Security Weekly News 25 February 2011 – Full list

Category Index

Hacking Incidents / Cybercrime

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by
In June 2010, an anonymous source using the assumed name "Despduck" began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. "SpamIt", until recently the biggest black market distributor of generic pharmaceuticals on the Internet.
After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
Anonymous logoApparently all the press attention Anonymous has been receiving since the WikiLeaks story broke last December is producing enough lulz to keep them hacking away. At least five websites belonging to Westboro Baptist Church are currently offline after they were defaced earlier today.
The ongoing dispute between the controversial church and Anonymous began with a letter allegedly posted by Anonymous last week. Today, during a live radio interview (interview contains adult language) Anonymous hacked into the church's websites and left a message for anyone who later visited.
Holly Hill police said actions by Orlando man was a form of job security
Whac-A-Mole seems like it could be endless fun.
Moles pop out of five holes in the arcade game and a soft mallet is used to force them back into the holes to score points.
Children and adults alike could whack the moles for hours at a time.
Or at least they could until a worker programmed a virus into the machines to make them shut down after a pre-determined number of plays, Holly Hill police said.
Now they have arrested that man, Marvin Walter Wimberly Jr., 61, of Orlando, who faces a charge of offenses against intellectual property.
New Fast-Flux Botnet Unmasked  []
'Wibimo' botnet also employs an unusual encryption process
A researcher has discovered a new botnet that uses the rare fast-flux method to stay alive and evade takedown.
Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit, here yesterday showed a sample of the botnet's malware he had reverse-engineered, with evidence that the botnet uses fast-flux. Fast-flux is basically load-balancing with a twist: It's a round-robin method where infected bot machines serve as proxies or hosts for malicious sites and are constantly rotated, changing their DNS records to prevent discovery by researchers.
Winamp Forums Security Breach FAQ  []
Winamp Management Team –
My name is Geno Yoham and I am the General Manager of Winamp. Our entire team is dedicated to protecting the privacy of our users and has put extensive measures in place to ensure your information remains secure. As a result of these precautions, we quickly detected and blocked an attack on the Winamp Forums database. We have confirmed that this breach was isolated to the Winamp Forum ( site only. Other Winamp sites and products such as, and the Winamp Desktop Media Player were not affected in any way.

Software Updates

Published: July 12, 2010
Updated: February 16, 2011
Applies To: Windows 7 with SP1
These release notes address the most critical issues and information about the Windows® 7 operating system with Service Pack 1 (SP1). Currently, no critical issues that require you to take corrective action either before or immediately after installation have been reported or discovered in testing. This document is continuously updated, so if any such issues are discovered or reported, they will be available here.
When performing a virus scan, Microsoft's Malware Protection Engine fails to process a specially crafted registry value correctly, enabling local attackers with restricted privileges to execute arbitrary code at system privilege level (privilege escalation). According to Microsoft's advisory, the vulnerable anti-malware engine (mpengine.dll) is part of the Security Essentials (MSE), Windows Live OneCare, Windows Defender, Forefront Client Security and Forefront Endpoint Protection 2010 products as well as the Malicious Software Removal Tool. All versions up to 1.1.6502.0 are reportedly vulnerable.
A patch that is being deployed automatically via the virus and signature update mechanism will fix the issue
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
CVE: CVE-2011-0414
CERT: VU#559980
Program Impacted: BIND
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Package : asterisk
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0495
Debian Bug : 610487
Matthew Nicholson discovered a buffer overflow in the SIP channel driver
of Asterisk, an open source PBX and telephony toolkit, which could lead
to the execution of arbitrary code.

