InfoSec News

Microsoft on Tuesday is expected to tout what it considers strong momentum in the adoption of its Office 365 cloud-hosted collaboration and communication suite, particularly among small companies that previously were unable to afford on-premise implementations of Exchange and SharePoint, according to people familiar with the announcement.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Optima APIFTP Multiple Denial of Service Vulnerabilities
Real Networks RealPlayer Versions Prior to 15.0.0 Multiple Remote Vulnerabilities
As shoppers eagerly take advantage of Cyber Monday deals, a new poll shows that nearly three out of 10 Americans will do most of their holiday shopping online this year.
Software vendor Carrier IQ has withdrawn its threat to sue a security researcher for saying that its software helps phone companies surreptitiously track users of many popular mobile phones.
A continuing controversy in cloud computing is its putative cost benefits; specifically, whether public cloud computing can provide cost advantages over computing carried out within a company's own data center.
The addition of touch navigation aligns Amazon's Kindle Touch with its competition, but a few debatable interface and physical design choices might reduce your enthusiasm for this product.
NetApp is teaming up with Iron Mountain to offer its StorageGRID object storage software with two Iron Mountain medical data archiving services: the Digital Record Center for Medical Images and its vendor-neutral archive offering.
Security experts today warned consumers of a rapidly mutating spam campaign using bogus messages from UPS claiming that a package could not be delivered.
Worldwide server revenue grew 5.2% in the third quarter but declined for Hewlett-Packard (HP), Gartner Inc. said in a report on server sales during the quarter.
Charles Walton, inventor of the RFID technology now common everywhere from warehouses to retail stores to public libraries, has died at the age of 89 in California.
AT&T will launch the LG Nitro HD smartphone over its LTE network on Dec. 4 in stores and online for $249.99 with a two-year contract.
In a case that hinges on interpretations of software contract language and the respective rights of customers and vendors when it comes to third-party support organizations, 3M wants a court to declare that it doesn't owe Infor millions of dollars in fees.
Twitter acquired WhisperSystems, a firm that makes mobile encryption and firewall technology for Android devices.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
WordPress Lanoba Social Plugin 'action' Parameter Cross Site Scripting Vulnerability
Linux Kernel Headroom Check 'udp6_ufo_fragment()' Remote Denial of Service Vulnerability
Linux Kernel CVE-2011-3593 VLAN Packets Handling Remote Denial of Service Vulnerability
Linux Kernel b43 Driver Local Denial of Service Vulnerability
ZDI-11-338 : RealNetworks RealPlayer IVR MLTI Chunk Length Parsing Remote Code Execution Vulnerability
ZDI-11-337 : RealNetworks RealPlayer RV30 Uninitialized Index Value Remote Code Execution Vulnerability
ZDI-11-336 : RealNetworks RealPlayer Invalid Codec Name Remote Code Execution Vulnerability
ZDI-11-335 : RealNetworks RealPlayer RV10 Sample Height Parsing Remote Code Execution Vulnerability
ZDI-11-332 : RealNetworks RealPlayer Malformed AAC File Parsing Remote Code Execution Vulnerability
ZDI-11-331 : RealNetwork RealPlayer MPG Width Integer Underflow Remote Code Execution Vulnerability
Red Hat Linux Kernel CVE-2011-3347 VLAN Packets Handling Remote Denial of Service Vulnerability
ZDI-11-334 : RealNetworks RealPlayer genr Sample Size Parsing Remote Code Execution Vulnerability
ZDI-11-333 : RealNetworks RealPlayer ATRC Code Data Parsing Remote Code Execution Vulnerability
Perhaps I'm getting old and unimaginative - but I just don't get it...

About a month and a half ago, I published a diary called What's In A Name. In that diary, I discussed an interesting hack, where additional names were added to DNS zone information as part of what appears to be an SEO (search engine optimization) scam.

Over the past month, I've seen several web app RFI (remote file inclusion) attacks that have been using target files hosted on machines with names like blogger.com.victimdomain.com or img.youtube.com.victimdomain.com. A little digging shows that these names also appear to have been added to DNS zones without the knowledge or permission of their owners. As in the first set of these I found, those names point to a completely different machine (in fact, in a different country) that has nothing at all to do with the main domain.
So, what's the point of using one of these names? What does this sort of obfuscation gain someone doing RFI attacks?

I'd love to hear some theories, because honestly... I'm stumped.
Tom Liston

ISC Handler

Senior Security Analyst, InGuardians, Inc.

