InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Rambus is considering whether to appeal the Wednesday jury verdict that scuttled its antitrust suit against Hynix Semiconductor and Micron Technologies, which could have required the defendants to pay nearly US$12 billion in damages.
IcedTea-Web Plugin CVE-2011-3377 Same Origin Policy Bypass Vulnerability
Microsoft certainly made a big splash Tuesday with its demonstrations of Windows 8 at the BUILD conference in Anaheim, and it's easy to see why. The new platform is a surprisingly radical departure from the traditional Windows paradigm.
Google Music, the company's cloud-based online music service, is now available to all users in the U.S. and includes song and album sales, as well as an integration with the Google+ social networking site.
Among the icons you might see in your iTunes library after enabling iTunes Match is this unfriendly guy to the left: a cloud with an exclamation point in it. No, it's not hinting at a chance of inclement weather; it means that iTunes Match has encountered a problem while scanning the track in question.
We've told you what you need to know about iTunes Match. But we're also happy to share with you some secrets of iTunes Match that you don't absolutely need to know, yet might enjoy knowing anyway. Trust that tucking these tidbits away will make you the star of every party--at least parties where everyone sits around and talks about the nuances of iTunes Match.
Increased use of mobile devices, especially smartphones, in addition to the transition to virtualization, are key factors weighing on enterprises trying to sort out security strategy and budgets, according to a survey of 688 information and security managers.
Opera Web Browser Information Disclosure and Unspecified Vulnerabilities
Cisco is updating two of its enterprise-level collaboration tools in a bid to move beyond the desktop.
The dramatic increase in the number of mobile industry lawsuits is forcing changes in the legal system and spurring new business models around patent licensing.
Qualcomm on Wednesday said its quad-core Snapdragon chips, designed to run Microsoft's upcoming Windows 8 OS, will appear in tablets in the second half of next year.
The Stop Online Piracy Act, the subject of a hearing before the U.S. House of Representatives Judiciary Committee Wednesday, has generated heated debate since lawmakers introduced it on Oct. 26.
Security needs to change in order to defend against targeted attacks, RSA chairman says.

New malware that is signed with a valid digital certificate once belonging to the Malaysian government has been discovered by researchers at F-Secure.

A San Francisco jury has rejected a US$4 billion antitrust claim by Rambus against rival RAM makers Hynix Semiconductor and Micron Technology, a California court announced Wednesday.
Cox Communications, which planned its own mobile network in 2008 but later settled for reselling Sprint Nextel service, stopped selling wireless altogether on Wednesday.
Sponsors of the controversial U.S. Stop Online Piracy Act defended the legislation Wednesday, saying the proposal is needed to shut down websites trafficking in billions of dollars worth of online piracy.
Reader Jim Ross seeks a slicker way to add files to his iPad. He writes:
InduSoft Web Studio 'CEServer' Component Stack-Based Buffer Overflow Vulnerability
30 Days With the Cloud: Day 6
Google today relaunched its Gmail app for Apple's iPhone, iPad and iPod Touch, two weeks after it yanked a buggy version.
After being bombarded with hard-core pornographic and violent images on their news feeds, some Facebook users may change how and if they use the social network, according to industry analysts.
It's clear by the increasing use of analytics software that companies are struggling to get their hands around the huge amounts of data it takes to run a successful business. But developing social, mobile, cloud computing and other applications are also driving the need for new technical skills.
The attacks against Facebook that planted pornography on users' news feeds relied on the same trickery as a campaign last spring that touted the death of Osama Bin Laden, a security researcher said today.
InduSoft Web Studio 'CEServer.exe' Remote Code Execution Vulnerability
Windows Mail and Windows Meeting Space DLL Loading Arbitrary Code Execution Vulnerability
Google is offering wireless network owners worldwide the possibility of opting out from its Wi-Fi geolocation mapping efforts, in the wake of a decision by the Dutch Data Protection Authority (DPA) that this process is in violation of legislation in the Netherlands.
The $250 Barnes & Noble Nook Tablet will provide solid competition for Amazon's Kindle Fire. This is Barnes & Noble's second-generation device, a follow-on to last year's Nook Color, which now drops to $200, the same price as the Kindle Fire.
Adobe Flash Player CVE-2011-2457 Stack Buffer Overflow Vulnerability
The creators behind the long-running Internet contest to write bizarre and unnecessarily complex C programming code, called the International Obfuscated C Code Contest (IOCCC), have resurrected their challenge after being on hiatus for five years.
Verizon Wireless plans to turn on its 4G LTE network in 14 more U.S. cities on Thursday, making the service available in a total of 179 markets.
Too many corporate decision-makers think it's wise to shore up only the most glaring security weaknesses. But attackers will always be able to find the weaknesses you decided you could live with.
Google is holding a press conference later today where it's largely believed the company will unveil Google Music, an online music store that will go head-to-head with Apple iTunes.
Adobe Flash Player CVE-2011-2452 Remote Memory Corruption Vulnerability
Adobe Flash Player CVE-2011-2445 Remote Memory Corruption Vulnerability
Adobe Flash Player CVE-2011-2456 Remote Buffer Overflow Vulnerability

The PCI Security Standards Council announced the latest slate of special interest groups that it will prioritize next year. Merchants, financial institutions, service providers and others voted on a variety of potential SIGs before settling on cloud, ecommerce security and risk assessment.

This is the first time SIG selection was put to a vote, and more than 500 were cast, close to a quarter of the SSC’s participating organizations, said Jeremy King, European director of the PCI SSC, who added that one-third of the votes cast came from outside North America.

PCI SIGs are essentially forums for feedback on topics that is ultimately turned into guidance for interpreting and implementing existing or new mandates to the standard, the SSC said in a release. This year, the SSC released guidance on tokenization, point-to-point encryption and virtualization.

SIGs are made up of merchants, payment processors and qualified security assessors. SIGs must complete their efforts and deliver a guidance document within one year.

This year, voters had seven potential SIGs to choose from, and were asked to select a top three. The seven, according to the Storefront BackTalk blog, were: administrative access to systems and devices; how to write a risk assessment; patch management; ecommerce guidelines; PCI in the cloud; small business and PCI; and managing hosted service providers.


According to a U.S. intelligence report made available to Congress, foreign nations and other actors are using cyberespionage to take sensitive technology and trade data, and those actions pose a threat to American interests.

Reuters reported Thursday that in a report titled “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence confirmed that foreign intelligence services, corporations and individuals have increased their efforts to take research and development data relating to U.S. technologies. These efforts include remote data downloads, transferring data to portable devices and via email.

The report, covering 2009-2001, was developed using data from intelligence agencies, think tanks, academia and what it called “private sector” resources. It referred to numerous sources being involved in cyberespionage against U.S. interests, but called out only Russia and China by name.

Though the report failed to link China to specific events, such as the RSA SecurID attack earlier this year, it represents a tacit acknowledgment that China’s involvement in cyberespionage represents a serious ongoing problem for U.S. companies.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” the Office of the National Counterintelligence wrote in the report. “China and Russia view themselves as strategic competitors of the United States and are the most aggressive collectors of U.S. economic information and technology.”

Internet Systems Consortium published an alert earlier as they investigate a potential vulnerability in BIND 9. There are reports of the DNS server software crashing while generating the log entry INSIST(! dns_rdataset_isassociated(sigrdataset)). Details are rather limited at this point; aside from the DoS effect, it is unknown whether code execution is possible.
Reference - http://www.isc.org/software/bind/advisories/cve-2011-tbd
ISC would appreciate network captures of active attacks against this BIND vulnerability. Please submit them to us via the Contact Form.
Update 2:
Patches are now available:


Update 3:
There have been a number of reports of people being affected. If you are one and have some packets to share, it would be appreciated. We'll anonymise any identifying info.
Mark
[SECURITY] [DSA 2346-1] proftpd-dfsg security update
Back in the 1990s and early 2000s, every business wanted to show off its glass house full of racks of green-lit servers. Today, Toronto-based Cookie Jar Entertainment believes the smaller the in-house data center, the better, and showing investors what good use you're making of cost-efficient cloud computing is a source of pride.
Nokia is planning to enter the tablet market, and will launch a product based on Microsoft's upcoming Windows 8 operating system, according to an executive.
Intel Tuesday celebrated the 40th birthday of its 4004 microprocessor -- the first complete single-chip central processing unit.

U.S. DHS Science and Technology Directorate, Cyber Security Division, Cyber ...
Sacramento Bee
SANS offers a myriad of free resources to the Infosec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

At the supercomputing conference in Seattle, there's an almost obsessive focus on developing an exascale computing system before the end of the decade.
Barnes & Noble began selling its new 7-in. Nook Tablet for $249 on Wednesday, earlier than executives said it would appear.
Back in July I promised to help track down a solution to the "General failure" error that appears in Microsoft Outlook when you click a link embedded in an e-mail. Judging from the number of pleas for help I continue to get from readers, this problem hasn't gone away. And it appears to affect users of all browsers, not just Firefox or Internet Explorer.
Is your computer running slower than usual? Are you getting lots of pop-ups? Have you seen other weird problems crop up? If so, your PC might be infected with a virus, spyware, or other malware--even if you have an antivirus program installed on it. Though other problems, such as hardware issues, can produce similar symptoms, it's best to check for malware if you aren't sure. But you don't necessarily need to call tech support or the geek across the street to scan for malware--I'll show you how to do it yourself.
Aerohive unveils simple but powerful branch Wi-Fi routers that integrate closely with a range of virtual and cloud-based services, including third-party Web security offerings.
ISC BIND 9 Recursive Queries Remote Denial of Service Vulnerability
Apple plans to hire a third-party auditing firm to investigate 15 of its suppliers suspected of violating environmental regulations, according to local environmental groups that met with the company Tuesday.
If your computers went down after the most recent storm and you lost some critical data, don't let that happen again. Read on. Insider (free registration required)
Sharp said it has no plans to abandon its Galapagos tablet line and announced a 7-in. model that can serve as a WiMax router.
Microsoft on Tuesday slammed the door on updating third-party software via Windows Update in the upcoming Windows 8.
Oracle's take on the distributed key-value data store is fast, flexible, and enterprise-grade serious
Intel has produced a new chip that can operate at a sustained speed of one teraflop -- the type of supercomputing speed the U.S. government paid $55 million for 15 years ago.
Hewlett-Packard introduced Wednesday its first business ultrabook, offering nine hours of battery life, a solid-state drive, and a security chip that protects data in email and information on the hard drive.
Elpida said Wednesday it has sued Nanya in the U.S. and Taiwan for DRAM patent infringements.

Posted by InfoSec News on Nov 16


By Eric Doyle
eWEEK Europe
November 14, 2011

Tools such as Google Code Search can provide hackers with a wealth of
information hidden in open source code, writes Eric Doyle

The downside of open source is its very openness. Hackers are using Open
Source Intelligence (OSint) to find personal information and even
passwords and usernames to...

Posted by InfoSec News on Nov 16


By John E Dunn
November 15, 2011

Staff at New Zealand's St John's Ambulance service were forced to
coordinate emergency call-outs using manual radio systems last week
after computers systems were hit by a mystery 'virus'.

The disruption reportedly began on Wednesday when an unidentified piece
of malware started affecting the...

Posted by InfoSec News on Nov 16


By Steve Lewis and Gemma Jones
The Daily Telegraph
November 16, 2011

SENSITIVE details of US Secret Service agents and preparations for
President Barack Obama's visit have been stored in an old van parked at
a Canberra hotel.

On the day the President arrives in Canberra, The Daily...

Posted by InfoSec News on Nov 16


By William Jackson
Nov 15, 2011

An aging infrastructure, a lack of standards and inadequate spending
have left the security of critical global utility grids in a “state of
near chaos,” according to a recent white paper from Pike Research. In
one example, it shows how a $60 smart-phone app could enable an attack.

“The attackers clearly have the...

Posted by InfoSec News on Nov 16


By Kelly Jackson Higgins
Dark Reading
Nov 15, 2011

It's not easy for organizations to share firsthand attack intelligence
in a confidential or even meaningful way, so many don't bother, which
gives the bad guys another leg up. But tools to facilitate the sharing
of attack...

Posted by InfoSec News on Nov 16

On 11/16 2011, Congress holds hearings on the first American Internet
censorship system.

This bill can pass. If it does the Internet and free speech will never be the
same. I'm afraid InfoSec News will be forced offline, if you are in the
U.S., please visit the URL below and join the fight to stop SOPA!

Join all of us on the 16th to stop this bill.

You may have seen the reports that the New Zealand Ambulance service had to revert to manual processing of calls after a worm affected a number of their systems (http://computerworld.co.nz/news.nsf/news/mystery-virus-disrupts-st-johns-ambulance-service). This got me thinking about what needs to happen in order to deal with this kind of situation, but first let's set the scene.
Most organisations will have the basic security controls in place: policies, firewalls, antivirus on the desktop and maybe on the servers, scanning software on email and web traffic, possibly even USB control. So how did the worm get in in the first place? What follows is purely speculation, based on past experiences, and in no way relates to the NZ ambulance case; we are talking hypothetically here. So what could possibly have happened?
There are a few attack vectors I can think of, and no doubt you can add to this.

Option 1: A laptop has been off the corporate network for a while and may not have been kept up to date with patches and AV. It is infected when connected to the internet at an insecure location. When brought back into the corporate environment (e.g. plugged into the network or connected via VPN), the malware did a little jump for joy and started spreading.
Option 2: A user browses a web page and is the victim of a drive-by download. The malware is downloaded and starts spreading.
Option 3: An email is opened and malware is downloaded and executed.

Any of the three options above is possible in most environments. AV products, whilst good, are far from infallible, and it is easy enough to create malicious payloads that sail past most antivirus products. Once the malware is in, it can do its thing and start attacking the rest of the infrastructure.
So if prevention is difficult, you may have to face the reality that what happened to NZ Ambulance can happen to you. If you can't prevent, you must detect. How can you identify the fact that you have an issue? Worst case scenario, a third party tells you. At the Storm Centre we often contact ISPs, corporations and yes, sometimes government agencies to give them some bad news; usually they are a tad surprised. It is much better to find these things yourself. It makes explanations to CEOs that much more comfortable.
What should you be looking for? Look at firewall logs to see what traffic from inside the network is bouncing off the firewall. Examine proxy logs for connections to interesting locations (insert your favourite countries here). Look for multiple connections from multiple devices in your network to a few target locations. Examine server and AD logs for login attempts. You may receive complaints that things are slow, so monitor help desk calls. Systems that stop working may be a clue as well. If you can spend an hour, 30 minutes, even less, looking at your logs on a daily basis, you will be in a better position to identify weirdness. Once detected, you can react.
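As an added example, not part of the diary: a small Python script that applies two of the log checks above, internal hosts whose outbound traffic keeps bouncing off the firewall and many internal devices talking to the same few external destinations, to constructed sample log lines. The log formats, IP addresses, hostnames and thresholds are assumptions made for the example.

```python
"""Worm indicators from firewall and proxy logs (added example, not ISC code).
Log lines are constructed samples; the field layouts are assumptions."""
from collections import Counter, defaultdict

# Constructed firewall log. Assumed format: <time> <action> <src_ip> <dst_ip>:<dst_port>
FIREWALL_LOG = """\
08:00:01 DENY 10.1.1.20 203.0.113.5:445
08:00:02 DENY 10.1.1.20 203.0.113.6:445
08:00:02 DENY 10.1.1.20 203.0.113.7:445
08:00:03 DENY 10.1.1.20 203.0.113.8:445
08:00:03 ALLOW 10.1.1.21 198.51.100.9:443
08:00:04 DENY 10.1.1.22 203.0.113.9:445
08:00:05 ALLOW 10.1.1.23 198.51.100.10:443
"""

# Constructed proxy log. Assumed format: <time> <client_ip> <method> <url>
PROXY_LOG = """\
08:01:00 10.1.1.20 GET http://example.invalid/cmd.php
08:01:01 10.1.1.22 GET http://example.invalid/cmd.php
08:01:02 10.1.1.24 GET http://example.invalid/cmd.php
08:01:03 10.1.1.25 GET http://example.invalid/cmd.php
08:01:04 10.1.1.21 GET http://www.example.com/news
08:01:05 10.1.1.23 GET http://www.example.org/
"""


def parse_firewall(text):
    """Yield (action, src, dst_ip) from the constructed firewall format."""
    for line in text.splitlines():
        _, action, src, dst = line.split()
        yield action, src, dst.rsplit(":", 1)[0]


def noisy_internal_hosts(text, min_denies=3):
    """Internal hosts whose outbound traffic keeps bouncing off the firewall.
    A scanning worm tries many peers and most attempts are blocked (threshold assumed)."""
    denies = Counter(src for action, src, _ in parse_firewall(text) if action == "DENY")
    return {src: n for src, n in denies.items() if n >= min_denies}


def fan_in_destinations(text, min_clients=3):
    """Destinations contacted by several distinct internal devices: the
    'multiple devices to a few target locations' pattern (threshold assumed)."""
    clients = defaultdict(set)
    for line in text.splitlines():
        _, src, _, url = line.split()
        host = url.split("/")[2]  # scheme://host/path -> host
        clients[host].add(src)
    return {h: sorted(c) for h, c in clients.items() if len(c) >= min_clients}


def suspects(fw_text, proxy_text):
    """Hosts flagged by either heuristic: the shortlist to check against
    help desk calls and AD login attempts next."""
    flagged = set(noisy_internal_hosts(fw_text))
    for hosts in fan_in_destinations(proxy_text).values():
        flagged.update(hosts)
    return sorted(flagged)


if __name__ == "__main__":
    print("noisy hosts:", noisy_internal_hosts(FIREWALL_LOG))
    print("fan-in destinations:", fan_in_destinations(PROXY_LOG))
    print("suspects:", suspects(FIREWALL_LOG, PROXY_LOG))
```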

You've found the worm, now what? Turning the device off will contain it, but it is unlikely to make management happy, especially if you start switching off critical servers. So you may need to do something else. Workstations may be a bit easier to contain: you could move them to a sandbox or walled-garden environment. Placed on this contained VLAN, they can do less damage to the rest of the organisation. Ideally this is an automated process, but someone with quick fingers could in a pinch achieve this as well. If you find the worm is leaving your environment, you might need to change firewall rules or IDS/IPS rules.
For eradication, realistically the only safe option is to rebuild: re-image and redeploy the system from known good media. You could attempt a removal process documented by an AV vendor or other organisation; just remember it wasn't picked up in the first place. Since the state of the machine is unknown, you are really better off rebuilding, sorry.

Putting all the above in the context of the incident handling process:

Preparation

In addition to the policies and base security controls mentioned above, you may want to consider the following:

No local admin privileges
Segmentation in the network (ACLs or internal firewalls)
Log monitoring and analysis
Private VLANs

Identification

Look for unusual network activity
Examine log files
Become familiar with your environment

Containment

Move the device to a sandbox VLAN
Switch it off
Implement firewall rules, ACLs or other configuration changes to reduce the ability to do damage

Eradication

Unfortunately rebuild is the safest option
Some vendors may have a removal process
Identify how they got in and develop strategies to plug the hole

Recovery

Put systems back in a controlled fashion
Monitor activities, watch for their return

Lessons Learned

Learn the lessons :-)
Fix the issues identified
Implement the controls that allow you to ideally prevent, but at least detect it next time

The above is by no means complete, so if you have anything to add, feel free to add a comment or let us know via the contact form.
Mark H - Shearwater

China Mobile and China Unicom, two of the country's largest mobile operators, said they plan to bring SIM card-based Near Field Communication (NFC) technology to their customers.