Your daily source of Pwnage, Policy and Politics.

Episode 656 – Skype IP Revealer, Another 0-day, Oracle Disclosure, UK2, and Religious Malware

InfoSec Daily Podcast Episode 656 for April 30, 2012. Tonight's podcast is hosted by Rick Hayes, Dave Kennedy, Boris Sverdlik, Beau Woods and Karthik Rangarajan.


Announcements
GraniteSec (formerly The New England InfoSec Tweetup)
When:  May 19, 2012
Where:  Veasey Memorial Park, Groveland, MA
http://granitesec4.eventbrite.com


AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center  - Huntington, West Virginia
http://www.appyide.org/


LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org


Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014


Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where:  Bristol, UK
When:  November 12-16, 2012
Where:  Columbia, MD
http://www.social-engineer.com/social-engineer-training


Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html


DerbyCon 2012 – The “Deuce” Reunion
When:  September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com


Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
http://www.skydogcon.com


Please consider making your Amazon purchases through our affiliate link. If you're not familiar with the affiliate link, locate the Affiliate Program link on the right-hand side, or simply use our QR Code Links.
Amazon:
Amazon UK:



Stories
If you are a user of the messaging software Skype, you know that you can see the location of your contacts in the Skype interface. What you probably do not know is that there is currently a way to display a Skype user’s remote and local IP address as well.
A script has been uploaded to Github that offers these options. According to the page, it can be used to lookup IP addresses of online Skype accounts, and return both the remote and the local IP of that account on a website.
This blog post reveals how the script works. It starts an add-contact request for the Skype user but does not complete it. The log file then displays the local and remote IP of that Skype user, even though the user has not been added to the contact list in Skype.
The script is for instance available on this site. Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user’s remote IP and port, as well as the local IP and port.
This works only if the Skype user is online at the time of the lookup, and not if the user is offline. The IP address can reveal the user’s country of origin, and maybe even the town or district. This can be done with the help of tools such as this one. Just enter a public IP address in the form, and you will receive information about the provider of the IP address.
You can also use a tool like IP on Map to display the real world location of an IP address on a map.
….
We reported a 0-day vulnerability in Hotmail which allowed hackers to reset account passwords and lock out the accounts' real owners. The Tamper Data add-on allowed hackers to intercept the outgoing HTTP request from the browser in real time and then modify the data. When they triggered a password reset on a given email account, they could alter the request and supply a reset value of their own choosing.
Microsoft spokesperson confirmed the existence of the security flaw and the fix, but offered no further details: “On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected.”
Later today another hacker reported similar vulnerabilities in Hotmail, Yahoo and AOL. Using the same Tamper Data add-on, an attacker is able to reset the password of any account remotely. This is among the most critical vulnerabilities ever exposed, and millions of users could be affected.
….
Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients and databases were published by a security researcher who erroneously thought that the company had patched the flaw.
Oracle's April 2012 Critical Patch Update (CPU) advisory, published on April 17, credited security researcher Joxean Koret for a vulnerability he reported through cyberintelligence firm iSIGHT Partners.
In an email sent to the Full Disclosure mailing list on April 18, Koret revealed that the vulnerability is located in the Oracle TNS Listener, a component that routes connections from clients to Oracle database servers depending on which database they are trying to reach.
TNS Listener has a default feature, introduced in 1999, that allows clients to register a database service or database instance remotely without authentication, Koret said.
The client sends a remote registration request to the TNS Listener and defines a new service name, its IP address, the database instances under it, and other settings. The TNS Listener then starts routing all client requests that include that service name or database instance.
However, TNS Listener also allows the remote registration of a database instance or service name that is already registered, Koret said. "The TNS listener will consider this newer registered instance name a cluster instance (Oracle RAC, Real Application Clusters) or a fail over instance (Oracle Fail over)," he said.
….
British web hosting outfit UK2.NET was on the business end of a distributed denial-of-service attack last night that took down customers' websites.
The company's chief operating officer, Martin Baker, told The Register that UK2 had never seen a DDOS attack on this scale before.
"There was a botnet attack last night on our DNS servers. It was intermittent for people so they might see some sites up or down depending on when they're making the requests for pages," he explained. "We saw around 10 million apparently unique IPs attack us."
UK2 saw the peak of the attack at around midnight although customers first started seeing problems with their websites yesterday afternoon.
"We took various actions to trace this back to the IP addresses that they were attacking from so once we identified that we were able to put in mitigating activities to reduce it down and managed to get it off our network by about 3am," Baker said.
"The scale [of the attack] just took us longer than usual to mitigate," he added.
This isn't the first time UK2 has fended off a DDoS attack as the company is seen as a prospective target due to its size, Baker said. He added that customer websites might still be having problems today, but it should all be cleared up by late tonight.
"The way that DNS works is that it's cached elsewhere across the internet so it will take the time that it takes those servers to get refreshed by the internet [to totally clear up], so it could take up to 24 hours for it to refresh all the way through," he said.
Punters had, of course, taken to Twitter to express their outrage as their websites fell off the net, although not in large numbers. Some complained that UK2's service status page wasn't kept up to date.
….
The most harmful websites in terms of risk from malware infection aren’t, as you might imagine, pornography, but rather religious sites, according to Symantec’s Internet Security Threat Report.
The average number of threats found on religious sites was 115 (mostly fake antivirus software). By contrast, pornographic sites had less than a quarter, at around 25 threats per site. Of course, the number of pornographic sites is vastly greater than religious sites.
According to Greg Day, Symantec’s security CTO for Europe, the Middle East and Africa, while trojans may seem more serious, “if you have installed fake AV you may think you are protected, when in reality you are open to all sorts of attacks.”
Reports about malware infection produced by companies that sell anti-malware software are always going to have an inherent conflict of interest. That said, Symantec’s report, the 17th, has established itself as authoritative within the industry.
Otherwise, the report confirms mostly what we already know:
  • The threat to mobile devices, almost exclusively on Android, continues to grow, although tiny compared to the PC threat. There are 403 million PC threats, and about 4,000 on mobile.
  • Targeted attacks are no longer limited to large organizations. Some 50% of such attacks target organizations with fewer than 2,500 employees, and almost 18% target companies with fewer than 250 employees.
  • Spam is down, largely due to the closure of a Russian spam network, by 20%. However, malware attacks via social networks are up.
  • The threat overall has continued to grow hugely, mainly due to the commoditization of malware. There was an 81% increase in malicious attacks compared with a year earlier. The number of unique malware variants increased to 403 million.
Mr. Day drew attention to the increased threat to small and medium enterprises from persistent attacks. “When Stuxnet was uncovered in 2010 we saw about three targeted attacks that year. We are now seeing on average 94 a day, and in December 2011 that figure was 154 a day,” he said.
He said there was a misconception that it is senior executives who were targeted. “We are seeing a lot more attacks against people in sales, or HR.” Likewise, the purpose of the attacks is changing. “They could be going for IP, customer contacts, prices and future plans. It is easier to steal than to innovate.”
….
[end]

Episode 655 – DerbyCon Sales Kick-Off, HTML5 Bots, Spam on the Run, Oh, We fixed that, Philippine Attacks, Warrants? Please No.

InfoSec Daily Podcast Episode 655 for April 27, 2012. Tonight's podcast is hosted by Rick Hayes, Dave Kennedy, Boris Sverdlik, Adrian Crenshaw, Geordy Rostad, and Karthik Rangarajan.


Special Guests: Erin Kennedy, and Nick

 

 

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

 

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

 

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA


http://www.sans.org/mentor/details.php?nid=28014

 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

 

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

 

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

 

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

 

Please consider making your Amazon purchases through our affiliate link. If you're not familiar with the affiliate link, locate the Affiliate Program link on the right-hand side, or simply use our QR Code Links.

Amazon:

Amazon UK:


 

Stories

Source:  http://www.theregister.co.uk/2012/04/27/html5/

HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief.

During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.

Many of the attack scenarios involve using JavaScript to create memory-resident "botnets in a browser", McArdle warned, which can send spam, launch denial-of-service attacks or worse. And because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, utterly simplifying the development of malware.

Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.

Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass – and HTTP-based attacks pass easily through most firewalls.

Additional dangers involve social engineering using HTML5's customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.

"The good stuff in HTML5 outweighs the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5 but nonetheless it's good to think ahead and develop defences."

….

Source:  http://www.spamfighter.com/News-17679-Spam-Volume-in-March-2012-Declines-Only-Slightly.htm

Kaspersky Lab's March 2012 spam report shows that spam's share of total e-mail fell 3.5% during March 2012 compared with February 2012.

The new study reveals that the twenty largest sources of junk e-mail remained the same in March 2012, with the same countries as in February 2012 occupying the top six positions, although South Korea and Vietnam swapped ranks, the latter coming 4th and the former 5th.

Maria Namestnikov, security researcher at Kaspersky Lab, explained that the top three positions went to India (12.3%), Indonesia (7.5%) and Brazil (6.7%). While spam rates may have declined, the threat remained as severe as before, with spammers adopting ever more refined scam techniques, she said. Kaspersky.com published this on April 19, 2012.

Namestnikov also attributed the decline in spam rates to the takedown of the latest version of the Kelihos/Hlux botnet. During March 2012, Kaspersky Lab, together with Dell SecureWorks, CrowdStrike and the Honeynet Project, dismantled the Kelihos.B botnet.

The study further reveals that the topics most commonly used in spam campaigns throughout March 2012 related to Easter, St. Patrick's Day and the recent launch of the iPad 3.

Of the several St. Patrick's Day spam campaigns, Kaspersky states that spammers, to catch recipients' attention, rely on partner programs that exploit any holiday, celebration or similar event. In this case it was leprechaun-festooned spam websites offering counterfeit designer watches.

….

Source: http://www.zdnet.com/blog/bott/report-says-hotmail-exploit-spread-like-wild-fire-is-now-fixed/4892

Microsoft plugged a serious security hole in its Hotmail password reset service last week, after one report claims it was widely exploited.

April 26, 3:00PM PDT: Microsoft confirms existence of flaw and fix. See update at end of post.

Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days.

A report published today at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix.

The bulletin rated the severity as “Critical,” based on this description:

A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.

The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:

Report-Timeline:

================

2012-04-06: Researcher Notification & Coordination

2012-04-20: Vendor Notification by VoIP Conference

2012-04-20: Vendor Response/Feedback

2012-04-21: Vendor Fix/Patch

2012-04-26: Public or Non-Public Disclosure

During at least part of that two-week gap, the vulnerability was widely exploited, one source says.

….

Source:  http://news.yahoo.com/hackers-hit-philippines-websites-amid-china-dispute-193846510.html

Philippine government websites are under heavy attack from hackers, apparently from China, amid a tense territorial dispute between the two countries in the South China Sea, officials said Thursday.

While some Philippine hackers have reportedly launched retaliatory attacks, the government appealed to them for restraint, said Roy Espiritu, spokesman of the government's information technology office.

"We've actually detected several attacks, including attempts at distributed denial of service," he said, in which a hacker infiltrates computers with which to attack a single target, such as a website, forcing it to shut down.

"They (hackers) are probing into different (Philippine) government domains so we can't say how many attacks there are. But it is a lot," Espiritu told AFP.

"The signatures (of the hackers) indicate they are from Chinese networks."

Espiritu conceded this could be a ruse and the attacks may have actually originated from other sources.

But he said all the attacks came after Philippine ships faced off with Chinese patrol vessels in April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such attacks.

The Chinese vessels initially prevented the Philippine Navy from arresting alleged Chinese poachers in the area. The stand-off is continuing.

….

Source: http://nakedsecurity.sophos.com/2012/04/27/carriers-oppose-producing-warrants-for-location-data/

The mobile carriers industry trade group, CTIA–The Wireless Association, is objecting to a proposed bill that would require the police to produce a warrant if it wants access to location data on people's mobile phones.

CTIA are calling the legislation "unduly burdensome" to say no to police who arrive without warrants.

The bill in question, California Location Privacy Bill (SB 1434), doesn't stop the carriers from handing over location data, but it does require that police get a warrant first.

The proposed law also states that carriers must publish reports showing the number of disclosures they've made in a given calendar year, including:

  • how many times each wireless provider disclosed information (and how many times it didn't)

  • how many times the carrier contested data demands

  • how many users' data were disclosed.

And this report is to be published on the internet by the following April.

On April 12, the CTIA wrote [PDF] to the bill's sponsor, State Senator Mark Leno, saying that CTIA opposes the proposed legislation due to "serious concerns":

"These reporting mandates would unduly burden wireless providers and their employees – who are working day and night to assist law enforcement to ensure the public’s safety and to save lives."

… and that the legislation would "confuse" them.

For example, an issue the carriers would find confusing is the definition of "location information." CTIA say that it is "so sweeping" that it could overlap basic subscriber information:

"Since the implications of this definition are unclear, wireless providers will have difficulty figuring out how to respond to requests for such information. It could place providers in the position of requiring warrants for all law enforcement requests."

Ars Technica's Cyrus Farivar, for one, is confused about why the CTIA is confused.

Here's what he had to say:

"Earlier this month, the ACLU said it received over 5,500 pages from 200 local law enforcement agencies about their tracking policies. The organization concluded that 'while cell phone tracking is routine, few agencies consistently obtain warrants.

Importantly, however, some agencies do obtain warrants, showing that law enforcement agencies can protect Americans' privacy while also meeting law enforcement needs.' In short, it seems like law enforcement can stay within the law, even when it takes the trouble to get a warrant—how is that confusing?"

Regarding the cost and labour involved in putting up reports that tell the public how they are releasing our information: well, if it's really all that costly to the poor, cash-strapped wireless providers, perhaps it's time for them to increase the fees they charge law enforcement agencies for the all-you-can-eat buffet of data they provide.

….

 

Late Announcement:

Help Brad get a handicap accessible van. http://www.nmeda.com/mobility-awareness-month/heroes/montana/helena/1535/nina-and-brad-smith

[end]

Episode 654 – @PentestLessons, CISPA Passed, RuggedCom, 36 CC Sites, Smuggling Halted, Big Brother, and Hotmail 0-day

InfoSec Daily Podcast Episode 654 for April 26, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, and Karthik Rangarajan.

 

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

 

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

 

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA


http://www.sans.org/mentor/details.php?nid=28014

 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

 

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

 

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

 

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

 

Please consider making your Amazon purchases through our affiliate link. If you're not familiar with the affiliate link, locate the Affiliate Program link on the right-hand side, or simply use our QR Code Links.


Amazon:

Amazon UK:


 

Pentest Lessons

  1. Don't cat binary files in cube farms. The beeps sound like alarms, and the natives have to decide whether to evacuate.

  2. Determining who is "in the loop" during a penetration test is an important step not best performed when you’re almost finished with an engagement.

  3. When you pop a system, always always always grab the critical information first.  

  4. When you pop a system, avoid high fives or yelling w00t.  This is critical for maintaining professionalism.

  5. When you pop a system, always grab critical information before telling the customer about the access.  There’s nothing worse than the machine being turned off to avoid you collecting data.  See item #3.

 

Stories

Source:  http://boingboing.net/2012/04/26/sneak-attack-surprise-amendme.html

Source:  http://www.politico.com/news/stories/0412/75670.html

In a sneak attack, the vote on CISPA (America's far-reaching, invasive Internet surveillance bill) was pushed up by a day. The bill was hastily amended, making it much worse, then passed on a rushed vote. Techdirt's Leigh Beadon does a very good job of explaining what just happened to America:

Previously, CISPA allowed the government to use information for "cybersecurity" or "national security" purposes. Those purposes have not been limited or removed. Instead, three more valid uses have been added: investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children. Cybersecurity crime is defined as any crime involving network disruption or hacking, plus any violation of the CFAA.

Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a "cybersecurity crime". Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government's power.

Lawmakers voted to reject a motion to recommit by Rep. Ed Perlmutter, who sought to add language specifying that nothing in the bill could be construed to allow employers or the government to mandate that employees and job applicants disclose confidential passwords without a court order. The defeated motion also would have added language saying that nothing in the bill could allow the government to block access to the Web through “the creation of a national Internet firewall similar to the ‘Great Internet Firewall of China.’”

….

Source: http://threatpost.com/en_us/blogs/backdoor-equipment-used-traffic-control-railways-called-huge-risk-042512

Security researchers are warning about the risk posed by an embarrassing security hole in industrial control software by the firm RuggedCom. A hidden administrative account could give remote attackers easy access to critical equipment that is used to manage a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.

 

The undocumented backdoor account was first revealed on Monday in a post to the Full-disclosure security discussion list by a user with the initials "JC." The account uses the login name "factory" and a dynamically generated password that is based on the device's machine address – or MAC, according to the post.

 

A Ruggedcom spokesperson said the company was working on a response, but could not immediately comment on the post.

 

The details of the vulnerability could not be independently confirmed and RuggedCom did not immediately respond to a request for comment from Threatpost. However, the use of hard coded account credentials is common in the industrial control space, where remote, administrative access to devices that are deployed in the field has long been a priority for vendors and customers, alike.

 

The post's author, "JC", was not immediately able to comment on the details of his post. He was identified as Justin W. Clarke, an independent security researcher based in San Francisco, according to the Digital Bond blog, a source for information on security issues in SCADA and industrial control systems.

….

Source: http://nakedsecurity.sophos.com/2012/04/26/credit-card-websites/

Cybercrime is big business these days, in fact it's an industry. So it's not a surprise to find that criminals are embracing ecommerce. But I'm sure some will be surprised to discover just how professional and legitimate criminal websites can appear.

For instance, watch the following video to see footage of a website that was selling stolen credit card details.

 

The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.

 

The websites use advanced e-commerce Automated Vending Cart (AVC) platforms to allow them to sell large numbers of credit card and bank details.

Visitors to the websites are now greeted by a message from the authorities:

According to a SOCA statement, two men were arrested early yesterday morning suspected of making large scale purchases of compromised data from websites such as those described above.

….

Source: http://www.theregister.co.uk/2012/04/26/taiwan_spies_smuggle_us_military_tech/

Two suspected Taiwanese drug smugglers have been accused of an ambitious plot to smuggle some pretty serious military technology including a US drone out of the States and into China.

Hui Sheng Shen and Huan Ling Chang, who have been in custody since February for allegedly smuggling methamphetamine into the US, will be formally charged with conspiracy to violate the Arms Export Control Act, according to an AP report.

The two were caught in an undercover FBI sting which caught them on tape claiming that their clients in the Chinese government were keen on acquiring US drones as well as stealth technology, anti-aircraft systems and even an E-2 Hawkeye early warning aircraft.

The two reportedly ignored the undercover Feds’ repeated cautioning that they would not like to profit from any kit which would harm US interests, with Shen saying, “I think that all items would hurt America.”

"The people we met, they come from Beijing. … They work for Beijing government … some kind of intelligence company for Chinese government — like C.I.A," Shen reportedly told the agents. "They are spies."

Shen also boasted that he could use scuba divers to transport parts of the kit underwater from Port Newark-Elizabeth Marine Terminal to a ship waiting offshore – a similar technique to that which he allegedly used to smuggle drugs.

….

Source: http://www.networkworld.com/news/2012/042512-will-obama-preside-over-the-258673.html

If President Barack Obama is going to win a second term, he may have to do it without the support of privacy and civil liberties organizations, including those in information and personal security.

Increasingly the president, who was expected to fulfill the dreams of civil libertarians by creating a more open, transparent and less-intrusive government, is instead being viewed as a nightmare.

Many of the complaints are focused on broken promises regarding the aftermath of 9/11: The president pledged to close the military prison at Guantanamo Bay, Cuba, and it remains open. He attacked the Patriot Act as a candidate, but it also remains. And according to his critics, while he slammed President Bush's tactics in the "war on terror," he has now embraced and expanded most of them, including the killing of U.S. citizens abroad who are deemed to be terrorists.

But for cyber-privacy advocates, the major concern is that they believe the Big-Brother and "thought police" nightmare of George Orwell's "1984" could be a reality by 2013, when the National Security Agency's new data center is due to open at the Utah National Guard's Camp Williams, south of Salt Lake City in Bluffdale.

Some in the infosec and privacy community say it is not so much about who is president as it is about the reach, power and inertia of the intelligence establishment. Whatever the reason, the coming Utah Data Center is expected to give a whole new meaning to the concept of Big Data.

NSA, which already has vast powers to sift and analyze digital communications by people with the bland job description of "traffic analyst," is expanding those powers to the point where, according to James Bamford, writing last month in Wired magazine, it will be able to intercept, store and analyze, "all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails – parking receipts, travel itineraries, bookstore purchases, and other digital 'pocket litter.'"

….

Source:  http://www.net-security.org/secworld.php?id=12818

A critical security flaw in Microsoft's Hotmail was discovered almost simultaneously by Vulnerability Lab researchers and a Saudi Arabian hacker and, until Microsoft put a temporary fix in place last Friday, was being used to hijack users' Hotmail/Live accounts.

"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based)," explained Vulnerability Lab's researchers.

"The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values '+++)-'. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."

Naveen Thakur offers a description of the exploit, of which he saw videos propagating online: "It involves using a Firefox addon called Tamper Data which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacker had to do was to select the 'I forgot my Password' and select 'Email me a reset link' and start the Tamper Data in Firefox and modify the outgoing data."

The bug was too easy to exploit, he says, and it spread like wildfire through the hacking community and forums.
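The researchers' description boils down to a server that tests only whether the token field is empty. The following is an added example, not Microsoft's code, that places that weak check beside a reset-token store which issues an unguessable, account-bound, expiring, single-use token and compares it in constant time; the 15-minute lifetime, the injectable clock and the account names are assumptions made for the illustration.

```python
import hmac
import secrets
import time


def weak_token_check(submitted_token: str) -> bool:
    """Weak check modelled on the researchers' description: the server only
    tests whether the token field is empty, so any non-empty value passes."""
    if not submitted_token:
        return False   # empty value: session is blocked/closed
    return True        # anything else is accepted, including '+++)-'


class ResetTokenStore:
    """Hardened reset-token handling (an illustration added here, not
    Microsoft's code). The server issues an unguessable token bound to one
    account, gives it an expiry, compares it in constant time and burns it
    on first successful use."""

    TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be exercised offline
        self._tokens = {}       # account -> (token, issued_at)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._tokens[account] = (token, self._clock())
        return token

    def verify_and_consume(self, account: str, submitted_token: str) -> bool:
        entry = self._tokens.get(account)
        if entry is None or not submitted_token:
            return False
        token, issued_at = entry
        if self._clock() - issued_at > self.TTL_SECONDS:
            del self._tokens[account]           # stale token is discarded
            return False
        # Compare as bytes: constant time, and safe for non-ASCII input
        ok = hmac.compare_digest(token.encode("utf-8"),
                                 submitted_token.encode("utf-8"))
        if ok:
            del self._tokens[account]           # single use: replay fails
        return ok


if __name__ == "__main__":
    store = ResetTokenStore()
    real = store.issue("alice@example.com")     # constructed account name
    print("weak check accepts '+++)-':", weak_token_check("+++)-"))
    print("hardened check accepts '+++)-':",
          store.verify_and_consume("alice@example.com", "+++)-"))
    print("hardened check accepts the issued token:",
          store.verify_and_consume("alice@example.com", real))
```

The point of the comparison is that the token's value, not merely its presence, must be checked server-side, and that a wrong guess must never consume or reveal the real token.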

….

Source:

….

[end]

Episode 653 – Sneakier Flashback, Samsung Loop, Nissan, and ESX Source Code

InfoSec Daily Podcast Episode 653 for April 25, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, and Karthik Rangarajan.

 

Announcements

Linuxfest Northwest 2012

When: April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

 

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center  - Huntington, West Virginia

http://www.appyide.org/

 

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA


http://www.sans.org/mentor/details.php?nid=28014

 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where:  Bristol, UK

When:  November 12-16, 2012

Where:  Columbia, MD

http://www.social-engineer.com/social-engineer-training

 

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

 

DerbyCon 2012 – The “Deuce” Reunion

When:  September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

 

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

 

Please consider making your Amazon purchases through our affiliate link. If you're not familiar with the affiliate link, it is located under the Affiliate Program link on the right hand side.

 

Stories

Source: http://www.computerworld.com/s/article/9226521/New_sneakier_Flashback_malware_infects_Macs

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

"The differences are very subtle," Peter James, a spokesman for Intego, said in an interview Tuesday. "There's no password request [by Flashback.S]."

Flashback.K used different infection tactics: Even though it exploited the same Java vulnerability — identified as CVE-2012-0507 — it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.

….

Source: http://threatpost.com/en_us/blogs/researcher-causes-endless-restart-loop-samsung-tvs-042412

Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices.

Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices.

One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.

Auriemma discovered the issues accidentally. He told Threatpost via email that he was trying to play a trick on his brother. He only wanted to send a remote controller request with a funny message, but he ended up nearly destroying the TV.

Exploiting Auriemma's vulnerabilities requires only that the device be connected to a Wi-Fi network.

As background, Auriemma explains that when the device receives a controller packet it displays a message informing users that a new 'remote' has been detected, and prompts the user to 'allow' or 'deny' access. Included in this remote packet is a string field holding the name of the device. Auriemma found that if he altered the name string to contain line feeds and other invalid characters, the device would enter an endless loop.

Auriemma says that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then, after another five seconds, he says, the TV automatically restarts. The process then repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting 'exit' when prompted to 'allow' or 'deny' the new remote device.
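Auriemma's report is, at bottom, a missing input-validation check on the name field of the pairing packet: the string is rendered in the allow/deny prompt without being checked. The following is an added example, not Samsung's code, of how a receiver can reject such a name before it reaches the UI. The packet framing (a 2-byte big-endian length prefix followed by a UTF-8 device name) and the 32-character limit are assumptions made for the illustration, not the protocol the article describes.

```python
import struct

MAX_NAME_LEN = 32  # assumed upper bound for a display name


def build_request(name: bytes) -> bytes:
    """Constructed framing for a pairing request: 2-byte length + name bytes."""
    return struct.pack(">H", len(name)) + name


def parse_name_field(packet: bytes):
    """Return the device name if it is well-formed and safe to display,
    otherwise None. Every check here fails closed."""
    if len(packet) < 2:
        return None
    (length,) = struct.unpack(">H", packet[:2])
    # Reject empty names, over-long names and truncated packets
    if length == 0 or length > MAX_NAME_LEN or len(packet) < 2 + length:
        return None
    raw = packet[2:2 + length]
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Reject control characters (line feeds included) and anything that
    # is not printable: a display name has no business containing them
    if not all(ch.isprintable() for ch in name):
        return None
    return name


def handle_pairing_request(packet: bytes):
    """Returns ('prompt', name) when the name may be shown in the allow/deny
    dialog, or ('drop', reason) so the UI is never touched by bad input."""
    name = parse_name_field(packet)
    if name is None:
        return ("drop", "malformed or unsafe device name")
    return ("prompt", name)


if __name__ == "__main__":
    # Constructed packets: a benign remote and one carrying a line feed
    for pkt in (build_request(b"Living room remote"),
                build_request(b"evil\nname"),
                build_request(b"\xff\xfe")):
        print(handle_pairing_request(pkt))
```

Dropping the request outright is the safer choice for a device with no logging: silently sanitizing the name would still let a malformed packet reach the rendering path, which is where the report says the device gets stuck.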

….

Source:

http://bits.blogs.nytimes.com/2012/04/24/nissan-is-latest-company-to-get-hacked/

Nissan confirmed its computer systems were hacked two weeks ago. The Japanese automaker said that hackers broke into its network and stole employees' usernames and encrypted passwords. The company said it first noticed an abnormality on its network Friday, April 13, when it discovered a piece of malware that had targeted employees' log-in credentials and was transmitting them back to an outside computer server. Nissan did not say which employees had been targeted, what division they worked in or what the intruders may have been after. The company tracked the intrusions back to an Internet protocol address, but said it did not give much indication of who was behind the attack.

“We do know the I.P. addresses but it really does not tell you a whole lot,” said David Reuter, a Nissan spokesman. “Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”

Nissan said it waited a week to disclose the attack to customers and employees while it closed open holes in its network and cleaned up its systems with the help of outside security consultants. On Friday, Andy Palmer, a Nissan executive vice president, disclosed the attack in a statement and said there was no indication any customer, employee or intellectual property data had been stolen.

….

Source: http://threatpost.com/en_us/blogs/e-mail-source-code-vmware-bubble-compromised-chinese-firm-042412

Source: http://blogs.vmware.com/security/2012/04/vmware-security-note.html

Source: http://www.crn.com/news/security/232900903/anonymous-hacker-claims-credit-for-vmware-esx-code-leak.htm

April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available.

VMware's ESX hypervisor source code leak may stem from an attack on a Chinese import-export firm last month in which an anonymous hacker claims to have made off with more than one terabyte of confidential documents.

On Tuesday, Kaspersky Lab's Threatpost blog reported the details of its recent IRC conversation with "Hardcore Charlie," the anonymous hacker who posted the purported VMware ESX source code online on April 8.

Hardcore Charlie claims to have obtained the VMware ESX source code after breaching the corporate network of the China National Electronics Import-Export Corporation (CEIEC), a Beijing-based firm. He also broke into and stole documents from the networks of China North Industries Corporation (Norinco), WanBao Mining Ltd, Ivanho and PetroVietnam, according to the Threatpost report.

VMware could not be reached for comment.

In a security bulletin issued earlier on Tuesday, VMware warned that a single file from its ESX server hypervisor source code had been posted online and said it is possible that more proprietary files could be leaked.

The leaked ESX code is from the 2003 to 2004 period, and security experts told CRN the potential impact of the breach depends on how much VMware has changed the code base since then.

VMware said it shares source code with industry partners, but other vendors, including Cisco, have had source code leaks in the past without problems, said Charlie Winckless, senior security architect at Presidio Networked Solutions, Greenbelt, Md.

Still, a zero-day vulnerability in ESX could pose significant problems for VMware and the legions of cloud service providers whose infrastructure runs on the hypervisor. Winckless said the availability of ESX source code could give hackers a better chance to find undiscovered vulnerabilities.

"How serious this exposure is depends on the level of code audit performed," Winckless said. "There almost certainly will be some bugs and issues exposed, but it's far from certain that they are exploitable."

VMware spends a lot of effort guarding against the disaster scenario of attackers compromising multiple virtual servers on a single piece of hardware, which makes it less likely that such an attack could stem from the leaked source code, according to Winckless.

….

[end]

Episode 652 – CVE-2012-0158, Ning, Ransomlock, 20K VRP and Iran

InfoSec Daily Podcast Episode 652 for April 24, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, and Themson Mester.  


Guest Co-Host Varun Sharma.

 


Stories

Source:  http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild

Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.

(The article's image of a crafted RTF file containing a vulnerable OLE file, in which the OLE file signature D0CF11E0 is visible, is not reproduced here.)

Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:

1. The crafted document is opened by a Word process.

2. Exploiting the vulnerability triggers the shellcode in the OLE file.

3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:

%userProfile%\Local Settings\Temp\(filename).exe

4. The shellcode starts a new Word process and opens, as bait, an innocent document file embedded in the crafted document. Typically the bait file is dropped at:

%userProfile%\Local Settings\Temp\(filename).doc

5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.
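A defender triaging documents for this exploit can look for the two static markers the article names: the \objocx control word and the OLE compound-file signature D0CF11E0 inside the hex-encoded \objdata group. The following scanner is an added example, not McAfee's code. The sample RTF, its hex-encoded object data and the objclass name ExampleCtl are constructed for the illustration; the only real identifiers are the RTF control words and the OLE header bytes.

```python
import re

# Header of an OLE compound file (D0 CF 11 E0 A1 B1 1A E1)
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Hex data in \objdata is commonly wrapped across lines, so accept whitespace
HEX_RUN = re.compile(r"[0-9A-Fa-f\s]+")


def extract_objdata_blobs(rtf_text: str):
    """Decode every \\objdata group into bytes, tolerating line-wrapped hex."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        hex_match = HEX_RUN.match(rtf_text, m.end())
        if not hex_match:
            continue
        hex_str = re.sub(r"\s+", "", hex_match.group(0))
        if len(hex_str) % 2:            # ignore a dangling nibble
            hex_str = hex_str[:-1]
        try:
            blobs.append(bytes.fromhex(hex_str))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf_text: str):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if re.search(r"\\objocx\b", rtf_text):
        findings.append("objocx control word present (embedded OCX control)")
    for i, blob in enumerate(extract_objdata_blobs(rtf_text)):
        # objdata normally carries an OLE1 wrapper before the compound file,
        # so look for the signature anywhere in the blob, not only at offset 0
        if OLE_MAGIC in blob:
            findings.append(
                f"objdata #{i}: OLE compound file signature D0CF11E0 found")
    return findings


def scan_file(path: str):
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return scan_rtf(fh.read())


# Constructed sample: an RTF embedding an OCX object whose hex data contains
# a minimal OLE1-style wrapper followed by an OLE compound-file header
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Calibri;}}
\pard Quarterly report attached.\par
{\object\objocx\objw1440\objh1440{\*\objclass ExampleCtl}
{\*\objdata 01050000020000000b0000004578616d706c6543746c00
000000000000000020000000d0cf11e0a1b11ae10000000000000000
}}
\par}"""

# Constructed benign document with no embedded object
BENIGN_RTF = r"""{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}\pard Hello, world.\par}"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(label, "->", scan_rtf(doc) or ["no findings"])
```

Either marker on its own is only a hint, since \objocx and embedded OLE files have legitimate uses; the pair together, in a document that arrived by mail, is what should send the file to a sandbox rather than a user's Word process.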

 

….

Source:  http://www.theinquirer.net/inquirer/news/2169403/100-million-users-affected-social-network-vulnerability

DO IT YOURSELF social networking company Ning is reportedly suffering from a slight security problem that could affect 100 million users.

Ning lets people set up their own gasbag social networking channels and is used by people like the pop group Radiohead. According to a Dutch report a problem with its security could leave them wide open to account hijackers.

A Dutch web site called Web Wereld says that two students, Angelo Geels and Alex Brouwer have exploited cookies to gain login control over Ning user accounts. They used a proof of concept that showed they could access 90,000 accounts and 100 million users, but had no intention of exploiting it for malicious purposes.

They did suggest that if others were able to use it then they could take over Ning accounts. "You can build an application that automates acquisition of an identity," said Geels in the report.

The students told Ning about the exploit last month and since then the firm has worked to fix it. This is not the first time that security students have worked with Ning, and last year students reported five vulnerabilities that included the threat of credit card theft.

….

Source:  http://news.softpedia.com/news/Experts-Find-Control-Panel-for-Ransomlock-Powered-Ransomware-265732.shtml

Researchers have come across another Trojan that fuels ransomware campaigns. The novelty in this case is that the control panel used in the scheme has been found.

Identified by Symantec as Trojan.Ransomlock.K, the malicious element communicates with a command and control server from which it receives its orders.

The interface that allows the cybercrooks to communicate with their Trojan is called Silent Locker Control Panel and, according to the experts, it is somewhat similar to other control panels used for malware such as ZeuS and SpyEye.

The Russian variant of the Silent Locker Control Panel found by the experts offers a number of options. First of all, it tracks the infected computer's location and date, information that can be used for billing.

Also based on the location, the cybercriminal can choose what picture the ransomware displays when it takes over a computer. For instance, if the victim resides in the UK, a picture of the Metropolitan Police can be used, the default image being the one shown in the screenshot.

If notifications that rely on the reputation of a law enforcement agency don't work, the fraudsters can always turn to fake Windows Security Checks or other scams that may convince the victim that his/her device is being blocked for performing illegal activities, or even because of some phony system errors.

….

Source:  http://www.computerworld.com/s/article/9226476/Google_boosts_Web_bug_bounties_to_20_000

Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.

The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.

The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.

Remote code flaws found in Google's Web apps will also be rewarded $20,000.

The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine.

A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.

Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.

….

Source:  http://www.bbc.com/news/technology-17811565

Iran has been forced to disconnect key oil facilities after suffering a malware attack on Sunday, say reports.

The computer virus is believed to have hit the internal computer systems at Iran's oil ministry and its national oil company.

Equipment on the Kharg island and at other Iranian oil plants has been disconnected from the net as a precaution.

Oil production had not been affected by the attack, said the Mehr news agency.

However, the attack is believed to have been responsible for knocking offline the websites of the Iranian oil ministry and national oil company.

The Ministry website was back in action on Monday but the oil company site has remained unreachable.

An Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack. Core data about Iran's oil industry remained safe because it was on computer systems that remain separate from the net, they added.

The terminal on Kharg Island handles about 90% of Iran's oil exports.

….

[end]