At the CSA Summit 2013, Mark Weatherford said the DHS 'cyber 911' service will better support the private sector, and new voluntary standards are in the works.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google


RSA 2013: (ISC)2 report says shortage of skilled infosec pros hurts economy
CSO (blog)
(ISC)2, administrator of the CISSP, released the results of its latest study on the infosec workforce this morning. The gist: Many infosec managers are understaffed, which makes it harder to stop data breaches and, in the bigger picture, hurts the ...
Latest (ISC)2 Workforce Study Shows Lack of Skilled Infosec Professionals and ...Infosecurity Magazine
Number and cost of data breaches linked to cyber skillsComputerWeekly.com

all 18 news articles »
The patent trial in Australia between Apple and Samsung Electronics has become so complex that a second judge has been assigned to the case.
CONFidence 2013 - Call for Papers - 28-29.05.2013 Krakow, Poland
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I was recently in a client engagement where we had to rebuild / redeploy some ESXi 4.x servers as ESXi 5.1. This was a simple task, and quickly done (thanks VMware!), but before we were finished I realized that we had missed a critical part - the remote managent port on the servers. These were iLO ports in this case, as the servers are HPs, but they could just as easily have been DRAC / iDRAC (Dell), IMM or AMM (IBM) or BMC (Cisco, anything with a Tyan motherboard or lots of other vendors). These remote management ports are in fact all embedded systems - Linux servers on a card, booting from flash and usually running a web application. This means that once you update them (via a flash process) they are frozen in time as far as Linux versions and patches go. In this case, these iLO cards hadnt been touched in 3 years.

So from a security point of view, all the OS version upgrades and security patches from the last 3 years had NOT been applied to these embedded systems. What can you do with access to these remote managment cards? Well, anything from take over the console keyboard and screen, mount a CD or DVD over the netowrk, to powering the server off or reconfigure or delete RAID arrays. The goal of these cards is to enable you to do almost anything you can do from the console, but from a remote location. Couple this with difficulty in patching them (or just forgetting to patch them), and youve got a serious exposure.

How can you mitigate a situation like this? The obvious answer is to patch as updates come out. For many server vendors however, this means booting the server from a CD or DVD. This is often a tough sell to management, as its not only an outage for a production server, but if the firmware update fails or causes some new problem, that could cause another (unplanned) outage later, or in the best case a planned outage to back out the update. Plus you need to convince them every time the topic comes up that you need remote management at all, which eventually starts to sound like too much work. But *not* updating critical server components is a ticking time-bomb.

And all this assumes that your server vendor actually fixes known security issues in their OS or management interfaces. Since these interfaces are normally web-based, not only does this mean OS patches, but its VERY common to see XSS, CSRF, authentication bypass and even command injection vulnerabilities built-in to the web interface - so you get your web vulnerabilities for free before you even deploy your own web application! And server vendors arent always keen to hear about or fix security issues in these interfaces - from their point of view they might be asked to fix an interface issue in a product they stopped selling years ago, so to the sales folks it might seem like lost money to fix these things.

What many folks do is put the remote management cards in their dedicated management VLAN, which has ACLs and other protections on it. This certainly isolates these cards from attackers and targetted malware, but if that VLAN is ever breached, these cards become the low-hanging fruit for the attack, which can then be used as a pivot to attack more hardened interfaces such as the Hypervisor admin consoles or SAN management interfaces that are also commonly in these Management VLANS. Id suggest both patching your server hardware and segmenting these interface cards off, possibly on a dedicated VLAN just for them.

What other devices in your datacenter should be considered embedded systems, with the same risks?

The obvious ones in my mind are KVM (Keyboard / Video / Mouse) switches, which now often have IP interfaces for access, and in some cases operate over IP with dongles attached to the servers - in this case both the KVM unit and the individual dongles are all embedded systems.

