InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Yes, theres some irony to this diary entry. In the past, I have been suggesting repeatedly that organizations who do not have an all-out requirement to keep a Java JRE runtime installed, should get rid of it. Yet, here I was, a couple of days ago, reviewing some SIEM events at a Community College where I help out with IT Security, when something caught my eye (URLs defanged to keep you from clicking):

src= media-type=application/x-jar url=GET hxxp://outdrygodo.mine. nu/finance/etzko5.jar

src= media-type=- url=GET hxxp://outdrygodo.mine. nu/finance/qkefaw.php

src= media-type=application/octet-stream url=GET hxxp://outdrygodo.mine. nu/finance/e32ezw.php?category=/news_id=314214date=1012gen=jlam=true

Basically, a user here is getting an unsolicited Java Applet. A little while later, the same workstation gets an octet stream (think: executable). This cant be good. But why isnt anti-virus alerting on it? [Yes, this is a purely rhetorical question :)]

Turns out, the workstation in fact has been infected. The JAR contained an exploit for CVE-2012-4681. And there is a skype.dll sitting in C:\ProgramData, and, even better, it apparently happily talks to some server in the Ukraine:

src= media-type=- url=POST hxxp://195.191.56. 242/posting.php?mode=replyf=72sid5=0ef2884d693eadc605e9bf726c1b9881

Checking through the logs in detail now, we determined that the PC was talking to this server in the Ukraine whenever the user was logging into some web page. User goes to GMail? PC talks to the Ukraine. User goes to Amazon? PC talks to the Ukraine. User goes to online bank? Yup: you get the drift. In between, the spyware kept mum. But whenever the user happened to enter some password, the spyware merrily ratted him out.

Looking through the logs even further back, we were able to determine that the original infection had happened when the user visited a - perfectly benign - newspaper web site, which at the time apparently was featuring a poisoned advertisement banner somewhere within the page content. The entire attack happened compeletely stealthily, there is nothing the user could have seen or done (maybe with the exception of Java popping up in the tray, but who pays attention to that?)

In short, if your Java JRE is unpatched, you will get hacked. Silently and stealthily. The bad guys will grab all your passwords for a week or so. And then, they will move in, and change your life.

In the case at hand, it was an e-banking application, of all things, that did not yet work with Java JRE 7, and had kept the user from upgrading his Java JRE. From other users, I hear that some releases of enterprise software from large vendors like SAP, Oracle, etc, are also not fully compatible with the latest Java JRE, and thus force their users to remain exposed to attacks like the one described above.

Bottom line:

If you dont need Java JRE on your PC, get rid of it.

If you need it, patch it.

If you cant patch it because some silly application is not compatible with the patch, kick the [beep] of whoever supplies that application.

