Zero Day Patches, Nasty New Malware, and Jailed Hackers
Ready for a dose of InfoSec news? Your weekly security highlights reel is spooled up and ready to go.
This week was all about software updates. Not only did Microsoft and Adobe’s monthly Patch Day bring us patches for critical zero day vulnerabilities, but we saw security updates for Firefox and iTunes as well. In today’s video, I talk about all those updates, as well as two new interesting malware variants, and the sentencing and jailing of a team of well-known hackers. View the video for all the details.
A quick note… Next week I’ll be attending the AusCERT security conference in Australia. Though I still expect to bring you a weekly video, I may post it earlier or later than normal due to travel and the time zone differences. Keep safe out there and see you next week.
Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates, with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.
According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.
As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.
As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.
Are you an over-worked IT administrator with no time to learn about the latest internet threats? Do you want to keep your network safe, but don’t know what the bad guys are up to? If that’s you, then our weekly information security highlights video is just the thing for you. For just three easy payments of… well, nothing… you can have all that and more!
Today’s episode covers Syrian cyber attackers hijacking The Onion’s Twitter feed, a serious zero day vulnerability affecting Internet Explorer 8 (IE8), a major cyber bank heist, and more. For all the details, and some tips to protect yourself, watch the video below or check out the stories in the Reference section.
Welcome to our weekly network and information security (Infosec) news highlights. Typically, I deliver these security highlights as a short video. However, I’m traveling this week for both business and personal reasons, and was unable to produce the video version during my hectic travel schedule. The video will return next week from the Interop IT conference in Vegas. Until then, enjoy this text summary of the biggest Infosec stories from the week.
This week’s stories include a big credential leak, the hijacking of a government web site, and news of a flaw in Google’s latest wearable computer. Read below for more details, and join us next week when the video version returns:
Living Social breach leaks 50 million user credentials - Attackers breached Living Social’s network and made off with the personal info of 50 million users. The stolen information included things like your email address, date of birth, and your hashed password. Though the passwords were hashed, attackers can still leverage brute force attacks to figure out the weaker ones of the bunch. If you use Living Social, you need to change your password immediately. More importantly, if you use the same password at other sites, stop doing that and change your passwords there too.
Latest on the mysterious Apache web site mass hijackings - Over the past few months, we’ve pointed out multiple incidents where thousands of Apache web servers were hijacked with a very sneaky backdoor. While researchers understood the complex backdoor attackers were injecting, no one really knew how attackers were initially gaining access to vulnerable sites (though many suspected cPanel or WordPress vulnerabilities). In any case, ESET and Sucuri have released new research on the complex backdoor used in this attack campaign. It’s a very interesting read for the security conscious and a must-read for web administrators. Thanks to our friend and reader, Ryan, for pointing out this new research.
Hackers pwn Google Glass - You’ve probably seen Google Glass, the latest wearable computer. It’s not really out yet, but a group of select developers with cash to spare have gotten their hands on preview copies of this interesting new product. This week, one of those developers has learned how to jailbreak or root the device. Jailbreaking or rooting are terms used to describe when a user gains full administrative control of a device that was somehow locked down by the manufacturer. Usually, the device’s owner is the one who wants to root a device, in order to do things that the manufacturer didn’t originally intend. However, the techniques used to root devices often leverage software vulnerabilities, which attackers could also leverage to take full control of your device. Obviously, you don’t want that. In any case, Google Glass is really still in beta, and not available to consumers. I wouldn’t be overly worried about this supposed flaw, as I’m sure Google will correct it before the official release. Still, an interesting read.
Reader vulnerability allows attackers to track PDF documents - McAfee discovered an Adobe Reader flaw that attackers could leverage to find out when users open a particular Reader document, and what IP address they are opening it from. This is not a critical issue, in that attackers can’t leverage it to execute code, but it does pose a privacy risk. There is no fix for the flaw yet, but you should expect one in an upcoming release.
Chinese attackers force Department of Labor site to serve malware - According to Alienvault, the Department of Labor web site was hijacked by China-based attackers, and then forced to serve malicious code, which then tries to infect anyone that visits the site. The Department of Labor has since cleaned their site, but if you happen to have visited it lately you should definitely scan your computer for malware.
Serious Flaw in IBM Notes - It’s hard for me to imagine anyone still using the Notes email client, but I have learned there are still some of you out there. This week, researchers reported a serious security flaw in this client, involving how it handles Java applets and JavaScript. IBM plans to fix the flaw soon, but until then you should disable JavaScript and Java applets in the Notes client.
This week’s security highlights video comes a bit early due to my travels in London to attend InfoSec UK.
If you’re looking for a quick summary of the week’s top security news, this is the vlog for you. In today’s video, I share a few themes from the biggest security conferences in Europe, news of the AP Twitter feed hijack, warnings of a new Java exploit, and information about industry-wide flaws affecting serial port servers. Watch for all the details, and check the Reference section below for other interesting stories from the week.
Router Hacks, WordPress Attack, and Huge Oracle Update
During a week of such tragedy, it’s hard to give much thought to network and information security (InfoSec). Yet, we must stay vigilant, lest abhorrent cyber criminals leverage such tragedies against us in social networking campaigns.
In this week’s InfoSec news summary, I cover Oracle’s quarterly Critical Patch Update (CPU), a research project that uncovered vulnerabilities in consumer routers, a WordPress password cracking botnet, and how scammers are exploiting this week’s tragedies in their spam campaigns. Watch the video below for the highlights and some defensive tips.
As an aside, I will be traveling next week so I may not post the weekly video at its normal time.
