InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The popularity of Malwarebytes Anti-Malware for consumers paved the way for a business version

Researchers say attackers have exploited the flaw and recommend switching browsers until there's a fix.

A deeper look into the Flame malware, linked to the infamous Stuxnet, has revealed that it may be just one of four pieces of malware created by the same unknown development team.
Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said today.
Reader Dwayne Norris has a problem with Dropbox links. He writes:
U.S. Sen. Chuck Schumer (D-NY), who is chair of the Senate's immigration subcommittee, is introducing his own green card STEM bill to challenge a similar Republican bill in the House.
Researchers say attackers have exploited a new zero-day vulnerability targeting IE users.

Oracle on Monday said it has agreed to acquire SelectMinds, a maker of "social talent sourcing software," in a bid to flesh out the capabilities it gained through this year's US$1.9 billion acquisition of Taleo.
Microsoft has announced the consumer and small-business prices for the new Office suite, which will be sold both via traditional single-device, perpetual licenses and via a new annual, multi-device cloud subscription.
Four vulnerabilities, including two affecting the Jenkins core and one deemed critical, have been identified
Advanced Micro Devices announced Monday that its chief financial officer, Thomas Seifert, has resigned from his post and that a hunt is on for his replacement.
Two Romanian men have pleaded guilty to participating in a $10 million scheme to hack into the computers of hundreds of Subway restaurants in the U.S. and steal payment card data, the U.S. Department of Justice said.
libgio CVE-2012-4425 Privilege Escalation Vulnerability
Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability
Reliable anomaly detection using a SIEM hinges on collecting a wide range of security events. Andrew Hutchison covers SIEM integration best practices.

The U.S. Federal Communications Commission has waived restrictions that prevented cable operators from acquiring local telephone carriers, saying those mergers could lead to stronger competition to large telecom carriers for business customers.
A subcommittee in the U.S. House of Representatives will hear testimony on Friday about whether the FCC followed its own rules when it gave LightSquared conditional approval for an LTE network early last year.
If you're having trouble sleeping or gaining weight, your smartphone or laptop might be to blame, according to researchers at the Rensselaer Polytechnic Institute.
Asterisk 'externalIVR' Application Shell Command Execution Security Bypass Vulnerability
Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-1956 Cross Site Scripting Vulnerability
BSIMM4 found some firms actively scanning for malicious code from rogue developers. Crisis simulation scenarios improve product security response.

[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
Tablets running on Intel's upcoming Atom chip code-named Clover Trail could come with the Android OS, adding another OS option for the processor platform in addition to Microsoft's soon-to-be-released Windows 8 OS, Intel said on Monday.
It's probably fair to ask why Japanese electronics maker Sharp -- deep in debt and red ink, cutting workers and salaries, awash in excess inventory in the brutal LCD market -- is actively promoting a line of talking vacuum cleaners.
Secunia Research: Novell GroupWise iCalendar Date/Time Parsing Denial of Service
[IA38] NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow
The new 7-in. Kindle Fire HD tablet by Amazon, starting at $199, scored a 7 out of 10 rating from iFixit for its repairability by do-it-yourselfers.
With opposition growing to reported plans by President Obama to issue an Executive Order to bolster cybersecurity for the nation's critical infrastructure, the question now is whether the White House will plow ahead or drop the idea quietly in an election year.
A zero-day vulnerability is being used to infect IE users with malicious code when they visit a specially prepared web page. Microsoft has not yet issued a statement on the problem

[Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)
We've had numerous readers write in about an IE8 zero day; most pointed us here for more info on it: http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
Since I'm not a Malware Analysis Guy (at least until I take Lenny's Forensics 610 class), I hunted around for some confirmation before I posted.
I guess a Metasploit module that exploits it counts as confirmation!

Also more info here: http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

And yes, there is code in the wild that exploits this (since Sept 14th). And no, there is no patch for it yet.

If you're still running IE 7, 8 or 9, today is a good day to think about switching browsers for a couple of weeks.

(thanks to our readers, who corrected my original post - this zero day affects not just IE8, but also IE7 and IE9)

Rob VandenBrink


In a recent story (see the bottom of this article), there's been some discussion about a prominent NMS (Network Management System) with an iPad interface that uses an easily duplicated algorithm to derive its password.

Do we care? Isn't the resulting password more secure than most passwords we ourselves would have picked? Not so much if it's simple to derive, but in my opinion the real story here is that we are trusting our mobile devices and apps way more than we should. We buy low-cost or free apps to do things that really matter, without doing our homework on security. In this case, the app uses cleartext authentication over XMPP (the Jabber protocol) to remotely access and control the NMS. The password math doesn't help either. The NMS in turn has access to the full device configurations, as well as the ability to send email directly to network admins (a great spearphishing target!), and most importantly, in many cases has admin access to all the network routers, switches, firewalls and even servers.
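To make "cleartext authentication over XMPP" concrete, here is an added example (not from the original diary, and not the NMS vendor's code or traffic): XMPP authenticates with SASL, and the PLAIN mechanism (RFC 4616) sends base64(authzid NUL username NUL password). Base64 is an encoding, not encryption, so anyone on the path of a stream that did not negotiate STARTTLS first recovers the password with a few lines of code. The two streams below are constructed; the hostname, account name and password are made up, and the checker looks at the XML text the same way a passive observer of the wire would.

```python
import base64
import re

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample, not a capture of any real product: the client opens an
# XMPP stream and authenticates with SASL PLAIN without negotiating STARTTLS.
# Hostname, username and password are made up for this example.
PLAINTEXT_LOGIN = (
    "<?xml version='1.0'?>"
    "<stream:stream to='nms.example.internal' version='1.0' "
    "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<auth xmlns='{SASL_NS}' mechanism='PLAIN'>"
    + base64.b64encode(b"\x00netadmin\x00Spring2012!").decode("ascii")
    + "</auth>"
)

# Constructed sample of the same client doing it right: STARTTLS is negotiated
# first, so the <auth> element that follows <proceed/> travels inside TLS and
# a passive observer never sees it. Only the visible, pre-TLS part is shown.
TLS_FIRST_LOGIN = (
    "<?xml version='1.0'?>"
    "<stream:stream to='nms.example.internal' version='1.0' "
    "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<starttls xmlns='{TLS_NS}'/>"
    f"<proceed xmlns='{TLS_NS}'/>"
)

# Matches a SASL <auth> element whose mechanism attribute is PLAIN and
# captures its base64 payload (attribute order does not matter).
AUTH_RE = re.compile(
    r"<auth\b[^>]*\bmechanism=['\"]PLAIN['\"][^>]*>([A-Za-z0-9+/=\s]*)</auth>",
    re.IGNORECASE,
)


def recover_plain_credentials(stream_text):
    """Decode every SASL PLAIN payload visible in the given stream text.

    RFC 4616 defines the payload as base64(authzid NUL authcid NUL passwd),
    so for a stream that was not wrapped in TLS this is all an eavesdropper
    needs. Returns a list of (authzid, username, password) tuples.
    """
    found = []
    for match in AUTH_RE.finditer(stream_text):
        payload = "".join(match.group(1).split())  # drop any whitespace
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:
            continue  # not valid base64, so not a well-formed PLAIN payload
        parts = raw.split(b"\x00")
        if len(parts) != 3:
            continue  # PLAIN always has exactly three NUL-separated fields
        found.append(tuple(p.decode("utf-8", "replace") for p in parts))
    return found


def tls_negotiated(stream_text):
    """True if the visible stream shows STARTTLS offered and <proceed/> sent."""
    return (re.search(r"<starttls\b", stream_text) is not None
            and re.search(r"<proceed\b", stream_text) is not None)


def assess_stream(stream_text):
    """Summarise what a passive observer on the path learns from this stream."""
    creds = recover_plain_credentials(stream_text)
    return {
        "starttls_negotiated": tls_negotiated(stream_text),
        "plaintext_credentials": creds,
        "exposed": bool(creds),
    }


if __name__ == "__main__":
    for label, stream in (("no TLS", PLAINTEXT_LOGIN),
                          ("STARTTLS first", TLS_FIRST_LOGIN)):
        print(label, assess_stream(stream))
```

The point of the second stream is that SASL PLAIN is not the problem by itself; PLAIN inside TLS, or inside the VPN tunnel the rest of this diary argues for, is fine. PLAIN over a bare TCP session to a system that holds admin credentials for every router and switch is the problem.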

People just as blithely (blindly?) use tablets and phones to access their bank accounts and control their cars (what could go wrong with that?)

In the case of an NMS I can certainly see the attraction: now that tablet screens are just as good as many laptops, running your NMS from a tablet can be much easier than from a traditional laptop, especially if you're not at work.

I gotta admit that it still bothers me when I see the bank ads on TV encouraging people to access their bank accounts using their phone (you know, the one without a screensaver or keyboard lock), so that their bank account is even *less* protected when the phone is stolen.

Mind you, some folks would likely be more upset if their social media accounts could be accessed this way ... umm, wait a second! A favourite high school prank is to steal a phone from your classmate for 10 minutes to put up a bogus (and embarrassing) Facebook or Twitter post.

When did we stop using VPNs, the classic solution for encapsulating and encrypting sensitive traffic? The VPN that encrypts the data, the destination IP address and the authentication?

My worry here isn't really that the data stream could be MITM'd to steal credentials or hijack sessions, though that's certainly possible in this case. The worry should really be that if your phone or tablet is stolen, big parts of our modern life go with it: bank accounts, Facebook and Twitter, eBay, your car keys. And in this case, control of your network. If all we protect this stuff with is a simple keyboard password (my 11 yr old shoulder surfed mine - https://isc.sans.edu/diary.html?storyid=13084), then if your phone is lost, all is lost. You had BETTER have a remote wipe function ready to go!

More here:




Rob VandenBrink

Metafore
"Daddy, can I stay up late tonight?"
Samsung will announce a 5-in. Galaxy S4 at Mobile World Congress in Barcelona next February, according to company officials and executives at parts suppliers quoted in The Korea Times.
Salesforce.com has grown into a company much broader in scope than its name would suggest, having moved well beyond its roots in on-demand CRM (customer relationship management) software.
The number of countries where a controversial movie trailer on YouTube has been blocked increased to five by Monday, as Google ran into legal threats in some of these countries.
Apple today announced that it had sold two million iPhone 5 smartphones in the first 24 hours of pre-orders last week, more than double the previous record set in 2011.
[SECURITY] [DSA 2480-4] request-tracker3.8 regression update
[slackware-security] patch (SSA:2012-257-02)
[ MDVSA-2012:153 ] dhcp
[SECURITY] [DSA 2549-1] devscripts security update
Businesses that want to trade in their old systems for new IT should consider moving to open source first before thinking about a proprietary system, according to a report commissioned by transaction processing services provider Amadeus IT Group.
Canonical has reminded users that version 11.04 of Ubuntu, known as "Natty Narwhal", is nearing its end of life, after which no further updates, including security updates and critical fixes, will be made available

Google took down on Friday in Indonesia the controversial movie trailer that has sparked protests worldwide, adding the country to the short list of nations where the video can't be seen on YouTube.
Google has moved a step closer to making good on its promise to support "Do Not Track" in Chrome by the end of this year.
While SSDs offer the best upgrade to a computer money can buy, they don't come cheap -- but there are alternatives that provide the performance you want without breaking the bank.
Two Panasonic component factories have been vandalized and shut down in China amid the widespread anti-Japanese protests sweeping the country, a company spokeswoman said Monday.
Eastman Kodak has told a bankruptcy court that it is exploring alternatives to the auction of its digital imaging patents, including keeping the patents and setting up a licensing company to repay creditors.
Novell GroupWise Internet Agent CVE-2012-0271 Remote Integer Overflow Vulnerability
With the iPhone 5 slated to ship Sept. 21, the big question for business users and IT pros is how it and iOS 6 will affect them and their companies. Columnist Ryan Faas has some answers.
The W3C's Web Cryptography Working Group has published a first working draft for an API implementation for web browsers that will provide encryption and decryption features as well as secure communication using JavaScript


Posted by InfoSec News on Sep 17

Forwarded from: Boris Sverdlik <boris.sverdlik (at) jadedsecurity.com>


With the ISC2 Board of Directors deadline coming up I was hoping InfoSec
News subscribers could help us get the word out. We're short about 100
signatures and would really appreciate any help.

Vote for Boris Sverdlik aka Jadedsecurity, Dave Lewis aka Gattaca, Scot
Terban aka Krytpt3ia and  For ISC2 Board of Directors...

Posted by InfoSec News on Sep 17


By Ellen Nakashima
The Washington Post
September 16, 2012

The federal government has taken a “failed approach” to cybersecurity,
with efforts that focus on reducing vulnerabilities rather than actively
deterring attackers, according to one of the FBI’s top former cyber...

Posted by InfoSec News on Sep 17


By Ken Pishna
MMA Weekly
September 15, 2012

At least two of the hackers that were recently snagged in a two-year
sting operation by the FBI were involved in the hacking of UFC.com and
company president Dana White’s personal information.

Mir Islam, aka “JoshTheGod,” and a 15-year-old hacker from California
that goes by the moniker...

Posted by InfoSec News on Sep 17


By Mark Reeth
TMF Wreath
September 16, 2012

It seems hackers are everywhere these days, with the recent infiltration
of GoDaddy.com only the most recent example in a series of attacks
against businesses, websites, and the government. But within the chaos
there is a possible investment: Buy the companies that protect others
from hackers. So which cybersecurity...

Posted by InfoSec News on Sep 17


By William Jackson
Sept 13, 2012

The most common concern for federal IT security professionals is
regulatory compliance, according to nCircle’s recently released 2012
Federal Information Security Initiatives Trend Study.

The results indicate misplaced priorities, said Karen Cummins, nCircle’s
director of federal markets. “If you pick compliance, that...
ISC DHCP IPv6 Lease Expiration Handling Denial of Service Vulnerability
Internet Storm Center Infocon Status