InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A person known by the alias w3bd3vil on Twitter released an HTML snippet that will cause the 64-bit version of Windows 7 to blue screen when viewed in Safari. The underlying vulnerability, however, is not a flaw in Safari but rather a flaw in the Windows kernel-mode device driver win32k.sys.
The proof-of-concept code by w3bd3vil only triggers a system crash. However, the crash is the result of memory corruption, and there is a possibility that this flaw could be used to execute arbitrary code. To accomplish this, an attacker would also need to work around Windows 7 protections like DEP and ASLR; how to bypass these protections has been shown for other exploits.
Successful code execution would be very serious in this case. Win32k.sys, as kernel-mode code, runs with system privileges, so an attacker would obtain full access, exceeding the privileges of the user triggering the code.
Quick summary: Watch out for more on this over the next few days. This could evolve either into a local privilege escalation issue or a remote code execution as admin problem, in particular if it can be triggered by more popular browsers (Internet Explorer, Firefox, Chrome).

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Qualcomm's co-founder and former chairman and CEO, Irwin Jacobs, will retire from the mobile technology company's board next year, Qualcomm announced Tuesday.
Linux Kernel kexec-tools 'kdump/mkdumprd' Utility Information Disclosure Vulnerability
In another blow to Android, a judge at the U.S. International Trade Commission issued an initial determination that Motorola Mobility infringes four claims of a Microsoft patent. The judge also found that Motorola does not infringe claims related to six other Microsoft patents.
Oracle's net income for the second quarter ended Nov. 30 rose 17 percent to US$2.2 billion, with software sales rising but hardware-related revenue falling, the company reported Tuesday. Revenue for the quarter rose 2 percent to $8.8 billion.
Koha 'KohaOpacLanguage' Cookie Parameter Local File Include Vulnerability
LightSquared has asked the U.S. Federal Communications Commission to affirm its right to use its radio spectrum, possibly setting the stage for a legal battle over interference between its planned mobile data network and GPS receivers.
The U.S. Department of Justice is reviewing a proposed $3.6 billion spectrum purchase by Verizon Wireless, a spokeswoman there said Tuesday.
Koha 'help.pl' Local File Include Vulnerability
While 2011 was not a breakthrough year for Microsoft products, the company held steady amid criticism regarding its absence from the tablet market, its late arrival to the cloud, and low sales for Windows Phones.
Twitter plans to open source some of the Android security products built by the developers behind Whisper Systems, which Twitter acquired last month.
Mozilla and Google today said that they had struck a new search deal that will provide "significant revenue" to the maker of Firefox.
SAP and Google executives on Tuesday provided a preview of the companies' plans to tie their respective cloud-based business applications together, but a number of details have yet to be finalized.
A hearing to debate and amend the controversial Stop Online Piracy Act (SOPA) in the U.S. House of Representatives has been delayed, likely until early next year.
A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals as they work to protect personal computers as they start up. The first ...
T-Mobile USA will receive spectrum licenses in 128 U.S. markets and a seven-year roaming agreement that will expand its reach by 50 million potential subscribers, in addition to US$3 billion cash, after AT&T dropped its deal to merge with T-Mobile.
Re: ESA-2011-039: RSA(r), The Security Division of EMC, announces security fixes and improvements for RSA SecurID(r) Software Token 4.1 for Microsoft(r) Windows(r)
The partial legal victory that Apple won Monday against HTC won't affect either company's short-term sales but could play an important part in Apple's long-range attempt to stymie Android's march, an expert said today.
Six editors from IDG Enterprise (Computerworld, CIO.com, CSO) discuss IT trends for 2012. Topics include the consumerization of IT, where security threats will come from, the rise of big data and the cloud, and the IT economy.
Linux Kernel 'kdump' and 'mkdumprd' OpenSSH Integration Remote Information Disclosure Vulnerability
Apple has apparently agreed to purchase Anobit Technologies, an Israeli start-up that makes enterprise-class SSDs based on consumer-grade NAND flash chips.

Nation's nuclear power watchdog comes up short on infosec compliance
By George V. Hulme, CSO | Security, December 20, 2011, 10:09 AM — Like most big organizations with complex infrastructures, the Nuclear Regulatory Commission (NRC) is having trouble consistently maintaining its vulnerability and risk ...

Google has paid $94 million for a stake in four photovoltaic power generation projects around Sacramento, California, bringing its total investment in renewable energy generation this year to $880 million, it announced Tuesday.
The prevalence with which hackers are handing out headaches to IT security pros will have a big upside for vendors in the coming year, according to new figures from Canalys.
Hard drive shortages peaked in October, pushing up prices by as much as 150%, but supplies and prices appear to be leveling off and may give online consumers much-needed relief in the weeks ahead.
Tiki Wiki CMS Groupware Stored Cross-Site-Scripting
Multiple vulnerabilities in PHPShop CMS Free
Re: SASHA v0.2.0 Multiple XSS
[security bulletin] HPSBUX02697 SSRT100591 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities

Every year the holiday season is a boon to typosquatters using scams to phish unsuspecting users of sensitive information or peddle rogue antivirus software.

By Hillary O’Rourke, Contributor

With the hassle of finding the best deal and coping with the constant crowds, online shopping has never been more popular for the holiday season. But with that ease comes a warning from Websense: keep an eye out for online scams, particularly typosquatted sites.

Researchers at security research company Websense, Inc. are warning online holiday shoppers about typosquatted domains: domains that cybercriminals have registered as malicious look-alike copies of familiar sites, in the hope of catching those who mistype the URL.

