Microsoft issues warning about XSS hole in SharePoint
The recently announced breach in the Apache Software Foundation's server shows that XSS holes should not be taken lightly. That narrowly targeted attack began with an XSS vulnerability and even experienced administrators had clicked on the poisoned links.
The cause of the current problem in SharePoint is insufficient filtering of the cid0 variable in the script /_layouts/help.aspx, which can be misused for reflected XSS.
SharePoint Server 2007 and SharePoint Services 3.0 are affected.
SharePoint Services 2.0, SharePoint Portal Server 2001, SharePoint Portal Server 2003 Service Pack 3 and SharePoint Server 2010 are not.
According to Microsoft, the problem does not occur with Internet Explorer 8 because its XSS filter detects and prevents the attack. Until a patch has been provided, Microsoft recommends preventing access to the flawed script by executing the following commands on the SharePoint server:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
The server then no longer offers any help functions. The change can be reversed once a patch has been installed. For instructions, see Microsoft's advisory.
Continued here: http://www.h-online.com/security/news/item/Microsoft-issues-warning-about-XSS-hole-in-SharePoint-990812.html
See: Microsoft Security Advisory (983438)
Vulnerabilities & Fixes: Microsoft SharePoint Server / SharePoint Services
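While the cacls workaround is in place, a defender will want to know whether anyone is probing the help.aspx cid0 parameter. The following is an added example (not Microsoft's or h-online's code) that scans IIS W3C logs for help.aspx requests whose cid0 carries markup or script characters; the log lines are constructed, and the #Fields: layout and the suspicious-token set are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C extended log (sample data, not from a real server);
# the #Fields: header is assumed to match the fields your server logs.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2010-04-30 09:12:01 GET /_layouts/help.aspx cid0=SAMPLE.HELP.COLLECTION 200
2010-04-30 09:12:05 GET /_layouts/viewlsts.aspx - 200
2010-04-30 09:13:44 GET /_layouts/help.aspx cid0=%3Cscript%3Ealert(1)%3C/script%3E 200
2010-04-30 09:14:02 GET /_layouts/help.aspx cid0=SAMPLE.HELP.COLLECTION&tid=X1 200
"""

# Tokens assumed never to occur in a legitimate help collection id; matched
# after full URL-decoding so that %3C and double-encoded %253C are both caught.
SUSPICIOUS = re.compile(r"""[<>"'(){}]|javascript:|on\w+\s*=|expression\s*\(""", re.I)

def deep_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_help_xss_probes(text):
    """Return (time, decoded cid0) for help.aspx requests whose cid0 carries markup."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != "/_layouts/help.aspx":
            continue
        # parse_qs decodes one layer; deep_unquote strips any further layers.
        for cid in parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True).get("cid0", []):
            decoded = deep_unquote(cid)
            if SUSPICIOUS.search(decoded):
                hits.append((rec["time"], decoded))
    return hits
```

Running `find_help_xss_probes(SAMPLE_LOG)` flags only the 09:13:44 request; feed it your real log file's contents to review historical traffic against the unpatched script.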
Opera closes "extremely severe" hole
Opera has released version 10.53 of its Opera web browser for Windows and Mac OS X in order to close a vulnerability which the software maker rates as "extremely severe". The hole allows crafted web pages to inject and run code on a PC. It would only be necessary to visit such a web page for the vulnerability to be exploited.
The hole is created when a script makes multiple calls to modify the document's contents, causing Opera to reference an uninitialised value. This could lead to a browser crash and, using additional techniques, allow for code injection. Opera had only just released version 10.52 three days ago. Opera 10.53 can be downloaded from the vendor's site.
Continued here: http://www.h-online.com/security/news/item/Opera-closes-extremely-severe-hole-991217.html
A Closer Look at Rapport from Trusteer
From Brian Krebs' "Krebs on Security":
A number of readers recently have written in to say their banks recently have urged customers to install a security program called Rapport as a way to protect their online bank accounts from fraud. The readers who pinged me all said they didn't know much about this product, and did I recommend installing it? Since it has been almost two years since I last reviewed the software, I thought it might be useful to touch base with its creators to see how this program has kept pace with the latest threats.
The basic elements of Rapport, designed by a company called Trusteer, haven't changed much. As I wrote in May 2008, the software works by assuming control over the application programming interfaces or APIs in Windows, the set of tools which allow software developers to create programs that interact with key Windows functionalities.
From that 2008 piece:
"Some of today's nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or 'hook' the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware, known as a 'form grabber', hijacks the 'WinInet' API, which sets up the SSL (think https://) transaction between the user's browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.
Trusteer's software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do."
Continued here: http://krebsonsecurity.com/2010/04/a-closer-look-at-rapport-from-trusteer/
The Storm is back? Well, not exactly.
From the M86 Security Labs:
The Storm Worm is aptly named, for any mention of it creates a media storm, regardless of the reality behind the malware. Yesterday, reports surfaced of a renewed Storm, as researchers from CA announced the "Come back of the Storm Worm." The news media was not slow to pick it up; for example, the Register's headlines read "Infamous Storm botnet rises from the grave."
Despite its nickname, the Storm Worm was actually not a worm. Rather, it was once a major spamming botnet, representing some 20% of spam at its peak in mid-2007. It was also one of the most discussed and studied botnets ever, due to its size, distinctive spam campaigns, and revolutionary peer-to-peer communication model. Following all the attention and the targeting of Storm by Microsoft with its Malicious Software Removal Tool in September 2007 among other infiltration attempts, Storm died a slow death, which we duly noted here.
So what is going on with these latest pronouncements? Has Storm suddenly sprung back from the dead?
Continued here: http://www.m86security.com/labs/i/The-Storm-is-back-Well-not-exactly-,trace.1312~.asp
How Do I Report Malicious Websites?
So you've just spent your morning digging through web proxy logs figuring out how one of your users managed to get infected with the latest rehash of FakeAV and you've got a handful of malicious URLs that you need to block on your perimeter. Let's also suppose that you hold some goodwill towards your fellow sysadmin and wish to help stop further damage. Where do you start?
Depending on what vendor you use to manage your web proxy filters, you may be helping out by simply protecting yourself. That information should bubble up to their other customers and expand protection. Another way to help smaller organizations and individuals is to share this information with free security solutions.
Google Safe Browsing
Get the biggest bang for your buck by leveraging the Google Search engine which many folks rely on to save them from exposure to typo-squatters and other badness. URLs can be submitted here: http://www.google.com/safebrowsing/report_badware/
Continued here: http://isc.sans.org/diary.html?storyid=8719
US Air Force phishing test transforms into a problem
Sorry Airman Supershaggy, "Transformers 3" is not coming to Andersen Air Force Base. And by the way, you've been phished.
Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well.
The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.
This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.
"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.
Continued here: http://www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html
Facebook: Network problem that slowed site is fixed
"After reporting last night it was working on the site, Facebook says traffic issue corrected"
Facebook this morning reported that the network issues that slowed the social network last night have been resolved, and that the site is working normally again.
Early this morning, Facebook posted a note on its site telling users that its engineers had cleared up some network issues that last night were causing slowdowns and time outs on the social networking site.
"We were experiencing a network issue that affected how we distributed traffic between our data centers," said Kathleen Loughlin, a spokesman for Facebook, in an email to Computerworld today. "As a result, the site may have been slow or timed out for some users. We worked diligently to resolve the issue as quickly as possible and it was fully resolved."
Continued here: http://www.computerworld.com/s/article/9176165/Facebook_Network_problem_that_slowed_site_is_fixed
Glype proxy may not cloak your identity
"Popular 'anonymous' service reveals sensitive information, says researcher"
A widely used proxy service thought to provide anonymous Web surfing and used to skirt network administrator bans on access to sites like Facebook frequently reveals sensitive information about its users, according to a Swiss security researcher.
Glype is a small bit of PHP code that routes requests for Web pages through other Web pages running its software, said the researcher, who runs the Swiss Security Blog and the Zeus Tracker project. He prefers to remain anonymous.
The Glype code allows someone to, for example, access Facebook at work even if that page is blocked, as it appears the traffic is coming from the Web page running the proxy. Many companies now block sites such as Facebook.
Continued here: http://news.techworld.com/security/3222227/glype-proxy-may-not-cloak-your-identity/
China drops out of 'Dirty Dozen' chart
Spam originating from hacked computers in China has "steadily reduced" and the country is now out of the Top 12 chart for spam relaying. However, the Asian continent continues to top the list for spam distribution, observes a new report.
In a Thursday report covering the first quarter of 2010, security vendor Sophos announced that China had dropped out of the "Dirty Dozen" list to become No. 15 in spam relaying, contributing to just 1.9 percent of the world's spam.
Graham Cluley, senior technology consultant at the security firm, said in the report that China had earned a bad reputation as the "launch pad of targeted attacks against foreign companies and government networks".
However, "at least in the last 12 months", China has shown that the proportion of spam relayed by computers in the country has steadily reduced, he noted.
Continued here: http://www.zdnetasia.com/china-drops-out-of-dirty-dozen-chart-62062956.htm
From Graham Cluley's Blog: China slides off list of top spam-relaying nations
New Spam Attack Abusing Amazon, Apple, Twitter Email Notification
From the Security Response Blog:
Surprising? Not the least bit. Spammers have always shown their liking for big names and brands. And very often these brands are abused to spread malware or gain access to users' accounts. However, they are also sometimes used only to entice users to open emails. These emails may contain links to pornographic or pharmacy sites.
During recent times we have monitored spam attacks that have used the email templates of famous Internet brands such as Amazon, Apple, and now, Twitter. Using the email templates of well-known newsletters and notifications is a commonly known trick to make recipients believe the authenticity of spam email. Recipients may treat these emails as legitimate and may open them without any suspicion. Though this attack uses an old trick, we feel it is important that users are reminded about this type of spam campaign, which has been observed for over a month or so. We have seen variations in the email templates (as mentioned: first Amazon, then Apple, and then Twitter) along with different methods of spreading the messages. After the initial attacks were effectively blocked by email filters, we saw the same version of spam being sent using bounce messages. This means that these messages would later be received in the form of a non-delivery receipt (NDR).
Spammers are mixing this up nicely by randomizing the URLs using hacked websites. For example:
Continued here: http://www.symantec.com/connect/blogs/new-spam-attack-abusing-amazon-apple-twitter-email-notification
Also: Spam Poses as a Twitter Email Notification
IT consultant gets 5 years for plundering $2m
".. from banks he administered"
A contractor who provided IT administration services to banks was sentenced to more than five years in prison this week after admitting he used his insider knowledge to plunder some $2m from four financial institutions.
Zeldon Thomas Morris, 43, was ordered to serve 63 months in federal prison and pay restitution of a little more than $1.8m, according to documents filed in US District Court in Utah. He was also required to forfeit cars, real estate, and other personal property, and prohibited for life from "participating in any manner in the affairs of any federally regulated financial institution."
Continued here: http://www.theregister.co.uk/2010/04/30/it_consultant_sentenced/