Hackin9
Multiple Apple Products CVE-2014-1296 Information Disclosure Vulnerability
 
Mozilla Firefox CVE-2014-1520 Local Privilege Escalation Vulnerability
 
QEMU CVE-2013-4541 Remote Code Execution Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The new 10.9.3 update to Mavericks offers improved support for 4K displays. Before the update, Retina MacBook Pros and the new Mac Pro were able to drive 4K displays, but using any resolutions below the monitor's native resolution would result in soft, slightly blurry-looking screen elements and jaggy text. The new resolution options and system optimizations in 10.9.3 make scaled resolutions look much, much better.
 

Federal prosecutors have secured an unusually stiff sentence against a low-level identity thief by invoking the same law used to target bosses of the Gambino crime family and Los Angeles street gangs.

On Thursday, David Ray Camez, 22, was sentenced to serve 20 years in prison and pay $20 million in restitution for his participation in carder.su, a website that allowed people to collaborate on crimes involving identity theft, computer malware, and other types of online graft. He was already serving a seven-year sentence for the same acts when he and 38 others were charged in a 2012 indictment. The indictment alleged violations of the Racketeering Influenced Corrupt Organizations (RICO) Act, which allows for harsh criminal and civil penalties for acts that are part of an ongoing criminal enterprise.

Under RICO, it didn't matter that Camez's conduct was an infinitesimally small part of the illegal acts carried out on carder.su, or that he was just 17 or 18 years old when he was caught purchasing or possessing counterfeit driver's licenses, credit and gift cards, and equipment for manufacturing counterfeit cards. During sentencing, prosecutors provided evidence establishing that the site, with an estimated 5,500 members as of 2011, was responsible for losses totaling $50 million. Feds also established that carder.su was a criminal enterprise engaged in large-scale trafficking of compromised credit cards and identities. These showings were some of the many factors under RICO that allowed for increased penalties for Camez, who went by the online aliases "Bad Man" and "doctorsex."


 

How exec snatched $6m budget from his infosec team because he couldn't see ...
Register
One unnamed executive went further, and told AISA board member Lani Refiti during an interview that he revoked the $6m security budget he approved each year because infosec geeks failed to produce evidence of return on investment when they most ...
Troy Braban named winner of SC Award (iT News)

 


One of the "prepare for a zero day" steps that I highlighted in my story last week was to inventory your network stations, and know what's running on them.  In short, the first 2 points in the SANS 20 Critical Security Controls.  This can mean lots of things depending on your point of view.

Nmap can make an educated guess on the existence of hosts, their OS and active services:
nmap -p0-65535 -O -sV x.x.x.0/24
Good information, but not "take it to the bank" accuracy.  It'll also take a LONG time to run, so you might want to trim down the number of ports being evaluated (or not).  Even if you don't take this info as gospel, it's still good supplemental info, especially for stations that are not in your domain.  You can kick this up a notch with Nessus (Nessus will also log in to stations and enumerate software if you have credentials).

If you're running Active Directory, you can get a list of hosts using netdom, and a list of apps on each host using WMIC (the second find strips netdom's trailing "The command completed successfully." line, so it doesn't end up being queried as a host later):
netdom.exe query /domain:domainname.com workstation | find /v "List of Workstations" | find /v "completed successfully" >stations.out

(if you use "server" instead of "workstation", you'll get the server list instead)

and for each station:
wmic product list brief

But having run exactly this recently, I can tell you it can take a LONG time in a larger domain.  How can we speed this up?  In a word, PowerShell.
To inventory a domain:
import-module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion


To inventory the software on a remote workstation:
Get-WmiObject -Class Win32_Product -computername stationnamegoeshere | Select-Object -Property Name

(One caveat: querying Win32_Product makes Windows Installer re-validate every MSI-installed package on the target, so it is slow and logs a reconfiguration event per package in the target's Application event log.  The results are accurate, just don't point it at a busy production server in the middle of the day.)

( see here for more info: http://technet.microsoft.com/en-us/library/ee176860.aspx)

I collected this information first using the netdom/wmic way (hours), then using powershell (minutes).  Guess which way I'd recommend?

OK, now we've got what can easily be Megabytes of text.  How do we find out who needs some TLC?  Who's running old or unpatched software?

As an example - who has or does NOT have EMET 4.1 installed?

To check this with WMIC:

"go.cmd" (for some reason all my parent scripts are called "go")  might look like:
@echo off
rem read one station name per line and pass it to emetchk.cmd as %1
for /f %%G in (stations.out) do call emetchk.cmd %%G

and emetchk.cmd might look like:
@echo off
echo %1  >> inventory.txt
wmic /node:%1 product where "name like 'EMET%%'" get name, identifyingnumber, InstallDate >> inventory.txt
echo.


Or with PowerShell, the domain enumeration would look like:
import-module ActiveDirectory
Get-ADComputer -Filter * | Select-Object -ExpandProperty Name | Out-File -Encoding ascii stations.out

(Two things to watch if a cmd script is going to read this file: PowerShell's default > redirection writes a Unicode (UTF-16) file that "for /f" can't parse, hence Out-File -Encoding ascii; and Format-Table output would add header and separator lines that the loop would then try to query as hosts, hence the plain list of names.)

Then, to enumerate the actual applications (for each station in stations.out), you could either use the emetchk.cmd script above, or re-do the thing in PowerShell (I haven't gotten that far yet, but if any of our readers want to add a script in the comments, I'm sure folks would love to see it!) - in this example the per-station command is:

Get-WmiObject -Class Win32_Product -computername stationname | Select-Object -Property Name > stationname.txt

Done!

If you run this periodically, you can "diff" the results between runs to see what's changed.  diff is standard on Linux, and is part of Windows these days too if you install SFU (Services for Unix), or you can get a nice diff report in PowerShell with:

Compare-Object -ReferenceObject (Get-Content c:\path\file01.txt) -DifferenceObject (Get-Content c:\path\file02.txt)
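Here is the PowerShell version of the go.cmd/emetchk.cmd loop together with the diff step, as an added example rather than code from the diary.  It assumes the ActiveDirectory module and WMI access to each station; the inventory-YYYYMMDD.csv file name is my own convention.

```powershell
Import-Module ActiveDirectory

$inventory = "inventory-$(Get-Date -Format 'yyyyMMdd').csv"

# Enumerate domain computers; ask only for the properties we use rather than -Properties *.
$stations = Get-ADComputer -Filter * -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

$results = foreach ($station in $stations) {
    # Skip hosts that are off or unreachable instead of waiting for the DCOM timeout.
    if (-not (Test-Connection -ComputerName $station -Count 1 -Quiet)) {
        [pscustomobject]@{ Station = $station; Status = 'unreachable'; EMET = '' }
        continue
    }
    try {
        # Win32_Product makes the remote host re-validate every MSI package it returns,
        # so expect this call to be slow and to write to the target's Application event log.
        $emet = Get-WmiObject -Class Win32_Product -ComputerName $station -ErrorAction Stop |
            Where-Object { $_.Name -like 'EMET*' }
        $status = if ($emet) { 'has EMET' } else { 'NO EMET' }
        [pscustomobject]@{
            Station = $station
            Status  = $status
            EMET    = ($emet | ForEach-Object { "$($_.Name) $($_.Version)" }) -join '; '
        }
    } catch {
        [pscustomobject]@{ Station = $station; Status = "error: $($_.Exception.Message)"; EMET = '' }
    }
}

# Save this run as plain ASCII CSV so cmd-based tools can read it as well.
$results | Export-Csv -Path $inventory -NoTypeInformation -Encoding ASCII

# Stations that need some TLC: missing EMET, unreachable, or WMI errors.
$results | Where-Object { $_.Status -ne 'has EMET' } | Format-Table -AutoSize

# Diff against the previous run, if there is one, to see what changed since then.
$previous = Get-ChildItem -Path 'inventory-*.csv' |
    Where-Object { $_.Name -ne $inventory } | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    Compare-Object -ReferenceObject (Get-Content $previous.FullName) -DifferenceObject (Get-Content $inventory)
}
```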

But what about the stations that aren't in our corporate domain?  Even if your domain inventory is solid, you still need to sniff network traffic with tools like PVS (from Tenable) or p0f (open source, from http://lcamtuf.coredump.cx/p0f3/) to identify folks running old versions of Java, Flash, AIR, IE, Firefox (mostly the pre-auto-update versions) and so on, who aren't in your domain and so might get missed in your "traditional" data collection.  Normally these sniffer stations monitor traffic in and out of choke points in the network such as firewalls or routers.  We covered this earlier this year here: https://isc.sans.edu/diary.html?date=2013-12-19

I hope this outlines free or close to free solutions to get these tasks done for you.  If you've found other (or better) ways to collect this info without a large cash outlay and/or a multi-week project, please share using our comment form.

===============
Rob VandenBrink
Metafore

 
The National Institute of Standards and Technology (NIST) has issued for public review and comment a proposed major update to its Guide to Industrial Control Systems (ICS) Security. (Credit: © Minerva Studio / Fotolia.com) Most industrial ...
 
So what happens now that the U.S. Federal Communications Commission voted to release a net neutrality proposal and seek public comments?
 
Apple has made a big push to get iPads in the hands of college students -- and productivity apps such as iWork and now Office for iPad are helping. But one university professor says tablets 'fall far short' of meeting the prerequisites for serious college coursework.
 
Two new development kits that require Arduino programming skills could make it easier for the do-it-yourself set to build electronics and wearable devices.
 
The National Digital Stewardship Alliance Innovation Working Group is honoring NIST for a software archive that has proven highly valuable to digital forensic investigators and is also paying off in other unimagined ways. Some of the ...
 
Amazon, Snapchat and AT&T rank among the least trustworthy technology companies when it comes to how they handle government data requests, according to a report from the Electronic Frontier Foundation.
 
The U.S. Federal Communications Commission will limit the amount of spectrum the nation's two largest mobile carriers can buy in an upcoming auction of highly sought spectrum controlled by television stations.
 
Apple will debut a split-screen feature for the iPad in this year's iOS 8, tilting its tablet toward PC-like functionality and mimicking a core feature of Microsoft's Windows 8 on tablets, according to a report Tuesday.
 

Last week, we saw Orange (a telecom company based in France) compromised, with the information of 1.3 million clients breached.  At this time, it does not appear that any credit card numbers or credentials were exposed in that event. (http://www.reuters.com/article/2014/05/07/france-telecomunications-idUSL6N0NT2I120140507)

The interesting thing about this data breach was that it involved systems that would not be considered "primary" - the site compromised housed contact information for customers who had "opted in" to receive sales and marketing information.

I'm seeing this as a disturbing trend.  During security assessments, penetration tests and especially in PCI audits, I see organizations narrow the scope to systems that they deem "important".   But guess what: the data being protected has sprawled into other departments, and is now housed on other servers, in other security zones where it should not be, and in some cases in spreadsheets on laptops or tablets, often unencrypted.  Backup images and backup servers are other components that are often not as well protected as the primary data (don't ask me why this oversight is so common).

The common quote amongst penetration testers and other security professionals for this situation is "guess what, the internet (and the real attackers) have not read or signed your scope document".

It's easy to say that we need to be better stewards of our customers' information, but really, we do.  Organisations need to characterise "what our information looks like" (with regexes, or dummy customer records that you can search for), then go actively hunt for it.  Be your own Google: write scripts to crawl your own servers and workstations looking for this information.  Once this process is in place, it's easy to run it periodically, or better yet, continuously.  Put this info into your Snort (or other IPS) signatures so you can see it on the wire, in emails, and in file copy or file save operations.
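As an added example of the "be your own Google" step (not code from the diary): a PowerShell crawler that hunts the file tree for data matching two fingerprints, a card-number shape validated with the Luhn check, and a planted dummy customer record.  The share paths, file types and the CANARY-CUSTOMER-00042 marker are my own assumptions; replace them with what your information actually looks like.

```powershell
param(
    [string[]]$Roots = @('\\fileserver\marketing', 'C:\Users'),   # hypothetical roots to crawl
    [string]$Report = 'data-sprawl.csv'
)

# What our information looks like: a 13-19 digit card-number shape, and a dummy customer
# record that only exists in the canary data set (constructed value; plant your own).
$patterns = @{
    'card-number'   = '\b(?:\d[ -]?){12,18}\d\b'
    'canary-record' = 'CANARY-CUSTOMER-00042'
}

function Test-Luhn([string]$Digits) {
    # Drops phone numbers, ticket ids and other digit runs that only look like a card number.
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.txt,*.csv,*.xls*,*.doc*,*.log,*.bak -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 50MB } |
        ForEach-Object {
            $file = $_
            foreach ($name in $patterns.Keys) {
                $found = Select-String -Path $file.FullName -Pattern $patterns[$name] -AllMatches -ErrorAction SilentlyContinue
                foreach ($value in ($found | ForEach-Object { $_.Matches } | ForEach-Object { $_.Value })) {
                    if ($name -eq 'card-number' -and -not (Test-Luhn ($value -replace '[ -]', ''))) { continue }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Owner   = (Get-Acl -Path $file.FullName).Owner
                        Pattern = $name
                        Sample  = $value.Substring(0, 4) + '...'   # never write the full value to the report
                    }
                }
            }
        }
}

$hits | Export-Csv -Path $Report -NoTypeInformation
# Summary: which fingerprints turned up, and whose files they are sprawling into.
$hits | Group-Object Pattern, Owner | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it from a scheduled task with an account that only has read access to the shares, and feed the File column into your periodic diff the same way as the software inventory.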

Too often the breach that happens is on a system that's out of scope and much less protected than our "crown jewels" data deserves.  If you're in the process of establishing a scope for PCI or some other regulatory framework, stop and ask yourself "wouldn't it be a good idea to put these controls on the rest of the network too?"

===============
Rob VandenBrink
Metafore

 
The U.S. is collecting comments on whether to allow certain H-1B spouses to work, and the prevailing theme is one of frustration.
 
The first smartphone carrying Windows Phone 8.1 starts shipping this week in Asia, even as Microsoft continues tweaking that latest version of its mobile OS.
 
Austin Energy, one of the largest city-owned utilities in the U.S., has signed a deal to purchase 150 megawatts of solar electricity from Recurrent Energy, one of North Americas biggest solar developers.
 
MiniUPnP 'miniwget.c' Remote Buffer Overflow Vulnerability
 
Cisco IOS Software CVE-2014-3263 Remote Denial of Service Vulnerability
 
APPLE-SA-2014-05-15-1 OS X Mavericks v10.9.3
 

Consumers on InfoSec: What, Me Worry?
BankInfoSecurity.com
Consumers around the world aren't overly concerned about Internet security, perhaps because they've experienced fatigue from the oversaturated media coverage of data breaches, Unisys Chief Information Security Officer David Frymier says. "It just ...

 
The current state of online advertising endangers the security and privacy of users and the U.S. Federal Trade Commission should force the industry to offer better protections through comprehensive regulation, the U.S. Senate said in a report.
 
The ability to come up with cohesive cloud offering has eluded Lenovo for years, but the company is taking steps to offer more services that it can wrap around its mobile devices and enterprise products.
 
To make it easier for users to build their own private and hybrid cloud systems using IBM technology, the company has added its distribution of the OpenStack cloud hosting software to its recently launched online market of products and services.
 
Toshiba plans to demolish its No. 2 flash memory plant in Japan and replace it with a new facility where it and SanDisk will produce 3D NAND.
 
If Satya Nadella is celebrating his first 100 days as CEO of Microsoft today, no one can blame him, a corporate leadership expert said.
 
The FCC voted to release a hotly debated proposal to reinstate net neutrality rules, asking whether it should advance a proposal allowing broadband providers to engage in "commercially reasonable" traffic management.
 
What could be less news than the end of Windows XP support? Everybody on the planet has been told about it a hundred times. This article concerns the real danger you haven't been reading about.
 
Embracing the widely used JSON data-exchange format, the new version of the PostgreSQL open-source database takes aim at the growing NoSQL market of nonrelational data stores, notably the popular MongoDB.
 
eGroupWare CVE-2014-2987 Cross Site Request Forgery Vulnerability
 
[security bulletin] HPSBMU02995 rev.7 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure
 
[ MDVSA-2014:088 ] python-lxml
 
[CVE-2014-0749] TORQUE Buffer Overflow
 
[ MDVSA-2014:087 ] php
 
AT&T will introduce a high-definition voice service over its LTE network in parts of four Midwest states on May 23, the carrier announced.
 
Samsung Electronics has sent out invitations to a June 12 event in New York, at which the company is expected to launch new Android tablets.
 
[REVIVE-SA-2014-001] Revive Adserver 3.0.5 fixes CSRF vulnerability
 
Bilyoner mobile apps prone to various SSL/TLS attacks
 
[SECURITY] [DSA 2928-1] linux-2.6 security update
 
Paypal Inc Bug Bounty #109 MOS - Bypass & Persistent Vulnerability
 
[security bulletin] HPSBMU03040 rev.1 - HP LoadRunner & HP Performance Center, running OpenSSL, Remote Disclosure of Information
 
CSRF and Remote Code Execution in EGroupware
 
Apple is the company the tech world looks to for innovation and for leadership. The company is on multiple 'most admired' lists. To what does the company credit that success? Clearly, its design capabilities.
 
The OpenStack cloud platform works well for companies that aim to deploy software or infrastructure as a service but remain wary of doing so using public cloud services. Here's how to find out if OpenStack is right for your business.
 
HTC is hoping the design and the ability to take high-resolution selfies with a 5-megapixel front camera will make its One Mini 2 a hit.
 
ownCloud CVE-2014-2585 Security Bypass Vulnerability
 
Zenoss Monitoring System HTML Injection and Open redirection Vulnerabilities
 
Despite mixed reviews from critics, Samsung's Galaxy S5 smartphone is proving to be another hit for the company, with 11 million of the phones sold in the first month of launch.
 
A former owner of several Subway fast-food restaurants in southern California pleaded guilty Wednesday to charges stemming from a gift card scheme that involved tampering with several other Subway stores' computerized cash registers.
 
Samsung's Chromebook 2 has a distinctive design and a roomy 1080p display, but it also has some meaningful drawbacks compared to other devices.
 
John Chambers may stay chairman and CEO of Cisco Systems for the time being, but with the company's financial results just beginning to emerge from a slump and major challenges remaining, it won't be an easy time to hold onto one of the longest leadership stints in the IT industry.
 
Some of the biggest U.S. retailers have banded together to share information about cyberthreats, in a bid to avert breaches like that suffered by Target last holiday season.
 
Autodesk announced Wednesday an open software platform for 3-D printing called Spark, which will be open and freely licensable to manufacturers and others.
 
A massive survey by the Pew Research Center about the Internet of Things in 2025 is very optimistic about its future, though its responses are filled with questions, doubts and caveats.
 
Codem-transcode 'lib/probe-handler.js' Remote Command Injection Vulnerability
 
FreeBSD Security Advisory FreeBSD-SA-14:10.openssl
 
[SECURITY] [DSA 2927-1] libxfont security update
 
St Module Directory Traversal Vulnerability
 
Marked Module Multiple Content Injection Vulnerabilities
 
hapi File Descriptor Leak Denial of Service Vulnerability
 
X.Org libXfont Multiple Integer Overflow and Memory Corruption Vulnerabilities
 