InfoSec News

The U.S. Federal Communications Commission wants to drop the conditional waiver that could have allowed LightSquared to operate an LTE network in frequencies near the GPS band, potentially killing the carrier's plan to offer a hybrid satellite and cellular mobile data network.
Flaws in Internet Explorer and the Windows C Runtime library could be used to gain access to system files and download additional malware onto a victim?s machine.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Activist Yahoo shareholder Daniel Loeb has rejected the slate of board candidates put forth by the company's newly minted CEO, serving notice of his intention to lobby for his own candidates instead.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Hewlett-Packard and Intel are rethinking processor upgrades in servers, coming up with a new chip-slotting technique that could reduce the chance of errors, and ultimately prevent system failure.
It would seem that anonymous is soon to release another dump of information from the American military that will no doubt stir up some troubles. So far they have released 2 documents and the others are not far away. The leaks have been announced from the @anonymousIRC twitter account and come in the form of pdf files.

A hacker who use's the handle @FailRooT has said to of been arrested and had computers seized as part of a investigation into the hacking by the team they ran called @MetalSoftTeam. Metal Soft Team has been around for some time now and have made a name for themselves as defacers, hacking sites and leaving them with new pages or modifications to current pages.

Now its a worry that such websites are hackable with such minor hacks and shows that the governments are clearly not thinking about security the way they should be.

Hackers using the handle L0NGwave99 have claimed to taken down the www.nasdaq.com website whcih is now showing a time out error.


In my company, we began experiencing a problem when the users tried to access http://www.google.com.co though our Forefront TMG proxy. Every corporate user saw the following message:

This really looked strange, specially coming from google. I captured some packets and queried about the http get operations and got the following:

Got three operations: one from the main query, second one retrieving a javascript file and a third one unknown. First one looked normal as always, so I started analyzing second one. The MD5 for the javascript file is 886e4780fc0af43a19eb4dcd55b728d7. I looked up the resulting MD5 and got nothing. I uploaded the script to jsunpack and got nothing:

Also tried VirusTotal to scan the URL (http://www.google.com.co) and also got nothing:

I started analysis for http get number three. Wireshark shows some compressed content, so I took it from the capture and decompressed:

The compressed file has md5 1375a0f59d52d862a1297df7566c6894, the uncompressed file has md5 c4c490a2a55a16492c068ec50827958b and when loaded starts a download from http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js. I analyzed that javascript and wepawet and jsunpack shows nothing abnormal.

This problem has been confirmed in Microsoft website. I will update the diary when I have more information about it.

UPDATE: As of 20:11 GMT-5 Feb 14 2012, we received confirmation from Microsoft stating that this problem is a false positive and will be corrected in the update 1.119.1986.0 or higher for the antivirus.

Manuel Humberto Santander Pelez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander


e-mail:msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
With official OKs from the U.S. Department of Justice and the European Commission on Monday, Google moved closer to finalizing its deal to acquire Motorola Mobility.
Apple will unveil the next iPad on March 7, according to reports, and it will be the first Apple product to support the faster LTE data networks now available in the U.S. from Verizon and AT&T.
Mobile data globally is expected to grow 18-fold by 2016, Cisco said in the update to its Visual Networking Index.
Hewlett-Packard has released the industry's first all-in-one workstation, the Z1, which the company said Tuesday is the most compact workstation available yet.
Hewlett-Packard will open a lab in the second quarter where select customers will be able to play around with its first low-power server based on an ARM processor, a company executive said this week.
With the widespread adoption of smartphones and the use of mobile tactics in U.S. presidential campaigns, could there come a day when Americans might vote wirelessly?
Hewlett-Packard's Vertica subsidiary has updated its real-time analytics software, giving it a graphical user interface and connectivity to big-data-styled analysis systems.
Microsoft today issued nine security updates that patched 21 vulnerabilities in Windows, IE, Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.
A bill in the U.S. Senate would require operators of so-called critical infrastructure networks to adopt cybersecurity practices if evaluations by the U.S. Department of Homeland Security find their security lacking.
SunPower Corp., which makes solar panels, has sued five former employees for stealing proprietary information and using it to benefit a rival firm.
Centrify mobile security supports Apple iOS and Google Android devices and can connect them to Microsoft Active Directory, but it lacks the robust management features found in major MDM suites, analyst says.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
RETIRED: Oracle Java SE Critical Patch Update February 2012 Advance Notification
Oracle Virtual Desktop Infrastructure (VDI) CVE-2011-3571 Remote Vulnerability
Survey of more than 2,000 IT security pros finds many getting raises and promotions despite lagging economy and tighter IT budgets.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Microsoft Windows 'Msvcrt.dll' Remote Buffer Overflow Vulnerability

Credit Union Times

Hidden Security Threats of Kiosks: Online Only
Credit Union Times
A frightening reality, said Jack Koziol, a director at InfoSec Institute, is that many, many kiosks remain vulnerable to attack via built-in USB ports, the route that undid the TJX kiosks. But it could be much uglier still at a financial institution.

