@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

February 28, 2013
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 9

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 2/19/2013 - 2/26/2013
============================================================

TOP VULNERABILITY THIS WEEK: Oracle's Java woes continued this week, with a detail-free announcement of a pair of new vulnerabilities by Security Explorations and confirmation that a previously patched vulnerability is now being actively exploited in the wild.

============================================================

TRAINING UPDATE

-- SANS 2013 Orlando, FL March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013

-- SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

-- Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

-- Looking for training in your own community?
http://www.sans.org/community/

-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Link: *********************

1) Take the Mobile Application security Survey! Enter to Win an iPad!
http://www.sans.org/info/125672

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: New Java vulnerabilities announced, old one exploited in the wild
Description: Polish security firm Security Explorations has privately disclosed details of two vulnerabilities in Java to Oracle while publicly announcing their existence. The firm states that these new vulnerabilities affect the newest released version of Java 1.7. Details of these vulnerabilities are not yet public, and no proof-of-concept code is known beyond what the firm shared with Oracle. Meanwhile, the Java 7u11 vulnerability CVE-2013-0431 is being exploited in the wild via multiple exploit kits; users are urged to patch immediately.
Reference:
https://threatpost.com/en_us/blogs/two-more-java-zero-days-found-polish-research-team-022513
https://community.rapid7.com/community/metasploit/blog/2013/02/25/java-abused-in-the-wild-one-more-time
Snort SID: 25861, 25862
ClamAV: Java.Trojan.Agent-22

Title: Vulnerability in Adobe Flash Player (CVE-2013-0633) seeing broad exploitation
Description: Since last week's newsletter, which noted that this attack had been limited in scope, this vulnerability has seen mainstream adoption, including inclusion in the "Gong Da" exploit kit. Originally spread primarily by email as content embedded in Word documents, this now-patched vulnerability is now being exploited heavily over HTTP. Users are strongly encouraged to patch as soon as possible.
Reference:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
http://eromang.zataz.com/2013/02/26/gong-da-gondad-exploit-pack-add-flash-cve-2013-0633-support/
Snort SID: 25681, 25683
ClamAV: BC.Exploit.CVE_2013_0633

Title: Apple iPhone lock screen bypass
Description: The Apple iPhone on version