimizing its Glass smartglasses in the enterprise.

In today's business environment, organizations are increasingly demanding advanced analytics that allow them to use large volumes and diverse types of data to discover patterns and anomalies and predict outcomes.

Abusing Oracle's CREATE DATABASE LINK Privilege for fun and Profit

[security bulletin] HPSBGN03050 rev.1 - HP IceWall SSO Dfw and HP IceWall MCRP running OpenSSL, Remote Denial of Service (DoS), Code Execution, Security Restriction Bypass, Disclosure of Information, or Unauthorized Access

[SECURITY] [DSA 2973-1] vlc security update

Microsoft has jumped in with both feet with the release to Preview of a new Microsoft Azure-based tool that helps organizations do Machine Learning and predictive analysis all from a Web console.

Trimble Sketchup CVE-2013-3664 Stack Based Buffer Overflow Vulnerability

Cisco Small Cell DHCP Message Processing Remote Arbitrary Command Execution Vulnerability

Hoping to win new business and build loyalty among existing customers, business intelligence software vendor MicroStrategy has broadly revamped its pricing and packaging structure.

Storage vendor EMC has scooped up cloud storage management company TwinStrata, the companies announced Tuesday.

Goldman Sachs is taking Google to court to force the cloud vendor to delete an email accidentally sent to a Gmail user. The consequences of a ruling for Goldman would be devastating.

OCS Inventory NG Multiple Unspecified HTML Injection Vulnerabilities

WordPress Easy Banners Plugin 'easy-banners.php' Cross Site Scripting Vulnerability

WordPress Custom Banners Plugin 'options.php' Cross Site Scripting Vulnerability

Microsoft will require companies to file individual claims if they want a service credit for the Exchange Online outage of last month.

There are several deployment choices, but none is overly complex to set up.

Some top hardware companies have established a new Internet of Things consortium to create standards so that billions of devices can connect to each other.

An antispam organization is pushing for quick law enforcement action against five people it alleges took part in one of the largest cyberattacks on record that caused Internet outages throughout Europe early last year.

Update: Cert.org corrected it's advisory. The GS105PE is affected, not the GS108PE as indicated earlier. The NVD CVE entry still lists the old model number [2].

Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.

Sadly, at this point there doesn't appear to be a solution to the problem, other then returning the switch to the store and buying another one if you can.

CVE Number: CVE-2014-2969 [2]

Â

[1] http://www.kb.cert.org/vuls/id/143740
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2969

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Multiple Yokogawa Products 'BKFSim_vhfd.exe' Stack Based Buffer Overflow Vulnerability

Cisco Cloud Portal CVE-2014-3297 Multiple Information Disclosure Vulnerabilities

Cisco Cloud Portal Form Data Viewer Multiple Information Disclosure Vulnerabilities

LZ4 Memory Corruption Vulnerability

Cacti CVE-2014-4002 Unspecified Cross Site Scripting Vulnerability