InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Softbank's planned US$20 billion investment in Sprint validates the way the U.S. government handled last year's proposed merger of T-Mobile USA and AT&T, Sprint CEO Dan Hesse said Thursday.
When it comes to analyzing Big Data, software packages such as Hadoop or the R statistical language come readily to mind. But at least one company, AppNexus, also relies on the Python programming language to help conduct heavy-duty data analysis.
AMD has called a press conference in San Francisco on Monday where it's likely to announce plans for a SeaMicro server based on an upcoming 64-bit processor design from ARM.


5 Goals to Improve Infosec Skills at DHS
Top Department of Homeland Security officials, including Secretary Janet Napolitano and Deputy Undersecretary Mark Weatherford, over the past few days have been emphasizing the need for the department to increase its IT security workforce and skills.

and more »
Apple sold 27 million iPhones and 14 million iPads in the last quarter of 2012, swelling its revenue by 27 percent, but its profits fell short of what analysts had been expecting.
Sprint Nextel's deployment of its ambitious Network Vision infrastructure, which includes the gradual rollout of 4G LTE technology, is about three months behind schedule due to several factors, the company said during its financial results call on Thursday.
RETIRED: Apple Mac OS X Security Update 2012-004 Multiple Security Vulnerabilities
Microsoft's Surface RT tablet goes on sale on Friday, starting at $499 for a 32GB model. It seems to be a rough-and-tumble device.
Co-founder Corey Schou says (ISC)2 board member responsibilities include managing growth, certification value and building a "member-centric" culture.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Apple iOS SMS Spoofing Vulnerability
Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.
Marissa Mayer has made her first acquisition at Yahoo, a recommendations app called Stamped that was developed by ex-Googlers and has even received backing from Google Ventures.
Microsoft officials on Thursday demonstrated how the new Surface tablet can withstand a fall from several feet onto a carpeted floor and is strong enough to be used as a skateboard.
Microsoft's big launch today for Windows 8 and its sibling, Windows RT, in New York City was either the best Windows launch in nearly 20 years or 'bupkis.'
Facebook has shown Wall Street that it's finally starting to figure out how to make money from its vast array of mobile users. heartening financial analysts and Wall Street investors who had been giving the social network a beating since its sluggish IPO.
Where are the sub-$300 Windows RT tablets? That's a question that might not be answered until Friday, when tablet makers finally put them on sale.
Kicking off what may be the company's most challenging marketing effort yet, Microsoft has launched its next generation operating system, Windows 8, in New York City.
Wordpress 3.4 Cross-Site Scripting Vulnerability
Smf 2.0.2 Cross-Site Scripting Vulnerability

In previous Diary's niche layer 2 protocols for different network areas have been covered. In keeping with that theme, this diary will cover three in particular. Two that are widely deployed (and may already be in your network) protocols and discuss one emerging protocol.
Ethernet truly is everywhere and most everything is converging, if not already, to an Ethernet transport model. You have Data Center Storage [1] [2], Voice over Internet Protocol (VOIP)[3], Infrastructure Management (e.g. SCADA [4]) all converging over that RJ45 and or Fiber port. You may or may not be aware that professional grade audio converged onto Ethernet for a transport many years ago.
There are several transport protocols but the three that we will discuss today are CobraNet [5] [6], Dante [7] [8] and Audio Video Bridging (AVB) [9] [10] [11] [12].
This article will not attempt to explain the protocols but more increase awareness and potential risks.
Let's talk Cobranet, invented in the 1990's by Cirrius Logic and is pretty much the first Audio transport over Ethernet. It is widely deployed and is a pure Open Systems Interconnect (OSI) [13] Model layer 2 protocol. This immediately sense of my PacketSense Danger Sense *Must know more* about how it is deployed.
Deployments may vary and range from converged to closed networks. Since it is an Ethernet Protocol it can co-exist with other Ethernet Traffic. A quick tcpdump run through network captures could tell you if Cobranet is on your network.
tcpdump -vv -e -nn ether proto 0x8819
Dante sits at Layer three in the OSI model [13] and is more of a VOIP style play. They recommend and use VOIP style of Quality of Service mechanisms. You can find a great technology overview of Dante @www.audinate.com/index.php.
Registering to get access to Dante documentation and marketing/white paper material was easy. This protocol however might be harder to find. It can use both Multicast [14] and Unicast traffic and looks to be customizable. I will admin openly that I have 0 experience in deploying or working with Dante but thought it important to include it's existence.
Audio Video bridging is the heart of what needed to be discussed today. This protocol is heading to a car near you :) among many other possible solutions. Today AVB is mostly audio but video is quickly ramping up. When first informed about the auto industry play with this protocol, it took me by surprise, but one of the heaviest components in a car is the wire harness. This protocol may change that. Now, beyond the scary Networking in my CAR????? it has other applications as well.
Both Dante and Cobranet are proprietary protocols, very well designed but not open. AVB is an open set of protocols managed by the IEEE [15] so the competition is now open. One thing that bothered me about this protocol is no security controls. Having some contacts in the AVNu alliance [10] and with the IEEE working group [15] this has been brought up.
There are several different protocols to snoop for but fortunately you are likely to not have this in your network just yet. The protocol is just ramping up. It is designed to converge with what the Pro Audio Space call Legacy traffic :) or email, web, etc. The AVNu team contributed time to the Wireshark group and latest versions of Wireshark parse this protocol.
The AVNu Alliance has a great list of resources to better understand AVB Itself @www.avnu.org/resource_library

Cyber Security Awareness tip for day 25, EVERYTHING is converging onto Ethernet And some don't think about the risks of converged networking. Be aware of the nuance protocols and services that may make it into your environment!

