InfoSec News

Those of you who are Apple users will no doubt have noticed a few updates to Safari, but more importantly an update to the Snow Leopard O/S. Lion is out today. A few of us are Apple users and are already in the process of installing/updating the product.
Unlike previous upgrades, this one is delivered digitally through the App Store on the Mac. It is a 3.7GB update, so you will likely want to download it when connected to something cheaper than your 3G card.
No major issues have been identified so far, but it is early days. One change is that Rosetta is no longer installed, so some older applications may no longer work. In other words, Lion is not fully backwards compatible with software you might be running.
Over the next few days, if there is anything of significance to report, one of the handlers will let you know. As always, if you have anything to add, feel free to comment or contact us.
-- Mark -- (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This one started with ISC reader Lorenzo spotting a suspicious EXE download in his proxy logs. Sorting and analyzing the logs further led him to the page that actually triggered the download... and from there, he discovered a slice of what is behind those poisoned Google Image Searches that we covered earlier.
In a nutshell, there are websites running PHP and a vulnerable version of (what we believe so far to be) WordPress or Joomla.
Once hacked, the bad guys add some custom malicious PHP.
The custom PHP uses Google Trends and other web sites with trending statistics to find out what people are currently interested in. From this, the PHP generates lots of links for these topics, pointing to itself and to other similarly infected pages. Politely enough, the current version of the PHP keeps a log file of sorts of its activity, and this log file is accessible, looking something like this (defanged to keep your anti-virus from panicking :)
<a href=http://domain-removed/js/ajax.php?p=social-security-checks>social security checks</a>
<a href=http://domain-removed/js/ajax.php?p=rebecca-nalepa>rebecca nalepa</a>
<a href=http://domain-removed/js/ajax.php?p=droid-bionic>droid bionic</a>
<a href=http://domain-removed/js/ajax.php?p=marilyn-monroe-statue>marilyn monroe statue</a>
<a href=http://domain-removed/js/ajax.php?p=murdoch>murdoch</a>
<a href=http://domain-removed/js/ajax.php?p=facebook>facebook</a>
<a href=http://domain-removed/js/ajax.php?p=iphone-5-release-date>iphone 5 release date</a>
<a href=http://domain-removed/js/ajax.php?p=men-of-a-certain-age>men of a certain age</a>
<a href=http://domain-removed/js/ajax.php?p=george-anthony>george anthony</a>
<a href=http://domain-removed/js/ajax.php?p=toshiba-thrive>toshiba thrive</a>
One thing in common is the ?p=trendy-topic. If you search, for example, for
inurl:?p=casey-anthony inurl:php
in Google, chances are that a good bunch of the results are actually infected web sites. BEFORE YOU GO THERE: These search results are highly likely to return MALICIOUS content. As they say on TV: Don't try this at home, kids! As I say off TV: If you brick your PC or blackout your company, don't blame ME!
One of the search results, for example, is blog. ccdex.com/wp-admin/rtl.php?p=casey-anthony-jurors
In this case, you would go to blog. ccdex.com/wp-admin/log
... and lookie what you find: A long list of trending topics and other infected domains.
After trying a handful of these domains manually, Lorenzo wrote a script that recursively requested the log files, parsed them, requested the log files of the domains mentioned within each log, and so on. The result is currently about 100 domains that are hacked and used to poison the search results.
Our investigation is still ongoing; if we find any further clues, we'll update this diary. If you have been analyzing the same thing in the past days, please share what you found so far.
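As an added example (not Lorenzo's script or ISC code), here is a Python parser for the link-log format shown above, plus a proxy-log check for the ".php?p=trendy-topic" pattern that Lorenzo's first hit would have matched. It assumes a Squid-style space-separated access log with the URL in the fourth field; the hosts, log lines and proxy lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Each log entry is an <a href=...?p=trendy-topic>trendy topic</a> line.
LINK_RE = re.compile(r"<a\s+href=[\"']?(?P<url>https?://[^\s\"'>]+)[\"']?\s*>[^<]*</a>",
                     re.IGNORECASE)
# Trend slugs are hyphen-joined words; a legitimate WordPress permalink uses a
# numeric post id (index.php?p=123), which this pattern deliberately excludes.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")

# Constructed sample log in the shape shown above; hosts are placeholders.
SAMPLE_LOG = """
<a href=http://example-a.invalid/js/ajax.php?p=social-security-checks>social security checks</a>
<a href=http://example-b.invalid/wp-admin/rtl.php?p=casey-anthony-jurors>casey anthony jurors</a>
<a href=http://example-a.invalid/js/ajax.php?p=droid-bionic>droid bionic</a>
"""
# Constructed Squid-style access log: timestamp client method url status.
SAMPLE_PROXY = """\
1311163200.123 10.0.0.5 GET http://example-b.invalid/wp-admin/rtl.php?p=casey-anthony-jurors 200
1311163201.456 10.0.0.7 GET http://blog.example.invalid/index.php?p=123 200
1311163202.789 10.0.0.9 GET http://example-c.invalid/images/cache.php?p=iphone-5-release-date 200
"""

def looks_poisoned(url):
    """True when the URL is a .php file queried with a trend-slug ?p= value."""
    parts = urlsplit(url)
    topic = parse_qs(parts.query).get("p", [""])[0]
    return parts.path.lower().endswith(".php") and bool(SLUG_RE.match(topic))

def parse_link_log(text):
    """Return (host, path, topic) for every poisoned link in a log page."""
    entries = []
    for m in LINK_RE.finditer(text):
        parts = urlsplit(m["url"])
        if looks_poisoned(m["url"]):
            topic = parse_qs(parts.query)["p"][0]
            entries.append((parts.hostname.lower(), parts.path, topic))
    return entries

def linked_hosts(entries):
    """Distinct hosts the log points at: the next candidates to examine."""
    return sorted({host for host, _, _ in entries})

def suspicious_proxy_urls(log_text):
    """Proxy-log URLs that fit the .php?p=trend-slug pattern, for analyst review."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and looks_poisoned(fields[3]):
            hits.append(fields[3])
    return hits
```

Hits are leads for an analyst, not proof: a site can legitimately use hyphenated query values, so confirm by looking at the served content before acting on a host.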


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel's Atom microprocessor shipments declined during the second fiscal quarter of 2011, but the company reported strong profit growth even as it tried to diversify into the smartphone and tablet markets.
 
The new Google+ social site, out in limited beta release since late June, is growing its usage very quickly, but it remains far from a leadership position, according to Hitwise.
 
A U.S. House of Representatives subcommittee has voted to approve a bill that would require companies to notify affected customers about data breaches, and would require businesses holding personal information to establish data security programs.
 
 
Although State Street Corp. is laying off 530 IT workers and transferring another 320 jobs elsewhere, tech hiring nationally remains on the upswing so far this year.
 
Google has offered the first public indication that it may be willing to settle Oracle's lawsuit against it over the alleged infringement of Java patents in Google's Android OS.
 
A senior U.S. senator on Wednesday voiced opposition to AT&T's proposed acquisition of T-Mobile USA.
 
Oracle Enterprise Manager Grid Control Security Framework Session Modification Vulnerability
 
Apple today updated Safari to version 5.1, patching 58 security vulnerabilities and adding several new features, including sandboxing on Mac OS X 10.7.
 

Are NSA InfoSec Efforts Enough to Defend America in Cyber Warfare?
Top Secret Writers
These areas are not found on foreign soil or even outer space. The new frontier of warfare is Cyber Space. The methods and technologies used in this new virtual warfare are advancing on a daily basis. These advancements are being made so quickly that ...

 
This affordable operating system update is going to please a lot of users.
 
[Editor's note: This article is part of our series of articles on installing and upgrading to Lion.]
 
 
Dell's acquisition of Force10 Networks will fill a critical networking hole as the company buys its way into building an integrated technology stack for data centers, analysts said on Wednesday.
 
InterDigital on Tuesday said it was considering selling the company, and now the Wall Street Journal, citing unnamed sources, said Google is interested in scooping up the mobile chip technology developer.
 
The U.S. government will buy energy efficient electronics and will promote e-recycling under a new strategy.
 
Apple refreshed its MacBook Air line, equipping the notebooks with faster processors based on Intel's Sandy Bridge architecture and adding support for Thunderbolt that transfers data at speeds up to 10Gbps.
 
The FBI arrested 14 people this week thought to belong to the hacking group Anonymous over their alleged participation in attacks against PayPal. The raids come amid a recent spike in 'hacktivist' activity by Anonymous. Can the group survive the arrests to hack another day?
 
In its first SUSE-related product offering since it acquired Novell earlier last year, Attachmate has expanded the reach of SUSE Studio-based virtual appliances to include mainframes.
 
Tiki Wiki CMS Groupware 'snarf_ajax.php' Cross Site Scripting Vulnerability
 
Oracle has quietly made its Fusion Applications generally available, albeit with a caveat, but it seems that any serious fanfare over the long-awaited software may be reserved until the company's annual OpenWorld conference in October.
 
Increasing customer demand for big data technologies and cloud computing brought record financial results at EMC in the second quarter, the company reported Wednesday.
 
U.S. Marine Corps Gen. James 'Hoss' Cartwright, vice chairman of the Joint Chiefs of Staff, was sharply critical of the Defense Department's IT systems and sees much room for improvement.
 
[ MDVSA-2011:115 ] bind
 
XSS in Tiki Wiki CMS Groupware
 
OSI Security: Elitecore Cyberoam UTM - Authenticated Cross-Site Scripting Vulnerability
 
President Obama's proposed Identity Ecosystem seeks to lock down personal credentials, but is it actually feasible?


 
Researchers will demonstrate an Android phone drive-by attack using a vulnerability in Skype and the smartphone’s Webkit browser engine.

 
In a decade, Mac OS X evolved from a curious hybrid of the classic Mac OS and the NextStep operating system to a mainstream computer operating system used by millions. It was a decade of continual refinement, capped by the bug-fixing, internals-tweaking release of Snow Leopard in 2009.
 
MapServer Multiple Security Vulnerabilities
 
Oracle GlassFish Enterprise Server Multiple Input Validation Vulnerabilities
 
HTC / Android OBEX FTP Service Directory Traversal Vulnerability
 
Oracle Sun GlassFish Enterprise Server Stored XSS Vulnerability - Security Advisory - SOS-11-009
 
H2HC Brazil (Hackers 2 Hackers Conference) 8th Edition - Call for Papers
 
Apple today officially launched OS X Lion, the first major upgrade to its operating system software in two years.
 
Dan wrote in with some interesting results after a co-worker reported an unusual error.
Is anyone else having similar problems/results?
A DNS lookup shows the NS records pointing to servers at JOMAX.NET:

$ dig search.live.com

; <<>> DiG 9.7.0-P1 <<>> search.live.com
;; ->>HEADER<<-

;; QUESTION SECTION:
;search.live.com.               IN      A

;; ANSWER SECTION:
search.live.com.        60      IN      A       69.25.212.52
search.live.com.        60      IN      A

;; AUTHORITY SECTION:
search.live.com.        65535   IN      NS      WSC2.JOMAX.NET.
search.live.com.        65535   IN      NS      WSC1.JOMAX.NET.

;; MSG SIZE  rcvd: 121



A whois on live.com is very interesting as well:

~$ whois live.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
   IP Address: 69.41.185.200
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net

   Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM
   IP Address: 209.85.6.100
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com

   Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
   IP Address: 80.190.192.39
   Registrar: EPAG DOMAINSERVICES GMBH
   Whois Server: whois.enterprice.net
   Referral URL: http://www.enterprice.net

   Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
   IP Address: 80.190.192.39
   Registrar: EPAG DOMAINSERVICES GMBH
   Whois Server: whois.enterprice.net
   Referral URL: http://www.enterprice.net

   Domain Name: LIVE.COM
   Registrar: CSC CORPORATE DOMAINS, INC.
   Whois Server: whois.corporatedomains.com
   Referral URL: http://www.cscglobal.com
   Name Server: NS1.MSFT.NET
   Name Server: NS2.MSFT.NET
   Name Server: NS3.MSFT.NET
   Name Server: NS4.MSFT.NET
   Name Server: NS5.MSFT.NET
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 08-apr-2009
   Creation Date: 28-dec-1994
   Expiration Date: 27-dec-2017

Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC
Dan followed up with:

Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results. Other name servers I checked (OpenDNS, ATT) looked okay. As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.

Something doesn't smell right about this.

Indeed
Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
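As an added example (not ISC's or Dan's code), here is a Python check that does offline what Dan did by hand: it parses dig-style answers, compares the NS hosts a resolver returned with the Name Server lines of the registry whois record, and reports which resolvers disagree with the majority. The dig output, whois record and resolver names in it are constructed samples shaped like the output above.

```python
import re
from collections import Counter
# One resource record per line, e.g. "search.live.com.  65535  IN  NS  WSC2.JOMAX.NET."
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")

def parse_dig(text):
    """(name, ttl, type, rdata) tuples from dig-style output; ';;' lines never match."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m["name"].rstrip(".").lower(), int(m["ttl"]),
                        m["type"], m["rdata"].rstrip(".").lower()))
    return rrs

def ns_set(dig_text):
    """Lower-cased NS hosts a resolver returned, answer and authority alike."""
    return {rdata for _, _, rtype, rdata in parse_dig(dig_text) if rtype == "NS"}

def registry_name_servers(whois_text):
    """Hosts from the 'Name Server:' lines of a registry whois record."""
    return {m.group(1).rstrip(".").lower()
            for m in re.finditer(r"^Name Server:\s*(\S+)", whois_text, re.M)}

def foreign_name_servers(dig_text, whois_text):
    """NS hosts the resolver returned that sit outside every zone the registry's name
    servers live in. A subdomain can legitimately be delegated elsewhere, so treat
    hits as leads to confirm with the domain owner, not as proof of tampering."""
    zones = {ns.split(".", 1)[1] for ns in registry_name_servers(whois_text) if "." in ns}
    return sorted(ns for ns in ns_set(dig_text) if ns.split(".", 1)[-1] not in zones)

def disagreeing_resolvers(answers):
    """{resolver: dig output} -> resolvers whose NS set differs from the most common one."""
    sets = {r: frozenset(ns_set(t)) for r, t in answers.items()}
    majority = Counter(sets.values()).most_common(1)[0][0]
    return sorted(r for r, s in sets.items() if s != majority)

# Constructed samples in the shape of the diary's output, not live data.
FORWARDER = """\
;; AUTHORITY SECTION:
search.live.com.  65535  IN  NS  WSC2.JOMAX.NET.
search.live.com.  65535  IN  NS  WSC1.JOMAX.NET.
"""
OTHER = """\
live.com.  3600  IN  NS  NS1.MSFT.NET.
live.com.  3600  IN  NS  NS2.MSFT.NET.
"""
WHOIS = """\
Domain Name: LIVE.COM
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
"""
```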
 
Apple on Wednesday released its latest operating system, Mac OS X version 10.7, an upgrade that may be incremental, but nevertheless will likely contribute to the Mac's rising popularity especially among consumers.
 
Google has started warning some search users of malware on their computers, after it found unusual search traffic coming through a small number of intermediary servers called proxies.
 
IBM Lotus Domino iCalendar Meeting Request Parsing Remote Stack Buffer Overflow Vulnerability
 
Lenovo announced a family of three 10.1-in. tablet computers, including two that run Android 3.1 and one that runs Windows 7.
 
These initiatives can take some time to implement, early adopters say, but they can pay for themselves in valuable business insights.
 
Logitech's LifeSize division is embracing the cloud in a bid to extend videoconferencing's reach, announcing new services and the acquisition of a small mobile video company called Mirial.
 
There's a lot to like about the latest Apple OS, but not everything is as great as Mac fans might believe
 
Subway is a fast-food franchisor with some 35,000 restaurants worldwide. Like many big enterprises, it expected to host a new mission-critical spending-management system in-house. It ended up doing the exact opposite.
 
Apple has reported a record number of iPhone and iPad sales in the second quarter of 2011, powering revenues of $28.6 billion, also a record.
 
eglibc Signedness Error Multiple Remote Code Execution Vulnerabilities
 

Posted by InfoSec News on Jul 20

Forwarded from: Abhijeet Patil <getabhijeetpatil (at) gmail.com>

Dear All, here we are with issue 18 of ClubHack Mag for the month of July 2011.
Like most of the times, this issue is also theme based and the theme for issue
18 is Metasploit.

We have some good news for our readers. CHMag is now partners with Hakin9 and
PenTestMag. Also starting from June 2011, CHMag is available in ePUB format
also for eBook readers like Kindle &...
 

Posted by InfoSec News on Jul 20

http://risky.biz/anonymous

By Patrick Gray
Risky.biz
July 20, 2011

As many readers would no doubt already be aware, the FBI has just
arrested 16 "members" of Anonymous in relation to DDoS attacks and
intrusions.

The US Department of Justice swiftly issued a press release with the
catchy, ALL CAPS title of "SIXTEEN INDIVIDUALS ARRESTED IN THE UNITED
STATES FOR ALLEGED ROLES IN CYBER ATTACKS".

So this is a massive blow...
 

Posted by InfoSec News on Jul 20

http://latimesblogs.latimes.com/showtracker/2011/07/nothing-says-answer-the-dang-question-like-a-pie-in-the-face-testimony-by-james-and-rupert-murdock-before-parliments.html

By Mary McNamara
Show Tracker
Los Angeles Times
July 19, 2011

Testimony by Rupert and James Murdoch before a Parliament committee was
interrupted Tuesday morning when a man in a checked shirt attempted to
shove a plate full of shaving cream into Murdoch’s face. The man,...
 

Posted by InfoSec News on Jul 20

http://www.vancouversun.com/technology/Hacker+arrested+creating+zombie+computers/5125994/story.html

By Joelle Pouliot
Postmedia News
July 19, 2011

LAVAL, Que. -- RCMP investigators arrested a 24-year-old computer hacker
from Laval on Tuesday, who was apprehended for creating a botnet -- a
collection of computers infected with a virus and controlled remotely by
him.

Joseph Mercier, an information security manager for an unidentified...
 

Pragmatic insecurity: How staff, ID cards render infosec defunct
SC Magazine Australia
Wayne hasn't seen a major breach relating to cloned RFID cards, but one infosec professional in attendance had. And the breach cost the company hundreds of thousands of dollars. In another, visitor cards were given unfettered access, over and above ...

 