On the network side - routers, switches and fiber channel switches all have these same risks. These devices and risks are generally more well-understood though, and in most security conscious environments are patched annually or (hopefully) more frequently. But in security assessments, its not uncommon at all for me to find a core routing switch that the entire organization depends on running 10 year old code (just to pick an example from last month).

Many of the more advanced SCSI RAID, SCSI HBAs or Fiber Channel HBAs (Host Bus Adapters) are now web-enabled, with their own IP addresses and management interfaces (no risk there!). Folks tend to see these web interfaces as great features, and not make that next cognitive leap to see how they can easily be turned into silent killers.

Oh, one more thing - please change the passwords on all of these! All the patching in the world wont help you if youre attacker can google for the administrative credentials. I cant tell you how many SANs, Bladecenters or FC Switches Ive seen with the default administrative credentials still in play. If your admin password is still password, its time to change it!

The list of embedded devices in your datacenter goes on - door locks, lights and HVAC controls of course, but Im sure there are other embedded systems that could be turned to evil in our server racks. Take a walk down the cold aisle (or better yet, down the hot aisle) in your server room and take a look - please, post anything interesting that you might find in our comment form!


Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft Windows Object Linking and Embedding (OLE) Automation Remote Code Execution Vulnerability
[SECURITY] [DSA 2629-1] openjpeg security update
VUPEN Security Research - Microsoft Windows OLE Automation Code Execution Vulnerability
DC4420 - London DEFCON Tuesday 26th Feb 2013
[SE-2012-01] New security issues affecting Oracle's Java SE 7u15
NoSuchCon CFP 2.0 / 15-17 May 2013 / Paris, France
Hewlett-Packard has sold some of the rights to its webOS mobile operating system to LG Electronics for use in smart television sets made by the South Korean electronics firm.
Yahoo CEO Marissa Mayer thinks workers are more efficient and creative when they're in the office. Is ending employee telecommuting a smart idea or not?
Analysts today were skeptical that Mozilla's push into mobile with Firefox OS would meaningfully change the game.
Yahoo CEO Marissa Mayer is reportedly tossing conventional business thought aside and calling in telecommuters.

Thanks to Gebhard for pointing out the article by Heise about a new spider focusing on finding web application vulnerabilities [1]. Punkspider runs essentially a vulnerabiliy scan on random web sites. The results are then searchable. I am not sure about the quality about the results (it doesnt find anything for isc.sans.edu ... ) but you may want to check your own site. There is also a simple, non documented at this point, json API:


Which accepts the following GET parameters:

searchkey: url|title

searchvalue: the url or title you would like to search for

pages: 0

pagesize: how many results (10 by default)

pagenumber: which page (1 by default)

For example:


The Heise article below has more details. Evidentially it is possible to block the spider via robots.txt but I havent seen the user agent documented. (need to check my logs). Of course, you could block it in robots.txt, or return overly large, or wrong results based on the user agent. Maybe some fake vulnerabilities to see who is exploiting them later.



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Sourcefire To Present At AGC Partners InfoSec Conference; Webcast At 4:00 PM ...
(RTTNews.com) - Sourcefire, Inc. ( FIRE ) will present at the AGC Partners'' 9th Annual InfoSec and Emerging Growth Conference in San Francisco. The event is scheduled to begin at 4:00 PM ET on February 25, 2013. To access the live webcast, log on at ...

and more »
Transmission 'UTP_ProcessIncoming()' Remote Denial of Service Vulnerability
Box is rolling out several new security features aimed at making its 150,000 business customers feel more confident in its cloud storage and file sharing service.
Texas Instrument hopes to cover a broader breadth of mobile products with new chips that support both the Qi and the Alliance for Wireless Power wireless charging standards.
Hewlett-Packard has sold some of the rights to its webOS mobile operating system to LG Electronics for use in smart television sets made by the South Korean electronics firm.
Software engineers at Intel are exploring new ways for computers to perceive the human voice, gestures and head-and-eye movements to supplement the traditional ways that people use the keyboard and mouse.
Dell has bolstered security features on its Latitude 10 tablet and offers an extended life battery, all in the hope these add-ons will appeal to large institutional users like the government, healthcare operations and the financial services industry.
The first ZTE phone based on Mozilla's Firefox OS will go on sale in the middle of the year in Spain, Venezuela and Colombia, where its maker hopes to boost smartphone penetration.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0773 Remote Code Execution Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0775 Remote Code Execution Vulnerability
An error in the handling of netlink messages allows local Linux users to gain root access to the system

