InfoSec News

ecoCMS 'admin.php' Cross Site Scripting Vulnerability
ZABBIX 'nav_time' Parameter SQL Injection Vulnerability
Press Release Script 'page.php' SQL Injection Vulnerability
JoomlaTune JComments Joomla! Component 'ComntrNam' Parameter Cross-Site Scripting Vulnerability
[security bulletin] HPSBUX02725 SSRT100627 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
[security bulletin] HPSBUX02724 SSRT100650 rev.2 - HP-UX Running System Administration Manager (SAM), Local Increase in Privilege
Happy Thanksgiving!
On the heels of Dr. Ullrich's diary regarding SCADA hacks published on Pastebin, I thought I'd mention some Pastebin monitoring and recon resources that you may find useful.
One reader wrote in to say that you could use Google Alerts to monitor Pastebin for names and keywords of interest to you, but you may prefer a set of names and keywords that are relevant for your needs.
Or, as Lenny pointed out in his July blog entry, you could use Andrew's PasteLert or PasteBin Scraper. And in case you weren't following along, Andrew -- Paterva -- Maltego -- Pastebin Transforms.

More than one SANS certification track curriculum discusses Maltego use for good reason. :-)
Any useful Pastebin crawling/scraping tactics you'd like to share? We await your comments or contact.
Russ McRee

@holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A week-long DDoS attack that launched a flood of traffic at an Asian e-commerce company in early November was the biggest such incident so far this year, according to Prolexic, a company that defends websites against such attacks.
AT&T will continue to seek antitrust clearance for its merger with rival T-Mobile USA, it said Thursday. However, to reflect the break-up fee it will have to pay T-Mobile's owner Deutsche Telekom if the deal does not get regulatory approval, AT&T expects to recognize a US$4 billion accounting charge in the fourth quarter.
Hitachi plans to aggressively pursue large cloud computing projects and market software that will integrate data from infrastructure across entire cities, it said Thursday.
China has passed the U.S. in the third quarter to become the world's largest smartphone market by shipments, but may find it tough to hold the position in the next two quarters, according to a research firm.
IBM System Storage TS3100 and TS3200 Tape Library Express Security Bypass Vulnerability
After using Siri, Apple's new voice-controlled 'personal assistant' on the iPhone 4S, columnist Michael deAgonia thinks it's time to add voice control to the list of paradigm-shifting ways to interact with a computer -- right behind the mouse, keyboard and touch gestures.
Red Hat Enterprise Linux NFSv4 Mount Local Denial of Service Vulnerability

Posted by InfoSec News on Nov 24


By: security curmudgeon
infosec island
November 23, 2011

Distributed Denial of Service, or DDoS, attacks are an extremely simple
thing, in concept.

This article won't get into the details of investigation, C&C tracking,
dozens of jurisdiction battles, mitigation, or any of the technical
aspects of such attacks.

Rather, this article is a...

Posted by InfoSec News on Nov 24


By Dan Goodin in San Francisco
The Register
24th November 2011

A Silicon Valley software maker has withdrawn legal threats against an
Android developer who claimed the company's diagnostic application
amounted to a rootkit that posed a privacy threat to millions of handset

In a statement issued on Wednesday, Mountain View, California-based
Carrier IQ apologized to...

Posted by InfoSec News on Nov 24


By John Ribeiro
IDG News Service
November 23, 2011

A Hungarian citizen has pleaded guilty to stealing confidential
information from the computers of Marriott International, and
threatening to reveal the information if the hotel chain did not offer
him a job maintaining the company's computers, the Department of Justice
said on Wednesday....

Posted by InfoSec News on Nov 24


By Liz Tay
Nov 24, 2011

Strike forces identify 'plenty of young Aussies' underground.

NSW Police has appropriated material from criminal credit card trading
forums as training manuals in its fight against credit card fraud.

Detective inspector Bruce van der Graaf described a thriving, organised
marketplace for stolen...

Posted by InfoSec News on Nov 24


By Jaikumar Vijayan
November 23, 2011

Three Republican presidential candidates at Tuesday's CNN-sponsored GOP
debate said that cyberattacks pose an emerging national security threat
to the United States.

In closing comments during the debate, GOP hopeful Newt Gingrich, the
former Speaker of the House, said that...