Hackin9

InfoSec News

In the week ending 27 October - Google Drive clients open backdoors, Wayland hit its 1.0 milestone and the Raspberry Pi got its ARM code open sourced. Also, Mozilla and CryptoParties, and attacking TrueCrypt


 
Approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to South Carolina taxpayers were exposed after a server at the state's Department of Revenue was breached by an international hacker, state officials said Friday.
 
A San Francisco court will hear arguments next month against a proposed US$22.5 million privacy settlement between Google and the U.S. Federal Trade Commission, over Google's use of cookies to track the Web movements of users running Apple's Safari browser.
 
In the biggest data compromise of the year, Social Security Numbers belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenue.
 
New York-based political statistician and author Nate Silver was a special guest speaker at IBM's Information On Demand conference. Big data, algorithms and sports analysis were among the topics of discussion.
 
RT and RT RTFM Extension Security Bypass Vulnerability
 
Tech stocks were flat Friday afternoon after earnings announcements from IT vendors this week and a government economic report offered glimpses of good news, but not enough to dispel the pall that hangs over the technology market.
 
Microsoft today opened its virtual store and began selling upgrades to Windows 8 Pro for $39.99, making good on a promise made last summer.
 
Microsoft's launch of Windows 8 amid great fanfare yesterday left many users wondering whether the new operating system can prove a big boost to the ailing PC market.
 
The U.S. Supreme Court will hear arguments Monday in two cases with potentially broad implications to technology users, one reviewing whether consumers can resell copyright-protected products they have purchased and the second challenging an electronic surveillance program at the U.S. National Security Agency.
 
SAP has laid out a set of pricing and policies for tying together its array of cloud-based and on-premises applications, providing some options at no charge, but others that will cost customers additional money.
 
RETIRED: Apple iPhone/iPad/iPod touch Prior to iOS 6 Multiple Vulnerabilities
 
Here on Day 26 of Cyber Security Awareness Month, as the ISC focuses on standards, we received a very interesting email from David at Lamp Post Group, the IT provider for Access America Transport.
Per David: Access America owns a US Trademark and the domain accessamericatransport.com. On Tuesday, October 23, a malicious user registered the domain accessamericatransport.net and immediately began sending phishing emails under the domain. Purporting to be Access America Transport, some emails were sent to several of our carriers with a link to a fake Rate Confirmation (rate confirmation is a normal term in the 3PL industry) or carrier Claim which in fact linked to an executable containing a virus.
There are a number of interesting elements here so let me parse them individually.

First, with an eye for security awareness specific to your domain names:

Depending on the value of your enterprise name space, you may want to ensure you own the related domain for all the major TLDs (com, net, org) and even consider some of the newer offerings (info, biz, us). Think about close possible squatter matches too. Using the example David sent us, phishers and attackers may buy domain names that closely match those related to your enterprise. While the attackers David reported simply acquired accessamericatransport.net, had that not been available, they might have created the likes of accessamericantransport.com or accessamericatransp0rt.com. It can definitely start to get expensive to buy the near-name matches in addition to what should be all your known good domain names, but your Internet presence is your reputation. David's sharing this attack with us all is admirable transparency and an excellent lesson learned.
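To make the "close possible squatter matches" advice concrete, here is an added example (my code, not the diary's and not anything from Access America or Lamp Post Group) that builds a watch list of near-name variants for a brand domain and classifies a domain pulled from mail logs against it. The homoglyph table and the TLD list are my own choices; the brand label and the two lookalikes it recognises are the ones the diary names, and the other sample domains are constructed. A list like this is what you would feed to a registrar alert, passive DNS or certificate-transparency monitor, or pre-register outright.

```python
"""Watch-list builder for near-name squatter domains (defensive brand monitoring).

Added example, not part of the ISC diary. Assumptions: the HOMOGLYPHS table is a
small common subset (not exhaustive), and WATCH_TLDS is the set the diary suggests.
"""
import string
from functools import lru_cache

# Brand domain named in the diary, split into registrable label and TLD.
BRAND = "accessamericatransport"
BRAND_TLD = "com"

# Major TLDs plus the newer offerings the diary mentions (assumption: your list may differ).
WATCH_TLDS = ("com", "net", "org", "info", "biz", "us")

# Letter -> look-alike digit substitutions (assumption: common subset only).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "t": "7", "b": "8", "g": "9"}


def label_variants(label: str) -> dict:
    """Return {variant_label: technique} for one registrable label.

    setdefault keeps the first (most specific) technique when two rules
    produce the same string, so the order of the rules below matters.
    """
    out = {}
    # 1. homoglyph substitution at one position (accessamericatransp0rt)
    for i, ch in enumerate(label):
        sub = HOMOGLYPHS.get(ch)
        if sub:
            out.setdefault(label[:i] + sub + label[i + 1:], "homoglyph")
    # 2. omission of one character (accesamericatransport)
    for i in range(len(label)):
        out.setdefault(label[:i] + label[i + 1:], "omission")
    # 3. transposition of two adjacent, differing characters
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.setdefault(swapped, "transposition")
    # 4. repetition (doubling) of one character, before generic insertion
    for i in range(len(label)):
        out.setdefault(label[:i + 1] + label[i] + label[i + 1:], "repetition")
    # 5. insertion of any letter at any position (accessamericantransport)
    for i in range(len(label) + 1):
        for ch in string.ascii_lowercase:
            out.setdefault(label[:i] + ch + label[i:], "insertion")
    out.pop(label, None)  # never list the brand itself as a variant
    return out


@lru_cache(maxsize=None)
def candidate_domains(label: str = BRAND, tld: str = BRAND_TLD,
                      tlds: tuple = WATCH_TLDS) -> dict:
    """Full watch list: exact label under every other TLD, plus every variant
    under every watched TLD. Cached because classify() calls it per domain."""
    cands = {}
    for t in tlds:
        if t != tld:
            cands[f"{label}.{t}"] = "tld-swap"
    for variant, technique in label_variants(label).items():
        for t in tlds:
            cands.setdefault(f"{variant}.{t}", technique)
    return cands


def classify(domain: str, label: str = BRAND, tld: str = BRAND_TLD,
             tlds: tuple = WATCH_TLDS):
    """Return 'own-domain', the squatting technique a domain matches,
    or None when it is not a close match to the brand."""
    d = domain.strip().lower().rstrip(".")
    if d == f"{label}.{tld}":
        return "own-domain"
    return candidate_domains(label, tld, tlds).get(d)


if __name__ == "__main__":
    # Constructed sample of sender domains as they might appear in a mail log.
    seen = ["accessamericatransport.com", "accessamericatransport.net",
            "accessamericantransport.com", "accessamericatransp0rt.com",
            "example.org"]
    for dom in seen:
        print(f"{dom:32} -> {classify(dom)}")
    print(f"watch list size: {len(candidate_domains())}")
```

Every `.net`/`.org`/`.info`/`.biz`/`.us` copy of the exact label lands in the list as a `tld-swap`, which is the case that actually hit Access America; the single-edit variants cover the two hypothetical names the diary gives. Anything classified as something other than `own-domain` or `None` in your mail logs deserves a look.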

By the way, as we are weaving in discussion around standards, you should read the primary DNS-related RFCs. I'm always reminded about how little I know about DNS when I dig in here. Yes, DNS dig pun intended.
So, let's dig into the attack against Access America Transport:

Most importantly, they've recovered control of accessamericatransport.net and have posted warnings to their primary page.

The phishing emails sent from accessamericatransport.net included links to Zeus binaries hosted in Ukraine (UA), Eastern Europe (shocker), at 91.20x.20y.167 (slight obfuscation to protect the innocent). The binaries, when executed, phoned home to 193.10x.1y.163 (Seychelles (SC), Southern Africa) and POSTed victim-identifying data to the C&C; there's a nice writeup from 12 MAR 2012 on this behavior here.

Targeted Zeus attacks are nothing new, but in this case the analysis does seem to indicate a ramp-up against the 3rd party logistics (3PL) industry. David indicated at least four other 3rd party logistics companies that have recently suffered similar attention. The efforts against Access America allegedly even included a vishing attempt.



In summary, here's the BOLO (be on the lookout):

1) Protect your domain name interests with awareness of any names you lose control of that may be used against your consumers

2) 3rd party logistics (transportation) organizations, beware of a possible increase in phishing/vishing activity leading to dangerous malware



The ISC always appreciates your feedback. Readers, if you're seeing similar activity, please feel free to comment or send us samples.


Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
About 100 people waited outside Boston's Microsoft Store Friday to buy the company's new Surface tablet, which runs a new version of Windows.
 
Megaupload founder Kim Dotcom could violate the terms of his bail, or face new criminal charges, if he launches a new file-sharing and storage service as planned, the U.S. Department of Justice said in a court filing this week.
 
CoDeSys, a piece of software running on industrial control systems (ICS) from over 200 vendors contains a vulnerability that allows potential attackers to execute sensitive commands on the vulnerable devices without the need for authentication, according to a report from security consultancy Digital Bond.
 
Hacking a hardware keylogger, setting up a free cloud-based honeypot with Amazon EC2, a GUI for ping.exe, the supposed return of TDL4 and a hotel master key disguised as a dry erase marker


 
Many mail servers are at risk from a buffer overflow when checking DKIM signatures. Patches and updated packages are now available


 
Special Webcast: How To Create an Engaging Awareness Program People Want To Take - 3rd in Series
Tuesday, October 30, 2012 at 1:00 PM EDT (1700 UTC/GMT)
Featuring: Will Pelgrin, Chair of the MS-ISAC, President CEO of the Center for Internet Security
Details and sign in at https://www.sans.org/webcasts/create-engaging-program-people-3nd-series-95539
--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The FBI has arrested Paul Ceglia for attempting to defraud Facebook and its co-founder Mark Zuckerberg in a scheme to grab a large stake in the company and billions of dollars.
 
Apple kick-started pre-orders of the iPad Mini early today, and within hours, sold out the white model in all three Wi-Fi configurations.
 
Smartphone security, or the lack of it, is downright scary. At this week's McAfee Focus event, CIO.com columnist Rob Enderle discovered just how easy it is to hack into someone else's device. Even if you secure corporate phones, employees' personal phones pose a significant risk.
 
Germany leaps to the top of the chart for share of malicious emails detected by Kaspersky in September, with the US dropping from top to eighth


 
SAP now says it will proceed with two major user conferences set for Madrid next month, after saying earlier this week that it was weighing its options following concerns over labor strikes planned for the same time as the shows.
 
Inventory 1.0 Multiple SQL Vulnerabilities
 
Inventory 1.0 Multiple XSS Vulnerabilities
 
We finally go hands-on with the Surface RT. Here's our first impressions.
 
[SECURITY] [DSA 2566-1] exim4 security update
 
[security bulletin] HPSBHF02819 SSRT100920 rev.2 - HP, 3COM, and H3C Routers & Switches, Remote Disclosure of Information
 
Amazon.com reports $274M loss in the third quarter -- its first loss in nine years -- on revenue up 27% year over year to $13.8B.
 
It was almost a year ago that a curious mathematician with no real Internet security training was able to walk through a gaping security hole left by Google -- a weak email cryptographic key.
 
In Windows 8, Microsoft has greatly improved the operating system's ability to detect malware before it has a chance to run, experts say. Windows 8 should also make it more difficult for people to unknowingly install malware in the first place.
 
Casio is preparing to launch a new Android tablet for businesses that acts as a personal scanner.
 
Apple has increased the prices of apps sold through its iTunes App Store in Europe because of exchange rate changes, it said on Friday. The minimum price for an app in the Euro zone rose to $1.15.
 
Apple on Thursday announced record revenue on the back of booming iPhone sales, but iPad sales came up short of Wall Street's expectations.
 
Which OS the IT staff at United will use is a question that will be answered in time, but the mere fact that it can investigate all three client device operating systems is a major change for corporate IT.
 
Windows 8 presents a radically new interface to users, but never fear: Our comprehensive guide will help you find your way around the new OS and make the most of its features.
 
Researchers found that a number of programs use ineffective encryption when trying to securely transmit data. They say that the most common culprit is badly designed libraries


 
Nokia has dropped off the list of the top five smartphone vendors in the third quarter, facing stiff competition from Samsung and Apple globally, and from high-growth vendors like Huawei in China, where Nokia was the dominant player as recently as the third quarter of 2011, research firm IDC said Thursday.
 
Modifying Apple's iPhone software to install applications not approved by Apple will still be legal under new exemptions to take effect on Sunday in the U.S., but illegal for an iPad and other tablets.