InfoSec News

Apple's new iPad has plenty of new features -- but are they enough?
The following domain name registration scam has been making rounds at least for a couple of years. Itslongevity suggests that it remains effective at separating the victims from their money. The scam's email messages usually begin with the phrase:

(It's very urgent, Please transfer this email to your CEO or appropriate person, thanks)

The message is typically addressed to the generic title of CEO, President or Principal without specifying the person's name. It claims to come from a Chinese domain registration organization and states that some company is trying to register Asian versions of the domain name associated with the recipient's company, in TDs such as:

.asia, .cn, .co.in, .com.cn,com.hk,com.tw, .hk, .in,.net.cn,.org.cn, .tw
The text urges the recipient to contact the sender to protect this domain from the alleged impostor. Here's a sample:

After our initial checking, we have found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If you have not, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for 'Arub Asia Investment Ltd'.
The sender signs off with Best Regards and includes an email signature block that usually looks like this:

Best Regards,

Charles Chen

Tel:+86-5515223114 Fax:+86-5515223113

No.1688 Taihu Road,Baohe District,Hefei,Anhui,China
The text of the email message is mostly the same as it was when we saw this scam in 2010, though the sender's name, company association, domain name and address details are different.
BloggerMichael Lerner described his email interactions with the company sending such email messages in 2010, which confirmed that the scammers' goal was to convince the victim into registering the domain names in question through their company. Here's an excerpt from a response to Michael's correspondence:

If you think his registration will confuse your clients and harm your profits, we can send an application document to you and help you register these domains within our approving period. This is a better way to prevent domain name dispute

The most recent variant we've seen asked the sender to respond to [email protected] The website residing at that domain claims to belong to a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service, network promotion service, etc. The organization's website includes the slogan The Better Network, The Better Solutions.Searching for this slogan reveals lots of websites with nearly identical text and similar design.
If you analysed this old, yet still widespread scam, or if you have additional details to share regarding it, please contact us.
-- Lenny Zeltser

@lennyzeltser (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
San Jose is casting a vote of confidence in municipal Wi-Fi from the heart of Silicon Valley, planning a new, free network just a few years after such networks were declared all but dead.
ZB BLOCK Multiple Cross Site Scripting Vulnerabilities
Yahoo is accusing Facebook of copying a range of technologies that the flagging search company invented, in a lawsuit that alleges the social media giant infringes 10 patents.
Synology Photo Station 'photo_one.php' Script Cross Site Scripting Vulnerability
An analysis of installed endpoint security applications found Avast with a strong lead in the global antivirus market, followed by Avira, AVG, Microsoft and ESET.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A Tennessee official is blaming inadequate training, ignored warnings and unwise technology choices for ongoing problems with an installed software system used by the state Department of Children's Services.
Google Chrome Prior to 16.0.912.77 Multiple Security Vulnerabilities
Yahoo is accusing Facebook of copying a range of technologies that the flagging search company invented, in a lawsuit that alleges the social media giant infringes 10 patents.
OpenSSL has issued a security update for the CMS and S/MIME Bleichenbacher attack (CVE-2012-0884). SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code. [1]
OpenSSL 0.9.8u and OpenSSL 1.0.0h are available for download here.
[1] http://www.openssl.org/news/secadv_20120312.txt