Business Case for Security

Social networking will be the attacker platform of choice in 2011, says Ed Skoudis, founder and senior security consultant with InGuardians.
'But organisations will also have to look out for attacks using memory-scraping, lessons learned from Stuxnet, hardware hacking, and exploiting lack of defences around Internet Protocol version 6 (IPv6),' he told attendees of RSA Conference 2011 in San Francisco.
Skoudis, who has also authored and regularly teaches the SANS Institute courses on network penetration testing and incident response, said the 'bad guys' always move to where the action is, which is now social networking sites like Facebook and LinkedIn.
The 2010 Internet Crime Report was released today by the Internet Crime Complaint
Center (IC3). The report demonstrates
how pervasive online crime has become, affecting people in all demographic groups
throughout the country. In 2010, IC3 received 303,809 complaints of Internet crime,
the second-highest total in IC3's 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National
White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more
than 2 million Internet crime complaints.
The 2010 Internet Crime Report provides specific details about various crimes, victims
and perpetrators, as well as state-specific data. It also outlines how IC3 has adapted
its methods to meet the needs of the public and law enforcement.
IC3 received and processed an average of 25,317 complaints per month in 2010. Non-delivery
of payment or merchandise accounted for the most complaints (14.4 percent). Scams
using the FBI's name (13.2 percent) and incidents of identity theft (9.8 percent)
rounded out the top three types of complaints.
Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)2 survey reports
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to 'information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.'
'In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around,' said Robert Ayoub, global program director for network security at Frost & Sullivan. 'Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide … They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.'
Unless you've been living under a stone for last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, 'Could this happen to me too?'.
As most details about how the attack was carried have been published already (for example, see we can now look at all exploited vulnerabilities.
Email, IM fall lower on the list; malware authors take note and respond accordingly, Blue Coat says
U.S. users spend more of their online time on social networks than on anything else — and malware authors are following suit, according to a study published today.
According to Blue Coat's 2011 Web Security Report, U.S. users spend about 906 million hours on social networks each month — more than twice as many as they spend on online games (407 million hours) and email (329 million).
Attackers recognize this trend and are responding in kind, the study says.
Heartland 2010  []
This is the fourth in a series of posts looking at Heartland's share price and business performance.
In November I looked at the trouble their share price has had and how they have underperformed the market and their peers. There are some studies out there showing that share prices are not affected by breaches but it sure looks like the shares took a hit in this case

Web Technologies

XSS is not a big deal, or is it? On many occasions, I've seen this vulnerability being classified as useless, not serious, and being a low threat. What I've always had in mind is that it's only the capabilities of the browser, and the hackers mind which sets the limit for a XSS attack.
When building a ajax based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for ajax calls ($.get(), $.post(), $.getJSON() etc.) and it would be a shame if you would have to duplicate adding CSRF tokens to all your ajax calls manually or by going back to $.ajax(), because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.
Session based tokens
If you are using session based tokens, you probably generate a secure token when generating the session, and store that token in the session. When a request comes back to the server, you check that the token is included in the request and compare it to what's in the session. If it's the same token, you accept the request, if not you reject it.
I'm concerned that too much of software security and Appsec is focused on the enterprise, the big firms with the resources and a mandate for security; and that there aren't enough practical, affordable, simple solutions for small teams – where most of us work today, building and maintaining a lot of the world's software. I want to know more about what's out there that small teams can understand and use and rely on.
Your consent without your approval
Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving.
The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook's "Like" button.
How do you spell JavaScript again?  []
So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c'mon look what we've done, please try and break our stuff. I couldn't resist having a go as they asked so nicely and within minutes….
What's New In Python 3.2  []
This article explains the new features in Python 3.2 as compared to 3.1. It focuses on a few highlights and gives a few examples. For full details, see the Misc/NEWS file
Spot the Vuln – Reasoning  []
Man is a reasoning rather than a reasonable animal. – Alexander Hamilton.

Network Security

Bluehat talk
Please Read
If you have previously used a W7 RDP 'patch' please rename or delete %SystemRoot%system32termsrv.dll.bak prior to running the updated script. Sorry for any inconvenience caused.
If you've been following MissingRemote for a while, you know one of our most popular series of guides is Enabling Concurrent Remote Desktop sessions. Continuing that trend we have an updated process below working with the RTM (Official Release to Manufacturing) version of Windows7 Ultimate, Professional, Home Premium and Enterprise Editions, x86 & x64 build 7601, Service Pack Build 1130.
I will use this post to collect some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first.
A few areas to watch:
– Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. Same for anti-virus: Some anti virus products monitor system files for changes and may sound an alert or block the installation of SP 1
– Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.
Many solid state disks (SSDs), and other flash media such as USB flash drives and memory cards, cannot be securely wiped by software alone. Even after repeatedly overwriting the entire disk, traces of the original data may remain in the memory cells of NAND Flash chips. These traces cannot usually be accessed via the storage medium's standard interface, but they can be read directly from the chips using specialised electronics. According to a team of researchers from the University of California in San Diego led by Michael Wei, the lack of a reliable delete function makes this kind of medium unsuitable for certain usages.
With Snort 2.9 came the introduction of the Data Acquisition (DAQ) library to replace direct calls to PCAP functions.'DAQ supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP which is used for testing.'[1]
After I upgraded from 2.8.6 to (current version is, my Snort rules and in particular my Snort rule to detect Windows binary download (sid:15306) no longer detected Windows binary download via a browser. It was also affecting my Snort statistics that were constantly showing a small amount of packet loss.
In Part 1 of this series, I barely scratched the surface of password brute forcing.
In this post I hope to go beyond the basics and demonstrate some approaches I use to significantly increase the quality of my tests as well as my chances of success.
Everyone measures success differently, but hopefully some of you will consider success using these techniques to convey the importance to your developers, customers, bosses, friends, spouses, etc. of selecting strong passwords for web-based authentication mechanisms. I am not talking simply about complexity, length, and so forth, although they of course help. Rather, I am referring to the quality of the password, something that is more difficult, but not impossible to enforce.
Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of december 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it 'EGYPTS-AIRWAYS', set up a honeypot + some other monitoring tools, and connected it to the internet.
As expected, we quickly started to see all kinds of traffic… some of them were obvious port scans, others were less obvious recons or attacks. Both exciting and interesting… We could probably spend some time to document the various types of attacks, maybe build a nice table with figures and produce some kick-ass management graphs and do some trends analysis. It would be a fun exercise…
…but nothing beats the real deal.
Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on clients machines if I can avoid it so never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was 'Great I can now scan through a Meterpreter pivot'. Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.

