(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Australian infosec pros rank own businesses as sitting ducks
Summary: A survey asking Australian security professionals to rank their security has found that most of them failed themselves on their ability to respond to and protect their own businesses.

Twitter users reacted fast to the explosions that ripped through the Boston Marathon Monday, but the incident also revealed how social media can only be so reliable in such situations.
Cellular networks in Boston were still operating on Monday evening following the explosions near the finish line of the Boston Marathon, contrary to earlier reports that they had been shut down to prevent remote bomb detonations.
A dialog box presented by Java when it encounters an application that isn't signed by a digital certificate.

Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.

The update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users' machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous "zero-day," as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.

In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. The post went on to say that "39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password." The advisory didn't specify or describe the holes that will be patched. Security Exploration, a Poland-based security company that has discovered dozens of "security issues" in Java, has a running list of them here.


389 Directory Server CVE-2013-1897 Information Disclosure Vulnerability


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting

ROCKVILLE, Md. - In recognition of the critical need to protect private-sector intellectual property and other valuable business data from a growing number of cyber threats, 11 major companies have formally established partnerships ...
The role of forensic science throughout the world is changing due to recent technological development. Whereas forensic science has traditionally supported police work, the field has begun moving into the spotlight as new research allows ...
Verizon Wireless reportedly has offered $1 billion to $1.5 billion for some of Clearwire's spectrum leases, possibly complicating Sprint Nextel's attempt to buy out the company in conjunction with its acquisition by Softbank.
Facebook is teaming up with the nation's attorneys general to launch a public awareness campaign aimed at keeping young people safer on the site.
Don't blame Windows 8 for plummeting PC sales, a retail analyst at NPD Group said today.
Adobe has released a public beta of its Lightroom 5 photo-editing application. While not a radical reworking, it includes some useful new tools.
The Schnucks supermarket chain struggled for two weeks to find the source of a breach that exposed credit and debit card information on as many as 2.4 million customers.
The long-awaited U.S. Senate comprehensive immigration bill, which could arrive in Congress on Tuesday, will likely contain provisions onerous to offshore outsourcing firms that are dependent on H-1B visas.
Dell remains committed to Microsoft's Windows RT, despite the poor market reception to the OS and a decline in prices of related tablets.
A fixed camera at IDG's Boston offices captured the moment two explosions rocked the finish line of today's Boston Marathon. The camera shakes slightly and then smoke envelopes the view.
The Cyber Intelligence Sharing and Protection Act (CISPA), a controversial cyberthreat information-sharing bill, will be debated on the floor of the U.S. House of Representatives this week, despite continued opposition from some privacy and digital rights advocates.
The Internet? Kind of a cesspool. And as the parent of kids who are now old enough to operate a Web browser, you can bet I'm keen on checking their activities and filtering out the inappropriate content.
A vulnerability discovered in a combined heat and power unit from German manufacturer Vaillant can lead to attackers potentially damaging the systems. The manufacturer recommends disconnecting the systems from the network.

According to a study, Russian search engine Yandex is particularly profligate in returning search results pointing to infected web pages. Bing returns five times as many malware pages as Google.

Multiple Vendor SSL/TLS Renegotiation Denial Of Service Vulnerability

I was recently working at a client, implementing wireless. As in many Enterprise Wireless projects, we needed an Enterprise Certificate Authority (CA). Imagine my surprise when we went to create an Enterprise Root CA and found that one already existed. And when we took a closer look at that Root CA and found that the server was retired - dead and gone - I got that sinking feeling and realized we might be on a trip down the project-overrun rabbit hole.

While you can certainly inventory all the certificates issued and active on a Certificate Authority, if the CA is gone there isn't a good way to do that. And while you can easily delete a Root CA from Active Directory, once you delete it that CA is no longer in the list of Trusted Roots: all the certificates issued by it will be invalid, and in this case nobody really was sure what that CA had been put in to do. So what we needed was an idea of what the impact of deleting that CA might be.

Then I remembered the story I wrote a while back on Microsoft certutil ( https://isc.sans.edu/diary/11962 ).  With a bit of playing, I was able to use certutil and psexec ( from Mark R's excellent  Sysinternals Utilities) to inventory the "Local Computer" certificate store of every machine in the domain.  

Luckily, in this case we only needed to worry about machines in the Active Directory Domain, so this survey got the job done for us.

What we needed to run was a short script like this, on each machine in the domain:

REM ============== getiss.cmd ==============
REM Separator line, so each machine's block is easy to spot in the shared output file
echo ========================== >> \\utilserver\sharename\certs.txt
REM Record which machine this block came from
hostname >> \\utilserver\sharename\certs.txt
REM Dump the Local Computer "Personal" (my) store and keep only the lines mentioning Issuer
certutil -store my | find "Issuer" >> \\utilserver\sharename\certs.txt

The first 2 lines (the echo and hostname commands) just break up the output and identify the machine being evaluated in each block. The last line is where all the action is: we're dumping the local certificate store, looking only at the Local Machine store. In this case all we're interested in is which server issued each certificate, so we're filtering for the word "Issuer" in the output. Since we're looking anyway, I'm not going to parse this out further; I'll happily look at *all* the issuers in the domain to see if we've got any other issuer-based certificate problems in our domain.

Now I'll call this little script for every computer in the domain:

psexec \\* -u domainname\adminuser -p adminuserspassword -cf getiss.cmd

Our output looks like:

Issuer: CN=CA01-CA, DC=domain, DC=com
Issuer: CN=SERVERNAME7, L=1720207907, OU=SharePoint, O=Microsoft
Root Certificate: Subject matches Issuer

... and so on.

So what did we find? The old CA hadn't issued any certificates that were currently in play on anything in the domain. We also found a number of self-signed certificates (where the Issuer matched the hostname). So, with this in hand, we can delete that old CA from the Domain and know in our hearts that we're not going to mess up any of the critical services in the organization (SharePoint or Exchange, for instance). Details on doing this, now that the impact has been assessed, can be found at these and many other links on microsoft.com ( http://support.microsoft.com/kb/555151 , http://support.microsoft.com/kb/889250 , http://blogs.technet.com/b/pki/archive/2011/10/07/how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx )
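The impact assessment above was done by eyeballing certs.txt. The script below is an added example, not part of the diary, that does the same assessment programmatically: it parses the shared output file that getiss.cmd writes (separator line, hostname, then the `certutil ... | find "Issuer"` lines), groups issuers per host, flags the hosts that still hold a certificate from a named CA, and lists the hosts with self-signed certificates. The hostnames, the retired CA name OLDROOT-CA and the sample dump are all constructed for the example; only the line formats come from the diary.

```python
"""Assess the impact of decommissioning a CA from the certs.txt produced by getiss.cmd.

Added example; SAMPLE_DUMP is constructed to match the format the diary shows.
"""
import re
from collections import defaultdict

# Constructed sample of \\utilserver\sharename\certs.txt after getiss.cmd ran on
# three machines (hostnames and DNs are made up for the example).
SAMPLE_DUMP = """\
==========================
FILESRV01
Issuer: CN=CA01-CA, DC=domain, DC=com
Issuer: CN=OLDROOT-CA, DC=domain, DC=com
==========================
SHAREPOINT01
Issuer: CN=SHAREPOINT01, L=1720207907, OU=SharePoint, O=Microsoft
Root Certificate: Subject matches Issuer
Issuer: CN=CA01-CA, DC=domain, DC=com
==========================
WKS-042
Issuer: CN=CA01-CA, DC=domain, DC=com
"""

SEPARATOR = "=========================="
ISSUER_RE = re.compile(r"^Issuer:\s*(.+)$")
SELF_SIGNED_MARKER = "Root Certificate: Subject matches Issuer"
CN_RE = re.compile(r"CN=([^,]+)")


def parse_dump(text):
    """Return {hostname: [(issuer_dn, self_signed), ...]} from the certs.txt text.

    Because `find "Issuer"` keeps every line containing the word, the
    "Root Certificate: Subject matches Issuer" line survives too; certutil prints
    it after the Issuer line of the same certificate, so it marks the most
    recently seen issuer on that host as self-signed.
    """
    hosts = {}
    host = None
    expect_hostname = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SEPARATOR:
            expect_hostname = True      # next non-empty line is the hostname
            continue
        if expect_hostname:
            host = line
            hosts.setdefault(host, [])
            expect_hostname = False
            continue
        if host is None:
            continue                    # stray line before the first block
        m = ISSUER_RE.match(line)
        if m:
            hosts[host].append((m.group(1).strip(), False))
        elif line == SELF_SIGNED_MARKER and hosts[host]:
            issuer, _ = hosts[host][-1]
            hosts[host][-1] = (issuer, True)
    return hosts


def issuer_cn(issuer_dn):
    """Pull the CN out of an issuer DN; fall back to the whole DN if there is none."""
    m = CN_RE.search(issuer_dn)
    return m.group(1).strip() if m else issuer_dn


def hosts_depending_on(hosts, ca_cn):
    """Hosts holding at least one non-self-signed certificate issued by the CA ca_cn.

    These are the machines whose certificates break if that CA is removed from
    the Trusted Roots.
    """
    return sorted(h for h, certs in hosts.items()
                  if any(issuer_cn(i) == ca_cn and not ss for i, ss in certs))


def self_signed_hosts(hosts):
    """Hosts with at least one self-signed certificate (Issuer matches Subject)."""
    return sorted(h for h, certs in hosts.items() if any(ss for _, ss in certs))


def issuer_summary(hosts):
    """{issuer_cn: number of hosts using it} - the 'all the issuers in the domain' view."""
    counts = defaultdict(int)
    for certs in hosts.values():
        for cn in {issuer_cn(i) for i, _ in certs}:
            counts[cn] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_dump(SAMPLE_DUMP)
    print("issuers seen:", issuer_summary(inventory))
    print("hosts still depending on OLDROOT-CA:", hosts_depending_on(inventory, "OLDROOT-CA"))
    print("hosts with self-signed certs:", self_signed_hosts(inventory))
```

Run it against the real certs.txt by reading the file into parse_dump instead of SAMPLE_DUMP; an empty result from hosts_depending_on for the retired CA is the "safe to decommission" signal the diary was after, and issuer_summary gives the full issuer list in one glance.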

Scripting saves the day again, in about 10 minutes no less!

If you've had a similar experience, or if you've got a simpler or more elegant scripting approach for this type of problem, by all means use our comment form and share.

Rob VandenBrink


Bradford Networks Addresses BYOD Security Threats at InfoSec World 2013
MarketWatch (press release)
ORLANDO, FL, Apr 15, 2013 (Marketwired via COMTEX) -- InfoSec World Expo and Conference, Booth #104 -- Bradford Networks(TM), the best choice to secure network access for BYOD, today announced its participation in the InfoSec World Expo and ...

What are the legal ramifications of allowing staff to bring their own mobile devices to work and where is the dividing line between organisational and employee risk?
More than two-thirds (70 per cent) of Australian businesses are using the social media to deliver customer service, according to a study by consultancy and research firm, Fifth Quadrant.
Complainants in the European Union's antitrust case against Google said Monday that the company's proposed remedies could be worse than the current situation.
Dish Network has made a US$25.5 billion bid to acquire wireless operator Sprint Nextel, hoping to edge out a rival bid from Japanese operator SoftBank.
Applied Micro Circuits is looking to make its 64-bit chip for ARM servers more powerful and flexible through a collaboration with specialized chip maker Altera.
A Sony-backed ISP in Japan has launched a 2Gbps Internet service, which it said is the world's fastest for home use.
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in poppler: poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger an invalid memory access in (1) splash/Splash.cc, [More...]
When a security researcher announced that he'd written an Android app that allowed him to hijack a jet with his Samsung Galaxy smartphone, he acknowledged an important caveat to his exploit: It had been tested only on a simulator.
Dish Network has made a $25.5 billion bid to acquire wireless operator Sprint Nextel, hoping to edge out a rival bid from Japanese operator SoftBank.
Hosting companies are reporting increased brute force attacks on WordPress installations around the world. The attacks have been traced back to a botnet that is apparently controlling as many as 90,000 IP addresses.

U.S. Secretary of State John Kerry called defending against cyberattacks a major part of maintaining security in Asia, and said Washington is forming working groups with China and Japan to address the issue.
Before getting into the installation and use of WinDbg for W8, I looked for additional sources to help with crash resolution. Just Googling "Windows 8 crash" returned forums, guides, tools and books, all offering varying levels of help.
Windows 8 has been out for a while, featuring an interface that's as cool as it is annoying . . . until you get the hang of it. But, like any computer operating system, it can fall over. Luckily, there is an easy way to find the cause of most crashes: just call up WinDbg, the Windows debugger, a free tool to diagnose the most common cause of Windows crashes -- misbehaving third-party drivers.
Microsoft is working on designs for a touch-enabled smart watch, joining a number of other large competitors like Samsung Electronics and Apple who are said to be working on similar devices, a newspaper reported.
Expanding beyond its own OpenStack hosted services, Rackspace is offering to build OpenStack deployments for other hosting providers as well, such as telecommunication companies.
Apple's noted silence has hurt its mystique and caused it to cede the "cool" factor to competitors, a communications expert said.
Today's emergency notification technology allows enterprises to send out, and employees to receive, real-time situational advisories.
Xen CVE-2013-1920 Local Memory Corruption Vulnerability