InfoSec News

Back in November, we covered the rampant re-emergence of Java Exploits that took advantage of the many unpatched Java VMs in use on home and university PCs. The situation has improved since, mainly because the need to patch Java to the latest version was well publicized. Anti-Virus, on the other hand, is still having a hard time detecting the ever-mutating exploits for CVE-2010-0840 and other bugs, so if your Java is not patched yet, make your computer a Christmas present and update to the latest JRE.
If you have proxy logs that keep track of your users' surfing, there are two easy ways to double-check on your perimeter anti-virus:
(1) egrep 'bpac.*class' on the log. Six weeks after my initial diary, the bad guys are still friendly enough to compile their exploit into a JAR that uses a bpac subfolder. Yes, searching for a fixed string is pretty silly, but hey, it's for free, and just about as sophisticated and fancy as what your anti-virus does, anyway.
(2) egrep '\.class.?$' | sed 's/.*http:..//' | sort | uniq -c | sort -rn | more
This should give you all the Java Class files that your users downloaded. Yes, it will be a friggin' long list, most likely, but the sort and uniq commands will at least group lines that appear more than once. Feed this file into whatever analysis method you are comfortable with, and whittle it down to exclude all the domains with too many hits; these are usually applets from benign sites. What is left is worth a look.
The above commands assume that your proxy is clever enough to unpack JAR archives and log the contents separately. If this isn't the case .. well, then you have to search for JAR files. But it is harder to tell wrong from right by just looking at the JAR file names.
Once you become more familiar with the Java downloads in your log, you can get more fancy. The code that I'm running at a community college where I help out extracts all the class downloads as above under (2), but then removes all domains from where more than 50 different files have been downloaded, assuming that these are the Sourceforges of this world, from where our computer science students fetch sample code and (yes...) canned homework solutions.
While I was trying the above commands on the college's log file, lookie, a new bad site popped up:
bombino777. com/1/jljncqxreljs.jar/bpac/KAVS.class
Facing such a request, it is a good idea to carefully scrutinize any subsequent downloads that the same user workstation makes ... If the workstation's Java was patched, nothing happens. If not .. you'll likely see a download of an EXE, sailing in the disguise of a PHP or GIF.


If you have other clever and quick ways to isolate malicious JARS or CLASS files in your proxy log, please let us know! (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
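The two proxy-log checks and the busy-domain filter from the diary above, run over a handful of constructed Squid-style access.log lines (added example, not the diary author's code). The log layout (URL in field 7, client IP in field 3), the hostnames, the evil.example.net URL and the threshold of 3 distinct files are assumptions made for this example; the diary uses 50 on its college log. The last function does the follow-up step the diary recommends: list everything a workstation fetched after it pulled a class from a bpac folder.

```shell
#!/bin/sh
# Added example, not code from the ISC diary. Reproduces the diary's two
# proxy-log checks and its "drop busy domains" heuristic on a constructed
# Squid-style access.log. Field 3 is the client IP, field 7 the URL, the last
# field the content type. Threshold and hostnames are assumptions for the
# example; the diary uses 50 as its busy-domain cut-off.

# Constructed sample log lines (not real traffic). One workstation (10.1.2.7)
# fetches a class from a bpac folder inside a JAR and then a "PHP" file that is
# really an octet-stream; the rest is benign applet/class noise.
SAMPLE_LOG='1293091200.101 12 10.1.2.3 TCP_MISS/200 4096 GET http://code.example.edu/demo/Main.class - DIRECT/203.0.113.5 application/java-vm
1293091201.102 14 10.1.2.4 TCP_MISS/200 4096 GET http://code.example.edu/demo/Util.class - DIRECT/203.0.113.5 application/java-vm
1293091202.103 11 10.1.2.5 TCP_MISS/200 4096 GET http://code.example.edu/demo/Helper.class - DIRECT/203.0.113.5 application/java-vm
1293091203.104 13 10.1.2.6 TCP_MISS/200 4096 GET http://code.example.edu/demo/Config.class - DIRECT/203.0.113.5 application/java-vm
1293091204.105 10 10.1.2.3 TCP_MISS/200 4096 GET http://code.example.edu/demo/Main.class - DIRECT/203.0.113.5 application/java-vm
1293091205.106 20 10.1.2.7 TCP_MISS/200 8192 GET http://evil.example.net/1/abcdefghijkl.jar/bpac/KAVS.class - DIRECT/198.51.100.9 application/java-vm
1293091206.107 15 10.1.2.7 TCP_MISS/200 51200 GET http://evil.example.net/1/load.php - DIRECT/198.51.100.9 application/octet-stream
1293091207.108 16 10.1.2.8 TCP_MISS/200 2048 GET http://maps.example.org/applet/Viewer.class - DIRECT/192.0.2.44 application/java-vm
1293091208.109 17 10.1.2.8 TCP_MISS/200 1024 GET http://www.example.org/index.html - DIRECT/192.0.2.44 text/html'

# Check (1): the diary's fixed-string "bpac" signature. Pattern is quoted so the
# shell leaves the regex alone. Prints matching log lines.
grep_bpac() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E 'bpac.*\.class'
}

# Check (2): every .class URL, scheme stripped, counted and sorted by frequency.
# Output lines look like "      2 code.example.edu/demo/Main.class".
class_downloads() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -E '\.class([?[:space:]]|$)' \
      | awk '{print $7}' \
      | sed -E 's#^https?://##' \
      | sort | uniq -c | sort -rn
}

# Refinement: drop every domain from which more than $1 distinct class files
# were fetched (the diary's "Sourceforge" filter) and print what is left.
rare_domain_classes() {
    class_downloads | awk -v max="$1" '
        { split($2, parts, "/"); host = parts[1]; count[host]++; line[NR] = $0; h[NR] = host }
        END { for (i = 1; i <= NR; i++) if (count[h[i]] <= max) print line[i] }'
}

# Follow-up: everything a workstation downloaded from the bpac hit onwards,
# printed as "client url content-type"; the disguised EXE shows up here.
followup_downloads() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /bpac.*\.class/ { hit[$3] = 1 }
        hit[$3]         { print $3, $7, $NF }'
}

# Stand-alone demonstration output.
grep_bpac
rare_domain_classes 3
followup_downloads
```

To use it on a real log, replace the printf of SAMPLE_LOG with cat of the access.log and adjust the field numbers to your proxy's format. Note the quoting on the grep patterns: left unquoted, the shell strips the backslash from \.class and the pattern quietly matches any character before "class".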
 
IBM researchers are now a step closer to commercializing an experimental technology that could be used load up a mobile phone with so much storage that it could keep copies of every movie made this year.
 
Researchers have found a parallel computing algorithm that could offer quantum computer-speed performance.
 
We've had some reports of some targeted emails from The White House.
Emails typically look as follows:

As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:
http://yyyyyyyyyy.com/card/
http://xxxxxxxxxx.com/card/

Merry Christmas!
___________________________________________
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

The email links to an exe file which in turn downloads what looks like a key logger, typically associated with ZBOT. Currently these are barely detected, but that should improve.
If you receive some of these I'd be interested in the URL as well as the headers of the message.
Cheers
Mark
 
The demos, which Microsoft is calling "experiences", leverage technologies like SVG and HTML5 canvas
 
More than 24 hours after a Skype outage hit users around the world, the service has come back online for most users.
 
Linux Kernel Local Address Limit Override Security Weakness
 
Linux Kernel 'perf_event_mmap()' Local Denial of Service Vulnerability
 
Here in AU there was an AV scam that did the rounds earlier this year. You would receive a phone call, and someone stating they were from Microsoft support would inform you that your system had been infected with a virus and that they were there to help you clean it up. They would direct you to the web site and encourage you to select one of their support packages, the cheapest being $94 for one year and upwards from there. The calls I received were using callerID spoofing, so I assume they were using compromised VOIP systems (plenty of those around). I'm guessing that, because someone is doing it again, the scam is worthwhile.
Anyway, Chris (thanks) mentioned that they seem to be active again in the US and, based on the web site, also in the UK. In this call they represented themselves as Microsoft and said they needed immediate access to the machine to help fix the problem.
Seeing as many of you may be spending time with less IT-savvy people in the next few days, maybe mention this so they don't fall for it. I know a few elderly people that have now repeatedly purchased a fake service such as the one provided by these callers.
Cheers
Mark
 
In many ways, managing a data center is like maintaining a car. You need to periodically peek under the hood to make sure that everything is in good working order. Here are the questions to ask to gauge the health of your center.
 
Django 'django.contrib.admin' Querystring Information Disclosure Vulnerability
 
CubeCart 'productId' Parameter SQL Injection Vulnerability
 
China's largest search engine Baidu reports that its new microblogging service has grabbed more than 1 million users after being launched three months ago.
 
PHP LCG Entropy Security Vulnerability
 
Bacteria have been at the forefront of news lately, and not just for causing illness. However, scientists are now testing the capability of storing electronic data in E.coli.
 
OTRS Core System Multiple Cross-Site Scripting and Denial of Service Vulnerabilities
 
A White House advisory group has expressed concerns over whether top researchers should focus on building supercomputers for the Linpack test rather than to undertake important tasks.
 
Want to know what time Santa will be touching down Christmas Eve to fill your stockings and drink the glass of milk you've left him? Google is teaming with NORAD to make it possible.
 
Mexico's central securities depository finds resource allocation can save money in financial trades
 
SAP has tapped the services of several additional lawyers following a jury's decision last month to award Oracle $1.3 billion in its corporate-theft lawsuit against SAP, indicating it may appeal the judgment.
 
Virtual Ethernet Port Aggregator (VEPA) moves switching out of the server back to the physical network and makes all virtual machine traffic visible to the external network switch, freeing up server resources to support virtual machines.
 
SaaS services enable small companies to fax, email and even send postal mail from back-office systems or desktop applications, with the speed, accuracy, visibility and control larger companies enjoy.
 
Opera Web Browser Prior to 11.00 Multiple Security Vulnerabilities
 
Search online versions of Computerworld's magazine articles from 2010 by headline, summary, date, author and keyword.
 
Skype continues to recover after an outage caused by problems with its peer-to-peer interconnection system. The latest estimates say that 10 million users are now online, according to a blog post
 
See online versions of stories from Computerworld print magazine organized by issue date.
 
Voltaire, a provider of Infiniband and Ethernet data center switching fabrics, this week announced a software license and development agreement with OEM customer IBM.
 
Juniper's strategic initiatives in 2011 and beyond are cloud computing and the mobile Internet.
 
A new Microsoft advisory warns about the Internet Explorer zero-day and urges customers to use the Enhanced Mitigation Experience Toolkit to mitigate the flaw.

 
Skype estimates that about two-thirds of its users are still unable to log in after an outage caused by problems with its underlying peer-to-peer interconnection system, it said in a blog post around midday European time Thursday.
 
IBM's vision of the future gives me pause and reminds me that progress is a mixed bag
 
TheHostingTool 'class_db.php' Multiple SQL Injection Vulnerabilities
 
Ok, fess up who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits.
This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS IE). Microsoft has put out advisory 2488013 regarding the issue (http://www.microsoft.com/technet/security/advisory/2488013.mspx). The issue manifests itself when a specially crafted web page is used and could result in remote code execution on the client.
Microsoft suggests using the Enhanced Mitigation Experience Toolkit (EMET) to help address the issue. Details on that and a little bit more on the exploit can be found here: http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx
According to the advisory it is not actively being exploited ....yet
If you see it being exploited, drop us a line.
Cheers
Mark H
 
Linux Kernel 'irda_getsockopt()' Local Integer Underflow Vulnerability
 
Facebook users are continually faced with privacy issues and controversial redesigns. We offer some simple fixes for most of the current problems.
 
Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site.
 
Symantec Endpoint Protection Reporting Module 'fw_charts.php' Remote Code Execution Vulnerability
 
IPN Development Handler 'login.php' Multiple SQL Injection Vulnerabilities
 
InfoSec News: VA employees tap cloud apps on their own, posing security risk: http://www.nextgov.com/nextgov/ng_20101222_6852.php
By Bob Brewin Nextgov 12/22/2010
Computer savvy Veterans Affairs Department employees have started to use Internet-based services and tools that the VA does not provide on its systems, presenting a security challenge, according to its chief information officer. It's also a clarion call for the department to adopt these applications, CIO Roger Baker said on Wednesday during a media call [...]

InfoSec News: Secure SCADA set to prosper in the future: http://www.controlengeurope.com/article/38793/Secure-SCADA-set-to-prosper-in-the-future.aspx
Control Engineering Europe 20 December 2010
New analysis from Frost & Sullivan indicates that the SCADA market is among the most rapidly growing control systems markets in the world.
The report, 'Strategic Analysis of the World SCADA Market,' finds that the market earned revenues of $4,584.5 million in 2009 and estimates this to reach [...]

InfoSec News: System Glitch Confuses Bank's Customers: http://inaudit.com/audit/it-audit/system-glitch-confuses-bank%E2%80%99s-customers-3704/
By Bob Styran IN Audit December 23, 2010
Grupo Santander, a banking firm based in Spain, has reported to the Financial Services Authority (FSA) a system glitch with its printers that led to the distribution of 35,000 bank statements to wrong recipients, risking millions of pounds in fines for the data breach.
The erroneously released bank statements [...]

InfoSec News: 79% of web users put personal info in passwords: http://www.pcadvisor.co.uk/news/index.cfm?NewsID=3254182
By Carrie-Ann Skinner PC Advisor December 20, 2010
Nearly four in five (79 percent) web users admit to using personal information and phrases in passwords, says Check Point.
Research by the security firm, which created the ZoneAlarm software, revealed more than a quarter (26 percent) reuse the same passwords for email, online banking or social networking accounts, while 8 percent claim they copy passwords from online lists of 'good' passwords.
Furthermore, more than 22 percent have had their social networking accounts hacked, and the same amount have experienced email hacking.
"Especially now, with online shopping on the rise this holiday season, consumers need to be aware of the importance of passwords and the fact that hackers are getting more and more sophisticated in cracking them," said Bari Abdul, vice-president of consumer sales at Check Point.
[...]

InfoSec News: USENIX Security '11 Call for Papers Now Available: Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>
On behalf of the 20th USENIX Security Symposium (USENIX Security '11) program committee, I am inviting you to submit high-quality papers covering novel and scientifically significant practical works in security or applied cryptography.
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in [...]

InfoSec News: Mattel disavows Barbie Video Girl porn link: http://www.computerworld.com/s/article/9202201/Mattel_disavows_Barbie_Video_Girl_porn_link
By Robert McMillan IDG News Service December 22, 2010
Somehow somebody put a link to a pornographic chat site on a Barbie.com page used to promote Barbie Video Girl, a version of the iconic doll that comes with an embedded video camera.
Sandra McDermott reported the problem to her local TV news station Tuesday after clicking on the link while trying [...]

InfoSec News: OpenBSD Project Finds Two Bugs In Software's IPsec Implementation: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228900060/openbsd-project-finds-two-bugs-in-software-s-ipsec-implementation.html
By Mathew J. Schwartz, InformationWeek Special to Dark Reading Dec 22, 2010
The OpenBSD project has found two bugs in how OpenBSD, a Unix-like open source operating system, implements Internet protocol security (IPsec).
The bugs are of interest given the recent allegation made by Gregory Perry, former CTO of now-defunct Federal Bureau of Investigation contractor Network Security Technology (NetSec), that the FBI created a backdoor in the OpenBSD code base, specifically in how it implements IPsec. He also alleged that multiple developers involved in contributing code to OpenBSD were on the payroll of NetSec, and that the FBI had hired it to create the backdoors.
Are the bugs a smoking gun? According to Theo de Raadt, the founder and leader of the OpenBSD project, one IPsec bug in OpenBSD relates to a "CBC oracle problem," and was fixed in the software crypto stack by Angelos Keromytis, the architect and primary developer for its IPsec, but ignored in device drivers, overseen by device driver author Jason Wright. Interestingly, both men had worked for NetSec, at different times.
"Neither Jason nor Angelos were working for NetSec at that time, so I think this was just an accident," said de Raadt. "Pretty serious accident."
[...]

InfoSec News: Indictment says hacker took $274K from Digital River: http://www.startribune.com/local/112307894.html
By PAUL WALSH Star Tribune December 22, 2010
Federal authorities say a Texas hacker stole more than a quarter-million dollars from a subsidiary of Digital River Inc., the Eden Prairie-based e-commerce company, by redirecting electronic payment transfers to his personal account.
In an indictment unsealed Tuesday in federal court in Minneapolis, Jeremey Parker, 35, of Houston, was charged with computer fraud and wire fraud.
According to the indictment:
From Dec. 23, 2008, through Oct. 15, 2009, Parker hacked into the computer network to take $274,000 belonging to Digital River through a subsidiary, SWReg Inc.
[...]
 
D-Link WBR-1310 'tools_admin.cgi' CGI Script Authentication Bypass Vulnerability