Hackin9
Hoping to lure more Apache Hadoop users to its own data analysis services, Google has outfitted BigQuery with the ability to query multiple data tables.
 
The majority of email and Web gateways, firewalls, remote access servers, UTM (unified threat management) systems and other security appliances have serious vulnerabilities, according to a security researcher who analyzed products from multiple vendors.
 

I'd like to continue the discussion on stealthy malware persistence techniques that I began Wednesday and provide two more techniques. The goal is to show that there are many unusual and often overlooked ways to cause processes to execute. This will provide incident responders with ammunition to take what they already know is the right course of action after a malware infection or compromise by an attacker: wipe the drive. So let's talk about techniques #3 and #4. If you missed the first two methods for malware persistence, you can read about those here:

http://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394

TECHNIQUE #3 - Program.exe

When Jake and I were preparing for the Shmoocon talk that we gave on this subject, I suggested we include this technique in our presentation. Jake disagreed because this thing has been around since the year 2000, and I quickly relented and agreed with him. At the time we both thought that this technique is pretty lame and that we shouldn't have to worry about a THIRTEEN YEAR OLD vulnerability. Instead I decided to do a post on the ISC to talk about the technique and see what response we got. The response from you, our awesome supporters, was incredible. ISC readers documented several dozen of these attacks in critical systems common to most corporate desktop images. You made Jake a believer (he had a vulnerable OEM application you found on his laptop). The response was such that I am now convinced that an attacker can use this technique and have a great deal of confidence that his malware will be launched. As a matter of fact, it will probably be launched by something that has system permissions. I won't repeat the full details of the technique here since I already covered it on the ISC. You can check out this article if you missed it:

http://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

This is the scenario. Malware or an attacker is on your machine. He has administrative or Power User access. The attacker drops a file called program.exe on the root of your C drive. program.exe is a small application that reads the command line parameters that were used to call it. It launches the real program you had intended to call and then executes its malicious payload. Simple but effective.

Detection:

Look at directory structures on your operating system. Do directory names have spaces in them? If so, look for an executable in that directory's parent that shares the name of the directory up until the space. For example:

Look for c:\program.exe if you have c:\Program Files\

Look for c:\Documents.exe if you have c:\Documents and Settings\

Look for C:\Users\username\Local.exe if you have c:\Users\username\Local Settings

And so on.
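The detection rule above, generalized to nested directories, as an added Python example that is not part of the original diary: for a legitimate executable path, every prefix that ends just before a space (plus ".exe") is a lookalike an unquoted command line would resolve first, so those are the files to check. The sample paths and the "planted" file are constructed for the demo.

```python
"""Enumerate the program.exe-style lookalikes that could shadow a real path.

Added example, not code from the original ISC diary. For a path such as
C:\\Program Files\\Vendor App\\svc.exe the lookalikes are C:\\Program.exe
and C:\\Program Files\\Vendor.exe: one per space, tried in that order.
"""
import os
from typing import Callable, Dict, Iterable, List


def hijack_candidates(exe_path: str) -> List[str]:
    """Return the lookalike executables to check, in the order Windows tries them.

    Every space in the path is a truncation point; the text before it with
    ".exe" appended is what an unquoted command line resolves first.
    """
    candidates = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            candidates.append(exe_path[:i] + ".exe")
    return candidates


def find_planted(
    exe_paths: Iterable[str],
    exists: Callable[[str], bool] = os.path.isfile,
) -> Dict[str, List[str]]:
    """Map each lookalike that exists on disk to the real paths it would shadow.

    Keys are lower-cased because Windows file names are case-insensitive.
    `exists` is injectable so the check can run against a constructed file
    list offline; by default it asks the real file system.
    """
    hits: Dict[str, List[str]] = {}
    for path in exe_paths:
        for cand in hijack_candidates(path):
            if exists(cand):
                hits.setdefault(cand.lower(), []).append(path)
    return hits


# Constructed sample: service-style binary paths with spaces in them.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor App\svc.exe",
    r"C:\Program Files (x86)\Other Tool\agent.exe",
    r"C:\Documents and Settings\All Users\Start Menu\run.exe",
    r"C:\Users\username\Local Settings\tool.exe",
]

# Constructed: pretend only C:\program.exe has been dropped on the box.
PLANTED = {r"c:\program.exe"}


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed sample instead of the live disk."""
    return find_planted(SAMPLE_PATHS, exists=lambda p: p.lower() in PLANTED)


if __name__ == "__main__":
    for lookalike, shadowed in demo().items():
        print(f"{lookalike} would run instead of: {', '.join(shadowed)}")
```

Drop the `exists=` argument to check the real file system, feeding it paths harvested from, for example, `sc qc` BINARY_PATH_NAME values.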



Technique #4 - Service Failure Recovery Startups

You can configure Windows services with an automatic recovery action. The defined action will be taken when the service crashes unexpectedly. You can see these on the recovery tab for a service using services.msc. Here you see this service first tries to restart the service, then it will .... ummm... what's that?? .. RUN A PROGRAM. Hmm.



You can also check this information with the SC QFAILURE servicename command like this:



Notice that this service is set to execute commands that create a new administrative backdoor if the service fails. So the question becomes: how does the attacker cause the service to fail? Well, how about a DoS? MS12-020 is a DoS that will cause the RDP terminal service to crash. Many organizations still have not patched this and have RDP services exposed to the internet. DoS patches are Low priority and important, but they are never critical. After all, it's just a DoS. But malware on your machine can stage an action and turn that DoS into future command execution. Alternatively, the attacker could have the primary malware replace files or reconfigure the system so that a legitimate service becomes dependent upon the primary malware. For example, the attacker may inject a copy of his code into a DLL that the service depends upon. Then, when the victim updates their AV and scans the host to remove the primary malware, they inadvertently break the service. Sometime later, when the service must restart, it triggers the secondary malware.

Detection:

Check all the COMMAND_LINE options on your services to see what commands are set to fire when a service fails. This little for loop will show you that information for all your services.

for /F "tokens=1,2 delims=: " %x in ('sc query ^| find "SERVICE_NAME"') do @echo %y & @sc qfailure %y | findstr /i command_line
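The same check as the for loop above, as an added Python example rather than code from the original diary: it parses the text that `sc qfailure` prints for one service and flags any service whose recovery configuration both sets a COMMAND_LINE and includes a RUN PROCESS action, which is exactly the latent execution described in the text. The sample output is constructed and the command line in it is a placeholder, not a real indicator.

```python
"""Parse `sc qfailure <service>` output and flag failure actions that run a program.

Added example, not from the original ISC diary. Feed it real output with
subprocess.run(["sc", "qfailure", name], capture_output=True, text=True).stdout
for each name from `sc query`; the constructed sample below runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class FailureConfig:
    service: str
    reset_period: Optional[int] = None   # seconds, None if absent or INFINITE
    command_line: str = ""               # program launched by RUN PROCESS
    actions: List[str] = field(default_factory=list)

    @property
    def runs_program(self) -> bool:
        """True when a RUN PROCESS action exists and a command line is set."""
        return bool(self.command_line) and any(
            a.upper().startswith("RUN PROCESS") for a in self.actions
        )


# "KEY        : value" lines, including "RESET_PERIOD (in seconds)    : 86400".
FIELD_RE = re.compile(r"^\s*([A-Z_]+)(?: \(in seconds\))?\s*:\s?(.*)$")
# Continuation lines under FAILURE_ACTIONS, e.g. "RUN PROCESS -- Delay = 0 ..."
ACTION_RE = re.compile(r"^\s+((?:RESTART|REBOOT|RUN PROCESS|NONE)\b.*)$", re.IGNORECASE)


def parse_qfailure(text: str) -> FailureConfig:
    """Turn one service's `sc qfailure` output into a FailureConfig."""
    cfg = FailureConfig(service="")
    in_actions = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_actions = key == "FAILURE_ACTIONS"
            if key == "SERVICE_NAME":
                cfg.service = value
            elif key == "RESET_PERIOD":
                cfg.reset_period = int(value) if value.isdigit() else None
            elif key == "COMMAND_LINE":
                cfg.command_line = value
            elif key == "FAILURE_ACTIONS" and value:
                cfg.actions.append(value)
        elif in_actions:
            a = ACTION_RE.match(line)
            if a:
                cfg.actions.append(a.group(1).strip())
    return cfg


def flag_services(outputs: Iterable[str]) -> List[FailureConfig]:
    """Return configs that set a COMMAND_LINE at all; a set-but-unarmed one is still worth a look."""
    return [c for c in map(parse_qfailure, outputs) if c.command_line]


# Constructed sample modelled on `sc qfailure` output; the path is a placeholder.
SAMPLE_OUTPUT = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        RESET_PERIOD (in seconds)    : 86400
        REBOOT_MESSAGE               :
        COMMAND_LINE                 : C:\\ProgramData\\recover.exe /quiet
        FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
                                       RUN PROCESS -- Delay = 0 milliseconds.
                                       RESTART -- Delay = 60000 milliseconds.
"""

if __name__ == "__main__":
    for cfg in flag_services([SAMPLE_OUTPUT]):
        armed = "ARMED" if cfg.runs_program else "set but no RUN PROCESS action"
        print(f"{cfg.service}: {cfg.command_line} ({armed})")
```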


Summary:

Add checking for c:\program.exe and other strange executables to your incident response checklist. Also add checking for service failure recovery processes to your list. Wiping the drive is a costly endeavor. It can cost you time and it can cost you some political skin as you convince business leaders to endure additional downtime. Any political hit for wiping the drive is smaller than the hit you'll take if the machine is still infected. Just wipe the drive. Still not convinced? I have a few more parts to this series to go. This is only the tip of the iceberg.

Follow me on twitter : @MarkBaggett



Here is an AWESOME DEAL on some SANS training. Join Justin Searle and me for SANS' new SEC573 Python for Penetration Testers course at SANSFire June 17-21. It is a BETA so the course is 50% off! Sign up today!

http://www.sans.org/event/sansfire-2013/course/python-for-pen-testers

There are two opportunities to join Jake Williams (Twitter @malwarejake) for FOR610 Reverse Engineering Malware. Join him on vLive with Lenny Zeltser or at the Digital Forensics Incident Response Summit in Austin.

vLive with Jake and Lenny begins March 28th, 2013:

http://www.sans.org/vlive/details/for610-mar-2013-jake-williams

Jake at DFIR Austin Texas July 11-15, 2013:

http://www.sans.org/event/dfir-summit-2013/course/reverse-engineering-malware-malware-analysis-tools-techniques




(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Samsung has taken the wraps off of its new Galaxy S4 smartphone, which will support global LTE roaming and has front- and rear-facing cameras that can be used simultaneously, the company said.
 
Samsung's next-generation Galaxy S4 smartphone was unveiled in New York City at 7 p.m. ET.
 
Adobe Reader Unspecified Remote Code Execution Vulnerability
 
Apple QuickTime CVE-2012-3756 Buffer Overflow Vulnerability
 
Secunia highlights the growing need for better third-party application security, plus Microsoft's security improvements, and the growing cost of zero-days.

 
A Pentagon advisory panel suggests both beefed-up U.S. cyber-defenses and a proactive plan for offense.

 
A former Tribune Company employee could face as much as 10 years of jail time over federal charges accusing him of conspiring with members of the hacker group Anonymous to hack into a Tribune website.
 

Matthew Keys, deputy social media editor for Reuters, has been charged with conspiring with members of Anonymous to hack into the website of the Los Angeles Times in December 2010.

Keys, 26, was charged with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer. The crimes carry sentences of up to ten years and fines of up to $250,000, though any actual sentences are likely to be a small fraction of these.

Keys was a former employee of California television station KTXL Fox 40. Fox 40 and the LA Times are both owned by media conglomerate the Tribune Company. Through his employment, he had credentials to the Tribune Company's content management system (CMS).


 
Oracle Java SE Remote Code Execution Vulnerability
 
Facebook has been busy lately, unveiling Graph Search, a new News Feed and now a redesign of Timeline. The good news is that the changes are likely to improve the social network. Here's a look at the best features of Facebooks recent updates.
 

If you've got 99 security problems, odds are Microsoft's not one—or at least it's just a minority of them. In its annual review of software vulnerabilities, security software firm Secunia found that 86 percent of vulnerabilities discovered on systems scanned by its software in the 50 most popular Windows software packages in 2012 were attributable to third-party developers and not to Microsoft's Windows operating system or applications. And for most of these vulnerabilities, a patch was already available at the time they were discovered.

Of the top 50 most used Windows packages, including the Windows 7 operating system itself, 18 were found to have end-point security vulnerabilities, a 98 percent increase over five years ago. Of those 18 packages, Google's Chrome and the Mozilla Firefox browser were the biggest culprits, with 291 and 257 detected vulnerabilities respectively. Apple iTunes came in third, with 243 detected vulnerabilities. The remainder of the top ten offenders were:

  • Adobe Flash Player: 67
  • Oracle Java JRE SE: 66
  • Adobe AIR: 56
  • Microsoft Windows 7: 50
  • Adobe Reader: 43
  • Microsoft Internet Explorer: 41
  • Apple Quicktime: 29

Of the vulnerabilities documented in Secunia's database, 84 percent had already been patched by vendors when they were discovered on systems. "This means that it is possible to remediate the majority of vulnerabilities," said Secunia Director of Product Management Morten R. Stengaard. "There is no excuse for not patching."


 
[SECURITY] [DSA 2640-1] zoneminder security update
 
[SECURITY] [DSA 2644-1] wireshark security update
 

Richard Porter --- ISC Handler on Duty
 
The U.S. International Trade Commission will take two more months to decide whether Apple's iPhone and iPad should be taken off sale in the U.S. due to alleged patent infringements, it said late Tuesday.
 
Microsoft has issued a detailed mea culpa about the lengthy and ill-timed outage that affected its webmail services on Tuesday and Wednesday, an incident that undermines the company's push for its new Outlook.com as a better alternative to Gmail and Yahoo Mail.
 
For a variety of reasons, some businesses are looking to downgrade from Windows 8 to Windows 7. The good news is that Microsoft's business licenses come with downgrade rights, but the catch is that the rules can be tricky and compliance could become an issue. Here are some clarifications on your rights when downgrading from Windows 8 or standardizing on noncurrent Microsoft software.
 
A day after Andy Rubin stepped aside from leading Android, Google today said that Jeff Huber, the company's head of mapping and commerce, is also leaving his post.
 
Scientists at the California Institute of Technology have taken the next step in the evolution of the computer chip, developing self-healing integrated chips.
 
Americans took to the Internet Thursday as tens of thousands signed petitions on sites pleading for Google Reader's life.
 
The U.S. Congress needs to shut down so-called patent trolls whose infringement lawsuits are diverting company resources from hiring and research, a group of technology companies told lawmakers Thursday.
 

The federal government's official catalog of software vulnerabilities was taken offline after administrators discovered two of its servers had been compromised. By malware. That exploited a software vulnerability.

The National Vulnerability Database is maintained by the National Institute of Standards and Technology and has been unavailable since late last week, according to an e-mail sent by NIST official Gail Porter published on Google+. At the time of this article on Thursday afternoon, the database remained down and there was no indication when service would be restored.

"On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet," Porter wrote in the March 14 message. "NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability."


 

Researchers have devised two new attacks on the Transport Layer Security and Secure Sockets Layer protocols, the widely used encryption schemes used to secure e-commerce transactions and other sensitive traffic on the Internet.

The pair of exploits—one presented at the just-convened 20th International Workshop on Fast Software Encryption and the other scheduled to be unveiled on Thursday at the Black Hat security conference in Amsterdam—don't pose an immediate threat to the millions of people who rely on the Web-encryption standards. Still, they're part of a growing constellation of attacks with names including BEAST, CRIME, and Lucky 13 that allow determined hackers to silently decrypt protected browser cookies used to log in to websites. Together, they underscore the fragility of the aging standards as they face an arsenal of increasingly sophisticated exploits.

"It illustrates how serious this is that there are so many attacks going on involving a protocol that's been around for years and that's so widely trusted and used," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told Ars. "The fact that you now have CRIME, BEAST, Lucky 13, and these new two attacks within the same week really illustrates what a problem we're facing."


 

Sadly, far too often we hear about hackers getting punished for their exploits—even when the hack doesn’t really damage anyone. (RIP Aaron Swartz.)

Today, however, two people are being rewarded for a fun, harmless hack. After taking over a prominent electronic billboard in Belgrade, installing Space Invaders on it, and playing it via their iPhones for 20 minutes, two Serbian students were rewarded by the billboard's owner with two iPad mini 4Gs.

“This has never happened before, but we appreciate the fact that these guys have, in a charming way, pointed us to this huge problem,” Slobodan Petrovic, the manager of the billboard ad company, DPC, told Serbian news site Kurir on Wednesday (Google Translate). “Now it is clearer than ever that we need to protect ourselves better. In more developed countries, these actions are unthinkable because of severe sanctions.”


 
AVG's anti-virus software mistook a Windows system file for a trojan and brought Windows XP systems to a halt. Those who deleted the falsely accused file had an even bigger problem


 
[ MDVSA-2013:025 ] pidgin
 
[slackware-security] seamonkey (SSA:2013-072-02)
 
[slackware-security] perl (SSA:2013-072-01)
 
Re: SQLi found in Kodak Insite
 
Video: McGraw discusses the past and future of the BSIMM maturity framework for software security, and how vendors like Adobe and Microsoft measure up.

 
Bask Iyer, SVP and CIO, Juniper Networks, talks about the challenges of working with extremely tech-savvy employees spread across 46 countries, and ways to tackle them.
 
Judging from various leaks, reports, rumors and official tweeted photos, Samsung will focus heavily on new software features when it unveils the Galaxy S 4 smartphone tonight in New York City.
 
Social media sites already offer free advertising in the form of tweets and Facebook posts, but these tools can only take your brand so far. The next step involves paying for social media ads, and if you're considering this option, you're probably most concerned with one big question: What will my return actually be? Will spending money on an ad on Twitter or Facebook bring more customers to my business than the same amount spent on Google AdWords?
 
Microsoft will issue security fixes for its Windows Store apps on the fly, not just on the familiar monthly Patch Tuesday, the company said this week.
 
Have you ever wondered just how fast your home or work network really is? Or needed to troubleshoot a network connection? There are some solid command-line (Terminal) tools, such as iperf, that let you do this, as well as a number of traditional Mac apps. But Speedy Net (Mac App Store link), which I discovered last year via Twitter, is my current tool of choice. It's a little app that does one thing, but does it well and simply: It lets you test the performance of a network connection between two Macs (or, using the $1 Speedy Net iOS app, between any combination of Macs and iOS devices).
 
The Samsung Galaxy S smartphone series has attracted rabid fans, with older-generation models keeping a residual value that rivals that of older-generation Apple iPhones.
 
Enterprises that use mobile device management (MDM) systems to protect their corporate data on employees' mobile phones are not safe from attacks from spyphones, researchers warned at BlackHat Europe on Thursday.
 
New data is bringing scientists much closer to proving that a particle discovered in the Large Hadron Collider last year is the elusive Higgs boson.
 
A U.S. government computer vulnerability database and several other websites at the National Institute of Standards and Technology have been down for nearly a week after workers there found malware on two Web servers.
 
Google says it will shutter some services, such as Google Reader, and APIs. Will this affect your use of Google's APIs and cloud services?
 
It's true: The Internet really is out to get us all. Here are a few steps you can take toward being safer every time you use the Web. (Insider; registration required)
 

It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran's totalitarian-esque government and its budding nuclear program. If this initiative wasn't stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations.

When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before.

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.


 
A single, slightly unusual IPv6 packet is all that's required to cause a Windows PC with a Kaspersky firewall to freeze. Now that the problem has been disclosed, the company has acted to fix it


 
The National Vulnerability Database belonging to US NIST is offline after suspicious traffic led investigators to malware on two of the public-facing web servers


 
IBM has started a new practice to help organizations interact more effectively with their customers through the use of social media and other emerging technologies.
 
Twitter has released an app for Windows 8, with several features designed specifically for the new operating system from Microsoft.
 
The ailing FeedDemon RSS reader will shut down after Google Reader is closed on July 1, its creator said. FeedDemon is a standalone RSS reader that can also sync with Google Reader.
 
Google is shutting down its Google Reader and seven other products and services, taking the total number of features or services shut since its "spring cleaning" began in 2011 to 70.
 
Two researchers from security firm Imperva have devised new techniques that could allow attackers to extract sensitive information from encrypted Web traffic.
 
Google has removed some programs from its Play store that block web advertisements, contending the applications violate its rules by interfering with other services.
 
WordPress may be a popular CMS, but its built-in backup isn't ideal. Here are 10 plugins that can help you keep your entire site safe.
 
Samsung's next-generation Galaxy S4 smartphone is being unveiled Thursday night in New York City. The event starts at 7 p.m. ET.
 
BlackBerry today announced technology designed to securely separate work and personal data on Android and iOS smartphones and tablets, as its Balance software does for new BlackBerry 10 devices.
 
Almost on demand, certain Wi-Fi routers download an executable file from the internet and then execute it at root privilege level


 

Posted by InfoSec News on Mar 14

http://healthitsecurity.com/2013/03/13/pa-health-system-reports-144-patient-data-identity-theft/

By Patrick Ouellette
Health IT Security
March 13, 2013

In what’s turned out to be a multi-layered case, 144 patients of Community
Hospital in Chester and Crozer-Chester Medical Center in Upland, PA had their
names, dates of birth and Social Security numbers stolen in an IRS tax fraud
sting from January 2008 to September 2011.

Rafael Henriquez...
 

Posted by InfoSec News on Mar 14

http://www.nextgov.com/defense/2013/03/officials-worry-about-vulnerability-global-nuclear-stockpile-cyber-attack/61855/

By Aliya Sternstein
Nextgov.com
March 13, 2013

Senators requested a national intelligence assessment of foreign nations’
abilities to protect their nuclear weapons from digital strikes after the
Pentagon's chief cyber officer said he does not know whether China, Russia or
other nuclear powers, aside from the United...
 

Posted by InfoSec News on Mar 14

http://www.dailymail.co.uk/news/article-2292756/Brazilian-doctor-used-fake-fingers-silicon-sign-absent-colleagues-ghost-worker-scam.html

By BECKY EVANS
Daily Mail Online
13 March 2013

A Brazilian hospital doctor used 'fake fingers' made of silicon to record the
attendance of fellow medics when they were not at work.

Officers seized six 'fingers' from doctor Thauane Nunes Ferreira, 29, when they
arrested her on Sunday...
 

Posted by InfoSec News on Mar 14

http://www.eweek.com/security/google-offers-help-advice-for-hacked-website-owners/

By Todd R. Weiss
eWEEK.com
2013-03-13

Google set up online resources to help the owners of hacked Websites regain
control and make security repairs.

Google is offering a new series of "how-to" articles and videos to help the
owners of hacker Websites regain control of their online properties and keep
the Internet safer for users.

The project was...
 

Posted by InfoSec News on Mar 14

http://www.abs-cbnnews.com/nation/03/14/13/hackers-took-3-days-crack-pnoy-website

By David Dizon
ABS-CBNnews.com
03/14/2013

MANILA - Local hackers took only 3 days to crack the encrypted password of the
official website of the Office of the President, a member of Anonymous
Philippines revealed Thursday.

Local netizen #pR.is0n3r said members of Anonymous Philippines were able to
detect a vulnerability in the President's website, which...
 