Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mobile is the new frontier of videoconferencing, with several vendors bringing mobile devices into the fold for video meetings. Polycom is set to become the latest, with high-definition calling capability on the Apple iPad, Motorola Xoom and Galaxy Tab.
 
President Obama's administration has been tweaking U.S. immigration policy and making small changes where it can to try to encourage the type of immigrant it wants.
 
Intel on Tuesday said it was winding down its TV business and reallocating the resources to develop "ultrabooks," smartphones and tablets.
 
Pango HarfBuzz Engine Buffer Overflow Vulnerability
 
Cisco IOS Smart Install Remote Code Execution Vulnerability
 
RETIRED: Microsoft October 2011 Advance Notification Multiple Vulnerabilities
 
Retired: Autonomy KeyView Filter 'jtdsr.dll' Multiple Buffer Overflow Vulnerabilities
 
BlackBerry service delays experienced by users around the world on Tuesday were caused by a core switch failure within the RIM infrastructure, the company said late Tuesday.
 
After slipping to a two-year low in August, Google inched back up in the U.S. search market last month, according to comScore.
 
IBM is taking its business analytics capabilities down a new path by making them available to IT organizations to monitor and predict issues with systems and processes.
 
Companies should take a pragmatic approach to implementing Hadoop for their "big data" requirements, a new report released Tuesday by analyst firm Forrester Research urges.
 
Google Chrome Prior to 12.0.742.112 Multiple Security Vulnerabilities
 
Microsoft has issued eight security bulletins, two rated ?critical,? for its October 2011 Patch Tuesday. It also released its 11th volume of its Security Intelligence Report.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
Malware and other attack techniques targeting Google Android smartphones are unlikely until cybercriminals figure out how to monetize attacks, according to Symantec.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Presented By:
Cisco and the Future of the Workplace Mobility
  Mobile workers will make up 35% of the global workforce in 2013, creating an ?anywhere office?. Will your network be ready to handle the load? Visualize the ?anywhere office? with Cisco.
http://network.cisco.com/

Ads by Pheedo

 
Microsoft released today volume 11 of its Security Intelligence Report covering the first half of 2011.
--

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Softbiz Article Directory Script 'sbiz_id' Parameter SQL Injection Vulnerability
 
BlueCMS 'X-Forwarded-For' Header SQL Injection Vulnerability
 
Joomla! Clantools Component Multiple SQL Injection Vulnerabilities
 
OneCMS 'index.php' Cross Site Scripting Vulnerability
 
Apple today prepared iOS, Mac and Windows users for tomorrow's launch of iOS 5 and iCloud by shipping iTunes 10.5.
 
Cloud security threats come in all shapes and sizes, so we asked eight experts to weigh in on what they see as the top threat to cloud security. The answers run the gamut, but in all cases, our cloud security panelists believe that these threats can be addressed.
 
Many top websites share their visitors' names, usernames or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.
 
FairSearch.org, a coalition of companies critical of Google's business practices, is urging all 50 U.S. state attorneys general to investigate the search giant over possible antitrust violations.
 
Microsoft today shipped eight security updates that patched 23 vulnerabilities in Windows, Internet Explorer (IE), .Net Framework, Silverlight and other bits in its portfolio.
 
Asus has unveiled its first ultrabook, called the Asus ZenBook, a sub-$1,000, thin, brushed-steel laptop computer aimed to compete with Apple's MacBook Air, as well as with the emerging tablet market.
 
Related POC for JCE Joomla Extension <=2.0.10 MultipleVulnerabilities
 
ZOHO ManageEngine ADSelfService Plus Administrative Access
 
[ GLSA 201110-06 ] PHP: Multiple vulnerabilities
 
[the following is a guest diary contributed by Russ McRee]
Given the extraordinary burst in headlines over the last six months relating to hacktivist exploitation of web application vulnerabilities, Critical Control 7: Application Software Security deserves some extra attention.
The control describes WAF (Web Application Firewall) use, input validation, testing, backend data system hardening, and other well-defined practices. Not until the 6th suggested step does the control state: Organizations should verify that security considerations are taken into account throughout the requirements, design, implementation, testing, and other phases of the software development life cycle of all applications.

For your consideration: it can be argued that, as a canonical principle, strong SDL/SDLC practices woven into the entire development and deployment process leads to reduction of attack vectors. Reduce said vectors and mitigations provided by enhanced controls become less of a primary dependency. Long story short, moving SDL/SDLC practices to the front of the line, while not a quick win, can be a big win. Thats not to say that SDL/SDLC replace or supplants controls, but a reduction in risk throughout the development process puts the onus on secure code where controls become an additional layer of defense rather than the only layer of defense.

