InfoSec News

Can security, often seen as obvious and ugly, actually be stylish and suitable for a building? Architect Rick Reeder gives us a tour of a property he designed with artful security as the goal
 

5bn mobile subscribers and counting
ZDNet Australia
... RT @kanguru_news: UK Data breach reporting law set for four-year rollout. http://bit.ly/dr8agI #databreach #infosec Summer Social & Search Big Financial ...

 
Walmart and Best Buy appear to have kicked off a price war in time for the back-to-school shopping season, with both retailers offering Compaq laptops with 15.6-inch screens for under US$300.
 
Wait for the right innovation
 
The U.S. Federal Trade Commission has extended settlement talks with Intel in the agency's antitrust investigation into the chip maker's treatment of its rivals.
 
Watch out for spin as Microsoft announces earnings tomorrow. Here are seven key themes to bear in mind about the state of the business - from software that's sold but never used, to "fastest-selling Windows ever" boasts.
 
Done well, benchmarks provide a basis for sound decision making. Yet, badly crafted benchmarks are remarkably common. Even worse, a poorly crafted benchmark can intuitively look like a good one, thereby discouraging a deeper benchmarking evaluation that could deliver superior results.
 
Hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that trigger an infection when people simply surf to a malicious Web site, Microsoft said.
 
Gnome Foundation executive challenges open source coders to work on more social networking apps
 
Law enforcement officials from 38 states have sent a letter to Google, asking the company whether it tested its Street View mapping software before discovering it was snooping on Wi-Fi networks as the Street View cars drove through neighborhoods.
 
The state of Texas has issued a "Notice of Cure" that could threaten IBM's nearly $1 billion contract to consolidate the government's IT operations.
 
Books by Vinnie Mirchandi, Tony Hsieh and Devora Zack, plus a blog about social media for businesses and a webcomic
 
I'm a very patient man. It takes a lot to tick me off, and my enemies list is very short--a certain ultrasound technician and any D.J. who thinks Suzanne Vega's "Tom's Diner" is an acceptable playlist item are all that really come to mind. But I must say that Apple's Genius Bar has me at the end of my rope.
 
From PNC Financial Services Group to Procter & Gamble, this year's CIO 100 winners have developed innovative ideas that pay long-term dividends.
 
A powerful U.S. senator will introduce legislation allowing the U.S. Federal Communications Commission to share auction proceeds with spectrum holders that voluntarily give up unused bandwidth and will give police and fire departments additional spectrum for a nationwide wireless broadband network.
 
Dell is apparently warning customers that "a small number" of its PowerEdge R410 server motherboards may contain malicious software.
 
Facebook snagged its 500-millionth user Wednesday, and the social networking company celebrated by launching a new app called 'Facebook Stories.'
 
Hewlett-Packard on Wednesday quashed rumors of HP Slate's demise, saying the tablet with the Windows 7 OS may still be sold to customers.
 
Mozilla on Tuesday patched 16 vulnerabilities, nine of them critical, in Firefox 3.6, the largest update for the open-source browser since March.
 
The 2010 CIO 100 winners move beyond IT value, using technology to build new revenue streams, engage customers and speed decision making for lasting business growth.
 
Despite fears caused by the European debt crisis, spending on technology products and services is set to continue growing around the world, although the pace of growth in Europe overall will be lower, Forrester Research said.
 
Verizon Wireless and Motorola today said fewer than one-tenth of 1% of the new Droid X smartphones that have been sold have experienced a "flickering" or "banding" on the display, and that Motorola has resolved the problem.
 
Note that this malware does NOT exploit 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198. It simply uses the autorun.inf to launch the executable, or waits for the user to double click the .LNK file. I wrote up this diary before fellow handler Bojan pointed that out to me.
Aaron wrote in the following:

We had a user get infected ... The symptoms we saw were as follows:

The virus hides all folders on the root of any drive it has write access to.
It then drops an LNK file named the same as all of the folders. So you have a series of LNK files where your folders used to be. This appears to only happen at the root of the drive(s) the user has write access to.
Then the virus drops an autorun.inf, EXE, and SRC file at the root of the infected drives.
One of the things we did to scan our server shares was to run robocopy in list-only mode. We used a command similar to this:

robocopy \\server\share c: *.lnk /MAXAGE:2 /L /S /R:3 /W:3 /NDL

It scans for any LNK files created in the past 2 days. The reasoning is that LNK files should not be created very often on shares, so a large number of them would be suspicious.

He also sent us a copy of the files found on the affected system. The virustotal.com results yesterday were 11/36 (30.56%).
This is what the .LNK file looks like:
xxd "Backup Drive.lnk"
0000000: 4c00 0000 0114 0200 0000 0000 c000 0000 L...............
0000010: 0000 0046 cb00 0000 0700 0000 0000 0000 ...F............
0000020: 0000 0000 0000 0000 0000 0000 007b b54b .............{.K
0000030: 7627 cb01 00c2 0100 0300 0000 0100 0000 v'..............
0000040: 0000 0000 0000 0000 0000 0000 7500 1400 ............u...
0000050: 1f50 e04f d020 ea3a 6910 a2d8 0800 2b30 .P.O. .:i.....+0
0000060: 309d 1900 2f43 3a5c 0000 0000 0000 0000 0.../C:\........
0000070: 0000 0000 0000 0000 0000 0046 0032 0000 ...........F.2..
0000080: c201 00f3 3c87 9907 0066 6f65 7576 652e ....<....foeuve.
0000090: 7363 7200 002c 0003 0004 00ef be00 0000 scr..,..........
00000a0: 0000 0000 0014 0000 0066 006f 0065 0075 .........f.o.e.u
00000b0: 0076 0065 002e 0073 0063 0072 0000 001a .v.e...s.c.r....
00000c0: 0000 004a 0000 001c 0000 0002 0000 0000 ...J............
00000d0: 0000 0000 0000 001c 0000 003f 0000 0023 ...........?...#
00000e0: 0000 0003 0000 0014 0000 0020 0000 0000 ........... ....
00000f0: 00fe 7f5c 5c43 6c69 656e 745c 4324 0043 ...\\Client\C$.C
0000100: 3a00 666f 6575 7665 2e73 6372 000c 002e :.foeuve.scr....
0000110: 005c 0066 006f 0065 0075 0076 0065 002e .\.f.o.e.u.v.e..
0000120: 0073 0063 0072 0021 0025 0073 0079 0073 .s.c.r.!.%.s.y.s
0000130: 0074 0065 006d 0072 006f 006f 0074 0025 .t.e.m.r.o.o.t.%
0000140: 005c 0073 0079 0073 0074 0065 006d 0033 .\.s.y.s.t.e.m.3
0000150: 0032 005c 0073 0068 0065 006c 006c 0033 .2.\.s.h.e.l.l.3
0000160: 0032 002e 0064 006c 006c 0000 0000 00 .2...d.l.l.....
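An added example (my code, not the diary's or Aaron's): a parser for the "Backup Drive.lnk" dump above, following the published Shell Link ([MS-SHLLINK]) layout, that recovers the link's target, relative path and icon string, plus a decoy heuristic that is my own assumption rather than anything the diary states.

```python
import struct

# "Backup Drive.lnk" from the xxd dump in the diary above, re-entered as hex
LNK_HEX = (
    "4c0000000114020000000000c000000000000046cb0000000700000000000000"
    "000000000000000000000000007bb54b7627cb0100c201000300000001000000"
    "000000000000000000000000750014001f50e04fd020ea3a6910a2d808002b30"
    "309d19002f433a5c000000000000000000000000000000000000004600320000"
    "c20100f33c87990700666f657576652e73637200002c0003000400efbe000000"
    "00000000001400000066006f0065007500760065002e0073006300720000001a"
    "0000004a0000001c0000000200000000000000000000001c0000003f00000023"
    "0000000300000014000000200000000000fe7f5c5c436c69656e745c43240043"
    "3a00666f657576652e736372000c002e005c0066006f0065007500760065002e"
    "0073006300720021002500730079007300740065006d0072006f006f00740025"
    "005c00730079007300740065006d00330032005c007300680065006c006c0033"
    "0032002e0064006c006c0000000000"
)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# ShellLinkHeader.LinkFlags bits ([MS-SHLLINK] 2.1.1); STRING_DATA is in file order
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_DATA = (("name", 1 << 2), ("relative_path", 1 << 3), ("working_dir", 1 << 4),
               ("arguments", 1 << 5), ("icon_location", 1 << 6))
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Walk header, IDList, LinkInfo and StringData; return what a triage needs."""
    if data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 0x14)
    size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 0x34)
    info = {"flags": flags, "attrs": attrs, "size": size, "show_cmd": show_cmd,
            "icon_index": icon_index, "target": None}
    pos = 0x4C
    if flags & HAS_ID_LIST:  # skip the PIDL; LinkInfo carries the resolved path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, _, li_flags, _, base_off, cnrl_off, suffix_off = \
            struct.unpack_from("<7I", data, li)
        suffix = _cstr(data, li + suffix_off)
        if li_flags & 0x1:    # VolumeIDAndLocalBasePath: local drive path
            info["target"] = _cstr(data, li + base_off) + suffix
        elif li_flags & 0x2:  # CommonNetworkRelativeLink: UNC share + suffix
            cn = li + cnrl_off
            net_off = struct.unpack_from("<I", data, cn + 8)[0]
            info["target"] = _cstr(data, cn + net_off) + "\\" + suffix
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_DATA:  # each block: u16 char count, then the chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width
            raw = data[pos + 2:pos + 2 + n]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n
    return info


def looks_like_folder_decoy(info):
    """Assumed heuristic (mine, not the diary's): a shortcut that borrows a
    shell32.dll stock icon while its target is an executable."""
    icon = info.get("icon_location", "").lower()
    target = (info.get("target") or "").lower()
    return icon.endswith("shell32.dll") and target.endswith(EXEC_EXTS)


if __name__ == "__main__":
    print(parse_lnk(bytes.fromhex(LNK_HEX)))
```

On the dump above the target resolves to \\Client\C$\foeuve.scr with a shell32.dll icon, which is exactly the folder-lookalike the diary describes.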
Here are md5sums of the files captured:
The .LNK files affected all have the same hash value, and the two dropped files (foeuve.*) also share an md5sum. Here are the contents of autorun.inf:
cat autorun.inf
[AUtoRUn]
aCTION=Open folder to view files
SHeLLEXECuTe=FOeUVE.EXE
IcoN=%syStEMRoOt%\sySTEm32\Shell32.dll,4
Today the virustotal.com results for foeuve.scr are similar, 23/41 (56.1%).
Thanks Aaron!
So, in a nutshell, not the exploit or malware we were looking for, but interesting nonetheless.
Cheers,

Adrien de Beaupré

EWA-Canada.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

EC sets out European data sharing processes
ZDNet UK
 

First customer goes live on 100Mbps fibre trial
ZDNet UK
 

IBM data server comes to Ubuntu
ZDNet UK
 

VeriSign informs about site safety through search engines
ZDNet UK (blog)
 
Reader Srinivas is having a problem with Internet Explorer 8:
 
Apple's iPhone 4 antenna problems were discussed unendingly, but not really analyzed thoroughly.
 

A Tidbit (A tasty morsel of gossip)
ZDNet UK (blog)
 

Adobe builds sandbox tech to block attacks
ZDNet UK
 

Google search solution satisfies China
ZDNet UK
 

Zscaler adds email to security cloud
ZDNet UK (blog)
 
As the mobile battle narrows, the iPhone finally faces a real challenger.
 
Canonical to offer DB2 Express in a virtual appliance edition
 
 

Google launches new look for images search
ZDNet UK
 
Dell is apparently warning customers that "a small number" of its PowerEdge R410 server motherboards may contain malicious software.
 
A Dell support forum post confirms that PowerEdge R410 replacement motherboards contain malware. The posting is here: en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx. The embedded server management firmware in some motherboards contains the malicious code. The issue is not present on new servers and does not affect non-Windows based servers. No further information on the malware itself, mitigation techniques, the specific motherboards affected, or the method of the original infection is yet available. Dell is sending snail mail and calling affected customers. Thanks Geoff and one other reader for bringing this to our attention!
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
Adobe have announced that Reader will run in a sandbox called Protected Mode blogs.adobe.com/asset/2010/07/%20introducing-adobe-reader-protected-mode.html. It is based on Microsoft's Practical Windows Sandboxing blogs.msdn.com/b/david_leblanc/archive/2007/07.aspx. This is good news as it will drastically reduce the attack surface of Adobe Reader and mitigate the impact of any vulnerabilities within the product.
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
It's been almost a year since I served up some nice, hot laptop tips (see "Laptop Q&A: Power Off Quickly, Fix Sticky Keys")--and that's inexcusable. I'll make it up to you this week with some useful advice on adding memory to a laptop, turning an old laptop hard disc into an external drive, and using your laptop's power settings effectively.
 
Microsoft have updated their security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198 to describe further attack vectors for this vulnerability. The vulnerability can be exploited using .LNK files on removable drives, via WebDAV and network shares, using .PIF files as well as .LNK, and documents that can have embedded shortcuts within them. The original discussion on this vulnerability is here: isc.sans.edu/diary.html?storyid=9181
The ISC has previously raised the infocon (isc.sans.edu/diary.html?storyid=9190) with regards to this issue, and will continue to monitor for any changes. Please let us know via our contact us page or by commenting below if you have any new information on the issue, have been affected by this vulnerability being exploited, or have a copy of malware taking advantage of it.
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
An automated "Fix it" prevents attacks from attempting to exploit a serious vulnerability with the way Windows handles shortcut icons.

 

Infosec certification worse than inadequate
FederalNewsRadio.com
Information security certification is getting some tough criticism from the Commission on Cybersecurity for the 44th Presidency. ...
Harsh Words for Professional Infosec Certification (GovInfoSecurity.com blog)
US Facing a Human Capital Crisis in Cybersecurity, Says CSIS (CircleID)
9 Key Cybersecurity Roles for Government (GovInfoSecurity.com)

 
President Barack Obama said that he can't intervene in the long-running case of a British hacker charged with breaking into U.S. military computers.
 
Microsoft late Tuesday released an automated tool to stymie exploits of a critical unpatched Windows vulnerability that experts fear will soon be used by hackers against the general PC population.
 
As the mobile battle narrows, the iPhone finally faces a real challenger
 
Recent TV advertising campaigns from the nation's two largest wireless carriers have put a premium on trying to empower us and inspire us about innovation, almost as if wireless communication had become a kind of religion.
 
A Harris Interactive survey found that IT workers see an improving economy -- and an opportunity to start looking for a better job.
 
InfoSec News: Hospital files with data of 800,000 are missing: http://www.boston.com/news/local/massachusetts/articles/2010/07/20/hospital_files_with_data_of_800000_are_missing/
By Martin Finucane and Kay Lazar Globe Staff The Boston Globe July 20, 2010
Computer files from South Shore Hospital that contain personal [...]
 
InfoSec News: Google Chrome bug bounty ups Mozilla's ante: http://www.theregister.co.uk/2010/07/20/google_bug_bounty/
By Dan Goodin in San Francisco The Register 20th July 2010
Two days after Mozilla sextupled the bug bounty paid to security researchers to $3,000, Google has upped the ante for vulnerabilities that are reported in its Chrome browser. [...]
 
InfoSec News: Online casino glitch let players use others' money: http://www.theglobeandmail.com/news/national/british-columbia/bc-shuts-down-online-casino-after-security-glitch/article1646314/
By Rod Mickleburgh Globe and Mail July 20, 2010
For more than a hundred gamblers who logged on during the first few hours of British Columbia's new online casino, the odds could not have been better. They were able to bet using other people's money.
While it's not clear how many took advantage of the rare opportunity to experience risk-free gambling, the bizarre security breach prompted BC Lottery Corporation to close down the heavily travelled site soon after it opened for business last Thursday.
PlayNow.com, the first government-sanctioned site in North America to offer online casino games, remains closed while software developers try to figure out what went wrong.
BCLC initially blamed an overload of gamblers seeking to bet early and often on the much-ballyhooed service for the embarrassing shutdown.
[...]
 

BSides Las Vegas 2010 speaker line-up announced
Help Net Security
These events are all about expanding the spectrum of infosec discussions and encouraging participants to give voice, creation and refinement to the 'next ...

 

Euromoney subscriptions rise with financial markets
This is London
Its events unit, which includes leading coal-industry conference Coaltrans and information-security event InfoSec World, had a 21% rise in delegate numbers ...

 
InfoSec News: SCADA System's Hard-Coded Password Circulated Online for Years: http://www.wired.com/threatlevel/2010/07/siemens-scada/
By Kim Zetter Threat Level Wired.com July 19, 2010
A sophisticated new piece of malware that targets command-and-control software installed in critical infrastructures uses a known default [...]
 
InfoSec News: DHS, vendors unveil open source intrusion detection engine: http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine
By Jaikumar Vijayan Computerworld July 20, 2010
The Open Information Security Foundation (OISF), a group funded by the U.S Department of Homeland Security (DHS) and several security vendors, [...]
 

Posted by InfoSec News on Jul 21

http://www.wired.com/threatlevel/2010/07/siemens-scada/

By Kim Zetter
Threat Level
Wired.com
July 19, 2010

A sophisticated new piece of malware that targets command-and-control
software installed in critical infrastructures uses a known default
password that the software maker hard-coded into its system. The
password has been available online since at least 2008, when it was
posted to product forums in Germany and Russia.

The password...
 

Posted by InfoSec News on Jul 21

http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine

By Jaikumar Vijayan
Computerworld
July 20, 2010

The Open Information Security Foundation (OISF), a group funded by the
U.S Department of Homeland Security (DHS) and several security vendors,
this week released an open source engine built to detect and prevent
network intrusions.

The somewhat oddly named Suricata 1.0 engine is touted as a...
 

Posted by InfoSec News on Jul 21

http://www.boston.com/news/local/massachusetts/articles/2010/07/20/hospital_files_with_data_of_800000_are_missing/

By Martin Finucane and Kay Lazar
Globe Staff
The Boston Globe
July 20, 2010

Computer files from South Shore Hospital that contain personal
information for about 800,000 people may have been lost when they were
shipped to a contractor to be destroyed, hospital officials announced
yesterday.

The officials declined to identify...
 

Posted by InfoSec News on Jul 21

http://www.theregister.co.uk/2010/07/20/google_bug_bounty/

By Dan Goodin in San Francisco
The Register
20th July 2010

Two days after Mozilla sextupled the bug bounty paid to security
researchers to $3,000, Google has upped the ante for vulnerabilities
that are reported in its Chrome browser.

In a continuing play on elite hacker speak, Google will begin paying as
much as $3,133.70 for the most critical bugs that are brought to its...
 

Posted by InfoSec News on Jul 21

http://www.theglobeandmail.com/news/national/british-columbia/bc-shuts-down-online-casino-after-security-glitch/article1646314/

By Rod Mickleburgh
Globe and Mail
July 20, 2010

For more than a hundred gamblers who logged on during the first few
hours of British Columbia's new online casino, the odds could not have
been better. They were able to bet using other people's money.

While it's not clear how many took advantage of the rare...
 

Euromoney says uncertainty remains after strong Q3
Reuters
But the company, whose events include leading coal-industry conference Coaltrans and information-security event InfoSec World, cautioned that sales growth ...

 
An apparent lack of communication between Intel and the Taiwan government over the closing of Intel's WiMax Program Office in Taiwan has brewed into a media storm here to rival Apple's Antennagate in the U.S.
 

Harsh Words for Professional Infosec Certification
GovInfoSecurity.com (blog)
That last point, looked at another way, is that many certification programs are tailored to prepare infosec pros to fill out checklists to conform with the ...
9 Key Cybersecurity Roles for Government (GovInfoSecurity.com)

 
Siemens confirmed Tuesday that one of its customers has been hit by a new worm designed to steal secrets from industrial control systems.
 
For the third time in the last four quarters, Apple today reported it sold a record number of Macs, although sales of the iPhone slipped slightly.
 
VMware on Tuesday reported a 48% jump in revenue for the second quarter, a greater increase than expected, and raised its outlook for the full year on strong demand for its virtualization software.
 
Yahoo's second-quarter revenue was $1.6 billion, coming in on the low end of the company's expectations and falling short of analyst predictions.
 
