InfoSec News


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
We all take more photos than usual at this time of year. You might be taking pictures in the snow, photos of Christmas decorations, or just capturing holiday get-togethers. No matter what the subject, I'm reminded about just how important your photo collection actually is. These are treasured memories, and you don't want to trust decades of images to a finicky magnetized platter that spins at 7,000 rpm and, as it ages, could fail catastrophically. I don't mean to scare you, but it's a fact of life: All computer gear breaks eventually, and it's important to have a backup of your photos when that inevitable day comes. So with that in mind, I've rounded up some easy ways to back up your
SAP is fighting back against Oracle's demand that it fork over $212 million in interest on top of a $1.3 billion sum a jury awarded Oracle last month in its corporate-theft suit against the German software vendor, according to a court filing last week.
Pidgin MSN Use-After-Free Denial of Service Vulnerability
IBM Lotus Mobile Connect Unspecified Cross Site Scripting Vulnerabilities
Quite a few apps in the Android Market try to solve the problem of how to access, view, and edit office documents with an Android device. It's a difficult task compounded by the limitations of the small screen and keyboard, and by the fact, too, that many document formats are proprietary (Microsoft Office, Adobe PDF, and so on) and are thus difficult for third-party developers to work with. AlwaysOnPC provides a powerful, customizable, cross-platform solution that uses open-source software hosted on a cloud-based, Fedora Linux PC.
A lot of people see a PC that won't boot, and assume that it's infected. That's the least likely cause.
No two Apple products share a closer parallel history than the original iPhone and the original Macintosh computer. Each device was revolutionary for its time. The Macintosh, later known as the Macintosh 128K, was the first mainstream computer to include a graphical user interface similar to the ones we use today. The original Mac OS used movable application windows and included functions such as drag and drop. The 128K also popularized the use of a mouse and was notable for its compact dimensions. The iPhone was the first minicomputer to masquerade as a cellular telephone. It also had an intuitive, exclusively touch-based interface with limited physical buttons and no stylus--a common device for touch-based phones prior to the iPhone.

A recent study by Clearswift indicates that companies aren’t doing enough to train their workers about Internet security.

The Web and email security company conducted a survey of some 2,000 office workers in the U.S., UK, Australia, Germany, and the Netherlands, and found that only 29% had received Internet policy training in the past 12 years. Half of the respondents said they’d never had a dedicated session on their company’s security policy, while 38% had no security training at all (dedicated or otherwise).

The lack of training is lost on employees, according to the study: Only 27% think their company could do better at communicating its online security policy. In fact, 71% report that their company has an Internet policy and that most of their coworkers are aware of it.

“Given the speed of all the new social media threats, it seems a little lax,” Alyn Hockey, Clearswift’s director of product management, said of the lack of security training.

The study also showed that workers are applying their own rules to technology use. Forty-four percent reported storing work data on personal memory devices and 25% use personal accounts on social networks to comment about their job. Twenty percent said IT security breaches happen when workers are trying to get their jobs done more efficiently.

A temporary workaround to mitigate a zero-day vulnerability in Internet Explorer causes most Web pages to load improperly.

By Ron Condon, UK Bureau Chief

Researchers at Trend Micro Inc. are warning Internet Explorer users that a workaround, which can be deployed to block a new zero-day flaw in the browser, can break the functionality of most Web pages.

Microsoft warned last week that it is investigating a new vulnerability that affects all supported versions of Internet Explorer, and could lay it open to remote code execution. The company also said it is aware of targeted attacks that are already trying to exploit the vulnerability.

The IE flaw exists due to an invalid flag reference within Internet Explorer, which can be accessed after an object has been deleted under certain conditions. The company says that in a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Jonathan Leopando, a researcher with Trend Micro’s TrendLabs is warning that the temporary measures advocated by Microsoft to block the flaw will cause most Web pages to load improperly in IE.

“The mitigating steps force the use of a user-specified CSS style sheet (breaking site formatting) and disabling scripting (disabling many site features),” he wrote, adding that users should also check that Data Execution Prevention (DEP) is enabled, to reduce the potential effects of any exploits.

The best way to avoid the problem, he says, is to upgrade to the beta version of IE version 9, which is not affected.

In the TrendLabs blog, Leopando said Trend Micro researchers have acquired a sample of the exploit for the vulnerability and have analyzed the threat. The main page that delivers the exploit downloads a backdoor, which in turn downloads various encrypted files which, when decrypted, contain the commands that the backdoor will perform.

