InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The meteoric rise in the smartphone market is creating a dangerous vulnerability in smartphone security -- one that may not be patched until the problem expands into what has been dubbed an "apocalypse."
Security--the topic, and thus the department--sometimes gets pigeonholed as a downer. Maybe from time to time you notice a coworker avoiding getting in the elevator with you. A CSO once told me it's even worse when you get in the elevator and some wiseacre turns to put his hands on the wall--as if expecting you to frisk him.
Today, as companies seek to both consolidate their vendor relationships and multisource, they tend to engage with a small number (typically two to nine) of preferred, very large IT services vendors that can be centrally governed. The strategic objectives of consolidation are important: Services clients can prequalify a few preferred suppliers that all users of IT services can easily and safely engage with. However, given the rapid pace of technology change, the need for agility, the new business stakeholders, and the rise of cloud services, a company's IT and innovation requirements are often best met by multiple best-of-breed suppliers.
RETIRED: Apple QuickTime Prior To 7.7.2 Multiple Arbitrary Code Execution Vulnerabilities

y spending is thought to be recession proof, but does it have the legs to outrun the current downturn? In-Q-Tel partner Peter Kuper thinks so, but there are still some rough times ahead.

Kuper, who has handled some high-profile IPOs in the security market, told Information Security Decisions 2012 attendees this week in New York City to stop spending on technology that doesn’t work. Investments in legacy security standbys (hello AV, firewalls et. al.) need to be tempered. Maybe Kuper has a vested interest in his remarks, but he’s also right. Signature-based defenses don’t work anymore. Kuper said it; analysts tell you the same thing and so do research firms. The Verizon Data Breach Investigations Report is probably the most sobering barometer of the ineffectiveness of today’s security technology: 96% of the attacks behind the breaches Verizon investigated were not complicated attacks; 97% could have been prevented with rudimentary controls; 92% of incidents were discovered by a third party, and only after months of constant infection.

Checkbox security ran by PCI and other mandates is heavily to blame here as well. Security managers are using compliance as a life preserver and to beg for budget. Budgets, meanwhile, are largely flat to slightly up, yet companies are nearly 100% owned.

“Where is the ROI there?” Kuper asked. “You’re asking for increased budget, yet three-quarters of you get your butt handed to you in minutes or less. How is that a good ROI for a CFO? Try explaining that to someone that doesn’t understand security.”

Couple that with some weak economic indicators that foreshadow another downturn-despite the market being back to pre-recession 2007 levels-and you’ve got a rocky road ahead friends.

Looking for a silver lining? OK. Venture capital firms are looking at security companies, and acquisitions are still happening in security, which are indications of innovation and some areas of strength. SIM vendors were the last market segment in play with Q1 Labs (IBM), Nitro Security (McAfee), LogLogic (Tibco) and ArcSight (HP) getting scooped up by larger vendors. Palo Alto, meanwhile, is going public soon, Kuper said, after booking $200 million last summer alone. Qualys is also perpetually in the IPO conversation. Sourcefire has been public since 2007, and after a rocky start, is trading 113% higher than last year.

“VCs were not investing much in security for a long while,” Kuper said. “But security is looking good again. I know a lot of VCs and they’re starting to call back. VCs are making money in security investing in innovative technology. It’s a good sign VCs are investing. Innovation cycles are up and a lot of good companies are getting funding.”

