InfoSec News

We wish all our readers and their families a wonderful and amazing 2011. Thanks for your support, contributions and for being part of this infosec community.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
NuSOAP 'nusoap.php' Cross Site Scripting Vulnerability
 
MantisBT 'upgrade_unattended.php' Local File Include and Cross Site Scripting Vulnerabilities
 
CA20101231-01: Security Notice for CA ARCserve D2D
 
Mantis Multiple Cross-Site Scripting Vulnerabilities
 
Mantis 'manage_proj_cat_add.php' HTML Injection Vulnerability
 
Android device makers around the world are anticipating great things from the next version of Google's mobile software, and they need the boost. Apple has a strong head start with its popular iPad, while the App Store and iTunes give it apps and content, to boot.
 
It’s the end of another year and the time when pundits reflect on their commentary over the year and repent.
 
Clearwire Chairman Craig McCaw, who founded Clearwire's predecessor company in 2003, is set to resign on Friday.
 
VLC Media Player Real Demuxer Remote Denial of Service Vulnerability
 
HP Photo Creative 'ContentMan.dll' ActiveX Control Buffer Overflow Vulnerability
 
[SECURITY] [DSA 2139-1] New phpmyadmin packages fix several vulnerabilities
 
HP Photo Creative v 2.x audio.Record.1 ActiveX Control (ContentMan.dll 1.0.0.4272) Remote Stack Based Buffer Overflow poc
 
Susan Kindler, a self-described "newbie to Windows," asked me about a good Windows 7 tutorial.
 

Blogging platform vulnerable to cross-site scripting attacks

By Ron Condon, UK Bureau Chief

Put down that champagne bottle and go back to your computer. It may be tempting to begin celebrating the start of a new year, but according to WordPress, a newly discovered vulnerability in the widely used blogging platform really warrants instant attention.

The company has discovered a security bug affecting millions of blogs. The problem is in its HTML sanitation library, called KSES, which is supposed to filter out undesirable bits of HTML code. The vulnerability, which has been flagged as ‘critical’, could expose the WordPress blog to a cross-site scripting attack.

WordPress founder Matt Mullenweg, writing on the WordPress blog:

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. … [It] is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

WordPress 3.0.4 is available immediately.

Chester Wisniewski, a senior security advisor at Sophos Canada, said the WordPress vulnerability can be easily exploited by an attacker:

“On initial inspection it would appear to be quite trivial for folks with malicious intent to exploit these flaws, so consider applying this update before popping the cork on the bubbly on New Year’s Eve.”



 
Linux Kernel 'load_mixer_volumes()' Multiple Vulnerabilities
 
The No. 7 top sleeper tech story of 2010
 
The No. 8 top sleeper tech story of 2010
 
The No. 9 top sleeper tech story of 2010
 
Apple's quiet enterprise ascendance, looming ERP-like disasters in health care, the solution to a big security hole, and more didn't get the media attention they deserved -- until now
 
The No. 1 top sleeper tech story of 2010
 
The No. 2 top sleeper tech story of 2010
 
The No. 3 top sleeper tech story of 2010
 
The No. 4 top sleeper tech story of 2010
 
The No. 5 top sleeper tech story of 2010
 
The No. 6 top sleeper tech story of 2010
 
InfoSec News: Gawker was hacked six months ago, say sources close to Gnosis: http://www.guardian.co.uk/technology/2010/dec/29/gawker-hacking-gnosis-six-months
By Charles Arthur guardian.co.uk 29 December 2010
Hackers had access to the gossip site Gawker's content management system (CMS) and password files for around six months, rather than the few days [...]
 
InfoSec News: Data breach affects 4.9 million Honda customers: http://www.zdnetasia.com/data-breach-affects-4-9-million-honda-customers-62205394.htm
By Vivian Yeo ZDNet Asia December 30, 2010
Japanese automaker Honda has put some 2.2 million customers in the United States on a security breach alert after a database containing [...]
 
InfoSec News: New Geinimi Android Trojan Steals Data from Infected Mobile Applications: http://www.eweek.com/c/a/Security/New-Geinimi-Android-Trojan-Steals-Data-from-Infected-Mobile-Applications-717465/
By Fahmida Y. Rashid eWEEK.com 2010-12-30
A sophisticated piece of Android malware that has botnet-like capabilities was discovered attached to a number of games on a [...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-52: ========================================================================
The Secunia Weekly Advisory Summary 2010-12-23 - 2010-12-30
This week: 32 advisories [...]
 
InfoSec News: Hacking cellphones' GSM software quick, cheap, researchers claim: http://www.montrealgazette.com/technology/Hacking+cellphones+software+quick+cheap+researchers+claim/4038592/story.html
By Jason Magder Postmedia News December 29, 2010
MONTREAL - Most of the world's cellphones can be hacked and their phone calls recorded using less than $100 of equipment, a pair of researchers have found.
The pair, Sylvain Munaut and Karsten Nohl, demonstrated to the Chaos Computer Club Congress in Berlin, Germany, this week how they intercepted phone calls and SMS messages using four phones they bought for less than $15 each, and a laptop. The pair said most phone networks working on the GSM standard are vulnerable. The GSM network is used by 80 per cent of the world's phones, including Rogers Communications Inc., which has the largest market share in Canada, and Fido.
Speaking for Rogers, Sebastien Bouchard said he wasn't sure if customers were affected by this vulnerability. He said, however, that Rogers works closely with the world GSM association to protect the privacy of its customers.
Bell Canada Enterprises and Telus Corporation use different technology, the HSPA+ network. Bell spokesperson Marie-Eve Francoeur said that network isn't affected by the vulnerabilities of GSM software. She said, however, that Bell is concerned with security and reviews its procedures continuously.
The pair showed how they could send a ghost text message to a target phone, that the phone would not see, but the phone would transmit its identification number to the sender.
[...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, December 19, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, December 19, 2010
5 Incidents Added.
======================================================================== [...]
 
InfoSec News: FBI raids ISP in Anonymous DDoS investigation: http://www.computerworld.com/s/article/9202838/FBI_raids_ISP_in_Anonymous_DDoS_investigation
By Robert McMillan IDG News Service December 30, 2010
Authorities in the U.S. and Germany have raided Internet Service Providers in hopes of tracking down the hackers who launched distributed [...]
 

Posted by InfoSec News on Dec 31

http://www.guardian.co.uk/technology/2010/dec/29/gawker-hacking-gnosis-six-months

By Charles Arthur
guardian.co.uk
29 December 2010

Hackers had access to the gossip site Gawker's content management system
(CMS) and password files for around six months, rather than the few days
suggested by the company, the Guardian has learnt from sources connected
to the break-in.

That contradicts the indications given by Gawker in public statements,
such...
 

Posted by InfoSec News on Dec 31

http://www.zdnetasia.com/data-breach-affects-4-9-million-honda-customers-62205394.htm

By Vivian Yeo
ZDNet Asia
December 30, 2010

Japanese automaker Honda has put some 2.2 million customers in the
United States on a security breach alert after a database containing
information on the owners and their cars was hacked, according to
reports.

The compromised list contained names, login names, e-mail addresses and
17-character Vehicle...
 

Posted by InfoSec News on Dec 31

http://www.eweek.com/c/a/Security/New-Geinimi-Android-Trojan-Steals-Data-from-Infected-Mobile-Applications-717465/

By Fahmida Y. Rashid
eWEEK.com
2010-12-30

A sophisticated piece of Android malware that has botnet-like
capabilities was discovered attached to a number of games on a
third-party Android market.

An advanced new Android Trojan has been found in the wild and it
displays botnet-like capabilities, said Lookout Mobile Security on...
 

Posted by InfoSec News on Dec 31

========================================================================

The Secunia Weekly Advisory Summary
2010-12-23 - 2010-12-30

This week: 32 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on Dec 31

http://www.montrealgazette.com/technology/Hacking+cellphones+software+quick+cheap+researchers+claim/4038592/story.html

By Jason Magder
Postmedia News
December 29, 2010

MONTREAL - Most of the world's cellphones can be hacked and their phone
calls recorded using less than $100 of equipment, a pair of researchers
have found.

The pair, Sylvain Munaut and Karsten Nohl, demonstrated to the Chaos
Computer Club Congress in Berlin, Germany, this...
 

Posted by InfoSec News on Dec 31

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, December 19, 2010

5 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Dec 31

http://www.computerworld.com/s/article/9202838/FBI_raids_ISP_in_Anonymous_DDoS_investigation

By Robert McMillan
IDG News Service
December 30, 2010

Authorities in the U.S. and Germany have raided Internet Service
Providers in hopes of tracking down the hackers who launched distributed
denial of service (DDoS) attacks against Web sites such as Visa.com,
PayPal.com, and Mastercard.com earlier this month.

In documents posted Wednesday to the...
 
Apple iOS Networking Packet Filter Rules Local Privilege Escalation Vulnerability
 
One thing a lot of security researchers have been predicting for years is a rise in mobile malware. However, due to low-powered phones, a fragmented set of operating systems, closed environments and many other reasons, we haven't seen any significant mobile malware until this year.
And just in time for 2011, a new trojan for Android has been found by a company called Lookout. While Android trojans have been very popular, this one is pretty advanced and that is why it caught everyone's attention.
The most important characteristic of this trojan is that it has botnet capabilities. This means that the trojan connects to a C&C server to retrieve commands, which effectively lets an attacker control the infected phone.
So how does the trojan get installed in the first place? The attackers managed to infect some Android games which are hosted on various sites (as far as I know, not the Android Market; however, as I don't have an Android phone I'm not too familiar with the process of installing Android applications). The user simply goes to install such a game and gets infected. However, keep in mind that the installer will warn the user that the application wants to access sensitive parts of the phone as well as capabilities to send SMS messages, make phone calls etc. That being said, we know that most users will just click on yes (remember UAC on Vista?) and I'm afraid that the statistics for users blindly clicking on yes are even worse on mobile phones, since there are many more users and security awareness is much, much lower.
Another question that comes to mind is how these applications got infected in the first place. This is an interesting question that I don't have an answer to; however, it is quite possible that the attackers compromised the original web sites/computers of the game developers and inserted their trojan. This can even be done on a full package, since an .apk is just a ZIP archive that can be unpacked, modified and re-signed with the attacker's own key. One thing we can expect for 2011 is that more such incidents will take place.
Back to the trojan. The attackers obfuscated the code quite a bit but, of course, it can always be analyzed. What's interesting is that they hard-coded a lot of information (C&C servers, commands that can be issued by the C&C server etc.) and encrypted that information with the DES algorithm. Of course, the encryption is there just to prevent simple analysis of the code, since the C&C servers will not be visible as plain text any more; the key still has to ship inside the APK, so anyone who finds it can decrypt everything. With a bit of analysis I found the DES key and wrote a simple program that decrypted all the hard-coded data. The configuration and the DES key can be changed by a C&C server, in which case the trojan will store the new key using Android's PreferenceManager.
By doing this I uncovered the full list of C&C servers, which you can see below. The trojan talks to port 8080 on every server:
www.widifu.com
www.udaore.com
www.frijd.com
www.islpast.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com
117.135.134.185
The trojan has various capabilities (I still have to analyze some of them), but one thing is clear: it steals a lot of information and sends it to the attacker. The stolen information gets POSTed to a C&C server, and below you can see all the parameters that get populated by the trojan:
IMEI=
IMSI=
AdID=
CPID=
PTID=
SALESID=
msgType=
latitude=
longitude=
MODEL=%sBOARD=%sBRAND=%sCPU_ABI=%sDEVICE=%sDISPLAY=%sFINGERPRINT=%sHOST=%s
ID=%sMANUFACTURER=%sPRODUCT=%sTAGS=%sTIME=%sTYPE=%sUSER=%sSoftwareVersion=%s
Line1Number=%sNetworkCountryIso=%sNetworkOperator=%sNetworkOperatorName=%sNetworkType=%s
PhoneType=%sSimCountryIso=%sSimOperator=%sSimOperatorName=%sSimSerialNumber=%s
SimState=%sSubscriberId=%sVoiceMailNumber=%sCPID=%sPTID=%sSALESID=%sDID=%s
sdkver=%sautosdkver=%sshell=%s
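The indicators listed above (the C&C hosts, port 8080 and the parameter names in the exfiltration POST) are enough to write a detection. The following is an added example, not code from the diary, from Lookout or from the malware itself: a Python scanner that applies those indicators to HTTP proxy log lines. The log format, every value in the sample lines and the three-identifier threshold are assumptions made for the example; only the host names and parameter names come from the diary.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the diary above: C&C hosts and the port they listen on.
GEINIMI_C2_HOSTS = frozenset({
    "www.widifu.com", "www.udaore.com", "www.frijd.com", "www.islpast.com",
    "www.piajesj.com", "www.qoewsl.com", "www.weolir.com", "www.uisoa.com",
    "www.riusdu.com", "www.aiucr.com", "117.135.134.185",
})
GEINIMI_C2_PORT = 8080

# Subscriber/device identifiers from the diary's POST parameter list. The heuristic
# keys on these rather than on generic names like msgType, which legitimate apps use too.
EXFIL_PARAMS = frozenset({
    "IMEI", "IMSI", "SubscriberId", "SimSerialNumber", "Line1Number",
    "latitude", "longitude", "FINGERPRINT",
})
MIN_EXFIL_HITS = 3  # assumption: three or more identifiers in one POST is exfiltration

# Hypothetical proxy log format, constructed for this example:
#   METHOD URL STATUS "REQUEST-BODY"
LOG_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<body>.*)"$')


def classify(line):
    """Return the reasons a log line looks like Geinimi C&C traffic (empty list if clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparseable log line"]
    method, url, body = m.group("method"), m.group("url"), m.group("body")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)

    reasons = []
    # Indicator 1: contact with one of the published C&C hosts, on any port.
    if host in GEINIMI_C2_HOSTS:
        where = ("expected port %d" % port) if port == GEINIMI_C2_PORT else ("unexpected port %d" % port)
        reasons.append("known Geinimi C&C host %s on %s" % (host, where))

    # Indicator 2: a POST body carrying the identifier set the trojan exfiltrates.
    # This also catches a new host pushed down through a configuration update.
    if method == "POST" and body:
        params = set(parse_qs(body, keep_blank_values=True))
        hits = sorted(params & EXFIL_PARAMS)
        if len(hits) >= MIN_EXFIL_HITS:
            reasons.append("device/subscriber identifiers in POST body: %s" % ", ".join(hits))
    return reasons


def scan(lines):
    """Run classify() over log lines; return [(line, reasons)] for the flagged ones."""
    flagged = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed sample log: all values are made up; only hosts and parameter names
# come from the diary. Line 3 uses an unpublished host, line 5 is a benign decoy.
SAMPLE_LOG = [
    'POST http://www.widifu.com:8080/report 200 "IMEI=355000000000001&IMSI=310260000000001&msgType=1&latitude=45.5&longitude=-73.6"',
    'GET http://www.example.com/index.html 200 ""',
    'POST http://203.0.113.7:8080/report 200 "IMEI=355000000000002&IMSI=310260000000002&SubscriberId=310260000000002&MODEL=Nexus"',
    'POST http://www.uisoa.com/login 200 "user=alice&pass=secret"',
    'POST http://shop.example.net/checkout 200 "msgType=order&latitude=45.5&longitude=-73.6"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line.split(" ", 2)[1])
        for r in reasons:
            print("   ", r)
```

Run directly, it prints the three flagged requests. The host match alone covers the infrastructure Bojan extracted; the parameter heuristic is what catches a C&C server the sample has not been seen talking to yet, and the decoy line with only latitude and longitude stays below the threshold.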
So, to wrap up the year with probably the last diary (unless Chris comes up with something else), it looks as if 2011 will be as interesting as 2010 for us security people. We can definitely expect more mobile malware, and while in this case the user gets informed that the application will perform suspicious activities, we know that the human is (almost) always the weakest link. So, while working on the technical protections, do not forget those security awareness sessions that can really save the day.
--

Bojan

INFIGO IS
 