One of the advantages to a strong SDL/SDLC practice is the prescription of threat modeling where classification schemes such as STRIDE or DREAD help identify issues early as part of the development lifecycle rather than reactively or as part of controls-based activity.
OWASP offers excellent resources to help with SDL/SDLC efforts.

https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC
https://www.owasp.org/index.php/Threat_Risk_Modeling

As you take a look at testing in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners dont fall victim to vendor hype. Test a number of tools before settling on one as some tools manage scale and application depth and breadth very differently. If youre considering monthly or ongoing scans of applications that may serve thousands of unique pages but with very uniform code, youll want a scanning platform that can be configured to remove duplicate items (same URL and parameters) as well as items with media responses or certain extensions.

There is a wide array of offerings, commercial and free/open source, so test well and consider that you may want to consider more than one particularly if youre considering inexpensive or free. Static code analysis tools are more often commercial but there are some free/open source offerings there as well. Plenty of search results will get you pointed in the right direction but again, test more than one. The diversity of results youll receive from different tools for both dynamic and static testing will surprise you.

Always glad to share experience with some of the tools in these categories should you have questions via russ at holisticinfosec dot org.
Takeaways:

A strong SDL/SDLC program reduces dependencies on controls.
Test a variety of dynamic and static web application testing tools.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Russian blogger Eldar Murtazin asserted today that the Samsung Nexus Prime smartphone and Android 4.0, also known as Ice Cream Sandwich, are "under question" over patent disputes.
 
Over the past several years, JetBlue has migrated from a traditional IT infrastructure with multiple data centers run by on-site employees to an almost completely outsourced model with virtual everything, from desktops to servers.
 
Security is one of the major impediments to enterprises moving their resources into the cloud. So, it's not surprising that numerous cloud security companies are springing up, attempting to address specific cloud security issues, like protecting virtual machines or encrypting data in motion.
 
Global social media revenue is expected to hit $10.3 billion by the end of this year, up 41% from 2010, according to Gartner Inc.
 
APPLE-SA-2011-10-11-1 iTunes 10.5
 
[ GLSA 201110-05 ] GnuTLS: Multiple vulnerabilities
 
[ GLSA 201110-04 ]
 
[ GLSA 201110-03 ]
 
Apple released iTunes 10.5 for Windows and MacOSX. For those following Apple this comes as no big surprise as there are functionality changes expected due to the imminent release of a new iPhone model. What is however a bit surprising is that they also released an impressive list of fixed vulnerabilities in the windows version of iTunes.
Even more interesting is that that list also mentions that e.g. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006 or For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. And those are respectively a security update and an OSupdate that are not yet released at the time of writing.
--

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Overview of the October 2011 Microsoft patches and their status.



#
Affected
Contra Indications - KB
Known Exploits
Microsoft rating(**)
ISC rating(*)


clients
servers




MS11-075
A vulnerability allows random code execution with full system rights through loading a hostile library from a WebDAV network share. Related to SA 2269637.


Active Accessibility



CVE-2011-1247
KB 2623699
No publicly known exploits.
Severity:Important

Exploitability:1
Critical
Important


MS11-076
A vulnerability allows random code execution with full system rights through loading a hostile library from a network location. Related to SA 2269637.


Media Center



CVE-2011-2009
KB 2604926

Exploits are trivial to find on the Internet

Severity:Important

Exploitability:1
Critical
Less Urgent


MS11-077
Multiple vulnerabilities in windows drivers allow Denial of Service, privilege escalation and random code execution.

Replaces MS11-054.


Windows drivers



CVE-2011-1985

CVE-2011-2002

CVE-2011-2003

CVE-2011-2011
KB 2567053

No publicly known exploits

Severity:Important

Exploitability:1
Critical
Important


MS11-078
A vulnerability in .NET (XAML Browser applications) and silverlight allows random code execution with the rights of the logged on user. Also affects IIS server configured to process ASP.NET pages.

Replaces MS09-061, MS10-060 and MS10-070.


.NET framework

Silverlight



CVE-2011-1253
KB 2604930


No publicly known exploits
Severity:Critical

Exploitability:1
Critical
Critical


MS11-079
Multiple vulnerabilities in Forefront Unified Access Gateway allow Denial of Service, privilege escalation and random code execution with the rights of the logged-on user. It affects both the client and server components, the impact is greater on the clients.


