InfoSec News

The Toshiba Satellite T235-S1345 is a lightweight ultraportable notebook with a good screen and an attractive, shiny red cover. Our review model, priced at $600, features an AMD Turion II Dual-Core K625 Processor, a 320GB hard drive, an ATI Mobility Radeon HD 4225 integrated graphics engine, 4GB of RAM, and a 13.3-inch widescreen. It also features Wi-Fi 802.11b/g/n, a built-in Webcam (with included face recognition software) and microphone, and it runs the 64-bit version of Windows 7 Home Premium.
 
Because I'm the editor in charge of laptop coverage here at PC World, I'm quite often asked, "Which notebook should I buy?" Only slightly less often am I asked, "Which model would you buy?" This is it. The HP Envy 14 is the laptop I would buy for myself, were I in the market for one right now. That doesn't necessarily mean it's the right laptop for you, because everyone has different needs, but I get my hands on a lot of laptops, so it's high praise indeed.
 
The Apple manager who was arrested last week pleaded not guilty Monday to charges of accepting kickbacks of at least $1 million from Asian suppliers.
 
In my review of the original Alienware M11x, I called the system a revelation for gamers: Finally, here was an ultraportable laptop with enough muscle to play the latest games at good quality and performance levels and without worrying about anemic battery life. Recently, Alienware updated the M11x with new internal hardware, swapping out the ultra-low-voltage Core 2 Duo chips for Intel's Core i5 and i7 ULV chips, and adding nVidia's Optimus automatic graphics switching technology.
 
In a development that is sure to alarm privacy advocates, a major auto finance company is quietly scoping the legality of using GPS tracking devices in vehicles it finances.
 
RAD Studio XE features former Borland tools aimed at cloud deployments
 
In an interview, Kennelly discusses the future of Riverbend and how WAN optimization is like building a private cloud
 
During Black Hat USA 2010, Patrick Thomas presented a new web application fingerprinting tool called Blind Elephant (http://blindelephant.sourceforge.net). The tool uses the same techniques I've been using for a few years now, manually or through custom scripts, during web-app penetration tests: identify the resources available on the web application and, based on them, categorize its type and fingerprint its version. This method applies particularly well to open-source web application and blogging frameworks and CMSs, such as Drupal, Joomla, WordPress, phpBB, phpMyAdmin, etc., because you can check the resources available in the source code for a specific version and compare them with the resources of the target web-app.
Patrick took this idea seriously and created a Python-based tool. He has precomputed the hashes of the known files and automated the process. You can get more details from the original Black Hat presentation, or the updated version (v2). The tool is very useful from two perspectives: offensive and defensive.
On the one hand (offensive), you can incorporate the tool into your pen-test activities in order to fingerprint the target environment more accurately. On average it takes less than 6.5 seconds to fingerprint the web-app, with an average precision of three candidate versions (and the bandwidth consumption is also very low).
On the other hand (defensive), you can collect global details about the current state of the web portion of the Internet. The presentation provides results about the web application versions available out there, as well as the version distribution and real update status for the major players. The goal was to answer the following question: What % of (active) sites on the net are running a well-known webapp? I would personally add: ...a well-known VULNERABLE webapp? The results of this global analysis are pretty scary but match what I commonly see on pen-tests. Just to give you an idea, here are the figures for the phpMyAdmin vulnerability mentioned in a recent ISC diary (from the tool author):
Scanned on June 18, the % of net-visible phpMyAdmin installations unpatched against PMASA-2009-3/CVE-2009-1151: 60.75%

(52.2% are running a vulnerable version in the 2.x branch, 8.6% are running a vulnerable version in the 3.x branch)
Please, use this tool and its results to create awareness and push people to patch web infrastructures and applications, and help them improve the update process! I know this is easier said than done, but if you are still running a vulnerable web application more than one year after the vulnerability was announced, you are asking for trouble.
The project is looking for contributors, so it's an opportunity to make a difference and help make the Internet a more secure place.
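The fingerprinting idea described above (hash the static files a web application ships with, then look up which releases contain exactly those files) is simple enough to show in a few lines. The following is an added example written for this diary; it is not Blind Elephant's own code, and its release table, file contents, hashes and the "vulnerable versions" set are constructed for illustration (the real tool's database and scoring are far richer). It also shows the defensive use the diary mentions: checking whether a deployment you operate could still be on an unpatched release.

```python
"""Static-resource fingerprinting, the technique Blind Elephant automates.

Added example for this diary, not Blind Elephant's own code. The releases,
file contents and the VULNERABLE set below are constructed for illustration."""
import hashlib
import urllib.error
import urllib.request

# Constructed "source archives": the static files shipped with each release.
# A real fingerprint database is built from the published tarballs of every
# version and covers thousands of files, not three.
RELEASES = {
    "1.0": {"/readme.txt": b"ExampleCMS 1.0\n",
            "/js/app.js": b"var cmsMajor = 1;",
            "/css/site.css": b"body { margin: 8px; }"},
    "1.1": {"/readme.txt": b"ExampleCMS 1.1\n",
            "/js/app.js": b"var cmsMajor = 1;",
            "/css/site.css": b"body { margin: 0; }"},
    "2.0": {"/readme.txt": b"ExampleCMS 2.0\n",
            "/js/app.js": b"var cmsMajor = 2;",
            "/css/site.css": b"body { margin: 0; }"},
}
# Constructed: releases affected by some hypothetical advisory.
VULNERABLE = {"1.0", "1.1"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Precomputed lookup: path -> {hash: set of versions shipping that exact file}.
# Files shared by several releases map to several versions, which is why one
# probe rarely pins down a version and the candidate sets must be intersected.
KNOWN = {}
for version, files in RELEASES.items():
    for path, body in files.items():
        KNOWN.setdefault(path, {}).setdefault(sha1_hex(body), set()).add(version)


def fingerprint(fetch):
    """Return (sorted candidate versions, probe paths that narrowed the set).

    `fetch(path)` returns the bytes served at that path, or None for a 404.
    A file that is missing or locally modified (hash unknown) carries no
    information, so it is skipped instead of eliminating every candidate."""
    candidates = set(RELEASES)
    used = []
    for path, by_hash in KNOWN.items():
        body = fetch(path)
        if body is None:
            continue
        versions = by_hash.get(sha1_hex(body))
        if not versions:
            continue
        candidates &= versions
        used.append(path)
    return sorted(candidates), used


def patch_status(candidates, vulnerable=VULNERABLE):
    """'vulnerable' if every candidate is affected, 'patched' if none is,
    otherwise 'undetermined' (the probes could not separate the branches)."""
    hits = [v for v in candidates if v in vulnerable]
    if candidates and len(hits) == len(candidates):
        return "vulnerable"
    return "patched" if not hits else "undetermined"


def offline_fetcher(served):
    """Simulate a target site from a dict of path -> bytes (constructed input)."""
    return lambda path: served.get(path)


def http_fetcher(base_url, timeout=5):
    """Probe a site you operate, e.g. base_url='https://intranet.example'.
    Not used by the offline demo below."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError:
            return None
    return fetch


if __name__ == "__main__":
    # A 1.1 deployment whose readme the site owner deleted.
    site = dict(RELEASES["1.1"])
    del site["/readme.txt"]
    versions, probes = fingerprint(offline_fetcher(site))
    print(versions, probes, patch_status(versions))
```

Each probe only ever shrinks the candidate set, so an unknown hash (a customized file) or a missing file is deliberately ignored; treating it as "no version matches" would empty the set and hide a result that the remaining probes can still produce.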
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel today announced a new processor platform aimed at home and small business storage appliances that will boost I/O as well as support upcoming high-performance memory technology.
 
Apple could be making plans for a big role in mobile Near Field Communications (NFC) with the recent hiring of Benjamin Vigier as its product manager of mobile commerce.
 
Four Democrat members of the U.S. House of Representatives will oppose a network neutrality proposal offered by Google and Verizon Communications last week. The lawmakers say the two companies shouldn't set the rules for how U.S. residents access the Internet.
 

The people have spoken: IT security salary survey reveals infosec compensation ...
SearchSecurity.com
However, most infosec pros still believe they're entitled to premium pay. According to the results of our survey, almost half of respondents believe that ...

 
If you're a Kindle owner, you've probably discovered the device's enviable ability to bookmark pages, highlight passages, and add notes (a.k.a. annotations).
 
A security expert estimates that between 500,000 and 5 million Network Solutions-hosted Web sites have been spreading malware for months.
 
End users rule, and tacking on bare-bones media features won't cut it.
 
Researchers in the U.K. are working on a robot that will develop emotions as it interacts with people.
 
H-1B visa critics and advocates agree that an increase in visa fees that targets Indian IT service providers is inequitable. What's more, they say, it will do little to create or maintain American IT jobs, and could in fact lead to increased offshoring.
 
An Apple manager with responsibilities for the company's contract manufacturing in Asia was arrested Friday and charged with accepting kickbacks.
 
James Gosling says the spat between Oracle and Google is really about ego, money, and power
 
 
Riverbed CEO Jerry Kennelly gives his views on battling with Cisco Systems, expanding Riverbed's product line and opportunities in the cloud.
 
Samsung is set to display a new Android tablet computer, dubbed the P1000 Galaxy Tab, next month at a consumer electronics show in Berlin.
 
A networking joint venture formed out of a series of deals over the past several years is launching Monday in the U.S. under the name LG-Ericsson USA.
 
Apple has announced plans to revamp its support forums to add a personalized start page where users can collate their questions and track potential answers.
 
Two former employees of the District of Columbia's Office of Chief Technology Officer have been sentenced to prison terms for their roles in a kickback scheme they participated in there, the U.S. Department of Justice said.
 
Verizon today said a fiber-optic field trial it conducted in June for a business customer in Taunton, Mass., delivered near gigabit-per-second speeds.
 
SUPERAntiSpyware found three Trojans on Bill Artman's PC. Bill asked the Windows forum how this could happen when his PC is protected.
 
The latest viral scam making its way around Facebook is a lure that asks users if they want to install a "dislike" button, says the security firm Sophos.
 
Ybrant Digital, a digital marketing company in India, said on Monday that it has signed a stock purchase agreement to acquire Lycos from Daum Communications of South Korea for $36 million.
 
Hacked smartphones could endanger troops by sending location data to the enemy using mechanisms similar to those employed by recently discovered Android malware, experts say.
 
Hardly a week goes by when some organization or another doesn't lose some laptops and face a litany of IT security questions. One that always comes up: Were the systems encrypted?
 
Traditional security technologies are losing the battle against the black hats and malicious code writers, says the security firm Symantec.
 
Dell has agreed to acquire virtualized storage provider 3PAR for about $1.15 billion, a move that will boost its capabilities for building public and private cloud computing environments. The deal is expected to close later this year.
 
 
A test of TeliaSonera's LTE (Long Term Evolution) network and its new multimode modem shows the next-generation mobile technology at its best -- delivering speeds of up to 59.1M bps (bits per second) -- when used at 2.6GHz. But it also reveals how the technology sometimes struggles when used indoors.
 
 
Google has bought Jambool, a company that makes a platform for managing online payments for virtual goods sold on gaming and social networking sites.
 
About a year ago, I wrote a diary here at the ISC called Putting the ED back in .EDU. Like most of the stuff I write, it caused a bit of a stir when it was published, because it pointed out that several .edu domains were riddled with compromised machines serving up link-fodder for peddlers of erectile dysfunction (ED) meds. And, oh yeah, I named names.

All of this ruckus was caused by me using a little bit o' Google-fu, to see what big-G had to say, specifically, in response to searches like these:

site:.edu buy viagra (link)

site:.gov buy cialis (link)

It's a hobby: some people collect coins, some people knit, I look for compromised websites.

Being the pessimist that I am, when I re-whipped out a couple of those ol' Google-dorkin' chestnuts the other day, I was pretty sure that I would still find some new best friends to chat with about their site security. (Note: If you get an unexpected phone call from me, it's rarely what you would call good news.)

I wasn't disappointed.

While it's been a bit over a year since that piece was published (and three years since I originally pointed out the fun that a few choice Google searches could create) there was no shortage of joy to be found in this latest go-round.

However, amid my ironic chuckling and the pitter-patter of emails being fired off to various webmasters, I happened upon something that caught my interest.

It started off innocently enough: the library website of a small educational institution had been 0wned. I followed the link from my Google search to the library site and was quickly redirected to another page hawking enough sildenafil citrate to straighten up the Leaning Tower of Pisa. Heheheh...

Being the all-around nice guy that I am, I hit up the main web page of the school trying to find some contact information. While poking around, I noticed a link to the Library's site right there on the front page.

"Hmm," I thought to myself, "you gotta wonder how long this site's been 0wned without anyone noticing." And I clicked the link.

A funny thing happened. The library page appeared.

Obviously, something odd was going on here. It was like a single website with two distinctly different, Jekyll and Hyde personalities...

(Somewhere, Robert Louis Stevenson is spinnin' in his grave like a top...)

Looking back and forth between my Google results and the school's main page, I fairly quickly determined that the URL at least appeared to be the same.

Just to be sure, I clicked through the Google page again and it took me right back to pharma-R-us.

Then my wife called me for dinner.

Now I don't know how things are where you live, but in my house, when you get called for dinner, you go. Delay means a very quiet dinner with a side-dish of disapproving looks and no dessert.

One contented family meal later, and I returned to my desk, still intrigued.

Having closed out the browser before I left (look, when you regularly search using terms like viagra, cialis, and levitra, you find yourself getting into the habit of closing your browser when you leave; trust me), I fired up a quick Google search based on the name of the school and the word library. Boom, there was the same link with the same sample chunk o' text talking about the same virtues of cheap pharma.

So, I clicked on the link and landed on the Library site.

At that point, I clearly and loudly defined the meaning of the acronym WTF.

Now I'm not always the quickest bunny in the forest (example: when I heard that Apple was patching flaws in iOS I immediately thought "That's really nice of them. I hope Cisco says thanks.") so I sat there scratching my... well, let's say head, and thinking.

After a few moments' thought, an idea struck me.

Ouch.

I fired up the Tamper Data extension for Firefox, kicked it into tamper mode, and clicked on the home link on the Library page.

When Tamper Data offered me the opportunity to tamper with the request, I gladly accepted. I replaced the contents of the Referer (this is why we can't have nice things: nerds can't spell) field with:

http://google.com/search?q=cialis

fired off the request, and lo! I was in erectile dysfunction heaven.

(Note: it's like normal heaven, but the robes fit funny)

So what's going on here?

While I talked to the folks at the school's library, I wasn't able to get code from them. However, armed with what I had learned from finding that site, I was able to find several others, and here's what appears to be going on:

When the Ev1L [email protected] compromise the site, their goal is pretty simple: they want to change the content of the site itself to increase their positioning on the search engines. The whole idea would be ruined, however, if they gave away the fact that they'd 0wned the site. So the idea is to use the site, not abuse it.

Rather than mucking around with the code for the site itself, the bad guys target the .htaccess files. For those of you unfamiliar with the workings of webservers, .htaccess files are used by the Apache webserver (and some others) to provide a way to make configuration changes to the server itself, on a per-directory basis. So, for instance, you can use an .htaccess file to change the way that the webserver treats specific types of files in a single directory only.

The bad guys also leverage another Apache tool, known as mod_rewrite. This tool provides a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.

So, while I never actually got my hands on an altered .htaccess file, I have a pretty good idea of what they look like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]

Somewhere in there, they likely also have a rule that serves up different content when it thinks that Google-bot is coming to call. I tried to trick it into doing that by switching the User-Agent of my browser to mimic Google-bot, but it didn't work. (My guess: they're combining User-Agent matching with some Google-ish IP address ranges, or something else entirely.)

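A site owner can check their own .htaccess files for exactly this pattern rather than waiting for a phone call. The following is an added Python example written for this diary, not the diary's code and not mod_rewrite itself: a small parser for the RewriteCond/RewriteRule subset above, an evaluator that applies the rules to a request the way mod_rewrite would (conditions ANDed, [OR] chaining, [NC] case-insensitivity, ! negation), and an audit pass that flags any rule redirecting off-site only when the Referer names a search engine. The sample rules are the diary's hypothetical .htaccess; the SEARCH_ENGINES list and the finding format are this example's own assumptions.

```python
"""Parse, evaluate and audit the mod_rewrite directives used for
referer-conditioned cloaking in .htaccess.

Added example for this diary; not the diary's code and not mod_rewrite
(only the RewriteCond/RewriteRule subset used below is supported)."""
import re
from dataclasses import dataclass

# The diary's guess at a tampered .htaccess (copied as constructed input).
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]
"""

SEARCH_ENGINES = ("google", "yahoo", "bing")   # assumption: referers worth flagging


@dataclass
class Cond:
    test: str        # e.g. %{HTTP_REFERER}
    pattern: str     # regex, optionally prefixed with ! for negation
    flags: set
    line: int


@dataclass
class Rule:
    conds: list
    pattern: str
    target: str
    flags: set
    line: int


def _flags(tokens):
    """Flags are the optional trailing [A,B=x] token; keep the part before '='."""
    if len(tokens) > 3 and tokens[3].startswith("["):
        return {f.strip().split("=")[0].upper() for f in tokens[3].strip("[]").split(",")}
    return set()


def parse_htaccess(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "RewriteCond" and len(tokens) >= 3:
            pending.append(Cond(tokens[1], tokens[2], _flags(tokens), lineno))
        elif tokens[0] == "RewriteRule" and len(tokens) >= 3:
            rules.append(Rule(pending, tokens[1], tokens[2], _flags(tokens), lineno))
            pending = []
    return rules


def _cond_holds(cond, env):
    # Expand %{VAR} from the request environment; an absent header is empty.
    value = re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), cond.test)
    negate = cond.pattern.startswith("!")
    pattern = cond.pattern[1:] if negate else cond.pattern
    opts = re.IGNORECASE if "NC" in cond.flags else 0
    return (re.search(pattern, value, opts) is not None) != negate


def _conds_hold(conds, env):
    # mod_rewrite ANDs conditions, except that [OR] chains a condition with
    # the next one into a group in which any single match suffices.
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond.flags:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return all(any(_cond_holds(c, env) for c in group) for group in groups)


def rewrite_target(rules, path, env):
    """Where a request for `path` with headers `env` is sent; None means served normally."""
    for rule in rules:
        opts = re.IGNORECASE if "NC" in rule.flags else 0
        if re.search(rule.pattern, path, opts) and _conds_hold(rule.conds, env):
            return rule.target
    return None


def audit_referer_cloaking(text):
    """Flag rules that redirect off-site when the Referer names a search engine."""
    findings = []
    for rule in parse_htaccess(text):
        referer_conds = [c for c in rule.conds if "HTTP_REFERER" in c.test
                         and any(se in c.pattern.lower() for se in SEARCH_ENGINES)]
        offsite = "R" in rule.flags or rule.target.lower().startswith(("http://", "https://"))
        if referer_conds and offsite:
            findings.append({"rule_line": rule.line, "target": rule.target,
                             "cond_lines": [c.line for c in referer_conds]})
    return findings


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for referer in ("http://example.edu/", "http://google.com/search?q=cialis"):
        print(referer, "->", rewrite_target(rules, "/index.html", {"HTTP_REFERER": referer}))
    print(audit_referer_cloaking(SAMPLE_HTACCESS))
```

Run the audit over every .htaccess under the document root as part of a periodic integrity check; a rule that only fires for a search-engine Referer is invisible to the site's own staff and to most visitors, which is precisely what the diary describes. Note that the bing condition in the sample lacks [NC], so the evaluator, like mod_rewrite, treats it case-sensitively.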
So, what's the moral of this tale about the two faces of a single site? Beware, dear reader. Just because your site looks normal to you, just because your site looks normal to the bulk of your visitors, you still may have been 0wned. Constant vigilance is the only means of protecting your site, and your reputation.

Stand up tall: be aware and be vigilant.

And if you're having a little trouble standin' tall, I know a library website you can visit.



Tom Liston - Handler - SANS Internet Storm Center

Senior Security Analyst - InGuardians, Inc.

Director, InGuardians Labs

Chairman, SANS Virtualization and Cloud Computing Summit

Twitter: @tliston

My honeypot tweets: @netmenaces (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Dell on Monday announced it has agreed to acquire virtualized storage provider 3PAR for about US$1.15 billion, a move that will boost its capabilities for building public and private cloud computing environments. The deal is expected to close later this year.
 
A new startup funded by major chip makers and investment firms is taking aim at electricity bills, the biggest cost in data centers.
 
North Korea has established its first official presence on Twitter, the micro-blogging site that's being embraced by governments and an increasing number of world leaders.
 
A new law that increases visa fees to pay for border security is a national issue for India rather than one that only affects Indian outsourcing companies, according to India's National Association of Software and Service Companies (Nasscom).
 
More than half of all Verizon subscribers would likely buy an iPhone if Apple's device was supported by their current provider, a recent survey of U.S. consumers says.
 
Droid 2 is an example of the way major U.S. carriers are trying to broaden the appeal of smartphones by offering devices that have both touchscreens and physical keyboards.
 
It's getting tough out there for IT employees facing long workdays, short tempers and limited career options.
 
InfoSec News: Reminder: CPSRT 2010 paper submission due date approaching: Forwarded from: George Yee <gmyee (at) sce.carleton.ca>
CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)
INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)
In conjunction with 2nd IEEE International Conference on Cloud Computing [...]
 
InfoSec News: Milton, Caritas Carney hospitals to patients about dumped medical records: http://www.patriotledger.com/lifestyle/health_and_beauty/x316188449/Milton-Caritas-Carney-hospitals-to-patients-about-dumped-medical-records
By Lane Lambert The Patriot Ledger Aug 14, 2010
MILTON -- medical records?
Milton Hospital and Caritas Carney Hospital in Dorchester will soon be [...]
 
InfoSec News: Kenyan firms pay heavy price for data safety lapses: http://www.businessdailyafrica.com/Company%20Industry/-/539550/977138/-/simtwwz/-/
By Diana Ngaira Business Daily August 16 2010
Data has become an invaluable asset in every sector.
Yet even as the world’s businesses become interconnected by the same [...]
 
InfoSec News: Pentagon Wants to Secure Dot-Com Domains of Contractors: http://www.theatlantic.com/politics/archive/2010/08/nsa-might-monitor-dotcom-domains-for-defense-contractors/61456/
By Marc Ambinder The Atlantic Aug 13 2010
To better secure unclassified information stored in the computer networks of government contractors, the Defense Department is asking [...]
 
InfoSec News: Cyberwar Against Wikileaks? Good Luck With That: http://www.wired.com/threatlevel/2010/08/cyberwar-wikileaks/
By Kevin Poulsen Threat Level Wired.com August 13, 2010
Should the U.S. government declare a cyberwar against WikiLeaks?
On Thursday, WikiLeaks founder Julian Assange told a gathering in London [...]
 
InfoSec News: Linux Advisory Watch: August 13th, 2010: LinuxSecurity.com Linux Advisory Watch, August 13th, 2010, Volume 11, Number 33 [...]
 
InfoSec News: Liberation Day Korea-Japan cyber battle brews: http://joongangdaily.joins.com/article/view.asp?aid=2924623
By Christine Kim JoonAng Daily August 14, 2010
A second cyber battle may be brewing this weekend between Korean and Japanese Internet users, following on the first round of volleys in March, according to recent posts on popular community boards in both countries.
Netizens on certain Korean Internet clubs and cafes are calling for attacks on one of Japan’s most popular Web forums, 2channel, tomorrow, when Koreans will celebrate the anniversary of their liberation from Japan in 1945. Users on 2channel are also expected to retaliate.
On March 1, the anniversary of the Korean independence movement, Korean Internet users flooded the site with data requests, eventually forcing it offline temporarily.
The action is known as a distributed denial of service, or DDOS, attack, because it relies on a large number of attackers to overload 2channel by any means they could.
[...]
 

Leading Security Specialist adds Egress Switch to best of Breed Product Portfolio
MyNewsdesk (press release)
Egress Software Technologies, an innovator in secure collaboration, announced today a partnership with Infosec Technologies (IST). ...

 
Electronics component suppliers that allegedly paid kickbacks to gain business from Apple declined to comment on the allegations when contacted on Monday.
 

Posted by InfoSec News on Aug 15

http://www.wired.com/threatlevel/2010/08/cyberwar-wikileaks/

By Kevin Poulsen
Threat Level
Wired.com
August 13, 2010

Should the U.S. government declare a cyberwar against WikiLeaks?

On Thursday, WikiLeaks founder Julian Assange told a gathering in London
that the secret-spilling website is moving ahead with plans to publish
the remaining 15,000 records from the Afghan war logs, despite a demand
from the Pentagon that WikiLeaks “return”...
 

Posted by InfoSec News on Aug 15

+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| August 13th, 2010 Volume 11, Number 33 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...
 

Posted by InfoSec News on Aug 15

http://joongangdaily.joins.com/article/view.asp?aid=2924623

By Christine Kim
JoonAng Daily
August 14, 2010

A second cyber battle may be brewing this weekend between Korean and
Japanese Internet users, following on the first round of volleys in
March, according to recent posts on popular community boards in both
countries.

Netizens on certain Korean Internet clubs and cafes are calling for
attacks on one of Japan’s most popular Web...
 

Posted by InfoSec News on Aug 16

Forwarded from: George Yee <gmyee (at) sce.carleton.ca>

CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)

INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)

In conjunction with 2nd IEEE International Conference on Cloud Computing
Technology and Science (CloudCom 2010), November 30 - December 3, 2010
Indiana University, USA, http://2010.cloudcom.org/

IMPORTANT DATES - EXTENDED!...
 

Posted by InfoSec News on Aug 16

http://www.patriotledger.com/lifestyle/health_and_beauty/x316188449/Milton-Caritas-Carney-hospitals-to-patients-about-dumped-medical-records

By Lane Lambert
The Patriot Ledger
Aug 14, 2010

MILTON -- medical records?

Milton Hospital and Caritas Carney Hospital in Dorchester will soon be
contacting thousands of patients whose medical records were found at a
public dump in late July.

Both hospitals have posted information for patients on...
 

Posted by InfoSec News on Aug 16

http://www.businessdailyafrica.com/Company%20Industry/-/539550/977138/-/simtwwz/-/

By Diana Ngaira
Business Daily
August 16 2010

Data has become an invaluable asset in every sector.

Yet even as the world’s businesses become interconnected by the same
business language, developing nations face an extra cost burden through
their almost complete negligence of information security, according to a
2005 Information Economy Report from...
 

Posted by InfoSec News on Aug 16

http://www.theatlantic.com/politics/archive/2010/08/nsa-might-monitor-dotcom-domains-for-defense-contractors/61456/

By Marc Ambinder
The Atlantic
Aug 13 2010

To better secure unclassified information stored in the computer
networks of government contractors, the Defense Department is asking
whether the National Security Agency should begin to monitor select
corporate dot.com domains, several officials and consultants briefed on
the matter...
 
During this year we wrote only a few times about DDoS (Distributed Denial of Service) attacks, referencing a report from 2009, and a couple of attacks in January and August.
In March 2010, Team Cymru released a 4-part series of videos (Episodes 42-45) and a related paper covering the basics of DDoS, a good resource to point novice people to.
However, although DDoS is still a prevalent threat, the research, improvements and information sharing in this area seem to have decreased during this year, even with all the new and growing botnets out there, most of them implementing DoS or DDoS capabilities. Obviously, some attack reports become public, while other DDoS incidents never see the light.
We would be interested in hearing from you and learning about your experiences: what are the latest improvements on both the offensive and defensive sides, what solutions are security vendors and service providers offering you worldwide, what are the latest attack techniques, what are the most effective tools to detect and mitigate the attacks, what is the current underground offering (DaaS, DDoS-as-a-Service)? (...the list could go on and on)
You can share the details with us through the contact page (include DDOS in the subject) or the comments section below.
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Seven Deadly Sins of Security Vulnerability Reporting aims to be an easy-to-follow list, not very technical but security relevant (so that anyone can point people to it), for any organization, commercial company, and open-source project, in order to improve the resources and procedures they put in place to be notified (by external security researchers or third parties) of, and act on, security vulnerabilities in their official web site(s), services, or any of their products.

This is a scenario we (Internet Storm Center handlers) frequently find ourselves in, when notifying findings during our daily activities, or acting as a vulnerability reporting proxy for other researchers.

Below you can find the summarized list, while the additional reasoning and comments for every item are available in the original post I made on Taddong's Security Blog.

Communication channels:)?
ACK (Acknowledgment): How can the researcher know you have received the notification?
Verification: How do you know if the notification is related to a new vulnerability (0-day) or is a well-known issue?
Interactivity: Once you confirm it is a new vulnerability, design a plan to fix it, and keep all parties involved informed about how the plan progresses.
Researchability: All the previous sins provided guidance to the organization that has the responsibility to fix the vulnerability, but... what about the security researcher that found it?

Bonus: Once a fix for the vulnerability is available and it is finally announced, provide credit where appropriate.

I strongly recommend you go through the list this Summer, identify what sins you can redeem in your environment, and implement the changes in September. Let's get ready for the new season!
Please, share with us any finding or remarkable situation you might have encountered when reporting vulnerabilities (or when someone reported vulnerabilities to you), through the contact page or the comments section below.
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Internet Storm Center Infocon Status