Websense researchers claim they have recently found more than 2,000 typosquatted domains. Websense published a list of domains it found as part of a network of typosquatters posing as legitimate UK brand-name sites. Websense said it has a “list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.”

Researchers also report that even where the brand name is spelled correctly in the domain, cybercriminals have registered the same name under the “.org” or “.net” suffixes. They added that they have seen a recent influx of these fraudulent domains in preparation for the holiday season.

The attackers often use these websites in fake emails and phishing sites in an attempt to lure consumers to claim online coupons. After a user clicks on the provided link, a pop-up shows up in another window with a different offer.

It’s important to remember that legitimate websites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site’s name. This is a good strategy for successful websites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon (dot) com, amaxzon (dot) com, amzon (dot) com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon.

Typosquatting is used to quickly gain advertising revenue from sites receiving a high volume of accidental traffic. More recently, however, it’s often more about collecting as much information as the cybercriminals can get. With the holiday season in full swing, cybercriminals should expect to see success in both of those areas.

As Websense puts it, it’s all “to ensnare the unaware.”

Legislation is aimed at stopping piracy, but security professionals and industry groups say it could weaken security, hamper innovation and limit competition among small businesses and startups.

Google and Oracle continue to differ over when their lawsuit over alleged Java intellectual property violations in the Android mobile OS should begin, according to a joint filing the companies made late Monday in U.S. District Court for the Northern District of California.
A year ago I wrote that 2011 would be a year in which the Internet would "be under a multi-pronged attack that threatens to change it irrevocably in ways that may destroy much of the Internet's potential." Well, 2011 has come and mostly gone, and it turned out that my pessimism may have been misplaced but not invalid.
From more affordable virtualization to cloud everything to gigabit wireless to NAS appliances, small businesses have a lot to watch for in 2012. To help you plan for the year ahead, check our picks for top tech trends of 2012 -- all cast with the needs of small businesses in mind.
A popular Android application for Muslim users has been curiously hacked to commemorate the memory of a Tunisian produce vendor whose suicide kicked off anti-government protests in the country a year ago.
With the year drawing to a close, one thing seems abundantly clear: There are still an awful lot of ERP and other software projects running off the rails out there.
D-Link DSL Router Remote Authentication Bypass Vulnerability

Security's 2011 Women of Influence Winners Named
The 2011 Women of Influence Awards, co-presented by Alta Associates and CSO Magazine, recognize outstanding women in infosec careers. By Joan Goodchild The 2011 Executive Women's Forum "Women of Influence" Awards were celebrated recently at the annual ...

Data downloads and Web browsing on new LTE-ready smartphones were slightly faster on AT&T's new 4G LTE network than on the far more widely deployed 4G LTE network of rival Verizon.
Microsoft intends to ask the court to dismiss a Novell antitrust lawsuit, after a hung jury in Utah could not come to an accord on the case last week.
Although millions have downloaded Microsoft's Windows 8 developer preview, relatively few are actually using it, Web measurements show.
In testing cloud computing services and observing the growth of cloud activities, we've noticed that there are distinct phases that organizations go through in adopting cloud.
Developer release planned; open source organization asserts trademark protection
Most big companies rolled out their first ERP systems more than a decade ago. Now one in four businesses plans to upgrade or roll out a new ERP system.
Seagate Technology said Tuesday it has completed the acquisition of the hard disk drive (HDD) business of Samsung Electronics, after it recently received approval for the deal in Australia, China, and the European Commission.

Posted by InfoSec News on Dec 19


By Rebecca Wanjiku
December 19, 2011

In reaction to rising cybercrime incidents in both public and private
sectors, some African governments have set up incident reporting and
early warning bodies with the support of AfriNIC (Africa Network
Information Center).

South Africa, Kenya, Morocco, Ivory Coast and Tunisia have set up

Posted by InfoSec News on Dec 19


The Secunia Weekly Advisory Summary
2011-12-08 - 2011-12-15

This week: 161 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Dec 19


By Jeffrey Roman
Associate Editor
Bank Info Security
December 16, 2011

More than 200,000 payment card accounts have been compromised in a data
breach at Restaurant Depot, a food service wholesaler, and the
fraudsters are believed to be based in Russia, says Stanley Fleishman,

Forensic investigators hired by the wholesaler determined hackers were
able to obtain magnetic stripe...

Posted by InfoSec News on Dec 19


By Kim Zetter
Threat Level
December 19, 2011

A government digital forensic expert examining the computer of accused
WikiLeaks source Bradley Manning retrieved communications between
Manning and an online chat user identified on Manning’s computer as
“Julian Assange,” the name of the founder of the secret-spilling site
that published hundreds of thousands of U.S....

Posted by InfoSec News on Dec 19


By Wang Tian
People's Daily
December 20, 2011

Edited and translated by People's Daily Online

A Dec. 14 report by Bloomberg claimed that the networks of at least 760
companies, research universities, Internet service providers and
government agencies in the United States have been hit by the same elite
group of China-based cyber spies over the last decade.

The companies range...

Posted by InfoSec News on Dec 19


By Gregg Keizer
December 19, 2011

IBM, Hewlett-Packard (HP) and Microsoft led the list of companies that
failed to patch vulnerabilities within six months of being notified by
the world's biggest bug bounty program, according to HP TippingPoint's
Zero-Day Initiative (ZDI).

During 2011, TippingPoint -- a division of...

Posted by InfoSec News on Dec 19


By Mathew J. Schwartz
December 19, 2011

Federal authorities Friday announced the indictment of 55 people for
participating in a cyber crime fraud ring that relied on insiders to
steal hundreds of people's personal details from a bank and a car
dealer, among other organizations. The stolen information was then used
to defraud both the victims, as well as the...