InfoSec News

Posted by InfoSec News on Oct 09


10 October 2012

Members of the RedHack group are facing up to 24 years in prison after
prosecutors qualified their activity as aiding “an armed terrorist
organization.” The defense claims the allegations are part of state
policy of targeting the opposition.

Turkish hacker group RedHack is being held responsible for taking down
the central Turkish police website in February,...

Posted by InfoSec News on Oct 09


By Dan Goodin
Ars Technica
Oct 9, 2012

Security consultants have independently confirmed a serious security
weakness that makes it trivial for hackers with physical control of many
computers sold by Dell, Acer, and at least 14 other manufacturers to
quickly recover Windows account passwords.

The vulnerability is contained in...

Posted by InfoSec News on Oct 09


By Melissa Jenco
Tribune reporter
October 8, 2012

Naperville residents’ credit card information was not compromised by the
virus that has kept the city’s website and email down for nearly a week,
officials said Monday night.

The city has launched a criminal investigation into the breach and has
set up a...

Posted by InfoSec News on Oct 09


By Mathew J. Schwartz
October 08, 2012

The network slowdown was one of the first clues that something was amiss
at GunnAllen Financial, a now defunct broker-dealer whose IT problems
were only a symptom of widespread mismanagement and deeper misconduct at
the firm.

It was the spring of 2005. Over a period of roughly seven...

Posted by InfoSec News on Oct 09


By Ellen Messmer
Network World
October 08, 2012

According to a survey of 56 corporate and governmental organizations
conducted by the Ponemon Institute, the average amount they paid for all
the costs associated with cyberattacks was $8.9 million during the past
year. That's up 6% from the previous year's study.

And for the first time, Ponemon expanded...
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Three U.S.-based service providers that use equipment from Huawei Technologies said on Tuesday they take strong precautions to ensure the security of their networks, responding to a congressional report on Monday that said carriers should not buy from Huawei or ZTE.
Lenovo on Tuesday announced a new range of Windows 8 and RT hybrid computing devices that can function as tablets or laptops.
The new requirements for digital certificates kick in with the October update, which includes one critical bulletin and six important bulletins.

Sprint said it plans to sell the LG Mach smartphone for use on its 4G LTE network, adding a second slider-style smartphone with a physical qwerty keyboard.
Siemens SIMATIC S7-1200 PLC 'web server' Component Cross Site Scripting Vulnerability
Sprint said it plans to sell the LG Mach smartphone over 4G LTE this fall, adding a second slider-style smartphone with a physical Qwerty keyboard.
IBM has expanded its PureSystems line of pre-integrated systems to include new models to handle business analysis and online transaction processing.
TLS Protocol CVE-2012-4929 Information Disclosure Vulnerability
Verizon Wireless said it will launch faster LTE wireless service in 21 cities on Oct. 18, reaching a total of 410 markets two months ahead of schedule.
Microsoft today patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug used to attack the company's own online services.
Watch out, Pinterest. Facebook is testing a new feature called Collections, which is designed to enable businesses to showcase and sell their products.
Chinese telecommunication equipment vendor Huawei Technologies has dismissed a U.S. House of Representatives report questioning the company's ties to the Chinese government, with a Huawei official suggesting the report was politically motivated.
WingFTP Server Denial of Service Vulnerability
BufferOverflow Vulnerability on Logica HotScan SWIFT Alliance Access Interface
In an effort to better acquaint Web developers with the open technologies that can be used to build Web applications, the World Wide Web Consortium (W3C) has launched a Web site with tutorials and other documentation that cover most of today's Web standards, including the emerging HTML5 set of standards. The site has also been designed to provide more user feedback to the developers of the Web standards themselves.
Microsoft SQL Server Report Manager CVE-2012-2552 Cross Site Scripting Vulnerability
Microsoft Windows Kerberos CVE-2012-2551 Denial of Service Vulnerability
[security bulletin] HPSBOV02822 SSRT100966 rev.1 - HP Secure Web Server (SWS) for OpenVMS, Remote Denial of Service (DoS), Unauthorized Access, Disclosure of Information
Privilege Escalation Vulnerability in Microsoft Windows
[SECURITY] [DSA 2558-1] bacula security update
Endpoint Protector v4.0.4.0 - Multiple Web Vulnerabilities
Online social networks are gathering information about their users that those people never intended to disclose, and government regulation may be the only way to stop the practice, a researcher said Tuesday.
Interspire Email Marketer v6.0.1 - Multiple Vulnerabilities
[PRE-SA-2012-07] hostapd: Missing EAP-TLS message length validation
[SECURITY] [DSA 2556-1] icedove security update
Overview of the October 2012 Microsoft patches and their status.

For each bulletin: the earlier bulletins it replaces, the Microsoft Knowledge Base (KB) article, whether exploits are known, and Microsoft's exploitability index (**), where 1 is the most likely to be exploited.

Remote Code Execution Vulnerability in Microsoft Word
    Replaces: MS12-029, MS10-079, MS12-050
    KB 2742319
    Exploitability: 1

Remote Code Execution Vulnerability in Microsoft Works
    Replaces: MS12-028
    KB 2754670
    Exploitability: 2

Elevation of Privilege Vulnerability via XSS in the HTML Sanitization Component
    Affected: HTML Sanitization Component
    Replaces: MS12-039
    KB 2741517
    Known exploits: yes (limited)
    Exploitability: 1

Oracle Outside In and Advanced Filter Pack Code Execution Vulnerabilities in FAST Search Server
    Affected: FAST Search Server 2010 for SharePoint
    KB 2742321
    Exploitability: 1

Privilege Escalation in Windows Kernel
    Replaces: MS09-058, MS10-021, MS11-068, MS11-098, MS12-042
    KB 2724197
    Exploitability: 3

Denial of Service Vulnerability in Kerberos
    Replaces: MS11-013
    KB 2743555
    Exploitability: 1

Reflected XSS Vulnerability in SQL Server
    Replaces: MS09-062, MS11-049
    KB 2754849
    Exploitability: 1

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the measures people commonly have in place already; for servers we presume simple best practices, such as not using Outlook, MSIE, Word etc. on them for traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Where Microsoft assigns several exploitability ratings to one bulletin (one per CVE it fixes), we show the worst of them.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Microsoft's new Surface tablet, slated to ship later this month, will be priced between $399 and $499, an analyst said today.
Sprint will offer four new devices this fall for high-speed LTE networks, including the Samsung Galaxy Tab 2 10.1 tablet and the LG Optimus G smartphone.
Accounting firm McGladrey LLP rolled out 6,500 tablets recently to all of its workers in less than two months using AT&T's mobility services expertise, AT&T said Tuesday.
Veritas Cluster Server now monitors applications running in virtual machines, and can take action to recover them if they go down as well as migrate VMs without downtime.
Google upgraded its Search Appliance for the enterprise in an effort to help workers find information stored anywhere in their organizations.
The CloudStack open source cloud management platform, donated by Citrix to the Apache Software Foundation, has a critical vulnerability in all versions which could let an attacker take control of a system and delete all virtual machines on a cloud.

Perl HTML::Template::Pro Module Cross Site Scripting Vulnerability
Apache CXF SOAP Action Spoofing Security Bypass Vulnerability
utempter allows fake host setting
Blender 2.63 Exploitable User Mode Write AV
A cybergang in Eastern Europe revealed plans to attack U.S. banks with a Gozi-like Trojan, according to RSA.

[SECURITY] [DSA 2557-1] hostapd security update
[ MDVSA-2012:161 ] html2ps
[ MDVSA-2012:160 ] imagemagick
[ MDVSA-2012:150-1 ] java-1.6.0-openjdk
Cybercriminals are using computers infected with a particular piece of malware to power a commercial proxy service that funnels potentially malicious traffic through them, according to security researchers from Symantec.
Box announced on Tuesday an HTML5 framework that makes it possible for customers and other vendors to fully integrate features of its file sharing and cloud storage software into websites and enterprise applications.
In order to keep hackers at bay there must be changes in security budgets and privacy regulations, RSA Executive Chairman Art Coviello said Tuesday.
Hitachi Data Systems said that it is offering a pre-tested architecture that combines storage, servers, networking switches and virtualization software
[ MDVSA-2012:151-1 ] ghostscript
Team SHATTER Security Advisory: Java Operating System command execution
Team SHATTER Security Advisory: Multiple SQL Injection in Oracle Enterprise Manager (SQL Tuning Sets components)
Team SHATTER Security Advisory: XML file disclosure vulnerability via GET_WRAP_CFG_C and GET_WRAP_CFG_C2
The latest version of the Firefox extension which automatically redirects users to more secure HTTPS connections now supports more than twice as many web sites as the previous stable releases.

The Internet Engineering Task Force (IETF) is the main standards body for Internet-related protocols. As standards bodies go, the IETF is probably the most open. Standards are discussed on mailing lists, and all you need to do is sign up for a mailing list and chime in, attend one of the IETF meetings, or both. There is no membership, and standards usually require consensus.
The RFC Process
RFCs are published not only by the IETF but also by the Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG). Not all RFCs are standards. Some merely document best practices or are purely informational (for example RFC 1796: Not All RFCs are Standards). There are three distinct sub-series: Standards (STD), Best Current Practice (BCP) and FYI (informational documents).
The RFC process itself is regulated by RFCs. RFCs start out as Internet-Drafts. These drafts have a limited lifetime (by default six months) and expire unless they are selected by the IESG to become an RFC.
Once an RFC is published, its content can no longer be changed. Once in a while you will see errata attached to an RFC, but for the most part, to update an RFC a new RFC has to be published that updates or obsoletes it. When researching RFCs, it is VERY important to make sure the one you are reading hasn't been updated or obsoleted by a newer RFC (I prefer the listing at http://tools.ietf.org/html/ as it links to updates).
There is no enforcement of RFCs other than peer pressure. For the most part, if you want things to work, you had better follow RFCs. Until about a week ago, one expression of the peer-pressure aspect of the RFC system was rfc-ignorant.org. The site listed networks that chose not to obey certain RFCs, in particular those related to spam and abuse reporting.
RFCs and Security
Every RFC should have a Security Considerations section. It summarizes any security impact the particular RFC may have. In addition, a good number of RFCs deal directly with security issues. I recommend taking a look at new RFCs regularly. Internet standards are very dynamic, and assumptions you make based on old standards can be dangerous, or may mean you are not taking advantage of newer features.
The IETF also publishes a list of security-related RFCs here: http://www.apps.ietf.org/rfc/seclist.html
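The "has it been updated or obsoleted?" check that the diary insists on can be automated against the RFC Editor's rfc-index.txt. The Python script below is an added example, not part of the diary and not IETF or RFC Editor tooling. It parses a constructed excerpt of the index (the SMTP lineage RFC 821 -> 2821 -> 5321; the RFC numbers, titles and relations are copied from the real index, the file-size fields are left out and the line wrapping is our own), follows every "Obsoleted by" link to the RFC that currently applies, and lists the RFCs that update it. Point parse_index at a downloaded copy of the full index to run it for real.

```python
import re

# Constructed excerpt in the layout of the RFC Editor's rfc-index.txt
# (blank-line-separated entries, continuation lines indented). The numbers,
# titles and relations are real; file-size fields are omitted and the
# wrapping is our own.
SAMPLE_INDEX = """\
0821 Simple Mail Transfer Protocol. J. Postel. August 1982. (Obsoletes
     RFC0788) (Obsoleted by RFC2821) (Also STD0010) (Status: INTERNET
     STANDARD)

2821 Simple Mail Transfer Protocol. J. Klensin, Ed.. April 2001.
     (Obsoletes RFC0821, RFC0974, RFC1869) (Obsoleted by RFC5321)
     (Updated by RFC5336) (Status: PROPOSED STANDARD)

5321 Simple Mail Transfer Protocol. J. Klensin. October 2008. (Obsoletes
     RFC2821) (Updates RFC1123) (Updated by RFC7504) (Status: DRAFT
     STANDARD)

7504 SMTP 521 and 556 Reply Codes. J. Klensin. June 2015. (Updates
     RFC1846, RFC5321) (Status: PROPOSED STANDARD)
"""

RELATIONS = ("Obsoletes", "Obsoleted by", "Updates", "Updated by")
REL_RE = re.compile(r"\((%s) ([^)]*)\)" % "|".join(RELATIONS))
STATUS_RE = re.compile(r"\(Status: ([^)]+)\)")
HEAD_RE = re.compile(r"^(\d{4}) (.+?)\. ")


def parse_index(text):
    """Parse rfc-index.txt style text into {rfc_number: entry}.

    Each entry holds the title, the status and the four relation lists
    (int RFC numbers); a relation the index does not state is an empty list.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        # The index wraps long entries; rejoin continuation lines first.
        flat = " ".join(line.strip() for line in block.splitlines())
        head = HEAD_RE.match(flat)
        if not head:
            continue  # preamble or malformed block
        number = int(head.group(1))
        entry = {"title": head.group(2), "status": None}
        for rel in RELATIONS:
            entry[rel.lower().replace(" ", "_")] = []
        for rel, refs in REL_RE.findall(flat):
            key = rel.lower().replace(" ", "_")
            entry[key] = sorted(int(n) for n in re.findall(r"RFC(\d+)", refs))
        status = STATUS_RE.search(flat)
        if status:
            entry["status"] = status.group(1)
        entries[number] = entry
    return entries


def current_rfcs(entries, number):
    """Follow every 'Obsoleted by' link from `number` to the RFC(s) that
    currently stand in for it. An RFC missing from the index counts as
    current; the `seen` set keeps a malformed cyclic index from looping."""
    leaves, stack, seen = [], [number], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        successors = entries.get(n, {}).get("obsoleted_by", [])
        if successors:
            stack.extend(successors)
        else:
            leaves.append(n)
    return sorted(leaves)


def check(entries, number):
    """What a reader of RFC `number` should actually be reading: the
    current replacement(s), their status, and the updates layered on top."""
    current = current_rfcs(entries, number)
    updates = sorted({u for c in current
                      for u in entries.get(c, {}).get("updated_by", [])})
    return {
        "asked": number,
        "current": current,
        "obsolete": current != [number],
        "updated_by": updates,
        "status": {c: entries.get(c, {}).get("status") for c in current},
    }


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    for n in (821, 2821, 5321):
        print(check(idx, n))
```

Asking about RFC 821 reports that it is obsolete, that RFC 5321 is the document to read, and that RFC 7504 has since updated it; the "Updates" and "Obsoletes" lists are parsed too, so the same table can be walked in the other direction when you need to know what a new RFC changes.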


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Setting up a robust Wi-Fi network for your business doesn't have to be a nerve-racking experience. CIO.com looks at seven key factors you need to consider, including access points, frequency bands, network management and the forthcoming 802.11ac standard.
Intel, as in Wintel, says Windows 8 won't be ready when it ships. But since when did anyone believe Windows 8 would ever be ready to ship?
Adobe has released patches for 25 critical security vulnerabilities, and Microsoft and Google have updated their browsers and their embedded Flash players. The updates came the day before Patch Tuesday, though.

PhpTax 'drawimage.php' Remote Arbitrary Command Execution Vulnerability


Infosec: One Step Forward, One Step Back
Infosec pros take note: as the overall number of "true exploits" has decreased, targeted ones - especially those initiated by criminals or nation states - are becoming harder to detect, says IBM's Rick Miller. His conclusion is based on IBM's recently ...

Reader Amy Campbell has all the right reasons for extracting data from an iPhone. She writes:
An American and a Frenchman have won the 2012 Nobel Prize for Physics for their work on quantum optics, which could one day lead to faster computer processors, better telecommunications or more accurate timepieces.
Acer on Tuesday assigned a starting price of $499 for its new Iconia W510 tablets, which will have Windows 8 and Intel's Atom chip code-named Clover Trail.
Linux Kernel Netlink Message Handling Local Privilege Escalation Vulnerability
Adobe Flash Player and AIR APSB12-22 Multiple Remote Vulnerabilities
Advanced Micro Devices renewed its attempt to make an impact in the tablet market, this time with its new dual-core Z-60 chip which the company introduced on Tuesday.
Alcatel-Lucent has upgraded its implementation of the VDSL2 vectoring noise cancellation technology in order to make it easier to implement, and as a result let operators offer higher broadband speeds over phone lines to more users.
Windows 7's malware infection rate climbed by as much as 182% this year, Microsoft said today.
Content delivery accelerator Akamai Technologies has launched a service for adapting websites to the device used to access them, which it says also simplifies the upgrade to IPv6.

Tales of Infosec Embarrassment from the US Presidential Election
Infosecurity Magazine (blog)
Drew Amorosi, Deputy Editor, Infosecurity Magazine. Drew is the Deputy Editor of Infosecurity magazine and has ...

A U.S. House Intelligence Committee report warning that two Chinese networking companies are posing security risks to the country also includes allegations of job bias and visa fraud at one of the firms, Huawei Technologies.
Avaya IP Office Customer Call Reporter 'ImageUpload.ashx' Remote Code Execution Vulnerability
The Sality botnet systematically searched through the entire internet last year, looking for vulnerable VoIP endpoints. And it went about it very cautiously, according to researchers.

IBM has teamed with AT&T to offer secure shared cloud services to customers over private networks rather than the public Internet, the companies said Tuesday.
Facebook has proposed a revised settlement in a lawsuit in which it was alleged to have used the names and likeness of the plaintiffs without their prior consent in "Sponsored Stories" advertisements shown to their online friends on the social networking website.