Hackin9

If you are easily confused like me, you may appreciate this quick summary as to the different updates released the last couple of days:

Oracle Java:

Java 7 Update 15

Java 6 Update 41

Apple

(in addition to Apple's Java update to the versions shown above)

iTunes 11.0.2.25

Adobe

Flash Player 11.6.602.168 (Windows. OS X is still on 167)

Probably the most dangerous thing you can do when applying patches is to rush. You may not only end up with a broken system, but worse, the patch may not be applied correctly. Take the time to test that you are all up to date. Encourage your coworkers and relatives to visit browsercheck.qualys.com to test whether all plugins are installed correctly.

(we may update this diary for a day or two)

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Dell has reported another quarter of declining revenue and profits as the company's CEO continues his battle to take the PC maker private.
 
Twitter is urging its account holders to be smarter with their passwords following two recent attacks by hackers directed at Burger King and Jeep that took control of those accounts.
 
Your phone isn't the only piece of equipment able to share an internet connection with other devices. Windows has been able to do this for years; the problem is getting it accomplished quickly, easily and wirelessly, especially on the go with a laptop system. Connectify Hotspot (two editions, various pricing) provides the tools to do precisely this, acting as a software router between whatever internet connection you provide and the other computers connected to your laptop.
 
With a handful of ways to customize the drive and the high-speed USB 3 interface, the AV Pro is a storage device built to help streamline the workflow of creative professionals. CalDigit offers two different models of the AV Pro: a model with a 3.5-inch hard drive, or one with a 2.5-inch solid-state drive. Regardless of which model you choose, the AV Pro has user-serviceable drives that allow easy replacement of the drive mechanism when the need arises.
 
Oracle has sold assets related to the Lustre parallel distributed file system to high-performance computing storage vendor Xyratex, which has pledged to lead further development of the software in its current collaborative open-source environment.
 
Nvidia on Tuesday announced the GeForce GTX Titan, a GPU designed to handle the most demanding games by harnessing the processing power of 2,668 graphics cores.
 

The label of state-sponsored attacks or advanced persistent threat has been used and abused frequently in the last few years. Hardly ever have we seen any hard evidence of how these attacks happen and who is behind them. The report by Mandiant that made the news this week is probably the best public summary of these attacks, listing conclusive evidence linking the attacks to the Chinese government.

Attributing cyber attacks is always very difficult. IP addresses don't really mean much, as attackers frequently use chains of compromised machines to attack the ultimate target. The Mandiant report uses additional evidence and does a very good and thorough job in tracing the attacks.

But what does it mean to you?

First of all: Read the report (the original, not the press releases and commentaries): http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf . Direct management to the video that Mandiant made.

The report also includes lots of IP addresses and other indicators that you can use to check your own networks for similar compromises.

The attacks follow a very tried and true pattern:

- send an e-mail to the victim
- the victim clicks on a link or an attachment
- an exploit is used to compromise the user's system
- additional software is then used to establish a foothold and exfiltrate data


What can you do about this?

At each step, try to see how you could possibly intercept the attack. For example, conduct your own phishing exercises. With permission, register a hotmail/gmail/yahoo mail account using an executive's e-mail address. Send an e-mail to all employees using this from address and see how many people click. Direct them to a nice but educational page telling them how they may have been hacked this way, and what to look for.

This way, you gain a bit of awareness, but you also gain hard numbers on how many people in your organization would have clicked on the link. This is critical to demonstrate the size of the issue to management in order to obtain resources to defend against this threat.

Next, prevent the infection of the system. Patching still helps; not all attackers use 0-day attacks. But more importantly, reduce the attack surface by removing unneeded software (Java, Flash, Office...). Office may be a hard one to remove, but limit it to the pieces of the package that are actually needed. It will save you on licensing fees too.

Consider whitelisting. While not perfect, if done right, it is a lot better than antivirus.

And finally in this very brief list: Don't forget some kind of exfiltration or data leakage protection. Look for anomalies more than for signatures. The better you know what is normal on your network, the better your chances of detecting bad stuff.
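An added example (not from the ISC diary or the Mandiant report) of the two checks the diary recommends: matching proxy logs against a list of indicators, and flagging hosts whose outbound volume is anomalous. The indicators and log lines are constructed placeholders; a practitioner would load the report's own indicator lists in their place.

```python
import re
from collections import defaultdict

# Constructed placeholder indicators (NOT values from the Mandiant report).
IOC_DOMAINS = {"example-c2.invalid", "update-check.invalid"}
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample proxy log: timestamp client method host bytes_out
SAMPLE_LOG = """\
2013-02-20T09:01:10 10.0.0.5 GET www.example.org 512
2013-02-20T09:02:41 10.0.0.5 POST example-c2.invalid 20480
2013-02-20T09:03:02 10.0.0.9 GET 198.51.100.23 300
2013-02-20T09:05:00 10.0.0.5 POST example-c2.invalid 1048576
2013-02-20T09:06:00 10.0.0.7 GET www.example.net 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, nbytes = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": host, "bytes": int(nbytes)}


def ioc_hits(log_text):
    """Signature check: (client, host) pairs whose destination is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (rec["host"] in IOC_DOMAINS or rec["host"] in IOC_IPS):
            hits.append((rec["client"], rec["host"]))
    return hits


def egress_outliers(log_text, baseline_bytes):
    """Anomaly check: clients whose total outbound bytes exceed the site baseline.

    baseline_bytes is what you have measured as normal per host for the window;
    this catches exfiltration even when the destination is not on any list.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            totals[rec["client"]] += rec["bytes"]
    return {c: b for c, b in totals.items() if b > baseline_bytes}


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(SAMPLE_LOG))
    print("Egress outliers:", egress_outliers(SAMPLE_LOG, 100_000))
```

Both functions run over the same log so that a host like 10.0.0.5 shows up twice: once by indicator and once by volume, which is the kind of corroboration the diary asks for.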

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 

Apple has also provided an update for Java: http://www.apple.com/support/downloads/ . Update 13 addresses a number of security issues and should be applied to Apple systems sooner rather than later. Details on what the Java update fixes can be found here: http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html



Not sure whether this addresses the issue that has been reported in relation to the breach of Apple, which according to the articles I've seen has been attributed to a Java issue.

Mark H

 

Educause, the keeper of the .edu TLD, is reporting that a server used to hold user profiles was breached and data was exfiltrated. For the most part, this will not affect our readers, unless you are in charge of a .edu domain and have an account with EDUCAUSE as a result. You should have received an e-mail from EDUCAUSE asking you to reset your password. Evidently EDUCAUSE uses informz.net to send these notices, and we had readers suggesting that they are phishing e-mails. Regardless: Don't click on the link in the e-mail. Go to the EDUCAUSE site and change your password if you think you may be affected.

http://www.educause.edu/sb

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 

(I originally wrote update 14, but turns out this is update 15)

Oracle released update 15 for Java 7 and update 41 for Java 6 today. I haven't seen any specific security content yet, but Oracle states that "The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0", which is the maximum possible score and indicates remote compromise.

Apple users: If you think you are safe, check today's news about how Apple itself got compromised via a Java vulnerability (maybe this is why Apple was so quick in disabling the Java plugin via X-Protect).

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

Once you are done patching (if you still have Java installed), head to browsercheck.qualys.com to make sure all the other plugins are up to date.



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Google's famed "triumvirate" -- Larry Page, Sergey Brin and Eric Schmidt -- will give oral statements over the coming weeks as part of a private antitrust suit brought against Google and six other technology companies by former employees.
 
Mozilla is taking steps to limit the risk of powerful subordinate Certificate Authority (CA) certificates falling into the hands of attackers and potentially being used to issue rogue certificates for use in SSL snooping attacks.
 
With Microsoft making a big push with its free email service Outlook.com, Google's Gmail and Yahoo Mail suddenly have a serious new rival.
 
Banks in Asia Pacific are expected to grow IT spending by 8.8% in the coming year according to IDC Financial Insights. This is higher than the 7% growth experienced during 2012, noted Michael Araneta, consulting and research Director for IDC Financial Insights Asia/Pacific.
 
HTC announced its new flagship HTC One smartphone on Tuesday, which HTC Americas President Mike Woodward dubbed "the best phone ever made."
 
Mozilla today released Firefox 19, adding a built-in PDF viewer to the browser and patching 13 security vulnerabilities.
 
Demand for services and the need to ensure patient safety drive IT spending at St Teresa's Hospital.
 
 
Firefox 19 brings a PDF viewer written in JavaScript, which should reduce reliance on PDF reader plugins, and fixes four critical flaws that are also corrected in Thunderbird, Firefox ESR, Thunderbird ESR and SeaMonkey.


 
Apple on Tuesday said it was a victim of a malware attack when a small number of systems inside the company were compromised.
 
Google may be taking a page from Apple as it considers opening brick-and-mortar retail stores, according to reports.
 
Outlining its flash strategy for the next two years, NetApp said today that it will begin selling an enterprise-class all-flash array this year and it announced a purpose-built flash storage architecture for 2014.
 
Foswiki Security: Alert CVE-2013-1666 - Remote Code Execution Vulnerability in MAKETEXT macro.
 
FreeBSD Security Advisory FreeBSD-SA-13:02.libc
 
SQLi found in Kodak Insite
 
Microsoft Tuesday will demonstrate for the first time an integration between its Lync enterprise IM, audio and video conferencing server and its Skype consumer counterpart, the latest Microsoft response to the consumerization of IT trend.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0754 Remote Code Execution Vulnerability
 
FreeBSD Security Advisory FreeBSD-SA-13:01.bind
 
Canonical has introduced the Ubuntu tablet interface, which will compete with Android, iOS and Windows with its own take on multitasking and advanced security features. The launch is the next step in Canonical's quest to unify phones, tablets, PCs and TVs.
 
Hewlett-Packard is set to deliver a new blade that will quadruple the virtual desktops that can be deployed from one server compared to the company's previous offerings.
 
The British Phonographic Industry is seeking to block file-sharing sites Fenopy, H33t and Kickass Torrents, the BPI said on Tuesday.
 
HTC has declared the end of megapixels with its new One smartphone, which has a 4.7-inch screen and a redesigned camera that can capture sharper images.
 
A flood of phishing mail saw the university's security team act by blocking the forms on Google Docs that the phishing victims were being sent to. The block was temporary, but the security team hopes the message about phishing lingers.


 
The so-called 'Internet of everything,' the rapidly approaching world where objects from refrigerators to factory robots can talk to people and other machines, will create a massive business opportunity worth $14.4 trillion over the next decade, according to a new study from Cisco Systems.
 
Joe Lieberman (I-Conn.) retired in January after quite a colorful two-dozen years in the U.S. Senate. One of the major issues he pushed for during his last few years in office was protection of the U.S. critical infrastructure. Along with Sen. Susan Collins (R-Maine), Lieberman put forth a series of bills aimed at requiring some level of protection for such infrastructure, the last of these being voted down in November.
 
The global market for business intelligence software will hit $13.8 billion in 2013, but the pace of growth will be slower than in past years, according to new figures from analyst firm Gartner.
 
Amazon Web Services has introduced OpsWorks, a cloud-based platform powered by the Chef framework, which will give enterprises more integrated tools for managing the complete application life cycle.
 
Security company Mandiant has provided evidence of conspicuous correlations between the best-known Chinese hacker group and a Chinese military unit.


 
As Microsoft pushed Outlook.com out of preview mode today, analysts said the company's "Scroogled" attack ads, which fired shots at Google's Gmail two weeks ago, were effective.
 
Being an introvert isn't the end of the world or your career. However, to be successful in the IT field today, you've got to overcome shyness and learn that it's OK to ask for (and offer) help.
 
After a lull, the race to add more processor cores to chips continues. Tilera is developing a new chip that will have more than 100 processor cores as the company looks to outperform ARM and Intel processors in Web-specific tasks.
 
Nvidia hopes to power sub-$200 smartphones and tablets under $300 with its latest Tegra 4i processor, which is also the company's first chip with an integrated LTE modem.
 
Chipmaker LSI is taking ARM-based processors to new frontiers with its upcoming AXM5500 family, which will be used in mobile base stations of all sizes.
 
Microsoft Windows 'Win32k.sys' CVE-2013-1271 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1274 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1267 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1266 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1270 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1268 Local Privilege Escalation Vulnerability
 
Cisco on Tuesday introduced small cell hardware and intelligent software designed to help carriers and enterprises improve wireless connections over hybrid networks made of 3G and 4G cellular and Wi-Fi technologies.
 
Cisco's long-anticipated entry into cellular base stations will come at Mobile World Congress next week, along with the company's familiar promise of an end-to-end architecture.
 
Burger King saw a surprising upside after its Twitter account was compromised on Monday: tens of thousands of people began following its account.
 
Microsoft Windows 'Win32k.sys' CVE-2013-1257 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1256 Local Privilege Escalation Vulnerability
 
Microsoft Windows 'Win32k.sys' CVE-2013-1251 Local Privilege Escalation Vulnerability
 
Microsoft has moved its email service Outlook.com out of the preview phase, and plans a marketing campaign to boost its adoption worldwide.
 
Tizen, the open-source project backed by Intel and Samsung Electronics, has released to software developers and device makers the software development kit and source code for a new version of its operating system.
 
In the second part of a three-part series, we look at two companies that have chosen Joomla as their content management system.
 
While first day sales for Microsoft's Surface RT tablet attracted a long line in Beijing back in October, demand for the device in China has been low, as shipments reached only 30,000 units during the fourth quarter, according to research firm IDC.
 
The restriction on modifying account details that was introduced in iOS 6 is easily bypassed.


 
Microsoft .NET Framework CVE-2013-0073 Remote Privilege Escalation Vulnerability
 
A new report traces a large cybersecurity threat group to China's People's Liberation Army, specifically a unit that goes under the cover name "Unit 61398".
 
We are standing in a parking lot in the city of Malmö, southern Sweden, one of the many places Peter Sunde now calls home. The sky above us is grey, as usual at this time of year. Just as the parking meter spits out our ticket, a young man driving much too fast on a motorcycle roars up behind us. He is followed by a police car, sirens blaring and blue lights flashing.
 
Oracle Sun Products Suite CVE-2013-0399 Local Solaris Vulnerability
 

Posted by InfoSec News on Feb 18

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

By DAVID E. SANGER, DAVID BARBOZA and NICOLE PERLROTH
The New York Times
February 18, 2013

On the outskirts of Shanghai, in a run-down neighborhood dominated by a
12-story white office tower, sits a People’s Liberation Army base for
China’s growing corps of cyberwarriors.

The building off Datong Road, surrounded by restaurants, massage...
 