Hackin9

InfoSec News

Pedro Bueno (pbueno /%%/ isc. sans. org) Twitter: http://twitter.com/besecure (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Despite backing from the top PC makers, high prices and a disorganized software and hardware ecosystem could slow adoption of ultrabooks over the next few years, analysts said this week.
 
Apple modified its lawsuit against Amazon this week, accusing the giant e-tailer of infringing its "App Store" trademark in new advertising for the Kindle Fire tablet.
 
Target built a new website from scratch after outsourcing its online operations to Amazon for 10 years. But the launch of its in-house platform hasn't been smooth.
 
The Italian mathematician who contributed to the development of Google's search algorithm is preparing to launch his own challenge to the dominant search engine before the end of the year.
 
Enterprise software vendors have been rushing to build or buy "sentiment analysis" technologies that can analyze the tone of what people are saying about companies and brands on social media sites like Facebook, Twitter and LinkedIn.
 
From their press-release:
The FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software (malware) related to the defendants. This malware modifies a computer's Domain Name Service (DNS) settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants.
If you believe that you are a victim in this case, the FBI wishes to hear from you. Submit your report here: https://forms.fbi.gov/dnsmalware
For more information about Operation Ghost Click:

http://isc.sans.org/diary/Operation+Ghost+Click+FBI+bags+crime+ring+responsible+for+14+million+in+losses/11986
http://www.fbi.gov/news/stories/2011/november/malware_110911

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Malware targeting Google's Android mobile operating system exploded in the last several months, its volume quintupling since July, Juniper Networks said.
 
Teardown experts at IHS iSuppli found it costs $201.70 to build Amazon's new Kindle Fire; that's almost $3 more than the $199 retail price.
 
A pump at a public water utility in Springfield, Ill. was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.
 
Safari under iOS is OK, but if you want a great browser, Gibbs recommends Grazing.
 
Mozilla is making progress on adding a silent update mechanism to Firefox, with plans to integrate the new service in Firefox 10 early next year.
 
Oracle Java SE CVE-2011-3554 Remote Java Runtime Environment Vulnerability
 
Squid Proxy Caching Server CNAME Denial of Service Vulnerability
 
The integration of mobile networks and Wi-Fi promises to make hotspots more popular and easier to access, but it will also put pressure on providers to improve performance, according to hotspot aggregator Boingo Wireless.
 
The European Parliament has added its voice to those criticizing the controversial Stop Online Piracy Act (SOPA) in the United States, criticizing the use of domain-name seizures by U.S. authorities against copyright ‘infringing’ websites.
 
CFOs who gathered outside Boston on Thursday to discuss how they can be agents for change within their enterprises were treated to a close-up view of how Oracle not only transformed its own business but made its Sun Microsystems acquisition a success.
 
Platform-as-a-service provider Engine Yard is adding support for Node.js as part of a new program at the company designed to help it quickly experiment with new features and services.
 
Mozilla Firefox and Thunderbird 'loadSubScript()' Security Bypass Vulnerability
 
Novell iPrint Client 'nipplib.dll' Remote Code Execution Vulnerability
 
[ MDVSA-2011:176-2 ] bind
 
During my shift we received an email claiming to be from The Electronic Payments Association with the subject "Rejected ACH transfer". It informed us that our ACH transfer was canceled by the other financial institution, and provided a link to the supporting documentation.
If you click on the link (hXXp://masterwall.com.au/8ymksg/index.html -- I'm sharing the link so you can check your logs) you'll go off on a short trip through a few sites (and pull down some Google Ads -- you might want to look at who's making money off of that, Google), and eventually, if you're running a system vulnerable to CVE-2010-1885, you'll install a loader for what Ikarus is calling Worm.Win32.Fujack.o.
I've spent more time informing webmasters than really analyzing the code, but that's usually how it goes.
The defaced sites have all been informed. I've sent a message to the main hosting site as well (but don't expect an answer.)
The particular indicators for this event:
Initial defaced site: hXXp://masterwall.com.au/8ymksg/index.html
Intermediate sites can be pulled from the wepawet report here: http://wepawet.iseclab.org/view.php?hash=26a057f6807d39560631bfe7039d78ad&t=1321628919&type=js
The endpoint (the one you want to block and search your logs for): hXXp://aquasrc.com/w.php?f=100e=8
The MD5 of what I pulled down: b4d9e3639b1bb326938efd9b6700f26d
This will install itself on the victim's machine and autostart after reboot; it will also try to spread via internal network shares.
I haven't spotted what it uses for its command and control yet, so all I know for certain is that it spreads. I hope to update this later with the C&C server details.
Update:
The malware looks to be a variant of the banking trojan Zeus. Look in your DNS logs for systems requesting quiversea.com.
Update 2:
As Chris W points out below, this appears to be a Blackhole exploit kit. So the cited CVE above is simply the exploit that was appropriate for the honey-monkey visiting the site; it'll identify the victim's system and send an appropriate exploit.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
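An added example (not part of the diary) of how a defender might sweep proxy and DNS logs for the indicators the diary lists: the defaced entry site, the aquasrc.com/w.php loader endpoint, the quiversea.com lookups and the loader's MD5. The log formats and client addresses are constructed; only host names and the path are matched, since the kit's query strings vary per victim.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators quoted in the diary (host names only: kit query strings vary per victim)
ENTRY_HOST = "masterwall.com.au"    # defaced site carrying the first redirect
PAYLOAD_HOST, PAYLOAD_PATH = "aquasrc.com", "/w.php"  # endpoint serving the loader
CC_HOST = "quiversea.com"           # domain the Zeus variant was seen resolving
PAYLOAD_MD5 = "b4d9e3639b1bb326938efd9b6700f26d"
# Constructed sample logs, not real captures: "epoch client method url" proxy
# access lines and BIND-style query-log lines.
PROXY_LOG = """\
1321628919.123 10.0.0.12 GET http://masterwall.com.au/8ymksg/index.html
1321628921.456 10.0.0.12 GET http://www.example.com/ads/banner.js
1321628925.789 10.0.0.12 GET http://aquasrc.com/w.php?f=100e=8
1321628930.000 10.0.0.44 GET http://intranet.example/home
"""
DNS_LOG = """\
18-Nov-2011 10:15:01.000 client 10.0.0.12#53412: query: quiversea.com IN A + (10.0.0.1)
18-Nov-2011 10:15:02.000 client 10.0.0.44#53413: query: www.example.com IN A + (10.0.0.1)
"""
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN")

def classify_url(url):
    """Map a proxied URL to the infection stage it belongs to, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == PAYLOAD_HOST and parsed.path == PAYLOAD_PATH:
        return "payload download"
    if host == ENTRY_HOST:
        return "redirect entry point"
    return "C&C contact" if host == CC_HOST else None

def scan_proxy_log(text):
    """Return (client, stage, url) for every proxy line touching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        stage = classify_url(fields[3]) if len(fields) >= 4 else None
        if stage:
            hits.append((fields[1], stage, fields[3]))
    return hits

def scan_dns_log(text):
    """Return the clients that asked the resolver for the C&C domain."""
    return sorted({m.group(1) for m in QUERY_RE.finditer(text)
                   if m.group(2).rstrip(".").lower() == CC_HOST})

def is_known_loader(data):
    """True if a captured file's MD5 equals the sample the diary pulled down."""
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5
```

A client that appears in both scans (here 10.0.0.12) has walked the whole chain the diary describes and is the first machine to pull for analysis.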
 
Premier 100 IT Leader Dennis Hodges also answers questions on the skills needed in a cloud-dominated world and more.
 
[ MDVSA-2011:176-1 ] bind
 
VMSA-2011-0014 VMware vCenter Update Manager fix for Jetty Web server addresses directory traversal vulnerability
 
Opinion: BlackBerry security has been a boon to enterprises, and unless security pros help save the platform, enterprise mobile security will suffer.

 
Samsung's hot new Galaxy Nexus smartphone, the first to run Android 4.0, went on sale Thursday in the U.K. and is expected to be available in the U.S. on Verizon Wireless by the end of the month.
 
Amazon is working on a smartphone to be released in the fourth quarter of 2012, according to a Citigroup analyst quoted by All Things D.
 
VMware released a new advisory and updated a security advisory yesterday.

VMSA-2011-0014: http://www.vmware.com/security/advisories/VMSA-2011-0014.html
VMSA-2011-0013.1: http://www.vmware.com/security/advisories/VMSA-2011-0013.html

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google has released an update for Chrome 15 that addresses a high-risk vulnerability. The security issue is the result of an out-of-bounds memory write in the browser's JavaScript engine.
 
The Stop Online Piracy Act has ignited a firestorm of protest over whether it could lead to online censorship. Here's a look at what the fight is all about.
 
A study measuring the performance of the iPhone 4S on all three U.S. wireless carriers found AT&T to be superior in Web browsing and data downloads and uploads when compared to Apple's latest smartphone on either Verizon Wireless or Sprint.
 
Are you an Android user but longing for the functionality of Siri's voice recognition? We look at a variety of interesting apps.
 
Yelp, a local business reviews site, filed Thursday with the U.S. Securities and Exchange Commission for an initial public offering (IPO) of up to $100 million.
 
A U.S. House Intelligence Committee is launching an investigation into Chinese telecommunication equipment suppliers Huawei and ZTE to determine whether the companies pose a security threat to the U.S.
 

Posted by InfoSec News on Nov 18

http://gcn.com/articles/2011/11/17/oak-ridge-lab-stop-insider-exfiltration.aspx

By William Jackson
GCN.com
Nov 17, 2011

Researchers at the Energy Department’s Oak Ridge National Laboratory are
developing a tool to identify malicious insiders and stop them from
sending sensitive information outside the enterprise.

The system, which is being tested in a lab environment, uses a
host-based agent to “learn” a user’s behavior and to look...
 

Posted by InfoSec News on Nov 18

========================================================================

The Secunia Weekly Advisory Summary
2011-11-10 - 2011-11-17

This week: 52 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia...
 

Posted by InfoSec News on Nov 18

http://www.eweek.com/c/a/Security/IT-Security-Salaries-Expected-to-Grow-45-in-2012-166496/

By Fahmida Y. Rashid
eWEEK.com
2011-11-16

IT security professionals are projected to see higher salary increases,
compared with the overall IT market in 2012, according to Robert Half
Technology's latest salary guide.

Salaries for IT security professionals are projected to increase by 4.5
percent in 2012, according to a new salary survey.

The...
 

Posted by InfoSec News on Nov 18

http://news.cnet.com/8301-31921_3-57326956-281/sandia-labs-sopa-will-negatively-impact-u.s-cybersecurity/

By Declan McCullagh
CNet News
Privacy Inc.
November 17, 2011

Add the Sandia National Laboratories, part of the U.S. Department of
Energy, to the list of opponents of a controversial Hollywood-backed
copyright bill.

Leonard Napolitano, Sandia's director of computer sciences and
information systems, warned in a letter that the...
 

Posted by InfoSec News on Nov 18

http://www.theregister.co.uk/2011/11/17/water_utility_hacked/

By Dan Goodin in San Francisco
The Register
17th November 2011

Updated - Hackers destroyed a pump used by a US water utility after
gaining unauthorized access to the industrial control system it used to
operate its machinery, a computer security expert said.

Joe Weiss, a managing partner for Applied Control Solutions, said the
breach was most likely performed after the attackers...
 

Posted by InfoSec News on Nov 18

http://www.zdnet.com.au/wealthy-staff-not-hackers-often-thieves-339326370.htm

By Michael Lee
ZDNet.com.au
November 17th, 2011

Companies are being duped more by their own employees than by external
hackers when it comes to cyber fraud, according to KPMG Forensic
associate director Stan Gallo, and those employees are often high
earners.

Gallo presented his talk on corporate identity theft and fraud at
Attachmate Group's A Powerful...
 

Posted by InfoSec News on Nov 18

http://www.darkreading.com/database-security/167901020/security/attacks-breaches/231903320/stolen-desktop-computer-exposes-data-of-nearly-4-million-patients.html

By Kelly Jackson Higgins
Dark Reading
Nov 17, 2011

A desktop computer stolen from healthcare organization Sutter Medical
Foundation has potentially exposed the personal information of nearly 4
million patients.

The password-protected but unencrypted machine contained a patient...
 
Some of Taiwan's smaller manufacturers said they were relieved to see Google release the source code for its Android 4.0 operating system, after being cut out of the picture with its previous Honeycomb version.
 
A U.S. House Intelligence Committee is launching an investigation against Chinese telecommunication equipment suppliers Huawei and ZTE to find whether the companies pose a security threat to the country.
 