InfoSec News

Yahoo will unwrap on Wednesday a test version of a major upgrade of its Mail service, whose user engagement has been eroding to the detriment of the company's overall usage.
The other day, my wife asked me how to copy a PowerPoint presentation to a flash drive so she could take it with her to school. I was a little shocked. My very own wife doesn't know how to do this? I've failed as a husband!
Cyber Security Awareness Month - Day 26 - Sharing Office Files

Today's CSAM topic is Sharing Office Files.

There are some good points of attention when doing this.

1) Sharing inside the company.

Most companies have shared drives where people use to store documents that can be accessed by

one or several groups.
It is very important that you know who is on the list of Trusted people that can access those documents.
It is also necessary that the shares are included on the Anti-Virus scan and Backup process.
If you are not using a shared drive, but a web-based internal service like MS Sharepoint, the same check

should be done regarding the access control.

Sharing internal documents using external providers such as Google Docs, or Online Fileservers may be a

risk and very likely an internal policy violation even if they provide some level of authentication, so those should

be avoided at any cost.

2) Sharing Outside the company

Sometimes we need to share documents with third party and this can be a difficult task when it comes to security.
When not being able to use some kind of public/private key encryption method between the email exchange,

what I recommend is to use a common key and compact the file with a strong crypto algorithm such as AES.
Most compressors, like WinZip, WinRAR and 7-ZIP offer this option, so in this way you can ensure that even if the

email or file goes to the wrong hands, they may not be able to open the document.

3) Sharing inside the company with removable drives

Sometimes we need to share a document inside the company via removable drives.
At this point you can't really trust what it inside the thumb drive besides the document you need, and today it is very

common to find malware inside them, that will execute via Windows Autorun feature.
If your IT policy allows, you should really disable it this feature.
One thing that I usually do is to check them on my Linux box, and remove autorun.inf file from it before insert on my

Windows box.

4) Receiving Office Documents from outside the company
When receiving documents from outside the company, those will mostly be PDF or MS Office (.DOC, .XLS, .PPT).
Sometimes they may be legit documents, sometimes they may be part of a target attack :) .
There are a couple of ways to check those files. Our fellow handler Lenny Zeltser put together a very nice Cheat Sheet,

called...Analyzing Malicious Documents Cheat Sheet :) You can find the PDF here ( Don't worry, it is not malicious ):)
It contains several tools that you can use to help the identification of malicious documents when you don't want

to send them to external websites such as VirusTotal or Wepawet due some possible confidentiality issues.

As a last resource, create a VM image with Office and open the documents there :)

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Security experts suggest ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users' access to Facebook, Twitter and other popular services via Wi-Fi.
DeskNotes is the high-tech version of everyone's favorite low-tech reminder system, the yellow "sticky notes" that litter the cubicles and desktops of people everywhere. As you would hope for in a sticky notes program, it lets you create notes and move them around with ease. But this open source desktop utility also goes beyond what you would expect, with the ability to send notes via e-mail, and synchronize with Outlook.
In a major victory for the music industry, a New York federal judge has ordered embattled P2P software maker LimeWire to immediately and permanently stop distributing and supporting its file-sharing software.
Mozilla says it will patch a new zero-day flaw now being exploited in Web attacks.
For anyone needing to create a diagram, flow chart, business drawing, or similar image, the go-to tool is usually Microsoft Visio. But why spend money on software when Lovely Charts works the same magic free of charge?
PeaZip '.Zip' Remote Arbitrary Command Execution Vulnerability
VICIDIAL Call Center Suite 'admin.php' Multiple SQL Injection Vulnerabilities
The White House's top science and technology adviser, John Holdren, is putting his weight behind the development of the controversial national broadband plan.
Mobile websites are improving and Google ranks top in the category, according to the Yankee Group, which Tuesday announced its third annual survey of mobile sites on the Internet.
We can all agree that cell phones should have devoted mute buttons. We frequently encounter situations--meetings, movie theaters, putting the kids to bed--where our phones' beeps and boops must be silenced, and quickly. That's why it makes perfect sense for the iPhone to have its Ring/silent toggle switch.
Cleversafe has added thin provisioning and new security features to its cloud storage platform -- and has received a significant round of funding from the CIA's venture capital arm.
Barnes & Noble on Tuesday introduced an e-book reader called Nook Color, which will allow users to view color e-books and access social media applications on the Internet.
Google CEO Eric Schmidt is getting a lot of attention lately, not so much for the company's ubiquitous search engine, but for what he has been saying about privacy.
RETIRED: Real Networks RealPlayer SP and RealPlayer Enterprise Multiple Security Vulnerabilities
Researchers at the Columbia University Medical center hope that IBM analytics software can help them to more quickly spot symptoms of the deadly delayed ischemia complication that sometimes develops in stroke patients.
Sitecore CMS 'default.aspx' Cross Site Scripting Vulnerability
RE: [ #25400427] RE: How Visual Studio Makes Your Applications Vulnerable to Binary Planting
Google CEO Eric Schmidt has again kicked up something of an online firestorm with a statement about privacy.
A move toward more and more services in the cloud is inevitable, but vendors still need to focus on security, and the U.S. government needs to rewrite privacy laws to protect cloud customers, a group of experts said Tuesday.
Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.
Are you reluctant to make networking a bigger part of your job search because you're scared that no one will want to meet with you? Think giving, not taking. Here are seven reasons why your contacts actually want to hear from you.
ABI Research said that smartphone shipments continued to explode in the second 2010 quarter while users are showing a willingness to pay more and more for comprehensive data plans.
Microsoft has posted the first release candidate for Windows Server 2008 R2, as well as for Windows 7.
North Carolina's Department of Revenue violated the First Amendment in asking Amazon for names of customers who bought books, a Washington judge ruled on Monday.
Security researchers from Trustwave's Spiderlabs research team demonstrated malware,--including a Windows credential stealer--that uses automated processes to avoid detection and dupe forensics investigators.

