Posted by InfoSec News on Mar 20


By Alastair Stevenson
20 Mar 2013

The UK government's Communications-Electronics Security Group (CESG) has
dismissed rumours suggesting BlackBerry 10 failed its security tests.

A CESG spokesman told V3 on Wednesday that while it is still testing
BlackBerry 10's security features, it is optimistic the latest mobile OS...

Posted by InfoSec News on Mar 20


By Charles Hack
The Jersey Journal
March 20, 2013

NEWARK -- A former information technology administrator for the city of
Hoboken pleaded guilty in Newark federal court today to hacking into
Mayor Dawn Zimmer's email account to spy on her and other staff members.

Patrick Ricciardi, 46, who was the chief IT officer for the mayor's
office, pleaded guilty...

A cyber-attack in South Korea on Wednesday took the networks of several companies offline. While some recovered in a matter of hours, South Korea's public broadcasting organization, KBS, is still offline. But the identity of the person or group behind the attacks is still an open question—one muddied by the hackers who are taking credit for at least part of it. It's not clear at this point if the attack was state-sponsored, cyber-warfare by North Korea or simply an act of cyberterrorism by hackers looking to make a virtual name for themselves.

As we reported earlier, at about 2pm Seoul time, the networks of three broadcasters and three banks were affected by an attack that disrupted their networks, possibly caused by malware. But while malware was initially blamed for the outage, the malware that's been discovered thus far could not have taken networks down by itself. There was a lot more going on than just a malware attack; the convergence of multiple types of attacks suggests a coordinated effort by an organized attacker.

The latest update from South Korean officials is that the attack emanated from a Chinese IP address. But the identity of the attackers is still unclear.


Siemens SIMATIC WinCC TIA Portal Multiple Security Vulnerabilities
Siemens SIMATIC WinCC And PCS 7 Multiple Security Vulnerabilities

Howard Schmidt to Keynote InfoSec World 2013 in Orlando in April
PR Newswire (press release)
SOUTHBOROUGH, Mass., March 19, 2013 /PRNewswire/ -- Security veteran Howard Schmidt will be the kick-off keynote at InfoSec World 2013, which will take place April 15-17, 2013 in Orlando, Florida. Security veteran Howard Schmidt, who has headed up ...

Hewlett-Packard's shareholders have voted to reelect its entire board of directors, despite opposition from investors who want some members held accountable for recent troubles at HP, including its ill-fated acquisition of Autonomy.
Oracle's total revenue dipped 1 percent and profits remained almost flat in its most recent quarter, as revenue from new software licenses and cloud services dropped by 2 percent.
Google is looking to replace physical sticky notes with Keep, a new product designed for storing notes and other pieces of information.
A company owned by Sony and Philips is suing Apple, alleging it's infringed numerous patents covering digital rights management technology.

Just a day after Apple released iOS 6.1.3, a new lock screen bug has been discovered that could give an attacker access to private information. The vulnerability is different from the passcode bug(s) addressed by Tuesday's iOS update, but the end result is similar: access to iPhone's contact list and photos.

The new lock screen bug was first documented by YouTube user videosdebarraquito, who posted a video demoing the procedure. The basic gist, seen in the video below, is to eject the iPhone's SIM card while using the built-in voice controls to make a phone call.

Bypassing the iPhone passcode lock on iOS 6.1.3.

There are a couple important things to keep in mind, though. For one, it seems like this bug applies to most modern iPhones, though apparently the procedure isn't as easy as it looks. The YouTube video above shows the hack being executed on an iPhone 4, and iphoneincanada was able to replicate it on an iPhone 4. TheNextWeb was able to replicate it on an iPhone 4S but not an iPhone 5. But the iPhone 5 didn't get away scot free, as German language site iPhoneblog.de appears to have been able to replicate the bug on that version of the phone. We have not yet seen a confirmed case of the bug existing on the iPhone 3GS, though it's probably safe to assume that it does.



Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.


Cyberattacks supposedly originating from China have raised alarms in recent weeks, but U.S. businesses and government agencies should worry as much about Iran and North Korea, a group of cybersecurity experts said.
The U.S. Senate is expected this week to take up a non-binding amendment to test support for online sales tax collections.
Microsoft has announced some key details of how it will introduce Dynamics ERP (enterprise resource planning) software products to the cloud computing model, from initial release dates to the precise role of partners.
Microsoft yesterday kicked off a promotion that rewards Windows 8 and Windows Phone developers $100 for each app that they publish in the company's app stores.
Samsung showed off some of its 2013 home entertainment products at an event in New York City Wednesday, with celebrities demonstrating some of the company's latest TVs and interface features.
Citrix has released new software to help users of its NetScaler Application Delivery Controller more easily troubleshoot application performance problems in complex network and data center environments.
ICANN's new CEO Fadi Chehade, who took over in October, is on a mission to help politicians around the world understand the importance of keeping the Internet intact and open, and is also working to bring home the addition of new generic top-level domains.
WebMD and Qualcomm Life are collaborating on a cloud offering that will allow consumers with mobile health monitoring devices to sync their data to the cloud, where it can be shared with healthcare providers.
The password encryption algorithm used in some recent versions of the Cisco IOS operating system is weaker than the algorithm it was designed to replace, Cisco revealed earlier this week.
APPLE-SA-2013-03-19-2 Apple TV 5.2.1
APPLE-SA-2013-03-19-1 iOS 6.1.3

The morning has brought a lot of links pointing to a number of different computer security incidents coming out of South Korea. It certainly sounds like the end of the world if you lump them all together and attribute them to a single actor. However, I don't think that is the case.

Sifting through them I can tease out what appear to be 4 different threads to the story. In no particular order I have seen:

A reported DDoS for which nobody has identified the targets, when it started, when it ended, or what the impact was.

Kaspersky reports of some web defacements here: http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks

There were some news sites that were defaced to redirect visitors to install some banking malware that targeted Korean banks: http://blog.avast.com/2013/03/19/analysis-of-chinese-attack-against-korean-banks/

There are reports that a lot of machines had their hard drives wiped, and an analysis was released today: http://training.nshc.net/KOR/Document/virus/2-20130320_320CyberTerrorIncidentResponseReportbyRedAlert.pdf

I'd like to urge readers not to link these 4 events together without additional analysis. Kaspersky linked the defacement with the wiper malware, despite this same warning being present in the news article that they linked to (I still heart you guys though.) The timelines on these events are still not clear, and the methods indicate different actors and motivations to me.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LibTIFF 'LZWDecodeCompat()' Remote Buffer Underflow Vulnerability
[IA49] Photodex ProShow Producer v5.0.3310 ScsiAccess Local Privilege Escalation
U.S. companies and government agencies can learn from the large-scale disruptions that have hit several banks and media outlets in South Korea in the last 24 hours, security analysts said.
CA20130319-01: Security Notice for SiteMinder products using SAML
Re: VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "OnResize" Use-after-free (MS13-021 / CVE-2013-0087)
[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart


McAfee confirms Infosec no-show
Infosecurity Europe 2013 will be without one of the industry's two big guns after McAfee confirmed that it will not be attending. McAfee and arch-rival Symantec have traditionally used the UK and Europe's largest IT security show as a chest-beating ...

A new set of publications from the National Institute of Standards and Technology (NIST) could make it easier, faster, and most importantly, more reliable, for forensic examiners to match a set of fingerprints with those on file in any ...
Google is expanding its Google Fiber project in Kansas to Olathe, the fifth largest city in the state.

Attackers are using fraudulently obtained information to take over high-profile Xbox Live accounts held by current and former Microsoft employees, company officials said.

"We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees," Microsoft officials said in a statement sent to Ars. "We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use."

The disclosure comes two days after security reporter Brian Krebs linked one of the people who may have prompted a raid on his home by armed police to a four-man team that uses illicitly obtained credit information to hijack Xbox Live accounts. According to Krebs, the same person who took credit online for the swatting attack also ordered a denial-of-service attack on his website. Records unearthed by Krebs found that the same Gmail address used to order that hit also ordered a DoS on Ars Technica.


I use Google Docs as part of my day job. On one recent morning I accessed a file and updated it but when I went back a short time later I got a "502" error page -- something had gone amok in Google land. Everything seemed to work when I tried a few hours later, but the incident was a forceful reminder of one of the important features of cloud services -- when they go down so do you.
A British government security group said Wednesday said it hasn't yet evaluated the security of BlackBerry 10 devices such as the Z10.
U.S. advocates for a free global Internet need to reach out to other nations to encourage their participation in open governance bodies like the Internet Corporation for Assigned Names and Numbers, ICANN CEO Fadi Chehad said.

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren't intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either "root" or "admin." When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program's release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.



The computer networks of three major South Korean banks and three television networks went offline nearly simultaneously at 2pm Seoul time on Wednesday, according to South Korea's National Police Agency. The government confirmed that malware was used to bring the networks down, and it is looking into whether North Korea is behind the attack.

While no definitive link has been made to North Korea, the government has said it's not ruling out the possibility. The South Korean military has raised its information surveillance levels in the wake of the attack, according to a report by Yonhap News Agency's Kim Eun-jung. North Korea has been blamed for a number of previous cyberattacks against South Korean government and business networks.

A spokesperson for South Korea's public broadcasting company KBS told Yonhap News Service that its network had been "paralyzed since 2pm, and we cannot do any business." At cable broadcaster YTN, editing equipment was also affected, impacting its broadcasts. The attack on financial institutions Shinhan Bank, Jeju, and Nonghyup affected Internet and mobile banking applications while taking ATM machines offline.


Cisco has issued a security advisory after Hashcat researchers disclosed a password flaw in IOS and IOS XE devices that enable brute-force attacks.

A new Trend Micro study using honeypots for research highlights an alarming number and variety of attempted ICS security breaches.

The Swiss National Supercomputing Center is going to upgrade its supercomputer with Nvidia GPUs to more accurately predict the weather in the steep mountains of the Swiss Alps.
With its new Grid VGX software, Nvidia is aiming to tear down the performance barrier that keeps graphics-intensive applications from running on virtual desktops.
LinuxSecurity.com: Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated sssd packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Perl could be made to stop responding if it received specially crafted input.

This is my third post in a series called "Wipe the Drive! Stealthy Malware Persistence". The goal is to demonstrate obscure configuration changes that malware or an attacker on your computer can leave behind to allow them to reinfect your machine. Hopefully this will give you a few more arrows in your quiver during the next incident when you say "we need to wipe the drive" and they say "don't waste my time". We will pick up the conversation with techniques number five and six. If you missed the first four techniques you can read about those here:



Technique #4 - Service Triggers based on ETW

Everyone knows to check for strange services running on your computer. If the service is running, then the malware will be in memory during a forensic examination. So simply installing a service doesn't really seem like a stealthy way to leave malware behind. But when you combine it with Event Tracing for Windows (ETW) triggers, it can be very stealthy.

Windows Event Trace Providers generate a wealth of information about what is happening on your computer. They are similar to the events that show up in your event logs, but they don't show up in your event logs. You can turn on logging to see what types of events are being generated by a given provider. This can be used for good:


Or it can be used for evil (well.. penetration testing isn't evil, but you get the point):


The events generated by event providers can be used to create service triggers. The triggers in turn start and stop services when predetermined events occur on the machine. So services containing malware can start and stop in very interesting scenarios. For example, an attacker's malware can lie dormant until a given DNS host name is resolved by the WinInet provider. When the attacker is ready to 0wn you, they simply cause your host to resolve that hostname using a link to a webpage or an image tag in an HTML document. Or the attacker could make the malware network aware, so that it is running when connected to your domain but disabled when you unplug it from the network. Another interesting scenario would be to have the malware lie dormant until an event is registered indicating that a given wireless access point is in range. When the attacker wants to start his malware service, he brings a laptop beaconing that wireless SSID within wireless range to activate it.


You can query the triggers on a given service by running sc qtriggerinfo <service name>. Here you can see the trigger for the Windows Usermode Driver Framework service. It has a custom trigger event that fires based on some Event Tracing for Windows provider. The sequence of bytes defined below in the DATA element must be present in the event to activate the trigger.

However, determining good from evil isn't that easy. Check out the trigger above. Is that a good trigger configuration? Is that the right data string? Who knows? In this case it is a default installation of Windows 7, so I hope it is good. The easy way to know if it is right is to have a known good baseline of what your computer is supposed to look like and then detect changes. Do you want a baseline of the triggers used on your systems? Here is a little for loop that will print the trigger configuration for every service on your machine.

for /F "tokens=1,2 delims=: " %x in ('sc query ^| find "SERVICE_NAME"') do @echo %y & @sc qtriggerinfo %y

Technique #5 - Attach a debugger with ImageFileExecutionOptions

The operating system can be configured to automatically start a debugger every time a given application is launched. To set this up you simply create a registry key and Windows will take care of the rest. So if I want to launch Calculator every time someone tries to run notepad.exe, it is one simple registry key. Give this a try. Use the following reg command to create a Debugger value for notepad.exe.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d c:\Windows\system32\calc.exe

That's it! Now when you try to launch Notepad, Calculator is launched instead. Notepad never even starts; only calc.exe is run. Notepad would start if calc.exe were an actual debugger. Users might notice the wrong processes running. The attacker can solve this by putting debugger functionality into their code, or, after the malware starts, it can delete the Debugger value and relaunch the original process so it starts normally.

While this is a cool trick, by itself it doesn't solve the attacker's immediate problem. They want to lie dormant until incident response is finished. To do that, they can attach the debugger to an infrequently run program, such as the defrag process. On a server they might connect the debugger to Internet Explorer or another process that isn't used very often. Then the attacker just sits back and waits for you to retrigger the infection of your machine.


If you see a Debugger value under anything in the Image File Execution Options registry key, you should investigate that debugger. Here we can see the debugger attached to notepad.exe using the reg query command:

To delete the debugger you can use the following command.

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger
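As an added example that is not part of the diary above, here is a PowerShell script that builds the "known good baseline" the post recommends for both techniques: it records every IFEO Debugger value (Technique #5) and the sc qtriggerinfo output for every service (Technique #4), saves them as JSON, and later reports anything added, modified or removed. The function names, the WOW6432Node path check and the baseline file location are my own assumptions; run it elevated on the same OS build you baselined.

```powershell
# Added example, not code from the ISC diary. Assumes Windows 7 or later with
# sc.exe available and an elevated PowerShell session (reading HKLM is fine
# unelevated, but some trigger queries need admin rights).
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; silently skipped where it does not exist (assumption)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggers {
    # One record per IFEO subkey that carries a Debugger value (Technique #5).
    foreach ($base in $IfeoPaths) {
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Key = "IFEO\$($_.PSChildName)"; Value = [string]$dbg }
            }
        }
    }
}

function Get-ServiceTriggers {
    # One record per service holding the raw 'sc qtriggerinfo' text (Technique #4),
    # so the DATA bytes of a custom ETW trigger are part of the baseline too.
    Get-Service | ForEach-Object {
        $out = (& sc.exe qtriggerinfo $_.Name 2>&1 | Out-String).Trim()
        [pscustomobject]@{ Key = "TRIGGER\$($_.Name)"; Value = $out }
    }
}

function Save-PersistenceBaseline {
    # Write the current state to a JSON file; returns the number of records saved.
    param([Parameter(Mandatory)][string]$Path)
    $records = @(Get-IfeoDebuggers) + @(Get-ServiceTriggers)
    $records | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $records.Count
}

function Compare-PersistenceBaseline {
    # Diff the live system against a saved baseline; returns one finding per drift.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($r in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) { $baseline[$r.Key] = $r.Value }
    $current = @{}
    foreach ($r in (@(Get-IfeoDebuggers) + @(Get-ServiceTriggers))) { $current[$r.Key] = $r.Value }

    $findings = @()
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            # A new IFEO Debugger or a service that did not exist at baseline time
            $findings += [pscustomobject]@{ Key = $k; Change = 'ADDED';    Now = $current[$k] }
        } elseif ($baseline[$k] -ne $current[$k]) {
            # Same key, different debugger path or different trigger definition
            $findings += [pscustomobject]@{ Key = $k; Change = 'MODIFIED'; Now = $current[$k] }
        }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Key = $k; Change = 'REMOVED';  Now = $null }
        }
    }
    return $findings
}

# Usage: take the baseline on a known-good build, then diff during an incident.
# Save-PersistenceBaseline -Path 'C:\baseline\persistence.json'
# Compare-PersistenceBaseline -Path 'C:\baseline\persistence.json' | Format-Table -AutoSize
```

Any ADDED or MODIFIED line under IFEO\ or TRIGGER\ is the thing to look at first; legitimate products do register IFEO debuggers, which is exactly why a per-build baseline beats eyeballing the registry.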

Summary: Once a compromise has occurred finding all of the things the attacker could have done to your machine is usually more time consuming than just wiping the drive. Just wipe the drive. Still not convinced? I have a one part in this series to go.

Follow me on twitter : @MarkBaggett

Here is an AWESOME DEAL on some SANS training. Join Justin Searle and I for SANS new SEC573 Python for Penetration Testers course at SANSFire June 17-21. It is a BETA so the course is 50% off! Sign up today!


There are two opportunities to join Jake Williams (Twitter @malwarejake) for FOR610 Reverse Engineering Malware. Join him on vLive with Lenny Zeltser or at the Digital Forensics Incident Response Summit in Austin.

vLive with Jake and Lenny begins March 28th, 2013:


Jake at DFIR Austin Texas July 11-15, 2013:

http://www.sans.org/event/dfir-summit-2013/course/reverse-engineering-malware-malware-analysis-tools-techniques
Apple has released a third update for iOS 6.1 to fix vulnerabilities. The update also corrects at least one hole that has been exploited by the evasi0n jailbreak

Authorities in South Korea are investigating network failures at three TV stations and two banks. They say that the failures were likely caused by a cyber-attack, but that the attackers' identity and origin are currently unclear

As PC sales remain sluggish, analysts expect Taiwanese vendors Acer and Asustek Computer to try to seize today's changing tech market with low-end Android tablets, for which consumer demand is high.
Several high-profile Xbox Live accounts for former and current Microsoft employees were compromised by attackers using social engineering techniques, the company said late Tuesday.
An industry coalition with backing from Microsoft, Nokia and Oracle has objected to Google's application for certain top-level domain strings.
Google has fully implemented a security feature that ensures a person looking up a website isn't inadvertently directed to a fake one.
What is T-Mobile USA planning for its news event in New York City next Tuesday? The wireless carrier will probably formalize its plans to offer smartphones with no contract, possibly an iPhone, and announce new LTE service.
Both approaches have their benefits and downsides; just make sure you know what you're getting into before you make a huge commitment either way.
Collaboration software vendor Open-Xchange plans to launch an open-source, browser-based productivity suite called OX Documents.
Computer networks of banks and some broadcasters in South Korea were hit Wednesday in what is suspected to be a cyberattack, according to news reports.
The U.S. Department of Homeland Security (DHS) has moved to agile development and is shifting to cloud platforms in an effort to improve its IT operations.
JFreeChart Multiple HTML Injection Vulnerabilities
Sami FTP Server 'LIST' Command Buffer Overflow Vulnerability
wwwstats Clickstats.PHP Multiple HTML Injection Vulnerabilities
Linux Kernel 'cdc-wdm' USB Device Driver Heap Based Buffer Overflow Vulnerability
GNOME Online Accounts CVE-2013-0240 SSL Certificate Validation Security Bypass Vulnerability

Posted by InfoSec News on Mar 19


Hawaii News Now
March 19, 2013

A defense contractor living in Kapolei is accused of leaking U.S. military
secrets. The Army reservist with a top secret security clearance allegedly
shared classified data with his girlfriend who is a Chinese national. Court
documents revealed that Benjamin Pierce Bishop, 59, met the 27-year-old in
Hawaii at a...

Posted by InfoSec News on Mar 19


By Kelly Jackson Higgins
Dark Reading
March 18, 2013

It took only a few hours before attackers started to hammer away at two decoy
water utility networks stood up in a recent experiment that resulted in 39
attacks from 14 different nations over a 28-day period.

Researchers at Trend Micro...

Posted by InfoSec News on Mar 19


March 19, 2013

As the United States and its adversaries move from using missiles to malware on
its targets, a group of specialists have drafted preliminary guidelines for the
world’s ramped-up cyberwars.

The rule book published this week, The Tallinn Manual on International Law
Applicable to Cyber Warfare, was curated by NATO’s Cooperative Cyber Defense
Center of...

Posted by InfoSec News on Mar 19


By Aliya Sternstein
March 19, 2013

Within three years, the Pentagon’s Cyber Command will deploy more than 100
teams focused predominantly on defending military networks rather than
attacking adversaries’ systems, according to Defense Department officials.

The department recently reorganized Cyber Command, which since 2010 has...

Posted by InfoSec News on Mar 19


By Jennifer Martinez
The Hill

An elite unit of Chinese hackers that allegedly waged a massive cyber-espionage
campaign against U.S. companies has attempted to clean up their online presence
after being identified in a public report by information security firm

Since the release of the report last...