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Pure Storage today announced the second generation of its all-flash array, which can now be configured for high availability.
With the demise of MobileMe upon us, you'll need to come up with a new backup solution if this Apple service is your current backup method of choice. If you're a fan of online, cloud-based backups, then CrashPlan is one to consider.
Wunderkit helps you work. That's what a productivity app should do, of course, but some unnecessarily bog you down in details. In contrast, Wunderkit--a free iPhone offering from 6 Wunderkinder--makes it easy to create projects and schedule tasks. And it's better than many competing apps at recognizing the realities of the workplace.
Joomla! JCE Component 'file.php' Arbitrary File Upload Vulnerability
FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability
A PCI Council guidance document requires merchants to use a validated PIN entry device or secure card reader to accept payments using mobile devices.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Microsoft?s senior director of security engineering says core SDL principles should be at the foundation of critical infrastructure system protection.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Someday, the digital economy will be powered by big black boxes, formerly known as data centers, that are so self-managing they may be partly robotic.
The executive director of Utah's Department of Technology Services has resigned over a data breach two months ago that exposed the Social Security numbers of about 280,000 Medicaid recipients.
Pro-Server EX Multiple Vulnerabilities
RETIRED: EMC Data Protection Advisor Multiple Denial of Service Vulnerabilities
EMC Data Protection Advisor NULL Pointer Dereference Denial of Service Vulnerability
CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0
CVE-2012-2149 OpenOffice.org memory overwrite vulnerability
CVE-2012-1149 OpenOffice.org integer overflow error in vclmi.dll module when allocating memory for an embedded image object

The White Hat Rally – One Olympic race not to miss
Your-Story.org (press release)
The White Hat Rally takes the InfoSec community's petrol heads and adventure seekers on a scenic, action packed tour in aid of Barnardo's charity. There is still plenty of time for new teams to sign up to take part in the event, which runs from June ...

A Microsoft in-store program that scrubs "bloatware" from Windows PCs will also be offered when Windows 8 machines reach the market later this year, a company representative said.
The vaunted Google search engine is set for an upgrade that will make it easier for users to find the information they need by putting their searches in context, the company said Wednesday.
Google is reportedly moving to more direct sales of its Android smartphones and tablets in a move to wrest control away from wireless carriers that install their own services on Android gear or block Google apps like Google Wallet.
WordPress Multiple Remote Vulnerabilities
Re: Trigerring Java code from a SVG image
Apple Quicktime Memory Corruption (CVE-2012-0671)
APPLE-SA-2012-05-15-1 QuickTime 7.7.2
Apple debuted in the top spot among mobile phone makers in a national customer-satisfaction survey, receiving a record-high score for the category.
Linux Kernel HFS Plus Filesystem Local Buffer Overflow Vulnerability
IBM Cognos TM1 Admin Server Remote Buffer Overflow Vulnerability

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
T-Mobile USA will cut 900 jobs in a restructuring, on top of a 1,900-job reduction at its call centers that was announced in March.
Android smartphones made up 56% of the global smartphones sold to end users in the first quarter of 2012, giving them a far higher share than the 22.9% held by Apple's runner-up iPhone, Gartner said Wednesday.
While the technology is moving forward, some still struggle with how to implement and integrate tools meant to help them get a grip on IT processes.

InfoSec Skills Launches Free Security Training Modules for UK Cyber Challenge ...
Virtual-Strategy Magazine
London, United Kingdom, May 16, 2012 --(PR.com)-- InfoSec Skills (http://www.infosecskills.com) has launched four fully subsidised topics from their premium information security training courses in Information Security Management Principles and ...

and more »
At Information Security Decisions 2012, Dan Guido put the mobile malware focus on the Android security model and Google?s mobile app vetting process.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

ek in San Francisco that covered a variety of cloud security issues, infosec expert Kevin Walker told attendees to be aggressive with cloud service providers and hold them accountable when it comes to security.

“The key for us practitioners is to go into this with eyes wide open,” said Walker, who has held senior security positions at Symantec and Cisco, among other global firms. He spoke at the Cloud Security Symposium, which was sponsored by Trend Micro.

The traditional focus on building fortresses with firewalls and IPSes won’t translate to the cloud, he said.  Cloud provider requirements include increased transparency about their operations and how they detect rogue tenants, and information security pros need to be aggressive in making sure providers meet security requirements, he said.

That’s certainly easier said than done, especially when business units are going around IT and signing up on Amazon. It’s a hard to press for security when you don’t even know what cloud services your company is using.

