InfoSec News

Oracle Java SE CVE-2012-1711 Remote Java Runtime Environment Vulnerability
On Saturday, British mathematician Alan Turing would have turned 100 years old. It is barely fathomable to think that none of the computing power surrounding us today was around when he was born.
ACDsee Pro Multiple Image Parsing Memory Corruption Vulnerabilities
Sielco Sistemi Winlog Lite Buffer Overflow Vulnerability
XnView Multiple Image Decompression Memory Corruption Vulnerabilities
Believe it or not, it's been nearly four and a half years since Apple released the original MacBook Air. At the time, it was revolutionary in terms of its size and weight, but it also was slow, had little storage, had only a single USB port for expansion, and was very expensive--it started at $1799, and if you wanted solid-state storage, the price increased dramatically (by $999!). As Jason Snell wrote at the time, "laptop design has always been about compromise," and the original Air required some painful compromises.
Pidgin XMPP Protocol File Transfer Request Handling Denial of Service Vulnerability
arpwatch CVE-2012-2653 Security Bypass Vulnerability
Re: Sielco Sistemi Winlog Buffer Overflow <= v2.07.14
Tech finally got a dose of good news this week from enterprise vendors including Oracle and Red Hat, which offered up some solid financial reports even as analysts continued to downgrade forecasts for IT spending this year.
Virtualenv Insecure Temporary File Creation Vulnerability
Re: Mybb 1.6.8 'announcements.php' Sql Injection Vulnerability

Yeah, I know, I probably get the prize for the ISC Diaries with the weirdest titles lately. Blame it on the bad guys, who are showing more creativity in naming their malware than I ever would be able to muster ... and who also don't seem to know the difference between a forest and a Forrest :).
The latest malware sample is what Symantec calls JS.Runfore. A recent URL might tell you why:
http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx (don't click)
Plenty of web pages currently seem to be infected with manipulated / changed jsquery files, which contain obfuscated JavaScript code that generates the foresty URLs. The domain names generated change based on time and date. Successful connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload. The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 Error.
Here's a recent Wepawet report for an infected site (OK to click, but better don't click on any of the links in the report)


Please let us know in the comments below or via our contact form if you have additional information on Forrest (or Jenny, or Lieutenant Dan :).

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
An organization headed by a former federal CIO contends that despite Google's claims, its consumer privacy policy does apply to government customers in some cases.
Adobe yesterday updated Flash Player to solve a weeks-long problem for users of Mozilla's Firefox browser.
Like the global economy, the world of project management and collaboration software seems to be divided into two significant groups: the "haves" and the "have-nots".
[security bulletin] HPSBOV02793 SSRT100891 rev.1 - HP OpenVMS running SSL, Remote Denial of Service (DoS), Unauthorized Access
[security bulletin] HPSBOV02780 SSRT100766 rev.2 - HP OpenVMS ACMELOGIN, Local Unauthorized Access and Increased Privileges
ZDI-12-099 : DataDirect OpenAccess oaagent.exe GIOP Remote Code Execution Vulnerability
This initially started off as a diary entry about creating final reports during the Lessons Learned phase of incident response, but I kept referring back to the timeline and realized that it needed an entry of its own.
Investigation is all about answering the who, what, where, when, why and how questions. One indispensable tool for organizing this process is the timeline. It can be as simple as a quick sketch in a notebook or as complex as an interactive infographic. It will start off as an un-sorted, un-structured collection of data and if curated properly it will become a tool that will unify your investigation efforts, help identify gaps, and enable you to communicate clearly to management.
What Makes up a Timeline?
The core element of a timeline is the event. An event can be described as a set of:

Time-- either precise, or uncertain, (e.g. before Tuesday)

Place-- physical location, IP address, file-location, etc.

Person-- the actor, known or unknown

Action-- the what happened part of the event

Direct object-- if the what happened happened to someone or something, this is that someone or something.

Additionally, as events are processed you will want to enrich their entries with:

Tags-- events will be tagged to help pull out the important events during different stages, as well as help create documents needed later in the investigation
Evidence-- it's cumbersome and unwieldy to just drop a raw log entry into a timeline, but you will want to provide evidence that an event occurred.

Dealing with Uncertainty
Investigations are constantly dealing with uncertainty. At the beginning of an investigation you have very little information and a seemingly uncountable list of unanswered questions. It's okay to place empty squares on your timeline that say things like "victim was web surfing" or leave a blank in one of the time/place/person fields of an event. This helps you call out what you don't know and will help refocus your resources or re-prioritize your efforts. Being able to inventory your unknowns is probably a better measure of the progress of your investigation than counting the Gigabytes you've acquired, the number of lines of log files you've analyzed, or other metrics of effort.
Where to Start
When confronted with the empty page, you can start with when you were informed. This will form the basis of a response timeline. Next you can add events from the report that came in (e.g. the IDS alert, or escalation from your NOC, or 3rd party report.) Gathering events will come naturally as you ask questions about the incident and data comes in. For an example of semi-automated timeline creation I recommend a read of Rob Lee's SUPER timeline (http://computer-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation)
Using the Timeline for Coordination
Timeline creation can be spread across multiple teams. For example, your IDS team could build what they see, the firewall team does their part, while system administrators and digital forensic teams will perform their own version of an investigation and can provide you with a list of events. If you agree upon a common tool and standardized format ahead of time, this can allow you to tackle large, complex cases by distributing effort without losing too much context. A very simple format could involve spreadsheets that track: date, time, timezone, person, place, action, tags, evidence link. These could be collected from the different teams, merged, sorted and visualized.
Tagging and Aggregation
Now you've got what seems like a jumbled, insurmountable mess spread across multiple spreadsheets, and stuck in text files-- not to mention crucial details hiding in Visio diagrams, PowerPoints and emails. All of which have references to the memory and drive images that you've taken, the log files you've preserved and the pcap files that were captured. How is a timeline making this any easier?
The timeline is supposed to help you get organized, not clutter everything up. So if you're tasked with coordinating the timeline events from other groups, you will want to settle upon one tool for your own sake. As you're processing/reviewing events you'll want to tag them to note:

critical phases in the incident response noting when the team determined entry into a new phase (e.g. containment commences, remediation complete)
the interpreted phase of the attack (e.g. recon, exfiltration)
Control failure/opportunity (e.g. attack identified in system logs, but no IDS alert fired)

You will also need to perform quite a bit of data-reduction to turn a fully-populated timeline into something usable by management and other groups. All of the effort spent tagging events will pay off in this stage since you will be able to easily determine with a little bit of filtering on your spreadsheet (or whatever tool you're using) when recon was started, when the first successful attack struck, when you detected the breach, how long it took to resolve. This is what others are going to be interested in. A set of events can be aggregated and summarized into an overall event renamed using higher-level language, e.g. in that case, flag that as a finding which you'll use later. You may also glean additional insight into the case by examining the blind-spots in the case, or struggling to untangle a set of event-chains. It could be that you're dealing with more than one attacker who happened to leverage the same vulnerability in your network and thus have overlapping incidents.
The Products of a Good Timeline
You should be able to walk through a chain of events and it should feel consistent, and if you've carefully linked to the evidence a compelling narrative of events will emerge. It should be easy to build after-action reports describing the series of events. Metrics for response should naturally come out of the timeline: each phase of the incident response process, time between event and detection, elapsed time from detection to remediation, etc. Preparing a case for law-enforcement should follow naturally from the timeline. The Lessons Learned document can be pre-populated by using the Control Failure/Opportunity tagged events (there are going to be other non-temporal issues like a lack of patches or weak separation of duties.)
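An added example (not part of the original diary) of the workflow described above: per-team sheets in the suggested column layout are merged, normalized to UTC and sorted, events with an unknown time are inventoried separately, and response metrics are read off the tagged events. The sample rows, tag names and evidence paths are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample sheets, one per team, in the column layout the diary suggests.
IDS_SHEET = """date,time,timezone,person,place,action,tags,evidence
2012-06-18,22:14:05,+0000,unknown,10.0.0.5,port scan of DMZ,attack:recon,ids/alert-1041.txt
2012-06-19,14:20:00,+0000,IDS analyst,SOC,alert escalated to IR,ir:detection,tickets/4711.txt
"""
ADMIN_SHEET = """date,time,timezone,person,place,action,tags,evidence
2012-06-18,21:02:44,-0500,unknown,web01:/var/www,webshell written,attack:compromise;control-failure,logs/web01-access.log
2012-06-20,09:30:00,-0500,sysadmin,web01,host rebuilt,ir:remediation,tickets/4719.txt
2012-06-19,,-0500,unknown,web01,victim account used,,
"""

def load_events(sheet, team):
    """Parse one team's sheet; rows without a time are kept with utc=None."""
    events = []
    for row in csv.DictReader(io.StringIO(sheet)):
        row["team"] = team
        row["tags"] = set(filter(None, row["tags"].split(";")))
        row["utc"] = None  # uncertain time: leave the blank visible
        if row["time"]:
            stamp = f'{row["date"]} {row["time"]} {row["timezone"]}'
            local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
            row["utc"] = local.astimezone(timezone.utc)
        events.append(row)
    return events

def merge_timeline(*team_events):
    """Merge all teams' events; return (dated events sorted in UTC, unknown-time events)."""
    merged = [e for events in team_events for e in events]
    dated = sorted((e for e in merged if e["utc"] is not None), key=lambda e: e["utc"])
    unknowns = [e for e in merged if e["utc"] is None]
    return dated, unknowns

def first_tagged(timeline, tag):
    """Earliest event carrying the given tag, or None."""
    return next((e for e in timeline if tag in e["tags"]), None)

def response_metrics(timeline):
    """Elapsed time between tagged milestones (tag names are assumptions)."""
    hit = first_tagged(timeline, "attack:compromise")["utc"]
    seen = first_tagged(timeline, "ir:detection")["utc"]
    fixed = first_tagged(timeline, "ir:remediation")["utc"]
    return {"compromise_to_detection": seen - hit, "detection_to_remediation": fixed - seen}

if __name__ == "__main__":
    timeline, unknowns = merge_timeline(load_events(IDS_SHEET, "ids"),
                                        load_events(ADMIN_SHEET, "admin"))
    for e in timeline:
        print(e["utc"].isoformat(), e["team"], e["action"], sorted(e["tags"]))
    print("unknown time:", [e["action"] for e in unknowns])
    print(response_metrics(timeline))
```

Without the timezone column the webshell row (21:02 local, -0500) would sort before the port scan (22:14 UTC), reversing the recon and compromise steps in the narrative.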
You're Doing it Already
If timelines aren't a part of your standard investigative process, you're still very likely subconsciously going through the process. You're collecting the same amount of information as you try to solve the who, what, where, when, why and how questions and you're certainly organizing a chain of events in your head. Your raw case notes probably contain times, places, people, and actions, and you've got log files, and images, and pcaps just waiting to be turned into SUPER timelines. I bet your executive summary is written out as a series of aggregated events.
By keeping the timeline external, and using it to coordinate parts of an investigation, I hope this helps you tackle larger cases with less stress, and less sanity-loss.

The world's largest social network said Thursday that it is rolling out an editing feature that will let you fix errant posts.
Payment services provider PayPal will reward security researchers who discover vulnerabilities in its website with money, if they report their findings to the company in a responsible manner.
WordPress Schreikasten Plugin Multiple HTML Injection Vulnerabilities
ZDI-12-100 : HP OpenView Performance Manager PMParamHandler Remote Code Execution Vulnerability
ZDI-12-098 : AOL Products dnUpdater ActiveX Uninitialized Pointer Remote Code Execution Vulnerability
ZDI-12-097 : HP Data Protector Express Opcode 0x320 Parsing Remote Code Execution Vulnerability
ZDI-12-096 : HP Data Protector Express Opcode 0x330 Parsing Remote Code Execution Vulnerability
Microsoft yesterday announced that each of the three finalists in the BlueHat Prize $250,000 security contest came up with ways to detect and stymie one of the most effective exploit methods now being used by hackers.
The first release of the Surface tablet computers will be Wi-Fi-only, unnamed sources told the Washington Post.
Adobe Acrobat and Reader 'msiexec.exe' Search Path Remote Arbitrary Code Execution Vulnerability
Adobe Acrobat and Reader (CVE-2011-4372) Memory Corruption Vulnerability
This week features some more tools that will be helpful to skim daily. They are linked at https://isc.sans.edu/tools/#at-a-glance. We have some pages set up with a variety of information with some overlap so you can use what works best for you!
Quick list of right now, today - https://isc.sans.edu/today.html

Today's ISC Stormcast! - https://isc.sans.edu/today.html#stormcast
Today's Diaries - https://isc.sans.edu/today.html#diaries
Today's Headlines - https://isc.sans.edu/today.html#headlines

Security DASHBOARD - https://isc.sans.edu/dashboard.html

More information in a previous Feature at https://isc.sans.edu/diary/ISC+Feature+of+the+Week+Security+Dashboard/12550

Handler Diary Feed - https://isc.sans.edu/rssfeed.xml

Title Only RSSfeed of Handler Diaries for your favorite reader

Consolidated Security News Feed - https://isc.sans.edu/newssummary.xml

A reduced number of articles from our News Summary page

ISC Site Updates - https://isc.sans.edu/releasenotes.html

Dated list of notable updates to the ISC/DShield website. Another good way to stay informed about website features!
Page also has link to https://isc.sans.edu/releasenotes.xml so you can be notified of updates in your feed reader

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
It's rare to find entertainment-for-all-ages titles in the iOS App Store. Typically, there's little room between the throngs of uber-casual titles and the hardcore ports to find a game that has both the depth and breadth to be truly recommendable to all types of gamers. But Air Mail, a new flight simulator published by Chillingo (who discovers mobile studio talent better than anyone), might be just such a standout.
Google has launched an enterprise mapping service designed to let companies manage field crews via a Web-based administration console linked to an application on remote employees' smartphones.
If you were looking for a bright side to Apple's underwhelming updates to its Mac Pro line of tower computers, it would have to be that Apple hasn't forgotten that it makes such a product.
Hacktivist group UGNazi says it caused multiple Twitter outages Thursday. Update: Twitter says a "cascading bug" was to blame.

In May I created a poll to sample our readers' preferences concerning the delivery of patches from their vendors. Do you prefer the predictable delivery of a batch of security advisories and patches? Or do you prefer an as-they-become-available model? (https://isc.sans.edu/diary.html?storyid=13150)
After the first week, I was surprised that nearly two-thirds of the poll participants preferred the predictable batch method and the few comments that did come in, didn't match up with my expectation that the breakdown would be based on the size of the environment. Currently it's closer to my expectations showing about 3/4 prefer the as it becomes available method.
So, I have new hypotheses and have added a new level of detail to capture in this month's poll.
Considering the results of the poll (https://isc.sans.edu/poll.html?pollid=331results=Y) did it turn out the way that you expected?

-KL
Google is adding the ability for developers to respond to reviews and comments posted about their apps on the Play app store, the company said in a blog post on Thursday.
Sony said Friday it will invest $1 billion to increase its production capacity for the image sensors used in digital cameras, eyeing the booming market for smartphones, tablets and other camera-equipped gadgets.
Gamers have always demanded the fastest and most powerful systems. We tested three screamers to find the best laptop for the job.
Flipboard is now available for Android. The app, which aggregates content in a magazine-like format, also integrates content from Google+ and YouTube, a Flipboard blog post said on Friday.
Google has launched a location-based tool that combines its mapping technology and Android smartphones to deploy offsite staff effectively depending on their locations.
A Twitter executive last night offered an explanation for the cause of an outage that twice knocked Twitter offline around the world on Thursday.
In November 1983, a Cold War-era made-for-TV movie called 'The Day After' aired. It featured the nuclear destruction of Kansas City. A month later, the city of Takoma Park, Md. passed an act making it a nuclear-free zone.
Oracle JavaFX CVE-2012-0508 Remote Code Execution Vulnerability
HP OpenView Performance Manager CVE-2012-0127 Remote Code Execution Vulnerability
Apple QuickTime Prior To 7.7.2 Multiple Stack Overflow Vulnerabilities

In IT security, compliance continues to evolve
Crain's Cleveland Business (blog)
Because of the way that Infosec grew up, it's traditionally been seen as an ... This history is unfortunate, because in truth, Infosec is an organic process that ...

HP Data Protector Express Multiple Remote Code Execution Vulnerabilities
Facebook has settled a lawsuit in which it was alleged to have used the names and likeness of the plaintiffs without their prior consent in "Sponsored Stories" advertisements shown to their online friends on the social networking website, according to a motion filed by the plaintiffs in a federal court on Wednesday.

Perimeter security: IT's Maginot Line
ZDNet Australia
"An organisation can just go and give an infosec vendor a bucket load of money, and tick the box done, sorted ... That frustrates me, because organisations have ...

Internet Storm Center Infocon Status