Windows Server 2008 Color Control Panel DLL Loading Arbitrary Code Execution Vulnerability
Microsoft Windows Indeo Filter 'iacenc.dll' DLL Loading Arbitrary Code Execution Vulnerability
Overview of the February 2012 Microsoft patches and their status.

Contra Indications - KB
Known Exploits
Microsoft rating(**)
ISC rating(*)


Code Execution Vulnerabilities in Windows Kernel-Mode Drivers

(Replaces MS11-087)



KB 2660465
disclosed vuln.

Exploitability: Likely

Elevation of privilege vulnerabilities in ancillary function driver

(Replaces MS11-046, MS11-080)

Ancillary Function Driver


KB 2645640

Exploitability: Likely

Cumulative Patch for Internet Explorer

(Replaces MS11-099)

Internet Explorer




KB 2647516

Exploitability: Likely

Sharepoint Elevation of Privileges Vulnerabilities




KB 2663841

Exploitability: -

Remote code execution vulnerability in color control panel

Color Control Panel

KB 2643719

Exploitability: Likely

Vulnerability in C Run-Time Library Could Allow Remote Code Execution

C Run Time Library

KB 2654428

Exploitability: Likely

Vulnerability in Indeo Codec Could Allow Remote Code Execution

Indeo Audio Codec

KB 2661637

Exploitability: Likely

Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

(Replaces MS11-089)

Microsoft Office Suites and Software





KB 2663510

Exploitability: Likely

Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution

(Replaces MS11-069)

.NET Framework


KB 2651026

Exploitability: Likely

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The FBI said its proposed plans to monitor social media sites to improve real-time situation awareness will be fully vetted by the agency's Privacy and Civil Liberties Unit.
Mozilla plans to ask all certificate authorities to review their subordinate CA certificates and revoke those that could be used by companies to inspect SSL-encrypted traffic for domain names they don't control.
Apache APR Hash Collision Denial Of Service Vulnerability
Intel on Tuesday introduced the Crystal Forest chipset, which the company hopes will fill a networking gap as it tries to build an integrated technology stack for data centers.

Infosec pros maintain job stability
Help Net Security
The information security profession offers not only stability but upward mobility, according to the 2012 Career Impact Survey released today by (ISC)2. Only seven percent of information security professionals were unemployed at any point during 2011, ...

and more »
Alcatel-Lucent is integrating Wi-Fi with mobile networks with its lightRadio architecture, allowing users to move seamlessly between the two networks and authenticate using the SIM card, the company said on Tuesday.
Well it would appear that a hacker using the handle Exotz has done one one anonyops.com an anonymous news related websites/blog that has strong affilation with the anonymous movement.

[ MDVSA-2012:019 ] apr
Adobe released two security bulletins for today's patch tuesday kickoff:
APSB12-02 [1]: Security update for Adobe Shockwave Player
This patch fixes a total of 9 vulnerabilities that affect Shockwave Player and earlier on Windows and OS X. After the update is applied, you should be at version Adobe rates these vulnerabilities critical as some of them allow the execution of arbitrary code.

APSB12-04 [2]: Security update for RoboHelp for Word
RoboHelp is not as commonly installed as other Adobe products. This patch fixes one vulnerability that is considered important. The vulnerability introduces a cross site scripting flaw in output generated by RoboHelp. I am not that familiar with the product, but even though Adobe doesn't specify it, it sounds like it may be necessary to re-create RoboHelp output after the update is applied to avoid the XSS issue in content generated with older versions.



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Obama Budget Promises Stronger Infosec
The budget also would fund DoD cybersecurity pilots in partnership with DHS to determine how best to protect private-sector operated critical information infrastructures. Obama Budget Promises Stronger Infosec.


TheHostingNews.com (press release)

DDoS Report Highlights Need for Education
TheHostingNews.com (press release)
To register free – or to find more information on Infosecurity Europe 2012 – please go to www.infosec.co.uk– we look forward to you joining us for what promises to be an informative and educational show! Infosecurity Europe, celebrating 17 years at the ...