Leopando says we are likely to see further attacks exploiting the vulnerability. One reason is that a new hacking tool, called HKTL_ELECOM, allows cybercriminals to generate pages that contain the JavaScript code which exploits this vulnerability.

“This makes exploiting the vulnerability easier, which means that attacks that target will probably become more commonplace,” he wrote.

Adobe issued an alert Thursday warning of a critical vulnerability in its Flash Player that is being exploited in attacks on its Reader software.

The flaw could allow an attacker to take control of a system, Adobe said.

The vulnerability affects Flash Player 10.1.85.3 and earlier versions for all the major operating systems, and Flash Player and earlier versions for Android. It also affects the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and Unix, and Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh.

Adobe said there are reports of the vulnerability being exploited in the wild against Reader and Acrobat 9.x, but it isn’t aware of any attacks against Flash Player.

The company expects to provide a fix for Flash Player by Nov. 9 and an update for Reader and Acrobat during the week of Nov. 15.

Also on Thursday, Adobe released an update to fix a critical vulnerability in its Shockwave Player, which it warned about last week.

ipTrust, a start-up backed by a couple of Internet Security Systems veterans, launched today and debuted its new botnet detection service and IP address reputation capabilities. The company, a subsidiary of Endgame Systems, also announced $29M in venture financing.

Chris Rouland, ISS CTO, and Dan Ingevaldson, former director of ISS’ X-Force research team, said the company has been in hibernation for two years building security services for the federal government. During that time, they’ve been collecting data and maintaining state on millions of IP addresses, looking for sites sending spam and malware and recruiting for botnets. That data feeds the reputation engine at the heart of two products announced today: ipTrust Professional and ipTrust Web.

ipTrust Professional is a cloud-based API that enables integration with existing applications or services. Users can make queries in real time against the company's database to receive reputation scoring for any IP address on the Net, Ingevaldson said. Unlike other reputation engines that are primarily geolocation-based, this one can also take into account whether an IP address is infected with a Trojan or worm, or has been part of a botnet and sent spam before. Users can then make the decision whether to deny access to or from that IP address.

“What we’re doing here is building an interface with this API into a massive data set,” Ingevaldson said. “We’ve collected 275 million pieces of information on IP addresses that we’re keeping state on. We’re collecting one terabyte of security event information weekly–and that’s going up all the time. We can scale to petabyte size. Our customers don’t have to download a petabyte of information, but our API allows them useful interfaces so they can make smarter decisions based on the information we provide them.”

ipTrust Web is a free infection notification service delivered in a software-as-a-service model. Users sign up online and provide a range of external IP addresses to be monitored. If an event occurs, an email notification is sent that contains a link to the ipTrust Web portal, where the user gets rich metadata on the details, Ingevaldson said.

“The use cases are more limited, but more focused,” Ingevaldson said. “That’s the opportunity here. We don’t intend to send an SMS with 10 million events. If your Blackberry goes off, you’ve got a Conficker infection, for example, with a link to our portal. It’s much more focused, much more refined and precise.”

by Ron Condon, UK Bureau Chief

If you haven’t yet applied last month’s patches to Microsoft Office, it might be worth making it a priority.

Researchers at Trend Micro Inc. have spotted a new exploit that sits inside an RTF file. When the file is opened, it triggers a buffer overflow, which, in turn, causes Microsoft Word to crash. The malware then plants a Trojan on the machine, thereby allowing the attacker to execute his or her own commands on the affected system.

Trend Micro threat response engineer Karl Dominguez flags this as a serious concern because, in addition to the risk of email attachments, anyone receiving an RTF email message could immediately become infected. Microsoft Outlook uses Word to handle email messages, so the mere act of opening or viewing specially crafted messages in the reading pane could cause the exploit code to execute.

Microsoft has fixed the stack-based buffer overflow vulnerability in Microsoft Office that causes the problem. A patch, which can be found in the official Microsoft MS10-087 bulletin, was issued as part of November’s Patch Tuesday.

Trend Micro said it has detected the exploit RTF files as TROJ_ARTIEF.SM, which then drops in another malicious file called TROJ_INJECT.ART. Both affect systems running Windows 2000, Windows XP or Windows Server 2003.

Email addresses and passwords of more than 1.3 million registered users of Gawker Media websites have been made publicly available after a hacking group broke into the company’s servers last weekend.