In many cases, lines of business aren’t waiting for IT when they need something - they simply use their credit card to buy cloud services, said JJ DiGeronimo, senior accelerate practice manager and cloud strategist at VMware. “IT departments have true competition from outside service providers,” she told attendees.

“People are used to securing a box, but now we’re moving to securing the data,” she said. “Data is going to sit everywhere and you’ll have to manage it regardless of where it sits.”

Data-centric security has been an ongoing theme in the industry for several years as corporate network boundaries crumble as employees increasingly become more mobile. Enterprise adoption of cloud computing is becoming yet another driver.

“If can’t control the systems anymore. … That’s the only way to do it [security] — to protect the data,” Trend Micro CTO Raimund Genes told me in an interview.

Trend Micro naturally has a vested interest in this trend - the company sells encryption products including a key management service for cloud and virtual environments - but it does make sense given that enterprise data is increasingly flowing to cloud environments and becoming harder to track. Maybe the rise of cloud computing will help push data-centric security into the mainstream.

In the meantime, if you’re looking for ways to track down unauthorized use of cloud services by your developers or sales executives, we published tips in this article.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
SAP seems to be betting its future on its HANA in-memory database, spotlighting the technology once again at the Sapphire conference in Orlando Wednesday, announcing a slew of new applications, partnerships and functional enhancements for the system.
The European Organisation for Nuclear Research (CERN) is using automation technology from Electric Cloud to accelerate the application development efforts of more than 10,000 users of its ROOT software.
After three-and-a-half years of Obama's presidency, progressive and conservatives have developed pointed assessments of his administration's handling of tech policy issues. From cybersecurity to net neutrality, how does the tech agenda fit into the fall election?
Mozilla Marketplace will be online in a few weeks to take on Apple App Store and Google Play Store
As we are running out of IPv4 address space, many networks, instead of embracing IPv6, stretch existing IPv4 space via multiple levels of NAT. NAT then uses reserved IP address space. However, there are more address ranges reserved then listed in RFC1918, and not all of them should be used in internal networks. Here is a (probably incomplete) list of address ranges that are reserved, and which once are usable inside your network behind a NAT gateway.

List of Reserved IPv4 Address ranges

Address Range
Suitable for Internal Network
no (any address)
yes (with caution: If you are a carrier)
no (localhost)
yes (with caution: zero configuration)
no (not used now, may be used later)
yes (with caution: for use in examples)
no (6-to-4 anycast)
yes (with caution: for use in benchmark tests)
yes (with caution: test-net used in examples)
yes (with caution: test-net used in examples)
no (Multicast)
no (or unwise? reserved for future use)

Most interesting in this context is RFC6598 (, which was recently assigned to provide ISPs with a range for NAT that is not going to conflict with their customers NAT networks. It has been a more and more common problem that NAT'ed networks once connected with each other via for example a VPN tunnel, have conflicting assignments.
Which networks did I forget? I will update the table for a couple days as comments come in.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Facebook is working to increase the size of its IPO by 85 million shares -- a move could lift the value the company's upcoming stock offering to about $18.5 billion.
Bind DynDB LDAP 'bind-dyndb-ldap' Package Remote Denial of Service Vulnerability
There's a new push in the Senate to set aside as many as 55,000 green cards to science, technology, engineering and math graduates -- so-called STEM workers.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
This is a clarification to Dan's diary from yesterday. We are interested to hear, if anybody else is seeing DNS replies from RFC1918 non-routable IP addresses, in particular from So far, we only have one report, and we are trying to figure out if this is something wide spread, or something unique to this user.
This reader first noticed the problem when the firewall reported more dropped packets from 10.x addresses. Two example queries that caused the problem are A queries for 25280.ftp.download.akadns.net and adfarm.mplx.akadns.net. The reader receives two responses: One normal response from the IP address the query was sent to, and a second response from the 10.x address. As a result, the problem would go unnoticed even if the 10.x response is dropped. Both responses provide the same answer, so this may not be an attack, but more of a misconfiguration.
As a side note, initially the DNS protocol specifically allowed for replies to arrive from an IP address different then the one the query was sent to:
Some name servers send their responses from different addresses than the one used to receive the query. That is, a resolver cannot rely that a response will come from the same address which it sent the corresponding query to. This name server bug is typically encountered in UNIX systems. (RFC1035)
However, later in RFC2181, this requirement was removed:
Most, if not all, DNS clients, expect the address from which a replyis received to be the same address as that to which the queryeliciting the reply was sent. This is true for servers acting asclients for the purposes of recursive query resolution, as well assimple resolver clients. The address, along with the identifier (ID)in the reply is used for disambiguating replies, and filtering spurious responses. This may, or may not, have been intended whenthe DNS was designed, but is now a fact of life. (RFC2181)
But we are NOT looking for responses that are coming from the wrong source, but duplicate responses. Once from the correct and once from the incorrect address.
Here an example stray packet submitted by the reader (slightly modified for privacy reasons and to better fit the screen)

