InfoSec News

We have had several reports regarding a potential issue in the EXIM Mail Transfer Agent (MTA). Thanks John, Greg, Brad Edward. The issue relates to a privilege escalation through a specially crafted email. You can read the information here: http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html#exim-dev
Haven't had a chance to install EXIM and test it myself. If you have, let us know. In the meantime you may wish to consider running it in unprivileged mode (probably good practice under any circumstances anyway). Instructions on how to do that can be found here: http://www.exim.org/exim-html-3.20/doc/html/spec_55.html
Mark H (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Samsung SF510 undeniably looks good. Its sleek white exterior makes this all-purpose laptop look thinner than it really is, and the light weight doesn't hurt either. Flipping open the lid reveals an LED-backlit, 15.6-inch display and a nearly full size keyboard, complemented by a separate numeric keypad. The unit weighs just 5 pounds, 8 ounces without the power brick and 6 pounds, 3 ounces fully loaded.
 
Real Networks RealPlayer Advance Multiple Remote Vulnerabilities
 
The CR-48 has landed! This morning, we received one of Google's first Chrome OS-powered laptops. As you'll see in our video, the CR-48 looks a lot like an old black Apple MacBook that's trying to sneak past customs -- it's all flat black with no stickers or even product logos anywhere to draw attention.
 
Mozilla Firefox Pseudo URL Same Origin Policy Security Bypass Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2010-74 -82, 84 Multiple Vulnerabilities
 
Drupal Embedded Media Field/Media: Video Flotsam/Media: Audio Flotsam Multiple Vulnerabilities
 
The software giant's last batch of scheduled fixes for 2010 is a "doozy" that will address critical remote code-execution flaws in Windows and IE.

 

Infosec Reform Downed by Don't Ask, Don't Tell Filibuster
GovInfoSecurity.com (blog)
A measure to significantly change the way IT security would be governed in the federal government will not become law this year. ...

 
Having lost to HP in a battle to acquire 3Par earlier this year, Dell announced that it's in talks to acquire its next best option: SAN vendor Compellent. Since Dell's reseller relationship with EMC is already strained, experts say this will be the death knell for the pair's longstanding partnership.
 
Google continues its aggressive strategy to poach Exchange customers with the launch on Thursday of a Gmail-based disaster recovery and business continuity service for organizations running the Microsoft e-mail server on premises.
 
Market research firms Gartner and IDC on Thursday said that worldwide semiconductor revenue will slow down next year, putting the brakes on the market's recovery this year from the recession.
 
Online applications vendor Zoho is continuing to bring its CRM (customer relationship management) software up to par with longer-established offerings, announcing this week that it has completed integrations with QuickBooks and a number of telephony systems.
 
The software giant's last scheduled patch of 2010 is a "doozy" that includes 17 bulletins, two addressing critical remote code-execution flaws in Windows and IE.

 
The retaliatory attacks by pro-WikiLeaks activists are growing in strength as hackers add botnets and thousands of people download an open-source attack tool, security researchers said today.
 
Mark Zuckerberg, the billionaire behind Facebook, has pledged to donate a sizable chunk of his fortune to charity.
 
Dutch authorities arrested a 16-year-old boy on Wednesday in relation to the cyberattacks against Visa, MasterCard and PayPal, which were aimed at punishing those companies for cutting off services to WikiLeaks.
 
Microsoft plans to deliver a record 17 security updates next week to patch 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange.
 
Article One Partners offers a reward for researchers who find prior art for three NTP mobile e-mail patents.
 
While we're on the subject of improving Firefox performance (see yesterday's post on clearing the Downloads list), let's talk about old, outdated Java Consoles.
 
The loosely-knit group of hackers dubbed Anonymous today apparently failed in its effort to launch a DDoS attack on Amazon.com.
 
CA20101209-01: Security Notice for CA XOsoft
 
Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)
 
Perl CGI.pm Header Values Newline Handling Unspecified Security Vulnerability
 
Apache 'mod_proxy' Remote Denial Of Service Vulnerability
 
Apache 'Options' and 'AllowOverride' Directives Security Bypass Vulnerability
 
Apache APR-util 'apr_strmatch_precompile()' Integer Underflow Vulnerability
 
Computerworld polled readers earlier this year for its annual holiday gift guide, and tablets took center stage. Now it's your turn: What's tops on your holiday tech wish list?
 
Oracle loses the Apache Software Foundation from the Java Community Process
 
Google this week reiterated its interest in being able to give users search results before they even know they want them.
 
Nearly one in 10 American adults who use the Internet are also Twitter users, according to a Pew Research Center survey.
 
The latest version of Core Impact can now scan network devices for security vulnerabilities
 
Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
 
Apache HTTP Server Arbitrary HTTP Request Headers Security Weakness
 
Microsoft on Wednesday issued an Office for Mac 2008 security update that patched four vulnerabilities the company had disclosed but not addressed last month.
 
Dell said Thursday it is in advanced talks with storage vendor Compellent Technologies regarding a merger that would call for Dell to pay $27.50 per share, or roughly $876 million, for the company.
 
Cisco, Ericsson and Fujitsu earn top honors for their efforts in climate solutions, remote collaboration and telecommuting offerings.
 
VMware Hosted Products VMware Tools Command Injection Vulnerability
 
We're at an awkward stage as the age of network-streamed multimedia matures. Broadband and cell providers have only recently realized the public's enormous appetite for streaming video, VoIP, and the combination of both.
 
Things will get rowdier for vendors of cloud collaboration, communication and office productivity applications now that Microsoft plans to unleash a take-no-prisoners assault on the market with Office 365.
 
[ MDVSA-2010:250 ] perl-CGI-Simple
 
[USN-1030-1] Kerberos vulnerabilities
 
XSRF (CSRF) in CMScout
 
XSS vulnerability in Diferior
 
U.S. IT job loss may level off in coming years, but the likelihood that corporate IT will ever contribute to job creation again is minimal, according to a recent study by the Hackett Group. CIO.com talked to Hackett's lead researchers about what's driving IT jobs offshore, what roles will remain stateside, and why some American IT professionals may have to send their resumes to China.
 
Dell said Thursday it is in advanced talks with storage vendor Compellent Technologies regarding a merger that would call for Dell to pay US$27.50 per share, or roughly $876 million, for the company.
 
WordPress 'xmlrpc.php' Remote Security Bypass Vulnerability
 

King's Lynn & West Norfolk borough council moves to GCSx and CoCo compliance ...
SC Magazine UK
Implementing LogLogic's log management solutions and specific GCSx reporting packages, the council will now be helped by LogLogic with the CESG Infosec ...

 
Indian outsourcer Satyam Computer Services plans to offer cloud-based services as one of many plans to recover ground it lost during a financial scandal.
 
Joomla! JXtended Comments Component Multiple Cross-Site Scripting Vulnerabilities
 
Amazon retailers are being targeted by fraudsters who have created a custom-built program that generates fake receipts for nonexistent orders, according to researchers from GFI Software.
 
A leaked U.S. State Department cable published by WikiLeaks on Monday indicated that Estonia told U.S. diplomats that circumstantial evidence linked the Russian government to 2007 cyberattacks against the country.
 
Amazon Web Services is making it possible for developers to directly integrate mobile applications for Apple's iPhone, iPad, and iPod Touch, and also apps for Android-based smartphones.
 
IBM WebSphere Commerce Outbound Messaging System Information Disclosure Vulnerability
 

With the current WikiLeaks-driven DDoS attacks I thought I'd have a closer look at the tool being used to conduct the attack.
The tool being distributed if you wish to partake in the attack (and no, that is not an invitation or endorsement) is an application called javaLOIC, a Java port of Low Orbit Ion Cannon, a tool that can be used to test a site's resilience to DoS attacks. But obviously if you point it at someone else's site the effect can be quite damaging.

To be honest there isn't really much to the application: a pretty screen with some buttons to press and a flood module that crafts some packets for the target to deal with.

You enter the Twitter ID that has been communicated to you, click the Get Orders button and, when ready, click the Fire!! button. Other than that there isn't really that much to the application.
The application uses a hardcoded URL with an interchangeable Twitter ID. It pulls a JSON file down and parses it for target, protocol and port information. When the Fire!! button is pressed a number of sessions are established with the target server (in my test cases 7 sessions were established). The string hihihihihihihihihihihihihihihihi is sent to the port (I assume this may be configurable). And that is basically it. The flood module cranks out multiple requests at a time and the target server gets busy.

So in essence it is a whole bunch of people requesting a resource that is not available on the server. When you get enough people doing this, something has to give; in this case, the web sites of the targets. If they have an IPS in place it may be as simple as looking for the above string to help slow the attack and keep the site up.
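As an added example (not part of the diary or of any vendor product), a small Python detector applying that IPS idea to constructed packet samples: it matches the flood string at the start of a payload, tolerating a different repeat count since the diary notes this may be configurable, and counts hits per source so noisy senders can be rate limited. The addresses, traffic and threshold are all made up for the example.

```python
import re
from collections import Counter

# The string the diary reports javaLOIC sending to the target port. The repeat
# count may be configurable, so match any run of eight or more "hi" pairs at
# the start of the payload rather than only the exact string.
LOIC_MARKER = b"hihihihihihihihihihihihihihihihi"
LOIC_PATTERN = re.compile(rb"^(?:hi){8,}")

# Constructed sample of captured TCP payloads: (source IP, destination port,
# payload). Addresses come from documentation ranges; the traffic is invented.
SAMPLE_PACKETS = [
    ("203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("198.51.100.7", 80, LOIC_MARKER),
    ("198.51.100.7", 80, LOIC_MARKER),
    ("198.51.100.7", 80, b"hihihihihihihihihihihi"),  # shorter variant, still a flood
    ("198.51.100.7", 80, LOIC_MARKER),
    ("192.0.2.9", 80, b"POST /login HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("192.0.2.9", 80, b"hi"),  # far too short to count as the marker
    ("203.0.113.5", 443, LOIC_MARKER),
]


def is_loic_flood(payload: bytes) -> bool:
    """True when the payload looks like the javaLOIC flood string."""
    return LOIC_PATTERN.match(payload) is not None


def loic_hits_per_source(packets):
    """Count flood-marked packets per source address."""
    return Counter(src for src, _port, payload in packets if is_loic_flood(payload))


def flag_sources(packets, threshold=3):
    """Sources with at least `threshold` flood packets: candidates for rate
    limiting at the IPS. The threshold is a made-up starting point."""
    hits = loic_hits_per_source(packets)
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(loic_hits_per_source(SAMPLE_PACKETS)))
    print(flag_sources(SAMPLE_PACKETS))
```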

The Twitter angle in this application piqued my interest: it is using the Twitter API in a new and creative way, certainly one that hadn't readily occurred to me. However, I guess it is easy enough for Twitter to deal with, but then it likely becomes a game of whack-a-mole to find the evil Twitter account being used this time round.

Cheers

Mark H
UPDATE
A JavaScript version of LOIC is also being used (thanks Jeff). As you can see from the screen shot it comes pre-targeted, in this case PayPal. There is also a mobile version which doesn't look as pretty, is currently not pre-targeted and uses the same HTTP requests.
From the code it makes HTTP requests to the target site and has some elements in the code so as not to adversely affect the browser being used. Target changes are communicated via the IRC channel to participants. From the looks of it the code could easily be modified to autofire rather than require a user to choose to participate.
 
PayPal's website was hit late Wednesday by two botnets as online activists continued their Web attacks on companies that have severed their relationships with WikiLeaks.
 
The recession that officially ended last year hit tech workers' wages across the U.S., with Silicon Valley workers seeing the biggest drop.
 
These utilities will help you create a faster, more productive Windows environment
 
Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability
 
Abtp Portal Project 'ABTPV_BLOQUE_CENT' Parameter Local and Remote File Include Vulnerabilities
 


Visa, MasterCard hit by Payback DDoS
ZDNet Australia
My ramble on the attacks. http://bit.ly/fwdRBY #infosec So I guess it's official: the enemies of #Wikileaks are the enemy of #Anonymous. ...
PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress
eWeek
 

PayPal releases frozen Wikileaks money
ZDNet Australia