InfoSec News

Iran says its infosec defences foiled oil hack
“Iran is claiming to have successfully deflected yet another large scale cyber attack on critical infrastructure in the country, this time targeted at its offshore oil installations. A brief report on the Iranian Students' News Agency site on Monday ...


Next week Microsoft will release six new security bulletins. Four of the six are rated critical and allow remote code execution. The advance notification indicates that the vulnerabilities are in Microsoft Office, the Windows Server platforms, the desktop platforms and Windows RT (Surface). It looks like next Tuesday will be interesting. Read more about it at the link below.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Students at a U.S. military graduate school in California are mining social media with new methods that may change the way the armed forces collect intelligence overseas.

Have you ever been in this situation? Someone calls you for help and tries to explain their problem. They do such a poor job of explaining what they are seeing that you aren't even sure what OS they are using, much less how to fix their problem. You wish you had some way of remotely seeing their desktop, but the user is incapable of following the instructions required for you to remotely connect to and administer their machine. This is especially frustrating when you are in the identification or containment phase of an incident. Communication is an essential element of handling incidents effectively. When you are in a pinch, here is a new tool to add to your tool belt.

Microsoft Windows 7 has a tool called PSR (Problem Steps Recorder). PSR will capture screen images, mouse clicks and some keyboard input and put it into a zip file that can be emailed back to you. The information is recorded in the sequence that the user sees it. You can see what they clicked and the order in which they clicked it. You can see what was on their screen and, to a very limited extent, what they typed. If you just run PSR.EXE it will bring up a GUI (graphical user interface). It is really easy to use. It has a start button and a stop button. When you click stop it prompts you to save a file. It produces a zip file containing the diagnostic information that the user can email to you (assuming that they have SOME connectivity).

While the GUI is pretty simple, PSR has a whole bunch of useful CLI (Command Line Interface) options. Instead of having them run the GUI, you could have them run the following from the Run dialog (Start > Run, or Win+R):

psr.exe /start /output \\?\%USERPROFILE%\Desktop\diag.zip /maxsc 100 /sc 1 /gui 0

That will start recording the user's screens, keys and clicks. /output defines the path and file that will contain the screen captures and the rest of the data. /maxsc 100 raises the maximum number of screen captures from the default of 25 to 100. /sc 1 turns on screen captures; if you don't want screen captures you can turn them off with /sc 0. /gui 0 prevents the graphical user interface from displaying. User interactions will be recorded until you run the following:

psr.exe /stop

This will create a file called diag.zip on the user's desktop, where they can grab it and send it to you. When you open it up you will find a .mht file with lots of useful information. When you open that file with Internet Explorer you will see each recorded step with its screenshot.

A green box in each screenshot shows where the user clicked on the screen. You can use this to see exactly what is on the user's screen and make a more informed decision about how to respond.
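To show what the responder actually receives, here is an added example (not code from the diary or from Microsoft) that triages a diag.zip offline: it hashes the archive for the incident record, pulls the .mht out of the zip, and takes the report apart with Python's standard email parser. An .mht is MIME HTML, a multipart/related message with one text/html part holding the step descriptions and one image/jpeg part per screenshot, which is the only format knowledge the script relies on. Everything else is an assumption: the "Step N: ..." wording of the step headings, the report file name, and the sample archive, which is constructed inline (with placeholder JPEG bytes) so the script runs without a real capture.

```python
"""Offline triage of a Problem Steps Recorder archive (added example).

The only format assumption that matters is that the .mht report is
MIME HTML: one text/html part with the steps, one image/jpeg part per
screenshot. Step wording, file names and the sample archive below are
constructed for this example, not taken from a real capture.
"""
import base64
import hashlib
import html
import io
import quopri
import re
import zipfile
from email import message_from_bytes, policy

STEP_RE = re.compile(r"Step\s+(\d+):\s*(.*)")   # assumed heading form "Step N: ..."
TAG_RE = re.compile(r"<[^>]+>")


def sha256_hex(data: bytes) -> str:
    """Hash the archive as received, before anything else touches it."""
    return hashlib.sha256(data).hexdigest()


def find_report(zip_bytes: bytes) -> bytes:
    """Return the raw bytes of the first .mht report inside the PSR zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".mht"):
                return zf.read(name)
    raise FileNotFoundError("no .mht report in archive")


def parse_report(mht_bytes: bytes):
    """Split the MHT into (steps, screenshots).

    steps: list of (step number, description text)
    screenshots: list of (content id, jpeg bytes), in report order
    """
    msg = message_from_bytes(mht_bytes, policy=policy.default)
    steps, shots = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            text = part.get_content()  # undoes quoted-printable/base64 and charset
            for m in STEP_RE.finditer(TAG_RE.sub("", text)):
                steps.append((int(m.group(1)), html.unescape(m.group(2)).strip()))
        elif ctype.startswith("image/"):
            cid = part.get("Content-ID") or part.get("Content-Location") or "?"
            shots.append((cid.strip("<>"), part.get_payload(decode=True)))
    return steps, shots


def triage(zip_bytes: bytes) -> dict:
    """Everything a responder wants from diag.zip in one call."""
    steps, shots = parse_report(find_report(zip_bytes))
    return {"sha256": sha256_hex(zip_bytes), "steps": steps, "screenshots": shots}


# --- constructed sample so the script runs without a real capture ----------

FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"  # JPEG markers only


def build_sample_archive() -> bytes:
    """A stand-in diag.zip holding a two-step MHT report (constructed)."""
    boundary = "----=_psr_sample_boundary"
    body = (
        "<html><body>\n"
        "<p><b>Step 1: User left click on &quot;Start&quot; (button)</b></p>\n"
        '<p><img src="cid:screenshot0001.JPEG"></p>\n'
        "<p><b>Step 2: User keyboard input on &quot;Run&quot; [... Enter]</b></p>\n"
        '<p><img src="cid:screenshot0002.JPEG"></p>\n'
        "</body></html>\n"
    )
    lines = [
        "MIME-Version: 1.0",
        f'Content-Type: multipart/related; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/html; charset=utf-8",
        "Content-Transfer-Encoding: quoted-printable",
        "",
        quopri.encodestring(body.encode()).decode(),
    ]
    for n in (1, 2):
        lines += [
            f"--{boundary}",
            "Content-Type: image/jpeg",
            "Content-Transfer-Encoding: base64",
            f"Content-ID: <screenshot{n:04d}.JPEG>",
            "",
            base64.b64encode(FAKE_JPEG).decode(),
        ]
    lines.append(f"--{boundary}--")
    mht = "\n".join(lines).encode()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Recording.mht", mht)  # file name is an assumption
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_archive())
    print("sha256:", result["sha256"])
    for number, text in result["steps"]:
        print(f"step {number}: {text}")
    print(f"{len(result['screenshots'])} screenshot(s) embedded")
```

Against a real archive, replace build_sample_archive() with the bytes of the file the user sent; the hash printed first is what goes in the incident notes, and the screenshot bytes can be written out as .jpg files for review outside Internet Explorer.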

I first started looking at PSR as a penetration testing tool. As you might imagine, the ability to capture screenshots, mouse clicks and keystrokes invisibly in the background is potentially useful to a penetration tester. However, I think it is more useful as an incident response tool. The screenshots can be useful to a penetration tester, but it doesn't record all the keystrokes. You can include Event Tracing logs with the /arcetl 1 option. Pauldotcom.com readers might know that I am very fond of ETW logs being used as a keylogger in a penetration test.

There are other interesting CLI options. For example, you can specify that you only want to record interactions with a specific process with the /recordpid process id# option. Here is the official list of CLI options from Microsoft's website. Examining the binary I notice there is also an undocumented /uisavedir directory option. For more information you can check out Microsoft's website at the link below. The list of command line options and examples from the Microsoft website are also below.


PSR Command Line Options

psr.exe [/start |/stop] [/output fullfilepath] [/sc (0|1)] [/maxsc value]
        [/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
        [/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
        [/stopevent eventname] [/maxlogsize value] [/recordpid pid]

/start       Start Recording. (Outputpath flag SHOULD be specified)
/stop        Stop Recording.
/sc          Capture screenshots for recorded steps.
/maxsc       Maximum number of recent screen captures.
/maxlogsize  Maximum log file size (in MB) before wrapping occurs.
/gui         Display control GUI.
/arcetl      Include raw ETW file in archive output.
/arcxml      Include MHT file in archive output.
/recordpid   Record all actions associated with given PID.
/sketch      Sketch UI if no screenshot was saved.
/slides      Create slide show HTML pages.
/output      Store output of record session in given path.
/stopevent   Event to signal after output files are generated.

(/arcmht appears in the synopsis above but has no entry in Microsoft's option descriptions.)

PSR Usage Examples:

psr.exe /start /output fullfilepath.zip /sc 1 /gui 0 /recordpid PID /stopevent eventname /arcetl 1

psr.exe /start /output fullfilepath.xml /gui 0 /recordpid PID /stopevent eventname

psr.exe /start /output fullfilepath.xml /gui 0 /sc 1 /maxsc number /maxlogsize value /stopevent eventname

psr.exe /start /output %temp%\%computername%_PSR.zip /sc 1 /gui 1 /arcetl 1 /arcxml 1 /sketch 1 /slides 1

psr.exe /stop

Join me in San Antonio Texas November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!

Follow me on Twitter @MarkBaggett

Mark Baggett
Microsoft's November 2012 Patch Tuesday release will include four critical bulletins to fix flaws in Windows 8 and other products.

At a panel discussion on cyberespionage and critical infrastructure protection, Huawei CSO Andy Purdy said his firm would help find solutions to the problem.

The Netatmo Weather Station is described as "the first personal weather station for iPhone & iPad." The Weather Station itself consists of two pieces of hardware, and the company provides a free iOS app for accessing weather data from these devices.

Rumor has it that there is an Adobe Reader (PDF) zero-day. Google "Group-IB zero day" and you'll find all the news outlets quoting each other. We don't have a sample PDF yet. If you have one, please share. Needless to say, a PDF exploit is serious, and if it is indeed embedded in the Blacole exploit kit, it is even more serious. Not that the bad guys need PDF though .. it looks to me like 70% of the Internet is anyway still vulnerable to CVE-2012-4681 (Java JRE), which has been in Blacole since late August.

Not a rumor: Flash Player has a couple of serious vulnerabilities, and Adobe has the patches: https://www.adobe.com/support/security/bulletins/apsb12-24.html Not that this is news, really. Adobe browser plugin products NOT having serious vulnerabilities for a change .. now THAT would be news.

AT&T has reversed its decision to allow Apple iPhone and iPad owners to use Apple's FaceTime videoconferencing application only on the carrier's most expensive data plans or if they are connected to Wi-Fi.
The traffic anonymisation tool Tor can leave confidential data such as passwords in system memory because the memory-clearing function it called can be optimised away by some compilers.

OpenStack Glance CVE-2012-4573 Arbitrary File Deletion Vulnerability
Microsoft will issue six security updates next week, including three for Windows 8 and its tablet spin-off Windows RT.
Our penchant for speaking euphemistically about those we believe to be responsible for cyberattacks has led to a state of utter confusion. It's time to stop.
Google wants to optimize its search pages for its growing base of mobile users, and it's a pretty subtle shift.
A federal judge has temporarily blocked enforcement of a provision in a just-enacted California state law that requires all registered sex offenders to immediately turn over all of their Internet identifiers and the names of their Internet service providers to local police or sheriff's departments.
Respondents largely opted for tablets over PCs in a survey asking which computer they had on their holiday wish list.
The release of the fourth-generation iPad so soon after the third-generation iPad may have come as a surprise to even diehard Apple watchers, but the device itself won't.
MantisBT 'delete_attachments_threshold()' Function Security Bypass Vulnerability
MantisBT Multiple Security Bypass Vulnerabilities
Smartphone and tablet users helped both presidential candidates raise funds and support in 2012, while mobile computing contributed directly to President Barack Obama's edge in Tuesday's presidential election.
Vulnerability Report on AWCM 2.2
Working with Xsens Technologies, STMicroelectronics will next week demonstrate what it calls the world's first wearable wireless 3D body motion-tracking system based on consumer-grade sensors.

Infosec predictions for 2013? Shoot me, please
CSO (blog)
Welcome to my third annual plea for security vendors to put away those self-evident New Year predictions. Today seems like the right time to do this. I've gotten three prediction emails since firing up the laptop. I've never been a fan of security ...

Hewlett-Packard (HP) has advised consumer customers not to downgrade new PCs equipped with Windows 8 to the earlier Windows 7.
The Messaging, Malware and Mobile Anti-Abuse Working Group has published seven recommended best practices for administrators and organisations regarding the vulnerability that was recently discovered in digital signatures for emails (DKIM)

Twitter appears to have reset the passwords for an undetermined portion of its user base because of a possible security breach.
Despite a recent Windows 8 zero-day vulnerability, security vendors say the new Microsoft platform is the most secure OS on the market.

Analysts predict that cloud computing will play a larger role in mobility and consumerization of IT, Windows Phone and Android tablet sales will grow and there will more hot-desking in large organisations in 2013.
Oracle on Thursday said it has agreed to acquire PPM software vendor Instantis, in a move that will build upon its past acquisition of Primavera.
APPLE-SA-2012-11-07-1 QuickTime 7.7.3
Cisco Security Advisory: Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability
Cisco Security Advisory: Cisco Nexus 1000V Series Switch Software Release 4.2(1)SV1(5.2) Virtual Security Gateway Bypass Issue
xlockmore 'dclock' Mode Security Bypass Vulnerability
According to a Russian security firm, the current version of Reader contains a critical hole that allegedly even allows attackers to break out of the application's sandbox. A suitable exploit is also said to be available for about $30,000 to $50,000

XiVO 'id' Parameter Arbitrary File Download Vulnerability
Citrix Systems and NetApp have jointly developed a software and hardware package optimized for Citrix's ShareFile with StorageZones.
Cybercriminals are using a new PDF exploit that bypasses the sandbox security features in Adobe Reader X and XI, in order to install banking malware on computers, according to researchers from Russian security firm Group-IB.
Lenovo's CEO said on Thursday he expects the market will gradually move away from entertainment-focused tablets in favor of convertible PCs, which he said can strike a balance between the functions of touch-based tablets and the productivity of a laptop.
Sony said Thursday that the executive in charge of its online products, and linking them up to its broad hardware holdings, will leave the company at the end of the year.
Lenovo said Thursday its net profit for the fiscal second quarter increased by only 13% year-over-year, marking a shift from the high profit growth the company has previously seen.
Software made by Siemens and targeted by the Stuxnet malware is still full of other dangerous vulnerabilities, according to Russian researchers whose presentation at the Defcon security conference earlier this year was cancelled following a request from the company.
The 2012 presidential campaign was focused on serious stuff, but that doesn't mean there wasn't room for fun. That's where social networks came in, and their users quickly seized on verbal slip-ups, comical photos and missteps by the candidates.
HDS's new flash module is built specifically for enterprise-class workloads. The 1.6TB module fits in an 8U flash chassis. Each enclosure can scale from 6.4TB up to 76.8TB.
Verizon said it is extending its managed services offering for Microsoft Lync Server to its business customers by adding the ability to operate, monitor and manage unified communications and collaboration servers and functions.
Many large enterprises gravitate to the cloud as an escape hatch for overworked and out-of-room data centers -- and then come to love it.
Version 7.7.3 of Apple's QuickTime media player for Windows addresses nine security vulnerabilities, all of which could be exploited to crash the application or execute arbitrary code

The latest beta uses a built-in list of domains, such as paypal.com, where it will force the browser to only use encrypted connections. This is designed to prevent man-in-the-middle attacks overriding HSTS headers

For its next generation of supercomputers, Cray has focused on radically improving the I/O (input/output) of individual nodes. The new XC30 supercomputer will feature a new interconnect, called Aries, and a new routing topology that together promise to dramatically improve internal bandwidth.

Posted by InfoSec News on Nov 08


[Buy it: http://www.amazon.com/exec/obidos/ASIN/1468063871/infosecnews-20
or via http://www.shopinfosecnews.org/ - WK]

By Michael D. Peters
November 07, 2012

This book includes a comprehensive set of policies based on
international standards of best practice. The global standard that comes
closest to hitting...

Posted by InfoSec News on Nov 08


By Mathew J. Schwartz
November 07, 2012

Sophos has patched seven vulnerabilities in its antivirus software,
including bugs that could be used by an attacker to take control of a
Windows, Mac, or Linux system.

By exploiting the vulnerabilities, an attacker may be able to gain
control of the system, escalate privileges,...

Posted by InfoSec News on Nov 08


By Dan Goodin
Ars Technica
Nov 7 2012

Adobe officials say they're investigating claims of a recent attack. A
newly published report claims the latest versions of the widely used
Reader document viewer are under attack by exploit code that targets a
previously unknown vulnerability.

The particular exploit is available in underground...

Posted by InfoSec News on Nov 08


By Sharon D. Nelson & John W. Simek
Wisconsin Lawyer
Vol. 85, No. 11, November 2012

Another day, another data breach. Data breaches have proliferated with
amazing speed. Here is the roundup of some of the largest victims in
2011 alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary,
TripAdvisor, Citigroup, NASA,...

Posted by InfoSec News on Nov 08


November 7, 2012

The number of taxpayers affected by the massive data hacking at the
state Department of Revenue has risen by 200,000 to 3.8 million, S.C.
officials told The State on Tuesday.

Meanwhile, South Carolina was expecting a much larger price tag to help
protect consumers in the days just...
A federal court in the U.S. on Wednesday temporarily restrained law officials in California from enforcing new provisions that allegedly violate the free speech rights of sexual offenders.