In case you are in the latter situation, feel free to share in the comments box below. Maybe there are other ISC readers similarly affected, and if you join forces, the vendor might be more inclined to listen.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Texas Instruments has partnered with AllGo Embedded Systems to announce a reference design that will allow Android 4.0 tablets to be built for under $70, the companies announced Wednesday.
Apple has offered to pay Google's Motorola Mobility unit up to one dollar per device for a license to its patents covering cellular and Wi-Fi technologies.
Texas Instruments has partnered with AllGo Embedded Systems to announce a reference design that will allow Android 4.0 tablets to be built for under $70, the companies announced.
The first wave of devices running BlackBerry 10, Research In Motion's new smartphone operating system, have entered carrier certification labs around the world, the company said Wednesday.
Siemens SiPass Integrated 'SiPass server' Component Buffer Overflow Vulnerability
The National Institute of Standards and Technology (NIST) has published draft guidelines that outline the baseline security technologies mobile devices should include to protect the information they handle. Smart phones, tablets and ...
Visual Studio is no longer simply an IDE, no longer a place you go just to write and debug C/C++ code.
Apple's executive shake-up this week is a sign that design is the 'tip of the spear' for the company, but the reorganization won't disrupt the firm's product delivery and may produce groundbreaking moves, analysts said today.
Some wireless and wired communications services downed by Hurricane Sandy have been restored over the past 24 hours, but FCC officials said Wednesday afternoon that several serious outages remain in New York, New Jersey and some other hard hit areas.
Google on Tuesday upgraded its Google Search app for the iPhone and iPad, providing a a voice search functionality that could pose a challenge to Apple's Siri.
Oracle Java SE CVE-2012-5069 Remote Java Runtime Environment Vulnerability
Big data, analytics and mobile apps are enabling smaller political campaigns and advocacy groups to be more effective when it comes to winning over voters and raising money. Is data mining by candidates a privacy concern?
radsecproxy Client Certificate Verification Security Bypass Vulnerability
NetCat CMS Multiple Cross Site Scripting Vulnerabilities
LetoDMS Multiple Cross Site Scripting and SQL Injection Vulnerabilities
Big data, analytics and mobile apps are enabling smaller political campaigns and advocacy groups to be more effective when it comes to winning over voters and raising money. Is data mining by candidates a privacy concern?
The U.N.'s International Telecommunications Union should embrace free and open broadband markets and allow individual countries to reform their telecommunications regulations instead of attempting to centrally regulate the industry, the U.S. delegation to an upcoming ITU meeting will say in proposals to be filed Wednesday.
Python keyring 'CryptedFileKeyring' component Password Encryption Weakness
Microsoft has been slapped with a patent infringement lawsuit over its use of dynamic "live" tile icons in Windows, including in the newly launched Windows 8 OS for PCs and tablets and in the Windows Phone 8 OS for smartphones.
U.S. cellphone carriers took a major step on Wednesday toward curbing the rising number of smartphone thefts with the introduction of databases that will block stolen phones from being used on domestic networks.
NASA has released a time-lapsed video of Hurricane Sandy, showing the storm move from its birth in the Caribbean to when it made landfall on the East Coast of the U.S.
SAP on Wednesday made a series of announcements meant to define itself as a major player in the enterprise social software market with a superior approach to rivals such as Salesforce.com.
A vulnerability which appears to be centred on the SWF based persistence mechanisms in the outdated YUI 2 framework has prompted Yahoo to call for affected users to contact them

The scene of the crime is a casino in California or Nevada, and the group consists of 14 members who all withdraw about $10,000 - within a time window of just 60 seconds. The FBI has now put an end to the Hollywood-style robberies

In emergencies, Secunia's Vulnerability Intelligence Manager (VIM) will warn admins of newly identified security holes in their infrastructure via SMS text message. F-Secure's software updater module offers the option to install the appropriate updates


What better time to talk about business continuity and disaster recovery. The super storm Sandy showed how important, and how difficult it can be to prepare adequately. Business continuity and disaster recovery are two separate activities, but of course, they do affect each other and have to be considered together. Business continuity deals with keeping the business going during an event, and disaster recovery relates to getting back to normal after the event passed. The better you can maintain business as normal during the event, the easier it should be to recover. But in some cases, keeping the business open is just not an option.

All too often business continuity and disaster recovery planning (BCP/DRP) is associated with large natural disasters like hurricanes and earthquakes. But I find that it is more useful to start with little things that happen regularly and scale your plan up from there. For example, some of these little things are:

- server failures

- component failures (switch, hard drive)

- road closures

- network provider outages

In its sum, the actions you take to cover yourself against these little issues can very well result in a plan to cover yourself against big problems. But these little issues are a lot easier to measure and test then the big problems.

Business continuity is covered as part of ISO 27002. The British standard institute created a distinct BCP standard, BS 25999 which is also referred to a lot. Like all the ISO 27000 series standards, the BCP/DRP is heavy on process improvement. There are however a couple of very important special items to consider:

First of all, you have to define the goal of your business continuity plan. 100% uptime is not a realistic goal. You need to distinguish business critical from non-critical functions. BCP/DRP is usually only applied for critical functions. For each function, you need to define:

- Recovery Point Objective: how much data are you willing to risk? For example, if you have daily off site backup tapes, you will risk one days worth of work. For a development shop, loosing one day of work may not be pretty, but probably acceptable. For a financial institution, loosing one day of transactions is probably catastrophic and not acceptable.

- Recovery Time Objective: How long can you afford to be out of business. In some cases, based on the disaster, there may also be no point being in business. If you have a shop in a subway station, and the subway is shut down, it doesnt help you to be open for business. It is important to be realistic and not to set overly optimistic goals.

