InfoSec News

Introducing "Mental authentication" to mend broken passwords
Security Park
“As we approach the InfoSec Show in London and attention once again turns to the latest authentication technologies, our message is that the world needs a more secure mentally-held secret with all the positives that passwords offer, but without any of ...

Nokia said it had discovered a memory management issue on Lumia 900 smartphones offered on AT&T's network, that in some cases could lead to a loss of data connectivity.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Good day readers! I've been playing around with creating unusual file names for a while (http://vimeo.com/9484706, http://pauldotcom.com/2011/12/looking-for-stealth-ads-stream.html). For example, did you know you can create a .. (dot dot space) directory on Windows just like you can in Linux? Want to try it? Open up a command prompt and type this:

That's interesting. Notice that our .. (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked. Attackers have been hiding in the dot dot space directory for a long time on the Linux platform. Now try this from an administrative command prompt:

We created a . (dot space) directory with a .. (dot dot space) subdirectory. Then we put a copy of netcat in it. (Your path to nc.exe may be different from this example.) As you see from the image above, you can still execute netcat without any problems if you use a symbolic link. Now try to browse to the c:\temp\ directory using the Windows Explorer GUI. You will notice the SHORTCUT to NC.EXE in our c:\temp directory. Double click on the . (dot space) directory. You might expect that it would take you into a directory containing our .. (dot dot space) directory, but it doesn't! Instead we are still in the c:\temp directory with our shortcut to nc.exe! Double click the . (dot space) directory again. This time we DO change to the directory containing .. (dot dot space). Weird! Now, double click your .. (dot dot space) directory. Where will that take you? It takes you to the following error message:

Interesting. Now try this. Open your command prompt, change directories to the path c:\temp\2628~1\45AA~1\ and do a directory listing. This strange directory name has been consistent in my limited testing. Is it the same for you? There is your copy of nc.exe! What the heck is that?

Your mission, should you choose to accept it, is to tell me what you can do with this. What causes this behavior? Post a comment!
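As an added example (not part of the diary above), here is a defender-side scanner for the kind of lookalike names the post describes: directory or file names made only of dots and spaces, or carrying a trailing space or dot, which Explorer renders indistinguishably from . and .. and which the Win32 API would normally never let you create. The sample listing is constructed; the function names are my own.

```python
"""Flag directory entries whose names mimic "." / ".." or carry trailing
spaces/dots, the hiding trick shown in the diary above."""
import os
import re
from typing import Iterator, List, Optional, Tuple

# Win32 path normalisation silently strips trailing spaces and periods,
# so names that still carry them were created by unusual means (e.g. via
# a \\?\ path, a non-Windows SMB client) and deserve a closer look.
_TRAILING = re.compile(r"[ .]$")
_ONLY_DOTS_SPACES = re.compile(r"^[ .]+$")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_FORBIDDEN = re.compile(r'[<>:"|?*]')  # characters Win32 refuses in names


def suspicious_name(name: str) -> Optional[str]:
    """Return a short reason if *name* looks like a lookalike/hidden-style
    entry, or None if it is unremarkable."""
    if name in (".", ".."):
        return None  # the genuine self/parent entries
    if _ONLY_DOTS_SPACES.match(name):
        return "name is only dots and spaces (mimics . or ..)"
    if _TRAILING.search(name):
        return "trailing space or dot (normally stripped by Win32)"
    if _CONTROL.search(name):
        return "contains control characters"
    if _FORBIDDEN.search(name):
        return "contains characters Win32 forbids in names"
    return None


def scan_names(names) -> List[Tuple[str, str]]:
    """Classify an iterable of entry names; returns [(name, reason), ...]."""
    findings = []
    for n in names:
        reason = suspicious_name(n)
        if reason:
            findings.append((n, reason))
    return findings


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Walk *root* and yield (path, reason) for every suspicious entry.

    Flagged directories are reported but not descended into: joining a
    name like ". " onto the path would be normalised by Win32 back to the
    parent directory, which is exactly the loop the diary demonstrates.
    Inspect such directories via their 8.3 short name or a \\?\ path."""
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            reason = suspicious_name(n)
            if reason:
                yield os.path.join(dirpath, n), reason
        dirnames[:] = [d for d in dirnames if suspicious_name(d) is None]


# Constructed sample listing, modelled on the c:\temp example in the post.
SAMPLE_LISTING = ["nc.exe - Shortcut.lnk", ". ", "report.", "2628~1", "logs"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, why in scan_tree(target):
        print(f"{path!r}: {why}")
```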
HEY! I'm teaching SANS SEC560 BOOTCAMP style in Augusta, GA, June 11th - 16th. Sign up today! http://www.sans.org/community/event/sec560-augusta-jun-2012
The Electronic Frontier Foundation will head to court on Friday to push the federal government to establish a process that will enable law-abiding Megaupload users to get their files back.
Intel on Tuesday announced a new suite called Small Business Advantage that takes advantage of specific features baked into the company's Core processors to maintain and secure PCs.
Two U.S. lawmakers pressed a federal agency on Monday to say how much taxpayer money went into testing the proposed LightSquared network, a private 4G system that the FCC ultimately rejected because it would interfere with GPS.
I can think of few hassles as devastating as dropping your cell phone into the sink or letting it take a tumble in the washing machine. These kinds of accidents happen all the time, often with the result of an expensive trip to the store for a replacement. But maybe that doesn't have to be the outcome. A couple years back, we offered some tips for reviving a wet phone, including the ever-popular "submerge it in a bowl of dry rice." But if you want a more robust solution, consider stocking a Bheestie Bag.
Today is the second Tuesday of April, and that means it's Microsoft Patch Tuesday time. This month Microsoft released a total of six new security bulletins, but one in particular deals with a zero-day vulnerability impacting virtually every Microsoft user, which is already being exploited in the wild.
Google Chrome Prior to 18.0.1025.151 Multiple Security Vulnerabilities
Microsoft .NET Framework Parameter Validation Remote Code Execution Vulnerability
Microsoft repaired 11 vulnerabilities in April, including a critical update to its Internet Explorer browser and an ActiveX fix that affects a variety of software and server systems.

Rafal Los, a software security expert and consultant with Hewlett Packard, says humans far outgun automated tools in the hunt for costly application logic flaws.

Adobe Acrobat and Reader (CVE-2012-0777) Memory Corruption Vulnerability
Adobe Acrobat and Reader (CVE-2012-0774) Integer Overflow Vulnerability
Adobe Acrobat and Reader (CVE-2012-0775) Memory Corruption Vulnerability
A casual tweet sparks controversy and confusion over whether BlackBerry PlayBook users will be able to side-load apps apart from RIM's online store. A followup blog post doesn't bring much more clarity.
Nvidia is on the verge of delivering its own homegrown chips for Windows 8 devices, and the company hopes to use its extensive background in graphics to differentiate itself from competitors, according to a company executive.
See if this sounds familiar: Someone e-mails you a document, contract, or whatever that requires your signature. So you print it, sign it, then dust off the fax machine so you can send it back.
Samba, an SMB/CIFS file server for UNIX, has a serious security vulnerability: Samba 3.6.3 and all prior versions allow remote code execution as the root user from an anonymous connection.
Yep, time to upgrade SAMBA.
Hat tip: Charlie

Swa Frantzen -- Section 66
Multiple ABB Products ActiveX Control Buffer Overflow Vulnerability
The U.S. Army is having a hard time manning its IT staff because it cannot find military personnel with the right networking and IT security qualifications.
Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer, Office and several other products, including one bug that attackers are already exploiting.
Email phishing scams have grown more sophisticated since they first began popping up in corporate inboxes in the 1990s. Early phishing emails were relatively easy to detect as they were characterized by poor grammar and spelling. No legitimate business would send an email to customers chockfull of typos.
Want to unlock your off-contract AT&T iPhone to use with competing GSM carriers such as U.S. Cellular and T-Mobile? As reported last week, now you can, the only hitch is it may take up to a week for AT&T to process the request even though AT&T claims it only takes minutes.
Photon is a futuristic match-three puzzle game designed in the drop-down style of Tetris. Your goal is to clear screens by connecting brightly colored discs with your finger. The app, developed by Bifrost Studios, is free on Google Play but requires an in-app purchase of $0.99 for full functionality. Unfortunately, while Photon is fun and addictive, it suffers from multiple performance issues that its designer needs to address.
SAP made a series of announcements on Tuesday as part of its bid to become a high-profile player in the database market alongside the likes of Oracle and IBM.
In order to stand out in a crowded Android tablet market, Google will need to do more than simply provide top-notch hardware.
GroupWare epesiBIM CRM 1.2.1 - Multiple Web Vulnerabilities
Matterdaddy Market v1.1 - SQL Injection Vulnerabilities


Dilemma on Reporting Infosec Job Data
GovInfoSecurity.com (blog)
By Eric Chabrow, April 10, 2012. A dearth of information makes tracking employment among IT security professionals difficult. Even the most trustworthy organization in collecting employment data in the United States, the Labor Department's Bureau of ...

Apple's stock price surged over the $600 mark today, about a month after shooting past $500. For a time, the company's total market capitalization was more than $600 billion.
Tabs opened in the Google Chrome browser will soon travel with the user to other devices so long as the user is signed in, according to a company blog post.
When it comes to cloud storage and file sharing, Dropbox seems to be the undisputed champion on the consumer side. But, for business customers looking for a more robust cloud storage service and better management tools, Box is a clear leader. Egnyte wants to change that, though, and it's going for the jugular with its Box Buster Buyout program.
DARPA has launched a Robotics Challenge, a high-tech contest that will award as much as $34 million in prize money in various categories, for robotics hardware and software development tasks that can be used in emergency response situations.
Cisco and NetApp today announced a new pre-configured FlexPod cloud storage architecture that's designed and priced for smaller workloads.
Maryland's General Assembly Monday passed legislation that bars employers in the state from asking workers and job seekers for access to their personal social media accounts as a condition of employment.
RETIRED: Microsoft April 2012 Advance Notification Multiple Vulnerabilities
Multiple Vendor Products Security Vulnerabilities
RETIRED: Adobe Acrobat and Reader APSB12-08 Advance Multiple Remote Vulnerabilities
Overview of the April 2012 Microsoft patches and their status.

Each entry lists the affected component, a description, the contra indications (KB article) and known exploits.

Internet Explorer
  Cumulative update for Internet Explorer adding fixes for five more arbitrary code execution vulnerabilities with the rights of the logged-on user.
  Replaces MS12-010.
  KB 2675157
  No publicly known exploits.

Windows Authenticode
  An input validation vulnerability in the parsing of the signatures on executable files allows arbitrary code execution with the rights of the logged-on user.
  Replaces MS10-019.
  KB 2653956
  No publicly known exploits.

.NET Framework
  An input validation failure in the .NET Framework allows arbitrary code execution with the rights of the logged-on user. This not only affects users browsing websites but also IIS servers running ASP.NET, e.g. in a web hosting scenario.
  KB 2671605
  No publicly known exploits.

Forefront UAG
  Vulnerabilities in Forefront UAG (Unified Access Gateway) allow unfiltered access to internal resources and spoofing of the UAG web server (directing the visitor to malicious sites instead of the UAG server, potentially compromising their login credentials).
  KB 2663860
  No publicly known exploits.

Windows Common Controls
  A vulnerability in Windows Common Controls [ActiveX] allows arbitrary code execution with the rights of the logged-on user. Attack vectors include websites and email attachments. It also affects a whole lot of other Microsoft software, such as SQL Server, Commerce Server, Visual FoxPro and the Visual Basic runtime, in addition to Microsoft Office.
  KB 2664258
  Microsoft claims to be aware of limited targeted attacks using this.

Office - Works
  An input validation vulnerability in the .wps converter allows arbitrary code execution with the rights of the logged-on user.
  Replaces MS09-024 and MS10-105.
  KB 2639185
  No publicly known exploits.

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all the ratings, because Microsoft assigns too many separate ratings to some of the patches.


Swa Frantzen -- Section 66
NOTE: These security updates also included an update for Windows 8 Consumer Preview. Updates for Windows 8 are available through the operating system's Windows Update. (Thanks Rene! - Mark Baggett)
The U.S. Department of Justice and U.S. Immigration and Customs Enforcement have seized more than $896,000, plus the domain names of seven websites accused of selling counterfeit sports apparel, the two agencies announced Tuesday.
Adobe released its Black Tuesday bulletin too: apsb12-08.html announcing updates of Adobe Reader and Adobe Acrobat to versions 9.5.1 and 10.1.3.
They're fixing 4 vulnerabilities:

CVE-2012-0774: integer overflow in the True Type Font (TTF) handling
CVE-2012-0775: memory corruption in the JavaScript handling
CVE-2012-0776: security bypass via the Adobe Reader installer
CVE-2012-0777: memory corruption in the JavaScript API

All of them allow arbitrary code execution.
This update also incorporates the recent changes to flash for the version X (10.1.3).

Swa Frantzen -- Section 66
The Federal Communications Commission and the CTIA Wireless Association are joining hands in an attempt to take a bite out of smartphone crime.
I recently offered some advice on how to configure an old iPad for a child, and while the subsequent reaction was largely positive, there were the few (and expected) replies that suggested exposing a child to an iPad would lead to a machine-dependent future, devoid of fresh air, firm muscle tone, and true human interaction.
Toshiba on Tuesday announced Satellite laptops starting at US$399 that will have upcoming processors from Intel and Advanced Micro Devices, which are due to become available in the next few months.
Microsoft is shifting Windows Vista into what it calls extended support.
Five U.S. mobile phone carriers will launch databases allowing customers to report stolen phones and prevent them from being reactivated, in a wide-ranging effort also supported by the U.S. Federal Communications Commission and police chiefs to attack a growing problem of smartphone thefts.
Virtualization and cloud computing offer the promise of cost savings, efficiency and flexibility, but organizations must plan their transitions carefully or risk finding themselves stuck with a bundle of sunk costs and no path forward.
If you've played "Fruit Ninja," "Cut the Rope" or any number of games on your iPhone, you probably aren't very impressed with their graphical capabilities, especially when compared with modern games such as "Gears of War" and "Skyrim." But as one panel on mobile gaming at PAX East 2012 this year demonstrated, you should probably be thankful for what you've got.
News of the Mac malware dubbed Flashback continues to spread, trailing on the heels of the exploit itself. A security firm has uncovered statistics about the Flashback infection, as well as providing tools to detect and remove the infection.
Cybercriminals are using the Zeus online banking malware to target companies that use cloud-based payroll services, researchers from security firm Trusteer said Monday.
Intel on Tuesday announced a reference design for a new 7-inch education tablet, which will rekindle the chip maker's rivalry with nonprofit organization One Laptop Per Child in the area of providing computing devices as learning tools.
Oracle VM VirtualBox CVE-2012-0105 Local Vulnerability
Oracle VM VirtualBox CVE-2011-2300 Local Vulnerability
Hewlett-Packard announced a series of open-source-based cloud offerings and added network automation capabilities to its hardware products in an attempt to carve out its piece of a market currently topped by Amazon Web Services.
Verizon Wireless, Sprint, AT&T and T-Mobile are joining forces with the U.S. Federal Communications Commission to work on curbing phone thefts using a central database that will store information about stolen phones, according to reports.
All organizations want to get better at managing innovation. Social computing may be the key.
When Apple introduced iTunes in 2001, it served one purpose: As a music jukebox app. Later that year, it added its most important feature: The ability to sync tracks with the just-introduced iPod. Originally, you could just drag tracks onto your iPod and they'd copy over. iTunes had automatic music-sync features that were rudimentary, but they did the job.
If your business has kept pace with changes in wireless networking, you've deployed dual-band routers and client adapters that can stream encrypted data over the airwaves at speeds greater than 100 megabits per second at relatively close range.
[SECURITY] [DSA 2448-1] inspircd security update
When you're trapped atop a lofty spire, surrounded by killer robots that have just slaughtered every other living being on the planet, it's not a matter of if you'll survive the onslaught but how long you can stave off the inevitable. Such is the thrill of Ziggurat, an iPhone and iPad game that's all about taking out as many of the mechanical jerks as you can before they inevitably rip you to shreds.
Photos and the Internet go together like peanut butter and jelly. For as long as there have been web browsers, people have generously posted photos online--which other people have then downloaded and used for their own purposes, whether or not they've actually asked for permission. To make it easier to legally and ethically reuse photos posted online, the Creative Commons license was created. I first mentioned Creative Commons in "Your Photos, Your Rights, and the Law." This week let's learn a little more about Creative Commons--both how you can use it to share your own photos and how to use other peoples' works.
InspIRCd Heap Memory Corruption Vulnerability
Microsoft Windows Vista was your full name. Internally you identified yourself as Windows 6.0. Most would call you simply Vista. You were never liked all that much, in part due to your security-inspired nanny attitude. Despite that, you carried a lot of essential and long overdue security improvements: improvements which allowed, e.g., the practical removal of administrator rights without impacting the users of software written under the false presumption that users should have administrative rights.
The market has rejected you and killed you off. Your last copies went over the counter in October 2011, according to your maker. And finally, today that same maker buries you too: Microsoft is stopping support for Windows Vista today.
There is some hope that consumer rights groups will fight such a short lifespan of support and patches (e.g. in Europe there's a mandatory 2 year warranty requirement for products sold to consumers), but overall and for all practical purposes, you're about to be forgotten by all but a handful who'll send significant donations to your maker.
So you will nonetheless live on for a while (for a maximum of 5 more years) through extended support, as well as through your technically very closely related sibling Windows 7 (which identifies itself internally as Windows 6.1 in a sort of tribute to you), and which was given a somewhat better education by the maker's marketing department on how to interact with the public.
Still, those who have you will now have to decide whether to bury you in the trashcan or pay for extended support.

- Hat Tip: Rene

- I hope this doesn't offend any of our readers. It's only meant to be a bit sarcastic and to lighten up the rainy day a bit.

Swa Frantzen -- Section 66
As of today, mainstream support ends for Windows Vista. From today on, only commercial customers with specific support agreements with Microsoft will get any kind of support for Vista from Microsoft. Security patches will still be released, but don't expect any bug fixes beyond security issues.
Just as a reminder: if you still have Windows XP around, you have 2 years until you will no longer receive any security patches (end of extended support).
For details, see: http://windows.microsoft.com/en-us/windows/products/lifecycle

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Earthwave, a managed security services provider, is pioneering a much faster way for large companies and service providers to create a security operations center that meets a high standard for security.
Tape-storage administrators will be able to get performance information and immediate directions to prevent data loss in new management software, called StorageTek Tape Analytics, that Oracle introduced on Monday.
Twitter has released some of the tweaks it has made to MySQL, potentially bringing greater scalability to the open-source relational database management system.
India got its first 4G service with the country's largest mobile services provider Bharti Airtel launching services Tuesday based on the TD-LTE technology in the north-eastern city of Kolkata.
Global mining consultant GMC has gone live with a cloud-based business software deployment from NetSuite to serve its roaming employees.
NEC has begun sales of new software to quickly find video clips in large archives, which is well-suited for finding illegal content on video sharing websites, it said Tuesday.
Sony expects its net loss for the fiscal year ending March 31 will be more than double what it forecast two months ago.
Microsoft yesterday kicked off what it called a "two-year countdown" to the death of Windows XP and Office 2003.
Interest in computer science continues to grow among undergrad students, who pushed enrollments up nearly 10% in the 2011-12 academic year. This marks the fourth straight year of increases.


Infosec needs an injection of honesty
“We desperately need to inject honesty (and some knowledge) into the vendor space because, as an industry, infosec is still largely driven by vendor supply.” Meer says problems arise because vendors simply sell the products they have (even if they ...

IBM Tivoli Provisioning Manager Express ActiveX Control Remote Code Execution Vulnerability

Street survey Infosecurity Europe : working from home reaches a new dimension ...
Security Park
Of those admitting that they worked in bed, nearly three quarters (73%) were men. The survey was commissioned by Infosecurity Europe in the run up to the 2012 event taking place from the 24th – 26th April 2012, in Earls Court, London www.infosec.co.uk.


Posted by InfoSec News on Apr 09


By Gregg Keizer
April 9, 2012

A Mac developer has posted a tool that detects a Flashback malware
infection on Apple's computers.

The tiny tool -- it's just a 38KB download -- was created by Juan Leon,
a software engineer at Garmin International, the Kansas-based company
best known for its GPS devices.

Ars Technica...

Posted by InfoSec News on Apr 09


By Kevin McCaney
April 06, 2012

Customs and Border Protection blocked access to a contracting Web page,
and later moved its location, after it had inadvertently posted
documents containing commercial trade secrets as part of a solicitation
for a video surveillance project on the U.S.-Mexico border in Arizona.

In addition to blocking further access to the...

Posted by InfoSec News on Apr 09


By Kim Zetter
Threat Level
April 9, 2012

Think twice if you live outside the U.S. and plan to sell your used
gaming console.

The Department of Homeland Security has launched a research project to
find ways to hack into gaming consoles to obtain sensitive information
about gamers stored on the devices.

One of the first contracts for the project was awarded last week to...

Posted by InfoSec News on Apr 09


By Aliya Sternstein

Facebook frequently takes flack for privacy invasions, but the next
controversial byproduct of the social network may be cyber espionage,
according to security researchers.

Status updates on Facebook posted by friends and family of government
officials or the officials' own unencrypted Facebook activities can be
used to gather intelligence such...

Posted by InfoSec News on Apr 09


By Lisa Rein
The Washington Post
April 9, 2012

The virus struck in an e-mail 81 days ago, flagged by a federal team
that monitors cyberthreats. The target was a small job-development
bureau in the Commerce Department. The infiltration was so vicious it
put Commerce’s entire computer network at risk.

To avert a...