InfoSec News

Posted by InfoSec News on Mar 13


By Taylor Armerding
March 13, 2012

Last week's arrests of five LulzSec leaders was major news in the
hacktivist world, but it looks like that takedown may have been just an
intermediate step in pursuit of a more prominent fugitive: WikiLeaks
founder and editor-in-chief Julian Assange.

The first shock to the loose affiliation of political...

Posted by InfoSec News on Mar 13


By Dan Goodin
Ars Technica
March 13, 2012

Microsoft has plugged a critical hole in all supported versions of
Windows that allows attackers to hit high-value computers with
self-replicating attacks that install malicious code with no user
interaction required.

The vulnerability in the Remote Desktop Protocol is of particular...

Posted by InfoSec News on Mar 13


March 13, 2012

A 2009 data breach that has already cost BlueCross BlueShield of
Tennessee nearly $17 million got a little more expensive Tuesday.

The insurer today agreed to pay $1.5 million to the U.S. Department of
Health and Human Services (HHS) to settle Health Insurance Portability
and Accountability Act...

Posted by InfoSec News on Mar 13


By Kevin McCaney
March 12, 2012

A recent study by security company Trustwave found that the most common
computer passwords are still variations on the word “password.”

That news won’t make anyone spit out their morning coffee; the
prevalence of bad passwords is an established fact of life. But the
report does shed light on why bad passwords are...
BGHH, the Bangladeshi Grey Hat Hackers, have announced yet another hacked server, with all of the sites on it defaced. The defacement page is the same one we have been seeing for a couple of months now, relating to the border killings between India and Bangladesh.


Posted by InfoSec News on Mar 13


By Adam Clark Estes
The Atlantic Wire
March 13, 2012

A group of hackers calling themselves Th3 Consortium and claiming to be
affiliated with Anonymous and LulzSec broke into yet another porn site,
DigitalPlayground.com, the third it has hacked in as many weeks,
stealing 72,000 passwords and 40,000 credit card numbers. All three porn
sites Th3...
The attack was carried out by xDev from @b4lc4nh4c. The Nasheed Bank isn't a normal bank; it is an information bank and download site.

THA, The Hackers Army, have hacked and defaced 300 websites. The defacement features the message below and gives credit to other THA hackers as well.

Soon FourSquare won't be the only cool kid on the location-based apps block: A new wave of startups, including Highlight, Zaarly, TaskRabbit and Localmind, are generating buzz at South by Southwest by drawing on smartphone location data to deliver a range of social, commercial and informational experiences.
After 244 years, the Encyclopaedia Britannica will cease publishing its flagship encyclopedia and concentrate on its digital offerings.
libpng 'png_inflate()' Function Heap Based Buffer Overflow Vulnerability
Vulnerability experts call the Microsoft Remote Desktop Protocol flaws dangerous and say they should be quickly addressed by patching admins.

Dell's security portfolio expands with the purchase of unified threat management and next-generation firewall vendor SonicWall from a private equity firm.

FriBidi Python binding (pyfribidi) Buffer Overflow Vulnerability
AContact - Advanced Contact for Android Unspecified Security Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
More than three out of four medical residents at the University of Chicago said tablets allowed them to complete tasks quicker and spend more time on direct patient care.
With an aggressive new CEO at Yahoo's helm and Facebook looking ahead at its initial public offering, Yahoo's patent lawsuit may have Facebook in an awkward position.
Oracle's intellectual property lawsuit against Google over the Android mobile OS will go to trial on April 16, according to a judge's order filed Tuesday in U.S. District Court for the Northern District of California.
New survey results from IT security community Wisegate finds no consistent plan in place across enterprises for allowing and securing user-owned devices.
The Hollywood consortium Ultraviolet is teaming up with Walmart to convert customers' DVD and Blu-ray movies into digital copies through the streaming service Vudu. Just be prepared to pay a steep price for the privilege if you've got a big movie collection.
The Office of U.S. Trade Representative, along with officials in the European Union and Japan, have filed a trade complaint against China over what they're calling unfair export restraints on rare earths and other elements used in the manufacturing of mobile phones, laptops and MP3 players.
Microsoft's March 2012 Black Tuesday announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft's implementation of RDP. This vulnerability (CVE-2012-0002) could allow a remote, unauthenticated attacker to execute arbitrary code on the affected system. Microsoft rated this issue Critical and we assigned it our highest severity label, PATCH NOW, for servers. Here's why:

The CVE-2012-0002 vulnerability applies to most flavors of Microsoft Windows.
It can be exploited over the network.
Companies often make RDP accessible on the standard TCP port 3389 from the Internet for remote access to servers and sometimes workstations.

These factors make it very attractive for attackers to reverse-engineer the MS12-020 patch, understand the details of the bug and craft an exploit. This will likely happen in less than 30 days. The universal applicability of such an exploit, and the fact that it can be launched over the Internet as well as internal networks, could motivate the creation of auto-propagating worms that capture systems quickly and efficiently.
For these reasons, we recommend applying the MS12-020 patch as quickly as practical in your environment. Until you install the patch, consider moving your RDP listeners to non-standard ports; this reduces exposure to opportunistic scans for TCP 3389 but does not remove the vulnerability. You should also explore the applicability of Microsoft's advice to enable Remote Desktop's Network Level Authentication (NLA). NLA is a mitigation rather than a fix: on systems with NLA enabled, the vulnerable code is still present and could still be exploited for code execution, but NLA requires an attacker to first authenticate to the server before reaching it.

Lenny Zeltser


@lennyzeltser
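The NLA advice above raises an obvious operational question: which of your RDP listeners actually enforce it? The script below, added here as an example and not code from the ISC diary or from Microsoft, checks from the network side. It speaks the X.224 Connection Request / Connection Confirm exchange that precedes every RDP session (the RDP_NEG_REQ, RDP_NEG_RSP and RDP_NEG_FAILURE structures documented in Microsoft's MS-RDPBCGR specification), asking for TLS without CredSSP: a host that requires NLA refuses with the HYBRID_REQUIRED_BY_SERVER failure code, while a host that does not require it answers with RDP_NEG_RSP and would go on to the pre-authentication protocol stages that an unauthenticated peer can reach. The port argument lets you check listeners you have moved off 3389. Function names, the returned dictionary keys and the verdict strings are my own; nothing else is assumed beyond the protocol constants.

```python
"""Probe an RDP listener's X.224 security negotiation to learn whether the
server enforces Network Level Authentication (NLA, i.e. CredSSP over TLS).

Builder and parser are separated from the socket code so they can be run
against captured or hand-built byte strings.  Stdlib only."""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP over TLS == NLA

# failureCode values carried in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
HYBRID_REQUIRED_BY_SERVER = 5

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request TPDU carrying an RDP_NEG_REQ.

    No 'Cookie: mstshash=' routing token is sent: the probe only cares
    which security protocol the server is willing to negotiate."""
    # RDP_NEG_REQ: type 0x01, flags, length 8, requestedProtocols (little endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: length indicator, CR code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big endian)
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into a verdict dict.

    'nla_required' is True, False or None (undetermined)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    if (data[5] & 0xF0) != 0xD0:  # X.224 CC TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # Pre-negotiation server: only standard RDP security exists, so
        # there is no NLA to enforce.
        return {"nla_required": False, "selected_protocol": PROTOCOL_RDP,
                "verdict": "legacy server, no security negotiation"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad RDP negotiation structure length")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN")
        nla = True if value == HYBRID_REQUIRED_BY_SERVER else None
        return {"nla_required": nla, "failure_code": value,
                "failure_name": name,
                "verdict": ("NLA enforced" if nla
                            else "negotiation refused: " + name)}
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"nla_required": False, "selected_protocol": value,
                "verdict": "server accepts pre-authentication session setup"}
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def probe_nla(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask for TLS only (no CredSSP).  A server that requires NLA answers
    RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; one that does not hands
    back RDP_NEG_RSP, so an unauthenticated peer gets a full session."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_connection_request(PROTOCOL_SSL))
        data = s.recv(64)
    return parse_connection_confirm(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    print(probe_nla(target, target_port))
```

Run it as `python rdp_nla_probe.py host [port]`. A verdict of "server accepts pre-authentication session setup" means the host exposes the unauthenticated RDP protocol path that the diary warns about, and should be patched or moved behind NLA first; "NLA enforced" means an attacker needs valid credentials before the vulnerable code can be reached.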
Some observers see the LulzSec bust as an "intermediate step" in the pursuit of a more prominent fugitive: WikiLeaks founder and editor-in-chief Julian Assange.
Microsoft today released six security updates that patched seven vulnerabilities, including a critical Windows bug that hackers will certainly try to exploit with a network worm, according to researchers.
The Vatican has confirmed that its website suffered a second hacker attack in the space of six days but declined to comment on the event.
Cynthia McKenzie, senior vice president, IT, Enterprise Application Services, at Fox Entertainment, talks about the company's SaaS projects and its BYOD policies.
Google, in a coup, has hired Regina Dugan, director of the Defense Advanced Research Projects Agency, for a senior executive position.
RETIRED: Microsoft March 2012 Advance Notification Multiple Vulnerabilities
Microsoft Remote Desktop Protocol CVE-2012-0002 Remote Code Execution Vulnerability
GNU Gnash 'GnashImage::size()' Integer Overflow Vulnerability
After several years of sluggish sales, the semiconductor industry is on the verge of a rebound, according to market research firm Gartner.
Mozilla on Monday announced it was postponing the release of Firefox 11, but changed its mind today, saying that the browser upgrade would go out on schedule.
For Twitter, making sense of its mountains of user data was big enough of a problem that it purchased another company just to help get the job done.
Cloud computing offers a value proposition that can be both appealing and unsettling to the CFO. However, CIO.com columnist Bernard Golden explains why freeing up capital investment should more than make up for the uncertainty of variable monthly pricing.
A new downtown Wi-Fi network being built in San Jose, Calif., could indicate a resurgence, based on new approaches, to the ill-fated and brief "muni Wi-Fi" fad of the past decade. The network is scheduled to go live this summer.
Depending on which survey or story you read, the cloud can be either a good thing for IT workers and their job security, or it can be terrifying.
Tim Theriault, senior vice president and CIO at Walgreen Co. outlined the Walgreens 2.0 project, four different IT initiatives that helped upgrade legacy systems at the company.
PBLang 'u' Parameter Local File Include Vulnerability
Overview of the March 2012 Microsoft patches and their status.

Title | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*)
Vulnerability in DNS Server Could Allow Denial of Service | DNS Server | KB 2647170 | - | Exploitability: Likely | -
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Kernel-Mode Drivers | KB 2641653 | - | Exploitability: Difficult | -
Vulnerability in DirectWrite Could Allow Denial of Service | - | KB 2665364 | - | Exploitability: Unknown | Less Urgent
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (MS12-020, CVE-2012-0002) | Remote Desktop | KB 2671387 | - | Exploitability: Likely | PATCH NOW (servers)
Vulnerability in Visual Studio Could Allow Elevation of Privilege | Visual Studio | KB 2651019 | - | Exploitability: Likely | -
Vulnerability in Expression Design Could Allow Remote Code Execution | Expression Design | KB 2651018 | - | Exploitability: Likely | -

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are in place are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Where Microsoft assigns several exploitability ratings to one patch, we show the worst of them.


Lenny Zeltser


@lennyzeltser
A new free app, Apple Configurator, allows businesses to deploy, manage, and configure more than one iOS device. It's not MDM, but it's a step in the right direction.

Microsoft is investigating reports that about a dozen models of Skype-certified phones are having trouble logging into the IM, VoIP and video-conferencing service.
IT executives understand the value of cloud services and videoconferencing tools, but one of the chief concerns remains the strain those services put on network bandwidth, according to a study released today.
The Apple iPad is expected to dominate the worldwide demand for NAND flash in media tablets at least through the year 2015.
SAP on Tuesday further expanded the reach of its HANA in-memory database, announcing that HANA now supports the 10.0 version of its BusinessObjects financial planning and consolidation application running on NetWeaver.
Adobe ColdFusion Hash Collision Denial Of Service Vulnerability
GE Proficy Plant Applications Suite Remote Memory Corruption Vulnerabilities
BroadVision's Clearvale enterprise social networking software now lets companies create networks in an ad hoc manner in which a mix of employees, partners and customers can participate.
Cybercriminals are impersonating victims in order to obtain replacement SIM cards from their mobile carriers, which they then use to defeat phone-based Internet banking protections, security vendor Trusteer said in a blog post.
Sony Mobile Communications announced the Android-based Xperia sola, which allows users to interact with the phone without touching the screen, on Tuesday.
HP Data Protector Express Multiple Unspecified Remote Code Execution Vulnerabilities
PrivaWall Antivirus Office XML Format Evasion/Bypass Vulnerability
Announcing Hackademic CFP
ESA-2012-012: EMC Documentum eRoom Multiple Vulnerabilities
Yealink VOIP Phone Persistent Cross Site Scripting Vulnerability [CVE-2012-1417]
[security bulletin] HPSBMU02746 SSRT100781 rev.1 - HP Data Protector Express, Remote Denial of Service (DoS), Execution of Arbitrary Code
In the past week the Sun shed powerful waves of solar plasma and charged particles. It's just a matter of time before one of these storms knocks out portions of our critical infrastructure, experts say.
Ukraine's would-be major crackdown on cybercrime is increasingly looking like a bust. The result is the country becoming a haven for hackers, in the view of analysts, including some Ukraine security officials.
Want to kick your PC performance up a few notches? A good liquid cooling system moves heat from the CPU more efficiently than air cooling and can run substantially more quietly. Many PC performance enthusiasts have used liquid cooling for years, and it's easy to see why liquid cooling is a popular performance upgrade.

A recurring theme I hear at conferences is that security teams can’t fight the inevitable shift to cloud computing, and instead need to figure out ways to adapt. This message was echoed at RSA Conference 2012, where a panel of CISOs urged the industry to get ahead of the cloud trend and ensure cloud services are adopted securely.

With its potential to slash IT costs, cloud computing is driving fundamental change in organizations, said Jerry Archer, senior vice president and CISO at Sallie Mae. “Everyone in this room will be impacted by it,” he told attendees.

That got me thinking: How will information security roles change as cloud computing becomes more prevalent in the enterprise? Do security pros need to worry about looking for other lines of work as security responsibilities shift to public clouds?

Industry experts I talked to see security pros continuing to play an important role as cloud adoption accelerates. After the RSA panel, Archer told me that security pros may need to acquire additional knowledge, for example in the area of contracts and law. But security is necessary and those with security expertise become “the gatekeepers” in this new IT environment, he said.

Cloud Security Alliance Executive Director Jim Reavis said security roles will change depending on the organization – whether it’s a cloud provider or cloud consumer. Providers will need to be able to provide the whole stack of security expertise and technologies while consumers will be looking to leverage higher layers of the cloud stack – SaaS and PaaS. For security pros working at organizations that are cloud consumers, this will mean a shift away from operational skills to application skills and closer work with business units, he said.

“I don’t think IT teams or security teams will disappear because of cloud,” Reavis said. “If you’ve got security expertise, you’ll be well employed for many years to come.”

Randall Gamby, information security officer for the Medicaid Information Service Center of New York (MISCNY), told me he sees security’s role falling in the vendor management space when it comes to cloud. Security professionals need to help organizations ask the right legal and technical questions of a cloud provider to ensure their data is protected.

“Being able to set up criteria to judge a cloud vendor and understand not only the services it offers, but the risks it may pose is important,” he said.

How do you think information security roles will change as cloud services become more prevalent? Leave me a comment below.

SecuVOICE is aimed primarily at the mobile market, but also supports enterprise phone systems
A laptop's portability makes it convenient--and an easy target for thieves.
Ericsson has made an offer to acquire the Broadcast Services Division of Technicolor, as it looks to make further inroads into the broadcast market, the company said on Tuesday.
Samsung Electronics has started upgrading its Galaxy S II smartphone to Android 4.0 or Ice Cream Sandwich, the company said on Tuesday.
Upon assuming his role as White House CIO, Brook Colangelo and his staff put in 80 hour weeks, "if not more." And in his first 40 days on the job, the White House email system was down 23% of the time.
Oracle has updated the kernel of its Linux distribution to take advantage of the latest Linux advances, the company announced Tuesday.
Intel is supporting the development and promotion of a new local languages interface designed to help Indians access the Internet without having to discover and type in the URLs (uniform resource locators) of various websites.
Apple yesterday updated Safari to version 5.1.4, patching 83 vulnerabilities and boosting JavaScript performance on OS X Lion.
Twitter has acquired blogging company Posterous, and said its engineers, product managers and others will join Twitter teams working on several key initiatives.
The National Geographic Society is in the process of uploading its backup and archive to a public cloud service.
We pit Google's Blogger against WordPress to see which service is easier, more feature-filled and better for users who need a simple hosted blog.
Introducing new consumer devices and apps, showing how they work, and getting feedback on them, is leading to the creation of IT 'petting zoos' in a variety of organizations.
The consumerization of IT trend is causing chaos and confusion in IT operations grappling with the demand that they support the latest iPad, iPhone or Android device.
Although Siri, Apple's voice-controlled personal assistant, isn't included on the new iPad, that's not a bad thing, says columnist Michael deAgonia. The technology still needs to mature before being rolled out to millions of more users.

Posted by InfoSec News on Mar 13


By Iain Thomson in San Francisco
The Register
12th March 2012

The boss of the recently shut-down Megaupload file-sharing site claims
that his records show plenty of US government users, including members
of the Senate and the Department of Justice.

"Guess what -- we found a large number of Mega accounts from US
Government officials including the Department of Justice...

Posted by InfoSec News on Mar 13


By Tracy Kitten
Bank Info Security
March 12, 2012

What emerging security challenges will new mobile devices and platforms
pose for banks and credit unions? Brian Pearce and Amy Johnson shed
light on Wells Fargo's approach to unique retail and commercial risks.

Johnson, who heads up strategy and execution for CEO Mobile, Wells
Fargo's mobile service for commercial and...

Posted by InfoSec News on Mar 13


By Jeremy Kirk
March 11, 2012

A 27-year-old man pleaded guilty on Saturday in a British court to
hacking the website of a reproductive health services agency, obtaining
the details of people who had registered on the website.

James Jeffery, of Wednesbury in the West Midlands, pleaded guilty to two...

Posted by InfoSec News on Mar 13


By Mathew J. Schwartz
March 12, 2012

The top military commander in NATO has been targeted by attackers
wielding fake Facebook pages.

Attackers have been creating Facebook pages under the name of Admiral
James Stavridis, NATO's Supreme Allied Commander Europe (SACEUR), in an
attempt to lure his colleagues, friends, and family into connecting with

Posted by InfoSec News on Mar 13


By Dara Kerr
March 12, 2012

During the court case for Jeremy Hammond--the Antisec hacker busted for
stealing data in the Stratfor breach--the FBI says charges made with
stolen credit card information equals $700,000.

When the Antisec branch of Anonymous hacked into security think tank
Strategic Forecasting, or Stratfor, at...