Gawker websites include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot. Gawker is warning users to change their account password and consider changing passwords to other websites if they are used for multiple accounts. The registration information was required to leave comments on the websites.

“We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security—and of trust,” the company said on its website.

Gawker posted a detailed FAQ explaining the extent of the breach and how registered users can protect themselves. A group named “Gnosis” claimed credit for the attack and posted a file containing the passwords at several peer-to-peer networks. The stored passwords were encrypted.

“We are in the process of notifying those users who associated an e-mail address with their Gawker accounts,” the company said.

On Monday, Graham Cluley, senior technology consultant for UK-based security vendor Sophos, said the Gawker breach appears to be tied to a spam campaign on social networking site Twitter. Del Harvey, Twitter’s director of trust and safety, said the company reset passwords to compromised accounts. Those behind the spam campaign hijacked Twitter accounts that used the same Gawker password.

“We … deleted updates on accounts affected by acai spam; accounts were compromised in the Gawker properties hack,” Harvey posted Monday on Twitter.

Trend Micro on Monday said it signed a deal to buy Mobile Armor, a provider of endpoint encryption technology. The St. Louis, Mo.-based company sells full-disk, file/folder, and removable media encryption products. Financial terms of the deal, which is expected to close Dec. 31, were not disclosed.

Trend Micro said Mobile Armor’s products will complement its existing DLP, email encryption and cloud encryption technologies.

Eva Chen, CEO of Trend Micro, said that Mobile Armor’s encryption line will boost Trend Micro’s data protection portfolio for the cloud computing era.

“This acquisition will expand our endpoint security market reach and will provide our customers with proven technology for encrypting data on laptops, tablet PCs, and smart phones. Mobile Armor’s solutions further our vision of protecting digital information wherever it resides and complement our recent announcement of Trend Micro SecureCloud for securing and controlling data in the cloud,” she said in a prepared statement.

Trend Micro competitor Symantec this fall detailed integration plans for PGP and GuardianEdge Technologies, two encryption companies it acquired in April for $370 million. Three years ago, McAfee acquired SafeBoot for full-disk encryption.

A newly detected drive-by attack encrypts media files and Microsoft Office documents and then demands payment to have the files decrypted.

By Ron Condon, UK Bureau Chief

One more reason for keeping your Adobe Systems software up to date. Sophos Ltd. security consultant Graham Cluley is reporting a new ransomware attack that hits computer users via a drive-by vulnerability on compromised websites.

Victims are suddenly presented with a message that their files have been encrypted and that they will need to pay $120 to regain access to them.

Early investigations indicate that the attacks are delivered using an Adobe PDF exploit, but that hasn’t been confirmed. The attacks affect a wide range of media files, such as .jpeg images and .mpeg audio files, as well as Microsoft Office files. Affected files have their names changed to include a new suffix called .ENCODED.

The attack, which Sophos has identified as Troj/Ransom-U, changes the user’s Windows desktop wallpaper to deliver the first part of the ransom message, which tells the user their files have been encrypted. It adds that they must act quickly to get their files decrypted, and must not tell anyone about the attack.

According to Cluley:

Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.

The actual ransom note, contained in a .txt file, warns that the files will be deleted if the ransom is not paid quickly. “We can help to solve this task for $120 via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring [sic] your message and nothing will be done,” it adds.

The user is asked to send the money and an email containing a fingerprint hex-string, which Sophos suggests is the encryption key used. Whether the decryption actually takes place after payment has not been tested.

by Ron Condon, UK Bureau Chief

A timely reminder came from Daniel Wesemann today, writing on the SANS Internet Storm Center blog, about the need to make sure that Java is kept patched and up to date.

Oracle Corp. (which now owns Java, since buying Sun Microsystems last year) released a patch bundle for Java in October, which included a long list of security fixes, several for vulnerabilities that could allow drive-by exploits.

“And since Java is present on pretty much every Windows PC, and people don’t seem to do their Java updates quite as diligently as their Windows patches, there are a lot of vulnerable PCs out there,” says Wesemann.

He describes in detail one popular family of exploits doing the rounds at the moment, called “bpac”, which exploits the Hashmap vulnerability (CVE-2010-0840). A user only needs to browse an infected webpage, and the exploit pulls down a series of .exe files (in one case, up to 66 of them) that could be hard to clean up after the event.