For each critical business function, you need to map what resources are needed to fulfill the function (servers, networks, people...).

Once you define the critical business functions and the acceptable downtime, you need to consider different threats and how they affect the resources required for each function. As I mentioned in the beginning: Start with little events that happen regularly. This will make it easy to define the likelihood and also to test the mitigation techniques. I would use events like hard disk failure, network outage and power failure. Also consider compound failures (what if power goes out and as a result, one of our routers power supplies burns out cutting off internet access). These cascade/compound failures are quite common.

As part of this threat analysis, you should be able to figure out how likely it is to suffer a particular outage, and how you are going to react to each event.

Testing your failover plans is of course very important. I actually recommend regular failover even if there is no event. In my experience, if you dont do it at least once a month (better: once a week), it will not work if needed. The problem is that your networks and business processes are not static. They keep changing and your plans need to be updated in response. If you dont test it regularly, you are not going to uncover these changes. And regular tests will force everybody to keep the plan up to date in order to avoid regular failures.

Back tot he event at hand: Hurricane Sandy. This is an event in scale that will challenge any BCP. First of all, keeping the business running is not necessarily a sensible option in many cases. (see my subway store example above). Businesses are located in expensive and in many ways inconvenient locations like New York City because they derive special advantages from the concentration of businesses in the area. Just packing up and move to a different location will keep the network running, but you may lose physical proximty to customers and collaborators. For example, the stock exchange would have been able to operate all electronically. However, the decision was made to keep it closed as it wasnt safe for the traders to all come to the trading floor, and having them work from home remotely would remove the personal contact required for some of the trades. Another challenge is to define the worst possible disaster to prepare for. For flooding, a 100 year flood is usually used to drive planning. The national flood insurance program is publishing maps that indicate what a 100 year flood in your area means. However, Sandy exceeded these levels and as a result many business were not prepared and had equipment like fuel pumps for generators placed in locations that got flooded.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft's 16-month browser ballot screw-up in the European Union cost Mozilla an estimated 8.8 million downloads of its Firefox browser, the open-source vendor's head lawyer said.
For users who want a regular monitor, but still want to control Windows 8 using touch gestures, LG Electronics has introduced the Touch 10 monitor.
Using non-secured public Wi-Fi hotspots can leave you vulnerable to identity theft, data theft, snooping, impersonation and malware infection. That's why so many people rely on public virtual private network services, but VPNs are no panacea. Here are five potential gotchas.
TP-LINK TL-WR841N Router Local File Include Vulnerability
Two days after Hurricane Sandy hit northeast U.S. coastal areas, power and communications outages are continuing to be a concern, especially in lower Manhattan.
[BUGTRAQ]Security Advisory - TP-LINK TL-WR841N LFI - [UPDATE]
[slackware-security] seamonkey (SSA:2012-304-02)
[slackware-security] mozilla-thunderbird (SSA:2012-304-01)

DHS is right to eye kindergartners, but don't forget the adults
CSO (blog)
As CSO correspondent Taylor Armerding writes in our lead story this morning, DHS is setting its sites on kindergarten students as future infosec practitioners. As the story unfolds, we see a lot of skepticism. It's not that there's anything wrong with ...

and more »
Chinese handset maker ZTE showed off a new high-end phone on Wednesday. The Z5 has a 5-inch screen, a 13-megapixel camera and a quad-core processor.
Cross-platform development frameworks such as Apache Cordova, Sencha Touch and Xamarin.Mobile are all compatible with Windows Phone 8, making it easier to create apps for the new OS while at the same time developing apps for other platforms.
If you are looking for a modern password stealing trojan, you don't have to look far: the "Remote Adminstration Tool" Xtreme RAT is offered for sale to the public through a Google-hosted page

Mozilla Firefox/Thunderbird CVE-2012-3974 Local Code Execution Vulnerability
[waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
CA Technologies has updated its Clarity project and portfolio management software to accommodate more comprehensive long-term planning.
Softbank, which announced a $20 billion deal to acquire U.S. mobile operator Sprint Nextel earlier this month, said it booked a record operating profit in its fiscal first half.
The developers of the open source content management system have warned of multiple security holes that could be exploited to bypass security restrictions or execute arbitrary code. Patches will not be released until 6 November

