
InfoSec News

The next time a website says to download new software to view a movie or fix a problem, think twice. There's a pretty good chance that the program is malicious.
 
Need to send someone a big batch of files? Don't attach one after another after another to your e-mail. Instead, compress the files into one smaller, easier-to-manage file. In other words, "Zip" them.
 
CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
 
IT employment passed the 4 million mark early this year for the first time in more than three years.
 
Intel on Tuesday showed a prototype smartphone based on its low-power Medfield processor and said Intel-based phones from "major players" would be in the market next year.
 
SAP is giving its ongoing push into mobile applications an extra shove with a series of new products aimed at verticals such as utilities, energy, retail and manufacturing, the company announced Tuesday during the Sapphire Now conference in Orlando.
 
Two new features being developed for the .Net framework will make greater use of multicore processors
 
Dell is reporting some success in its struggle to retool itself as a cloud and enterprise services provider, even as the company's consumer business continues to decline.
 
If you're looking for svelte, sexy design, then Toshiba's $1100, 5.5-pound Satellite M645-S4118X may not be your cup of tea. If you're looking for excellent all-purpose performance, playable gaming frame rates, top-notch sound and video--including Blu-ray--then it's Earl Gray with a vengeance.
 
Real Networks RealPlayer & RealPlayer SP Multiple Security Vulnerabilities
 
A new bill introduced in the U.S. Senate would update a 25-year-old law that sets the rules for law enforcement surveillance of e-mail and other electronic communications, with more legal protections for the privacy of data stored in the cloud.
 
Google Chrome prior to 5.0.375.125 Multiple Security Vulnerabilities
 
Google Chrome prior to 7.0.517.41 Multiple Security Vulnerabilities
 
A potential DDoS attack on Heroku, the Ruby platform-as-a-service provider now owned by Salesforce.com, is creating availability issues for its customers.
 
Intel will dramatically shake up its microprocessor road map to meet the demand for very-low-power processors and to fend off the competitive threat from rival chip design company ARM, CEO Paul Otellini said.
 
Python 'urllib' and 'urllib2' Modules Information Disclosure and Denial of Service Vulnerabilities
 
Red Hat scsi-target-utils TGT Daemon Remote Denial of Service Vulnerability
 
A David vs. Goliath battle has emerged in a patent dispute between small independent iOS application developers and a Texas-based patent holding company called Lodsys.
 
Astronauts on NASA's space shuttle Endeavour are using the spacecraft's robotic arm to inspect the shuttle's heat shield for damage today.
 
Congress on Thursday will again grill executives from Apple and Google over mobile privacy concerns.
 
[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
 
HTB22981: Multiple XSS (Cross Site Scripting) vulnerabilities in PHP Calendar Basic
 
[ MDVSA-2011:090 ] postfix
 
Ruxcon 2011 Call For Papers
 
California is considering legislation that would tighten Facebook's privacy practices, and the social network is not happy about it.
 
Hewlett-Packard reported a small year-on-year increase in revenue and profit for the three months ended April 30, but lowered its forecast for its full fiscal year.
 
The IT leader who can't explain where the IT function is and where it should be won't be around for long.
 
Cloud data storage and synchronization company Dropbox has been hit with a complaint to the U.S. Federal Trade Commission alleging that the company has deceived consumers about the level of encryption security it offers.
 
Network Block Device Server NULL Pointer Dereference Denial of Service Vulnerability
 
Watching your logs can be a lot of fun, in particular if you have some interesting logs to look at. On the other hand, if you think your logs are boring, you are probably just not looking hard enough. My latest log excursion started with two alerts from the ISC poll feature we have on the index page. Within a couple of minutes, two very different IP addresses submitted comments that got identified as spam:
Request #1 from 212.117.165.179.

POST /poll.html HTTP/1.1
CONNECTION: close
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HOST: isc.sans.edu
REFERER: http://isc.sans.edu/
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
COOKIE: dshield=91b1d9cff4a31d61f426935aad5bbd2
COOKIE2: $Version=1q=0.1
COOKIE2: $Version=1
Post Data:
token:
poll: 4
poll_comment: add comment
subject: -1'
The first one isn't all that remarkable in my opinion. We get a couple dozen of them a day. But the second one is sort of interesting. Can you pick out why?
subject:-1' is the line that caught my attention. A single quote appended to a numeric value is the classic SQL injection probe: if the value is concatenated into a query unescaped, the quote breaks the statement and the application leaks a database error, which tells the attacker the parameter is worth working on. The other odd thing was that these two requests came in very close to each other but look very different.
If you look at the two IP addresses (91.214.45.223 and 212.117.165.179), it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's checkip feature [1] suggests that they are part of the Russian Business Network (RBN).
Well... what to do from here? Seeing a little bit of coordination like this always makes me think "What did I miss now?". So my next idea was "What else comes in from AS 5577?". AS 5577 originates about 20 prefixes. While not everything in AS 5577 is evil, it does appear to be a hiding spot for RBN activity. The company root.lu appears to be in the very low-cost dedicated hosting business [2], which frequently means not much money to spend on oversight and proper abuse handling. The next step was to filter the last few days of logs for these prefixes, to check what else we get. Here are a few oddities that came to light (there were a couple hundred hits...)
1. Are we listed yet?

212.117.162.204 GET /block.txt HTTP/1.1 libwww-perl/6.0
212.117.164.170 GET /top10-2.txt HTTP/1.0 Wget/1.11.4
212.117.172.150 GET /top10-2.txt HTTP/1.0 Wget/1.10.2 (Red Hat modified)
94.242.197.100 GET /top10-2.txt HTTP/1.0 Wget/1.12 (linux-gnu)

Looks like they keep checking whether they are listed as a top 10 or a blocked IP address. We got quite a few hits like that from AS 5577 hosts. Interestingly, they use a couple of different IP addresses and user agents to perform these queries. And yes, they are listed from time to time.
2. Synapse as SQL Injection tool

212.117.165.179 GET /index.html?menu=-1%27 Synapse)

The user agent points to Apache Synapse, the Apache XML enterprise service bus. It is not clear why this user agent is used here, or whether it is actually related to the Apache tool. But so far, all the requests with this user agent are related to SQL injection attempts: %27 is the URL-encoded single quote, so menu=-1%27 is the same -1' probe we saw in the poll comment, this time against a GET parameter.
3. Outdated Browsers and a Love for RSS

212.117.177.5 GET /diary.html?storyid=10885 rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

The URL (rss) indicates that the user here followed a link in our RSS feed, and the RSS feed is polled regularly by AS 5577 machines. The browser version is a bit old, and the locale is set to US English (Windows NT 5.1).
We haven't used the .php extension nor the host name forum.dshield.org in a while. So it is odd that this IP came back 3 times in one second, but never retrieved the URL it got redirected to. Again HTTP/1.0 and a fake-looking user agent (this user agent exists... but I have hardly ever seen it used legitimately these days). Maybe the old bulletin board we had at that URL years ago was vulnerable to *something* and is still listed in some search engine.
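Filtering a few days of web logs for an AS's prefixes, as described above, is easy to script. What follows is an added example (not code from the diary or from the ISC's own tooling): it parses Apache combined-format log lines, keeps only requests whose source falls in a prefix list, and flags the two patterns discussed here, the /block.txt and /top10-2.txt listing checks and the -1' quote probe, whether URL-encoded as %27 or literal. The prefix list and the log lines are constructed for the example; the prefixes merely cover the addresses quoted in the diary and are not AS 5577's actual announcements, which you would pull from a BGP or whois lookup.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed prefix list standing in for "what does AS 5577 originate".
# Chosen only to cover the addresses quoted in the diary; the real list
# comes from a BGP or whois lookup, not from here.
SUSPECT_PREFIXES = [ipaddress.ip_network(p) for p in (
    "212.117.160.0/19",
    "94.242.192.0/19",
    "91.214.44.0/22",
)]

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A single quote glued to a numeric parameter value (menu=-1', id=5') is the
# classic "does this break the SQL statement?" probe.
SQLI_PROBE_RE = re.compile(r"=-?\d+'")

# Paths the AS 5577 hosts kept polling to see whether they were listed.
LISTING_PATHS = {"/block.txt", "/top10-2.txt"}

# Constructed sample log lines (not real ISC logs). One request from an
# unrelated address (203.0.113.9) is included to show it gets filtered out.
SAMPLE_LOG = """\
212.117.162.204 - - [18/May/2011:09:12:01 +0000] "GET /block.txt HTTP/1.1" 200 2048 "-" "libwww-perl/6.0"
203.0.113.9 - - [18/May/2011:09:12:05 +0000] "GET /diary.html?storyid=10885 HTTP/1.1" 200 15000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0.1"
94.242.197.100 - - [18/May/2011:09:13:40 +0000] "GET /top10-2.txt HTTP/1.0" 200 512 "-" "Wget/1.12 (linux-gnu)"
212.117.165.179 - - [18/May/2011:09:14:02 +0000] "POST /poll.html HTTP/1.1" 200 3100 "http://isc.sans.edu/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
212.117.165.179 - - [18/May/2011:09:14:03 +0000] "GET /index.html?menu=-1%27 HTTP/1.1" 200 9000 "-" "Synapse"
"""


def in_prefixes(ip, prefixes=SUSPECT_PREFIXES):
    """True if the dotted-quad address falls inside any of the prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_sqli(path):
    """Decode %27 and friends first so encoded and literal probes match alike."""
    return bool(SQLI_PROBE_RE.search(unquote(path)))


def analyze(lines):
    """Keep only requests from the suspect prefixes and tag the patterns of interest.

    Returns (hits, ua_per_ip): hits is the list of parsed records with
    'sqli' and 'listcheck' flags added; ua_per_ip maps each address to the
    set of user agents it used, to spot hosts that rotate their UA.
    """
    hits = []
    ua_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_prefixes(rec["ip"]):
            continue
        rec["sqli"] = looks_like_sqli(rec["path"])
        rec["listcheck"] = rec["path"] in LISTING_PATHS
        hits.append(rec)
        ua_per_ip[rec["ip"]].add(rec["ua"])
    return hits, ua_per_ip


if __name__ == "__main__":
    hits, uas = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        tags = [t for t in ("sqli", "listcheck") if h[t]]
        print(h["ip"], h["method"], h["path"], h["ua"], tags)
    for ip, agents in uas.items():
        if len(agents) > 1:
            print("%s used %d different user agents" % (ip, len(agents)))
```

On real logs, pipe `grep` output or a log file into `analyze()` line by line instead of `SAMPLE_LOG`; the prefix match is the expensive part, so for a large prefix list collapse it with `ipaddress.collapse_addresses()` first.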
More to come...

[1] http://threatstop.com/checkip

[2] http://root.lu
------
Want to learn more about defending web applications? Check out DEV522 Defending Web Applications in Denver CO and Washington DC.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
SLAs aren't enough to ensure uptime for your computing services. You have to familiarize yourself with the provider's infrastructure.
 
Nvidia on Tuesday announced the Tesla M2090 graphics processor, which the company calls the world's fastest "parallel processor" for high-performance computing.
 
 
Apple's iPhone 5 will be manufactured in the third quarter, hinting at a possible launch of a new version of the iconic smartphone later this year, a financial analyst firm said Tuesday.
 

Ramp in regulation and threats pushed IT security in the boardroom, says Infosec
ComputerWeekly.com
The hike in regulation in recent years means IT security has become a boardroom topic and a discipline in its own right, says Claire Sellick, Infosecurity Europe's event director. "IT professionals from all walks of business life are now looking for ...

 
Google's all-Web computers are due to hit stores June 15. Here's a look at what to expect.
 
In another shot at their common rival Google, Microsoft and Facebook are teaming up again to make Bing's search engine more social.
 
Wordpress is_human() Plugin Remote Command Injection Vulnerability
 
Pligg CMS 'scategory' Parameter SQL Injection Vulnerability
 
Americans are more enamored than ever with Microsoft's software, according to a national customer satisfaction survey released today.
 
Microsoft will release the first service pack for Office 2010 in late June, when it will for the first time support Google's Chrome running the suite's online applications using SharePoint 2010, the company said Monday.
 
NASA's space shuttle Endeavour is carrying prototypes of fingernail-size satellites that are expected to someday travel to Saturn.
 
With Firefox 4 released not too long ago and Firefox 5 supposed to be released on June 21st, the Firefox train is moving full speed ahead, and the laggards are being dealt with aggressively as well. There seem to be 12 million users still on Firefox 3.5, which is still a significant number. We all remember what happened with IE6... To avoid that happening again, Firefox will start showing a warning on Google's default pages to users of version 3.5, and Mozilla plans to push out 3.6.18 as an update (if auto-update is enabled) once Firefox 5 is out (fingers still crossed on the June 21st date).
The days when common web applications told users that a certain new browser version was not supported are long gone. I still remember when lots of government and bank websites asked users to use only the supported browsers, IE6 and maybe IE7. I think we are all moving towards sites aggressively making users upgrade to newer browsers, in an effort to protect them as well. Newer browsers generally have better protection and support new protection mechanisms (have you seen all the protection HTTP headers that are supported by the new browsers?)
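The "protection HTTP headers" mentioned above are only useful if your site actually sends them, and the quickest way to find out is to audit a response. The following is an added example, not part of the original diary and not an ISC tool: it parses a raw HTTP response header block and reports which of the common defensive headers of that era (HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy or Firefox 4's X-Content-Security-Policy prefix) are missing or weak, and whether cookies carry the Secure and HttpOnly flags. The two responses are constructed for the example, and the minimum HSTS max-age of six months is an assumed policy value, not a standard requirement.

```python
import re
from email.parser import Parser

# Assumed policy: an HSTS max-age shorter than six months is reported as weak.
MIN_HSTS_AGE = 15768000

# Constructed responses (not captured from any real site); bodies omitted.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""


def parse_headers(raw):
    """Drop the status line and parse the rest as RFC 822 style headers.

    HTTP headers share that syntax, and the email parser gives
    case-insensitive lookup plus get_all() for repeated Set-Cookie lines.
    """
    _status, _, headers = raw.partition("\n")
    return Parser().parsestr(headers, headersonly=True)


def audit(raw):
    """Return a list of (header, finding) tuples; an empty list means all checks passed."""
    msg = parse_headers(raw)
    findings = []

    hsts = msg.get("Strict-Transport-Security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("Strict-Transport-Security",
                             "max-age below %d seconds" % MIN_HSTS_AGE))

    # Clickjacking defence: only DENY and SAMEORIGIN are meaningful values.
    xfo = (msg.get("X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "missing or not DENY/SAMEORIGIN"))

    # Stops IE/Chrome from sniffing a non-HTML body into executable HTML.
    if (msg.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not nosniff"))

    # Firefox 4 shipped CSP under the X- prefix; accept either spelling.
    if (msg.get("Content-Security-Policy") is None
            and msg.get("X-Content-Security-Policy") is None):
        findings.append(("Content-Security-Policy", "missing"))

    # Every cookie should be marked Secure (TLS only) and HttpOnly (no DOM access).
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(("Set-Cookie", "%s lacks %s" % (name, flag)))

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no findings")
```

To run it against a live site, feed `audit()` the header block from `curl -sI https://host/` (the status line first, then the headers), which is exactly the shape the constructed strings have.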
More info about the Firefox 3.5 forced upgrade,
http://www.theregister.co.uk/2011/05/16/mozilla_firefox_3_5_forced_upgrade/
 
Microsoft released the latest version of their Security Intelligence Report, volume 10, which covers the threat landscape for 2010. It is a good research report and summarizes the threat landscape with concrete data to support the findings.
Some of the interesting findings:

Exploitation through the Java platform has been on a significant rise since Q2 2010. The number of Java exploits far exceeds those against Adobe software and OS platforms.
Malicious IFrames account for a large share of the attacks over HTTP; this likely indicates the effect of hijacked and compromised websites.
Conficker is the most active malware family in enterprise environments, but only ninth on the general Internet.
JS/Pornpop is the most active malware family on the general Internet (non-domain-joined computers).
On the phishing front, sites targeting social networks are increasing, and they are effective at getting themselves in front of victims.
The overall OS-level vulnerability count is steady and the browser vulnerability count is increasing more slowly; however, it is surprising that the application vulnerability count has been decreasing since 2008. Maybe software vendors are actually getting much more secure?


 
According to Websense, Canada is being seen as a prime target for moving cybercrime operations into its network infrastructure. Here is a summary of Patrik Runald's blog post; the complete post can be found at [1].
Jump in Hosted Phishing Sites - A 319% increase in the last year. The various site locations are shown in the post.

Increase in Bot Networks - Over the past 8 months, a 53% increase in bot command and control (C&C) servers. Compared with the U.S., France, Germany and China, Canada is now 2nd for hosting bot networks.

Malicious Websites - Websense noticed a decline in malicious websites; however, this decline is moving at a much slower pace in Canada.

Overall Increase in Cybercrime - In the 2010 Websense Threat Report [2], Canada was #13; it is now #6 in 2011.
Have you noticed an increase in cybercrime activity from web servers hosted in Canada?


[1] http://community.websense.com/blogs/websense-insights/archive/2011/05/05/the-next-hotbed-of-cyber-crime-activity-is-canada.aspx

[2] http://www.websense.com/content/threat-report-2010-introduction.aspx?cmpid=prblog


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
 
Media In Spot CMS 'index.php' SQL Injection Vulnerability
 