Ironically, the attack would be stopped by a Java security fix issued in July, but, as Wesemann observes: “I guess the bad guys won’t start ‘burning’ their newest Java exploits while the old set is still going strong.”

His advice is short and sweet: “If you haven’t done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for.”

Security vendor offers bounty for bugs found in its firewall and Web filtering appliances.

Security vendor Barracuda Networks is jumping on board the bug bounty bandwagon, offering between $500 and $3,133.70 to bug hunters who find serious vulnerabilities in its products. Barracuda, which sells a variety of security appliances for antispam, antivirus, Web content filtering and Web application firewall capabilities, is the first security vendor to offer such a program for its own products.

Barracuda said flaws found in the Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall and the Barracuda NG Firewall would be eligible for a reward.

Researchers reporting security bugs will collect a cash prize ranging from $500 to $3,133.70, depending on the severity of the vulnerability as judged by the Barracuda Labs Bug Bounty Panel. Bounties can be donated to charity as requested by the bug reporter.

According to Barracuda: Vulnerabilities can be reported to  BugBounty at with the following PGP key…). The company set up a Web page explaining the bug bounty program.

Bug types that are in scope include those that compromise confidentiality, availability, integrity or authentication. For example: remote exploits, privilege escalation, cross site scripting, code execution, command injection.

Google extended its current bug bounty program for Chrome browser flaws this week, adding a reward for serious Web application flaws found in its Blogger, Orkut and YouTube websites. Barracuda offers the same payout structure as Google. Mozilla offers a similar program for bugs found in Firefox.

Google said it has had success with its Chrome browser bug bounty program, which it launched in February. The company said it has seen an increase in “high-quality” reports on bugs found in its Chromium browser.

Microsoft Windows Fax Services Cover Page Editor (.cov) Memory Corruption poc
Social Engine 4.x (Music Plugin) Arbitrary File Upload Vulnerability
Over the holiday weekend, a number of sites got Owned and Exposed. At this point, there is not a lot of detail available, but the sites in question did confirm the breach. It should be noted that the site used to distribute the popular BackTrack Linux distribution, as well as the Ettercap project, got breached. It is not clear for how long these sites were breached and if any of the tools were altered.
More information:
ImpressCMS 'quicksearch_ContentContent' Parameter HTML Injection Vulnerability
Multiple Vulnerabilities in OpenClassifieds
[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0
[SECURITY] [DSA 2137-1] Security update for libxml2
Pligg XSS and SQL Injection
[ MDVSA-2010:251-2 ] firefox
Re: [IMF 2011] 2nd Call - Deadline Extended - Addenunm
Re: XSS vulnerability in ImpressCMS
[security bulletin] HPSBST02619 SSRT100281 rev.2 - HP StorageWorks Storage Mirroring, Remote Execution of Arbitrary Code
It's a testament to how far Linux has come that users today don't typically have to use the command line if they don't want to. Such is the quality of the graphical user interfaces in many modern Linux distributions that there's simply no need, in general.

Forbes (blog): The Four Minute Malware: Aurora, Stuxnet, and Beyond

And then on June 17, 2010 VirusBlokAda, a little infosec company in Belarus discovered a new piece of malware that exploited a heretofore unknown Windows ...
A major U.S. mine for rare earth metals has gone back into operation, adding a much needed source to offset China's control of the unique group of materials necessary to build tech gadgets like smart phones and laptops.
The FCC's new Net neutrality rules would prohibit wired broadband providers from blocking legal Web content and services.
PHP 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities
IBM ENOVIA 'emxFramework.FilterParameterPattern' Cross Site Scripting Vulnerability
The feasting on open source software continues but some wonder if the check might be coming due
So you've successfully jailbroken your iOS device -- now what? Try these 10 apps for starters
Office 365, Microsoft's suite of cloud-based applications for businesses, could be a productivity booster but still has some glitches that need to be addressed.
The cell phone hologram concept is one technology listed on IBM's fifth annual Five in Five List, which highlights five innovations that IBM predicts will change people's lives over the next five years.
D-Bus Nested Variants Denial of Service Vulnerability
The FCC likely faces a lawsuit and congressional action opposing its recent Net neutrality vote.
Jetty Web Server Plugin for Eclipse Multiple Cross Site Scripting Vulnerabilities
Google Chrome prior to 8.0.552.215 Multiple Security Vulnerabilities
As users of Apple's hardware and software, we do have a weird relationship with that company, don’t we?