Hackin9

InfoSec News

libxml2 CVE-2012-2807 Multiple Integer Overflow Vulnerabilities
 
Blizzard Entertainment, maker of popular multiplayer online games such as World of Warcraft, Diablo and Starcraft, warned on Thursday that its internal network was breached, revealing scrambled passwords and email addresses.
 
James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html
There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq
I'm going to repeat a little of what they said about what was accessed:

Here's a summary of the data that we know was illegally accessed:
North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia

Email addresses
Answers to secret security questions
Cryptographically scrambled versions of passwords (not actual passwords)
Information associated with the Mobile Authenticator
Information associated with the Dial-in Authenticator
Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia)

Email addresses

China-based accounts

Unaffected

At this time, there's no evidence that financial information of any kind has been accessed.
This includes credit cards, billing addresses, names, or other payment information.

Note the bit in bold: Answers to secret security questions. As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard) the secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge.
So, Blizzard's recommendation to change your password is largely ineffective for North American customers. If you're concerned about your account, change your security questions, and go with their two-factor solution too.
UPDATE: After spending 15 minutes on the battle.net website I couldn't find an easy way to change/update the security question. The best I could do was add SMS alerts to authorize any password resets.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Cloud storage provider Livedrive introduced an app for Google's Chromebook on Thursday that is designed to give Livedrive customers access to their files stored online, which can total as much as 5TB.
 
Ushahidi Multiple Security Vulnerabilities
 
Samsung could face penalties from the U.S. District Court in Northern California after one of its lawyers involved in the patent battle against Apple admitted that she hadn't filed the paperwork necessary to practice law in front of the court.
 
Microsoft said it would address ten vulnerabilities in the August 2012 Patch Tuesday, including flaws in Internet Explorer.

 
Tilon is related to the Silon malware detected in 2009. It uses a man-in-the-browser attack to capture form submissions and steal credentials.

 
 
Picture doing a remote software upgrade. Now picture doing it when the machine you're upgrading is a robotic rover sitting 350 million miles away, on the surface of Mars.
 
Google Chrome OS Prior to 21.0.1180.50 Multiple Security Vulnerabilities
 
Although analysts say Google's $22.5 million fine from the FTC is a simple slap on the wrist, they argue that the publicity about it may still push the company to change.
 
Microsoft will patch at least 14 vulnerabilities next week, including four in Internet Explorer (IE), making it three months in a row that the company has plugged holes in its browser.
 
Salesforce.com is planning to up its stake in human resources software with the unveiling of a new service called Work.com next month during the Dreamforce event in San Francisco.
 
Alligra Calligra Heap Based Buffer Overflow Vulnerability
 
Google will pay a historic fine to settle U.S. government charges that it violated privacy laws when it tracked via cookies users of Apple's Safari browser.
 
Federal watchdog calls on FCC to reassess and update radiation exposure and testing standards for mobile devices.
 
Bitcoin WxBitcoin and Bitcoind CVE-2010-5137 Denial of Service Vulnerability
 

Pro-Israel hacker tells how he brought down dozens of Iranian sites
InfoWorld
He then went on to entirely delete all of the sites, according to an email sent to InfoWorld and at least one other tech publication, InfoSec Island. "All the sites were deleted today (del *.* :-). I had a console backdoor on the server ... the DNS ...

 
Pinterest, a social pinboard site, threw open its doors to anyone who wants to join.
 
 
A sophisticated cyber surveillance tool that monitors financial transactions with Middle Eastern banks was probably built by or under the auspices of a government, security researchers said today.
 
Ruby on Rails CVE-2012-2694 Unsafe SQL Query Generation Vulnerability
 
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
 
[HITB-Announce] HITB Magazine Issue 009 - Call for Submissions
 
Arasism (IR) CMS - File Upload Vulnerability
 
Joomla com_fireboard - SQL Injection Vulnerability
 
With no budget, our manager has to devise a security awareness and training program on his own.
 
Facebook has confirmed that four high-ranking managers are moving on from the company, news that will fuel speculation that the social networking giant may suffer a talent drain in the wake of its IPO.
 
Forensic IT specialists can use libfvde to decrypt and read hard disks and images that are secured with Mac OS X 10.7 Lion's FileVault2 whole-disk encryption program.


 
The Chrome developers, working with Adobe, have significantly improved the sandboxing of the Flash plugin in Chrome to improve its security. These improvements have now arrived in the Windows version of Chrome.


 
Kaspersky Lab has exposed a new cyberespionage toolkit it says is used in nation-state-sponsored attacks targeting people in the Middle East.

 
Device loss tops a growing list of concerns, but the potential for malware and data leakage fuels interest in platforms to control personal devices.

 
 
[ MDVSA-2012:128 ] bash
 
Flogr v2.5.6 & v2.3 - Cross Site Script Vulnerabilities
 
Unless you are reading this from the Olympic Village in London, I'm going to guess that the odds of you one day enjoying Olympic glory are several hundredths of a decimal point removed from "minimal." Not to worry: Flick Champions World Edition gives you a chance to enjoy some time on the medal stand, and the only muscles you'll need to exert reside within your index finger.
 
China and the U.S. were the two largest sources of Internet-attack traffic in the first quarter of 2012, increasing to account for 16 percent and 11 percent respectively, according to Akamai Technologies.
 
With its rugged-looking interface and sample videos depicting slowed-down mountain biking and ski jump shots, SloPro seems to cater to a particular set of X Games surf/snowboard/skater enthusiasts. But even if you don't generally shoot fast action sports videos, SloPro is fun to use. With a few taps, you can speed up or slow down video of any subject--from a passing cityscape to a child blowing out her birthday candles--without relying on desktop video-editing software like iMovie or Final Cut Pro. There are some limitations to what you can accomplish with SloPro, and editing can be annoying, but the app produces cool results.
 
Flogr 'tag' Parameter Multiple Cross Site Scripting Vulnerabilities
 

Extreme Negative SEO: Know Your Vulnerabilities
Search Engine Watch
Blackhat and Defcon are what are professionally known as InfoSec (Information Security) conferences – or "hacking" conferences to the rest of us. Why would an SEO need to attend a conference about security, exploitation and hacking? What would you hope ...

 
Open source NoSQL database will get schema change and virtual node capabilities, and query improvements are also eyed
 
Digia has acquired the Qt framework from Nokia, giving it full control over the application framework, and now plans to expand support to more platforms, it said on Thursday.
 
Some are bad habits to overcome; some are poor decisions forced by managers who don't know what they're doing. Read 'em ... and weep
 
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
New York City is using a new data aggregation and real-time analytics tool to combat crime and terror threats in the city.
 
Apple continues to narrow the gap between supply and demand for its high-priced, high-resolution Retina MacBook Pro and looks to be on track to make good on the CEO's promise last month.
 
A judge in California has vacated a July jury decision that Research In Motion pay $147.2 million in damages to Mformation Technologies to settle a patent dispute.
 
It's lacking enough functionality to make it worth waiting for subsequent versions, Jonathan Hassell says, unless you're building Azure apps right now.
 
Lenovo announced the ThinkPad Tablet 2, which has a 10.1-inch screen, and kicks off a new generation of the company's PCs and devices with Microsoft's upcoming Windows 8 operating system.
 
NetDecision TFTP Server Directory Traversal Vulnerability
 
According to some news sources (thanks Alexander), a trojan is doing the rounds in the Netherlands at the moment, causing major issues within organisations.
The web sites http://webwereld.nl/nieuws/111424/nieuwe-trojan-grijpt-wild-om-zich-heen-in-nederland.html and http://nos.nl/artikel/404668-computervirus-treft-ook-venlo.html (both in Dutch) report that a trojan is affecting a number of organisations. According to the article, the trojan affects machines that are already infected with Zeus. Fox-IT has an analysis here: http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/ and some of the original information can be found here: http://www.damnthoseproblems.com/?lang=en
According to the analysis, the malware encrypts files, which will be a problem for those without proper backups.
If you have samples, feel free to upload them to our contact form (zipped up with a password of "infected", please).
Mark
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Indian offshoring giant Infosys ran a "full-throated campaign of retaliation" against employees to deter them from cooperating with federal authorities investigating visa fraud, according to a new lawsuit.
 
President Obama is exploring the option of using his executive authority to get government agencies and critical infrastructure owners to implement better controls for protecting their computer networks.
 
Wearable technology today mainly covers healthcare products and wellness applications. But, the market is expected to explode from 14 million devices sold this year to as many as 171 million in 2016, mostly from the entertainment and fitness industries.
 

Just a quick follow-up on Daniel's diary from last week (https://isc.sans.edu/diary.html?storyid=13813) regarding the liluhophilupop SQL injection run, which has started up again as of approximately the 1st of August.
This particular run is very similar to the one back in December 2011 with one minor variation, so far. The platform being attacked is still applications with MSSQL as the backend. The target is to inject a php script which redirects, etc, etc (the usual rabbit hole). The main difference between the two attacks is that this time many different domains are being injected rather than the one main domain as was the case in December. Some of the comments on the previous diary entry provided some of the domains. These are the ones I have found so far.

lasimp04risoned.rr.nu
eighbo02rsbarr.rr.nu
reque83ntlyin.rr.nu
tentsf05luxfig.rr.nu
andsto57cksstar.rr.nu
brown74emphas.rr.nu
tartis78tscolla.rr.nu
senior78custome.rr.nu
sfl20ewwa.rr.nu
ksstar.rr.nu
enswdzq112aazz.com
www.bldked98f5.com
www1.mainglobilisi.com
xinthesidersdown.com
inglon03grange.rr.nu

rr.nu seems to be a nice spot for malicious domains.
The attack is ramping up slightly with search engines reporting approximately 235K pages infected at the moment. BTW previous sites that were affected back in December are being revisited as part of this run. So if that was you, then you may wish to check your log files to make sure you haven't been affected again.
If you look through your logs, look for

--snip-- /somedirectory/somepage.asp somevar=38272%27+declare+%40s+varchar% --snip--

(I usually just grep/search for declare, or varchar or char, that usually does the trick)

If that does not find it, look for large URL queries (say longer than 1000 chars) or 500 errors.

Identify the injection variable used, in this case somevar=38272.

When you look through your previous logs you will find entries similar to these.

--snip-- /somedirectory/somepage.asp somevar=38272%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40v --snip--

--snip-- /somedirectory/somepage.asp somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%4 --snip--

--snip-- /somedirectory/somepage.asp somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40 --snip--
These are initial tests to see if the application has some ready injection points.
Take the IP address from these log lines and check your web logs again for those IP addresses and you will find other activities. The user agent string is also good to use, as it often stays the same even though different IP addresses are being used.
When you are doing remediation, make sure the developers understand that any input that results in a SQL query can be used to inject. It does not have to be a form variable; any variable is fair game. All input must be validated prior to being used (and not just at the client end either).
Thanks to those that provided some log records. Happy logging.
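The log search described above (grep for declare/varchar, fall back to over-long queries and 500 errors, pull out the injection variable, then pivot on the source IP and User-Agent) can be scripted. The following is an added example, not code from the diary or from the ISC; the IIS W3C-style log lines, IP addresses and User-Agent are constructed for illustration, and the field layout assumed is `date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status` (IIS writes spaces inside the User-Agent as `+`, which is what makes whitespace splitting safe).

```python
"""Triage helper for the MSSQL injection run described in the diary (added example)."""
from urllib.parse import unquote_plus

# Constructed sample log, IIS W3C style. The "declare ... varchar(4000)" line carries a
# deliberately non-functional placeholder in place of a real payload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services (constructed sample)
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2012-08-01 03:10:44 GET /somedirectory/somepage.asp somevar=38272 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200
2012-08-01 03:12:01 GET /somedirectory/somepage.asp somevar=38272%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 500
2012-08-01 03:12:02 GET /somedirectory/somepage.asp somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 500
2012-08-01 03:12:09 GET /somedirectory/somepage.asp somevar=38272%27+declare+%40s+varchar%284000%29+%2F%2Aplaceholder%2A%2F-- 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
2012-08-01 03:15:30 GET /somedirectory/other.asp id=5 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
2012-08-01 03:20:11 GET /somedirectory/somepage.asp somevar=9 192.0.2.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
2012-08-01 03:25:00 GET /index.asp - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200
"""

# Substrings that the diary suggests grepping for, plus the "1=@@" shape of the probing requests.
SQL_MARKERS = ("declare", "varchar", "cast(", "exec(", "1=@@", "@@version")


def parse_line(line):
    """Parse one IIS W3C line into a dict; directives, blanks and malformed lines give None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, method, stem, query, ip, ua, status = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else query, "ip": ip, "ua": ua, "status": int(status)}


def normalise(query):
    """URL-decode, collapse /**/ comment padding to spaces and lowercase, so keywords match."""
    return unquote_plus(query).replace("/**/", " ").lower()


def flag_reasons(entry, long_query=1000):
    """Return the reasons a request looks like part of the injection run (empty list if clean)."""
    reasons = []
    decoded = normalise(entry["query"])
    hits = [m for m in SQL_MARKERS if m in decoded]
    if hits:
        reasons.append("sql keywords: " + ", ".join(hits))
    if len(entry["query"]) > long_query:
        reasons.append(f"query longer than {long_query} chars")
    if entry["status"] == 500:
        reasons.append("HTTP 500")
    return reasons


def injection_variables(entry):
    """Name the query parameters whose decoded value carries a SQL marker (e.g. 'somevar')."""
    found = []
    for param in entry["query"].split("&"):
        name, _, value = param.partition("=")
        if any(m in normalise(value) for m in SQL_MARKERS):
            found.append(name)
    return found


def triage(log_text):
    """Flag suspect requests, then pivot on their source IPs and User-Agents for related activity."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    suspects = [(e, flag_reasons(e)) for e in entries]
    suspects = [(e, r) for e, r in suspects if r]
    ips = {e["ip"] for e, _ in suspects}
    uas = {e["ua"] for e, _ in suspects}
    variables = sorted({v for e, _ in suspects for v in injection_variables(e)})
    # Requests that did not trip a rule but came from a flagged IP or User-Agent.
    related = [e for e in entries if (e["ip"] in ips or e["ua"] in uas) and not flag_reasons(e)]
    return {"suspects": suspects, "pivot_ips": sorted(ips), "pivot_uas": sorted(uas),
            "injection_variables": variables, "related": related}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for entry, reasons in report["suspects"]:
        print(f"SUSPECT {entry['ts']} {entry['ip']} {entry['stem']}?{entry['query'][:60]}  <- {'; '.join(reasons)}")
    print("injection variables:", report["injection_variables"])
    print("pivot IPs:", report["pivot_ips"])
    for entry in report["related"]:
        print(f"RELATED {entry['ts']} {entry['ip']} {entry['stem']}?{entry['query']}")
```

Run it against your own IIS logs by replacing `SAMPLE_LOG` with the file contents; the `related` list is the pivot step, and on the constructed sample it surfaces a request to a different page from the same IP and a request from a different IP that reused the same User-Agent.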
Mark H



(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Aug 08

http://www.thestar.com/business/article/1239150--canadian-hacker-dupes-wal-mart-to-win-def-con-prize

By Jessica McDiarmid
Staff Reporter
TheStar.com
August 8, 2012

It was an elaborate yarn, weeks in the making.

"Gary Darnell" from Wal-Mart's home office in Bentonville, Ark., called
a store in Western Canada. He lamented having to work the weekend.

He explained that NATO was shopping around for a private retailer who
could...
 

Posted by InfoSec News on Aug 08

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

This is a call for article submissions for Issue 009 of HITB's quarterly
magazine - http://magazine.hitb.org/ which will be released alongside
#HITB2012KUL - The 10 year anniversary of the HITB Security Conference
series in Malaysia.

HITB Magazine is a deep-knowledge technical publication and we are only
interested in article submissions that are a.) highly technical or...
 

Posted by InfoSec News on Aug 08

http://www.cso.com.au/article/433128/crowdstrike_boss_explains_offensive_security_targeted_attacks/

By Liam Tung
CSO Online (Australia)
09 August, 2012

Data forensics are not enough for security pros looking to fend off
targeted attacks, according to CrowdStrike chief and co-founder George
Kurtz, who says companies want to take the fight to the adversary.

Defence, detection and details are not enough, Kurtz tells CSO.com.au,
claiming...
 

Posted by InfoSec News on Aug 08

https://www.nytimes.com/2012/08/08/us/pacifists-who-broke-into-nuclear-weapon-facility-due-in-court.html

By MATTHEW L. WALD and WILLIAM J. BROAD
The New York Times
August 7, 2012

WASHINGTON -- An 82-year-old nun and two fellow pacifists who penetrated
the defenses of one of the nation’s most important nuclear weapons
facilities last week are due in federal court in Knoxville, Tenn., on
Thursday to face charges of trespassing and...
 

Posted by InfoSec News on Aug 08

http://www.informationweek.com/big-data/news/software-platforms/240005132/hadoop-security-some-enterprises-miss-risks

By Jeff Bertolucci
InformationWeek
August 08, 2012

Hadoop has plenty of advocates, most of whom praise the open-source
framework's speedy data processing and analytics capabilities for
organizations that manage huge volumes of data. But many enterprises
don't understand how to secure Hadoop, some Hadoop community...
 