Web References

[1] http://tools.ietf.org/html/rfc3720
[2] http://en.wikipedia.org/wiki/Fibre_Channel_over_Ethernet
[3] http://en.wikipedia.org/wiki/Voice_over_IP
[4] http://en.wikipedia.org/wiki/SCADA
[5] http://en.wikipedia.org/wiki/CobraNet
[6] http://www.cobranet.info
[7] http://en.wikipedia.org/wiki/Dante_(networking)
[8] http://www.audinate.com/index.php?option=com_contentview=articleid=138
[9] http://en.wikipedia.org/wiki/Audio_Video_Bridging
[10] http://www.avnu.org
[11] http://www.ieee802.org/1/pages/avbridges.html
[12] http://www.wireshark.org/lists/wireshark-bugs/201005/msg00292.html
[13] http://en.wikipedia.org/wiki/OSI_model
[14] http://datatracker.ietf.org/wg/magma/charter/
[15] http://www.ieee802.org/1/pages/avbridges.html

Richard Porter
--- ISC Handler on Duty
Twitter: @packetalien
Email: richard at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reportedly, a decryption key allows users to manipulate the console's system start and install modified firmware versions. This is particularly useful to those who want to launch alternative operating systems or run pirated software

Bitweaver Multiple Cross Site Scripting and Local File Include Vulnerabilities
European Union regulators will not force Microsoft to open its Windows RT operating system to rival browsers, the Brussels-based antitrust agency said Wednesday.
Windows 8 is finally here and the stakes are sky high for Microsoft.
The technique of using algorithms to analyze footage from video surveillance cameras in real time began coming into its own five years ago. It's an intriguing adaptation of standard surveillance security. It's still an emerging market, as Jon Cropley, principal analyst at IMS Research, told CSO.
US book retailer Barnes & Noble has confirmed that a number of payment terminals in its nearly 700 stores were compromised by hackers to steal card data and PIN numbers

Google's next smartphone, the Nexus 4, will have a 4.7-inch screen and start shipping on Oct. 30, according to U.K. retailer Carphone Warehouse.
A home improvement retail chain can use an app running on an iPad to help design a customer's home, check inventory for the products, give a cost estimate to the customer, and take orders.
On the same day Microsoft loudly proclaims Windows 8 in New York, the aging-but-still-going Windows XP today quietly celebrated its 11th birthday.
Verizon Wireless, like AT&T, will start shipping the Samsung Galaxy Note II in November, but its subscribers will have to wait a bit longer than users on competing networks.
In New York on Wednesday night, Samsung officially launched the 5.5-in. Galaxy Note II at an elaborate -- but somewhat anticlimactic -- event featuring performer Kanye West.
Microsoft launches Windows 8, its new and controversial operating system. We bring you news, opinions, reviews, how-tos and more.
Apple has already sold 100 million iPads and the rollout this week of the iPad Mini will only add fuel to that fire, says columnist Ryan Faas.
Specification efforts by the bigwigs of the server, storage and software industry will soon allow OSes and applications to recognize and take full advantage of new non-volatile memory.
Facebook has paid far lower than the announced $1 billion in cash and stock for photo-sharing app Instagram, following a drop in its share price.
Emails from large companies such as Google, Yahoo, eBay and Amazon use digital signature keys that are so weak that they can potentially be cracked in just a few days

fwknop Multiple Security Vulnerabilities
phpMyFAQ 'index.php' Cross Site Scripting Vulnerability
Nintendo said Thursday pre-order sales of its new Wii U console are strong and the game is likely to have shortages this holiday season after its launch.

Posted by InfoSec News on Oct 25


By Richard Silverstein
Eurasia Review
October 24, 2012

The Israel’s Channel 2 reports (Hebrew) that the IDF intends to double
the manpower of its Unit 8200, which is charged with waging cyber-war on
Israel’s enemies. It plays a role akin to the NSA here in the U.S. and
was responsible for creating Stuxnet, Flame and the other cyber-viruses
which have...

Posted by InfoSec News on Oct 25


BBC News
24 October 2012

Huawei has offered to give Australia unrestricted access to its software
source code and equipment, as it looks to ease fears that it is a
security threat.

Questions have been raised about the Chinese telecom firm's ties to the
military, something it has denied.

Australia has previously blocked Huawei's plans to bid for work on its
national broadband network....

Posted by InfoSec News on Oct 25


By Matthew Heusser
October 24, 2012

You might have heard of DefCon, the big, bad, Las Vegas penetration and
hacking conference where gray (and darker) hats show off their exploits.

It's less likely that you've heard of GrrCon, the Grand Rapids,
Mich.-based hacking and penetration conference. The event drew 850
attendees in...

Posted by InfoSec News on Oct 25


By Kim Zetter
Threat Level

It was a strange e-mail, coming from a job recruiter at Google, asking
Zachary Harris if he was interested in a position as a site-reliability

“You obviously have a passion for Linux and programming,” the e-mail
from the Google recruiter read. “I wanted to see if you are open to
confidentially exploring...

Posted by InfoSec News on Oct 25


The Press-News
October 24, 2012

Aultman Hospital recently learned that an unidentified third party
gained unauthorized access to credit card and debit card information
relating to some purchases at the hospital's gift shop between February
and September 2012.

No patient health information was affected.

Upon learning of the security breach,...
Joomla! 'language search' Component Cross Site Scripting Vulnerability
Subrion CMS Multiple Cross Site Scripting and HTML Injection Vulnerabilities
VLC Media Player Read Access Violation Arbitrary Code Execution Vulnerability
Internet Storm Center Infocon Status