Newsletters: @RISK

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 28, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 45

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 11/1/2012 - 11/8/2012
============================================================

TOP VULNERABILITY THIS WEEK: Multiple trivially remotely exploitable vulnerabilities were disclosed this week in Sophos antivirus products, after researcher Tavis Ormandy had worked with the company to ensure patches were in place prior to the release. As Ormandy included proof-of-concept exploits in his disclosure notes, malicious activity around them is expected to begin immediately. Users of Sophos products should update their software immediately.

============================================================

TRAINING UPDATE

- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012
5 courses. Special Event evening bonus sessions: I've Been Geo-Stalked! Now What? And Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012
7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012
16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012
27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

********************* Sponsored Links: *********************

1) Take the SANS Survey on the Security Practices of SCADA System
Operators and register to win an iPad! http://www.sans.org/info/116537

2) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices"
http://www.sans.org/info/116542

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Researcher Tavis Ormandy releases multiple exploits for Sophos products
Description: In a scathing writeup that is a follow-on to a more theoretical release last year, well-known security researcher Tavis Ormandy released a series of practical attack techniques against common Sophos antivirus deployments, including integer overflows, cross-site scripting, heap overflows, denials of service, etc. As Ormandy disclosed the vulnerabilities to Sophos in October, patches are available for all but one of the attacks (a denial of service); customers are urged to update as soon as possible, since with the detailed explanations of how to exploit provided in Ormandy's paper, exploits are likely to emerge in the wild essentially immediately.
Reference:
https://lock.cmpxchg8b.com/sophailv2.pdf
http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
Snort SID: 24625, 24626
ClamAV: PDF.Exploit.Agent-3

Title: Anonymous celebrates Guy Fawkes Day with a slew of compromises
Description: Members of the Anonymous collective chose to celebrate Guy Fawkes day (the historical figure from whom they draw the mask associated with their logo) this year by defacing a slew of websites worldwide, as well as dumping large chunks of data on PasteBin that were part of alleged compromises of major targets such as ImageShack and Symantec. While these claims are still being validated, the coordinated activity shows the continuing power of this group to wreak havoc on the Internet essentially at will, despite defenders' best efforts to stop them.
Reference:
http://pastebin.com/raw.php?i=jhLt7s83
http://www.technewsworld.com/story/Many-Hacks-Claimed-Few-Confirmed-on-Anons-Day-of-Mayhem-76555.html
Snort SID: N/A
ClamAV: N/A

Title: New Jersey allows last-minute email voting, invites security disaster
Description: With many of the state's residents displaced or otherwise impacted in their ability to vote by last week's Hurricane Sandy, a last-minute decision was made by the government of New Jersey to allow voters to cast ballots by email. Confusion over procedures, which have resulted in situations where officially-listed email addresses were bouncing and government officials were using private accounts on services such as Hotmail, has left a number of major security gaps open. Not only are there potential issues with voter fraud, the follow-on to this process will likely include phishing attacks referencing the need to authenticate a ballot cast via e-mail. Whatever the final outcome, the experiment will have major implications for distance online voting in the future, as it will be America's first major test of such a system.
Reference:
http://www.state.nj.us/governor/news/news/552012/approved/20121103d.html
http://www.crypto.com/blog/njvoting/
http://www.businessweek.com/news/2012-11-06/security-of-n-dot-j-dot-e-mail-voting-after-storm-is-questioned
Snort SID: N/A
ClamAV: N/A

Title: Coke gets hacked, doesn't tell anyone
Description: Bloomberg news service announced this week that Coca-Cola company, which was considering purchasing Chinese-owned juice maker Huiyuan in 2009, was compromised three days before that deal fell through, with numerous sensitive files related to the acquisition having been exfiltrated as a result of the breach. While the breach itself is, sadly, not particularly newsworthy on its own, Coke's failure to disclose the breach - which might have been required under current SEC guidelines surrounding breach disclosure had those rules been in place three years ago - is sure to reignite the debate about the disclosure responsibilities of organizations whose networks are breached.
Reference: http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html
Snort SID: N/A
ClamAV: N/A

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

GDB quick reference:
http://www.stanford.edu/class/cs107/other/gdbrefcard.pdf

Reversing malware protocols with machine learning:
http://blog.hugogascon.com/2012/10/reversing-malware-protocols-with_28.html

Nuclear Exploit Pack goes 2.0:
http://blog.webroot.com/2012/10/31/nuclear-exploit-pack-goes-2-0/

Unencrypted bar codes on airline boarding passes pose threat:
http://www.techrepublic.com/blog/security/unencrypted-bar-codes-on-airline-boarding-passes-pose-threat/8589

Exploiting a MIPS stack overflow:
http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/

Final report on DigiNotar hack shows total compromise of CA servers:
http://threatpost.com/en_us/blogs/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112

iOS security: Objective-C and nil pointers:
http://blog.ioactive.com/2012/11/ios-security-objective-c-and-nil.html

Info disclosure with Apache server-status:
http://urlfind.org/?server-status

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : CVE-2012-0507
Title: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4969
Title: Microsoft Internet Explorer 7/8/9 contain a use-after-free vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer versions 7, 8, and 9 are susceptible to a use-after-free vulnerability that may result in remote code execution.
CVSS v2 Base Score: 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)

ID: : CVE-2012-4681
Title: Java 7 Applet Remote Code Execution
Vendor: Oracle
Description: Oracle Java 7 Update 6, and possibly other versions, allows remote attackers to execute arbitrary code via a crafted applet, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-2019
Title: HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1325.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4501
Title: Citrix CloudStack and CloudPlatform Default Credentials Design Error Vulnerability
Vendor: Citrix
Description: Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

=========================================================
MOST PREVALENT MALWARE FILES DDDD:
COMPILED BY SOURCEFIRE

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winhblmdx.exe
Claimed Product: winhblmdx.exe
Claimed Publisher: winhblmdx.exe

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys

SHA 256: D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2
MD5: be3d80a773482af1702eee7574e4eb7c
VirusTotal: https://www.virustotal.com/file/D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2/analysis/
Typical Filename: deployJava[1].js
Claimed Product: deployJava[1].js
Claimed Publisher: deployJava[1].js

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account