InfoSec News

Ed Skoudis presents his annual Christmas challenge; here are the details. Enjoy!

Happy Holidays, challenge fans! Ed Skoudis here, with this year's holiday hacking challenge.

Have you ever seen the classic video A Charlie Brown Christmas, and pondered why Charlie Brown is so upset at the start of the video? Also, have you ever wondered why the rest of the Peanuts gang is so focused on the materialism of the Christmas season? Well, this year's hacking challenge answers these questions. In our tale, you'll discover that something happened before the start of the Charlie Brown Christmas video that put these characters into such a state. That something is what we like to call...

The Nightmare Before Charlie Brown's Christmas

These challenges, which are an annual tradition here at EthicalHacker.net, are designed to help people develop their skills, show off their abilities, and have some fun. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself. And who can forget last year's Miracle on Thirty-Hack Street. Read this challenge, answer the questions, and send your responses in by January 3, 2011. We'll choose three winners, each of whom will get an autographed copy of my Counter Hack Reloaded book. One prize will go to the best technical answer, another to the most creative answer that is technically correct, and the final prize is based on a random draw from every person who submits an answer. Even if you have no idea whatsoever for how to answer the questions, send in your best shot to be entered in the random draw. And now, without further ado, the curtain rises on our story...

http://www.ethicalhacker.net/content/view/344/2/

Enjoy and happy holidays.

Mark H





(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Somehow somebody put a link to a pornographic chat site on a Barbie.com page used to promote Barbie Video Girl, a version of the iconic doll that comes with an embedded video camera.
 
The company is introducing a widget runtime platform based on Wholesale Applications Community spec.
 
New CEO Arun Oberoi doesn't exactly bristle at Viridity Software getting lumped into the Green IT vendor category, but he wants to make sure the Burlington, Mass., company is seen as more than that.
 
Internet telephony giant Skype blamed its peer-to-peer interconnection system for a problem that some reports said resulted in millions of users being unable to make calls using the service on Wednesday.
 
* 16:04 PMCST 12/22/10 by jcb *
A 0-day exploit has been published at exploit-db (see the US-CERT advisory) that takes advantage of a memory corruption vulnerability in IIS 7.5's FTP service. This bug works pre-authentication.
From the looks of it, it is a pure remote exploit whose chief use would be denial of service. As with any memory corruption bug, it is theoretically possible to use this to gain access to the server with the permissions of the user running IIS. I think that would be difficult in this case, but time will tell. It is, nevertheless, a serious bug that at present has no patch. (As of this writing, Microsoft hasn't confirmed it is an issue.)
Some defenses would be limiting FTP services that are internet-facing (especially if IIS), using firewalls to limit access to the server, and configuring perimeter devices to check for memory attacks.
More details will be published here as we have them.
--

John Bambenek

bambenek at gmail /dot/ com
 
The U.S. Federal Trade Commission has filed a lawsuit asking a court to stop a "far-reaching" Internet enterprise that allegedly made millions of dollars by luring customers into trial memberships for bogus government grants and money-making schemes, then repeatedly charging them monthly fees for memberships they never ordered.
 
Santa decides what to give IT industry bigwigs, who were all over the naughty list this year.
 
Job prospects appear to be looking up for IT professionals, as multiple surveys suggest that large companies expect to slowly add staff next year.
 
Mozilla released Beta 8 of the Firefox 4 browser Wednesday, about a month later than planned.
 
A Blaine, Minn., man has pleaded guilty to charges that he hacked into his neighbor's Wi-Fi connection to e-mail death threats and child pornography, apparently with the intention of causing trouble for the unsuspecting neighbor.
 
www.eVuln.com : HTTP Response Splitting in Social Share
 
The Metasploit Framework contains exploit code that targets a recently uncovered zero-day vulnerability in Internet Explorer.

 
Dell plans to acquire cloud-based healthcare archive services provider InSite. The move follows Dell's purchase of IT services provider Perot last year.
 
