Last Chance: MacBook Air, Dell XPS 13 or $600 off with SANS Online Training Ends December 7

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 20, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 51

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 12/13/2012 - 12/19/2012
============================================================

TOP VULNERABILITY THIS WEEK: An arbitrary memory write vulnerability in certain Samsung chipset drivers has been demonstrated in the wild, with easy-to-use source code available for exploit generation. Attacks are presumed to be commencing; Cyanogenmod has released a patch, but mainstream Samsung device users have not yet received one, despite claims that Samsung has a patch tested and available.

============================================================

TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, New Delhi, Scottsdale, Brussels, and Johannesburg all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Samsung device driver arbitrary memory overwrite vulnerability
Description: A user by the name of alephzain posted details of a major memory access vulnerability in devices using certain Samsung chipsets and kernels, which allows Android applications being installed on a device the ability to overwrite arbitrary system memory as root via the /dev/exynos "System on a Chip" devices. The device is available in many popular Samsung hardware platforms, including the Galaxy SII and SIII. MEIZU MX, etc. Full details, including system libraries, sample exploit code, etc. were published along with the writeup, and exploits are presumed to be starting to circulate in the wild at this point. Multiple users on XDA-Developers have posted patches, and Cyanogenmod has already committed a fix for its users. Meanwhile, other users of the popular Android development forum have charged that Samsung has had a patch for this known "open source" issue for weeks and have not released a fix for it, despite other updates having been pushed to their customers in the interim, highlighting the serious issue of vendors' and carriers' reluctance to patch rapidly for mobile devices.
Reference:
http://forum.xda-developers.com/showthread.php?t=2048511
http://en.wikipedia.org/wiki/Exynos_(system_on_chip)
http://www.androidauthority.com/xda-developer-patches-samsung-exynos-chip-vulnerability-140742/
Snort SID:
ClamAV:

Title: FBI report says SCADA "Niagara" backdoor exploited in the US this year
Description: Using nothing more than the popular web device search service Shodan, attackers in the wild have been exploiting an authentication bypass vulnerability in the Niagara AX Framework, made by Richmond, VA-based firm Tridium. The web interface for the framework, by default, does not require a password, and provides full administrative access to systems controlling HVAC in offices around the world. The system was typically set up with floor plans, personnel and departmental names, etc., providing a wealth of useful data for spear phishers, social engineers, and the like. As of Wednesday, Dec. 19, no notice was posted on the vendor's site discussing a patch or any mitigations for this vulnerability. Potentially impacted users are urged to shut down unnecessary web services, and restrict access to any others to only authorized, known IP addresses.
Reference:
http://www.wired.com/images_blogs/threatlevel/2012/12/FBI-AntisecICS.pdf
http://www.shodanhq.com/search?q=niagara_audit+-login
http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
http://www.tridium.com/cs/products_/_services/niagaraax
Snort SID: 25057
ClamAV: N/A

Title: Anonymous Doxes the WBC
Description: Members of the Anonymous collective posted personal and professional contact details for members of the Westboro Baptist Church online on Pastebin Sunday morning, apparently in response to the WBC's announcement that it would be protesting the funerals of those taken in the recent tragedy in Newton, CT last week. Details of how the private information was found were not detailed by Anonymous, and little speculation has been put forward within the information security community. The move coincided with other political moves surrounding the group, such as a White House online petition that has gathered close to 200,000 signatures asking that the WBC be legally recognized as a hate group.
Reference:
http://pastebin.com/2PmbBm8f
https://petitions.whitehouse.gov/petition/legally-recognize-westboro-baptist-church-hate-group/DYf3pH2d
Snort SID: N/A
ClamAV: N/A

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Setting HoneyTraps with ModSecurity: Unused Web Ports:
http://blog.spiderlabs.com/2012/12/setting-honeytraps-with-modsecurity-unused-web-ports.html

Why Google Maps is better than Apple Maps:
http://www.theatlantic.com/technology/archive/2012/12/why-google-maps-is-better-than-apple-maps/266218/

Has WWII carrier pigeon message been cracked?
http://www.bbc.co.uk/news/uk-20749632

Mercury Android malware system releases new version:
http://labs.mwrinfosecurity.com/blog/2012/12/14/whats-new-in-mercury-v2/

Scientific study of malware obfuscation techniques:
http://www.xors.me/?p=6126

Inside Impact Exploit Kit:
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

The Dexter malware: getting your hands dirty:
http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html

Lessons learned from US financial services DDoS attacks:
http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/

- From SQL injection to shell: PostgreSQL edition:
https://pentesterlab.com/from_sqli_to_shell_pg_edition.html

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to upload and execute files via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX "PrintControl.dll" Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl.1 ActiveX control in PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2 allows remote attackers to execute arbitrary code via a long ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. The vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-6066
Title: FreeFTPD /FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

=========================================================
MOST POPULAR MALWARE FILES 12/13/2012 - 12/19/2012:
COMPILED BY SOURCEFIRE

(Virustotal links that are not found mean that the file that Sourcefire is detecting has not yet been analyzed by Virustotal)

SHA 256: 806E83820EABE18D28FA4080F20189EE160F43AFB3E51B99CDA23CF4EF73F9C8
MD5:
VirusTotal: https://www.virustotal.com/file/806E83820EABE18D28FA4080F20189EE160F43AFB3E51B99CDA23CF4EF73F9C8/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046
MD5:
VirusTotal: https://www.virustotal.com/file/1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 7413CF9F448EC6845EA5FF00B07C73D8E4869C85DEB7DE1224CA27D4AF6F0DD3
MD5:
VirusTotal: https://www.virustotal.com/file/7413CF9F448EC6845EA5FF00B07C73D8E4869C85DEB7DE1224CA27D4AF6F0DD3/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: CA3BBC97310150AA85AEB15AB85F63A7D1B0CDB4BE2C3565A71FB5FB3EA1AB33
MD5:
VirusTotal: https://www.virustotal.com/file/CA3BBC97310150AA85AEB15AB85F63A7D1B0CDB4BE2C3565A71FB5FB3EA1AB33/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 883FC048EA0FDC044601EF84A93AB90FA1181E9D2E8E544FA6119D35D5B2A94F
MD5:
VirusTotal: https://www.virustotal.com/file/883FC048EA0FDC044601EF84A93AB90FA1181E9D2E8E544FA6119D35D5B2A94F/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account