(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Some of the smallest mobile operators in the U.S. have lined up behind a deal that would dramatically expand the country's fourth-largest carrier, a twist that has everything to do with the national dominance of AT&T and Verizon Wireless.
Google will pay $7 million to settle complaints from dozens of U.S. states about its unauthorized collection of personal data transmitted over Wi-Fi networks.

Microsoft has plugged a hole in its Windows operating system that allowed attackers to use USB-connected drives to take full control of a targeted computer.

Microsoft said it classified the vulnerability as "important," a less severe rating than "critical," because exploits require physical access to the computer being attacked. While that requirement makes it hard for hacks to spread online, readers should bear in mind that the vulnerability in theory allows attackers to carpet bomb conferences or other gatherings with booby-trapped drives that when plugged in to a vulnerable computer infect it with malware. Such vulnerabilities also allow attackers to penetrate sensitive networks that aren't connected to the Internet, in much the way the Stuxnet worm that targeted Iran's nuclear program did.

"When you look at it in the sense of a targeted attack, it does make the vulnerability critical," Marc Maiffret, CTO of BeyondTrust, told Ars. "Because of things like Stuxnet raising awareness around the physical aspect of planting USB drives or having people to take these things into facilities, it does make it critical."


IBM WebSphere DataPower XC10 Denial of Service and Security Bypass Vulnerabilities
Adobe Flash Player and AIR CVE-2013-0646 Remote Integer Overflow Vulnerability
As part of its monthly issue of software patches, Microsoft has fixed a Windows vulnerability that would have allowed someone to subvert a computer's security using only a USB thumb drive and some attack code.
Some U.S. taxpayers may have to wait a bit longer than usual to get their refunds, due to problems that recently cropped up with Intuit's tax-preparation software.
The lack of IT workers has forced healthcare to recruit IT help from other industries, according to PricewaterhouseCoopers, which says systems and data integration skills are the most sought-after.
Researchers from AT&T Labs will present the results of a record-setting fiber-optic transmission experiment next week at the Optical Fiber Communication Conference/National Fiber Optic Engineers Conference in Anaheim.
Facebook is planning a series of three events that will for the first time give mobile developers a chance to hear directly from the company and interact with its engineers and product managers.
Less than six weeks after the Department of Homeland Security issued a civil rights impact assessment saying that the government needed no warrant or cause to search electronic devices at U.S. borders, a federal appellate court has ruled otherwise.
Adobe Flash Player and AIR CVE-2013-0650 Use After Free Remote Code Execution Vulnerability
Adobe Flash Player and AIR CVE-2013-1375 Remote Heap Based Buffer Overflow Vulnerability
Adobe Flash Player and AIR CVE-2013-1371 Memory Corruption Vulnerability
South by Southwest Interactive is best known as the technology festival that put such social networking mainstays as Twitter and Foursquare on the map. But if there was a 'next big thing' at this year's event, finding it would be pretty hard.
As 115 Roman Catholic cardinals are isolated behind closed doors in the Sistine Chapel to choose a new pope, the historic tradition has focused a lot of attention on modern technology.
Cyberattacks are near the top of the list of most serious threats facing the U.S., with the rivaling concerns about terrorism and North Korea, intelligence officials with President Barack Obama's administration said.
Adobe today patched Flash Player, the fifth time this year it's updated the vulnerability-plagued software.
After just seven months on Mars, NASA's rover Curiosity has sent back apparent proof that the Red Planet could have supported life in the distant past.
Momentum is growing in the U.S. Congress to overturn a U.S. Library of Congress ruling that took mobile phone unlocking out of the legal exemptions to the Digital Millennium Copyright Act.
The merger between T-Mobile USA and MetroPCS moved one step closer to completion on Tuesday as the FCC approved the deal without conditions.
Microsoft Visio Viewer VSD File Format CVE-2013-0079 Remote Code Execution Vulnerability
The Chinese government says these aren't the hackers you're looking for.

After a rash of attacks against US businesses and government agencies throughout the past few months, the White House is now putting the issue of Chinese state-backed hacking on the front burner. Many of these attacks have been tied by network security firms directly or indirectly to a unit of the Chinese People's Liberation Army (PLA), though Chinese officials still deny any link to the attacks (they claim that China's networks are victims being targeted as well). However, country officials signaled a willingness to talk with the US about cooperation on Internet security—even if it's not clear whether or not the Chinese civilian government is completely in control of the PLA's operations.

White House National Security Advisor Tom Donilon said yesterday that the ongoing alleged Chinese attacks and theft of data from US government and business networks has elevated "cyber" to the top of President Obama's priority list in policy toward China. "From the President on down, this has become a key point of concern and discussion with China at all levels of our government," Donilon told an audience at the Asia Society in New York. "And it will continue to be."

The Obama administration is seeking three things from China's leadership with regard to cyber-espionage, Donilon said. "First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry, and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."


The front page of exposed.su.

Identity thieves have posted social security numbers, credit information, and other sensitive data belonging to more than a dozen politicians and celebrities. It's a list that includes Vice President Joe Biden, FBI Director Robert Mueller, former Secretary of State Hillary Clinton, rapper Jay Z, and actor and director Mel Gibson.

The website, exposed.su, surfaced on Monday with birth dates, telephone numbers, home addresses, and in some cases credit reports for a handful of politicians and celebrities. Throughout the past 24 hours the site has published details on additional individuals. Social security numbers for Mueller, Jay-Z, and Gibson appeared to be valid, the Associated Press reported. Los Angeles Police Chief Charlie Beck, whose information was also posted on the site, hasn't challenged the accuracy, either. Still, other journalists wrote that phone numbers purportedly belonging to former California Governor Arnold Schwarzenegger and actor Ashton Kutcher reportedly went to a movie production company and a New York-based accounting firm respectively.

The site included the image of a gaunt young woman with black circles around her eyes and an index finger in front of her lips. It was headed by a quote from the Showtime TV series Dexter, in which the title character says, "If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve." The site included an embarrassing or humorous photo related to each individual whose information was disclosed. The act of publicly documenting the private details of people is known as "doxxing," and it came into vogue a few years ago with the growing visibility of the Anonymous hacking collective.



This month Adobe decided to fix four vulnerabilities in their Flash Player and AIR products for Black Tuesday:

APSB13-09 tells about the fixes for CVE-2013-0646 (integer overflow), CVE-2013-0650 (use after free), CVE-2013-1371 (memory corruption) and CVE-2013-1375 (heap buffer overflow).


Swa Frantzen -- Section 66
Chip makers STMicroelectronics and Texas Instruments have announced partnerships with Swedish vendor Thingsquare, which has developed a tiny operating system designed to make it easier to connect a broad variety of things, from street lights to thermostats.
With accelerating growth in tablets and smartphones and a maturing of OSes, PCs are seeing far less growth in DRAM use.
Google showed off apps, audio and gesture control for Google Glass at the South by South West (SXSW) conference.
Aggressive sales of smaller tablets triggered a revised tablet sales forecast today by IDC, which upped its projections for 2013 and said Android would supplant Apple's iOS as the dominant operating system this year.
LinkedIn may be the go-to place for many job seekers, but dont stop there. Here's a look at how you can use Facebook, Twitter and Google+--as well as some lesser-known social networks--to attract recruiters and land a job.
Four more holes in Adobe's Flash Player have been patched by the company. The priority given to the holes indicates that exploits for at least one of them are being used in the wild

Privoxy Proxy Authentication Credential Exposure - CVE-2013-2503

Overview of the March 2013 Microsoft patches and their status.

The table as published has the columns Affected, Contra Indications - KB, Known Exploits, Microsoft rating(**) and ISC rating(*) (client / server). The entries below keep whatever survived of each column.

Internet Explorer (cumulative update)
    The usual MSIE cumulative patch, adding fixes for eight more vulnerabilities. All eight are use-after-free bugs and all allow arbitrary code execution.
    Replaces MS13-009.
    Known exploits: CVE-2013-1288 was made public, according to Microsoft.

Silverlight
    A double-dereference vulnerability that allows arbitrary code execution in Silverlight.
    This also affects the Mac version of Silverlight 5; the update is expected via the auto-update feature on Macs.
    Replaces MS12-034.
    Known exploits: no publicly known exploits.

Visio Viewer
    A memory management vulnerability allows arbitrary code execution in the Visio Viewer. The full Visio product is not affected by this problem.
    Replaces MS12-059.
    Known exploits: no publicly known exploits.

SharePoint
    Four different privilege escalation vulnerabilities in SharePoint. Of note: an XSS and a directory traversal vulnerability, in addition to a problem with callback functions and a buffer overflow.
    Replaces MS12-066.
    Known exploits: no publicly known exploits.

Buffer management (information disclosure)
    A buffer management problem allows leaking arbitrary data from memory. It could expose usernames and passwords of accounts.

Outlook for Mac
    Contra indications - KB: Outlook isn't part of all Office for Mac 2011 licenses either.
    Replaces MS12-076.
    Known exploits: no publicly known exploits.
    ISC rating: Less Urgent / Less Urgent.

USB kernel-mode drivers
    Three similar problems exist in the Windows USB drivers that allow privilege escalation to full administrative rights.
    Known exploits: no publicly known exploits.
    ISC rating: Less Urgent.

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are in place are simple best practices for servers, such as not using Outlook, MSIE, Word etc. on them for traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all of them, because Microsoft assigns too many separate ratings to some of the patches to list them all.


Swa Frantzen -- Section 66
Small businesses looking for network attached storage would be wise to look at the Netgear ReadyNAS Ultra 2. Administrators will find this appliance easy to manage and will appreciate its support for third-party add-ons.
Hewlett-Packard's purchase of Autonomy is under investigation by the U.K. Serious Fraud Office, the company said in a regulatory filing ahead of its annual meeting where there are expected to be challenges to the re-election of Chairman Ray Lane and two board members.
China and the US have both signalled that they are prepared to talk over the increasingly heated issue of cyber espionage, but not without conditions being met for both sides

Gary McGraw talks about the past and future of the BSIMM maturity framework for software security, and how vendors like Adobe and Microsoft measure up.

Microsoft later today will reverse a months-long practice in how Internet Explorer 10 handles Adobe's Flash Player on Windows 8's and Windows RT's Modern user interfaces.
As demand for PC processors plummets, Advanced Micro Devices has borrowed technologies from mobile devices and gaming consoles as a way to perk up sales of its A-series laptop processors, which were introduced on Tuesday.
South by Southwest Interactive is such a massive technology conference with so much activity and many ideas being thrown around at once that it can be hard to give an overall feel for the Austin, Texas, extravaganza using just words.
A Cisco-funded router startup has unveiled its first product, which the company says implements breakthrough silicon-to-photonics circuitry for scaling service provider networks and enabling them for software-defined networking (SDN).
LinuxSecurity.com: Updated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated kernel-rt packages that fix several security issues and three bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
LinuxSecurity.com: Yves Orton discovered a flaw in the rehashing code of Perl. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Specifically an attacker could create a set of keys of a hash causing a denial of service via [More...]
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Several vulnerabilities have been discovered in sudo, a program designed to allow a sysadmin to give limited root privileges to users. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
LinuxSecurity.com: Updated 389-ds-base packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]

Oops, it's on!

Even if you could not care less about IPv6, there are quite serious security consequences to it being out there and to your devices having it. Even if you're not actively participating, you need to address the risk IPv6 poses in some environments.

IPv6 comes equipped with transition mechanisms to connect across IPv4 networks, which sounds logical: until IPv6 is globally rolled out (if that ever happens), all globally accessible services (like the web) are on the old IPv4 network. But even when you least expect it, IPv6 can open up tunnels through IPv4 networks and connect anyway, even where you have blocked native IPv6 at the perimeter and the like.

Now there are places where you want no complications from having to deal with two concurrent IP stacks. E.g. an easy-to-audit, high-security setup (a keep, or donjon) that is not likely to run out of addresses is much easier to build if you can do it without the added complexity of a second stack.

So what can we do?

Hosts

At the host level we can try to tell it not to participate in IPv6, but that might not be all that easy. Back when IPv6 started to be implemented, some of us ripped IPv6 support out of the kernels of our more critical machines. But even if you still succeed in that (it's not as easy anymore as in the early days), there is more and more you have to do, as more and more of the system tools are IPv6-aware and will complain loudly if the kernel doesn't do IPv6 anymore.

There's a point where this doesn't pay off anymore, and obviously it's not something you can do in proprietary OSes anyway.

Many devices also simply cannot be configured not to do any IPv6 on their interfaces.

So your options on hosts are often limited, and there is often no central control to enforce it across all the hosts you might have.

Network

The more intelligent your network is, the more likely you can write filters in it not to transmit IPv6 packets. This is still not your perimeter blocking it, but it's your best approach to make sure machines do not start to talk IPv6 among themselves within your perimeter.

In larger networks one can e.g. use NetFlow to monitor for IPv6 traffic on the inside as well.

Perimeter / Firewall

Your firewall is essentially a router that filters traffic. Most high-end environments will have a default-closed policy, and as long as that policy is also applied to IPv6 you should be in the clear for traffic that passes through your perimeter.

But: how do you know it is in fact closed for IPv6 when you have e.g. somewhat older software that only knows about IPv4? How can you be sure it's blocking IPv6?

The answer lies in detecting IPv6 traffic.

Similarly, if your policy isn't a fully closed one, you need to make sure that IPv6 packets disguised as IPv4 do not leave your secured area, as the hosts sending them would become reachable from the outside through the tunnels they create themselves.


Your IDS/IPS and other monitoring might need to watch for IPv6 use if you do not want it to be used.


So that leaves us to try to enumerate how IPv6 can be embedded in IPv4.

If you look at the IPv4 protocol numbers (official IANA list), you'll notice there are a lot of them related to IPv6. Yes, IPv6 can be encapsulated directly in IPv4, sitting in the protocol field alongside ICMP (1), TCP (6), UDP (17) etc.

The most commonly known one is 41 (IPv6 encapsulated in IPv4, used by 6in4, 6to4 and ISATAP), but the registry also lists 43 (IPv6-Route), 44 (IPv6-Frag), 58 (IPv6-ICMP), 59 (IPv6-NoNxt) and 60 (IPv6-Opts), all relating to IPv6.

In order to pass through our IPv4 NAT gateways (technically some will call it port address translation, as more often than not we're doing an N-to-1 mapping), it's easier for those building a tunnel to encapsulate their IPv6 in UDP packets: protocol 41 carries no port numbers for the NAT to map, UDP does.

So you need to know these too. The one I know of is Teredo, which is built into Windows and enabled by default.

Teredo clients talk to their Teredo server on UDP port 3544 by default.

Essentially nothing prevents a determined (or malicious, if you're enforcing policies) entity on the inside of your perimeter from tunnelling any protocol over any other allowed one; even if proxied, nothing changes there, obviously. As soon as you allow communication there is a potential for those on the inside and outside to work together to build a tunnel. Fact of life.

Well known endpoints

There are a number of well known endpoints for IPv6 tunnels.

DNS requests for isatap.MyCompany.com (the isatap label in your own domain) indicate ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) router discovery in action.

DNS requests for teredo.ipv6.microsoft.com indicate Teredo in action (it is the default Teredo server name in Windows).

192.88.99.0/24 is the 6to4 relay anycast range.

Those can be blocked and/or monitored. But again, no guarantees exist that no new tunnelling mechanisms will be invented, or existing ones intentionally modified, to escape anyway.
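As an added example (mine, not code from the diary or from ISC): a small Python classifier that walks raw IPv4 packets and tags the indicators listed above: the protocol-41 family from the IANA registry, the 6to4 relay anycast range, 6to4, Teredo and ISATAP addresses inside a decapsulated packet (the ISATAP interface identifier ::0:5efe:w.x.y.z is from RFC 5214, the Teredo prefix 2001::/32 from RFC 4380), UDP/3544, and DNS lookups for isatap.<domain> or teredo.ipv6.microsoft.com. Every packet it scans is constructed inline from documentation and private address space, so it runs offline; the function and tag names are my own.

```python
"""Tag IPv6 tunnelled inside IPv4: the protocol-41 family, Teredo on UDP/3544,
6to4 relay traffic and tunnel-discovery DNS lookups.

Added example for this diary, not ISC code. The packets in SAMPLES are built
by hand below; all addresses are documentation/private space and made up.
"""
import ipaddress
import struct

# IANA IPv4 protocol numbers that carry IPv6 (41) or IPv6 extension headers.
IPV6_PROTOCOLS = {41: "IPv6", 43: "IPv6-Route", 44: "IPv6-Frag",
                  58: "IPv6-ICMP", 59: "IPv6-NoNxt", 60: "IPv6-Opts"}
TEREDO_PORT = 3544
TEREDO_SERVER = "teredo.ipv6.microsoft.com"           # default Windows Teredo server
SIXTO4_RELAY = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast range
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")      # 6to4 addresses
TEREDO_PREFIX = ipaddress.ip_network("2001:0::/32")    # Teredo addresses


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], ipaddress.ip_address(pkt[12:16]),
            ipaddress.ip_address(pkt[16:20]), pkt[ihl:])


def inner_ipv6(data):
    """(src, dst) if data starts with an IPv6 header, else None."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return (ipaddress.ip_address(data[8:24]), ipaddress.ip_address(data[24:40]))


def dns_qname(data):
    """First question name of a DNS query (plain labels, no compression)."""
    pos, labels = 12, []
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        if n >= 0xC0:                     # compression pointer: not a plain question
            return None
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels).lower() or None


def ipv6_tags(addrs):
    """Indicators found in the IPv6 addresses of a decapsulated packet."""
    tags = []
    for a in addrs:
        if a in SIXTO4_PREFIX:
            tags.append("6to4-prefix")
        if a in TEREDO_PREFIX:
            tags.append("teredo-prefix")
        # ISATAP interface id: ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z (RFC 5214)
        w = a.exploded.split(":")
        if w[5] == "5efe" and w[4] in ("0000", "0200"):
            tags.append("isatap-iid")
    return tags


def classify(pkt):
    """Return the IPv6-tunnelling indicators found in one IPv4 packet."""
    proto, src, dst, payload = parse_ipv4(pkt)
    tags = []
    if proto in IPV6_PROTOCOLS:
        tags.append(f"proto-{proto}")
        if src in SIXTO4_RELAY or dst in SIXTO4_RELAY:
            tags.append("6to4-relay")
        inner = inner_ipv6(payload)
        if inner:
            tags += ipv6_tags(inner)
    elif proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if TEREDO_PORT in (sport, dport):
            tags.append("teredo-port")
            inner = inner_ipv6(data)      # Teredo bubbles won't parse, data packets will
            if inner:
                tags += ipv6_tags(inner)
        if dport == 53:
            name = dns_qname(data)
            if name and (name.startswith("isatap.") or name == TEREDO_SERVER):
                tags.append(f"dns:{name}")
    return list(dict.fromkeys(tags))      # drop duplicates, keep order


# --- constructed sample traffic (made up for the demo) ---------------------
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def ipv6(src, dst, payload=b"", next_header=59):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_query(name):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)


SAMPLES = {
    "6to4":   ipv4(41, "10.0.0.5", "192.88.99.1", ipv6("2002:a00:5::1", "2001:db8::1")),
    "isatap": ipv4(41, "10.0.0.5", "10.0.0.1",
                   ipv6("fe80::5efe:10.0.0.5", "fe80::5efe:10.0.0.1")),
    "teredo": ipv4(17, "10.0.0.5", "203.0.113.10",
                   udp(54321, TEREDO_PORT, ipv6("2001:0:cb00:710a::1", "2001:db8::1"))),
    "dns":    ipv4(17, "10.0.0.5", "10.0.0.53", udp(40000, 53, dns_query("isatap.example.com"))),
    "plain":  ipv4(6, "10.0.0.5", "198.51.100.7", b"\x00" * 20),
}


def scan(samples=SAMPLES):
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, tags in scan().items():
        print(f"{name:7s} {', '.join(tags) or '-'}")
```

Run it as a script to print one line per sample; on live traffic, hand classify() the IPv4 payload of each frame from whatever capture tool you use. Note what it cannot see: anything tunnelled over a port other than 3544, or over an allowed proxy, which is exactly the caveat of the paragraph above.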


In a quick search I found this at vendors on how to block IPv6:



Well, then it's off to you, our readers: feel free to comment on how you prevent IPv6, your experiences in getting out to the rest of IPv6 without a cooperating perimeter, etc.


Swa Frantzen -- Section 66
Amazon Web Services (AWS) has expanded its Elastic Beanstalk to include Node.js, in an effort to make it easier to deploy and manage application development on its cloud.
Expanding its stack of enterprise ready open source middleware, Red Hat has integrated key software from its acquisition of FuseSource last September.
WebKit Type Confusion CVE-2013-0912 Remote Code Execution Vulnerability
Microsoft is changing the default behaviour of Internet Explorer 10 on Windows 8 to allow all Flash content. On Windows RT, both the desktop and "Metro" versions of the browser will show most Flash content

GNU Coreutils 'uniq' Text Utility Buffer Overflow Vulnerability
An unauthenticated telnet port leads to a debug shell on a number of HP's LaserJet Pro printers – accessing it gives access to passwords and HTTPS settings for HP's ePrint service and could be used to deny service

Hewlett-Packard's purchase of Autonomy is under investigation by the U.K. Serious Fraud Office, the company said in a regulatory filing ahead of its annual meeting where there are expected to be challenges to the re-election of Chairman Ray Lane and two board members.
Microsoft will update the Internet Explorer 10 version built for its Windows 8 and Windows RT "modern" tile-based interface to run Flash content by default, reversing course on its original decision around this issue.
A Michigan developer last week started selling a $5 utility that lets Windows 8 customers shun the new Modern UI by running apps on the classic desktop.
Development tools in the cloud enable programming from anywhere, but they're not suited for all app dev needs
With the introduction of Windows 8, touchscreens are coming to the desktop -- but they're not cheap. We look at three of the latest monitors from Acer, Dell and ViewSonic.
Reporters Without Borders named five countries that regularly spy on journalists and dissidents, a practice the group contends is made possible with advanced technology from private companies.

TeleSign Honored With 2013 InfoSec Global Product Excellence Award for ...
Marketwire (press release)
TeleSign Honored With 2013 InfoSec Global Product Excellence Award for Fraud Prevention. Third Consecutive Win for the Security and Fraud-Prevention Company. LOS ANGELES, CA--(Marketwire - Mar 12, 2013) - TeleSign, an Internet security and ...

Anti-spam blacklist NJABL has shut down its database. Administrators running mail servers which continue to query the defunct database could run into problems once the hosting service removes the name server entries

Net-Server 'allow_deny()' Function Security Bypass Vulnerability
Disk Pool Manager Multiple SQL Injection Vulnerabilities
Piwik Unspecified Cross Site Scripting Vulnerability

Career Watch: Master's of infosec students don't wait for degree to get jobs
IT-related academic programs tend to be judged on how well getting a degree correlates with getting a job. On that basis, Indiana University's Master of Science in Security Informatics program is beyond successful. Many of its students get job offers ...

Multiple Honeywell Products 'HscRemoteDeploy.dll' Activex Remote Code Execution Vulnerability
389 Directory Server CVE-2013-0312 Remote Denial of Service Vulnerability



Posted by InfoSec News on Mar 11


By Tom Vanderbilt
March 11, 2013

On July 22, 1851, on a day when a visitor to London had any number of
amusements at his disposal—from M. Gompertz’s Giant Panorama (“including a new
diorama of intense interest”) at the Parthenium Rooms on St. Martin’s Lane, to
the “Real...

Posted by InfoSec News on Mar 11


By Gao Yuan
China Daily
March 12, 2013

China is one of the world's biggest victims of cyber attacks, and Chinese
companies should improve their Internet security systems and remain vigilant to
cyber threats, Internet security researchers said

At least 60 percent of the attacks targeting China's large companies,
government, and scientific research institutions come from overseas,...

Posted by InfoSec News on Mar 11


By Aliya Sternstein
March 11, 2013

The National Institute of Standards and Technology has started visiting
businesses to rally support for a nationwide cybersecurity program called for
by a February executive order.

The Feb. 12 mandate directed NIST, a Commerce Department agency, to develop
standard guidelines for protecting...

Posted by InfoSec News on Mar 11


By Kevin Fogarty
March 11, 2013

It may now be possible for anyone, even if they follow rigorous privacy and
anonymity practices, to be identified by DNA data from people they do not even

A paper published in January in the journal Science describes a process by
which it's possible to identify by name the donors of DNA samples, even without...

Posted by InfoSec News on Mar 11


By Ellen Messmer
Network World
March 11, 2013

Tripwire today said it had acquired nCircle for an undisclosed price, a deal
that will meld together two longtime rivals in the security and
vulnerability-management industry. Tripwire, which had been acquired by
investment firm Thoma Bravo two years ago, said it expects to continue making
more acquisitions to grow as a...

China calls for global hacking rules
The Canberra Times
Chinese Foreign Minister of China Yang Jiechi (L) leans over to talk with Chinese Premier Wen Jiabao (R) during a summit. Photo: LEE JAE-WON. Hackers breach Reserve Bank. SHANGHAI: China issued a new call on Saturday for international "rules and ...
