@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
November 28, 2012=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 45
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 11/1/2012 - 11/8/2012
============================================================TOP VULNERABILITY THIS WEEK: Multiple trivially remotely exploitable vulnerabilities were disclosed this week in Sophos antivirus products, after researcher Tavis Ormandy had worked with the company to ensure patches were in place prior to the release. As Ormandy included proof-of-concept exploits in his disclosure notes, malicious activity around them is expected to begin immediately. Users of Sophos products should update their software immediately.
============================================================TRAINING UPDATE
- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012
5 courses. Special Event evening bonus sessions: I've Been Geo-Stalked!
Now What? And Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/sydney-2012
- --SANS San Diego 2012 San Diego, CA November 12-17, 2012
7 courses. Bonus evening presentations include Cloud Computing and the
20 Critical Security Controls; and Practical, Efficient Unix Auditing
(with Scripts).
http://www.sans.org/event/san-diego-2012
- --SANS London 2012 London November 26-December 3, 2012
16 courses.
http://www.sans.org/london-2012/
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012
27 courses. Bonus evening presentations include Gamification: Hacking
Your Brain for Better Learning; Building a Portable Private Cloud; and
Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems
engineers, IT security professionals and critical infrastructure
protection specialists from asset owning and operating organizations
along with control systems and security vendors who have innovative
solutions for improving security. The Security Summit is an action
conference designed so that every attendee leaves with new tools and
techniques they can put to work immediately when they return to their
office. The Summit is the place to come and interact with top SCADA
experts, key government personnel, researchers and asset owners at the
multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
********************* Sponsored Links: *********************1) Take the SANS Survey on the Security Practices of SCADA System
Operators and register to win an iPad! http://www.sans.org/info/116537
2) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices"
http://www.sans.org/info/116542
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Researcher Tavis Ormandy releases multiple exploits for Sophos products
Description: In a scathing writeup that is a follow-on to a more
theoretical release last year, well-known security researcher Tavis
Ormandy released a series of practical attack techniques against common
Sophos antivirus deployments, including integer overflows, cross-site
scripting, heap overflows, denials of service, etc. As Ormandy disclosed
the vulnerabilities to Sophos in October, patches are available for all
but one of the attacks (a denial of service); customers are urged to
update as soon as possible, since with the detailed explanations of how
to exploit provided in Ormandy's paper, exploits are likely to emerge
in the wild essentially immediately.
Reference:
https://lock.cmpxchg8b.com/sophailv2.pdf
http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
Snort SID: 24625, 24626
ClamAV: PDF.Exploit.Agent-3
Title: Anonymous celebrates Guy Fawkes Day with a slew of compromises
Description: Members of the Anonymous collective chose to celebrate Guy
Fawkes day (the historical figure from whom they draw the mask
associated with their logo) this year by defacing a slew of websites
worldwide, as well as dumping large chunks of data on PasteBin that were
part of alleged compromises of major targets such as ImageShack and
Symantec. While these claims are still being validated, the coordinated
activity shows the continuing power of this group to wreak havoc on the
Internet essentially at will, despite defenders' best efforts to stop
them.
Reference:
http://pastebin.com/raw.php?i=jhLt7s83
http://www.technewsworld.com/story/Many-Hacks-Claimed-Few-Confirmed-on-Anons-Day-of-Mayhem-76555.html
Snort SID: N/A
ClamAV: N/A
Title: New Jersey allows last-minute email voting, invites security disaster
Description: With many of the state's residents displaced or otherwise
impacted in their ability to vote by last week's Hurricane Sandy, a
last-minute decision was made by the government of New Jersey to allow
voters to cast ballots by email. Confusion over procedures, which have
resulted in situations where officially-listed email addresses were
bouncing and government officials were using private accounts on
services such as Hotmail, has left a number of major security gaps open.
Not only are there potential issues with voter fraud, the follow-on to
this process will likely include phishing attacks referencing the need
to authenticate a ballot cast via e-mail. Whatever the final outcome,
the experiment will have major implications for distance online voting
in the future, as it will be America's first major test of such a
system.
Reference:
http://www.state.nj.us/governor/news/news/552012/approved/20121103d.html
http://www.crypto.com/blog/njvoting/
http://www.businessweek.com/news/2012-11-06/security-of-n-dot-j-dot-e-mail-voting-after-storm-is-questioned
Snort SID: N/A
ClamAV: N/A
Title: Coke gets hacked, doesn't tell anyone
Description: Bloomberg news service announced this week that Coca-Cola
company, which was considering purchasing Chinese-owned juice maker
Huiyuan in 2009, was compromised three days before that deal fell
through, with numerous sensitive files related to the acquisition having
been exfiltrated as a result of the breach. While the breach itself is,
sadly, not particularly newsworthy on its own, Coke's failure to
disclose the breach - which might have been required under current SEC
guidelines surrounding breach disclosure had those rules been in place
three years ago - is sure to reignite the debate about the disclosure
responsibilities of organizations whose networks are breached.
Reference: http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html
Snort SID: N/A
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
GDB quick reference:
http://www.stanford.edu/class/cs107/other/gdbrefcard.pdf
Reversing malware protocols with machine learning:
http://blog.hugogascon.com/2012/10/reversing-malware-protocols-with_28.html
Nuclear Exploit Pack goes 2.0:
http://blog.webroot.com/2012/10/31/nuclear-exploit-pack-goes-2-0/
Unencrypted bar codes on airline boarding passes pose threat:
http://www.techrepublic.com/blog/security/unencrypted-bar-codes-on-airline-boarding-passes-pose-threat/8589
Exploiting a MIPS stack overflow:
http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/
Final report on DigiNotar hack shows total compromise of CA servers:
http://threatpost.com/en_us/blogs/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112
iOS security: Objective-C and nil pointers:
http://blog.ioactive.com/2012/11/ios-security-objective-c-and-nil.html
Info disclosure with Apache server-status:
http://urlfind.org/?server-status
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: : CVE-2012-0507
Title: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30
and earlier, and 5.0 Update 33 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Concurrency.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-4969
Title: Microsoft Internet Explorer 7/8/9 contain a use-after-free vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer versions 7, 8, and 9 are
susceptible to a use-after-free vulnerability that may result in remote
code execution.
CVSS v2 Base Score: 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)
ID: : CVE-2012-4681
Title: Java 7 Applet Remote Code Execution
Vendor: Oracle
Description: Oracle Java 7 Update 6, and possibly other versions, allows
remote attackers to execute arbitrary code via a crafted applet, as
exploited in the wild in August 2012 using Gondzz.class and
Gondvv.class.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: : CVE-2012-2019
Title: HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Operations Agent before
11.03.12 allows remote attackers to execute arbitrary code via unknown
vectors, aka ZDI-CAN-1325.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-4501
Title: Citrix CloudStack and CloudPlatform Default Credentials Design
Error Vulnerability
Vendor: Citrix
Description: Citrix Cloud.com CloudStack, and Apache CloudStack
pre-release, allows remote attackers to make arbitrary API calls by
leveraging the system user account, as demonstrated by API calls to
delete VMs.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES DDDD:
COMPILED BY SOURCEFIRE
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winhblmdx.exe
Claimed Product: winhblmdx.exe
Claimed Publisher: winhblmdx.exe
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys
SHA 256: D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2
MD5: be3d80a773482af1702eee7574e4eb7c
VirusTotal: https://www.virustotal.com/file/D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2/analysis/
Typical Filename: deployJava[1].js
Claimed Product: deployJava[1].js
Claimed Publisher: deployJava[1].js
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
