InfoSec News

A 19 year-old-community college employee allegedly stole money from online accounts at the school to help find a cure for HIV.
 
I have to admit, I've gotten a little lazy about reading through my firewall logs on my home machine every day, but today, I was looking back through my daily reports for the last 2 weeks and noticed a couple of odd port scans. I've been getting these scans from multiple IPs (2-4 of each per day) every day for that period. I'll put up a netcat listener this evening to see if I can get some packets, but I was wondering if any of our loyal readers had any idea what is going on here? Based on some of the ports being scanned, I'm guessing they are looking for open proxies to use as relays among other things, but some of those ports are new to me. Has anyone else seen them or know what they are actually looking for?
From aa.bb.cc.dd - 252 packets

To my.home.machine - 252 packets

Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets

Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets

Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets

Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets

Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets


From ee.ff.gg.hh - 32 packets

To my.home.machine - 32 packets

Service: 73 (tcp/73) (IPTABLES TCP-IN:) - 1 packet

Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet

Service: 2301 (tcp/2301) (IPTABLES TCP-IN:) - 1 packet

Service: 2479 (tcp/2479) (IPTABLES TCP-IN:) - 2 packets

Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets

Service: 3246 (tcp/3246) (IPTABLES TCP-IN:) - 3 packets

Service: 6588 (tcp/6588) (IPTABLES TCP-IN:) - 1 packet

Service: 8000 (tcp/8000) (IPTABLES TCP-IN:) - 2 packets

Service: 8085 (tcp/8085) (IPTABLES TCP-IN:) - 4 packets

Service: 8090 (tcp/8090) (IPTABLES TCP-IN:) - 2 packets

Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet

Service: 9000 (tcp/9000) (IPTABLES TCP-IN:) - 4 packets

Service: 9090 (tcp/9090) (IPTABLES TCP-IN:) - 4 packets

Service: 9415 (tcp/9415) (IPTABLES TCP-IN:) - 2 packets

Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 2 packets


---------------

Jim Clausing, GSE #26

jclausing --at-- isc [dot] sans (dot) org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
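The daily report quoted above has a regular layout (a "From" line per source, then one "Service:" line per destination port), which makes it easy to triage automatically rather than by eye. The following script is an added example and is not part of the diary or of any ISC tool: it parses that layout, groups hits by source address, and flags any source that touched several distinct ports as a scan candidate, annotating ports whose usual service is well known (the port-to-service notes and the sample report text are assumptions constructed for the example; the source addresses are placeholders).

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the daily firewall report quoted above.
# Source addresses are placeholders, not real hosts; packet counts are made up.
SAMPLE_REPORT = """\
From aa.bb.cc.dd - 252 packets

To my.home.machine - 252 packets

Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets

Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets

Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets

Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets

Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets


From ee.ff.gg.hh - 32 packets

To my.home.machine - 32 packets

Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet

Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets

Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet


From ii.jj.kk.ll - 3 packets

To my.home.machine - 3 packets

Service: ssh (tcp/22) (IPTABLES TCP-IN:) - 3 packets
"""

# "From <addr> - <n> packets"
FROM_RE = re.compile(r"^From (\S+) - (\d+) packets?$")
# "Service: <name> (<proto>/<port>) (<chain>) - <n> packet(s)"
SERVICE_RE = re.compile(r"^Service: (\S+) \((tcp|udp)/(\d+)\) .* - (\d+) packets?$")

# Usual service on each port (assumed well-known defaults; the report itself does not say).
PORT_NOTES = {
    ("udp", 161): "SNMP",
    ("tcp", 1080): "SOCKS proxy",
    ("tcp", 3128): "Squid HTTP proxy",
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
    ("tcp", 8080): "HTTP-alt / proxy",
    ("tcp", 8118): "Privoxy",
}


def parse_report(text):
    """Return {source_addr: {(proto, port): packets}} from the daily report text."""
    sources = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FROM_RE.match(line)
        if m:
            current = m.group(1)  # every following Service: line belongs to this source
            continue
        m = SERVICE_RE.match(line)
        if m and current is not None:
            proto, port, pkts = m.group(2), int(m.group(3)), int(m.group(4))
            sources[current][(proto, port)] = pkts
    return dict(sources)


def flag_scanners(sources, min_ports=3):
    """Heuristic triage: a source probing at least `min_ports` distinct ports is a scan candidate.

    Returns a list of findings, busiest scanner (most distinct ports) first.
    """
    findings = []
    for src, ports in sources.items():
        if len(ports) < min_ports:
            continue  # a single-port talker is not what this heuristic is after
        labelled = sorted(
            (f"{proto}/{port}", PORT_NOTES.get((proto, port), "unknown"))
            for (proto, port) in ports
        )
        findings.append({
            "source": src,
            "distinct_ports": len(ports),
            "packets": sum(ports.values()),
            "ports": labelled,
        })
    return sorted(findings, key=lambda f: f["distinct_ports"], reverse=True)


if __name__ == "__main__":
    for f in flag_scanners(parse_report(SAMPLE_REPORT)):
        print(f"{f['source']}: {f['distinct_ports']} ports, {f['packets']} packets")
        for port, note in f["ports"]:
            print(f"    {port:<10} {note}")
```

Run against the real report (for example `parse_report(open("daily.txt").read())`) and tune `min_ports` to taste; the "unknown" labels are exactly the ports worth looking up, and the per-source packet totals should match the "From ... - N packets" header line as a sanity check on the parser.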
 
Today, proof of concept code (source code, with a compiled binary) for a 0-day privilege escalation vulnerability in almost all Windows operating system versions (Windows XP, Vista, 7, Server 2008 ...) was posted on a popular programming web site.
The vulnerability is a buffer overflow in the kernel (win32k.sys) and, due to its nature, allows an attacker to bypass User Access Control (UAC) on Windows Vista and 7 operating systems.

What's interesting is that the vulnerability exists in a function that queries the registry, so in order to exploit this the attacker has to be able to create a special (malicious) registry key. The author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (that is, a user that does not have any administrative privileges).
The PoC code creates such a registry key and calls another library which tries to read the key; during that process it ends up calling the vulnerable code in win32k.sys.

Since this is a critical area of the operating system (the kernel allows no mistakes), the published PoC only works on certain kernel versions, while on others it can cause a nice BSOD. That being said, the code can probably be modified relatively easily to work on other kernel versions.
We are not aware of any exploitation of this vulnerability at the moment and, since it can be exploited only locally, it obviously depends on another attack vector, but knowing how readily users click on unknown files, this is definitely something we will keep our eye on, and we will post updates if we see exploitation.
The PoC has in the meantime been removed from the original site, but now that it has been published I'm sure that everyone who wants to get it can do so easily.
QUICK UPDATE:
I just wanted to confirm that the PoC works as advertised, as you can see below:

However, as expected (and stated by the PoC author), on my version of Windows 7, which has win32k.sys 6.1.7600.16667, it is unstable and causes a pretty nasty BSOD after a couple of minutes (I even had to restore the previous system state to get Windows to boot).



--

Bojan

INFIGO IS
 
Gibbs has it all: weird Mac tales, Ubiquitous Ice, and robots cleaning his house
 
Gibbs again highlights the best of the worst.
 
Novell has clarified that Attachmate will retain Novell's Unix copyrights.
 
Netflix turned to Amazon Web Services to save money compared to running Oracle software and IBM machines, according to its cloud architect.
 
Re: Mozilla Firefox 3.6.12 Denial of Service Vulnerability
 
A complex collaboration application developed and abandoned by Google may find a second home at Apache
 
Analyst says the verdict in the Oracle-SAP trial likely awards Oracle far more than its potential losses from theft of intellectual property.
 
The Svea Court of Appeals has decided that WikiLeaks founder Julian Assange should still be detained, it said in a statement on Wednesday.
 
Xen 'drivers/xen/blkback/blkback.c' Local Denial Of Service Vulnerability
 
Linux Kernel 'posix-cpu-timers.c' Local Race Condition Vulnerability
 

Familiar Names in Gov Infosec Circles
GovInfoSecurity.com (blog)
Why did we pick these individuals? They all have had distinguished careers as innovators and thought-leaders in securing government IT. ...

 
Grown-ups and IT departments aren't the only ones eyeing the Apple iPad this year. It's the No. 1 choice of kids between the ages of 6 and 12 in the U.S.
 
Salesforce.com has named ex-BT chief scientist JP Rangaswami to a job with the same name.
 
Reader John is having a problem with his Vista-powered HP desktop: random reboots. Some days, he says, it reboots five minutes after he powers it up in the morning. Sometimes it happens later in the day, and sometimes not at all. To help narrow down the problem, check out Scott Dunn's "Make Random Reboots Tell You What's Up."
 
Online researcher ComScore is projecting that online sales will increase by 11% during the 2010 holiday shopping season.
 
After 11 rounds of international negotiations, the final text of the controversial Anti-Counterfeiting Trade Agreement (ACTA) has overcome its biggest hurdle yet when it was welcomed as a step in the right direction by the European Parliament, which voted 331-294, with 11 members abstaining, to approve the measure.
 
[eVuln.com] email XSS in SimpLISTic
 
[eVuln.com] Multiple XSS in MCG GuestBook
 
In Nigeria, South Africa and Indonesia, more than 90% of 18- to 27-year-olds use mobile phones as their primary means to access the Internet, even though smartphones aren't widely used, according to a survey by Norwegian browser company Opera Software.
 
An international race to build an exascale supercomputer is under way, and one of the people leading it is Peter Beckman. He spoke to Computerworld about some of the challenges ahead for exascale computing.
 
Mozilla Firefox 3.6.12 Denial of Service Vulnerability
 
The Unbearable Lightness Of Non-Fixing: A Short Study in Security Reactiveness And Proactiveness
 
Opera teased a major new version of its desktop browser last month, and now the first Opera 11 beta is here to offer an early taste of its--count 'em--11 new features.
 
A jury has awarded Oracle $1.3 billion in damages in its corporate theft lawsuit against SAP.
 
Microsoft's cloud productivity suite has big ambitions, but feels poorly integrated and may leave admins wanting more
 
Apache Tomcat Authentication Header Realm Name Information Disclosure Vulnerability
 
There is an international race under way to build an exascale supercomputer, and one of the people leading it is Peter Beckman. He spoke to Computerworld about some of the challenges ahead for exascale computing.
 
InfoSec News: Network card rootkit offers extra stealth: http://www.theregister.co.uk/2010/11/23/network_card_rootkit/
By John Leyden The Register 23rd November 2010
Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card.
Guillaume Delugre, a reverse engineer at French security firm Sogeti [...]
 
InfoSec News: Two former students charged in university hack in Mo.: http://www.computerworld.com/s/article/9197884/Two_former_students_charged_in_university_hack_in_Mo.
By Jaikumar Vijayan Computerworld November 23, 2010
Two former students at the University of Central Missouri (UCM) have been indicted by a federal grand jury on charges of breaking into [...]
 
InfoSec News: Hacker Gets 18 Months in U.K. Prison: http://www.eweek.com/c/a/Security/Hacker-Gets-18-Months-in-UK-Prison-112826/
By Brian Prince eWEEK.com 2010-11-23
A Scottish man was sentenced today to 18 months in prison for spamming out e-mails laced with malware and stealing data.
A 33-year-old Scottish man was sentenced today to 18 months in prison in the U.K. for spamming out malware-infected e-mails and stealing data.
The sentencing today of Matthew Anderson of Drummuir, Aberdeenshire, Scotland, brought to an end to an investigation first launched four years ago. According to the Metropolitan Police Service (MPS), Anderson was part of a ring that targeted hundreds of businesses in the U.K. with malware starting in 2005. The conspiracy was operated by members of a cyber-crew called m00p that spammed out millions of e-mails laced with malware, authorities said.
It was Anderson's job to manage the operation by composing the e-mails and distributing them with virus attachments, police said. The malware allowed Anderson to access private data stored on computers without the knowledge of the computer's owner, according to police.
[...]
 
InfoSec News: DHS Cybersecurity Center Promotes Information Sharing: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228300460
By Elizabeth Montalbano InformationWeek November 23, 2010
The Department of Homeland Security (DHS) has launched a new cybersecurity center aimed at communicating more efficiently with state [...]
 
InfoSec News: The Top Five Challenges In Securing Oracle Databases: http://www.darkreading.com/database-security/167901020/security/application-security/228300490/the-top-five-challenges-in-securing-oracle-databases.html
By Adrian Lane Contributing Writer Darkreading Nov 23, 2010
[Excerpted from "Database Security: Oracle Offers New Tools To Counter [...]
 