A library for handling keys has been found to have been manipulated on compromised RPM-based Linux systems, adding a backdoor and collecting username/password pairs on behalf of attackers

Oracle Enterprise Manager Grid Control CVE-2013-0352 Cross Site Scripting Vulnerability
Oracle Database Server CVE-2012-3220 Remote Stack Based Buffer Overflow Vulnerability
Get the latest from Mobile World Congress 2013 in Barcelona: news, reviews and more
A Polish security firm known for rooting out Java vulnerabilities has reported two new bugs in the browser plug-in to Oracle, Security Explorations said today.
'Add to cart'. 'Click to buy'. --What could be simpler?
In Star Wars terms, the small cells that mobile carriers and vendors will be talking up this week at Mobile World Congress are more like the odd-couple androids R2-D2 and C-3PO than like their foes, the Empire's phalanxes of identical storm troopers.
Ericsson and SAP will jointly market and sell cloud-based, machine-to-machine (M2M) products and services to enterprises via operators around the globe.
Twitter, Facebook and now Apple have found company laptops infected with malware that exploits a Java zero-day. The malware's launching point has now been confirmed as a forum site for iPhone developers
A new search engine called Punkspider publicly displays results of security scans for millions of web sites. The jury is still out on who it helps and who it hurts

Pidgin 'libpurple' Multiple Denial of Service Vulnerabilities
Pidgin 'Libpurple' CVE-2013-0271 Arbitrary File Overwrite Vulnerability
Pidgin 'libpurple' CVE-2013-0272 HTTP Header Stack Buffer Overflow Vulnerability
[SECURITY] [DSA 2631-1] squid3 security update
[ MDVSA-2013:014 ] java-1.6.0-openjdk

Just got another interesting phishing e-mail. This time around it is security company Trustwave that is being phished. I am not a customer, so I am not sure how well these e-mails reflect the real thing, but they confused me for a while. The give away that this is a fake is the from e-mail address as well as the link leading to a different site then advertised.

Click on the image for a full size example.

[Update:] An analysis of this phish by Trustwaves own Spiderlabs can be found here:http://blog.spiderlabs.com/2013/02/more-on-the-trustkeeper-phish.html


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Help Net Security

RSA 2013: A spirited debate about infosec certs
CSO (blog)
Should the infosec community continue to support these certifications or should we encourage a more traditional academic approach? The talk comes after a year of intense campaigning from people looking to get on the (ISC)2 board. Candidates vowed to ...
Shortage of infosec pros equals frequent and costly data breachesHelp Net Security
Latest (ISC)2 Workforce Study Shows Lack of Skilled Infosec Professionals and ...Infosecurity Magazine
Number and cost of data breaches linked to cyber skillsComputerWeekly.com

all 18 news articles »
Visa's payWave mobile payment applet will be embedded in next-generation Samsung smartphones and tablets enabled with NFC, Visa and Samsung announced at Mobile World Congress.
Oracle Enterprise Manager Grid Control CVE-2013-0372 SQL Injection Vulnerability

Usually, we find that e-mail used to trick users to malicious or spam sites is either not customized at all, or manually tailored for a particular recipient. A couple years ago at our RSA panel with Alan Paller and Ed Skoudis, I eluded to mass customized malware. Malware that automatically harvests social networking accounts or other open source information to find out how to best target you. For example, the malware may see that you Like Star Trek on Facebook and then will send you a link to a new movie trailer.

