AusCERT Week in Review for 25th January 2013
Date: 25 January 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16886

Greetings,

Those of you who remember the hack of the Sony PlayStation Network back in April 2011 should be interested to hear that the UK's Information Commissioner's Office has issued a £250,000 fine against Sony for breaching the Data Protection Act. While the fine is something of a drop in the ocean for the Japanese multinational, it sends a strong message to other companies about the security of customers' sensitive personal information. It is likely that we'll see similar fines issued to companies with poor security practices in the event of future data breaches.

Poland's computer emergency response team (CERT Polska) announced last week that it has successfully taken over a number of domains linked to the Virut botnet. The Polish domain registry, NASK, took over 23 Virut domains on 17 January. The Virut botnet, which has existed since 2006, is believed to have a staggering 890,000 infected IPs in Poland alone, not counting infections outside the country, and anti-virus company Kaspersky Lab reports that Virut infections made up 5.5% of all malware infections observed by its systems in the third quarter of 2012.

Last week reports surfaced of the financial malware 'Shylock' propagating via Skype, and this week researchers identified two more pieces of malware, 'Bublik' and 'Phorpiex', which also use Skype to propagate. Trend Micro additionally discovered a worm, 'Kepsy', which helps spread 'Bublik' over Skype and clears the Skype history as it goes. 'Bublik' is believed to be a rootkit which acts as a remote access backdoor; its other functionality includes uploading and downloading files to and from a C&C server, downloading and installing additional plug-ins, monitoring browser activity, and gathering information on running applications and processes and on the system and network.

'Phorpiex' has quite different functionality: it targets removable drives and spreads via Skype messages containing links to sites hosting the malware, while at the same time connecting to an IRC server to receive commands from the attacker. With the forced move of Windows Live Messenger users over to Skype scheduled for March, it is anticipated that we'll see an increasing number of similar pieces of malware propagating via Skype.

Cesar Cerrudo, a security researcher from IOActive, recently discovered a bug in Twitter which gave third-party applications access to users' private (direct) messages even when the applications had not been granted that level of access. Cerrudo reported the issue to Twitter's security team, who developed and deployed a fix on 17 January 2013; Cerrudo described the team as "very fast and responsive". However, Twitter has not issued any alert or advisory notifying users of the issue or its fix.

This week's top five bulletins (in no particular order):

1) ESB-2013.0098 - ALERT [Win] Schneider Electric Interactive Graphical SCADA System: Administrator compromise - Remote/unauthenticated (22/01/2013)
Schneider's IGSS is a desktop application which integrates the configuration and monitoring functions of industrial control components from a wide range of vendors into a single interface. An independent researcher from Exodus Intelligence identified a buffer overflow vulnerability in IGSS which could be exploited remotely, without authentication, to cause a denial of service or potentially an administrator compromise. If your organisation uses this product you should apply the patch immediately!

2) ESB-2013.0097 - [Appliance] BIG-IP: Administrator compromise - Existing account (22/01/2013)
F5 released a bulletin this week detailing an administrator compromise vulnerability across its range of BIG-IP products. Although exploiting the vulnerability requires an existing account, it is quite serious and the patches should be applied to correct the issue.

3) ESB-2013.0106 - [Cisco] Cisco Wireless LAN Controllers: Multiple vulnerabilities (24/01/2013)
Cisco announced that its family of Wireless LAN Controllers is affected by four vulnerabilities which could allow code execution, denial of service or unauthorised access to the devices. Cisco has released patches to address these vulnerabilities.

4) ASB-2013.0010 - [Win][UNIX/Linux] WordPress: Multiple vulnerabilities (25/01/2013)
WordPress received a maintenance and security update this week, which includes fixes for a number of vulnerabilities with potential impacts including cross-site scripting and cross-site request forgery. The WordPress developers have made updating extremely simple from within the administration console, and administrators should apply this update as soon as possible.

5) ASB-2013.0009 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities (24/01/2013)
This week's obligatory web browser bulletin mention goes to Google Chrome, for its second security update in two weeks! Five vulnerabilities were corrected in Chrome this week, with impacts including code execution and denial of service.

Melbourne will host the next AusCERT Security on the Move, being held on 14 March 2013 at the InterContinental Melbourne The Rialto, 495 Collins Street. Presenters include Malcolm Shore, Allex Tilley, and our own Graham Ingram and Angus Gardner.

Lastly, a quick reminder that the Call for Presentations and Tutorials for the AusCERT2013 Conference is still open; the deadline for submissions is only six days away, with the CFP closing on 31 January 2013. AusCERT welcomes original contributions for presentations and tutorials not previously published, under a range of broad categories. For more information please go to: http://conference.auscert.org.au/conf2013/CFP.html

Have a great weekend!

Jonathan