InfoSec News

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The first release candidate for Internet Explorer 9 is here, five months after IE9 first went into public beta. IE9 is Microsoft's attempt to bring support for newer, more modern Web technology to its browser. If you haven't used IE9 before, take a moment to read our prior review of the public beta.
 
The fast, high-capacity Wi-Fi that users have been enjoying for a few years in laptops is now due to hit smartphones and tablets in a big way, with two major Wi-Fi chip makers announcing products that use IEEE 802.11n with multiple antennas.
 
President Obama outlined his administration's plan on Thursday to deliver high-speed mobile broadband to 98% of U.S. residents within five years. Is the proposal realistic?
 
While the new Verizon iPhone 4 has better signal strength, especially in certain areas, it may not be faster than the AT&T version.
 
VLC Media Player MKV File Parsing Remote Code Execution Vulnerability
 
As the first service packs for Windows 7 and Windows Server 2008 R2 ship Feb. 22, they will bring better virtualization capabilities to the operating systems.
 
Linux Kernel 'ib_uverbs_poll_cq()' Integer Overflow Vulnerability
 
Linux Kernel 'drivers/media/dvb/ttpci/av7110_ca' IOCTL Local Privilege Escalation Vulnerability
 
Oracle is facing a series of challenges for MySQL support revenues from third-party providers who say they can provide equal or better service for the open-source database.
 
After having been strung along for years, wannabe iPhone customers sent a message to Verizon: Can you hear me now?
 
House Republicans want a second look at spending on broadband stimulus projects.
 
Interview with Sean McAdam, CEO of F5 Networks, which has managed to garner nearly half of the Layer 4-7 switching market.
 
Apple cut component costs of the Verizon iPhone by about $5, a decrease of about 3% compared to what Apple pays now for the parts in the iPhone 4 on AT&T's network, an analyst at electronics research firm IHS iSuppli said.
 
Who has the faster cell phone, Verizon or Sprint? Is one camera in the iPad 2 one camera too few? And who owns your equipment when your employer lets you go? Computerworld readers discuss these and other topics.
 
Reader Mark is a frequent user of Windows' Character Map utility, which is helpful for finding and copying to the clipboard various special characters. He wants to know how he can pin it to the Quick Launch toolbar for fast and easy access.
 
Using social engineering techniques and spear-phishing attacks, attackers are exploiting Windows flaws and using tools to steal sensitive proprietary data, including project-financing information.

 
Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
 
President Obama details a plan to cover 98% of the U.S. with 4G mobile service.
 
Microsoft today launched the release candidate of Internet Explorer 9 (IE9), saying that the browser is now feature complete and that the final build would ship shortly.
 
Start-up Druva today announced the latest edition of its inSync backup software, which is aimed at backing up laptops across enterprises.
 
Yahoo has announced a "digital newsstand" called Livestand for tablet devices and cell phones that has been designed to deliver content from the company's various sites and online publications.
 
Microsoft Internet Explorer CVE-2011-0035 Uninitialized Memory Remote Code Execution Vulnerability
 
Security vendors at RSA Conference 2011 need to be more specific about the security technologies they are aiming at the cloud, industry analysts say.

 


Report: Egypt Shut Down Net With Big Switch, Not Phone Calls
Wired News (blog)
That according to a February presentation to the Department of Homeland Security's Infosec Technology Transition Council, obtained by Wired.com. ...
Egypt Shut Down Most of Internet Service by Pulling Single Switch in Cairo
TMC Net
 
 
Mozilla has rolled out the eleventh beta of Firefox 4, adding the "Do Not Track" feature it touted three weeks ago to the browser.
 
HP's TouchPad looks pretty similar to Apple's iPad on the outside but the inside is a different story.
 
Qualcomm announced its latest Snapdragon tablet processor, which includes multimedia features that could raise the standards of entertainment capabilities provided by tablets.
 
Microsoft Windows Kerberos Unkeyed Checksum Local Privilege Escalation Vulnerability
 
Microsoft Windows Kerberos Encryption Standard Spoofing Vulnerability
 
Critical updates fix several serious vulnerabilities that are being targeted by attackers in the wild.

 
A survey of more than 600 IT security professionals finds nearly three quarters have been hacked at least once in the last 24 months through insecure Web applications.

 
Security B-Sides hits San Francisco a day ahead of RSA Conference 2011 and features some of security's most important researchers and analysts.

 
Attackers are becoming more skilled at harvesting available bandwidth and selecting specific targets, a new report finds.
 
Security vendor HBGary Federal has been hacked by the group known as "Anonymous" because the firm is helping federal investigators infiltrate the group.
 
In its advance notification, Microsoft said it would issue 12 bulletins, three critical, addressing holes in Windows, Internet Explorer, Office, Visual Studio and IIS.

 
Researchers at security firm Last Line of Defense have discovered a cache of hundreds of thousands of stolen email credentials and FTP passwords.
 
A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.

 
With the job market becoming increasingly competitive, security professionals need to find ways to distinguish themselves beyond certifications and technical skills.

 
Adobe addressed more than a dozen vulnerabilities in Flash Player and more than two dozen holes in Adobe Reader and Acrobat.

 
Government workers are stymied by lack of mobile technologies, collaboration tools and mature telecommuting options, Forrester Research reports.
 
Next week's RSA Conference 2011 will feature a number of sessions devoted to cloud security issues.
 
Google will offer its hundreds of millions of users the option of adding a second verification step when signing into their accounts, to complement the existing password-only authentication mechanism.
 
Exim Sticky Mail Directory Local Privilege Escalation Vulnerability
 
Exim MBX Locking Insecure Temporary File Creation Vulnerability
 

Veracode Leads the Charge for Secure Software at RSA Conference 2011
Business Wire (press release)
Chris Eng will present a session at 9:45 am entitled “Critical Consumption of Infosec Stats.” Veracode is the only independent provider of cloud-based ...

 
Google has caught Microsoft with its hand in its search-engine cookie jar. That's bad, but it also leads me to the question: how much can you trust any search engine?
 
Linksys WAP610N Unauthenticated Root Console
 
[SECURITY] [DSA-2158-1] cgiirc security update
 
[SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability
 
[SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability
 
It's a shame that everyone can't bask in the joy of a function-filled keyboard or multibutton mouse. Consider the convenience of launching applications and controlling a system's volume with the press of a button, rather than awkwardly fumbling your way through menus and prompts within a desktop operating system. And most modern software for these mice and keyboards lets you remap essential parts of your daily routine to buttons a finger's length away.
 
QuickPHP Directory Traversal Vulnerability
 

NASDAQ Breach: You Should be Concerned
BankInfoSecurity.com (blog)
In the wake of our recent Faces of Fraud survey, I've spoken with a number of InfoSec and fraud experts recently about fraud detection and prevention, ...

 
Mobile phone maker INQ has collaborated with Facebook on phones optimized for the social networking site.
 
Executives from Facebook, Google and other companies have held talks with Twitter over a possible acquisition of the micro-blogging service, pushing its estimated value as high as $10 billion, according to a report in The Wall Street Journal.
 
Researchers in Germany say they've been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone's passcode.
 
Web-hosting provider Rackspace has acquired software developer Anso Labs to help build up the OpenStack cloud computing project, a company official said.
 

When a call starts off with "I think we've had an incident" or "something isn't right", actual proof that an event or incident has really occurred is a must*. If it's some odd happening on Windows, then it's time to look at the Windows event logs. Windows has three standard event logs: application, system and security. The one most security folks need to keep an eye on is the security event log.

Some questions to ask or ponder about your Windows security logs:

Do you review or monitor them?
How big are the log files?
What happens when the log files are full?
Do you know if security audit policies are in place?
Do you have different audit policies for certain systems?
Are all your machines using the same time reference?
Can you recognize the event IDs that could mean trouble?

Each company has its own policies and procedures on how its systems are designed, built, configured and managed, but as incident responders we should know these basic details about the security event log.

A common stumbling block for security teams is actually viewing the security logs on other computers. By default, access to the security log is restricted to users with local admin rights on the machine. There is a nifty way to allow security staff to view the logs without giving them full admin access to the remote machines, and it is the approach recommended by Microsoft [1]. This avoids upsetting the Windows admin team, who are by now still deploying the latest Microsoft patches and thus pretty busy.

Microsoft has produced a number of helpful guides on how to configure and apply audit policies [2, 3], and there are a large number of other references out there. Work with the Windows admin team to help them identify some of the warning signs that appear in the security logs, such as multiple account lockouts and brute-force account-guessing attacks, and to learn what certain event IDs mean [4].

Let's say you have all the right audit policies in place and can view the security logs, but you're attempting to piece together an attack across 50 machines. Just viewing that many separate Windows event logs will make you go crazy. Jason Fossen, author of the SANS Windows track, has a wonderful script [5] to convert event logs into CSV files. Use tools such as trusty old Microsoft Excel to parse the data from the CSV files and correlate it into event timelines. This makes spotting trends, events or incidents much easier, as you can look at the combined data and even turn it into graphs.

By having the correct information logged and access to the security logs, it should take the guesswork out of whether a dozen accounts being locked out is a coincidence or an actual security incident.
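The correlation step described above, carried through in code as an added example (this is not the diary author's script, Jason Fossen's VBScript, or anything from SANS): it reads CSV rows exported from several hosts, normalises every timestamp to UTC because the hosts may not share a time reference, merges them into one timeline, and then flags two of the warning signs the diary names, a burst of failed logons from one source and account lockouts landing on several machines within a few minutes. The column layout and every row in SAMPLE_CSV are constructed for illustration; the event IDs 4625 (failed logon) and 4740 (account locked out) are the Windows Vista/Server 2008 and later security log IDs, assumed here rather than taken from the page.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Windows Vista/2008+ security log event IDs (assumption, not from the diary).
FAILED_LOGON = 4625
ACCOUNT_LOCKED = 4740

# Constructed sample export: rows from several hosts merged into one file.
# Each host records its own UTC offset because not every machine used the
# same time reference. Column names are an assumption for this example.
SAMPLE_CSV = """\
host,utc_offset,time_generated,event_id,account,source_ip
SRV01,+00:00,2011-02-10 09:00:05,4625,jsmith,10.0.0.77
SRV01,+00:00,2011-02-10 09:00:06,4625,jsmith,10.0.0.77
SRV01,+00:00,2011-02-10 09:00:07,4625,jsmith,10.0.0.77
SRV01,+00:00,2011-02-10 09:00:08,4625,jsmith,10.0.0.77
SRV01,+00:00,2011-02-10 09:00:09,4625,jsmith,10.0.0.77
SRV01,+00:00,2011-02-10 09:00:10,4740,jsmith,10.0.0.77
SRV02,-05:00,2011-02-10 04:00:12,4740,adavis,10.0.0.77
SRV03,+01:00,2011-02-10 10:00:14,4740,bwong,10.0.0.77
WKS17,+00:00,2011-02-10 13:45:00,4740,mmohan,10.0.0.5
WKS17,+00:00,2011-02-10 14:10:00,4625,guest,10.0.0.9
"""


def parse_offset(text):
    """Turn '+01:00' / '-05:00' into a tzinfo object."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text[1:].split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def load_events(csv_text):
    """Parse the export and convert every timestamp to UTC so hosts line up."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        local = datetime.strptime(row["time_generated"], "%Y-%m-%d %H:%M:%S")
        local = local.replace(tzinfo=parse_offset(row["utc_offset"]))
        events.append({
            "host": row["host"],
            "time": local.astimezone(timezone.utc),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "source_ip": row["source_ip"],
        })
    events.sort(key=lambda e: e["time"])  # one combined, time-ordered record
    return events


def build_timeline(events):
    """One line per event, in UTC order, ready to paste into a report."""
    return ["{} {} {} {} {}".format(e["time"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                                    e["host"], e["event_id"], e["account"],
                                    e["source_ip"]) for e in events]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Source IPs that produced >= threshold failed logons inside the window."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            by_source[e["source_ip"]].append(e["time"])  # already sorted
    hits = set()
    for ip, times in by_source.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return sorted(hits)


def detect_lockout_clusters(events, min_hosts=3, window=timedelta(minutes=5)):
    """Lockouts on at least min_hosts distinct machines inside the window.

    A dozen lockouts spread over a day may be coincidence; several machines
    locking accounts within minutes of each other usually is not.
    """
    lockouts = [e for e in events if e["event_id"] == ACCOUNT_LOCKED]
    clusters = []
    i = 0
    while i < len(lockouts):
        first = lockouts[i]
        j = i + 1
        while j < len(lockouts) and lockouts[j]["time"] - first["time"] <= window:
            j += 1
        group = lockouts[i:j]
        hosts = sorted({e["host"] for e in group})
        if len(hosts) >= min_hosts:
            clusters.append({
                "start": first["time"],
                "hosts": hosts,
                "accounts": sorted({e["account"] for e in group}),
            })
            i = j  # consume the whole cluster so it is reported once
        else:
            i += 1
    return clusters


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    print("\n".join(build_timeline(evts)))
    print("brute-force sources:", detect_bruteforce(evts))
    print("lockout clusters:", detect_lockout_clusters(evts))
```

Once the timestamps are in UTC, the three lockouts that look unrelated in the raw exports (09:00 on SRV01, 04:00 on SRV02, 10:00 on SRV03) turn out to be nine seconds apart and to follow a five-second run of failed logons from the same source, which is exactly the kind of pattern the combined view is meant to surface. The thresholds are starting points to tune against your own environment's baseline of lockouts and failed logons.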

If you have any other suggestions or advice on using the Windows security logs, please feel free to add a comment.


[1] How to set event log security locally or by using Group Policy in Windows Server 2003 for non-admins to access them:
http://support.microsoft.com/kb/323076

[2] Configuring Audit Policies Windows 2000/2003:
http://technet.microsoft.com/en-us/library/dd277403.aspx

[3] Advanced Security Auditing in Windows 7 and Windows Server 2008 R2:
http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx

[4] My favourite place to find what Security Event ID mean:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

[5] Dump Windows Event Logs to CSV Text Files:
http://blogs.sans.org/windows-security/2009/06/30/dump-windows-event-logs-to-csv-text-vbscript/


Recommended event log sizes in Windows:
http://support.microsoft.com/kb/957662



* Gut feelings, aching bones, birds flying in weird formation or milk suddenly turning sour are all very nice, but aren't going to help prove to others that an event or incident has taken place.
Chris Mohan --- ISC Handler on Duty
 
Verizon Wireless said on Thursday it had made the first voice call over a commercial LTE network using the Voice over LTE standard.
 
Social engineering expert Chris Hadnagy shares juicy tales of successful cons he's seen as a security consultant, along with six prevention tips.
 
Security vendors are rolling out new technologies designed to let companies take advantage of cloud computing environments without exposing sensitive data.
 
A broad spectrum of IT people, including those close to security functions, appear to have little awareness of key security issues impacting their organizations, a new survey shows.
 
The company irks open source advocates but is steadfast in upgrading Sun-derived technologies.
 

Posted by InfoSec News on Feb 10

http://www.startribune.com/business/115532664.html

By Chris Serres
Star Tribune
February 8, 2011

Thousands of Wells Fargo & Co. customers were left angry and short of
cash Monday after a majority of the bank's 12,000 ATMs nationwide
crashed.

The outage, which began Monday afternoon, lasted for several hours and
was still not fixed by the time branches closed. Many frustrated
customers went from one Wells Fargo ATM to the next trying to...
 

Posted by InfoSec News on Feb 10

http://www.nytimes.com/2011/02/10/business/global/10hack.html

By John Markoff
The New York Times
February 10, 2011

At least five multinational oil and gas companies suffered computer
network intrusions from a persistent group of computer hackers based in
China, according to a report released Wednesday night by a Silicon
Valley computer security firm.

Computer security researchers at McAfee Inc. said the attacks, which
were similar to but...
 

Posted by InfoSec News on Feb 10

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

We are proud to announce the immediate availability of HITB Magazine
Issue 005 - The first HITB Magazine release for 2011!

HITB Magazine
=============
http://magazine.hackinthebox.org/

Direct Link
===========
http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf

Just over a year has passed since Issue 001 and 2010 was definitely a
great year for our humble magazine...
 

Posted by InfoSec News on Feb 10

http://www.wired.com/threatlevel/2011/02/rbs-hacker-avoids-jail/

By Kim Zetter
Threat Level
Wired.com
February 9, 2011

A Russian hacker convicted of the $9 million hack of RBS WorldPay has
avoided jail and has been given only a suspended sentence.

Yevgeny Anikin, 27, received a suspended sentence of five years on
Monday, according to Russian state news agency RIA Novosti, after
pleading guilty to what the U.S. has called “perhaps the...
 

Posted by InfoSec News on Feb 10

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

On behalf of the 2011 Electronic Voting Technology Workshop/Workshop on
Trustworthy Elections (EVT/WOTE '11) program committee, we are inviting
you to submit your original research on important problems in all
aspects of electronic voting.

USENIX, ACCURATE, and IAVoSS are sponsoring the 2011 Electronic Voting
Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE '11)....
 
Linksys WAP610N Unauthenticated Root Access Security Vulnerability
 