InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In initial tests, NASA's Mars rover Curiosity has discovered that Martian soil is an awful lot like Hawaiian sand.
After Steve Jobs's death, many described Apple the company as his most enduring "product." This reorganization suggests that Cook has taken that to heart while simultaneously putting his own definitive stamp on it.
The new version of the Splunk machine data search engine comes with a distributed indexing technology that could save storage costs for those customers running the software as a high-availability service.
Post-Tropical Cyclone Sandy knocked out mobile, phone and cable service in many parts of the eastern U.S. on Monday, with about one in four cell sites affected in the hardest-hit band of the country between Virginia and Massachusetts, according to an FCC estimate.
Mozilla Firefox/Thunderbird/SeaMonkey 'defaultValue()' Security Bypass Vulnerability
Nvidia plans to integrate CPU cores alongside graphics cores in Tesla high-performance chips, which is a change from current Tesla chips that have only graphics processors.
Citrix is focused on helping enterprises deal with the challenge of running desktops and applications in a new mobile-centric world where tablets and smartphones proliferate.
Internet Security Alliance President Larry Clinton sees little hope that Congress would act on legislation aimed at bolstering cybersecurity lapses.

Hackers share attack techniques and vulnerability information, shedding light on what threats matter most, according to a new study.

Two monolithic buildings in lower Manhattan that serve as major network hubs for the U.S. are operating on generator power, thanks to Hurricane Sandy.
Drupal Core Arbitrary PHP Code Execution and Information Disclosure Vulnerabilities
Security analysts this week challenged S.C. Governor Nikki Haley's defense of the state's information security practices in the wake of a data breach that exposed the Social Security Numbers of 3.6 million people.
Apple's lower-priced iPad Mini will significantly cannibalize sales of the company's full-sized iPad, with up to half of customers opting for the smaller tablet, an analyst argued today.
Both Google's and Apple's mobile platforms have security drawbacks and advantages. Is there a clear winner?
IBM, Epicor and other vendors could be eyeing a purchase of supply-chain software vendor JDA, analysts said Tuesday following a published report that the company was looking for suitors.
One day after the launch of its next generation mobile operating system, Windows Phone 8, Microsoft has released the SDK (software development kit) that will allow programmers to write applications for the new platform.
CIOs are merging online and offline retail to retain customers and reclaim the shopping experience. It's a strategy called 'omnichannel retail'--but it's a long and expensive journey.
Some cloud providers fail to detect and block malicious traffic originating from their networks, which provides cybercriminals with an opportunity to launch attacks in a botnet-like fashion, according to a report from Australian security firm Stratsec.
Microsoft CEO Steve Ballmer kicked off the company's annual Build developer conference emphasizing the momentum of the company's new Windows 8 and Windows Phone 8 operating systems.
Microsoft CEO Steve Ballmer touts the personalization features of Windows Phone 8 in a new 46-second video ad.
EMC has agreed to buy privately-held start-up Silver Tail Systems, a vendor of real-time web session intelligence and behavioral analysis.
Nearing the end of the month, it would be remiss not to mention the DSD 35 mitigating strategies. Whilst not strictly a standard, they provide solid guidance. The Defence Signals Directorate (DSD) is the Australian government body that deals with many things called "cyber"; amongst other things it is responsible for providing guidance to Australian Government agencies and has produced the Information Security Manual (ISM) for years.
In the past few years they have expanded on this and produced the DSD 35 mitigating strategies. The strategies are based on DSD's examination of intrusions into government systems, and each one addresses a weakness that, had it been fixed, would have prevented a breach. In fact DSD states that implementing just the top 4 strategies would have prevented at least 85% of the intrusions it examined.

The top four are:

Application whitelisting
Patch Applications
Patch operating system vulnerabilities
Minimise the number of users with domain or local administrative privileges.

Implementing the top 4 (Some general hints anyway)

Application whitelisting

Application whitelisting is one of the more effective methods of preventing malware from executing, and therefore of stopping the attack from being effective. The main argument you will hear against it is that application whitelisting is difficult to achieve, which in a sense is correct: it will take effort to get the environment to the point where everything functions as it should. However, in the text following the top 4 there is a good piece of advice from DSD: "Once organisations have implemented the top four mitigation strategies, firstly on computers used by employees most likely to be targeted by intrusions and then for all users, additional mitigation strategies can then be selected to address system security gaps to reach an acceptable level of residual risk." In other words, address the high risk users and issues first and then propagate the control to the remainder of the organisation.
There are a number of tools available that will implement application whitelisting and do the initial profiling of systems needed to get the whitelist right. A number of endpoint products are also capable of enforcing it, and of course AppLocker in Windows can also do the job. Whichever you use, start in audit mode and in a test environment first to sort out the issues before you enforce.
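As an added example (not from the diary and not DSD's own material), the profile-then-audit-then-enforce approach can be driven with the AppLocker PowerShell module on Windows 7 Enterprise / Server 2008 R2 and later. The directories scanned, the output path and the sample executable tested are assumptions; substitute your own reference build and paths.

```powershell
# Added example (not from the ISC diary): build an AppLocker policy from a
# clean reference build, deploy it in audit-only mode, then review what it
# would have blocked before switching to enforcement.
# Assumptions: run elevated on a machine with the AppLocker module; the
# directories, output file and test executable below are illustrative.

Import-Module AppLocker

# 1. AppLocker does nothing unless the Application Identity service runs.
#    (On newer Windows builds the start type is protected; set it via GPO.)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Profile the reference machine: collect file information for the
#    executable content in the locations where software is expected to live.
#    This walk is slow on a full OS volume; run it once per reference image.
$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 3. Turn the inventory into rules. Publisher (signature) rules are tried
#    first so patched binaries from the same vendor keep running; unsigned
#    files fall back to a hash rule. -Optimize merges overlapping rules.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. Force every rule collection into AuditOnly so nothing is blocked yet;
#    the event log then shows what the policy *would* have stopped.
[xml]$xml = $policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
New-Item -ItemType Directory -Force -Path 'C:\Temp' | Out-Null
$xml.Save('C:\Temp\applocker-audit.xml')

# 5. Apply to the local machine (use -Ldap to write to a GPO instead).
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-audit.xml'

# 6. Dry-run a file the business needs against the policy before rollout.
Test-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-audit.xml' `
    -Path 'C:\Program Files\Vendor\app.exe' -User Everyone

# 7. After the test period, list what audit mode flagged. Event 8003 means
#    "allowed, but would have been blocked under enforcement"; 8004 is an
#    actual block. Anything legitimate in this list needs a rule added.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, Message
```

Only once the 8003 events have gone quiet for the targeted user group should the EnforcementMode be changed to Enabled, and then for the remaining users in the staged manner DSD describes.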

Patch Applications

Patching applications is something that we all should be doing, but it can be difficult to achieve. One issue that I come across is that the vendor won't let us. Providers of certain applications, usually expensive ones, will not allow the environment to be changed: if you patch the operating system or supporting products they will not provide support. In one extreme case I'm aware of, the vendor of the product insisted the operating system was reverted to XP SP2 before they would provide support. Those situations are difficult to resolve and unfortunately I can't help you out there. However, going forward it may be an idea to make sure that support contracts allow the operating system and other supporting products to be patched without penalty. As a minimum, identify what really can't change and what can.
So, outside of those applications that are just too hard, implement a process that patches the applications that can be patched, and remove those that are really not needed. For the applications that are too hard to patch you will have to find other controls that reduce the risk to them, possibly strategy one, application whitelisting.
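An added example (not from the diary) of the "identify what can change and what can't" step: inventory the installed applications from the Uninstall registry keys and split them against a list of vendor-frozen products, so the patch process has a defined scope and the frozen set becomes the list that needs compensating controls. The frozen list entry is a hypothetical name; populate it from your own support-contract review.

```powershell
# Added example (not from the ISC diary): inventory installed applications
# and separate "patchable" from "frozen by support contract".
# Assumption: $frozen is illustrative; the product name is hypothetical.

$frozen = @(
    'Acme Plant Controller'   # hypothetical: vendor voids support if the host changes
)

# Both native and WOW6432Node keys are needed on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = $_.InstallDate
            Frozen      = ($frozen -contains $_.DisplayName)
        }
    } | Sort-Object Name -Unique

# Everything not frozen is in scope for the application patch process.
"== In scope for patching =="
$apps | Where-Object { -not $_.Frozen } | Format-Table Name, Version, Publisher -AutoSize

# The frozen set needs compensating controls (e.g. whitelisting, isolation)
# and a line item in the next support-contract renegotiation.
"== Frozen by vendor support terms =="
$apps | Where-Object { $_.Frozen } | Format-Table Name, Version, Publisher -AutoSize

# Keep the inventory so the two lists can be tracked over time.
$apps | Export-Csv -Path "$env:COMPUTERNAME-apps.csv" -NoTypeInformation
```

Run it across the fleet (for example via a scheduled task or remoting) and diff the CSVs between runs; a product whose version never moves while its vendor keeps shipping releases is one that has silently fallen out of the patch process.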

Patch operating system vulnerabilities

Many organisations have this sorted reasonably well. Most operating systems provide a relatively robust process for updating their components. One of the clients I work with does the following, which works for them. When an advance notification is published, the bulletin is analysed and a determination is made whether the patch needs to be applied and how quickly. Once the patches are released they are implemented in the DEV environment straight away and the systems are tested; assuming nothing breaks, the patches are implemented in UAT and the other non-production environments and the systems are tested again (a standard, mostly automated testing process). Production implementations are scheduled for a Sunday/Monday window, so assuming there are no issues stopping the implementation, everything is patched by Monday morning. It takes effort, but with some automation the impact can be reduced. There are also a number of products on the market that will assist in the patching process and simplify life.
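An added example (not from the diary or the client described) of the automated gate between those environments: a check that runs on each host after the patch window, asks the Windows Update Agent what is still outstanding, and fails if anything Microsoft rates Critical or Important is missing, so promotion from DEV to UAT to production can be blocked automatically. It assumes the host can reach WSUS or Microsoft Update; the severity threshold is an assumption.

```powershell
# Added example (not from the ISC diary): post-patch compliance gate.
# Save as Check-PatchGate.ps1 and run it from the deployment pipeline after
# each environment's patch window. Exit code 1 blocks promotion.
# Assumption: WSUS/Microsoft Update is reachable; thresholds are illustrative.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Software updates that are applicable, not installed, and not hidden by an admin.
$result  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$missing = @($result.Updates | ForEach-Object {
    [pscustomobject]@{
        KB       = (@($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
        Severity = if ($_.MsrcSeverity) { $_.MsrcSeverity } else { 'Unrated' }
        Title    = $_.Title
    }
})

"== Outstanding updates on $env:COMPUTERNAME =="
$missing | Sort-Object Severity | Format-Table KB, Severity, Title -AutoSize

# Cross-check against what the box reports as installed; useful when a patch
# was applied out of band and the WSUS approval is lagging.
"== Most recent installed hotfixes =="
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn |
    Format-Table -AutoSize

$blocking = @($missing | Where-Object { 'Critical', 'Important' -contains $_.Severity })
if ($blocking.Count -gt 0) {
    Write-Warning ("{0} Critical/Important update(s) outstanding on {1}" -f $blocking.Count, $env:COMPUTERNAME)
    exit 1
}
Write-Output "Patch gate passed on $env:COMPUTERNAME"
exit 0
```

The same script doubles as the Monday-morning report for production: a non-zero exit from any host is the list of machines that did not make the window.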

Minimise the number of users with domain or local administrative privileges.

Removing admin rights will also take a little bit of effort. Identify those that have administrative rights, domain or local, then identify what functions or roles they actually perform that require those full rights. Take local admin rights as an example. There are some applications that really do require the user to have local administrative rights. However there are also plenty that have them for the sake of convenience: rather than figuring out what access is really needed, admin rights are given. Some applications you come across need admin rights the first time they are run, and after that no more. Your objective should be to remove all local admin rights from users and to reduce domain administrative rights to as few accounts as possible in the environment.
You will need to test before implementing in production.
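An added example (not from the diary) of the "identify who has administrative rights" step: enumerate the local Administrators group on each machine through the WinNT ADSI provider (no RSAT needed on 2012-era hosts) and resolve the privileged domain groups through LDAP, including nested membership, so a user hidden two groups deep still shows up. The computer list and group names are assumptions; feed them from your own inventory.

```powershell
# Added example (not from the ISC diary): baseline who actually holds
# administrative rights before you start removing them.
# Assumptions: run from a domain-joined machine as a user that can read the
# remote machines' local groups; $computers and $domainGroups are illustrative.

$computers    = @($env:COMPUTERNAME)      # hypothetical: populate from AD or the CMDB
$domainGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # Each member is a COM object; pull its ADsPath via late binding.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $name = $path -replace '^WinNT://', ''
        [pscustomobject]@{
            Computer = $Computer
            Member   = ($name -replace '/', '\')   # DOMAIN\account or MACHINE\account
        }
    }
}

function Get-DomainGroupMembers {
    param([string]$GroupName)
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter     = "(&(objectCategory=group)(cn=$GroupName))"
    $grp = $searcher.FindOne()
    if (-not $grp) { return }
    $dn = $grp.Properties['distinguishedname'][0]
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested groups.
    $searcher.Filter   = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Group   = $GroupName
            Account = $r.Properties['samaccountname'][0]
            # userAccountControl bit 0x2 = ACCOUNTDISABLE
            Enabled = -not ([int]$r.Properties['useraccountcontrol'][0] -band 2)
        }
    }
}

$localAdmins  = $computers    | ForEach-Object { Get-LocalAdminMembers  -Computer  $_ }
$domainAdmins = $domainGroups | ForEach-Object { Get-DomainGroupMembers -GroupName $_ }

"== Local Administrators =="
$localAdmins  | Format-Table -AutoSize
"== Privileged domain groups (nested membership expanded) =="
$domainAdmins | Format-Table -AutoSize

# Keep the baseline so the reduction can be measured on each pass.
$localAdmins  | Export-Csv -Path local-admins.csv  -NoTypeInformation
$domainAdmins | Export-Csv -Path domain-admins.csv -NoTypeInformation
```

Every ordinary user account in the first list is a candidate for removal; every account in the second list that is not a dedicated, separately-credentialed admin account is the place to start on the domain side.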

If it all seems overwhelming, break it down into smaller jobs. Do the devices that are critical to the organisation first and then expand the effort. Once done you will have reduced the risk to the organisation and you can start looking at implementing the remaining 31 strategies. As I said at the start, this is not necessarily a standard, but how often can you say that you know of a way to reduce the risk of targeted attacks by 85% or more?

I'm interested in finding out how you may have implemented one or more of the top 4 controls, please share by commenting, or let us know via the contact form and I'll add contributions later in the week.

Mark H - Shearwater

Microsoft CEO Steve Ballmer today said that the company had sold 4 million upgrades to Windows 8 since Friday, when the discounted deals kicked off.
ARM on Tuesday introduced its first 64-bit Cortex-A50 series processor designs as the company tries to preserve its dominance in smartphones and tablets while catching up with Intel in servers.
Some early users of Microsoft's Surface RT tablet say they are confused or frustrated by the touch interface on the 10.6-in. display and are relying instead on the attachable keyboard with its more conventional track pad and arrow keys to input commands.
Sybase CEO John Chen is leaving SAP, roughly two-and-a-half years after SAP acquired the company for its database and mobility technologies, SAP announced Tuesday.
Thanks to specialist search engines and new tools, even inexperienced hackers can carry out attacks on industrial control systems. Attacks have been on the increase since the start of the year, according to ICS-CERT.

Richard Porter --- ISC Handler on Duty
Telefónica's newly created Telefónica Dynamic Insights unit aims to improve the way the company analyses and markets customer data. Its first product, to be called "Smart Steps", is based on location data for users.

Taiwanese PC maker Asus saw major growth in its tablet shipments in the third quarter with the launch of Google's Nexus 7 and projects the shipments will reach at least 10 million units next year.
RETIRED: Microsoft Windows Help Viewer Memory Corruption Denial of Service Vulnerability
Invision Power Board 'core.php' Unspecified Security Vulnerability
[security bulletin] HPSBUX02825 SSRT100974 rev.1 - HP-UX Running Java, Remote Indirect Vulnerabilities
[SECURITY] [DSA 2569-1] icedove security update
John Thompson, former Symantec CEO, explains why the company he now heads offers a better way to manage the performance of cloud infrastructure.
Amazon Web Services has upgraded its Storage Gateway so it can cache data locally, and has also made it generally available.
Dokuwiki 'index.php' Path Disclosure Vulnerability
In one of the photos, the dark-haired, bearded hacker is peering into his computer's screen, perhaps puzzled at what's happening. Minutes later, he cuts his computer's connection, realizing he has been discovered.
As the clock winds down to what could turn out to be an extremely close presidential race, some election watchdogs are keeping a wary eye on paperless electronic voting machines that are scheduled to be used in several key states and jurisdictions around the country.
The EFF has criticised Canonical for its recent inclusion of the shopping lens feature in Ubuntu 12.10 and the way the company is handling data collected by the software.

Last night's storm cut power to millions of households across much of the northeast of the US and parts of Canada. The outages affect major population centers, including New York City.
At this point, the damage to infrastructure appears to be substantial and recovery may take days to weeks.
We have not heard of any outages of east coast services like Amazon's cloud or Google web services hosted in the area. We will try to keep you updated as we hear about any larger outages, but right now only some individual web sites are affected. This may change if the power outages persist.
If you reside in the affected area, you are probably best off staying at home. Many roads are blocked by debris and in some cases by downed power lines.
Here are some of the typical issues we see after an event like this:
- outages of communications networks as batteries and generator fuel supplies run out.

- malware using the disaster as a ruse to get people to install the malicious software ("watch this video of the flooding").

- various scams trying to take advantage of disaster victims.
A couple of ways the internet can help in a disaster like this:
- many power companies offer web pages to report and monitor outages.

- FEMA offers updates on its ready.gov and disasterassistance.gov web sites.

- local governments offer mobile applications to keep residents informed.
Twitter can provide very fast and localized updates, but beware that Twitter is also used to spread misinformation.
A lot has been made of tweets that suggest organized looting. The posts I have seen appear to be meant as a joke if read with other tweets by the same person. In some cases the person doesn't live in the area, or the account is very new. Remember it is hard to detect irony in 140 characters.
We hope everybody in the affected area will stay safe. The storm is still ongoing and internet outages are probably the least significant issue right now.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

DokuWiki 'ns' Parameter Cross Site Scripting Vulnerability
Intel researchers are working on a 48-core processor for smartphones and tablets but it could be five to 10 years before it hits the market.
For companies drowning in data, extracting value from all this information is a major IT priority. But success depends on how well customers tackle significant organizational challenges.
Microsoft said it will webcast the two keynotes of its BUILD developers conference, starting with today's at noon ET,
Exim DKIM DNS Decoding CVE-2012-5671 Remote Buffer Overflow Vulnerability
MapServer Map File Double Free Remote Denial of Service Vulnerability
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-4196 Cross-Origin Security Bypass Vulnerability