Threat Level: green Handler on Duty: Russ McRee

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sophos 2012 Security Threat Report

Published: 2012-02-03
Last Updated: 2012-02-03 22:34:15 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Last week Sophos released it 2012 Security Threat Report which highlighted some key finding from 2011:

- Smartphones and tablets causing significant security challenges
- Major data breaches and targeted attacks on high-profile companies and agencies
- Hacktivism -> A shift from hacking for money to hacking as a form of protest or to prove a point
- Conficker worm is still the most commonly encountered pieces of malicious software seen is Sophos customers
- Fake antivirus software is still the most common type of malware but in second half of the year appears to be on the decline
- Spearphishing attacks on the rise

Despite all this, some successes "On March 16, 2011 a coordinated effort known as Operation b107 between Microsoft, FireEye, U.S. federal law enforcement agents and the University of Washington knocked Rustock offline." [1] The entire report available here.

Handler Mark published a diary on some of the things to take in consideration "When your service provider has a breach". [3]

[1] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-07.aspx
[2] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-01.aspx
[3] https://isc.sans.edu/diary.html?storyid=10651
[4] http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf

Data breach diaries reported by ISC in 2011:

[1] Wordpress.com https://isc.sans.edu/diary.html?storyid=10729
[2] RSA Breach https://isc.sans.edu/diary.html?storyid=10609
[3] Lockheed Marting https://isc.sans.edu/diary.html?storyid=10939
[4] Sega Pass https://isc.sans.edu/diary.html?storyid=11065
[5] SonyPictures https://isc.sans.edu/diary.html?storyid=10996
[6] DigiNotar SSL Breach (result = bankruptcy) https://isc.sans.edu/diary.html?storyid=11479
[7] GlobalSign https://isc.sans.edu/diary.html?storyid=12205
[8] Stratfor Global Intelligence https://isc.sans.edu/diary.html?storyid=12271

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: 2012 Sophos
0 comment(s)
ISC StormCast for Friday, February 3rd 2012 http://isc.sans.edu/podcastdetail.html?id=2302

Critical PHP bug patched

Published: 2012-02-03
Last Updated: 2012-02-03 05:40:36 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Just about a month ago, PHP 5.3.9 was released, which included a patch for the "hash collision" problem. The basic hash collision problem affected various languages, including php and .Net (Microsoft fixed the issue in an out of band patch 2011-100 in late December).

PHP fixed the issue not by introducing a new hash function, but instead it limited the number of input parameters. Just like the php hardening patch suhosin did all along, PHP now supported a "max_input_var" parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications.

Sadly, the fix was implemented incorrectly, and introduced a more severe vulnerability, a remote code execution vulnerability. Thats right: An attacker could craft a request, that will execute code on a web server running PHP 5.3.9.

Today, the PHP team released PHP 5.3.10 to address the issue.

If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug

If you are running PHP 5.3.8: DO NOT UPGRADE TO 5.3.9. I would actually recommend that you wait. 

Additionally, try to enable Suhosin if at all possible. There is a slight performance hit, but it is unlikely to break your web application unless you are already tight in resources. Many Linux distributions include Suhosin, so it may be pretty easy to set up.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: php
2 comment(s)
New Poll - What security issue concerns you the most this year?
PHP 5.3.10 Released, Fixes CVE-2012-0830 available for download http://www.php.net/archive/2012.php#id2012-02-02-1
Diary Archives