NEWS - January 16, 2013

This week's relentless onslaught of security patches continued late Tuesday afternoon when Oracle released its quarterly Critical Patch Update, a healthy dose of 86 security updates across all major product lines including Oracle Database and MySQL Server.

The most serious may be a critical privilege escalation vulnerability (CVE-2012-3220) in Oracle Database Server. An attacker who is authenticated and has the Create Table privilege can exploit this flaw to gain control of the underlying Windows systems.

"This type of vulnerability would likely be exploited in conjunction with another attack to elevate privileges from the database to the operating system," said Ross Barrett, senior manager of security engineering at Rapid7. "Oracle Database is their flagship product and to say it is widely deployed is putting it mildly."

Oracle has been under harsh criticism for much of the young year, primarily for a zero-day vulnerability in Java 1.7u10. Exploits for the previously undisclosed flaw were being hosted in a number of exploit kits and attacks have already been seen in the wild dropping ransomware and assorted other malware. Oracle did respond quickly with an out-of-band Java 1.7 u11 update that addressed the sandbox-bypass vulnerability, but security experts still recommend disable Java and warn there are ways to bypass the security enhancements in the latest Java update.

Continued : https://threatpost.com/en_us/blogs/oracle-releases-86-patches-its-january-critical-patch-update-011613

Also:
Oracle's January patches close 86 holes
Oracle delivers 86 security fixes
Oracle Fixes 86 Security Flaws in Massive Critical Patch Update

Also See: Vulnerabilities / Fixes - January 16, 2013

Researchers have unearthed a new type of phishing kit that allows crooks to target specific users and keep away others in order to keep the scheme hidden from knowing eyes and security firms for as long as it's possible.

"The bouncer phishing kit targets a preset email list for each campaign. A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack," Limor Kessem, Cybercrime and Online Fraud Communications Specialist at RSA, explained in a blog post.

"Here's the interesting part - much like a night club's bouncer list - any outsider attempting to access the phishing page is redirected to a '404 page not found' error message. Unlike the usual IP-restricted entry that many older kits used, this is a true—depending on how you look at it—black hat whitelist."

As other, non specified potential visitors are "turned away", those at whom the attack was aimed are immediately faced with an attack page on the same hijacked website. The credentials submitted to and collected from this page are sent to the attackers.

Continued : http://www.net-security.org/malware_news.php?id=2378

From the F-Secure Antivirus Research Weblog:

The targeted attack campaign dubbed Red October raises an interesting question for people working on the frontline of corporate security. How to defend one's own organization against such attacks? And the good news is that at least for campaigns such as Red October, the information has been available for a long time already.

From a technical point of view, the targeted attacks used by Red October look very much like any other corporate espionage. The attackers need to get a user to click on an interesting looking document, and then the program being used to view the document needs to be vulnerable to attack, after which the system needs to allow a payload to be written to disk, after which the payload needs to be able to communicate back to a C&C server.

So in order to foil the attack, we as defenders need to be able to prevent any of the stages and then the attack is failure from a data stealing point of view, even as there might be need for cleanup.

The first and most obvious defense is of course user education, all users should be trained to be suspicious of any documents coming from external sources. Especially if they are not expecting that party to send a document. But unfortunately a moment of inattention is all that it required to open something that should have just been deleted. Thus education alone is not enough.

Continued : http://www.f-secure.com/weblog/archives/00002487.html

Related:
Rocra Espionage Malware Campaign Uncovered After 5 Years of Activity
Java Exploit Linked to Red October Malware Campaign

"The restaurant chain is investigating a breach that may have exposed customer data at more than 100 of its locations"

The chicken food chain Zaxby's is warning customers that hackers may have compromised customer credit card data at locations throughout the country.

According to the company, suspicious files were identified on computer systems at several of the chain's restaurants in places as varied as Florida, Alabama and Georgia. All totaled, roughly 100 locations are listed as possibly affected. The company did not say when or how exactly the chain locations were hacked, and did not respond to a request for more information before publication.

However, in an interview with CRN, Blake Bailey, chief financial officer for Zaxby's, says the firm was told Nov. 9 by one of its credit card processors that potentially fraudulent activity had been traced to some of the company's restaurants. According to the CRN report, the malware was not on the point-of-sale systems at the restaurants, making this breach different from recent attacks on Barnes & Noble and other retailers. Instead, Bailey tells CRN, the malware was found on hard drives on computers located at the restaurants.

Continued : http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240146429/zaxby-s-restaurants-hit-with-data-breach.html.html

Also: Zaxby's Chicken Chain Warns of Possible Credit Card Thefts

Critical power generation systems inside two US power plants were infected with "known sophisticated malware" that spreads via USB drives, reports the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The malware, which the team didn't name, infected a handful of machines during a software update initiated by an outside technician. With supervisory control and data acquisition (SCADA) systems vital in flipping switches and turning dials inside power plans, remote access to such equipment could enable a saboteur or hacker to cause serious infrastructure damage.

"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits," according to the ICS-CERT report (pdf). "Initial analysis caused particular concern when one sample was linked to known sophisticated malware."

Continued : http://www.hotforsecurity.com/blog/malware-infecting-us-power-plant-scada-systems-5050.html

Also:
Malware infects US power facilities through USB drives
Viruses infect vital control systems at TWO US power stations

Google is continuing to introduce new security technologies in its Chrome browser, and the latest addition on the horizon is support for unprefixed Content Security Policy, a behind-the-scenes improvement designed to prevent malicious script injections. The technology is included in the beta of Chrome 25, which was released earlier this week, and will soon find its way into the stable channel.

One of the many attack vectors that have made life easier for the bad guys in the last few years is cross-site scripting. This attack relies on specific vulnerabilities in Web applications that allow attackers to get their own malicious scripts onto a legitimate Web page. Browsers will then run those scripts as if they were part of the trusted Web page, enabling the attacker to plant malicious code on a victim's machine or steal sensitive data.

Content Security Policy is one mechanism for preventing these kinds of attacks by allowing users to define which content sources they trust. Chrome then will run scripts only from those trusted sources, creating a whitelist of known good content sources and ignoring content from all other sources.

Continued : https://threatpost.com/en_us/blogs/chrome-25-support-unprefixed-content-security-policy-011613

"Graph Search makes it easier for cyber criminals to gather relevant details that can be used to target phishing attacks more effectively."

Facebook shook the tech world's foundation a bit with the announcement of Graph Search capability. Users are anxious for a chance to play with the new feature, and attackers are looking forward to this potent new weapon, er, tool as well.

In a nutshell, Facebook Graph Search is a search engine that allows you to find things based on relationships and context--basically drawing from the limitless pool of Likes, tags, and check-ins posted by a billion Facebook members.

From a search perspective, Graph Search seems like a very powerful tool--something that makes search more personally relevant, and a concept that should have Google worried a bit. You can search based on people, places, friends, and interests. For example, you can do a search for "friends who like The Beatles and live in Chicago," or "Italian restaurants my friends have visited nearby."

However, it's a bit of a double-edged sword as well. Andrew Storms, director of security operations for nCircle, says, "The new Facebook Graph Search is a phishers' dream come true. It takes the micro-targeting capabilities that have been available to online advertisers for years and puts them into the hands of cyber criminals."

Continued : http://www.networkworld.com/news/2013/011613-facebook-graph-search-is-an-265890.html