Internet Protocol Version 4, Src: 10.17.x.y, Dst: ---removed---
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00
Total Length: 84
Identification: 0x2a7e (10878)
Flags: 0x00
Fragment offset: 0
Time to live: 59
Protocol: UDP (17)
Header checksum: correct
User Datagram Protocol, Src Port: domain (53), Dst Port: antidotemgrsvr (2247)

Domain Name System (response)
Transaction ID: 0xb326
Flags: 0x8400 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer not authenticated
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)

Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0


ads.adsonar.akadns.net: type A, class IN
Name: ads.adsonar.akadns.net
Type: A (Host address)
Class: IN (0x0001)


ads.adsonar.akadns.net: type A, class IN, addr
Name: ads.adsonar.akadns.net
Type: A (Host address)
Class: IN (0x0001)
Time to live: 5 minutes
Data length: 4
Addr: (



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google released Chrome 19, patched 20 vulnerabilities in the browser and doled out $16,500 in bug bounties and rewards to independent researchers.
The technology may get a big push from mobile adoption, but integration among multiple UC components is still a tough slog.

Posted by InfoSec News on May 16


By Heather May
The Salt Lake Tribune
May 15 2012

Gov. Gary Herbert apologized to the 780,000 victims of the health data
security breach on Tuesday.

To restore the public’s trust, he announced Tuesday that he fired
Department of Technology Services director Stephen Fletcher and hired an
ombudsman to shepherd victims through the process of protecting their...

Posted by InfoSec News on May 16


By Naomi Nix
Chicago Tribune reporter
May 15, 2012

A Northwestern Memorial Hospital employee has been charged with identity
theft after she allegedly used the personal information of hospital
patients to pay her bills.

Shatina Golden, 35, of Matteson is charged with aggravated identity

Posted by InfoSec News on May 16


By Team Register
16th May 2012

While “cyber* operations” are becoming an increasing focus of both
government and private research, legal frameworks are failing to keep
pace, the US Army Cyber Command operational attorney Robert Clark has
told the AusCERT security conference in Queensland.

As noted earlier by F-Secure’s Mikko Hypponen in his keynote address to

Posted by InfoSec News on May 16


By Matthew Boyle
The Daily Caller

President Barack Obama’s Homeland Security secretary, Janet Napolitano,
has presided over the hiring of at least four senior staffers and
advisers who have no law enforcement experience but align politically
with the president.


Vladimir Skoric serves as a “special assistant” to...

Posted by InfoSec News on May 16


By Sara Sorcher
May 14, 2012

After China’s visiting defense minister denied American accusations that
his country is behind a growing wave of cyberattacks aimed at the United
States, 79 percent of National Journal’s National Security Insiders said
Washington should take a tougher public stance...

InfoSec Skills Launches Free Security Training Modules for UK Cyber Challenge ...
PR.com (press release)
London, United Kingdom, May 16, 2012 --(PR.com)-- InfoSec Skills (http://www.infosecskills.com) has launched four fully subsidised topics from their premium information security training courses in Information Security Management Principles and ...

and more »
Internet Storm Center Infocon Status