Though I’m traveling in Singapore for a security conference, I still found a few spare minutes for my weekly InfoSec news summary. This week I cover some Bitcoin mining malware, CISPA returning from the ashes, some game related network attacks, and most interestingly, an Android smartphone hacking an airplane. For the details, watch the video below.
By the way, I apologize for the shaky camera. I forgot my tripod on this trip and shooting video with a busy schedule has its challenges. Don’t forget to check out the Reference section if you want to learn more.
First, a fair warning. This post serves no practical purpose, and is just for your entertainment. If you only visit this blog for practical security news and alerts, and you don’t have time for a bit of fun right now, feel free to skip this post. That said, you might find it entertaining, and it does still carry a security theme.
WatchGuard’s a great place to work. To me, one of the most important attributes of a good workplace is great people, and at WatchGuard we have those in spades. Recently, a talented and creative subset of those WatchGuard employees wrote and performed a parody version of Macklemore’s popular Thrift Shop rap. If you haven’t heard of Macklemore, he’s a Seattle-based rapper who recently rocked the Billboard charts with this budget shopper rap anthem. We thought, what better way to celebrate Macklemore’s success than making our own tongue-in-cheek security tune in his honor? Radio Free Security listeners have already heard this track, but today we bring you the full music video. If you’re up for some InfoSec-themed cheesy fun, watch below.
As an aside, I’m traveling in Singapore this week to speak at security conferences. As a result, I will post the regular WatchGuard Security Week in Review video later than usual. You can expect the “on the road” edition of our weekly video either late Friday or early Saturday. Have a great weekend! — Corey Nachreiner, CISSP (@SecAdept)
(Lyrics below, 3:08 runtime)
---- LYRICS ----
Hey, Jackson! Can we go to WatchGuard?
(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!
(Verse 1)
Nah, walk up to the conference like, “what up I got a huge stock”
Got the channel so pumped about the product that we got
Walkin’ n roamin’ round, people tryna come see
All they say is, “damn, that’s a cool ass AP”
Connecting consoles all over like a fiend
APs be all white, cept those LEDs, flashin’ green!
Competitors sweatin’ cuz all their products are cheap plastic
Probably shoulda copied us, everyone thinks ours are fantastic!
(Crissssppppp)
But snaps, not everyone can be WatchGuard! (Trrrruuuuu!)
(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!
(Verse 2)
What you know about rockin’ our products for a bargain?
No one can come close, not even by a large margarine.
I’m digging, I’m digging, I’m searching through the interwebz
One shady website is another man’s privacy!
Thank your granddad’s messin’ with your personal computer
Cleaning up all this Phishing is enough to confuse sea birds (seagull Caws “caw caw”)
So I’m in Sea town, you can find me in the ID (Food Chainz!)
Looking up new threats like a W.G. should properly
Your grammy, your aunty, your momma, your mammy,
I’ll block them malwares and burn up those spammies, first hand, I’ll rock those suckas brotha!
The built in UTM with the anti-virus on that motherboard haha, (match the pitch of the song w/ laugh)
I hit the power on and they stop those viral suckas
Good deals, WatchGuard Tech! Yeah!
(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!
(Bridge) 2x
I’ll protect your security codes
I look through LAN cables
While you drinks rootbeer floats
We got your back like a bar of soap
(Chorus)
I’m gonna block some spam,
Only got one product plugged in the socket
I-I-I’m secure, protected by WatchGuard,
This is freakin awesome!
Unless you’re new to IT, you’re probably aware that today—the second Tuesday of the month—is Microsoft Patch Day.
As expected, Microsoft released nine security bulletins today, fixing 13 vulnerabilities across products like Internet Explorer (IE), Windows and its components, SharePoint Server, and a few other Office server products. The two worst, Critical-rated updates fix security problems in IE and the Remote Desktop Client (RDC) that ships with Windows (specifically, its ActiveX control). The vulnerabilities in both these products could help remote attackers launch drive-by download attacks. If an attacker can get your IE or RDC users to visit a specially crafted web site (or a legitimate, hijacked web site), they could leverage these flaws to execute arbitrary code with those users’ privileges. You should download, test, and apply these Critical updates as soon as you can, or let Windows’ automatic updater do it for you.
As an aside, some experts had expected today’s IE update to fix some publicly disclosed vulnerabilities from the recent Pwn2Own contest at a Canadian security conference. In their IE alert, Microsoft credits two Google security researchers for discovering the flaws they fixed today. However, the Pwn2Own IE 10 flaws were disclosed by different researchers from VUPEN. So it appears the Pwn2Own IE flaws are still open issues.
Microsoft also released seven other updates, which they rate as Important. While not as serious as the ones mentioned above, they all fix some relatively risky issues too. In general, I recommend you always install all of Microsoft’s monthly patches as quickly as you can. That said, be sure to at least try to test the server updates before deploying them to your production network.
I’ll post more detailed alerts about these security bulletins as the day progresses. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)
What do zombie video games, North Korea, and emergency telephone systems have in common? They’ve all been compromised by cyber attackers this week.
If you’re too busy dousing IT fires to keep up with InfoSec news on your own, give our weekly security news summary a try. In this short video, I quickly highlight the biggest security stories from the week, and give some practical defense tips along the way.
This week’s episode covers a new telephony denial of service (TDoS) extortion scheme, a serious flaw in a common database system, the latest Anonymous operation, and a mysterious Apache hijacking campaign that has affected over 20,000 web servers. Watch the video below for the full scoop, and check out the Reference section for additional stories.