The Microsoft Security Response Center put up a little note reminding people that Windows XP will be out of extended support in 12 months' time (http://blogs.technet.com/b/msrc/archive/2013/04/09/out-with-the-old-in-with-the-april-2013-security-updates.aspx). From April next year there will be no more security patches or updates to the operating system. Reality teaches us that many organisations will still have Windows XP running within their networks at that time. So as security professionals we should probably put the risk of an unsupported operating system in the environment in the risk register.

How big a problem will it be? That will depend on the issues that will no doubt be released in May 2014. With the XP install base still being quite large it is likely that there are vulnerabilities that people are sitting on and may not release until after Microsoft has stopped support.  So we should work on the assumption that:

  1. we will still have XP in the environment
  2. there are going to be vulnerabilities in the OS that will be exploited.

Some of the common techniques that we use today may help address the issue. Application whitelisting should help protect the operating system, assuming the products will support XP going forward. Network segmentation will help contain any issues in the environment. But essentially we are going to have to look at the problem of having known compromised machines in the network that we may not be able to do much about.

I've put up a poll asking "What are your plans when XP is no longer supported"; feel free to provide additional comments in the poll or here. How will your organisation deal with this?

Mark H

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

An article in Linha Defensiva (http://www.linhadefensiva.com/2013/04/brazilian-users-unable-to-boot-windows-after-botched-update/) reports that after applying the update machines were no longer able to boot. According to the article Microsoft has recognised that there is an issue with the Brazilian version of the OS, but the links in the article do point to other locales having similar issues.

I wasn't able to find any further reference on the Microsoft site, but in the meantime if you do approve this KB for deployment make sure you test it thoroughly prior to a production implementation.

If you've had issues with this KB please let us know.

Mark H

The South Korean government is pointing a finger toward Pyongyang in its assessment of last month's cyber-attacks on banks and media companies that affected thousands of computers and took electronic banking sites and ATM networks offline.

A report by South Korea's Ministry of Science, Information and Computer Technology, and Future Planning found evidence that the attack was carried out by North Korea's military intelligence, otherwise known as its "general reconnaissance bureau." The March 20 attack—which spread "wiper" malware that deleted the master boot record of PCs and attempted to delete volumes from Unix and Linux servers they were connected to—"resembled North Korea's past hacking patterns," a ministry spokesperson said in a Wednesday press briefing.

The attack targeted private citizens' computers as well as the website of an anti-North Korean organization and South Korean broadcaster YTN. Forensic evidence from it pointed directly to North Korean involvement. Six computers located at North Korean IP addresses were involved in the spreading of the malware used in the attacks, either directly or through proxies in China. Based on 76 malware samples collected by the investigation, the attack was planned at least eight months ago, when the code was spread to victims' PCs. This was largely accomplished through e-mail attachments disguised as bank account statements.

It all began with an annoying text message sent to an Ars reader. Accompanied by a Microsoft Office logo, the message came from a Yahoo e-mail address and read, "Hi, Do u want Microsoft Office 2010. I Can Remotely Install in a Computer."

An offer I couldn't refuse.

The recipient promptly answered "No!" and then got in touch with us. Saying the spam text reminded him of the "'your computer has a virus' scam," the reader noted that "this seems to be something that promises the same capabilities, control of your computer and a request for your credit card info. Has anyone else seen this proposal?"

I hadn't seen this particular scam, so there was only one thing to do: take the scammer up on his offer and let him go to town on a spare copy of Windows. Ultimately, I did get that copy of Microsoft Office, and there were no viruses sent my way. Even when I failed to pay the $30 fee we had agreed upon, the scammer didn't bother attacking my computer in any way. He was just a nice guy, basically—making a dishonest living from the comfort of his own home.

Oracle Java SE CVE-2013-1483 JavaFX Remote Security Vulnerability

Lieberman Software Presents "Common Credentials Dilemma" at InfoSec World
Marketwire (press release)
LOS ANGELES, CA--(Marketwired - April 09, 2013) - Lieberman Software Corporation will showcase its industry-leading privileged identity management technology as a Platinum Sponsor of the InfoSec World Conference and Expo in Orlando, April 15-17.

A "perfect storm" of struggling PC companies, aversion to Windows 8 and wider mobile-device adoption plunged the already struggling PC market into a free fall during the first quarter this year, IDC said.
Oracle and Hewlett-Packard's ongoing legal battle over software for Itanium has run into another delay, and this time there's no telling how long it will last.
CA Technologies is suing a rival in the Application Performance Management market, accusing AppDynamics of using three of CA's patented technologies. The founder and CEO of AppDynamics helped lead software development at an APM company later acquired by CA.
The wealth of personal data that mobile apps collect on their users needs to be conspicuously stated to consumers or developers could face legal heat, California attorney general Kamala D. Harris said Wednesday.
Microsoft has released the latest version of its Desktop Optimization Pack (MDOP) suite of IT management tools, an upgrade that deepens its ability to manage Windows 8 PC deployments.
Oracle's sales force isn't usually seen as the easiest to work with, with customers bombarded by multiple account representatives from different product areas.
A sweeter offer for the merger of T-Mobile USA and MetroPCS reportedly has been approved by T-Mobile parent company Deutsche Telekom.
The U.S. House Intelligence Committee on Wednesday voted 18-2 in favor of a controversial information-sharing bill that was reintroduced in Congress this February after failing last year amid widespread protests from rights groups and a White House veto threat.
[ MDVSA-2013:118 ] python-feedparser
DeepSec 2013 - Call for Papers
[ MDVSA-2013:120 ] python-pycrypto
[ MDVSA-2013:119 ] python-httplib2

This morning many users in my city woke up with supposedly good news about a resume they sent to Google looking for open positions:

Google SCAM

Of course this scam does not have anything new or innovative that would cause a massive impact, but here is the catch: in this part of the world, people love P2P networks and love to download unlicensed content such as Windows operating systems, music and paid programs so they don't have to pay a cent for it. Since standard security controls like antivirus and host IPS flag those programs as malicious and block most of their functionality, a huge number of people disable such controls in order to get free access to that unlicensed content.

The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized on VirusTotal, with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=100938.

This little thing caused lots of help desk calls to my company this morning, because people complained about very slow Internet links even though they were not downloading anything. If you were affected by this malware, please keep in mind the following recommendations:

  • Do not *ever* open attachments from unreliable sources, especially zipped files that contain exe files. Nothing good can come from it.
  • Do not disable any security controls on your computer such as host IPS, antivirus and personal firewall. If you need to work with software that is blocked by any of these controls and there is no way to allow it through them, that software is definitely something you should consider not using.
  • Malware can take control of your machine and use it as its operator wishes, affecting the confidentiality, integrity, availability, traceability and non-repudiation of your information. Avoid performing actions that could materialize such risks, such as using P2P software.
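
As an added example (not code from the diary or from ISC), here is a small Python check of the kind a mail gateway or help desk could run on a suspicious zip attachment: it flags executable members by extension and by the PE "MZ" header, refuses to inflate oversized members, and compares the archive and its members against the two MD5 values quoted above. The sample archive it builds is constructed here and contains only harmless bytes.

```python
import hashlib
import io
import zipfile

# MD5 values quoted in the diary above: the zip attachment and the document.exe inside it.
KNOWN_BAD_MD5 = {
    "4e85b6c9e9815984087f6722498a6dfc": "zip attachment from the diary",
    "3e41ab7c70701452d046b93f764564ec": "document.exe from the diary",
}
# Extensions Windows runs directly when double-clicked (or via Windows Script Host).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Do not inflate members above this size: a zip bomb must not take the scanner down.
MAX_HASHED_MEMBER = 32 * 1024 * 1024


def inspect_zip_attachment(blob: bytes) -> list:
    """Return human-readable findings for one zip attachment; an empty list means nothing flagged."""
    findings = []
    whole = hashlib.md5(blob).hexdigest()
    if whole in KNOWN_BAD_MD5:
        findings.append(f"archive md5 {whole} matches {KNOWN_BAD_MD5[whole]}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid zip archive"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(EXEC_EXTENSIONS):
                findings.append(f"executable member {name!r} inside archive")
            if info.file_size > MAX_HASHED_MEMBER:
                findings.append(f"member {name!r} too large to inspect ({info.file_size} bytes)")
                continue
            data = archive.read(name)
            if data[:2] == b"MZ":  # DOS/PE executable magic, regardless of the file name
                findings.append(f"member {name!r} starts with a PE/MZ header")
            member = hashlib.md5(data).hexdigest()
            if member in KNOWN_BAD_MD5:
                findings.append(f"member {name!r} md5 {member} matches {KNOWN_BAD_MD5[member]}")
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test input: a zip holding a fake 'document.exe' (MZ header plus padding) and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"Thank you for applying.")
    return buf.getvalue()
```

Running inspect_zip_attachment(build_sample_attachment()) reports the executable name and the MZ header for document.exe and nothing for readme.txt; a real attachment would be passed in as the raw bytes of the decoded MIME part.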

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

STORServer, a maker of backup appliances, announced private and public cloud backup services.
President Barack Obama's federal budget, released Wednesday, calls for increases in federal research and development spending. The overall spending increase, though, shows a decline when adjusted for inflation.
NASA's proposed $17.7 billion budget includes plans to capture and redirect an asteroid into orbit around Earth so astronauts can study it.
A purported Microsoft roadmap for future releases of its Office suite showed a fall 2014 launch date for Office on Apple's iOS and Google's Android mobile operating systems, an online report said today.
[ MDVSA-2013:111 ] openslp
[ MDVSA-2013:110 ] openjpeg
[ MDVSA-2013:113 ] perl
Dropbox, whose cloud storage and file-sharing application has been adopted by millions of consumers, will add single sign-on (SSO), its latest feature for businesses as it seeks to penetrate the workplace market.
Stormed by a shift to tablets and smartphones, and threatened, even in its enterprise bastion, by new demands from workers, Microsoft may lose its place at the table reserved for major technology players, an analyst argued today.
Multiple Asterisk Products CVE-2013-2264 Multiple Information Disclosure Vulnerabilities
[ MDVSA-2013:112 ] otrs
[ MDVSA-2013:109 ] open-iscsi
[ MDVSA-2013:108 ] openconnect
[ MDVSA-2013:107 ] ocaml-xml-light
PCs and mobile devices connected to peripherals via USB ports will in the future be able to transfer data at twice the speed possible today.
Improving user experience is not justification for using consumer information in Big Data projects, say top European data protection officials.
First up, serious networking stuff concerning Apple and how iOS supports VPNs and how it won't in future.
After dumping Facebook a little less than a year ago, General Motors is back, running an advertising test on the social network.
LinuxSecurity.com: Updated openjpeg packages fix security vulnerability: An out-of heap-based buffer bounds read and write flaw, leading to invalid free, was found in the way a tile coder / decoder (TCD) implementation of OpenJPEG, an open-source JPEG 2000 codec written in [More...]
LinuxSecurity.com: Updated openslp packages fix security vulnerability: The extension parser in slp_v2message.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (infinite loop) via a packet with a next extension offset that references this extension [More...]
LinuxSecurity.com: Updated otrs package fixes security vulnerabilities: Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, [More...]
LinuxSecurity.com: Updated open-iscsi package fixes security vulnerability: Colin Watson discovered that iscsi_discovery in Open-iSCSI did not safely create temporary files. A local attacker could exploit this to overwrite arbitrary files with root privileges (CVE-2009-1297). [More...]
LinuxSecurity.com: Updated openconnect packages fix security vulnerability: A stack-based buffer overflow flaw was found in the way OpenConnect, a client for Cisco's AnyConnect VPN, performed processing of certain host names, paths, or cookie lists, received from the VPN gateway. A [More...]
LinuxSecurity.com: Updated ocaml-xml-light packages fix security vulnerability: OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service [More...]
LinuxSecurity.com: Updated nss-pam-ldapd packages fix the following security vulnerability: Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer [More...]
LinuxSecurity.com: Updated munin packages fix security vulnerabilities: The qmailscan plugin for Munin before 2.0 rc6 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names (CVE-2012-2103). [More...]
LinuxSecurity.com: Updated mosh package fixes security vulnerability: Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the [More...]
LinuxSecurity.com: Updated mesa packages fix security vulnerability: The glsl shaders are vulnerable to a buffer overrun in parcel_out_uniform_storage::visit_field. When too many uniforms are used, the error will now be caught in check_resources [More...]
LinuxSecurity.com: Updated mariadb packages include fixes for the following security vulnerabilities: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote attackers to affect integrity [More...]
LinuxSecurity.com: Updated lynx package fixes security vulnerability: Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to [More...]
UK-based hacker Ryan Ackroyd and another member of the LulzSec hacker group have pleaded guilty for the first time. This means that the four UK-based members of the LulzSec hacker group can now be sentenced.

Adobe Flash Player and AIR CVE-2013-1379 Memory Corruption Vulnerability
Adobe Flash Player and AIR CVE-2013-1380 Memory Corruption Vulnerability
Adobe Flash Player and AIR CVE-2013-1378 Memory Corruption Vulnerability


Addressing the InfoSec Staffing Crisis
The IT security industry faces a major staffing crisis, according to the latest research. But what can schools, businesses and industry associations actually do to start addressing the problem? The new Global Information Security Workforce Study from ...

Eyeing the sometimes considerable data roaming bills that companies receive, a startup called Wandera launched a service Wednesday that promises to cut down on roaming data use.
There are more IT managers working today than two years ago, but their unemployment rate is rising as well. It's a paradox of government data, but there are theories for the apparent discrepancy.
An IDC study has found sweeping changes in how mobile display advertisements are sold, with Facebook, Pandora and Twitter successfully wresting away control from advertising networks over the last year.
A popular widget plugin for WordPress blogs recently had code added to it which injected advertisements into sites but which could have been used to cause far more damage. The plugin has been removed and sites are advised to find alternatives.

Hacker shells, hacking cowboys, reverse engineering on Stack Exchange, ponies on the desktop, an Evernote trojan, a Secure Boot leak that wasn't a leak, and swearing in passwords

The VirtualDJ software comes unstuck on encountering specially crafted ID3 tags in MP3s. The problem can cause crashes and worse; an exploit for the buffer overflow is already in circulation.

Nine bulletins address holes in Internet Explorer, Windows and even Microsoft's Defender, but the Pwn2Own holes will have to wait. Adobe has its own spring bouquet: a bunch of three updates for Flash, Shockwave and ColdFusion.

Adobe Flash Player and AIR CVE-2013-2555 Remote Integer Overflow Vulnerability
RETIRED: Adobe Flash Player and AIR CVE-2013-2555 Remote Integer Overflow Vulnerability
RETIRED: Adobe Shockwave Player APSB13-12 Multiple Security Vulnerabilities
To make server upgrades easier, Intel introduced a rack reference architecture that speeds up data throughput while reducing energy and maintenance costs in data centers.
Experts say the language should crib app isolation, locality, and automated parallelism from more modern sources
Intel announced new server chips on Tuesday, including the latest Xeon E3, which is the first server processor based on the company's latest Haswell microarchitecture.
Intel's upcoming 'Bay Trail' Atom processor is aimed at the low-end market, and promises to deliver convertible PCs and notebooks with all-day battery life at budget prices, the company said on Wednesday.
T-Mobile USA is trying to boost the number of iPhone users on its network by offering the iPhone 5 without down payment to people who bring in their iPhone 4 and 4S smartphones for a trade-in which could also earn them up to $120 in credits.
phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities
EMC Multiple Smarts Products Unspecified Cross-Site Scripting Vulnerability
Adobe ColdFusion CVE-2013-0632 Authentication Bypass Vulnerability