Harvard study finds increasing DDoS attacks against human rights, dissident sites without the means to adequately defend themselves.
 
Rumors swirl around Microsoft preparing an ARM-based tablet version of Windows for CES 2011.
 
A New Jersey IT consulting firm has reached a plea agreement with the federal government to settle an H-1B fraud case brought against it in 2009.
 
The FCC's decision to create new net neutrality rules gets a mixed reaction.
 
[SECURITY] [DSA-2136-1] New tor packages fix potential code execution
 
VMSA-2010-0020 VMware ESXi 4.1 Update Installer SFCB Authentication Flaw
 
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-04
 
VSR Advisories: Citrix Access Gateway Command Injection Vulnerability
 
CIO Joe Beery of Life Technologies has found an answer to the age-old question, "What has IT done for me lately?" Earlier this year, he gave top executives and a pilot group of sales folks and finance staff one of the hottest emerging technologies to arrive on the enterprise scene: mobile business intelligence.
 
 
Reader discussions and comments on the hottest Computerworld stories for the week of December 20, 2010.
 
A look at the FCC's net neutrality outline.
 
Tor Unspecified Heap Based Buffer Overflow Vulnerability
 
Company data belonging to customers of Microsoft's hosted business suite BPOS has been accessed and downloaded by other users of the software.
 
Rumors swirl around Microsoft preparing a tablet version of Windows for the CES show.
 
Motorola Mobility, which includes Motorola's mobile device and home business, has acquired media streaming company Zecte.
 
Our manager finds a way to enable iPhones and Android devices to be used on the corporate network.
 
Teradata is planning to buy integrated marketing software vendor Aprimo for $525 million, the company announced Wednesday. The transaction is expected to close in the first quarter of next year.
 
Sony launched a subscription streaming music service Wednesday, furthering its plan to offer a range of content via the Internet to its consumer electronics devices.
 
Former Auto Warehousing Co. CIO Dale Frantz was a rising star at the company and in the IT industry, but he was also a thief. He was sentenced this month to serve nearly six years in prison for embezzling more than $500,000 from the company.
 
OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities
 
OpenSSL 'zlib' Compression Memory Leak Remote Denial of Service Vulnerability
 
OpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Packet Denial of Service Vulnerability
 
Microsoft has pulled a non-security update to Outlook 2007 after customers complained of connection and performance issues when the automatic update was applied to company machines.

 
A universal remote control saved my marriage.
 
Why might you want to add a business services layer to your data center's private cloud computing effort? John Stetic of Novell shares his opinion.
 
Microsoft IIS FTP Service Remote Buffer Overflow Vulnerability
 
Microsoft WMI Administrative Tools ActiveX Control Remote Code Execution Vulnerability
 
Microsoft is investigating claims by security researchers of an unpatched bug in Internet Explorer that could be used to hijack Windows-based PCs.
 
Apple's iPad is easily the IT product of the year. But will it have an equivalent impact on enterprise IT, beyond its current status of must-have gadget for the up-to-the-minute executive?
 
Some of the first tablets to challenge the iPad are from Archos, Samsung and ViewSonic. We try them out.
 
The Alcatel-Lucent backed Multimedia Patent Trust (MPT) has filed a lawsuit against Apple, Canon, LG Electronics and TiVo accusing them of infringing its patents on video compression.
 
The H-1B and L-1 visa program is becoming an increasingly important source of money for Congress as it tries to pay for the cost of new legislation, including the pending 9/11 health bill.
 
Facebook CEO Mark Zuckerberg continued his tour of China on Wednesday and met the head of Sina, the operator of a popular microblogging service and Internet portal.
 
Synology America Corp on Tuesday announced the release of its newest server, the Disk Station DS1511+.
 
The latest iteration of Red Hat's iconic Linux distribution offers some shops a substantial upgrade and, for others, a fork in the road.
 
Classified Component for Joomla! SQL Injection Vulnerability
 