[2] http://www.openssl.org/source/
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A new category of thin and light Windows 7 laptops called ultrabooks has emerged in the past few months, but questions remain about whether the time is ripe to buy or to wait for Windows 8 models with features like touchscreens.
WebKit Multiple Unspecified Memory Corruption Vulnerabilities
WebKit Multiple Unspecified Cross Site Scripting Vulnerabilities
WebKit Multiple Unspecified Memory Corruption Vulnerabilities
NBC Universal Media's publishing division has begun re-using its extensive video archives collected over decades to place video clips inside new e-books that will be sold on a variety of tablet platforms.
CNN may be in the process of buying online news and blogging site Mashable, according to reports.
NetBase's Enterprise Social Intelligence (ESI) platform is gaining new social media monitoring capabilities, the company announced on Monday.
AT&T isn't taking a spring break when it comes to LTE deployments.
The founder of the Cloud Computing Interoperability Forum is working to revive the organization, which fizzled in 2010.
Many people switching from Windows PCs to the Mac worry that they must leave the Windows world--and the files they've created in it--completely behind. And for those who need to run application not found on the Mac or who just can't bear doing without a favorite Windows-only game or two, this is a legitimate concern. Thankfully, you can have the best of both worlds as today's Macs can run Windows natively using Apple's Boot Camp technology. This technology creates a separate partition on your Intel Mac's hard drive where you can then install a copy of Microsoft Windows. In order to use Boot Camp, you must restart your Mac from this partition. When you do, Windows runs almost exactly as it would on a PC.
MySQL MyISAM Table Symbolic Link Local Privilege Escalation Vulnerability
[SECURITY] [DSA 2432-1] libyaml-libyaml-perl security update
Apple released Safari 5.1.4 for Windows as well as for OS X.
This update addresses a large number of bugs in Safari itself and in WebKit. Some of the issues fixed:
- Safari for Windows: An International Domain Name (IDN) issue with look alike characters. (I just patched Safari for OS X, and oddly, Safari still appears to render .com domains using international characters vs. punny-code. Firefox and Chrome do not show international characters for .com )
- All versions of Safari: While private browsing was active, sites were still recorded in the browsing history.
- 5 different cross site scripting vulnerabilities in WebKit
- a cookie disclosure vulnerability (WebKit)
- a cross origin issue in Webkit.
- 40 or more webkit issues that could lead to arbitrary code execution.
The update should be listed eventually at the standard Apple security URL:http://support.apple.com/kb/HT1222

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The sales of storage software in 2011 produced record revenues of more than $14 billion, IDC said.
eBay resellers are asking an average price of $591 for the base model of Apple's new iPad, or nearly $100 above list, the online auction site said today.<
A recent survey of the IBM SHARE user group found just 25% of respondents were collecting data from social media networks for business purposes, though many more are apparently planning to do so in the near future.
Python Hash Collision Denial Of Service Vulnerability
Oracle MySQL Server CVE-2012-0087 Remote Security Vulnerability
APPLE-SA-2012-03-12-1 Safari 5.1.4
On March 9, the National Institute of Standards and Technology (NIST) announced that it is soliciting proposals to establish a steering group in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and to provide ...
Optical cables for Thunderbolt ports that enable faster data transfers over longer distances on computers such as Apple's Macintosh will be available later this year, Intel said Monday.
As the second-largest metropolitan area in the United States, Los Angeles is home to four million residents and the mecca for most of the entertainment industry's high-profile events. The almost constant stream of celebrity-infused happenings that require serious crowd control keeps the Los Angeles Police Department very busy.
Delays for Apple's iPad jumped yesterday as the company told U.S. customers that new orders would ship in two to three weeks.
MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability
Puppet Multiple Local Privilege Escalation Vulnerabilities

Oz ethical hackers to be set professional standards
CSO Magazine
I call on everyone in the Infosec community to lobby their MP to stop this sad joke immediately. The content of this field is kept private and will not be shown publicly. Users posting comments agree to the CSO comments policy.

and more »
What's in a name? When it comes to servers, as it turns out, quite a lot.
A limitation built recently into Google Chrome to detect and block Flash Player exploits ended up breaking certain Flash-based applications and games for some users.
Aurora WebOPAC SQL Injection - Security Advisory - SOS-12-004
Android wireless accepts fake response (No interaction requires) (Vulnerability ?)
OSI Security: CheckPoint Firewall VPN - Information Disclosure
Apple along with five ebook publishers must address all the European Commission's antitrust concerns before any settlement can be reached warned the European Union's competition chief on Monday.
And what should companies do about truly persistent threats?
[SECURITY] [DSA 2431-1] libdbd-pg-perl security update
[SECURITY] [DSA 2430-1] python-pam security update
Re: Ariadne 2.7.6 Multiple XSS vulnerabilities
Wikidforum 2.10 Multiple security vulnerabilities

