
InfoSec News

EMC made several announcements around data replication and protection, including the ability to replicate data in real time between storage arrays thousands of miles apart.
The software giant patched three vulnerabilities and revised its Exploitability Index for prioritizing patch deployments.

Facebook and privacy can seem contradictory at times, yet about 500 million users rely on the site for things they might, in the end, want to keep a bit private.
According to Symantec and El Reg, a problem allowed apps to leak access tokens that stay valid after the leak. Apparently some 100,000 apps leak these tokens, and the tokens may end up sitting in the log files of third parties such as advertisers, waiting to be abused.
The good news is that we can do something ourselves to invalidate the access tokens: change our password!
For those who don't know where to change the Facebook password: it is in the Account menu at the upper right; choose Account Settings, and the fourth entry is the password change.
Facebook, to their credit, seems to have reacted as well and is going to move away from the older access tokens.
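As an added example (not code from this diary, from Facebook or from Symantec), here is how an operator on the receiving end of the leak, an ad network or any site whose logs collect Referer headers, could check whether OAuth access tokens have landed in its web-server logs. It scans a few constructed Apache combined-format lines (hosts and token values are made up) and reports each request URL or Referer that carries an access_token parameter, keeping only a redacted prefix so the scan itself does not re-log the secret.

```python
"""Find Facebook-style OAuth access tokens that have leaked into web-server logs.

Added example; not code from the ISC diary, Facebook or Symantec.  The log
lines, hosts and token values below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format:
#   ip ident user [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string parameter names that carry a bearer token.  Assumption: only
# the Graph API name is listed; extend it for other providers' parameter names.
TOKEN_PARAMS = ("access_token",)


def tokens_in_url(url):
    """Return every token value found in the query string of `url`.

    Works for both a bare request path ("/ad.gif?access_token=...") and a
    full Referer URL, because urlsplit() handles either form.
    """
    query = urlsplit(url).query
    found = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in TOKEN_PARAMS:
            found.extend(v for v in values if v)
    return found


def redact(token):
    """Keep a short prefix for correlation; never write the full token back out."""
    return token[:6] + "..." if len(token) > 6 else "***"


def scan_log(lines):
    """Return one finding per request whose path or Referer carries a token.

    A finding records the log line number, the client IP, whether the token
    sat in the request URL or in the Referer header, and a redacted prefix.
    Lines that do not parse as combined-format entries are skipped.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        for where in ("path", "referer"):
            url = match.group(where)
            if url == "-":  # Apache writes "-" when no Referer was sent
                continue
            for token in tokens_in_url(url):
                findings.append({
                    "line": lineno,
                    "ip": match.group("ip"),
                    "where": where,
                    "token": redact(token),
                })
    return findings


# Constructed sample: an ad pixel fetched with the token in the request URL,
# a request whose Referer (the app's canvas page) carries the token, a clean
# request, and an unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:10:12:01 +0000] "GET /ad.gif?ref=fbapp&access_token=AAACEdEose0cBAExampleToken1 HTTP/1.1" 200 43 "http://apps.facebook.com/exampleapp/" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:10:12:05 +0000] "GET /pixel HTTP/1.1" 200 43 "http://example-app.example/canvas?access_token=AAACEdEose0cBAExampleToken2&signed_request=abc" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'garbage line that is not a combined-format entry',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: token {f['token']} in {f['where']} from {f['ip']}")
```

Run against real logs, the interesting output is the set of Referer hosts: each one is an app that put a live token in a URL, and each hit is a token that should be treated as compromised until the user changes their password.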

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Today we were contacted about two different scams that used, for me at least, novel approaches to the social engineering part.

Melvin wrote in about an email in Portuguese that, after translation, accused the recipient of having committed some traffic violations and linked to "notifications" that were malware with minimal detection on VirusTotal. We didn't get the samples.

Roland wrote in with a story about an IM message that went something like:

can you pleasee help me out really quick
and take an IQ quiz for a major final
project im doing? I need to see how many
people out of my friends get over a 105
just go to http://iqtesting4 looking string
and take that test. if u do I will
owe you big time

He also noted that there had recently been a number of registrations for the domain.
It seems a very good time to sharpen our users' awareness: do not click links so easily, and if you did anyway, be very suspicious of whatever it makes you download.

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft Windows Internet Name Service (WINS) Failed Response Remote Code Execution Vulnerability
Linux Kernel ATI Radeon R300 Local Input Validation Vulnerability
Linux Kernel DRM IOCTL Local Memory Corruption Vulnerability
Even though Verizon Wireless claims its fast LTE network is "up and running" following an April 26 outage, it's still not working for some customers, including 50 Chicago-based users of laptops with LTE modems.
Google kicked off its annual Google I/O developers conference by giving people what they've been expecting for months -- an online music service.
I was a having a conversation with another fellow security professional at the CSO Perspectives seminar a few weeks ago and he used the word "disintermediation" to make a point about his website. We had a bit of a chuckle about how that word that was used (rather, overused) during the dot-com days. The context back then was that the new, online world was going to obsolesce the traditional world of bricks-n-mortars through the "disintermediation" process of cutting out the no-value-adding, costly infrastructure of middle-men.
Microsoft is downplaying the threat posed by one of the three bugs the company patched today, said security researchers.
Microsoft's scooping up of Skype should be a great boon for the software maker, despite the hefty $8.5 billion price tag, say industry analysts.
The latest iMac models introduced by Apple this month benefit greatly from new Intel processors and greater device connectivity. Both changes offer users unprecedented speed from the iMac lineup.
It's not often Hewlett-Packard and Cisco share the same stage during a keynote address. But at Interop that's exactly what they did -- and HP didn't share the stage nicely.
On-demand ERP software vendor NetSuite is expected to announce a new push into large enterprises on Tuesday during its SuiteWorld user conference in San Francisco.
Mozilla Firefox/SeaMonkey OBJECT 'mObserverList' Use-After-Free Remote Code Execution Vulnerability
The company announces version 1.5.0 and says the cloud platform will graduate from preview status later this year
The U.S. government and the nation's top mobile-phone service providers on Tuesday launched a public safety program that will allow people to receive emergency alerts via text message.
Google on Tuesday touted Android's growth to 100 million smartphones and tablets, kicked off a rollout of Android 3.1 and gave developers a preview of the next major Android update called 'Ice Cream Sandwich.'
Microsoft CEO Steve Ballmer today promised that the company would continue to develop and support Skype on rival platforms.
Senators question Google and Apple about location tracking on their smartphones.
Google gave Android developers several reasons to cheer on Tuesday with its announcement of new versions of the operating system, as well as the addition of music and movies to the Android Market.
Postfix SMTP Server Cyrus SASL Support Memory Corruption Vulnerability
RETIRED: Microsoft May 2011 Advance Notification Multiple Vulnerabilities
BackTrack 5, codenamed Revolution, was released earlier today and is available for download.
Let us know what you're using it for.
Thanks to Jeff for the heads-up!

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
An intuitive visual presentation of objectives can speed up the process.
Microsoft will integrate Skype's calling features into many of its key products, including Office, the Xbox and its Windows Phone software, but it will also continue to offer Skype for competing platforms, CEO Steve Ballmer said Tuesday.
The major U.S. telecommunications carriers join the U.S. government in creating a public safety network
Mozilla Firefox/SeaMonkey 'OnChannelRedirect' Method Memory Corruption Vulnerability
Apple's iPad hasn't materially affected consumer PC sales, as some have claimed, according to survey data compiled by the NPD Group.
Mozilla Firefox/SeaMonkey 'nsTreeRange' Dangling Pointer Remote Code Execution Vulnerability
WebGL Library Multiple Memory Corruption Vulnerabilities
HTB22977: XSRF (CSRF) in poMMo
Pixie CMS 'admin/index.php' SQL Injection Vulnerability
Overview of the May 2011 Microsoft patches and their status.

Columns: Affected / Contra indications / Known exploits / Microsoft rating / ISC rating(*)

Affected: WINS (Windows Internet Name Service)
  An input validation vulnerability in WINS allows arbitrary code execution with the rights of the WINS service.
  Note: WINS is not installed by default.
  Replaces MS09-039.
  KB 2524426
  Known exploits: No known exploits
  Microsoft rating: -
  ISC rating(*): -

Affected: PowerPoint
  Memory corruption and buffer overflow vulnerabilities allow arbitrary code execution with the rights of the logged-on user.
  Note: Microsoft confirms in the bulletin that PowerPoint in Office for Mac 2004 and 2008 is vulnerable, but no patch is available at this point in time, nor is there any indication of a time commitment.
  Note: Office 2010 for Windows and Office for Mac 2011 are not affected.
  Replaces MS11-022.
  KB 2545814
  Known exploits: No known exploits
  Microsoft rating: -
  ISC rating(*): -


We will update the issues on this page for about a week or so as they evolve.

We appreciate updates.

US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments are vulnerable and exploits are in use or are easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. The best approach is to test and deploy ASAP. Workarounds can buy more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact, if left unpatched, to be not that big a deal in the short term. Do not forget them, however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically already have in place. For servers we presume simple best practices, such as not using Outlook, MSIE, Word etc. on them for traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
More large companies are turning to colocation providers to relieve capacity constraints in their data centers, as a way to avoid the high cost of building their own new brick-and-mortar facilities, two studies suggest.
EMC has planted its development and acquisition future in the cloud, calling for increased development of open-source Web-based applications and MapReduce technologies to help mine unstructured data.
Researchers from Queens University presented a flexible, e-ink display at the Computer Human Interaction conference that they believe could one day replace smartphones. Called the Paper Phone, the device isn't much thicker than a few sheets of paper and uses the same type of display found on the Amazon Kindle and other popular e-readers.
Traidnt Up Multiple SQL Injection Vulnerabilities
HTB22976: Multiple XSS (Cross Site Scripting) vulnerabilities in poMMo
HTB22975: SQL injection in Calendarix
HTB22974: Multiple XSS in Calendarix
Re: SQL Injection in Pixie
OpenID4Java Attribute Exchange Remote Security Bypass Vulnerability
Apache Struts XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability
Kay Framework Attribute Exchange Remote Security Bypass Vulnerability

The French security firm exploited a Google Chrome vulnerability, bypassing its sandbox as well as the ASLR and DEP mitigations.

Google Chrome's sandboxing technology, designed to keep malicious code from reaching the rest of the system, has been compromised by researchers at VUPEN Security.

In an advisory issued Monday, the company said its research team discovered a zero-day vulnerability in the Google browser. The flaw enabled the team to bypass all security features in Chrome, including Address Space Layout Randomization and Data Execution Prevention, two techniques designed to stop exploits from turning a memory corruption bug into reliable code execution.

“While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP,” the company said in its advisory.

The bypass works on Windows systems and relies on zero-day vulnerabilities. The company said the attack can be pulled off without exploiting a Windows kernel vulnerability.

The company said it would not publicly disclose the exploit code or technical details of the underlying vulnerabilities. The company issued an accompanying video as proof that the browser vulnerability was exploited.

A Google spokesperson told Brian Krebs of KrebsOnSecurity that the company’s engineering team was unable to verify VUPEN’s claims, because VUPEN hadn’t shared any information about their findings. If the vulnerability is verified, Google will issue an automatic update to the browser.

Weaknesses in ASLR and DEP have surfaced in the past at the TippingPoint Pwn2Own contest. Microsoft, which uses the technology, said a successful attack typically takes extremely sophisticated measures, including multiple zero-day vulnerabilities.

Sandboxing technology is seen as an added layer of defense for applications that are commonly targeted by attackers. Adobe Systems Inc. developed Adobe Reader X, which uses a sandbox to thwart attacks. A researcher bypassed a similar sandboxing feature used in Adobe Flash Player. The company has acknowledged that sandboxing is not a silver bullet approach, but an added security layer that can deter many attackers.

Ten years after the Sept. 11 terrorist attacks, the United States government may finally be making progress on allocating spectrum for a next-generation public safety mobile broadband network.
Google has confirmed plans to unveil a long-rumored music service on Tuesday.
Many people consider the Apple MacBook Air to be the gold standard in ultrathin laptops, but Windows users don't have to jump to the Mac platform to get the same slim and sleek design.
European lobby groups have expressed alarm at a Belgian court’s ruling that Google News violates copyright rules.
Rhodes 3.0, which Rhomobile says is the first framework to support Windows Phone 7, is being positioned as an alternative to Silverlight
Microsoft's $8.5 billion acquisition of Skype is largely seen as a defensive move by analysts, as the company struggles to keep up with the likes of Google and Facebook on the Internet.
Microsoft has agreed to buy Skype for $8.5 billion, the companies announced Tuesday.

Your vertical is . . . (ComputerworldUK blog)
When advising Forrester clients on InfoSec, the first question I ask is, "what compliance mandates are you under?" Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. ...
Smartphone shipments dipped in the first quarter compared with the previous quarter, a type of decline that hasn't happened for a couple of years.
Fujitsu is now taking orders for its Stylistic Q550 Slate PC tablet, one of the earlier tablets to use Oak Trail, Intel's first dedicated tablet processor.
With a diverse mobile workforce and a bevy of consumer devices, corporate America is more like a university campus than ever before. They can learn a thing or two by studying the way some leading schools approach security.
Last week's Firefox upgrade boosted the browser's market share by 30% in four days, putting it quickly ahead of Microsoft's new Internet Explorer 9 offering.
On-demand ERP software vendor NetSuite is expected to announce a new push into large enterprises on Tuesday.
acpid Multiple Local Denial of Service Vulnerabilities
ViewSonic's dual-boot, Windows 7 and Android 2.2 Frankentablet showcases the worst of both worlds
Nuke Evolution Xtreme 'modules.php' SQL Injection Vulnerability

Posted by InfoSec News on May 10


Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, May 1, 2011

28 Incidents Added.


DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...

Posted by InfoSec News on May 10

By John Leyden
The Register
9th May 2011

OpenID has warned of bugs in its authentication technology that create a
possible means for hackers to modify data sent between sites.

The flaw is noteworthy because many high-profile sites -- including
Google, Yahoo! and Flickr -- use the technology so that once users have
logged into one site, they aren't constantly prompted for...
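The OpenID Foundation's advisory behind this story (and the OpenID4Java and Kay Framework "Attribute Exchange Remote Security Bypass" entries above) concerned relying parties that took Attribute Exchange values such as an e-mail address from the provider's response without confirming those fields were covered by the response signature, which is what lets "data sent between sites" be modified in transit. The following is an added example, not code from OpenID4Java, the Kay Framework or the OpenID Foundation: it builds a constructed OpenID 2.0 positive assertion, signs it the way the spec prescribes (HMAC-SHA256 over the key-value form of the fields listed in openid.signed), and contrasts a relying party that trusts every AX field once the signature checks with one that keeps only signed AX fields. The MAC key, endpoints and identities are made up.

```python
"""Accept OpenID Attribute Exchange (AX) data only when the signature covers it.

Added example; not code from OpenID4Java, the Kay Framework or the OpenID
Foundation.  The association MAC key, endpoint URLs and identities below are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
OPENID_NS = "http://specs.openid.net/auth/2.0"
# Assumption: the MAC key the RP and OP established during association.
MAC_KEY = b"example-association-mac-key-not-real"


def signed_fields(params):
    """Field names (without the 'openid.' prefix) the OP claims to have signed."""
    return params["openid.signed"].split(",")


def compute_sig(params, mac_key):
    """HMAC-SHA256 over 'field:value\\n' for each field in openid.signed, base64."""
    msg = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields(params))
    digest = hmac.new(mac_key, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def signature_valid(params, mac_key):
    return hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", ""))


def ax_alias(params):
    """Return the extension alias bound to the AX namespace (e.g. 'ext1'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_attributes_vulnerable(params, mac_key):
    """The bypass pattern: once the signature verifies, every AX value is
    trusted, including fields that are not listed in openid.signed."""
    if not signature_valid(params, mac_key):
        raise ValueError("bad signature")
    prefix = f"openid.{ax_alias(params)}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}


def ax_attributes_hardened(params, mac_key):
    """Keep an AX attribute only if the namespace declaration and both its
    type and value fields are covered by openid.signed."""
    if not signature_valid(params, mac_key):
        raise ValueError("bad signature")
    signed = set(signed_fields(params))
    alias = ax_alias(params)
    if alias is None or f"ns.{alias}" not in signed:
        return {}  # an unsigned alias binding could be re-pointed by an attacker
    attrs = {}
    prefix = f"openid.{alias}.value."
    for key, value in params.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if f"{alias}.type.{name}" in signed and f"{alias}.value.{name}" in signed:
            attrs[name] = value
    return attrs


def build_assertion(email, sign_ax, mac_key=MAC_KEY):
    """Constructed OP response.  sign_ax=False models a response in which only
    the core fields are signed and the AX fields ride along unsigned."""
    p = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-05-10T10:00:00Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": email,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_ax:
        signed += ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]
    p["openid.signed"] = ",".join(signed)
    p["openid.sig"] = compute_sig(p, mac_key)
    return p


if __name__ == "__main__":
    lazy = build_assertion("alice@example.org", sign_ax=False)
    tampered = dict(lazy, **{"openid.ext1.value.email": "mallory@example.org"})
    print("signature still valid:", signature_valid(tampered, MAC_KEY))
    print("vulnerable RP sees:", ax_attributes_vulnerable(tampered, MAC_KEY))
    print("hardened RP sees:  ", ax_attributes_hardened(tampered, MAC_KEY))
```

The point of the demo is that the signature check alone passes on the tampered response, because the e-mail field was never part of what was signed; only the per-field check against openid.signed catches it. A relying party that needs the attribute should treat an unsigned AX field as absent and fall back to asking the user.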

Posted by InfoSec News on May 10

By Cindy George
Houston Chronicle
May 9, 2011

Unlike the Marvel Comics hero of Asgard who packed cinemas this weekend,
a different Thor without superpowers was punished in a Houston federal
courtroom Monday for a failed scheme to hack local ATMs using Barack
Obama as an alias.

Thor Morris, 20, of Jacksonville, N.C., was sentenced to three years and
one month in federal prison...

Posted by InfoSec News on May 10

By Jameson Berkow
Financial Post
May 9, 2011

Canada is becoming a new breeding ground for cyber criminals, according
to a report obtained by the Financial Post.

The number of Canadian servers found to be hosting phishing sites --
malicious websites designed to lure visitors to enter sensitive personal
information -- jumped 319% over the past year,...

Posted by InfoSec News on May 10

By Robert McMillan
IDG News Service
May 9, 2011

Scammers looking to flog cheap software have hacked Web pages on
high-profile websites, including those belonging to NASA and Stanford

NASA, just a week away from its penultimate space shuttle launch, has
now removed dozens of Web pages that popped up on its Jet Propulsion

Posted by InfoSec News on May 10

By Mathew J. Schwartz
May 09, 2011

One-third of security professionals who handle encryption don't
understand self-encrypting hard disk drives. In particular, they're
unsure whether the drives are better or worse than software-based
encryption for preventing tampering, managing encryption, or handling
authentication keys.

Those findings come from a...

Posted by InfoSec News on May 10

By Tim Wilson
Dark Reading
May 9, 2011

A network frequently used by the members of the hacker group Anonymous
has been compromised, according to its operators. The IRC network, which
provided a forum for members of the Anonymous group as well as other
hackers, has been temporarily shut

Posted by InfoSec News on May 10

By Bill Bird
The Beacon News
May 9, 2011

Suzie Steinmetz of Naperville is one of untold Chicago area residents
who have lost money and had their financial identities compromised
following what appears to be credit and debit card PIN pad tampering at
local Michaels stores.

Like other victims, Steinmetz shopped earlier this year at a Michaels...
