InfoSec News

Finding out that your organization's computer defenses have been breached is a stressful experience. Many are unprepared to deal with such situations, and some have a false sense of security as the result of impractical incident response plans.
Having read about the recent PlentyofFish.com security incident, as described by its founder and a more measured perspective from Brian Krebs, I was inspired to create this short list of what not to do when responding to a security incident:

Don't drive the incident response (IR) team to work for several days without sleep. People's ability to conduct cognitive tasks is severely diminished when they are sleep-deprived. You may need to pull a one-nighter initially, but after that, stagger people's response tasks so they can get some rest.
Don't make rushed decisions when deciding upon the initial incident response steps. It is OK to take some time to assess the situation before taking action, to avoid making mistakes. Of course, you need to balance this against waiting too long before deciding on the next steps.
Don't immediately attribute the source of the breach to people, companies or countries without conducting a thorough investigation. In particular, don't assume that the entity who notified you of the breach of a vulnerable condition is the entity responsible for the incident.
Don't hire the entity who notified you of the breach to assist with incident response, unless there's no one else qualified for the job. They might not be responsible for the breach, but it's best to avoid the situation where you might later accuse them of extortion. Also, there's no reason to encourage ambulance-chasing practices.

For more recommendations on what not to do when someone reports an incident, as well as for tips on what to avoid doing when reporting an incident, see our earlier diary, Incident Reporting - Liston's How-To Guide.
In addition, here are a few Emergency Incident Response steps from Mandiant, which are a good starting point for responding to a security incident. I also put together a few incident response cheat sheets:

Initial Security Incident Questionnaire for Responders
Network DDoS Incident Response Cheat Sheet
Security Incident Survey Cheat Sheet for Server Administrators
Critical Log Review Checklist for Security Incidents

-- Lenny Zeltser
Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and recently launched a security blog.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Incident responders sometimes need to investigate the nature of a website reported as being malicious. They do this by connecting to the remote site, while taking care not to infect themselves, perhaps by using a laboratory machine that isn't connected to the production network. They also take care to conceal their origin, perhaps by connecting using a non-corporate DSL line or by using an anonymizing proxy, such as Tor. There are a few other connection elements they need to account for.
When connecting to malicious websites to investigate them, take care to set your User-Agent and Referer headers according to the attacker's expectations.
The Referer Field of the HTTP Header
For instance, Websense documented a recent Koobface variant Windows NT 5.1)

Proxy-Connection: Keep-Alive

Host: hostname-redacted.com
Benign response from the website looked like this when rendered by the browser:

In contrast, when the victim clicked on a link embedded in some page, the Referer en-US) Gecko Ubuntu/9.10 (karmic) Firefox/3.5.1

Proxy-Connection: Keep-Alive

Host: hostname-redacted.com
The website responded by displaying the following message before redirecting to a non-malicious website http://rolly.com.

Tools for Controlling HTTP Headers
When investigating malicious websites using Firefox, you can control your Referer header by using the RefControl add-on. You can control your User-Agent header using the User Agent Switcher add-on.
Another option is to use command-line page retrieval tools, such as wget and curl. We discussed ways of controlling the headers sent by these tools in an earlier diary.
For more control over your browser's interactions with the malicious website, consider proxying your lab's browser through a local proxy tool, such as Paros Proxy, Fiddler, WebScarab, etc.
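As an added example (not code from this diary), the following Python script probes a URL with an explicit User-Agent and Referer and compares the responses it gets for each Referer value; the throwaway local HTTP server that stands in for a cloaking site, and the lure referrer http://lure.example/, are constructed for the demo.

```python
# Added example, not code from the ISC diary: send a GET with explicit User-Agent
# and Referer headers and compare what a site returns for different Referers.
# A throwaway local server stands in for the cloaking website described above.
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LURE_REFERER = "http://lure.example/"  # hypothetical referring site the page checks for
BENIGN_BODY = b"<html>Welcome to our harmless site.</html>"
LURE_BODY = b"<html>Your system is infected! Run the free scanner.</html>"

class CloakingHandler(BaseHTTPRequestHandler):  # constructed stand-in for a cloaking site
    def do_GET(self):
        came_from_lure = self.headers.get("Referer", "").startswith(LURE_REFERER)
        body = LURE_BODY if came_from_lure else BENIGN_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass

def fetch(url, user_agent, referer=None):
    """GET url with the given User-Agent and optional Referer; returns (status, body)."""
    parts = urlsplit(url)
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    conn.request("GET", parts.path or "/", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def compare_referers(url, user_agent, referers):
    """Fetch url once per Referer value (None = header omitted) and hash each
    body, so a response that changes with the Referer stands out."""
    results = {}
    for ref in referers:
        status, body = fetch(url, user_agent, ref)
        results[ref] = (status, hashlib.sha256(body).hexdigest()[:16], body)
    return results

def run_demo():
    """Start the cloaking stand-in on a free local port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/promo" % server.server_port
    victim_ua = "Mozilla/5.0 (Windows NT 5.1; rv:1.9.1) Gecko Firefox/3.5.1"  # constructed
    try:
        return compare_referers(url, victim_ua, [None, LURE_REFERER])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for ref, (status, digest, body) in run_demo().items():
        print("Referer=%-22s status=%d sha256=%s %s" % (ref, status, digest, body[:40]))
```

Against a real site the same compare_referers call, with the lure URL taken from the spam or redirect that reported the site, shows whether the page cloaks its content by Referer.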
-- Lenny Zeltser
 
SayNow may be better known for helping the Jonas Brothers and the NBA leave short voicemail messages for their fans, but on Monday it found another purpose: helping Egyptians communicate with the rest of the world.
 
The Internet Assigned Numbers Authority has assigned two large blocks of IPv4 addresses to the Asia-Pacific Network Information Centre, activating a rule under which the agency will give out the last of its IPv4 addresses.
 
 
Nuance's eCopy ShareScan Suite offers a number of powerful tools to help companies track and store scanned documents.
 
Full coverage of the crisis in Egypt from Computerworld, our sister publications and the IDG News Service.
 
Oracle has settled a lawsuit alleging that Sun Microsystems, which it bought last year, was engaged in a kickback scheme involving government contracts.
 
Four days after the Egyptian government ordered Internet service providers to disconnect from the Internet, the country's last working Internet company has abruptly vanished from cyberspace.
 
IBM DB2 Administration Server (DAS) Buffer Overflow Vulnerability
 
A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.

 

Can the Government Prevent a DDoS Attack on One of Its Systems?
Data Center Journal
... offering practical and professional expertise. For further information please visit www.infosec.co.uk. Will Hogan is VP of Marketing and Sales at Idappcom.
 
IBM, Intel and Hewlett-Packard on Monday said they would invest in an effort led by the White House to create jobs and promote growth in emerging technology areas such as cloud computing, health care and mobile applications.
 
Motorola Mobility is taking on Apple's iPad with a new one-minute ad for its Xoom tablet set to air during this year's Super Bowl.
 
An anticipated refresh by Apple of its prime notebook line may be delayed by an Intel chipset design blunder, analysts said today.
 
RW::Download Index.PHP Multiple SQL Injection Vulnerabilities
 
Symantec IM Manager 'eval()' Code Injection Vulnerability
 

The Center for Internet Security's US Cyber Challenge today kicked off an online competition to identify high school students possibly interested in a cybersecurity career. The Cyber Foundations competition is part of US Cyber Challenge's overall goal of finding 10,000 Americans interested in pursuing cybersecurity as practitioners or researchers.

Rep. James Langevin (D-Rhode Island) will formally kick off the program tomorrow at a high school in his home state. Langevin heads the Congressional Cyber Caucus.

Cyber Foundations will provide tutorials and training material developed by the SANS Institute to high school students who register before Feb. 18. Registrants will then be able to take three quizzes in March and April, testing their knowledge and aptitude in networking, operating systems and system administration. Statewide winners will get cash prizes of up to $100; winners will be announced April 30.

This is one of several similar initiatives sponsored through USCC, a division of CIS. USCC conducts competitions and camps nationwide to help individuals sharpen their cybersecurity skills and provide them with opportunities for internships and employment.

“If we are to be successful in protecting our critical infrastructure systems from cyber threats—whether intentional attacks or unintentional compromises—we must address our nation’s shortage of skilled cyber security professionals,” said James A. Lewis, director and senior fellow, technology and public policy program at the Center for Strategic and International Studies.  “The U.S. Cyber Challenge provides a range of opportunities to identify and nurture talented Americans to meet this national priority.”

Pilot programs were held in Rhode Island, California and Maryland.

“I’m so proud of our students in Rhode Island who piloted the U.S. Cyber Challenge Cyber Foundations competition last fall, and I look forward to expanded participation from more schools and students,” Langevin said. “By partnering with others in the cyber community, I hope this challenge will grow into a national model for inspiring and harnessing our young cyber talent.”



 
Egypt's government had shut down phone services, and is still blocking Internet access amid massive protests. Should providers obey government shutdown orders?
 
Last week during Macworld 2011 (formerly known as Macworld Expo) I spent a portion of my time standing in front of attendees demonstrating one thing or another on an iPad. Unlike other presentations that similarly projected images from an iPad, the images from my iPad were darned near pristine. This is the story of how I did it.
 
The average savings achieved by IT offshoring has declined for the past five years, even as companies expanded their offshore initiatives, Duke University's sixth annual corporate offshoring study found.
 
A Premier 100 IT Leader also has advice on getting your company to perform a market adjustment for IT salaries.
 
The Android OS dominated globally in the fourth quarter in smartphones and gained ground on the iPad in the tablet marketplace, according to several analyst reports released today.
 

Importance of Governance and Oversight
CSO (blog)
Access to information is the key attribute that drives all organizations. It is the one variable that ...

 
Intel on Monday said it had stopped shipments of the chipset used with its latest generation of Core processors after it found a design flaw.
 
T-Mobile USA announced via Twitter that the Dell Streak 7 will be sold for $199.99 after a $50 rebate starting Wednesday.
 
Android tablets grabbed a 22% share of the world's tablet market last quarter, denting for the first time the iPad's dominance, a research firm said today.
 
You probably already know that you can shrink (or enlarge) the Dock by clicking and dragging the bars that separate the applications from folder stacks. You probably also know that you can adjust the Dock size in System Preferences, by opening the Dock pane and dragging the Size slider whichever way you want.
 
OpenVAS Manager Remote Arbitrary Command Injection Vulnerability
 
Linux Kernel 'blk_rq_map_user_iov()' Local Denial of Service Vulnerability
 
Linux Kernel 'AF_ECONET' Protocol NULL Pointer Dereference Denial of Service Vulnerability
 
[HITB-Announce] Reminder: HITB2011AMS - Call for Papers closes on the 18th of Feb
 
Oracle's StorageTek division today announced it will be shipping 5TB tape drives with five times the capacity and more than twice the performance of previous drives.
 
Vodafone made it clear to a world watching deadly protests in Egypt that no matter how sophisticated and secure a privately-run communications network may be, it is still under the government's thumb.
 
The IBM Social Business Toolkit can be used to link social network feeds into enterprise applications
 
VirtueMart eCommerce for Joomla <= 1.1.6 Blind SQL Injection
 
[SECURITY] [DSA-2154-2] exim4 regression fix
 
[SECURITY] [DSA-2154-1] exim4 security update
 
MaraDNS 'compress_add_dlabel_points()' Heap Buffer Overflow Vulnerability
 
[SECURITY] [DSA-2156-1] pcscd security update
 
With the last IPv4 addresses about to be allocated, the good news is that IT managers -- at least in the U.S. and Europe -- don't suddenly have to get the next Internet Protocol working.
 
ARM is offering two new processors -- the Cortex-R5 and Cortex-R7 -- which will help next-generation smartphones and tablets take better advantage of increasing mobile broadband speeds, the company said on Monday.
 
Eddie Schwartz, CSO of network analysis firm NetWitness, talks about targeted malware in the wake of Stuxnet and the company's new Spectrum malware analysis platform.

 
 
The mobile enterprise is emerging quickly, driven by consumer passion for smartphones and tablets and the understanding--from workers and employers alike--that mobile devices let workers get more done in less time.
 
IBM is preparing a version of its Lotus Symphony office suite for online use
 
The open-source software development site SourceForge is speeding up its move to a new a security model following a targeted attack that may have compromised the passwords of its large user base.
 
SQL Developer Data Modeler 3.0 users can link to Subversion version control system; Microsoft, IBM databases supported too
 
Hackers just keep devising new ways to target Facebook and Amazon.com users. Read up on these five threats before you're "spear phished" - or worse.
 
Vodafone and France Telecom say mobile phone service was restored in Egypt on Saturday as demonstrations against President Hosni Mubarak's government continued across the country on Monday.
 
 
Shipments of Android-based smartphones reached 32.9 million worldwide in the fourth quarter of 2010, making Android the best-selling operating system for smartphones, market research company Canalys said.
 
Novell GroupWise Internet Agent REQUEST-STATUS Buffer Overflow Vulnerability
 
Proprietary, incompatible coding systems and app store controls can make mobile app dev too hard -- so try these HTML-oriented alternatives
 
HBGary introduced an appliance that sits at the perimeter of the enterprise network to watch for possible incoming malware and outgoing traces of botnet infections.
 
WM Downloader '.m3u' File Buffer Overflow Vulnerability
 
FreeType TrueType Font Handling 'ttinterp.c' Remote Code Execution Vulnerability
 
InfoSec News: Gardai probe theft of laptops from Revenue fraud squad: http://www.independent.ie/national-news/gardai-probe-theft-of-laptops-from-revenue-fraud-squad-2515913.html
By Tom Brady, Security Editor, Independent.ie, January 29 2011
GARDAI were last night investigating how 10 laptops were stolen from the headquarters of the Revenue's fraud and tax evasion section.
Internal inquiries were also being carried out into an embarrassing security breach that resulted in three men breaking into the building and then walking to the second floor without being spotted.
The break-in took place at the Revenue Commissioners' offices at Ashtown Gate on the Navan Road in Dublin on Thursday.
Three men forced their way in through a fire emergency door at the side of the building at around 7.15pm.
[...]
 
InfoSec News: ShmooCon 2011: Your Android's dirty little secret: http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-dirty-little-secret
By Bill Brenner, Senior Editor, CSO, January 29, 2011
WASHINGTON, D.C. -- Presenters at the ShmooCon security conference have spent much attention on mobile vulnerabilities in the last couple years, [...]
 
InfoSec News: Hackers steal Co-op patrons' personal information: http://www.dailycampus.com/news/hackers-steal-co-op-patrons-personal-information-1.1949423
By John Sherman, The Daily Campus, January 30, 2011
Falling victim to digital maliciousness, HuskyDirect.com was hacked early last week, leaving credit card numbers and other customer [...]
 
InfoSec News: [HITB-Announce] Reminder: HITB2011AMS - Call for Papers closes on the 18th of Feb: Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>
Happy 2011 everyone! Just a reminder that the Call for Papers for the second annual HITBSecConf in Europe is closing on the 18TH OF FEBRUARY! We've received some awesome submissions so far and the event is really shaping up nicely. [...]
 
InfoSec News: LinkedIn IPO filing reveals poor disaster recovery set-up: http://www.datacenterdynamics.com/focus/archive/2011/01/linkedin-ipo-filing-reveals-poor-disaster-recovery-set-up
By Yevgeniy Sverdli, Datacenter Dynamics, 28th January, 2011
Although it has recently implemented a disaster recovery program, the professional social networking company LinkedIn does not currently have a way to quickly shift production workload to a back-up data center.
In documents filed with the US Securities and Exchange Commission, the company disclosed that downtime at its primary data center means downtime for LinkedIn.
“Although this program is functional, it does not yet provide a real-time back-up data center, so if our primary data center shuts down, there will be a period of time that the website will remain shut down while the transition to the back-up data center takes place,” the document read.
The document cited is LinkedIn's statement of registration for an Initial Public Offering, which aims to raise up to US$175m. The offering's underwriters are Morgan Stanley, Bank of America Merrill Lynch, JP Morgan, Allen and Company and UBS.
[...]
 
Netzip Classic '.zip' File Parsing Buffer Overflow Vulnerability
 
SDP Downloader 'Content-Type' Header Remote Buffer Overflow Vulnerability
 

Posted by InfoSec News on Jan 30

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

Happy 2011 everyone! Just a reminder that the Call for Papers for the
second annual HITBSecConf in Europe is closing on the 18TH OF FEBRUARY!
We've received some awesome submissions so far and the event is really
shaping up nicely.

The event will once again take place at the NH Grand Krasnapolsky in
Amsterdam from the 17th - 20th of May. HITB2011AMS will be a quad-track
conference...
 

Posted by InfoSec News on Jan 30

http://www.datacenterdynamics.com/focus/archive/2011/01/linkedin-ipo-filing-reveals-poor-disaster-recovery-set-up

By Yevgeniy Sverdli
Datacenter Dynamics
28th January, 2011

Although it has recently implemented a disaster recovery program, the
professional social networking company LinkedIn does not currently have
a way to quickly shift production workload to a back-up data center.

In documents filed with the US Securities and Exchange...
 

Posted by InfoSec News on Jan 30

http://www.independent.ie/national-news/gardai-probe-theft-of-laptops-from-revenue-fraud-squad-2515913.html

By Tom Brady
Security Editor
Independent.ie
January 29 2011

GARDAI were last night investigating how 10 laptops were stolen from the
headquarters of the Revenue's fraud and tax evasion section.

Internal inquiries were also being carried out into an embarrassing
security breach that resulted in three men breaking into the building
and...
 

Posted by InfoSec News on Jan 30

http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-dirty-little-secret

By Bill Brenner
Senior Editor
CSO
January 29, 2011

WASHINGTON, D.C. -- Presenters at the ShmooCon security conference have
spent much attention on mobile vulnerabilities in the last couple years,
and several attendees this year say it's a topic of major importance to
them.

Last year, a talk focused on weaknesses in the iPhone. This year, two...
 

Posted by InfoSec News on Jan 30

http://www.dailycampus.com/news/hackers-steal-co-op-patrons-personal-information-1.1949423

By John Sherman
The Daily Campus
January 30, 2011

Falling victim to digital maliciousness, HuskyDirect.com was hacked
early last week, leaving credit card numbers and other customer
information up for the hacker's grabs.

HuskyDirect.com is an official vendor of UConn sports goods that works
in cooperation with the UConn Co-op. The site has been taken...
 
Microsoft Windows MHTML Script Code Injection Vulnerability
 