For a while now, I am seeing simple e-mails that appear to be doing something like that. The emails follow the same pattern. The Real Name displayed is the name of a person I know. The from e-mail address however has no relation to the person, and is usually some kind of free email yahoo/gmail style address. The body of the e-mail itself is just a one liner with a link.

I did suspect Facebook as the source of the information. For most of the senders I had gotten these e-mails from in the past, there are other ways then Facebook that link me to them. But wasnt sure about it until now, when I received the e-mail below.

Orlando Fermi is the name for the Facebook page of my cat. I dont think there is anything else that links me to this particular name. The URL no longer works (for me at least... getting a 404 right now). But I would suggest you dont try it out.

In the past these e-mail led to various exploit kits, and on occassion spam. But it may also happen that an exploit kit will redirect you to spam if it doesnt have the right exploit for you. My cats Facebook profile is public (sort of on purpose) and well, Mr. Fermi is a pretty mean cat so I wouldnt click on any link he sends me anyway which is one reason I didnt fall for this one.

And BTW: If you do happen to visit RSA: Ed, Alan and myself will have this years panel on Wednesday 9:20am in room 134. Lots of interesting stuff this year about targeted attacks, DDoS attacks and things like mobile malware stealing two factor auth tokens. (as usual, check the program guide for changes in room/time).


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In his review of the Logitech Ultrathin Keyboard Cover for full-size iPads (rated 4 out of 5), my friend and colleague Dan Frakes described that accessory as making the right compromises for an iPad keyboard case. Which, since the debut of the iPad mini, has had many people anxiously awaiting a smaller version. Unfortunately, the iPad mini's size presents additional challenges when it comes to physical keyboards, and Logitech's sequel for the iPad mini, the $80 Ultrathin Keyboard mini, makes some of the wrong tradeoffs. The result is a keyboard cover that offers different frustrations than typing with the mini's onscreen keyboard, but not necessarily less
Hortonworks is bringing the popular open-source Apache Hadoop data processing platform to Microsoft shops.
Telecom carriers continue to complain about taxes, regulation and over-the-top competition, but Mozilla's Firefox OS provides a glimmer of hope to some executives speaking at the opening of Mobile World Congress.
CometChat Remote Code Execution and Cross-Site Scripting Vulnerabilities
AT&T Monday said it will supply LTE wireless services to most General Motors vehicles starting in 2014 in the U.S. and Canada.
The largest mobile operators in China, Japan, and Korea have agreed on common standards for touch-card technology, clearing the way for travellers across East Asia to user their phones for travel and payments.
SAP has acquired SmartOps in a move the company says will allow it to develop real-time supply chain applications that take advantage of SAP's HANA in-memory database.

Help Net Security

Shortage of infosec pros equals frequent and costly data breaches
Help Net Security
(ISC)2 released the results of its sixth Global Information Security Workforce Study (GISWS). The study of more than 12,000 information security professionals worldwide (3,229 from the Europe/Middle East/Africa region) reveals that the global shortage ...
Latest (ISC)2 Workforce Study Shows Lack of Skilled Infosec Professionals and ...Infosecurity Magazine
Number and cost of data breaches linked to cyber skillsComputerWeekly.com