Career Watch: Which will be the jobs of the 21st century?
I've been a systems administrator for a while, but I'm becoming more and more interested in security (by way of very interesting interactions with our excellent infosec staff). Any ideas on how to move into that area? Take advantage of your information ...

and more »
Setting aside the hype, advanced persistent threats do present CISOs with a few to-dos
Next month Marvel Comics is releasing a new application that will add augmented reality content to some of its comic books, the company announced on Sunday at the SXSW Interactive conference in Austin, Texas.

The big-bad scary zero-day exploit: it sends almost the same kind of shivers down everyone’s back as APT. Yet, like the advanced persistent threat, the zero-day is suffering some hype fatigue. More Web servers are popped by known bugs and exploits than some shadowy secretive attack crafted by the Electrical Engineering University of China’s People’s Liberation Army. Yet companies are still bombarded with marketing FUD about zero-days despite numbers that indicate exploits hitting unknown vulnerabilities account for less than 1% of all malware.

So do zero-days matter? Like everything else in security, it depends. If you’re in the bug hunting and bug selling business, they sure do. Last week’s CanSecWest hacker, err, researcher conference in Vancouver was a zero-day Lollapalooza with companies like VUPEN taking dead-aim at Google Chrome and Microsoft’s IE9 browser with zero-days developed just for the event. The French company, called out by privacy advocate Chris Soghoian at the recent Kaspersky Security Analyst Summit, admits to holding on to certain vulnerabilities and exploits only for its customers, refusing at times to share information with the affected vendors. Soghoian said VUPEN and others sell exploits to governments, who pay a heck of a lot more for what can be turned into a weaponized exploit than say a security conference or a bug bounty program, such as TippingPoint’s Zero-Day Initiative.

VUPEN CEO Chaouki Bekrar told Threatpost that VUPEN’s government customers are only trusted democracies and not oppressive countries. Taking him at his word, there’s still the argument that while a select few get a fix, the general user population remains exposed. It’s silly to think attackers aren’t way ahead of the game and already have their share of unreported bugs and exploits at their disposal, but this level of backroom wheeling and dealing is disconcerting. It casts a poor light on offensive security research and events like the Pwn2Own contest are probably unwillingly aiding and abetting.

I had a conversation with Microsoft senior security strategist lead Katie Moussouris recently about zero-days and vulnerability disclosure. Katie has been in the security business a while, including a stint at @Stake back in the day, and she said Microsoft’s experience with the research community is much different. She said that 80% of vulnerabilities found in Microsoft products are disclosed privately, and 90% of those disclosures are made directly to Microsoft. Most researchers, she said, are not motivated by money, but by intellectual curiosity. As a result, Microsoft has shied away from offering a bug bounty, and has instead focused on rewarding defensive security research with initiatives such as its Blue Hat Prize.

These are watershed days for security researchers and vulnerability disclosure. To be honest, the whole disclosure debate probably gives most of you a headache, worst of all if you’re a CISO sitting between the researchers and the vendors and the VUPEN-like middlemen while all this wrangling plays itself out. Tim Stanley, former CISO at Continental Airlines, summed it up best a couple of years ago:

“I love the love-fest between the vendors and researchers, but quite honestly, I don’t give a hoot. I’m the consumer, the guy who paid for the product that I expect to be correct in the first place. I’m the guy who paid for the software. When am I gonna know? The issue becomes a matter where the people paying for the product need to be better represented in this process.”


Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Infor on Monday launched Inforce Everywhere, the first in a series of planned software products that will tie its ERP (enterprise resource planning) applications to Salesforce.com.
ECM matters because information's 'findability' will be a big part of CIO success in the years ahead. (Insider, registration required.)