Panasonic Wednesday announced that it will end its brief return to the European smartphone market, pulling out less than a year after launching its first handset outside of Japan since 2005.
The US State of South Carolina has acknowledged a massive cyber attack that involved the theft of 3.6 million social security numbers and nearly 400,000 credit card numbers

Adobe Flash Player CVE-2012-0725 Remote Memory Corruption Vulnerability
Chinese handset maker ZTE showed off a new high-end phone on Wednesday. The Z5 has a 5-in. screen, a 13-megapixel camera and a quad-core processor.
As the U.S. launched what's expected to be the world's fastest supercomputer at 20 petaflops, China is building a machine that is intended to be five times faster when it is deployed in 2015.
Magnetic resonance wireless charging has the potential to power everything in our lives from a distance. One company, WiTricity, has developed several ways to wirelessly charge everything from smartphones to TVs, cars and solar panels.
Advocacy groups and political campaigns have unparalleled access to vast amounts of new and detailed data on voters interests, hobbies, lifestyles and political leanings -- and they're grappling with how to best exploit these vast troves of unstructured data.
Notices will be sent out to developers of up to 100 mobile apps that are not compliant with California privacy law, starting with those who have the most popular apps available on mobile platforms, the office of the state's attorney general Kamala D. Harris said Tuesday.
Microsoft today made it official, saying that the replacement for the now-dead-and-buried "Metro" brand for apps on Windows is "Windows 8 Store."
A new series of articles introduces readers to the tools and techniques needed to reverse engineer .NET bytecode and to manipulate code from those programs at byte level


Posted by InfoSec News on Oct 31

Forwarded from: Wenyuan Xu <wyxu (at) cse.sc.edu>

The Sixth ACM Conference on Security and Privacy
in Wireless and Mobile Networks

ACM WiSec '13

April 17-19, 2013
Budapest, Hungary...

Posted by InfoSec News on Oct 31


By Patrick Thibodeau
October 30, 2012

Two monolithic buildings in lower Manhattan that serve as major network
hubs for the U.S. are operating on generator power, thanks to Hurricane

The buildings, known as carrier hotels, are a 2.9 million square foot
structure at 111 8th Ave., and a 1.8 million square foot facility at 60...

Posted by InfoSec News on Oct 31


By J. Nicholas Hoover
October 30, 2012

The Federal Bureau of Investigation is adding resources, building new
tools, increasing hiring and expanding collaboration with local groups
as part of its Next Generation Cyber Initiative, an effort to overhaul
the FBI's Cyber Division, the agency announced last week.

The FBI has long been...

Posted by InfoSec News on Oct 31


By Tracy Kitten
Bank Info Security
October 29, 2012

No new distributed denial of service attacks against banks occurred
during the week of Oct. 22. The hacktivist group claiming credit for the
earlier string of attacks against 10 U.S. banks said it took the week
off to observe an Islamic holiday. But additional attacks are expected,
perhaps as soon as Oct. 30, if...

Posted by InfoSec News on Oct 31


By Evan Hansen
Gadget Lab

Jamin Barton is a soft-spoken musician with a quick laugh and a winning
smile who tends bar under the nickname “Sudsy” at the 500 Club in San
Francisco’s Mission District. He was closing up after a slow Tuesday
last month when he saw the phone.

“We find about...

Posted by InfoSec News on Oct 31


By John Leyden
The Register
30th October 2012

Israeli police departments were pulled offline last Thursday following
the discovery of a Trojan especially targeted at law enforcement
networks in the Jewish state.

The malware was distributed using spammed messages, spoofed so that they
appeared to come from the head of the Israel Defense Forces, Benny
Gantz. The malicious...

Posted by InfoSec News on Oct 31


By Dan Goodin
Ars Technica
Oct 30 2012

Federal authorities said they uncovered an advanced bank heist that
defrauded Citigroup of more than $1 million by exploiting a security
loophole in the way it handles electronic payments.

The scam worked by simultaneously withdrawing funds from cash advance
kiosks maintained in at least 11 casinos...
Internet Storm Center Infocon Status