Add to digg Add to StumbleUpon Add to Add to Google

So, this is not a marketing or just news about Firefox. :)

The reason for this post is that Firefox is the subject of two quite interesting security related news.

Starting on the first one.

There is a 0day vulnerability for Firefox, including the latest version. This vulnerability is already being exploited, so beware...
The good thing is that Mozilla is quite fast on those and already confirmed the issue and is working to get it fixed.

The second one is related to an Firefox extension released yesterday. It is called Firesheep.
In summary, it is an addon that will make it really easy to basically anyone hack accounts by sniffing traffic on public hotspots, such as airports, coffee shops,etc...

Hacking accounts by sniffing traffic on unsecured wifi networks is not really difficult, but until now, you would need some additional steps to accomplish it, but with Firesheep it is all there for you...really recommend a check on it.

PCWorld has a good write up on it.

Thanks for the readers that pointed that out.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Google CEO Eric Schmidt has again kicked up something of an online firestorm with a statement about privacy.
RE: RE: [Full-disclosure] Windows Vista/7 lpksetup dll hijack
McAfee's channel chief says the vendor's overhauled channel program rewards partners for doing good work and is resulting in happier customers.

Add to digg Add to StumbleUpon Add to Add to Google
Major online travel players Expedia, Kayak, Sabre and Fairlogix have banded together to oppose Google's planned acquisition of ITA Software and to ask the U.S. government to block the deal on the grounds that it will hurt competition and drive up prices.
The Googlemobiles sniffed open WiFi systems and everyone's outraged. Idiots.
Microsoft today launched Office for Mac 2011, the newest version of its application suite designed for Mac OS X.
RE: RE: [Full-disclosure] Windows Vista/7 lpksetup dll hijack
[security bulletin] HPSBMA02603 SSRT100319 rev.1 - HP Insight Control Power Management for Windows, Remote Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF)
Free Download Manager Remote Control Server Stack Buffer Overflow Vulnerability
HP Insight Control Virtual Machine Management Unspecified Remote Privilege Escalation Vulnerability
You can forgive Steve Jobs for a bit of hyperbole when he’s on stage introducing new products to an audience of thousands of people following along via a live video stream and countless liveblogs. “It’s like nothing we’ve ever created before,” Jobs said when introducing the new MacBook Air. “We think it’s the future of notebooks.”
Losing your Android phone, whether accidentally or through theft, is one of the easiest ways to become a victim of identity theft. Suddenly, handy features such as your integrated e-mail, contacts, and calendar can be used against you by strangers. Although Android phones have built-in security functions (go to the Settings menu and select Security) such as the ability to lock the phone and require a password after a specified period of inactivity, many people disregard them because it's a little less convenient to have to unlock the phone with each use.
Ghostscript 'gs_type2_interpret()' Function NULL Pointer Dereference Denial of Service Vulnerability
Re: IPv6 security myths
[security bulletin] HPSBMA02597 SSRT100198 rev.1 - HP Version Control Repository Manager (VCRM) for Windows, Remote Cross Site Scripting (XSS)
[security bulletin] HPSBMA02601 SSRT100316 rev.1 - HP Insight Control Server Migration for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Unauthorized Access
[security bulletin] HPSBMA02599 SSRT100235 rev.1 - HP Virtual Server Environment for Windows, Remote Arbitrary File Download
Apple iPhone Lock Screen Security Bypass Vulnerability
HP HPeDiag ActiveX Control Multiple Information Disclosure and Remote Code Execution Vulnerabilities
EgyPlus 7ml Multiple Input Validation Vulnerabilities