all 18 news articles »
ZTE debuted a smartphone with a 5.7-in. screen dubbed the Grand Memo at Mobile World Congress in Barcelona Monday. It's a follow up to its 5-in. Grand S smartphone that the company introduced at CES last month.
Mobile operators are hoping to make it easier for developers to integrate network-based features with their applications using a new platform called OneAPI Exchange.
The Cisco CSR 1000V router is designed for enterprise network managers who want to have a little piece of their Cisco infrastructure in the cloud.
The Cisco UCS Express family is a new set of blades that add high-performance general-purpose Intel server capabilities to the ISR G2 series of routers.
During our review of 802.11ac routers, some of the vendors sent along additional products that they thought we might be interested in. Here are short reviews of four WiFi tools that you might find useful in your network.
Sony's Xperia Tablet Z will go on sale globally in the second quarter, priced from $499in the U.S.
webfs 'webfsd.log' Insecure File Permissions Vulnerability
In his recent State of the Union address, President Barack Obama had nice things to say about tech vendors, specifically drawing attention to a unique IT education program backed by IBM.
The biggest users of H-1B visas are offshore outsourcers, many based in India, or U.S.-based companies whose employees are mostly located overseas, according to government data obtained and analyzed by Computerworld.
There are several factors to consider in planning a wise and pain-free restructuring. Insider (registration required)
The buying and selling of used IT equipment is not a trivial market, but it doesn't get enormous attention. In many cases, enterprises unload used equipment as a trade-in or at bargain price to a wholesaler because they just want the equipment off the floor.
There are still many unknowns about how going private will affect Dell and its customers, but company executives insist that the vendor will continue to pursue its latest enterprise strategy. Insider (registration required)
Hoping to cut costs and improve efficiency, the PGA of America will use rugged handhelds for real-time scoring during its 2013 season.
IBM is looking to bring mobile and social workloads onto mainframes as a way of keeping the expensive machines competitive.
With robots increasingly being used on factory floors and elsewhere, researchers are looking for ways to help humans work better with their robotic peers.
Mozilla will automatically block third-party cookies starting with Firefox 22, which is slated to ship this summer, according to the Stanford University researcher who coded the change.
Aruba Networks announced a Wi-Fi controller today that can create more efficient pathways for wireless traffic and control more than 32,000 Wi-Fi hotspots.

Posted by InfoSec News on Feb 25


By Meng Yan and Zhou Yong
People's Daily Online
February 25, 2013

Recently, Mandiant, a U.S. network security company released a report saying
"China's military is involved in the hacker attacks". The Ministry of Foreign
Affairs and the Department of Defense have responded to the relevant slanders.
The U.S. companies and media successively created "hacker...

Posted by InfoSec News on Feb 25


By Robert Lemos

An analysis of exploit and malware traffic inside corporate networks found that
social networks account for few attacks, while 97 percent of exploit traffic
focused on 10 applications, nine of which were critical business applications.

The analysis of log data from 3,056 companies underscores that internal...

Posted by InfoSec News on Feb 25


The New York Times
February 24, 2013

WASHINGTON -- When the Obama administration circulated to the nation’s Internet
providers last week a lengthy confidential list of computer addresses linked to
a hacking group that has stolen terabytes of data from American corporations,
it left out one crucial fact: that nearly every one of the...

Posted by InfoSec News on Feb 25


By Dan Goodin
Ars Technica
Feb 22 2013

The providers of the cPanel website management application are warning some
users to immediately change their systems' root or administrative passwords
after discovering one of its servers has been hacked.

In an e-mail sent to customers who have filed a cPanel support request in the

Posted by InfoSec News on Feb 25


By John E Dunn
22 February 2013

Former LulzSec hacktivist turned supergrass ‘Sabu’ has dodged sentencing for a
second time, presumably as a reward for his past or continued cooperation with
the US Government.

Sabu, or Hector Xavier Monsegur to give his full name, was originally due to be
sentenced last August on 12 counts of...
Intel will start shipping its high-performance Atom smartphone chip with 3D transistors to device makers later this year, who will then test the chip for use in handsets.
Samsung Monday announced an improved version of its SAFE management and security system for popular Samsung-branded smartphones and tablets.
Episode 1: Last week the administrators of 7,000 university websites were being called upon to change their .edu domain account passwords after a server security breach. Trouble was that the breach had been reported to the admins by Educause -- the non-profit higher-education IT group that runs .edu -- via an email that some recipients complained bore the familiar markings of a phishing attempt.
MasterCard revised its year-old mobile payment strategy by unveiling a digital, cloud-based service called MasterPass that moves well beyond near-field communication technology used in smartphones to also support QR codes, traditional credit cards and other ways to make payments.
Helping IT shops deal with the security and management of consumer smartphones and tablets in the workplace will be a big theme at Mobile World Congress this week.
Internet Storm Center Infocon Status