InfoSec News


More on the LNK vulnerability. In addition to our first report from Handler Joel and the Infocon raise from Handler Lenny, there is now a Metasploit module that implements the exploit using the WebDAV method.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Nokia Siemens Networks' acquisition of most of Motorola's cellular networks business may be the last move in a long game of consolidation in the industry, which has been hammered by price pressures.
 
Dell announced Monday that it plans to acquire Ocarina Networks, a maker of hardware and software designed to reduce the amount of storage capacity enterprises need, for an undisclosed sum.
 
Information security is an exalted field. Exalted both in the sense of "noble" and in the sense of "inflated". We practice security as a dark art, a complex discipline of insiders with obscure acronyms. Even more than other areas of IT, security professionals are a "special" breed, as one can clearly see by the many certifications following our names, almost like titles of nobility. Yes, security is complex and esoteric. No, it should not be the practice of the few, but the practice of the many.
 
Google's second-quarter financial report last week provided further signs that, after years of trying, Google may finally be seeing material results from emerging businesses that could help it diversify from search advertising, which still generates most of its revenue.
 
A Microsoft advisory warns users about targeted attacks against a new Windows Shell zero-day vulnerability.

 
IBM on Monday announced second-quarter earnings of $23.7 billion and earnings of $2.61 per share, an increase of 2% and 13% respectively over the same period last year. Net income rose 9 percent to $3.4 billion.
 
 
We observed an increase in UDP connections to port 5060. This port is typically used for VoIP connections using the SIP protocol. The activity is indicative of attempts to locate weakly-configured IP PBX systems, probably to brute-force SIP passwords. Once the attacker has access to the account, they may use it to make or resell unauthorized calls. The attacker may also use the access to conduct a voice phishing (vishing) campaign.

We observed a similar up-tick a few months ago. At the time, the activity was attributed to SIP brute-forcing that probably originated from systems running in Amazon's EC2 cloud.
As described on the Digium blog, publicly-accessible SIP systems are seeing large numbers of brute-force attacks. Systems with weak SIP credentials will be compromised, similarly to how email accounts can be compromised by guessing the credentials. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly.
One way to review your SIP exposure is to use the free SIPVicious toolkit. Interestingly, SIPVicious now includes a tool for crashing unauthorized SIPVicious scans.
A few security recommendations for those using the popular Asterisk IP PBX tool:

Automatically Block Failed SIP Peer Registrations
Seven Steps to Better SIP Security with Asterisk

Thanks to Adam Fathauer and Thomas B. Rücker for sharing the details of some of the malicious activities with us! Also, thanks to ISC handler Donald Smith for his insights on this topic.
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.
 
VeriSign has begun offering free malware scanning services to customers that use its SSL certificates. The goal is to make sure those customers' Web sites aren't inadvertently hosting malware that could infect visitors.
 
The new tools allow developers to turn off individual extensions and navigate code files
 
Facebook is hoping to hit a major milestone this week and expects to grab its 500 millionth user.
 
Contemporary IT infrastructure and applications operate in an extreme environment barely envisioned a decade ago, pushing networks to the limit and challenging the security industry to keep pace.
 
Security organizations today raised Internet threat levels to warn users that they expect widespread attacks using exploits of a just-acknowledged critical bug in all versions of Windows.
 
Intel introduced a six-core Core i7 desktop processor targeted at enthusiasts like gamers, while also cutting prices of some desktop and server chips by up to 48%.
 
The iPhone 4's antenna and reception problems have given pause to two out of three current iPhone owners, who said they would postpone upgrading to the new model, said research firm IDC.
 
Network stress testing tools are not for the underfunded, the underskilled or the faint of heart. Consider them carefully before deciding whether to purchase them or how to use them.
 
OS X 10.5 and 10.6 both have the robust Screen Sharing program built in. It lets you access other 10.5 and 10.6 systems, and it's backward-compatible with the industry-standard VNC (virtual network computing) protocol. Unfortunately, on its own, that program alone isn't very good at reaching out over the Internet; it's best for connecting to computers that are hooked up to the same router, using Bonjour.
 
When you've got the basics covered, but you still don't feel secure, what can you do? Here are a few advanced security tips to help you thwart some of today's most common attacks.
 
Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, says one Black Hat 2010 speaker.
 
With everything running painfully slow, Dorslo discovered the one process that was to blame. The Answer Line forum suggested what to do.
 
We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.
Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.
We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory, which described the bug "Windows Shell Could Allow Remote Code Execution" and which affects most versions of the Windows operating system. Microsoft's workarounds for the issue include:

Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, which is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
Disable the WebClient service. This will break WebDAV and any services that depend on it.

Another approach to mitigating a possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta software operating in the OS kernel, so it's probably not a good match for enterprise-wide roll-out.
Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:

Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.

Sadly, enterprises that are ever likely to disable auto-run and lock down SMB file shares have probably done so already, back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these operating systems. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will improve enterprises' ability to detect and respond to attacks that may use the LNK vulnerability.
Update: Several readers recommended focusing on preventing unauthorized code from running by using approaches such as application whitelisting. For instance, Richard and Erno mentioned AppLocker, which is an enterprise software control feature built into Windows 7. Erno wrote, "My solution is standard user accounts and Software Restriction Policy or AppLocker in Group Policy. You can block execution of any files on removable drives or network drives, or actually pretty much anywhere except system folders. In my networks I only allow execution from Windows and Program Files. Remember to apply the software restriction policy for all executable files, including libraries (dlls)." By the way, this is the kind of approach Jason Fossen and I explore in the new course we are about to debut, called Combating Malware in the Enterprise.
Do you have recommendations for addressing the LNK issue? Let us know.
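As an added example (not part of the diary, Microsoft's advisory or KB967715), a read-only PowerShell audit of the workaround state described above on a single host: shortcut icon handler cleared, WebClient service disabled, and autorun of removable media off. It assumes that the autorun control honoured by KB967715 is the NoDriveTypeAutoRun policy value (0xFF turns autorun off for every drive type) and that the icon-display workaround clears the default value of HKCR\lnkfile\shellex\IconHandler; neither key is named on this page, so confirm both against the current advisory before acting on the result.

```powershell
# Added example, not taken from the ISC diary or from Microsoft's advisory.
# Read-only audit of the LNK workaround state on this host; run elevated.
# Assumed (not stated on the page): KB967715's autorun control is NoDriveTypeAutoRun
# (0xFF = autorun off for all drive types), and the icon workaround clears the
# default value of HKCR\lnkfile\shellex\IconHandler. Nothing here changes settings.
function Get-LnkWorkaroundStatus {
    # Workaround 1: shortcut icon handler cleared. A missing key or an empty
    # default value both count as "applied".
    $iconKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    $handler = $null
    if (Test-Path $iconKey) {
        $handler = (Get-ItemProperty -Path $iconKey -ErrorAction SilentlyContinue).'(default)'
    }

    # Workaround 2: WebClient service disabled and not running. As the diary
    # notes, this also breaks WebDAV and anything that depends on it.
    $webClient = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $webClientOff = ($webClient -eq $null) -or
                    ($webClient.StartMode -eq 'Disabled' -and $webClient.State -ne 'Running')

    # Recommendation: autorun of removable media disabled (KB967715).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = $null
    if (Test-Path $policyKey) {
        $autorun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }

    # One object per host, so results from many machines can be collected and filtered.
    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        IconHandlerCleared = [string]::IsNullOrEmpty($handler)
        WebClientDisabled  = $webClientOff
        AutorunDisabled    = ($autorun -eq 0xFF)
    }
}

Get-LnkWorkaroundStatus | Format-List
```

Any property reporting False is a workaround that is not in place on that host; the SMB share permissions and AppLocker/SRP recommendations are not checked here.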
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.

 
A new Microsoft advisory warns users about targeted attacks against a new Windows Shell zero-day vulnerability.
 
Rackspace's contribution of code to a new open-source project called OpenStack could help establish a counterweight to larger and proprietary players like Amazon's Elastic Compute Cloud (EC2), according to some observers.
 
Ignorance and seemingly innocent activities can subject you to fines, lawsuits, and even jail. Here's how to play it safe.
 
Dell, through its Kace unit, is making available free Web browser security software that works by creating a protective "sandbox" on the desktop to isolate the user's desktop from malware or other harmful actions that might be encountered browsing the Web.
 
Motorola has found a buyer for its wireless network equipment unit: Nokia Siemens Networks will pay $1.2 billion for most of that business.
 
A security researcher on Sunday published a working exploit of a critical Windows vulnerability, making it more likely that attacks will spread.
 
On Thursday, a day before Apple CEO Steve Jobs held a press conference about the iPhone 4's antenna problems, the San Mateo County District Attorney's office withdrew the search warrant previously issued for Gizmodo editor Jason Chen's home in the case of the stolen iPhone prototype.
 
When Intel Corp. posted its best quarter ever this past week, industry watchers noted that the good news extends beyond the chip maker and touches on the high-tech industry and possibly the U.S. economy.
 
HTML 5 may be the next big thing in online video, but you've got to know what to do with it. We explain the ins and outs of the new video tag.
 
Engineering research and development spending increased overall during the recession, but more of this spending is moving offshore, according to a new study by Booz & Co.
 
InfoSec News: Fictitious femme fatale fooled cybersecurity: http://www.washingtontimes.com/news/2010/jul/18/fictitious-femme-fatale-fooled-cybersecurity/
By Shaun Waterman The Washington Times July 18, 2010
Call her the Mata Hari of cyberspace.
Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.
A handful of pictures on her Facebook page included one of her at a party posing in thigh-high knee socks and a skull-and-crossbones bikini captioned, "doing what I do best."
"Sorry to say, I'm not a Green Beret! Just a cute girl stopping by to say hey!" she rhymingly proclaimed on her Twitter page, concluding, "My life is about info sec [information security] all the way!"
And so it apparently was. She was an avid user of LinkedIn - a social-networking site for professionals sometimes described as "Facebook for grown-ups." Her connections on it included men working for the nation's most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.
But Robin Sage did not exist.
Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."
[...]
 
InfoSec News: 15 nations agree to start working together to reduce cyberwarfare threat: http://www.washingtonpost.com/wp-dyn/content/article/2010/07/16/AR2010071605882.html
By Ellen Nakashima Washington Post Staff Writer July 17, 2010
A group of nations -- including the United States, China and Russia -- have for the first time signaled a willingness to engage in reducing the [...]
 
InfoSec News: New virus targets industrial secrets: http://www.networkworld.com/news/2010/071710-new-virus-targets-industrial.html
By Robert McMillan IDG News Service July 17, 2010
Siemens is warning customers of a new and highly sophisticated virus that targets the computers used to manage large-scale industrial control [...]
 
InfoSec News: Cyber protection: http://www.sbsun.com/business/ci_15535794
By Rebecca U. Cho Staff Writer The Sun 07/16/2010
A shortage of experts to protect the U.S. against hackers has led the government to cast a wide net for talent - and next week that net lands at Cal Poly Pomona. [...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-28:
The Secunia Weekly Advisory Summary 2010-07-10 - 2010-07-17
This week: 106 advisories [...]
 
InfoSec News: Microsoft confirms 'nasty' Windows zero-day bug: http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug
By Gregg Keizer Computerworld July 17, 2010
Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives. [...]
 
InfoSec News: Linux Advisory Watch: July 17th, 2010: LinuxSecurity.com Linux Advisory Watch, July 17th, 2010, Volume 11, Number 29 [...]
 
InfoSec News: Damn Vulnerable Linux - The most vulnerable and exploitable operating system ever!: http://www.geek.com/articles/news/damn-vulnerable-linux-the-most-vulnerable-and-exploitable-operating-system-ever-20100717/
By Matthew Humphries Geek.com July 17, 2010
Usually, when installing a new operating system the hope is that it's as up-to-date as possible. [...]
 

Posted by InfoSec News on Jul 18

http://www.washingtontimes.com/news/2010/jul/18/fictitious-femme-fatale-fooled-cybersecurity/

By Shaun Waterman
The Washington Times
July 18, 2010

Call her the Mata Hari of cyberspace.

Robin Sage, according to her profiles on Facebook and other
social-networking websites, was an attractive, flirtatious 25-year-old
woman working as a "cyber threat analyst" at the U.S. Navy's Network
Warfare Command. Within less than a month, she...
 

Posted by InfoSec News on Jul 18

http://www.washingtonpost.com/wp-dyn/content/article/2010/07/16/AR2010071605882.html

By Ellen Nakashima
Washington Post Staff Writer
July 17, 2010

A group of nations -- including the United States, China and Russia --
have for the first time signaled a willingness to engage in reducing the
threat of attacks on each others' computer networks.

Although the agreement, reached this week at the United Nations, is only
recommendations, Robert K....
 

Posted by InfoSec News on Jul 18

http://www.networkworld.com/news/2010/071710-new-virus-targets-industrial.html

By Robert McMillan
IDG News Service
July 17, 2010

Siemens is warning customers of a new and highly sophisticated virus
that targets the computers used to manage large-scale industrial control
systems used by manufacturing and utility companies.

Siemens learned about the issue on July 14, Siemens Industry spokesman
Michael Krampe said in an e-mail message Friday....
 

Posted by InfoSec News on Jul 18

http://www.sbsun.com/business/ci_15535794

By Rebecca U. Cho
Staff Writer
The Sun
07/16/2010

A shortage of experts to protect the U.S. against hackers has led the
government to cast a wide net for talent - and next week that net lands
at Cal Poly Pomona.

The 22 winners of a statewide competition that sought to identify
Californians with a talent for cyber security - the protection of
computers and networks against attacks - are set to...
 

Posted by InfoSec News on Jul 18

The Secunia Weekly Advisory Summary
2010-07-10 - 2010-07-17

This week: 106 advisories

Table of Contents:

1. Word From...
 

Posted by InfoSec News on Jul 18

http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug

By Gregg Keizer
Computerworld
July 17, 2010

Microsoft on Friday warned that attackers are exploiting a critical
unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2
(SP2) since Microsoft retired the edition from support, researchers
said. When Microsoft does fix the...
 

Posted by InfoSec News on Jul 18

LinuxSecurity.com Linux Advisory Watch
July 17th, 2010 Volume 11, Number 29

Editorial Team: Dave Wreski <dwreski () linuxsecurity com>
Benjamin D. Thomas <bthomas () linuxsecurity...
 

Posted by InfoSec News on Jul 18

http://www.geek.com/articles/news/damn-vulnerable-linux-the-most-vulnerable-and-exploitable-operating-system-ever-20100717/

By Matthew Humphries
Geek.com
July 17, 2010

Usually, when installing a new operating system the hope is that it's as
up-to-date as possible. After installation there's bound to be a few
updates required, but no more than a few megabytes. Damn Vulnerable
Linux is different, it's shipped in as vulnerable a state as...
 