SANS Institute to Host Inaugural Mobile Device Security Summit
MarketWatch (press release)
6, 2012 /PRNewswire via COMTEX/ -- Top Mobile Security Experts Come Together to Address Some of the Toughest Mobile Security Issues including BYOD, Hacking, Mobile Vulnerabilities and Exploits To help InfoSec professionals better prepare for and fend ...

and more »
The target http://osm.opdc.go.th/main.php was still defaced at time of publish and features some funny stuff like they have set them selfs as "Hax.r00t is now president of .th Saadi is now Prime Minister ".


Trail of Bits: An alliance of #infosec heavyweights
CSO (blog)
A new information security operation is up and running, led by some very notable industry stars. The company is called Trail of Bits, and is comprised of CEO Dan Guido, CTO Dino Dai Zovi, and Chief Scientist Alexander Sotirov.

Cryptome.org, a website dedicated to disclosing confidential information, was compromised last week and then used to infect PCs running Internet Explorer.
Sony is developing electric wall sockets and plugs that can control power consumption by appliance, user or original power source.
WordPress Relocate Upload Plugin 'abspath' Parameter Remote File Include Vulnerability
Cyberoam Central Console 'file' Parameter Local File Include Vulnerability
phpLDAPadmin 'base' Parameter Cross Site Scripting Vulnerability
Nokia Siemens Networks is offering carriers new ways to view information about their own performance and translate it into action that may improve subscribers' experiences -- or change their rates.
In a move to expand its IT automation software to take on development management as well, UC4 Software has purchased Austrian software company Ventum and integrated the company's technologies into its own software package, UC4 announced Tuesday. Terms of the deal were not disclosed.
Microsoft's disclosure that it will 'include' four Office apps with Windows on ARM has analysts parsing the news like spies who once tried to figure out what went on inside the Kremlin.
Hadoop is all the rage, but it requires expertise that's beyond the ken of many IT shops, customers say.
In a move that's unlikely to sit well with privacy advocates, the FBI has begun scouting for a tool that will allow it to gather and mine data from social networks like Facebook, Twitter and blogs.
The idea of a company having a chief mobility officer isn't a new one. But as organizations scramble to establish mobile strategies, having a CMO could be a key to success, according to Forrester Research.
The leak comes from the hacker claiming to be 0xOmar who has the pastebin account username 0XO. The leaked data has come from 2 different sites which have been hacked and they are www.moch.gov.il & www.tarbut-hadiur.gov.il.

Hewlett-Packard will be showing new smartphone and tablet applications for Apple's iOS and Google's Android that will allow system administrators to remotely control and configure servers, the company said on Monday.
More than 30 offices across China of a commerce regulatory body are investigating Apple's sales of the iPad in the country, according to the lawyer for the little-known Chinese company that has accused Apple of trademark infringement.

Posted by InfoSec News on Feb 14


By Aliya Sternstein

The Homeland Security Department nearly doubled its 2013 funding request
for cybersecurity in an otherwise slimmed-down budget.

There is bipartisan support for improving computer network defenses, so
the outlook may be positive for obtaining much of the proposed $769
million from Congress. The funding would go toward the National Cyber

Posted by InfoSec News on Feb 14


By Lucian Constantin
IDG News Service
February 13, 2012

Valve has informed users of its Steam online game distribution platform
that hackers have probably downloaded encrypted credit card transaction
data from a backup database during an intrusion last year.

In November 2011, Valve announced that hackers gained unauthorized
access to...

Posted by InfoSec News on Feb 14


By Mathew J. Schwartz
February 13, 2012

An Anonymous-related Twitter channel claimed Friday that the group had
successfully taken down the CIA's public-facing website.

The CIA website reportedly remained inaccessible several hours after the
attack, then appeared to be offline intermittently for the rest of the
weekend, as well as on Monday, in the face of...

Posted by InfoSec News on Feb 14


By Taylor Armerding
CSO Online
February 13, 2012

It was supposed to be a confidential conference call last week that
included two of the top law enforcement agencies in the world -- the FBI
and Scotland Yard -- and possibly officials from France, Germany,
Ireland, the Netherlands and Sweden.

The agenda was a private discussion of the ongoing...

Posted by InfoSec News on Feb 14


Associated Press
February 13, 2012

TEHRAN, Iran -- A senior Iranian military official said Monday that
Tehran’s nuclear and other industrial facilities suffer periodic cyber
attacks, but that the country has the technology to protect itself from
Electronics Giant Philip has become victim to hackers after they defaced a subdomain and leaked a heap fo data on to privatepaste. The hack which has been claimed by hackers usig the handle's Bch195 and HaxOr was discovered on pastebin in the following release message.

Combined Systems a U.S.-based firm that supports military forces and law enforcement agencies around the world has become the latest victim to anonymous hackers who have left the website in a very bad state.

Internet Storm Center Infocon Status