SAP is in a new legal entanglement less than a week before it heads to court over intellectual property charges by Oracle, but the new case has to do with marketing, not third-party support for ERP software.
The advent of online coupons has made shopping and saving that much easier. In an earlier era, people spent their Sunday mornings clipping coupons out of the newspaper. Now, you can download coupons from dedicated sites like or, or even social networking sites like Facebook and LinkedIn. But this convenience carries certain privacy risks: Some companies track consumer spending habits based on the coupons those consumers use.
The talk around the virtual water cooler these days among the Mac developer crowd is all about the forthcoming Mac App Store. Announced on Wednesday by Steve Jobs, this store will extend the current iOS App Store concept to Mac OS X.
Extreme Networks Tuesday rolled out an Ethernet switch line designed to play a series of roles, including edge aggregation in the campus and top-of-rack server access in the data center.
ZTE, one of China's largest network equipment and phone suppliers, is set to buy US$3 billion worth of semiconductor components from five U.S. technology vendors.
Armenian authorities arrested a 27-year-old man on Tuesday on suspicion of running a large botnet that was dismantled after a unique take-down operation by Dutch law enforcement and computer security experts on Monday.
Police took over the command and control servers responsible for sending orders to Bredolab, a notorious spam botnet known for spreading rogue antivirus programs.

Add to digg Add to StumbleUpon Add to Add to Google

Microsoft, Competence IT and Korus Consulting to Introduce FIM2010-Based Joint ...
PRLog.Org (press release)
PRLog (Press Release) – Oct 26, 2010 – Microsoft Corporation, Competence IT (Indeed ID) and Korus Consulting LLC will demonstrate a joint solution based on ...

Microsoft may be looking to add to its existing patent infringement case related to the use of Google's Android mobile phone software by targeting phone makers in Taiwan, according to a Chinese-language news report.
Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness
Apache Tomcat XML Parser Information Disclosure Vulnerability
Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability
Apache Tomcat 'RequestDispatcher' Information Disclosure Vulnerability

New IISP graduate scheme could help to create a professional network of ...
SC Magazine UK
IISP's graduate scheme could help kick-start careers, in an era where IT and business are ever more closely knit. There is concern within the information ...


Improvements in techniques in medicine and aviation could be used in the ...
SC Magazine UK
Apparently unrelated areas such as medicine and aviation have insights that infosec would do well to use. One of the things I love about the world of ...

Departing Microsoft exec Ray Ozzie has issued a communique expanding on his 2005 call for Microsoft to jump on the cloud or perish.
Try out these add-ons -- from Apple's Safari Extensions Gallery and beyond -- for better social networking, tab management, security and more.

Moving on from the 2007 data loss by HMRC
SC Magazine UK
Vistorm's Peter McAllister says: β€œThe fear of forthcoming cuts is causing infosec thinking to become more radical – but pragmatic, rather than ideological. ...

A third trial is set to begin in a bitter, closely watched legal battle between Minnesota native Jammie Thomas-Rasset and the Recording Industry Association of America (RIAA).
Senator Harry Reid is questioning the validity of polls showing him in a close race with Republican challenger Sharron Angle for his U.S. Senate seat in Nevada because random survey calls fail to include cell phones.
Intel announced the opening of its first ever chip manufacturing facility in Asia on Tuesday, in Dalian, China.
Pedro Bueno (pbueno /%%/ isc. sans. org) Twitter: (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Internet Storm Center Infocon Status