twitter: tliston
P.S.: The folks at the web hosting company that I talked with were less than helpful. The contents of DNS were confidential and they could only respond to a client complaint. So I'm left trying to explain to some poor, clueless, mom and pop outfit that they need to contact their web host and complain about something called DNS. Lovely.
I keep hearing horror stories about how organizations treat people who contact them regarding security issues. Please make sure that *your* organization truly works with anyone who reports an incident. It's the frickin' holidays, after all...
UPDATE: B-I-N-G-O! Both @web007 and @jjarmoc on Twitter came up with the answer... and made me kick myself for not looking more closely at how these machine names were being used in the RFI attack. The attack is intended to satisfy a poorly written domain name matching filter for allowed remote includes in the script being attacked... in this case, timthumb.php. Thank you, thank you, thank you! And, if you're using timthumb.php, you need to make sure you're using the latest version. Also, @jjarmoc correctly points out that this isn't really an RFIattack... the malicious code is actually uploaded and executed - but the end result is the same. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple will launch a 15-in. MacBook Air in the first quarter of 2012, according to a report from a Taiwanese publication that cited unnamed sources in the component supply channel.
Free software activists have released a new peer-to-peer search engine to take on Google, Yahoo, Bing and others.
The U.S. Department of Justice and U.S. Immigrations and Customs Enforcement have seized the domain names of 150 websites accused of selling counterfeit products, including sports jerseys, handbags and shoes.
Vulnerabilities in Siemens Automation License Manager
Vulnerabilities in Siemens SIMATIC WinCC flexible 2008 SP2
Wordpress skysa-official plugin Cross-Site Scripting Vulnerabilities
[ MDVSA-2011:179 ] glibc
If Black Friday was any indication of a move to online shopping, e-tailers on Cyber Monday may be headed to a record breaking sales day.
As the Macintosh becomes a common tool in today's enterprise, IT has much to learn about effectively working with the Apple platform. Insider (free registration required)
As someone who does vulnerability assessments, you always hope your clients are doing a good job with their security infrastructure. Theoretically, the perfect assessment is we didn't find any problems, here's a list of our tests, and here's a list of things you're doing right. In practice, though, that *never* happens.'
Also in real life, there's that private (or vocal) WOOT moment that you have when you find a clear path from the internet to the crown jewels. I can start anticipating that moment when I see a VOIP gateway in the rack - these allow remote VOIP sessions (either from a handset or a laptop) to connect to the PBX, through a proxy. VOIP vendors (all of them) sell these appliances as Firewalls, and usually they have the word Firewall in the product name.

I had a recent assessment, where we found that the VOIP gateway was based on Fedora 7, with all server defaults taken. Yes, that includes installing an Apache webserver, a DNS server and a Mail server. All unnecessary, all exploitable (given the vintage). Not only that, but they enabled packet forwarding and SNMP, so that not only did the unit forward packets from the internet to inside resources, it also advertised that fact through default SNMP community strings, along with the internal subnets themselves ! Oh, and source routing was enabled - - sort of a pen-test trifecta !
In another engagement, we found a gateway from a different vendor, based on BSD (good start), but with a similar litany of issues:

SNMP enabled on the exterior interface
Default snmp community string
Routing enabled
Internal interfaces and internal routes listed via snmp
Source routing enabled
Oh, and the admin interface (with vendor default credentials) was facing the internet - not that we needed that, it was already open!
an expired, self signed certificate.
To top it all off, when you got to the admin interface, the you were looking at the word Firewall in the product name ! (yea, that made me smile too)

Not having actually seen the unit, I asked the client to check to see if it might have been hooked up backwards (with the private interface on the internet side) - alas, that was not the case, the hardened interface had these issues !
It's still *extremely* common to see voicemail servers based on SCO Unix or Windows 2000 (Windows NT4 in a recent assessment ! ). One vendor in particular still has a production, new-off-the-shelf voicemail server based on Win2k.

Mind you, all of the appliances had been in the rack for a number of years - the current crop of these devices are not nearly as open as some of the older ones. But that's actually part of the problem - people seem to consider Voice systems (PBXs and ancillary equipment) as appliances - somehow different than Windows or Linux servers. Which as you've probably guessed, is not wise - they *are* Windows or Linux servers! They need to be patched updated, monitored and included in every process that your internal, dmz and perimeter servers see.

Even today, we see organizations trust appliances from vendors that don't place security at the fore. Then once they are installed, they are promptly ignored, sometimes for years. Anymore, if it has an ethernet jack, you should be asking security questions before it gets plugged in. And those security questions should be asked again, at least once or twice a year in the form of an audit, assessment or pentest.

Anyway, all I can say is - when I'm looking for vulnerabilities, I LOVE (ok, I really really like) VOIP gateways !

... but you knew I'd be saying that !


Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Wait - What? Click Here?
It appears that our spamming friends are taking advantage of the Cyber Monday phenomena, and trying to phish us into clicking links in the hope of getting that awesome deal on a watch, camera, tablet or laptop.
While there certainly are great deals and reputable vendors, my personal spam / phish email count is 8 so far today (and it's just 9am here in sunny Ontario, Canada). Emails that appear to be from a reputable vendor, but in order to actually get that great deal, yes, you guessed it - click here ! The link that they want me to click of course does not belong to the vendor that the email appears to come from.
In roughly half the cases, it's close enough to fool lots of people. The other links are obfuscated in hex, so they don't look like anything unless you click them. Of the illegitimate sites, most of them I've looked at are distributing malware, but really they could be anything - with the count rising by the hour, who has time to check them all out?
There are some good deals out there today, but please, shop responsibly! Check that link out before you click!

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Black Friday proved to be the best yet for the Kindle e-reader and tablet devices, while the Kindle Fire tablet remains Amazon's top-selling product.
Chicago-based real-estate management company Equity Office ran all its voice and data traffic over an MPLS WAN, but when poor peak-time performance drew complaints from end users, it switched to technology that delivers more bandwidth at half the cost.
If your IPv6 strategy is to delay implementation as long as you can, you still must address IPv6 security concerns right now.
'Tis the season for websites to crash and burn. Here are some strategies used successfully by retailers to make sure they don't go down. Ever.
Certifications and inspections should be included in your contract. Insider (registration required)
Advanced Micro Devices' first branded desktop system memory modules, called AMD Memory, will be available in North America through major retailers, the company said Monday.
Internet Storm Center Infocon Status