Friday, 25 March 2011

Security Weekly News 25 March 2011 - Full List

Category Index

Hacking Incidents / Cybercrime
The Recent RA Compromise
On March 15th 2011, a Comodo affiliate RA was compromised resulting in the fraudulent issue of 9 SSL certificates to sites in 7 domains. Although the compromise was detected within hours and the certificates revoked immediately, the attack and the suspected motivation require urgent attention of the entire security field.
At no time were any Comodo root keys, intermediate CAs or secure hardware compromised. The compromise occurred at an affiliate authorized to perform primary validation of certificate requests. The compromise was promptly reported to the owners of the domains affected and the major browser providers and to the relevant government authorities.
In this blog post I will set out the relevant events as they are currently understood. More detailed information can be found in the incident report.
Security notice
The box was compromised and the attackers were able to collect wiki account credentials. No other machines in the infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.
We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.
Rustock botnet out of action
Microsoft's Digital Crimes Unit reports that it has infiltrated the notorious Rustock botnet, consisting of an estimated 1 million infected PCs which were able to be remotely controlled for criminal ends. On the back of extensive research work and through the use of legal measures, the company gained access to, analysed and finally disabled command and control servers at five hosting providers in seven US states. The techniques used mirrored those used a year ago to take down the Waledac botnet.
RSA, one of the leading global manufacturers of cryptographic solutions, has apparently fallen prey to an attack in which data was stolen from its servers. According to a press release from RSA's CEO, Art Coviello, to RSA customers, part of the data included information about SecurID products, which could endanger their security.

Unpatched vulnerabilities
It seems that Stuxnet has given many security experts an interest in the potential holes in industrial control and SCADA (Supervisory Control and Data Acquisition) systems. Security specialist Luigi Auriemma, previously mainly known for detecting holes in games and media players, has released a list of 35 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), Iconics (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).
Security flaw in RealPlayer
For the time being, users of RealPlayer should be careful to check the origin of files in the 'Internet Video Recording' before playing them. A heap buffer overflow that occurs when the file is parsed allows attackers to inject and execute code locally. Because RealPlayer also runs as a browser plug-in, all users need to do is visit a specially crafted website to infect their PC.

Software Updates
Firefox 4 Released!
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer which should protect most users. This is not a Firefox-specific issue. As part of our ongoing commitment to providing a secure Web experience for users, we have updated Firefox 4.0, 3.6, and 3.5 to recognize these certificates and block them automatically.
A critical vulnerability has been identified in the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2011-0609), as referenced in Security Advisory APSA11-01, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
A critical vulnerability has been identified in Adobe Flash Player and earlier versions (Adobe Flash Player and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems, and Adobe Flash Player and earlier versions for Android. This vulnerability (CVE-2011-0609), as referenced in Security Advisory APSA11-01, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild against Flash Player in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
Flash Player 10.2 is now available for download on Android Market. This is a production GA (General Availability) release for Android 2.2 (Froyo) and 2.3 (Gingerbread) devices and an initial beta release for Android 3.x (Honeycomb) tablets that include at least Google's 3.0.1 system update.* To see if your device is certified for Flash Player 10.2, visit:
The beta of Flash Player 10.2 for Android 3.x is an exciting release that brings a full web browsing experience, including video, games and other interactive content, to the latest Android tablets. We have been working very closely with Google through the development of this beta to ensure tight integration and optimization between Flash Player 10.2 and new OS and browser capabilities.
Apple has released some Security updates and various fixes today.
Here are some handy links with a summarised list of the software.
These vulnerabilities are fixed in VLC version 1.1.8
Joomla! 1.6.0 is vulnerable to Full Path Disclosure.
The Camino Project has issued version 2.0.7 of its open source web browser for Mac, a maintenance release that addresses several issues found in the previous version from mid-November of last year. According to the developers, the latest stable release of Mozilla's Mac browser includes updates that blacklist several invalid HTTPS certificates. It also restores the ability for certain Java applets to open new windows.
The Apache HTTPClient library has been updated to version 4.1.1 to close a critical bug in the library which sent the Proxy-Authorization header on to hosts when tunnelling through proxy servers which required authentication. The developers 'strongly encourage' all users of HTTPClient 4.0.x and 4.1 to upgrade to the new version. According to the change log, four other non-security bugs were also fixed.

Business Case for Security
Slow-growing demand is about to get a boost, Frost & Sullivan says
As threats become more severe and complex, the demand for security information and event management tools will grow to more than $1 billion worldwide by 2015, according to an industry research firm.
The market for SIEM tools, which has been slow-growing for more than a decade, is about to get a shot in the arm, according to a report issued last week by Frost & Sullivan.
The study, 'World Security Information and Event Management (SIEM) and Log Management Products Market,' reports that the SIEM market earned revenues of $678.1 million in 2009 and predicts that this figure will hit $1.3 billion in 2015.
Information security policies and corresponding controls are often unrealistic. They don't recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.
This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.
Hackers Take Schools To School
Nearly two-thirds of schools suffer two breaches or more per year, Panda Security study says
Some 63 percent of K-12 schools say they have experienced at least two security breaches in the past year, according to a new study, and their IT administrators are struggling to find the resources they need to keep up with security tasks.
According to the 'Panda Security Kindergarten-12 Education IT Security Study,' which was published today, many schools are struggling to find the time and resources they need to build out their security programs.
PCI Playing Mobile Limbo
Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Given the very nature of PCI, it does horribly when dealing with new technologies. That is, of course, the exact area where PCI needs to be really strong. When technology is new, that's when PCI guidance is most needed. Six months after everyone has deployed is not the best time to weigh in with advice. Giving retail chains a choice of either holding back or not complying with PCI is hardly the best move for an industry that needs to constantly grow and evolve.

Web Technologies
Recently, a colleague sent me an email which provided a flashback into my own past:
Hey, Eric--
Why do we show this when opening HTML locally? What are we protecting the user from?
Internet Explorer restricted this webpage notification bar
I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly complicated answer is one of the key reasons I joined the IE team a few months later.
At the time, I was working as a Program Manager on the Office Online website, and I'd come across the specs for the Windows XP SP2 (codename "Springboard") updates to the web browser. Now, by this time, I'd been working on the web for nearly 8 years, and I "knew" what everyone else did about web security: you're supposed to treat web content on the Internet as hostile, but script running from your local computer was obviously more trusted and thus should run freely. What were these Springboard guys thinking? Didn't they know how the web was supposed to work?
According to Tor developer Jacob Appelbaum and a blog posting by the Mozilla Foundation, the Comodo SSL Certification Authority may have been compromised. As a consequence, criminals apparently obtained nine certificates for web sites that already existed, including There is no official statement on whether the situation was caused by insufficient checks during the certification process or by a breach of Comodo's infrastructure.
Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting month and I've learned a bunch. The main takeaway from this experiment is that I don't need a three-digit number of trusted CAs in my browser. Again, this is person specific and US centric, but the total count as of today is 10! The list of subject names and signatures follows for those interested in the exact list.
Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid and in which the browser, rather than the server, is the victim.
These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS and Clickjacking, use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server-centric attacks like SQL injection, for which the attacker is in full control of the client.
The PHP-Nuke version 8.x and lower versions are vulnerable to Cross Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer Check) is found to be broken.
Abraham's note: You should be using random tokens for CSRF protection as described here:
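A minimal model of the random-token (synchronizer token) approach the note recommends, added here as an illustration; it is not code from PHP-Nuke or from the linked article, and the in-memory session store, the session id and the form action are constructed for the demo. The point it shows is why a token beats a Referer check: a cross-site form post rides on the victim's cookie, but it cannot read the page that carries the token, so it cannot supply it.

```python
"""Synchronizer-token CSRF protection, modelled as a small stand-alone form handler."""
import hmac
import secrets

# Constructed server-side session store: session id -> session data (demo assumption).
SESSIONS = {}


def issue_csrf_token(session_id):
    """Return the session's CSRF token, minting an unguessable one on first use.
    The token is rendered into every state-changing form as a hidden field."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return session["csrf_token"]


def verify_csrf_token(session_id, submitted):
    """Compare the submitted token with the session's token in constant time."""
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def render_form(session_id):
    """Build the form markup a legitimate page would serve, carrying the hidden token."""
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="/profile/delete">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Delete account</button></form>')


def handle_delete(session_id, form):
    """State-changing handler: the session cookie alone (session_id) is not enough;
    the request must also carry the token that only a page from this site could know."""
    if session_id not in SESSIONS:
        return "401 not logged in"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 csrf token missing or invalid"
    return "200 account deleted"


def demo():
    """Walk through a forged post, a guessed token and a genuine submission."""
    SESSIONS.clear()
    SESSIONS["sess-victim"] = {}  # the victim is logged in; constructed session id
    page = render_form("sess-victim")
    genuine_token = SESSIONS["sess-victim"]["csrf_token"]
    forged = handle_delete("sess-victim", {})                       # no token at all
    guessed = handle_delete("sess-victim", {"csrf_token": "x" * 43})  # wrong token
    legitimate = handle_delete("sess-victim", {"csrf_token": genuine_token})
    return forged, guessed, legitimate, genuine_token in page


if __name__ == "__main__":
    print(demo())
```

The token is bound to the server-side session rather than derived from the Referer header, so it does not depend on the browser sending (or the attacker being unable to satisfy) a header that proxies and privacy settings routinely strip; the same pattern applies unchanged to PHP or any other server stack.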
Spot the Vuln - Invincible
This week's vulnerability was a tricky one. The bug patched in this change list affected the Comment-Rating plugin for WordPress (fixed in 2.9.24). Let's take the bug step by step. First, the application takes a user/attacker supplied value and runs it through an escaping function here (line 9):
$k_id = strip_tags($wpdb->escape($_GET['id']));
So, $k_id is now tainted and contains an escaped value provided by the attacker. A few lines later, we see the following code:
Today, we're updating the Chrome beta channel with a couple of new capabilities, especially for web developers. Fresh from the work that we've been doing with the HTML Speech Incubator Group, we've added support for the HTML speech input API. With this API, developers can give web apps the ability to transcribe your voice to text. When a web page uses this feature, you simply click on an icon and then speak into your computer's microphone. The recorded audio is sent to speech servers for transcription, after which the text is typed out for you. Try it out yourself in this little demo. Today's beta release also offers a sneak peek of GPU-accelerated 3D CSS, which allows developers to apply slick 3D effects to web page content using CSS.
The New York Times is estimated to have spent $40 million to $50 million to construct an elaborate new paywall that will force some users of the site to pay a monthly fee to read paper content. But just days after rolling out a version of the paywall, the newspaper is playing whack-a-mole with loyal readers who have found simple ways around it.
In the days since the paywall went live, readers have leveraged Twitter and some simple Web programming to circumvent the paywall, which limits readers to 20 free articles a month. Kristin Mason, a New York Times spokesperson, said in an e-mail message, that the company is monitoring the situation, but expects 'some percentage of people who find ways around our digital subscriptions.'

Network Security
Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries being used in the attack. This occurs when you revisit that same malicious site. The malicious site also changes certain strings used inside the animation sequences. For this blog, I have visited that site a few times in span of a minute and collected the various source files and malicious binaries. Here are the screenshots of fake security warnings for different visits:
Wipe, rinse and repeat
Most of us have faced a time when a machine gets compromised with malware. In some cases it gets to the point where cleaning the infected computer is too time consuming or too difficult, so the easy option is to wipe the machine and rebuild it.
Just before the forensic community (or some of my fellow handlers) lynch me for making this over generalised, evidence eliminating statement, allow me to elaborate.
Read only USB stick trick
The sad demise of readily available, cheap USB sticks with a switch to flip the device to be read only has caused some problems when dealing with suspicious machines, especially when I'm off duty and I hear the dreaded words "Oow, you're in IT - could you have a look at my computer quickly?"
Back in the good old days, I could pick them up at nearly all my favourite shops and the vendors gave them away by the bucket load, but alas, they seem to have all but disappeared.
CD/DVD or Blu-ray disks are great, but lugging around a hardened CD case really does clash with some of my outfits and doesn't always send out the right message, particularly at romantic dinners, standing at a checkout or trying to order drinks at a bar. This is where a small USB key, fitting neatly into a pocket, helps me blend in with the rest of humanity almost seamlessly. Almost.
Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on Penetration Tests in the past but didn't know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn't get a chance to.
Password cracking in the cloud
Passware Kit Forensic is commercial software that enables users to harness the power of cloud computing to accelerate password recovery. It allows the use of Amazon Elastic Compute Cloud for accelerated password recovery, without the need to buy hardware.

Mobile Security
Private users can now protect their BlackBerry smartphones in the same way that corporate users do using the BlackBerry Enterprise Server. The Canadian BlackBerry maker Research in Motion (RIM) is now providing the BlackBerry Protect application, previously only available to customers in the US, to European customers. The free service includes client software for the BlackBerry and a web application.
Security specialist Michael Gough, best known for his attacks on VoIP systems, appears to have discovered a vulnerability in LAN-attached access control systems. The vulnerability apparently allows electronic locking systems to be opened without authorisation over a network. Working with developer Ian Robertson, Gough has developed an Android app called Caribou which exploits the vulnerability to unlock doors for which an RFID key card would normally be required.
iOS 4.3.1 Leaked!
By Gamal Sabry at Wednesday, March 23, 2011
Here's another proof from BGR: they have leaked screenshots of the upcoming iOS 4.3.1, which has been tested by someone inside Apple. According to the source, iOS 4.3.1 will simply fix bugs and improve battery life. You can check out the changes from iOS 4.3 after the jump.

The Tor Project has long understood that the certification authority (CA) model of trust on the internet is susceptible to various methods of compromise. Without strong anonymity, the ability to perform targeted attacks with the blessing of a CA key is serious. In the past, I've worked on attacks relating to SSL/TLS trust models and for quite some time, I've hunted for evidence of non-academic CA compromise in the wild.
I've also looked for special kinds of cooperation between CAs and browsers. Proof of collusion will give us facts. It will also give us a real understanding of the faith placed in the strength of the underlying systems.
Does certificate revocation really work? No, it does not. How much faith does a vendor actually put into revocation, when verifiable evidence of malice is detected or known? Not much, and that's the subject of this writing.
THE spy approaches the target building under cover of darkness, taking a zigzag path to avoid well-lit areas and sentries. He selects a handy vantage point next to a dumpster, taking cover behind it when he hears the footsteps of an unseen guard. Once the coast is clear, he is on the move again - trundling along on four small wheels.

Transmitting Data Through Steel
This is cool:
Tristan Lawry, doctoral candidate in electrical and computer engineering, has developed equipment which can transmit data at high rates through thick, solid steel or other barriers. Significantly, Lawry's kit also transmits power. One obvious application here would be transmission through the steel pressure hull of a submarine: at the moment such hulls must have hundreds of penetrations for power and data cables, each one adding expense, weight and maintenance burden.
Detecting Words and Phrases in Encrypted VoIP Calls
Abstract: Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs.
This rather unusual security measure was discovered when an editor at c't magazine, The H's associates in Germany, in preparation for an article, routinely fed a few input fields with character strings that would indicate if there were XSS or SQL injection problems at the site. Unfortunately, such security holes are still very common and would be unforgivable for a central password storage service. When a colleague of the editor tried to access the Lastpass web site a little later, he was only presented with the message that his IP address had been blocked due to suspicious activities.
Canadian vendor selling assets in order to raise money for creditors.
Nortel Networks Corp. is doing its bit to alleviate the Internet space crunch, selling 666,624 IP addresses to Microsoft Corp. for $7.5 million.
The Canadian telecommunications-equipment maker, which filed for bankruptcy protection in 2009, is selling assets to raise money for creditors. In court papers Monday, Nortel urged quick approval of the address sale to make the most of the opportunity to profit from its store of strings of numbers that identify particular devices hooked to the Internet: computers, Web-enabled phones, and other gadgets.

Android on
Here's a bit of advice for would-be gadget thieves: don't steal other people's stuff. But if you do have the compulsion to take what isn't yours, do the world a favor, and make sure you steal from people who are incredibly tech-savvy, like Mark Bao. The 18-year-old entrepreneur and student at Bentley University in Waltham, Massachusetts had his MacBook Air stolen roughly two months ago. Last week, Bao discovered he could access some features of the machine, including his browser history and the contents of his hard drive. One of the revelations was that his thief (as have others before him) immediately took a picture with Photo Booth. The crook even recorded himself dancing (terribly) to a remix of Tyga's 'Make it Rain,' which Bao posted on YouTube. Check it out after the break.