Hackin9
NASA launched a solar telescope on Thursday that scientists hope will be able to unlock the secrets of how material gathers, moves and heats up as it travels through the Sun's lower atmosphere.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Opera recently suffered a compromise of one of the servers it uses to distribute software updates. You probably read that, as part of this compromise, an expired certificate was used to sign malicious software. This software was then distributed using Opera's update servers. Users checking for updates during the time the malicious software was live automatically downloaded and installed it via Opera's automatic update feature.

We can talk a lot about what may or may not have been done by Opera to prevent this from happening. At least, they detected the problem quickly, but then again, it took them a few weeks to notify users. But not too many of you are probably distributing major software packages. However, we all rely in some ways on automatic updates, and hope that vendors deliver "clean" (even if not bug free) software.

So what can you do to detect and clean up malicious software that was installed directly from a trusted vendor?

TrustNo1

A very long time ago, before we hashed passwords, this was one of the favorite ones used by our users, and it somewhat indicates the attitude of many of our readers. Is paranoia still paranoia if they are actually out there to get you? In real life, this usually doesn't get you far. Features like auto-updates, and trusting digital signatures, are necessary to survive with nonexistent patch windows. You should however always think "defense in depth". There may be other controls to make sure the software behaves as expected, for example, whether software "calls out" to other sites. Sadly, for a web browser, outbound connections are expected and hard to verify.

Anti-Malware

At this point in time, the malware distributed via the Opera update is widely recognized. However, if your system was infected, Anti-Malware is likely no longer functioning as designed. The attacker had a couple of weeks to download and install additional components. One trick that may still work is an offline malware scan using a bootable CD. This method however doesn't scale well and is time consuming even for individual PCs. As a compromise, you may want to scan the suspicious drive over the network by mounting it on a known clean system.

Whitelisting

Many whitelisting systems will not flag software if it comes with a valid signature. Also, in this case, you may have added an exception thinking that the update to Opera was legitimate as it came from a legitimate Opera server and was signed.

Network Based Controls

This is probably the best way to avoid modifications made by the malware to the host. But properly configuring network based controls (Firewall, Intrusion Detection or Prevention Systems) is tricky. You are likely still relying on signatures, and the signature may come too late in this case, after the malware has installed additional tools that no longer match the original signature. But a well tuned IDS is probably your best bet to detect this.
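The "TrustNo1" and "Network Based Controls" sections above make the same point from two sides: outbound connections from a browser are expected and hard to verify, yet a network control that knows what a process should be doing can still flag misbehaviour. One practical way to apply that is to hold the narrow component, the updater, to an allow-list of destinations rather than trying to police the browser itself. The Python below is an added example and is not code from the diary or from Opera; the process names, hostnames, IP addresses and the one-connection-per-line log format are constructed for illustration, and the allow-list is a hypothetical policy you would fill from your own vendor's documented update hosts.

```python
import re

# Constructed sample log, one outbound connection per line:
# "<timestamp> <process> <dest_host>:<dest_port>". Not taken from the page.
SAMPLE_LOG = """\
2013-06-19T10:01:02 browser_updater.exe updates.example-vendor.test:443
2013-06-19T10:01:05 browser_updater.exe updates.example-vendor.test:443
2013-06-19T10:02:11 browser_updater.exe 203.0.113.44:8080
2013-06-19T10:02:40 browser.exe www.example.org:443
this line is malformed and should be skipped
2013-06-19T10:03:01 browser_updater.exe cdn.example-vendor.test:80
2013-06-19T10:03:30 browser_updater.exe evil.example.net:443
"""

# Hypothetical policy: processes with a narrow, known network footprint and
# the hosts they are expected to reach. The browser itself is deliberately
# absent: its outbound traffic is open-ended, so an allow-list would only
# produce noise (the diary's point).
EXPECTED_UPDATE_HOSTS = {
    "browser_updater.exe": {
        "updates.example-vendor.test",
        "cdn.example-vendor.test",
    },
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "proc": m["proc"],
        "host": m["host"],
        "port": int(m["port"]),
    }


def find_unexpected_connections(log_text, policy=EXPECTED_UPDATE_HOSTS):
    """Return connections made by a policed process to a host outside its allow-list.

    Each alert records why it fired: a destination not on the list, and
    additionally whether it was a bare IP address (updaters normally use
    vendor hostnames, so a raw IP is worth calling out on its own).
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the detector
        allowed = policy.get(rec["proc"])
        if allowed is None:
            continue  # process not under policy (e.g. the browser itself)
        if rec["host"] in allowed:
            continue
        reasons = ["host not in allow-list for " + rec["proc"]]
        if IPV4_RE.match(rec["host"]):
            reasons.append("destination is a bare IP address")
        alerts.append({**rec, "reasons": reasons})
    return alerts


def summarize_by_process(alerts):
    """Collapse alerts into {process: sorted list of unexpected hosts}."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["proc"], set()).add(a["host"])
    return {proc: sorted(hosts) for proc, hosts in summary.items()}


if __name__ == "__main__":
    hits = find_unexpected_connections(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["proc"]} -> {h["host"]}:{h["port"]}  ({"; ".join(h["reasons"])})')
    print(summarize_by_process(hits))
```

On the constructed sample this flags the two updater connections that leave the vendor's hosts and ignores the browser's traffic entirely. The allow-list is the fragile part: it has to be built from what the vendor actually documents and kept current, and as the diary notes, it does nothing once the malware has installed a second-stage tool running under a process name the policy never heard of, which is why it supplements host-based detection rather than replacing it.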

Host based Intrusion Detection/Prevention

HIPS comes in many forms, but I am thinking here of behavioral tools that detect processes escalating privileges and accessing files they shouldn't access (or establishing network connections). This may work here, if the malware doesn't manage to disable these tools.

My summary: Start with the host. If it is patched and well protected (Anti Malware / Whitelists ...), then chances are smaller that the malware will disable these features. The chance isn't 0, but smaller. Secondly, make sure your network defenses are in order and provide meaningful alerts that supplement host-based detection.

Any other ideas I missed?

 

[1] http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
If Google Glass isn't enough to get you worried about technology, how about a device that can see through walls using Wi-Fi?
 
Google reportedly is developing a gaming console powered by its Android mobile operating system in an effort to widen the software's reach beyond smartphones and tablets and stay ahead of its competitors.
 
Larry Ellison and Marc Benioff's long-running public feud appears to be over, with the CEOs of Oracle and Salesforce.com making a joint appearance Thursday to extol the virtues of a new partnership they describe as financially sensible and strategically pragmatic.
 
Mozilla Firefox and Thunderbird CVE-2013-1693 Information Disclosure Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1692 Cross-Site Request Forgery Vulnerability
 
Further boosting its presence in the field of product marketing, Adobe is acquiring campaign management software provider Neolane for approximately US$600 million in cash.
 
Mozilla Firefox/Thunderbird CVE-2013-1697 Security Bypass Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2013-1690 Remote Code Execution Vulnerability
 
Mozilla Firefox and Thunderbird CVE-2013-1684 Use-After-Free Memory Corruption Vulnerability
 
Nearly 36 years after its launch, NASA's Voyager 1 spacecraft is nearing the edge of the solar system and interstellar space.
 
OpenStack python-keystoneclient CVE-2013-2167 Security Bypass Vulnerability
 
NASA is preparing to launch a spacecraft tonight that scientists hope will answer fundamental questions on how the sun creates such intense energy.
 
IBM's latest round of job cuts, a series of layoff actions that began over a week ago, has passed the 3,000 mark.
 

A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.

The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as "Play" for a video or a Facebook "Like." Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.

When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type "r" and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.


 
python-suds Insecure Temporary File Creation Vulnerability
 
In its continuing efforts to woo users with new products and services, Yahoo is at it again, this time with a redesign of its News Page.
 
Hortonworks has released a preview distribution of the next generation of Apache Hadoop, one that promises to broaden the scope of the kinds of analysis that can be carried out on the data processing platform.
 
Microsoft today confirmed that Internet Explorer 11 (IE11) will be ported to Windows 7, but declined to name a release date.
 
Facebook is launching a beta tester program for Android smartphone users that it hopes will result in quicker diagnosis of bugs and more feedback on new features.
 
Submissions to Microsoft's Windows Store, after stalling earlier this year, are again on the increase, perhaps because developers have been reinvigorated by talk of Windows 8.1 and this week's BUILD conference.
 
The U.S. National Security Agency collected the email and Internet use records of some U.S. residents for about a decade following the 9/11 terrorist attacks, according to documents published Thursday by the U.K. newspaper the Guardian.
 
A small, humanoid robot will fly to the International Space Station this summer to take part in the first experiment on conversation in space between a human and a robot.
 
Expectations were high for the Windows 8.1 preview that Microsoft rolled out at its BUILD conference on Wednesday. Do you think with Windows 8.1 that Microsoft has turned a corner?
 
Perl Dancer.pm CVE-2012-5572 HTTP Header Injection Vulnerability
 
Apache Santuario XML Security for C++ CVE-2013-2210 Heap Buffer Overflow Vulnerability
 
[ MDVSA-2013:184 ] perl-Dancer
 

An update has been released for the SSL vulnerability reported in Ruby. From the site: "All Ruby versions are affected". The Ruby update also contains a patch for a DoS vulnerability; check out the details here.

 
A new variant of the Citadel financial malware uses in-browser injection techniques combined with extensive content localization to steal log-in credentials and credit card information from users in different countries, according to researchers from security vendor Trusteer.
 
Cisco waited too long to address the software-defined networking trend now sweeping the industry, Chairman and CEO John Chambers said this week at the Cisco Live conference.
 
[ MDVSA-2013:183 ] java-1.7.0-openjdk
 

Why is physical security at least as important as technical security? As a colleague and friend once explained some years ago, “physical security trumps all”. If we lose the physical security of a device, we have truly lost ownership. We often talk about systems and applications being owned by bad actors, and the l33t skillz employed to gain these prizes. We cannot lose sight of the fact that a smash and grab is still an effective way to gain access to your data. Some of the top security firms operating today will often demonstrate the weakness by actually physically penetrating the office/datacenter/DCO, returning with images of the day's headlines next to your assets.

A friend of the ISC, Sean, pointed out an instance of this while I was reading an old example of physical security facilitating the compromise, or possible compromise, of data. A prison facility under construction in Iowa lost physical control of a laptop that held the blueprints of the prison, which is slated to house Iowa’s worst offenders. The other example was a story related to tapping of fiber optic cables. The tapping of fiber optic cables is not trivial, but one thing has to occur before the tapping can happen: physical access to the cable.

Summary: When the CIO comes to you and says “physical security of the enterprise is now in your house”, be prepared.

 
A flaw in the bundled OpenSSL could cause Ruby applications to trust a man-in-the-middle attacker presenting a crafted certificate containing null characters. Updates for Ruby 2.0.0, 1.9.3 and 1.8.7 are now available to fix the problem.
 
[ MDVSA-2013:182 ] mesa
 
[ MDVSA-2013:181 ] mesa
 
[ MDVSA-2013:180 ] curl
 
The Electronic Frontier Foundation has filed a lawsuit to force the U.S. Federal Bureau of Investigation to turn over records about a facial-recognition database it is building.
 
Cisco Systems released security patches for its email, Web and content security appliances in order to address vulnerabilities that could allow attackers to execute commands on the underlying OS or disrupt critical processes.
 
LinuxSecurity.com: Updated mesa packages fix multiple vulnerabilities. An out-of-bounds access flaw was found in Mesa. If an application using Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does this), an attacker could cause the application to crash or, [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in mesa: Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in curl: libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curl_easy_unescape() decodes URL encoded strings to raw binary data. URL encoded octets are [More...]
 
LinuxSecurity.com: It was discovered that puppet, a centralized configuration management system, did not correctly handle YAML payloads. A remote attacker could use a specially-crafted payload to execute arbitrary code on the puppet master. [More...]
 
LinuxSecurity.com: Multiple security issues were identified and fixed in mozilla firefox: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under [More...]
 
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
 
LinuxSecurity.com: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-free vulnerabilities, missing permission checks, incorrect memory handling and other implementation errors may lead to the execution [More...]
 

Interesting. Each Windows 8 mobile developer should concentrate on these things while developing an app, and he should be more concerned about the security issues. Is an app developer required to know where and how to market a developed app? As we know about the Windows Phone Store, do any of the app developers know any other ways? Share with me.
 
WebKit CVE-2013-2845 Multiple Memory Corruption Vulnerabilities
 
TYPO3 'meta_feedit' Extension Unspecified SQL Injection Vulnerability
 
TYPO3 'sofortueberweisung2commerce' Extension Unspecified SQL Injection Vulnerability
 
Europe's top court ruled Thursday that it is legal for countries to impose a levy on printer manufacturers such as Canon, Epson, Fujitsu, Hewlett-Packard, Kyocera and Xerox in order to compensate rights holders for unauthorised reproduction of their work.
 
Verizon Wireless has completed the initial rollout of its 4G LTE network, covering 95% of the U.S. population, and is now looking to reuse other spectrum for LTE and deploy small cells using the technology.
 
TYPO3 Maag Form Captcha Extension Open Redirection Vulnerability
 
TYPO3 Multishop Extension Unspecified SQL Injection Vulnerability
 
Fortinet FortiClient VPN Client SSL Certificate Validation Security Bypass Vulnerability
 
Opera has announced that unknown attackers gained access to their internal network on 19 June and obtained an expired code signing certificate. The attackers then signed malware and pushed it as an update to users.
 
Microsoft will improve several security features in the upcoming Windows upgrade – some innovative, some long overdue. The company went into more detail at TechEd Europe.
 
PEiD PE File Memory Corruption Vulnerability
 
An 8,900 kilometer undersea fiber cable system in Asia, backed by a consortium including Google, China Telecom, NEC and a host of local telecommunications companies, went live Thursday.
 
Japan's Sharp said Thursday it will team with a large Chinese manufacturer to build a factory in Nanjing and mass-produce LCD screens for TVs, computers and tablets.
 
Here's what you need to know about the recent point-to-site and site-to-site VPN upgrades to Windows Azure.
 
CVE-2013-2210
 
Mozilla Firefox CVE-2013-1699 Homograph Domain Spoofing Vulnerability
 
Mozilla Firefox CVE-2013-1696 Clickjacking Vulnerability
 
Mozilla Firefox CVE-2013-1698 Security Vulnerability
 
Mozilla Firefox CVE-2013-1695 Security Bypass Vulnerability
 
[security bulletin] HPSBUX02886 rev.1 - HP-UX Running HP Secure Shell, Remote Denial of Service (DoS)
 
[SECURITY] [DSA 2715-1] puppet security update
 
[security bulletin] HPSBST02890 rev.1 - HP StoreOnce D2D Backup System, Unauthorized Remote Access and Modification
 
Oracle Java SE CVE-2013-2460 Remote Security Vulnerability
 
[ MDVSA-2013:179 ] firefox
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Content Security Management Appliance
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Web Security Appliance
 
PayPal, which claims more than 128 million active accounts in 193 markets and 25 currencies around the globe, is now looking at outer space.
 
Opera Software said Wednesday hackers pilfered from its internal systems at least one code-signing certificate that was used to sign malicious software.
 
Oracle and NetSuite are to jointly offer cloud services to mid-size business customers.
 
Manufacturing giant Foxconn Technology Group also wants to ride the upcoming wave of wearable tech, and has unveiled a wristband that can monitor a user's health and sync with a smartphone.
 
A U.K.-based researcher has netted $20,000 for spotting a serious flaw in Facebook that could have allowed an attacker to take over anyone's account with minimal effort.
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Email Security Appliance
 
Security focus, we need your help
 

Posted by InfoSec News on Jun 27

http://www.zdnet.com/firm-facebook-bug-worse-than-reported-non-users-also-affected-7000017318/

By Violet Blue
Zero Day
ZDNet News
June 26, 2013

The security researchers who found Facebook's shadow profiles
vulnerability have compared their numbers to what Facebook told its users
in emails, and the numbers don't match.

They say Facebook told users the data exposure is much less than what the
researchers found, and the researchers...
 

Posted by InfoSec News on Jun 27

http://www.knoxnews.com/news/2013/jun/26/frank-munger-y-12-security-failures-overshadow/

By Frank Munger
Knoxville News Sentinel
June 26, 2013

It’s kind of hard to figure out the Y-12 nuclear weapons plant’s approach
to physical security these days, and part of that is by design.

The folks at the National Nuclear Security Administration and its
contractors don’t really want potential adversaries to know strengths and
weaknesses, etc.,...
 

Posted by InfoSec News on Jun 27

http://www.itworld.com/security/362522/buy-matthew-broderick-s-old-movie-computer-possibly-impress-ally-sheedy

By Phil Johnson
ITWorld.com
June 26, 2013

30 years ago this month, the classic hacker movie WarGames came out, and
young nerds across the land ogled the setup Matthew Broderick’s character
David Lightman had in his bedroom. No, we’re not (only) talking about Ally
Sheedy, who liked to hang out there. We speak, of course, about...
 

Posted by InfoSec News on Jun 27

http://www.washingtontimes.com/news/2013/jun/26/hackers-post-us-troops-personal-details-collateral/

By Shaun Waterman
The Washington Times
June 26, 2013

Computer hackers leaked personal information about thousands of U.S.
troops stationed in South Korea, the Pentagon confirmed Wednesday, adding
it is investigating the security breach, which came a day after
cyberattacks knocked South Korean government and news websites offline.

“The...
 

Posted by InfoSec News on Jun 27

http://www.healthcareitnews.com/news/breach-blues-british-columbia-lab

By Erin McCann
Associate Editor
Health IT News
June 26, 2013

Canadian-based LifeLabs Medical Laboratory Services has notified more than
16,000 patients in Kamloops, B.C., that their protected health information
has been compromised after a computer hard drive containing patient data
went missing.

According to a company notification, the computer hard drive contained...
 
Internet Storm Center Infocon Status