Singapore Expands Into Cyber Defense Business
DefenseNews.com (subscription)
Ltd. (STEE-InfoSec), to provide hardware products to defend against cyber attacks and protect networks under the DigiSAFE name brand. STEE-InfoSec, previously known as DigiSAFE Pte. Ltd., specializes in the design, development and manufacturing of ...

and more »
perl-DBD-Pg Module Multiple Format String Vulnerabilities
China's two leading video sites, Youku and Tudou, announced on Monday the companies would merge, creating the country's largest online video platform and dealing a blow to the companies' rivals.
Some big names in Silicon Valley's tech community are helping a group of talented, young students who are victims of circumstance and politics.
Pilot fish is tapped to help a team that has been unable to fix a server that's been down for two weeks. He arrives on the scene and promptly spots the problem... (Insider, registration required.)
There's always a reason why things break in IT, and the powers that be can usually find someone to blame -- whether that someone is a data center operations staff member, an OEM, a systems integrator or a third-party service provider. (Insider, registration required.)
As workers increasingly use personal or company-owned consumer technology on the job, IT managers face an ever-growing challenge -- maintaining control of corporate data as hundreds or thousands of new devices are added to a company's technology stable.
Scientists at IBM Research say they have achieved a major breakthrough in quantum computing that will allow engineers to begin creating a full-scale quantum machine.
Carrier IQ executives said they hope that customers are once again realizing the value of the data that the company's software collects, after some operators disabled the software following a privacy uproar late last year.
Researchers last Friday unveiled zero-day vulnerabilities in Google's Chrome and Mozilla's Firefox during the final day of two hacking challenges that awarded $210,000 to contestants.
One expected benefit from the shift to the cloud is the emergence of a refreshing new crop of innovative software suppliers.
CIOs are waking up to the reality that they've lost control over access to data stored in software-as-a-service applications purchased by other departments.
Heavy-duty mobile IT apps for the iPad, iPhone, and Android devices have many IT departments on the move

Posted by InfoSec News on Mar 12


The Secunia Weekly Advisory Summary
2012-03-04 - 2012-03-11

This week: 179 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Mar 12


By Amber Corrin
March 09, 2012

The Battle of the Atlantic was World War II’s longest military campaign
and centered on U.S. merchant ships and German U-boats, but there are
lessons from that battle that are applicable to the Defense Department’s
enterprise approach to cyber warfare, according to the Defense
Information Systems...

Posted by InfoSec News on Mar 12


By Elinor Mills
March 10, 2012

AUSTIN, Texas -- Some funny things were happening at the South by
Southwest conference here today. My virtual private network connection
kept getting disabled, and even stranger, on a friend's laptop a window
popped up showing an animated cartoon cat flying through the air with a
rainbow in its wake....

Posted by InfoSec News on Mar 12


By Kim Zetter
Threat Level
March 9, 2012

VANCOUVER, British Columbia -- Just hours before the end of Google’s $1
million hack challenge, a teenager who once applied to work at Google
without getting a response, hacked the company’s Chrome browser using
three zero-day vulnerabilities, one of which allowed him to escape the
browser’s security sandbox.

The tall...

Posted by InfoSec News on Mar 12


By Lee Seung-ho
Korea JoongAng Daily
March 12, 2012

The major computer hackings of Nonghyup and Hyundai Capital last year
make many people think that hackers are only interested in banks and big

The reality is that hackers are interested in individuals too. And they
are getting cleverer about how to make you open up your computer for
their gain.

Google Chrome Prior to 17.0.963.79 Remote Code Execution Vulnerability
Last week's column about The Google and its new privacy policy got quite a response, ranging from "I don't get it, what's the fuss?," through to "I don't care, I have nothing to hide," and "it's been pretty obvious for years where this was all heading but very few people bothered to sound the alarm ... until now when it's too late."
After the Dow Jones Industrial Average climbed over 13,000 recently, San Jose Mercury News columnist Mike Cassidy made an impassioned case for including Apple in the index, a position he buttressed in part by citing an analysis by Adam Nash of Greylock Partners.
Internet Storm Center Infocon Status