Database Security

Nothing amuses me more than some nice vendor-on-vendor smackdown action. Well, plenty of things amuse me more, especially Big Bang Theory and cats on YouTube, but the vendor thing is still moderately high on my list.
So I quite enjoyed this Dark Reading article on the release of the Oracle Database Firewall. But perhaps a little outside perspective will help. Here are the important bits:
Oracle Database Firewall Controversy  []
Lindsay passed me a link to an article about the recent Oracle Firewall public release and also the recent partnering with F5.
The part that interests me most is the Oracle firewall and the fact that Oracle has stated:
'..which together it claims will supersede the database activity monitoring (DAM) market…'
Of course the vendors of DAM products completely disagree with this statement and to be honest so do I. A firewall is not activity monitoring and as stated in the article most of the DAM product players support IDS/IPS and also audit trail facilities. So a database firewall is only part of a DAM product and a DAM product provides a better all round solution than just a firewall. Its a subset; Are they (Oracle) suggesting that only a firewall is needed? and that IDS and Audit are not needed (maybe outside of the database? – or maybe they feel audit vault or core audit features satisfies that part of the DAM solution), I don't know of course I can only speculate.

Cloud Security

Cloud computing has become an integrated part of IT strategy for companies in every sector of our economy. By 2012, IDC predicts that IT spending on cloud services will grow almost threefold, to $42 billion. So it's no surprise that decision makers no longer wonder "if" they can benefit from cloud computing. Instead, the question being asked now is "how" best to leverage the cloud while keeping data and systems secure.
ISF shares seven deadly sins of cloud computing  []
At the (ISC)2 Secure Leadership Conference at the BT Headquarters in London on 8 February 2011, Adrian Davis, principle research analyst at the ISF (Information Security Forum), shared with the audience what he considers to be the seven deadly sins of cloud computing.
"ISF's view of the cloud is shifting", Davis told his audience. "As an industry, we have technology definitions that we are happy with, acronyms and terminology like 'platform as a service', that no-one else uses. Most of society doesn't actually get what we are talking about."
Organizations, he says, are concerned about costs and "getting rid of the IT team in the basement". Sometimes, this means cutting information security completely out of the loop, leaving those responsible for security unable to influence the decision.