Forefront Unified Access Gateway (UAG)



CVE-2011-1895

CVE-2011-1896

CVE-2011-1897

CVE-2011-1969

CVE-2011-2012
KB 2544641
No publicly known exploits
Severity:Important

Exploitability:1
Critical
Important


MS11-080
An input validation vulnerability in the afd.sys driver allows privilege escalation.

Replaces MS10-046.


Ancillary Function Driver (AFD)



CVE-2011-1974
KB 2592799
No publicly known exploits
Severity:Important

Exploitability:1
Important
Less Urgent


MS11-081
The usual monthly collection of vulnerabilities in Internet Explorer. Cumulative patch. All versions of IE6 to IE9 are affected.

Replaces MS11-057.


IE



CVE-2011-1993

CVE-2011-1995

CVE-2011-1996

CVE-2011-1997

CVE-2011-1998

CVE-2011-1999

CVE-2011-2000

CVE-2011-2001
KB 2586448
No publicly known exploits
Severity:Critical

Exploitability:1
Critical
Important


MS11-082
Vulnerabilities in host integration server allow denial of service. The host integration server listens to udp/1478, tcp/1477 and tcp/1478.


Host Integration Server



CVE-2011-2007

CVE-2011-2008
KB2607679
Both vulnerabilities are publicly known.
Severity:Important

Exploitability:NA
Less Urgent
Important




We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

--

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Information about how to securely navigate in the public clouds is, well, cloudy. We asked enterprise IT folks and IT consultants what resources they turned to get educated on this particular topic. The responses can loosely be broken down into three categories: niche conferences; big conferences, and authoritative voices accessible on the Internet.
 
Extending its expertise in the field of high performance computing (HPC), IBM is acquiring cluster computing software vendor Platform Computing, the companies announced Tuesday. Terms of the deal were not disclosed.
 
Corporate executives see the need to use social media to connect with their customers, but many acknowledge that they're still figuring out how best to do it.
 
More and more enterprise IT shops - as they get comfortable with virtualization practices in their own private clouds - are considering a jump to the public cloud. But before making that leap, consider these pieces of advice from those that have already jumped.
 
Microsoft today launched a website that cranks out security scores for the various editions of its own Internet Explorer (IE) as well as browsers built by rivals Google and Mozilla.
 
TwinCAT 'TCATSysSrv.exe' Network Packet Denial of Service Vulnerability
 
The National Institute of Standards and Technology (NIST) awarded today a $1 million cooperative agreement to the University of Maryland at College Park (UMD). Researchers at UMDamp's Institute for Systems Research will help NIST as it ...
 
[ MDVSA-2011:146 ] cups
 
[Announcement] ClubHack Mag Issue 21- October 2011 Released
 
Cisco Unified Presence and Jabber XCP XML Bomb Denial of Service Vulnerability
 
Cogent DataHub Directory Traversal Vulnerability and Information Disclosure Vulnerability
 
[SECURITY] [DSA 2321-1] moin security update
 
[ MDVSA-2011:147 ] cups
 
For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.
 
Some BlackBerry users throughout Europe, the Middle East and Asia experienced outages or delays for about 12 hours Monday, and appeared to be experiencing a second outage today, according to Twitter feeds from carriers in the U.K. and Egypt and other reports.
 
Peer-to-peer software developer Frostwire has agreed to settle U.S. Federal Trade Commission charges that its software would likely cause users to unknowingly share sensitive personal files, including pictures, from their Android devices, the FTC said Tuesday.
 
I have long been a Safari devotee. But since the introduction of Lion—or more accurately the introduction of Safari 5.1—Apple’s web browser quickly fell out of favor with me. Because of a few under-the-hood changes to how Safari does its thing, I’ve ended up abandoning the browser in favor of Google’s Chrome—an app I once said couldn’t serve as my default browser. Times have changed: Safari’s now absent from my Dock, and Chrome has claimed its spot.
 
AT&T announced five new Android smartphones on Tuesday, including the Motorola Atrix 2 with a powerful processor that goes on sale Sunday for just $99.99 with a two-year service agreement.
 
Cray was awarded a $97 million contract to build a supercomputer that could potentially deliver up to 20 petaflops of peak performance, or 20 quadrillion floating operations per second, to the Oak Ridge National Laboratory.
 
[SECURITY] [DSA 2320-1] dokuwiki regression fix
 
Contao 2.10.1 Cross-site scripting vulnerability
 
ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
 
Six weeks after EMC's RSA security division saw its SecurID system hit by hackers, RSA president Tom Heiser met with the CIO of a large global medical device company.
 
