InfoSec News

Yesterday's earthquake (centered in Virginia), along with Monday night's earthquake (centered in Colorado), got me thinking about disaster preparedness (again).
Lots of IT groups would like to do more in the area of BCP (Business Continuity Planning), but can't get budget because of a management philosophy that "disasters happen elsewhere". For many of my clients in this situation, these earthquakes are a nice wedge to demonstrate that disasters do in fact happen close to home - everyone had a bit of a pause today when the buildings, and us inside them, swayed back and forth for a minute.
If you have a good DR (Disaster Recovery) plan at work, now might be a good time to dust it off and make sure everything still works, while this is fresh in everyone's mind. Make sure that your plan truly reflects the needs of your organization. The IT side of DR is relatively simple - a second location, some servers, replication (often SAN or virtualization based), and you're getting there. Oh - and failing back to the production site is important (and often overlooked) as well; it needs to be tested just like the failover.
I've seen DR plans go down in flames where the IT group comes through 100%, all the backup servers are running, but for one reason or another the company can't do business. Think of things like: where does my main 1-800 telephone number go? How will we ship? How will we receive? There are hundreds of non-IT details that go into a working organization, and they should go into a good BCP strategy.
Don't neglect DR planning at home either. There are lots of good references on how to kit your house out for common disasters, but I particularly like the CDC guide on surviving the Zombie Apocalypse. If you can survive that, I'm thinking you're good for anything.
The whole DR topic is seeing real interest due to recent events - please use our comment form and let us know whether the recent earthquakes have shaken things up in your organization, and whether you are now stirred to consider changes in disaster preparedness at work or at home.
Rob VandenBrink, Metafore
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Sorry for the play on words, but really, we do.
I just finished a security assessment engagement, and the pentest part was one of my shortest in history. Part of the morning procedure for the helpdesk was to log in to their corporate critical infrastructure gear and verify status and history against a daily checklist. This included all the usual suspects - backups, critical servers, power, HVAC (Heating, Ventilation, AC), generator, the works. Good so far, right? Keep reading .... The client had a mix of some new and some older UPS controllers (smart PDUs actually); the older ones only supported telnet and http (no ssh or https). Because this gear was doing the job, the request to upgrade to the latest version of the gear (which *does* support encryption) was put off until the next budget year (2013).
Part of my internal pentest was to sniff for the easy stuff - ftp, telnet and the like (using a man-in-the-middle attack against the user VLAN's default router). Starting with this, especially in smaller environments, is almost a sure thing. I caught a telnet login to the UPS PDUs within 10 minutes of starting the session - and guess what? To keep things easy, they had used the same password for:
- UPS PDUs and controllers
- Domain Administrator
- SQL Server SA
- Firewall (vty access and enable)
- Routers and Switches (vty access and enable)
So, for want of 5K worth of upgraded hardware, all of the internal infrastructure was compromised - I had a first draft of the pentest section of the report done before my coffee was finished.

We've done a number of diaries on telnet over the years, but this message bears repeating: we see telnet over and over (and over), in big companies, small companies, financial, public sector, healthcare, whatever.
Scans for open telnet services on the public internet have their highs and lows, but even the low values remain consistently high.
Just to reiterate - compromising telnet is as easy as looking for it. It's not something that should be used in a modern IT group. And yes, Microsoft did us all a great service when they removed it from the default install in Windows 7.
Important Note - if you plan to run a Man in the Middle (MITM) attack against a busy router, be VERY SURE that you have the horsepower to do this. If you run out of CPU in the process, you will have ARP poisoned critical servers in the client's datacenter, potentially making them unreachable by clients. This can take up to 4 hours to clear up on its own (the default ARP timer on many routers and firewalls), depending on the gear. Also, be VERY SURE that you terminate the MITM gracefully when the process is complete (same risk here): a clean exit re-announces the real gateway and host MAC addresses, and if that fails, clearing the ARP cache on the affected router or firewall gets you back sooner than waiting for the timer.
Note 2 - Since 1994, the team has formally recommended using something other than plain text authentication due to potential network monitoring attacks. Disabling telnet (and rlogin, and any clear text authentication for admin) is a key recommendation in just about every hardening guide out there. FTP is another nice target - if you have an FTP server, do not allow any interactive user accounts to start an FTP session, as the credentials are sent in the clear. Similarly, do not host or transfer any sensitive information using FTP. If you plan to transfer any sensitive information over the public internet, use strong encryption (commonly implemented via FTPS, SFTP, HTTPS or SCP).
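What the sniffer side of that attack actually yields, as an added example (this is not the diary author's tooling and not code from the page): a parser that takes a reassembled telnet session as ordered client/server segments, strips the IAC option negotiation, honours backspace and DEL so a corrected password comes out as typed, pairs the login and password prompts with what the client sent, does the same for FTP's USER/PASS command lines, and then flags the password-reuse pattern the diary describes. The two sessions, the host names pdu-01 and files-01 and the credentials in them are constructed for the example; the prompt strings it looks for are the common ones and are an assumption about the target's banner.

```python
"""Recover cleartext credentials from reassembled telnet and FTP sessions.

Added example for this diary, not the author's tooling. The two sessions at
the bottom are constructed, not real captures; host names are made up.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL, WONT, DO, DONT: 3-byte forms
# Prompt suffixes assumed for the target's login banner (assumption, not from the page).
PROMPTS = {"login:": "user", "username:": "user", "password:": "pass"}


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation so only the typed/echoed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):               # dangling IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                        # IAC IAC is an escaped 0xFF
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:                # IAC <verb> <option>
            i += 3
        elif cmd == SB:                       # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                 # NOP, GA, AYT, ... (2 bytes)
            i += 2
    return bytes(out)


def apply_line_edits(text: str) -> str:
    """Honour backspace/DEL so a corrected password is recovered as typed."""
    buf = []
    for ch in text:
        if ch in ("\b", "\x7f"):
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def extract_telnet_creds(segments):
    """segments: ordered (direction, bytes) pairs, direction 's2c' or 'c2s'.
    Returns [(username, password), ...] seen in the session."""
    creds, pending, user, buf = [], None, None, ""
    for direction, raw in segments:
        text = strip_telnet_iac(raw).decode("latin-1")
        if direction == "s2c":
            low = text.rstrip().lower()
            for prompt, field in PROMPTS.items():
                if low.endswith(prompt):
                    pending, buf = field, ""
        elif direction == "c2s" and pending:
            buf += text.replace("\r\x00", "\r")   # telnet CR NUL -> CR
            if "\r" in buf or "\n" in buf:        # client finished the line
                line = buf.replace("\r", "\n").split("\n", 1)[0]
                value = apply_line_edits(line)
                if pending == "user":
                    user = value
                else:
                    creds.append((user, value))
                    user = None
                pending, buf = None, ""
    return creds


def extract_ftp_creds(segments):
    """Same segment shape; FTP sends USER/PASS as cleartext command lines."""
    creds, user = [], None
    for direction, raw in segments:
        if direction != "c2s":
            continue
        for line in raw.decode("latin-1").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS":
                creds.append((user, arg))
                user = None
    return creds


def find_password_reuse(creds_by_host):
    """Group recovered logins by password; return passwords shared across accounts."""
    by_pw = {}
    for host, creds in creds_by_host.items():
        for user, pw in creds:
            by_pw.setdefault(pw, []).append(f"{user}@{host}")
    return {pw: who for pw, who in by_pw.items() if len(who) > 1}


# Constructed sample sessions (not real captures).
TELNET_SESSION = [
    ("s2c", b"\xff\xfd\x18\xff\xfb\x01\r\npdu-01 login: "),   # IAC DO TTYPE, IAC WILL ECHO
    ("c2s", b"\xff\xfc\x18\xff\xfd\x01admin\r\n"),            # IAC WONT TTYPE, IAC DO ECHO
    ("s2c", b"Password: "),
    ("c2s", b"Summr\x7fer2011\r\x00"),                        # typo fixed with DEL, CR NUL line end
    ("s2c", b"\r\nWelcome to pdu-01\r\n> "),
]
FTP_SESSION = [
    ("s2c", b"220 files-01 FTP server ready\r\n"),
    ("c2s", b"USER backupsvc\r\n"),
    ("s2c", b"331 Password required for backupsvc\r\n"),
    ("c2s", b"PASS Summer2011\r\n"),
    ("s2c", b"230 User logged in\r\n"),
]

if __name__ == "__main__":
    found = {"pdu-01": extract_telnet_creds(TELNET_SESSION),
             "files-01": extract_ftp_creds(FTP_SESSION)}
    for host, creds in found.items():
        print(host, creds)
    print("reused:", find_password_reuse(found))
```

Feed it the per-direction data from any TCP reassembler (Wireshark's Follow TCP Stream output is already in this shape). The parser is not the point; the point is that nothing in it is cryptographic, and the same password turning up on a PDU and a file server is exactly the finding above.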

Rob VandenBrink, Metafore
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

ESA-2011-030: RSA, The Security Division of EMC, announces security fixes for RSA enVision
IBM's worldwide server revenue jumped a healthy 24.5 percent in the second quarter, putting it neck and neck with Hewlett-Packard for the top spot, IDC reported Tuesday.
Satellite TV provider Dish Network hopes to build a 4G cellular network, if the U.S. Federal Communications Commission permits it, according to a filing the satellite provider made on Monday.
Concrete CMS <= Cross Site Scripting
With geeks still scrambling to get their hands on the last of Hewlett-Packard's $99 TouchPads, a $49 deal just seems too good to be true -- and it is.
Staff were evacuated at several data centers following Tuesday's earthquake but operations at most facilities appear to have been unaffected, according to Twitter posts and other sources.
Google is keenly aware that many people are eager to set up profiles in Google+, the company's new social network, but the site will remain in a limited trial while the company works feverishly toward a broader rollout that can accommodate a larger number and wider variety of users.
Ohio State University researchers armed with sewing machines and computers have come up with a way to weave radio antennas into clothing in an effort to give wearers more flexible and reliable communications capabilities.
Mozilla developers are in the early stages of building an open application interface for smartphones and tablets called WebAPI.
EMC AutoStart Domain Name Logging Multiple Buffer Overflow Vulnerabilities
Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
Sprint announced it will start selling the new BlackBerry Curve 9350 smartphone on Sept. 9 for $79.99, after rebate.
Sprint will for the first time sell an iPhone, starting with the next generation of the phone, in mid-October, the Wall Street Journal reported on Tuesday.
Microsoft is incorporating a software stack in its upcoming Windows 8 OS to natively support devices based on the USB 3.0 interconnect, which is in a battle for adoption with Intel's Thunderbolt.
The clip shows up without explanation, lasting for about six seconds during a rather mundane documentary about hacking produced by the state-sponsored China Central Television
Facebook is making a series of design changes to the site to make it clearer to users who can see the content that they post, an issue Google has been criticizing Facebook about since it launched its own social network, Google+, in June.
Pure Storage, a start-up that just received $30 million venture funding, has announced an all-NAND flash storage array that it said can compete with traditional hard drive-based systems on price.
Just moments after a 5.9 magnitude earthquake hit the East Coast on Tuesday afternoon, Twitter and Facebook lit up with the news.
Some lucky Palo Alto, Calif., residents are getting a glimpse of what Google's new fiber network will soon deliver to Kansas City, Kan.
EnterpriseDB could increase the relevance of its database to Oracle shops with a new toolset, announced Tuesday, that can manage many servers at once.
Talk of a lower-priced iPhone 4 sweeping news outlets and Apple blogs today isn't exactly a shock, an analyst said today.
Lenovo's business-orientated tablet, the ThinkPad Tablet, is now available for order and should start shipping within a week. The 10-inch Android device boasts an impressive mix of consumer and business-friendly features that might please both you and your IT department.
A 5.9-magnitude earthquake centered in central Virginia disrupted cell phone service and closed two nuclear reactors, numerous bridges and tunnels in East Coast cities on Tuesday afternoon.
Thanks to the iPad, the traditional IT culture is about to be upended.
The humanoid robot on board the International Space Station was brought to life on Monday.
McAfee says Google’s Android platform has become the most popular target for mobile malware developers, outpacing Java Micro Edition and Symbian.

This release fixes two issues introduced in the PHP 5.3.7 release:
- Fixed bug #55439 (crypt() returns only the salt for MD5)
- Reverted a change in timeout handling (introduced in 5.3.7) that caused mysqlnd SSL connections to hang, restoring the PHP 5.3.6 behavior (Bug #55283)
Bug #55439 matters for anyone who deployed 5.3.7: with an MD5 ($1$...) salt, crypt() returned the bare salt instead of a hash, so code that stores crypt() output and verifies a login with crypt($input, $stored) == $stored would either lock everyone out (hashes stored under 5.3.6) or accept any password (hashes stored under 5.3.7). A quick check on a patched box is that crypt('x', '$1$saltsalt$') comes back as a 34-character hash, not the 12-character salt string.
All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.
For source downloads please visit the downloads page at
Windows binaries can be found on

Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
The nice thing about being a pessimist, as the old saying goes, is that every surprise is a good one.

In our industry, it's easy to be pessimistic for any one of a hundred reasons that don't need listing here. (Disclaimer - yes, I'm a pessimist.)
Whether your glass is half empty, half full, or as one friend recently told me, broken, what is it that surprised you so far this year?

Give us your comments on what surprised you and what you learned from it. Just maybe you can save someone else (less pessimistic) from a painful surprise.

Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle has updated its server virtualization software with greater policy control and more connectors for storage systems, the company announced Tuesday.
Researchers have spotted the first malware that exploits a critical vulnerability in Android 2.3, aka Gingerbread, finding samples tucked into legitimate apps on Chinese download sites.
Hewlett-Packard's WebOS is not dead yet, and that could be a good thing for chip maker Qualcomm.
HP today announced a federated software product that allows storage administrators to migrate data without downtime and unveiled a new, highly automated, high-capacity storage array for virtualized and cloud environments.
The Lenovo IdeaPad S205 shapes up as a very appealing, somewhat consumer-oriented alternative to the ThinkPad X120e.
You use Microsoft Outlook to manage your email, your appointments, your contacts, and your to-do lists. So when this program doesn’t behave the way it’s supposed to, you have a nightmare. Following are solutions to five common but serious Microsoft Outlook problems.
Utilities and security apps are two of the most important categories of software that PC users download. From keeping your operating system slim and bloatware-free to eradicating cookies and spyware, these apps amply reward you for downloading them. And best of all, they're free!
As it continues bulking up the feature set of its previously minimalist site, Twitter has started adding an image-gallery section in user profiles.
Research In Motion announced three new BlackBerry Curve smartphones running the latest version of the company's mobile operating system, BlackBerry 7, which offers a faster Web browsing experience.
These free software gems are perfect if you're looking to push the limits of what you can fit into your day. Connectivity downloads will help you streamline your Internet connection and set up remote-control access to a second computer so you can be at work without being at work--or simply help someone from a distance fix a browser problem. Our free productivity software selections will help you get organized and move away from the infuriatingly complex and bulky Microsoft Office suite to lighter and more intuitive office programs.
Keeping your social media contacts and mixed media files organized is crucial if you want to expand your computer's range from a word-processing, Internet-browsing device to a full-force entertainment system. Use these free downloads to keep everything accessible, from YouTube and Hulu videos to your Facebook friends. We also suggest some freeware for editing photos and music that doesn't skimp on functionality even though it costs nothing. Because what fun is social media if you can't photoshop lolcats into photos of your friends and share the results with them?
WebKit SVG styles Use-after-free Memory Corruption Vulnerability

Nashville Technology Council Appoints President/CEO - Business Wire (press release)
Ms. Massey joins NTC just in time to participate in several upcoming events, including Naked Hospital and InfoSec. Naked Hospital, which takes place August 25th at The Factory in Franklin, is a roundtable event focused on Transparency and eHealth with ...

Cisco Systems made its fortune selling routers for the cores of enterprise and service-provider networks, but now the company is sending its technology farther from those cozy confines than ever before.
Amazon Web Services (AWS) has launched a public beta test of ElastiCache, which is designed to allow enterprises to speed up their Web applications, the company said on Monday.
A German privacy protection authority is calling on organizations there to close their Facebook fan pages and remove the social networking site's "Like" button from their websites, arguing that Facebook harvests data in violation of German and European Union law.
Linux Kernel IPv6 Fragment Identification Remote Denial of Service Vulnerability
Linux kernel l2cap Remote Buffer Overflow Vulnerability
We look at 3D laptops from Asus and Toshiba, which offer high performance mobile media, gaming and presentations.
There are signs that Apple may soon allow China Mobile to distribute the iPhone, a deal that could give Apple a bigger share of China's mobile phone market. But Apple faces a tough choice in order to reach such a deal, say analysts: develop an iPhone specifically for China Mobile, which operates a 3G network incompatible with current models of the iPhone, or make iPhone buyers use the carrier's slower 2G network.
China overtook the U.S. in both PC sales and shipments in the second quarter, according to research firm IDC.
Automated host deployment, revamped HA, large-scale VM support, and storage automation features rev up vSphere for big shops
Folding tablets. Solar-powered slates. Apps that automatically install -- and delete -- themselves based on your location. Not all of these concepts will survive the leap from research to retail, but many will ship before you know it.
Microsoft will release a detailed overview of the Mango app submission process later on Tuesday, the company said in a blog post, as it prepares to release the first major update to Windows Phone 7.
In a decision that has implications for online locker services, a federal judge in New York gave on Monday a partial victory to MP3tunes, a company that runs an online music storage service.
Microsoft said on Tuesday it will work with a Chinese operating system developer to create cloud computing products for the country's market, a move that could help the U.S. company sell to China's government agencies.
Google on Monday patched 11 vulnerabilities in Chrome, including one of the rare bugs the company has deemed critical in its browser.
Adobe Photoshop '.GIF' File Remote Memory Corruption Vulnerability
VIPS 'LD_LIBRARY_PATH' Local Privilege Escalation Vulnerability