
InfoSec News


Reader Stephanie told us that during a Google image search for a picture of Mussolini she found a site that downloads malware. I decided to look into this further to see what I could find. Before you start, be careful with what you do, as the page is still live.

I clicked the image found in Google. The following script was received from the host:



The URL loads the following JavaScript, which is encoded:





After decoding, it drops an executable with MD5 ef42a441af5e5a250f18aeb089698c35. It makes no changes to the system, but it connects to 69.50.197.243 on TCP port 8000 to download further malware.

Such attacks are common. How can the risk of these attacks be minimized? Some controls can be summarized:

Malware perimeter defense: use an anti-malware gateway to inspect HTTP, FTP and any other protocol allowed for inside users.
Download files only from well-known sites. If you must download something from an unknown site, take every measure to check and review the downloaded content before using it.
I tested NoScript against this web page and it was correctly blocked. I do not recall a similar control for Internet Explorer. Maybe one of our readers can recommend one?
Host IPS can protect the machine from buffer overflows or similar attacks triggered by exploits or malware.
And, of course, antivirus.
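The two indicators the diary reports (the dropper's MD5 and the 69.50.197.243:8000 callback) are what a defender would sweep for first. The following is an added example, not code from the diary or the ISC: it hashes files in chunks and compares them with the reported MD5, and it scans firewall-style connection logs for the callback address. The log layout (`src=... dst=... dpt=...`) and the sample lines are constructed for this example; adapt the regular expression to your own device's format.

```python
# Added example (not from the ISC diary): sweep for the indicators reported above.
import hashlib
import re

DROPPER_MD5 = "ef42a441af5e5a250f18aeb089698c35"   # from the diary
C2_HOST = "69.50.197.243"                           # from the diary
C2_PORT = 8000                                      # from the diary

# Constructed sample firewall log (syslog-like "src= dst= dpt=" layout is assumed).
SAMPLE_LOG = """\
Apr 22 10:01:02 fw1 kernel: ACCEPT src=10.0.0.15 dst=93.184.216.34 proto=TCP dpt=80
Apr 22 10:01:09 fw1 kernel: ACCEPT src=10.0.0.15 dst=69.50.197.243 proto=TCP dpt=8000
Apr 22 10:02:11 fw1 kernel: ACCEPT src=10.0.0.22 dst=69.50.197.243 proto=TCP dpt=443
Apr 22 10:03:40 fw1 kernel: ACCEPT src=10.0.0.31 dst=69.50.197.243 proto=TCP dpt=8000
"""

_LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=\w+ dpt=(?P<dpt>\d+)")


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory buffer."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Hash a file in 64 KiB chunks so large downloads need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_dropper(path):
    """True if the file's MD5 equals the dropper hash reported in the diary."""
    return md5_of_file(path) == DROPPER_MD5


def find_c2_connections(log_text, host=C2_HOST, port=C2_PORT):
    """Return (source_ip, line) for each log line that reached host:port.
    Host *and* port must match: the same host on another port may be
    unrelated traffic and deserves a lower-confidence alert, not this one."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m and m.group("dst") == host and int(m.group("dpt")) == port:
            hits.append((m.group("src"), line))
    return hits


def internal_hosts_to_investigate(log_text):
    """Deduplicated, sorted list of internal sources that contacted the callback."""
    return sorted({src for src, _ in find_c2_connections(log_text)})


if __name__ == "__main__":
    for src in internal_hosts_to_investigate(SAMPLE_LOG):
        print("callback to %s:%d observed from %s" % (C2_HOST, C2_PORT, src))
```

Any internal host the sweep returns should be pulled for the MD5 check on recently downloaded files; the hash alone misses repacked variants, so the network indicator is the broader of the two.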

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Remember the news about the iPhone recording all the places it goes? iPhoneTracker was developed to map that information when the iPhone is synchronized with an OS X machine. Handler Bojan ported it to Linux and named it iPhoneMap. I tested it myself on Cygwin and it works perfectly.

You need to install the DBD-SQLite and DBI Perl modules before running the application. After the installation, go to C:\Users\your user name\AppData\Roaming\Apple Computer\MobileSync\Backup. You will find a directory about 41 characters long that looks very much like a SHA1 hash. Go into that directory and run the find_sqlite.py script inside it. It will give you the name of the file containing the stored GPS information. After that, issue the following command:



If you open your index.html file with your favorite browser, you will see a map like this one:
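The step that trips people up is locating the right database, because files in a MobileSync backup are named by hash and carry no extension. The following is an added example, not Bojan's iPhoneMap nor its find_sqlite.py: a stand-alone reimplementation of that step that identifies SQLite files by their 16-byte header and reports which of them contain a table with latitude and longitude columns. The column names, the `CellLocation` table in the sample, the hash-like file names and the coordinates are all constructed or assumed for this example; `make_sample_backup` builds a throw-away directory so it runs without a real backup.

```python
# Added example (not iPhoneMap's find_sqlite.py): find the SQLite database in an
# iOS backup directory that holds location data.
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of every SQLite 3 file
LOCATION_COLUMNS = {"latitude", "longitude"}   # assumed column names for a location table


def is_sqlite_file(path):
    """Detect a SQLite database by its header; backup file names have no extension."""
    try:
        with open(path, "rb") as f:
            return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def location_tables(db_path):
    """Names of tables in db_path whose columns include latitude and longitude."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"   # read-only: never alter evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        hits = []
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            cols = {r[1].lower() for r in con.execute("PRAGMA table_info(%s)" % quoted)}
            if LOCATION_COLUMNS <= cols:
                hits.append(name)
        return hits
    finally:
        con.close()


def find_location_databases(backup_dir):
    """Walk backup_dir and return [(path, [table, ...]), ...] sorted by path."""
    results = []
    for root, _, files in os.walk(backup_dir):
        for fname in files:
            path = os.path.join(root, fname)
            if not is_sqlite_file(path):
                continue
            try:
                tables = location_tables(path)
            except sqlite3.DatabaseError:
                continue          # header matched but the file is truncated or damaged
            if tables:
                results.append((path, tables))
    return sorted(results)


def make_sample_backup():
    """Constructed stand-in for a MobileSync backup: hash-like names, one database
    with a location table, one without, and one file that is not SQLite at all."""
    d = tempfile.mkdtemp(prefix="mobilesync-sample-")
    con = sqlite3.connect(os.path.join(d, "0123456789abcdef0123456789abcdef01234567"))
    con.execute("CREATE TABLE CellLocation (MCC INT, MNC INT, Timestamp REAL, "
                "Latitude REAL, Longitude REAL)")
    con.execute("INSERT INTO CellLocation VALUES (732, 101, 324000000.0, 6.2442, -75.5812)")
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(d, "fedcba9876543210fedcba9876543210fedcba98"))
    con.execute("CREATE TABLE message (ROWID INT, text TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(d, "Manifest.plist"), "wb") as f:
        f.write(b"bplist00" + b"\x00" * 24)   # binary plist header, not a database
    return d


if __name__ == "__main__":
    for path, tables in find_location_databases(make_sample_backup()):
        print(path, "->", ", ".join(tables))
```

Point `find_location_databases` at the hash-named directory under MobileSync\Backup instead of the sample; opening the databases with `mode=ro` matters when the backup is evidence, since a plain `sqlite3.connect` can create journal files next to the originals.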


-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe is fixing a serious vulnerability affecting its Reader and Acrobat products. The update affects current versions of Adobe Reader and Acrobat X for Windows.

 
HP Network Automation Unspecified Information Disclosure Vulnerability
 
Amazon's prolonged outage of cloud services has the potential to set back cloud adoption by giving businesses -- especially those already on the fence -- a strong reason to go slow.
 
Mozilla Firefox CSS Handling Status Bar Spoofing Vulnerability
 
Google Chrome CSS Handling Status Bar Spoofing Vulnerability
 
The allegedly kidnapped son of Eugene Kaspersky, founder of Moscow-based security vendor Kaspersky Labs, has been freed by his captors in Russia, according to unconfirmed news reports.
 
Google launched a beta test this week of Google Offers, which could compete head-to-head with the increasingly popular Groupon discount service.
 
IBM has configured its new BPM software to help small and mid-sized organizations set up their own automated workflows just like big businesses do.
 
Microsoft Internet Explorer CSS Handling Status Bar Spoofing Vulnerability
 

Although perimeter security controls are well publicized, many suppliers offer them in different countries, and these devices fit all types of budgets, there are still security problems in custom applications developed within companies that are not so easily solved.



In the modern corporate world, the immediacy of business is a predominant feature. For those responsible for computer security this is a challenge, because we need to find a balance between what the business needs, the time available for a solution, and the risk to information assets that the company can tolerate.

This week we were dealing with an incident involving unauthorized access to, and information leakage from, a web application. When we analyzed the IPS logs, we found the following:





This pattern was repeated continuously across a number of the web pages that make up the application. All requests were served successfully. I asked the following questions:



Where is the check of the Referer header? Although this header is very easy to spoof with any of the intercepting proxies used in vulnerability analysis, it is enough to hinder people who download the web page to their computers, modify the HTML source to change the parameters of the form actions, and continue their transactions from the stored page.
Where is the session ID issued by Tomcat for this HTTP request? I asked what had happened to the Tomcat configuration that requires a session when a different servlet is invoked. The natural behavior I expected to see was a redirect to the home page asking for a username and password. The response I received was that the functionality was not implemented because the business was waiting for an urgent application to go out with a public campaign, and that this functionality would be covered once the campaign ended.
That response led me to another question: is a session timeout implemented? I received the same answer: it was not implemented, for the same reasons outlined above.

We found another repeated pattern of packets, which turned out to be the root cause of the incident:



Someone with interactive access to the server had uploaded a modified servlet, which the attacker then invoked in the HTTP request, making it possible to modify and retrieve information from the application.
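The three questions above (no Referer check, no session, no timeout) and the root cause (a servlet that was never part of the deployment) can all be turned into checks over the IPS or access log. The following is an added example, not the application's code nor anything from the diary: it parses constructed request records in a simplified log layout and flags requests to protected resources without a JSESSIONID cookie, POSTs whose Referer is absent or not from the application host, and requests for servlet paths outside a known inventory. The host name `app.example.com`, the servlet inventory, the log format and the sample lines are all assumptions made for this example.

```python
# Added example (not from the ISC diary): flag the request patterns the diary
# describes in constructed IPS/access-log records.
import re
from urllib.parse import urlsplit

APP_HOST = "app.example.com"                          # assumed application host
DEPLOYED_SERVLETS = {"/app/LoginServlet", "/app/MenuServlet",
                     "/app/TransferServlet"}          # assumed inventory from the deployment descriptor
PUBLIC_PATHS = {"/app/LoginServlet"}                  # reachable without an established session

# Constructed request records in an assumed simplified log layout.
SAMPLE_LOG = """\
2011-04-21T10:00:01 10.1.1.5 "GET /app/LoginServlet HTTP/1.1" referer="-" cookie="-"
2011-04-21T10:00:07 10.1.1.5 "POST /app/TransferServlet HTTP/1.1" referer="https://app.example.com/app/MenuServlet" cookie="JSESSIONID=1A2B3C"
2011-04-21T10:01:15 203.0.113.9 "POST /app/TransferServlet HTTP/1.1" referer="-" cookie="-"
2011-04-21T10:01:16 203.0.113.9 "POST /app/TransferServlet HTTP/1.1" referer="file:///C:/saved/form.html" cookie="-"
2011-04-21T10:02:30 203.0.113.9 "GET /app/ExportServlet?all=1 HTTP/1.1" referer="-" cookie="JSESSIONID=9Z8Y7X"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'referer="(?P<referer>[^"]*)" cookie="(?P<cookie>[^"]*)"$')


def parse_line(line):
    """Split one record into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_request(rec):
    """Return the list of policy findings for one parsed request (empty if clean)."""
    findings = []
    path = urlsplit(rec["target"]).path
    # Protected resources must carry the container's session cookie.
    if path not in PUBLIC_PATHS and "JSESSIONID=" not in rec["cookie"]:
        findings.append("no session cookie on a protected resource")
    # The Referer is spoofable, so this is a weak signal; a local file:// or
    # missing value on a state-changing POST still matches the saved-page case.
    if rec["method"] == "POST" and urlsplit(rec["referer"]).hostname != APP_HOST:
        findings.append("Referer missing or not from the application host")
    # Anything outside the deployed inventory is the uploaded-servlet case.
    if path not in DEPLOYED_SERVLETS:
        findings.append("servlet not in the deployed inventory")
    return findings


def analyse(log_text):
    """Return (source, target, finding) rows for every finding in the log."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for finding in check_request(rec):
            rows.append((rec["src"], rec["target"], finding))
    return rows


def suspicious_sources(log_text):
    """Sorted, deduplicated sources with at least one finding."""
    return sorted({src for src, _, _ in analyse(log_text)})


if __name__ == "__main__":
    for src, target, finding in analyse(SAMPLE_LOG):
        print("%-12s %-32s %s" % (src, target, finding))
```

The inventory check is the one that would have caught the root cause here: a servlet path that appears in traffic but not in the application's deployment descriptor is worth an alert regardless of whether a session is present.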

The lessons learned from the case are as follows:

Periodically review the baseline information security measures for the computers that make up your company's IT infrastructure and verify that every device has them in its own settings. If any device cannot implement a measure, document it and minimize the risk with another control.
Do not skip the normal software development process, especially the steps involving functional testing and security testing. Any error that shows up in production will be far more costly than discovering and correcting it before releasing the application to users.
According to the authentication means, the risk to information assets and the security controls in place at your company, define a security architecture for applications that includes the method for input data validation, internal processing controls, message integrity, validation of output data, data encryption, file security and system audit logs.
Although you may become the victim of a gang of cyber criminals seeking to compromise the business's information and finances, the vast majority of incidents arise from vulnerabilities that are well documented and widely known, and that materialize because of carelessness when implementing IT solutions for the business.
It is clear that security measures can never be an obstacle to achieving business goals, but keep in mind that business goals can be seriously affected by faults or negligence in the implementation of information security controls.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A Who's Who of IT bellwethers including Apple, IBM, Intel and Qualcomm issued strong financial reports this week, the height of earnings season, reinforcing forecasts for a strong year for the tech sector.
 
The Document Foundation on Friday announced a second beta for LibreOffice 3.4, the offshoot of the OpenOffice.org codebase, one week after Oracle said it would no longer sell a commercial version of the productivity suite.
 
Contention and biases among technology and business factions can derail the deployment of unified communications systems that are efficient, cost-effective and simple enough to use so they actually get adopted by end users, according to a Forrester Research study.
 
QEMU KVM 'virtio-blk' Driver Local Privilege Escalation Vulnerability
 
Amazon.com is well into the second day of trying to fix a cloud outage that has partially disabled or knocked out several popular websites, including Quora, Foursquare and Reddit.
 
PHP 'phar/tar.c' Heap Buffer Overflow Vulnerability
 
Zenphoto 'x-forwarded-for' Header HTML Injection Vulnerability
 
SanDisk and its partner Toshiba announced this week a 64Gbit NAND flash memory chip using 19-nanometer (nm) technology, a process one size smaller than the memory chip Intel and Micron announced last week.
 
The availability of the iPhone on Verizon and AT&T's discount on the iPhone 3GS kept Android at bay in the enterprise, at least for customers of Good Technology.
 
Samsung Electronics has hit back at Apple, filing lawsuits in three countries in which it alleges that Apple infringed on Samsung patents on smartphone technologies. Apple had filed suit against Samsung last week, claiming that the consumer electronics maker used features copied from Apple's iPad, iPod Touch and iPhone in its Galaxy smartphone and Galaxy Tab tablet PC.
 
Japan's Asahi Glass will soon begin producing glass for touch panels on smartphones and tablet PCs that is thinner than sheets from competitors. The glass could contribute to making smartphones and tablet PCs thinner and lighter.
 
Renesas Electronics expects to restart production at a quake-hit factory in east Japan in mid June, about two weeks earlier than initially planned, it said Friday.
 
Microsoft's Project Barcelona is creating Web-like indexing tools to manage the explosion of enterprise data.
 
Financial services firms are beginning to use social networking sites to promote services to corporate customers, set up private online forums and monitor what customers say about them.
 
InfoSec News: Navy gives contract for cyber support: http://www.upi.com/Business_News/Security-Industry/2011/04/21/Navy-gives-contract-for-cyber-support/UPI-61591303391774/
United Press International April 21, 2011
MCLEAN, Va., April 21 (UPI) -- Virginia's Booz Allen Hamilton has been awarded a contract to support the U.S. [...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2011-16: ========================================================================
The Secunia Weekly Advisory Summary 2011-04-14 - 2011-04-21
This week: 101 advisories [...]
 
InfoSec News: Is China winning the cyber war?: http://fcw.com/articles/2011/04/25/buzz-china-cyber-spying.aspx
By Michael Hardy FCW.com April 21, 2011
The Cold War took its name from the relative lack of shooting that characterized it. The United States and Soviet Union fought one another politically, diplomatically and economically but rarely with guns or tanks. It was not a hot war.
We have a couple of hot wars going on now, but there's another cold war under way, too -- one being fought between the United States and China, primarily using IT.
And it looks as though China has the upper hand at the moment.
"According to U.S. investigators, China has stolen terabytes of sensitive data, from user names and passwords for State Department computers to designs for multibillion-dollar weapons systems," write Brian Grow and Mark Hosenball in a report for Reuters. "And Chinese hackers show no signs of letting up."
[...]
 
InfoSec News: 2nd CfP: CRiSIS 2011: Risks and Security of Internet and Systems: Forwarded from: Marius Minea <marius (at) cs.upt.ro>
CALL FOR PAPERS [ PDF version at: http://crisis2011.cs.upt.ro/CRiSIS2011-CfP.pdf ]
The Sixth International Conference on Risks and Security of Internet and Systems CRiSIS 2011 Timisoara, Romania, 26-28 September 2011 [...]
 
InfoSec News: Phishing Attack Hits Oak Ridge National Laboratory: http://www.informationweek.com/news/government/security/229402048
By Elizabeth Montalbano InformationWeek April 21, 2011
The Department of Energy's Oak Ridge National Laboratory is investigating a sophisticated phishing attack that forced it to shut down email and Internet access last week. [...]
 
InfoSec News: Stuxnet-like attacks beckon as 50 new Scada threats discovered: http://www.v3.co.uk/v3-uk/news/2045556/stuxnet-attacks-beckon-scada-threats-discovered
By Phil Muncaster V3.co.uk 21 Apr 2011
Cyber criminals appear to be ramping up their interest in industrial control systems after research from application security management firm [...]
 
InfoSec News: Carder Pleads Guilty to Fraud Involving $36 Million in Losses: http://www.wired.com/threatlevel/2011/04/rogelio-hackett-guilty/
By Kim Zetter Threat Level Wired.com April 21, 2011
A hacker and carder has pleaded guilty to trafficking in more than half a million stolen card numbers that resulted in $36 million in fraud losses.
Rogelio Hackett, Jr. [...]
 
InfoSec News: Hundreds log into a rogue wireless hotspot at Infosec conference: http://www.theinquirer.net/inquirer/news/2045528/hundreds-log-rogue-wireless-hotspot-infosec-conference
By Asavin Wattanajantra The Inquirer April 21, 2011
HUNDREDS OF PEOPLE attending London's Infosec conference logged into a rogue wireless hotspot that could have left them open to attack by [...]
 

Posted by InfoSec News on Apr 22

http://www.wired.com/threatlevel/2011/04/rogelio-hackett-guilty/

By Kim Zetter
Threat Level
Wired.com
April 21, 2011

A hacker and carder has pleaded guilty to trafficking in more than half
a million stolen card numbers that resulted in $36 million in fraud
losses.

Rogelio Hackett, Jr., 26, pleaded guilty Thursday in Virginia to one
count of access device fraud and one count of aggravated identity theft.

The hacker was arrested in 2009 for...
 

Posted by InfoSec News on Apr 22

http://www.theinquirer.net/inquirer/news/2045528/hundreds-log-rogue-wireless-hotspot-infosec-conference

By Asavin Wattanajantra
The Inquirer
April 21, 2011

HUNDREDS OF PEOPLE attending London's Infosec conference logged into a
rogue wireless hotspot that could have left them open to attack by
hackers.

For a couple of hours on days one and two of the conference, insecurity
firm Cryptocard created a wireless hotspot called...
 

Posted by InfoSec News on Apr 22

http://www.upi.com/Business_News/Security-Industry/2011/04/21/Navy-gives-contract-for-cyber-support/UPI-61591303391774/

United Press International
April 21, 2011

MCLEAN, Va., April 21 (UPI) -- Virginia's Booz Allen Hamilton has been
awarded a contract to support the U.S. Space and Naval Warfare Systems
Center Pacific.

The contract is worth $71.5 million over two years and has a potential
value of $189.4 million over five years.

Under...
 

Posted by InfoSec News on Apr 22

========================================================================

The Secunia Weekly Advisory Summary
2011-04-14 - 2011-04-21

This week: 101 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on Apr 22

http://fcw.com/articles/2011/04/25/buzz-china-cyber-spying.aspx

By Michael Hardy
FCW.com
April 21, 2011

The Cold War took its name from the relative lack of shooting that
characterized it. The United States and Soviet Union fought one another
politically, diplomatically and economically but rarely with guns or
tanks. It was not a hot war.

We have a couple of hot wars going on now, but there's another cold war
under way, too -- one...
 

Posted by InfoSec News on Apr 22

Forwarded from: Marius Minea <marius (at) cs.upt.ro>

CALL FOR PAPERS
[ PDF version at: http://crisis2011.cs.upt.ro/CRiSIS2011-CfP.pdf ]

The Sixth International Conference on
Risks and Security of Internet and Systems
CRiSIS 2011
Timisoara, Romania, 26-28 September 2011
http://www.crisis-conference.org/

IEEE Computer...
 

Posted by InfoSec News on Apr 22

http://www.informationweek.com/news/government/security/229402048

By Elizabeth Montalbano
InformationWeek
April 21, 2011

The Department of Energy's Oak Ridge National Laboratory is
investigating a sophisticated phishing attack that forced it to shut
down email and Internet access last week.

As of Thursday, external email and Internet service was still not back
online at the lab, though employees were once again allowed use of their...
 

Posted by InfoSec News on Apr 22

http://www.v3.co.uk/v3-uk/news/2045556/stuxnet-attacks-beckon-scada-threats-discovered

By Phil Muncaster
V3.co.uk
21 Apr 2011

Cyber criminals appear to be ramping up their interest in industrial
control systems after research from application security management firm
Idappcom found 52 new threats in March targeted at supervisory control
and data acquisition (Scada) systems of the sort hit by the infamous
Stuxnet worm.

Tony Haywood, chief...
 
rdesktop Disk Redirection Directory Traversal Vulnerability
 


Intel pushes security features in Sandy Bridge Core platform
V3.co.uk
At the Infosec security show this week, Intel disclosed findings from a pan-European study into the true cost to businesses of data breaches from lost laptops in particular. The report claims that the average figure adds up to £31148, when regulatory ...
Intel will leave McAfee alone, but it can secure our chips (The Inquirer)

 


Infosec: Battle To Find A Future Security Chief Begins
eWEEK Europe UK
The search to find the Cyber Security Champion 2012 is beginning. Last year, the winner of the competition was Wakefield postman Dan Summers, despite competition from security professionals. The idea behind the Cyber Security Challenge is to promote IT ...

 