Fiberlink is moving beyond just managing the delivery of enterprise mobile applications with the launch of MaaS360 AppCloud, a service in which Fiberlink will host the apps.
 
Toshiba will begin shipping its highest-capacity 2.5-in. enterprise-class hard drive early next year. The drive comes with native encryption for data security.
 
Overland Storage today announced its first converged NAS and iSCSI SAN array that scales up to 288TB, and has a starting price of about $1,700.
 
Bluefire Productions announced e-reader software that can be used by independent booksellers for Android devices. The software is a supplement to a free Bluefire e-reader version for iPad that was released last November.
 
The latest additions to Nokia's phone portfolio, the C2-05 and the X2-05, come with a new browser that uses Nokia's own compression technology to deliver content faster, the company said in a blog post on Tuesday.
 
With data doubling about every year, the University of Kansas Physicians group turned to virtualization to cut costs and boost performance.
 
Microsoft advises that users don't panic when news breaks about the latest zero-day vulnerability, a flaw that hackers exploit before a software developer manages to patch the problem.
 
Nginx, an increasingly popular open source Web server software program, has gotten some commercial backing.
 
From relocating non-critical data to standardizing servers and storage, IT leaders offer their tips for how to get more out of your data center.
 
While Apple's iPad reigns as the top-selling tablet in China, half of the sales for the iconic device have come from unauthorized resellers, according to a Beijing-based research firm.
 
The website of the New York Stock Exchange slowed down significantly twice on Monday afternoon, the day when the hacker group Anonymous was scheduled to launch a DDoS (distributed denial-of-service) attack on the website, according to an Internet and mobile cloud monitoring company.
 
If recent trends continue, C could supplant Java as the most popular programming language by next month
 
Dovecot 'script-login' Multiple Security Bypass Vulnerabilities
 
Dovecot Sieve Plugin Multiple Unspecified Buffer Overflow Vulnerabilities
 
E-commerce, mobile computing, tablets and other emerging channels have become so important to Best Buy that the company is rebuilding internal IT resources it outsourced seven years ago.
 

Posted by InfoSec News on Oct 11

http://newsinfo.iu.edu/news/page/normal/19832.html

FOR IMMEDIATE RELEASE
Oct. 6, 2011

BLOOMINGTON, Ind. -- The Indiana University School of Optometry has
notified 757 patients that a computer server on which certain health
information was stored was visible on the Internet for almost a month,
between August and September 2011.

The server, containing information relating to patients seen by a former
faculty member of the school, Kevin E....
 

Posted by InfoSec News on Oct 11

http://www.ameinfo.com/277676.html

AME Info
October 11 - 2011

The first ever CyberLympics regional finals at Gitex Technology Week
head towards the climax of the competition with some of the most skilful
hackers from India and the Middle East taking part in a series of
ethical challenges to attack and defend a number of software targets.

Covering web applications, OS compromise, exploit hunting, and lock
picking, the event involves six...
 

Posted by InfoSec News on Oct 11

http://www.csoonline.com/article/691438/kenyan-banking-security-regulation-spurs-growth-of-data-centers

By Rebecca Wanjiku
CSO
October 10, 2011

The Kenyan government's regulations for back up and disaster recovery
plans in the banking sector has spurred growth in data centers, as
businesses move to comply to new rules.

The Central Bank of Kenya has strict risk and compliance guidelines that
compel banks to put in place mechanisms to...
 

Posted by InfoSec News on Oct 11

http://www.guardian.co.uk/technology/2011/oct/10/lulzsec-hacker-sun-emails

By Charles Arthur
guardian.co.uk
10 October 2011

The hacker who styles himself "Sabu", erstwhile leader of the LulzSec
hacking crew, claims to have a cache of emails copied from the Sun which
are being stored on a Chinese server, along with data from a number of
other hacks.

But he claimed this weekend that they will not be released yet: "there
are a...
 

Posted by InfoSec News on Oct 11

http://www.v3.co.uk/v3-uk/news/2116018/london-olympics-team-prepares-cyber-physical-attacks

By Rosalie Marshall
V3.co.uk
10 Oct 2011

London 2012 chief executive Paul Deighton on Monday officially launched
the technology hub set to play a key role at the Olympics next year and
revealed the exhaustive measures put in place to safeguard the
infrastructure from attack or systems failure.

The Technology Operations Centre (TOC) for the London...
 
Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure Vulnerability
 
Internet Storm Center Infocon Status