Mobile Security

Wireless Wisdom  []
Dr Les Pritchard of e-Security specialists Fiasa (Forensic Investigation and Security Advice) outlines the risks faced by business people using wi-fi or 3G to access the internet while on the move and the precautions they must take. In addition he highlights how those who offer wi-fi access to others need to protect themselves against improper use that could leave them wide open to criminal charges or expensive lawsuits.
A new mobile phone virus has been discovered to have infected 150,000 people in China allowing hackers to remotely monitor calls, according to the Beijing Times on Wednesday.
The virus, named X Undercover, takes advantage of existing vulnerabilities in smart phones by forcing the three-way calling service to secretly open. Conversations and text messages can be monitored and copied after the virus breaks into the calling sequence, said Zou Shihong, a security expert with NetQin Mobile Inc.
To date, Russian antivirus program vendor Kaspersky has found nearly 2,000 viruses, Trojans, and other threats for mobile devices. At the Mobile World Congress (MWC), the company's founder Eugene Kaspersky told The H's associates at heise Online that although that figure is nothing compared to the number of Windows contaminants, it is nonetheless rising exponentially.
While you can't fully backup and restore everything if you lose your jailbreak in a software upgrade or restore, AptBackup is a free app available in Cydia that can help alleviate the trouble of getting all your jailbreak apps back where they belong.
As you can see in the video above, the backup and restore process is very easy. To back up, just launch AptBackup. To restore all your apps, you'll need to re-download AptBackup from Cydia. Once you do, all you have to do is press the restore button. This will automate the process by re-downloading all the necessary apps from Cydia to your iOS device. While it can't restore settings, it does take the tedious work out of setting things up every time you upgrade.
Mac OS X: iTunes backs up your iOS device's settings each time you sync, but it doesn't even come close to backing up the device in its entirety. If you want a complete backup of your device, you can do it easily with an application called PhoneDisk and the wonderful command-line utility rsync.
Samsung phone Samsung user Alex Roebuck took this picture of his 'bricked' phone
Microsoft has revealed that 1 in 10 users who tried to install a software update on their Windows mobile experienced problems.
The company had previously said that only a 'small number' of handsets were affected.
ZeuS in the Mobile is back
Yesterday, Polish Security Consultant and blogger Piotr Konieczny wrote (Polish) about a new wave of ZeuS trojan attacks. This time, it took place in Poland and it was directed against customers of ING Bank.
The samples used in this attack run on a number of platforms: Trojan-Spy.Win32.Zbot.bbmf for Windows, Trojan-Spy.SymbOS.Zbot.b for Symbian and Trojan-Spy.WinCE.Zbot.a for Windows Mobile. Yes, this time ZeuS in the Mobile (ZitMo) targets users of Windows Mobile smartphones too.
Motorola XOOM Rooted  []
Since it's another Google experience device, and ships with fastboot support (albeit, limited), it really does come rooted out of the box. Just needed to figure out the board kernel base, and compile up a new kernel.
Unfortunately the kernel was not available in the Android repositories. At first, I tried using the Harmony kernel, since they are both tegra 2 250 chips. That turned out to be major fail. As soon as I was about to give up, I noticed that AOSP had updated their tegra kernel repository with some new tasty branches for stingray. Kudos to these guys for being so on the ball! I was able to compile that up and get a working recovery to obtain root, and then get Superuser on the device.
I also built up a recovery, but due to a nonfunctional SD card slot (until they release a firmware update that enables the slot), nothing really works. That will come later.
Here are the instructions to root your device (this assumes you have adb and fastboot installed on your computer):
Kindle 3.1 Jailbreak  []
In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround.
He eventually found a way to force the Kindle to run unsigned code based upon how the software update checked for digitally signed files. With that knowledge in hand, he discovered that he could trick the updater to run any file he wanted by exploiting the standard functionality found in the Unix 'cat' command.

Privacy and Censorship

New copyright law could damage our IT industry
The reports in recent days – notably on Silicon Republic – that the outgoing Government is to sign into law a provision granting judges the power to injunct Internet Service Providers in breach of copyright laws are disturbing.
It looks like they're legislating for the 'three strikes and you're out rule' in the last days of the administration.
If this is the case, then I would urge Minister Hanafin not to sign this Statutory Instrument and to consult carefully with the IT industry, telecoms providers and the Department of Communications before there are any further moves.
The Federal Court of Australia has dismissed a case (read the ruling) from the movie industry which argued that ISPs must take action against file-swappers, based on allegations of infringement from copyright holders. The case against ISP iiNet was an appeal of the original judgment in the matter, which also went against rightsholders.
The appeal, considered by three judges, is remarkably long-and thorough. (It includes sentences like, 'Computers operate by means of binary code. A bit is either a zero or a one. A byte is 8 bits. A kilobyte is 1,024 bytes, a megabyte is 1,024 kilobytes and a gigabyte is 1,024 megabytes.')
Adam Pash – When you're browsing from a public Wi-Fi connection-like at your favorite coffee shop-anyone on that network can snoop on what you're doing, with very few exceptions. So can the IT crew at your workplace. Today, we're going to walk through setting up an encrypted proxy server on your home computer so you can secure your browsing session no matter where you're connected, keeping your private data significantly more private.


There are add-ons, VPNs, and apps galore that offer a safer browsing experience-but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.
Advancing the Idea of Collective Action to Improve Internet Security and Privacy
To help address growing concerns regarding Internet security and privacy, I recently published a paper outlining an approach to addressing botnets and malware that threaten consumer devices connected to the Internet entitled Collective Defense: Applying Public Health Models to the Internet.
Today at the RSA 2011 conference in San Francisco, I presented the details of this proposal for collective defense, and shared a proof of concept scenario exemplifying how an organization, such as a bank, might promote better device health. Below is video of that scenario:


Today, SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.


Flying Cars  []