Friday, 6 May 2011

Security Weekly News 06 May 2011 - Full List

Category Index

Hacking incidents / Cybercrime
 
LastPass.com, a free password management service that lets users unlock access to all of their password protected sites with a single master password, is forcing all of its approximately 1.25 million users to change their master passwords after discovering that intruders may have accessed the company's user database.
In an alert posted to the company's blog late Wednesday, LastPass said that on Tuesday morning it spotted a "traffic anomaly" - unexplained transfers of data - from one of the company's databases. From that blog entry:
 
The assault force of Navy SEALs snatched a trove of computer drives and disks during their weekend raid on Osama bin Laden's compound, yielding what a U.S. official called "the mother lode of intelligence."
The special operations forces grabbed personal computers, thumb drives and electronic equipment during the lightning raid that killed bin Laden, officials told POLITICO.
"They cleaned it out," one official said. "Can you imagine what's on Osama bin Laden's hard drive?"
U.S. officials are about to find out. The material is being examined at a secret location in Afghanistan.
 
Hackers `steal X Factor details`  [www.monstersandcritics.com]
Details of more than 250,000 X Factor entrants are said to have been stolen and Simon and bosses at American TV network Fox, are said to be scared that the thieves will use the details to make money.
An official investigation has been launched and an email, which was seen by the Daily Star, was sent to all contestants to warn them about the security breach.
 
Best Buy Suffers Second Email Breach  [www.darkreading.com]
Epsilon hack victim's customer emails exposed yet again -- via a different vendor
Best Buy, which was among the 100 or so companies hit in the recent Epsilon breach, is responding to a second consecutive breach at the hands of one of its vendors.
The big-box electronics retailer found on April 22 that email addresses of some of its customers had been 'accessed without authorization' via one of its vendors, according to a Best Buy spokesman, who declined to name the vendor. Best Buy had already parted ways with that provider prior to the discovery of the breach, he said, due to a 'strategic business decision.'

Unpatched vulnerabilities
 
According to an advisory from security services provider Secunia, the VLC Media Player is at risk from multiple vulnerabilities in the Libmodplug library, which it rates as 'highly critical'. First reported by a user with the pseudonym of 'epiphant', Libmodplug, also known as the ModPlug XMMS Plugin, is said to be prone to stack-based buffer overflows caused by 'boundary errors within the 'abc_new_macro()' and 'abc_new_umacro()' functions in src/load_abc.cpp'.
 
Is Abbey Road in Russia? Nikon's image verification system says this picture is real.
Source: Elcomsoft Nikon's image verification system has been cracked. Hackers at ElcomSoft say they have managed to extract Nikon's secret signature key from a camera and sign arbitrary images with it

Software Updates
 
 
 
Apple has released versions 4.3.3 and 4.2.8 of its iOS mobile operating system; the updates address the previously reported concerns about a database on the company's iPhone, iPad and iPod Touch devices that was apparently tracking the location of the device. The updates come less than two weeks after researchers reported that the devices held this information and published a tool to visualise the stored data on a map.
 
Chrome: Left-Before, Right-After. Google has released the stable version of Chrome 11. After the update, users will have version 11.0.696.57 of Google's web browser. As previously reported, Chrome 11 features the addition of a new logo that drops the previous 3D bubble look for a flatter and more simple look
 
The patch resolves several security issues (CVE-2011-1786, CVE-2010-1324, CVE-2010-1323, CVE-2010-4020, CVE-2010-4021, and CVE-2011-1785) affecting OpenLDAP and KRB5.
 
Cisco has released an update for it's Unified Communications Manager software which fixes multiple vulnerabilities. The update closes two SQL injection vulnerabilities in the Unified Communications Manager which allowed an attacker to take control of the communications server.
 
The developers of Dropbox have published an experimental update 1.2.0 for Windows, Mac OS X and Linux to solve the recently reported security problem. Unauthorised parties could gain access to the online storage service, and hence to the files stored there, without being noticed simply by copying the configuration file to another system.
 
With a hotfix, Microsoft has solved the problems that occurred in PowerPoint 2003 after the last Patch Tuesday update. A security patch released in April's round of updates prevented some presentations with background images from opening, resulting in an error message stating that the file is corrupted and cannot be fully displayed. As a workaround, Microsoft recommended uninstalling the affected patch via the Control Panel. Only users of PowerPoint 2003 are affected as later versions of the presentation software do not contain the bug.
 
The WordPress.org development team has released version 3.1.2 of its open source blogging and publishing platform, a maintenance and security update to WordPress 3.1 from late February.
 
Following on from its security patch for Flash Player, Adobe has now released new versions of Adobe Reader 9.x and 10.x and Acrobat X for Windows and Macintosh ahead of schedule. They were originally intended for release on 25 April, but because of the numerous exploits for the vulnerability (CVE-2011-0611) already circulating in the wild, Adobe decided a little more urgency was called for. The vulnerability was first disclosed on 14 March and was provisionally patched shortly thereafter.
 
Microsoft will support the FBI in its efforts to combat the Coreflood/Afcore botnet by releasing an out-of-schedule update for its Windows Malicious Software Removal Tool (MSRT). The company usually only updates the tool on the second Tuesday of every month, and it seems that the criminals behind Coreflood were aware of this as they circulated new variants of the worm at approximately the same time as Microsoft released its April MSRT update. Microsoft says that the update also provides additional enhancements to the MSRT engine for other malware families.
 
Microsoft has released the first security update for its Windows Phone 7 smartphone operating system.
 
The web-based user interface of the ZyWall range of products contains vulnerabilities that allow unauthorised attackers to obtain data and reconfigure devices. The ZyXEL USG 20, 20W, 50, 100, 200, 300, 1000, 1050 and 2000 appliances are affecte
 
John the Ripper 1.7.7 released  [www.vulnerabilitydatabase.com]
John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.
 
Sysinternals updates  [technet.microsoft.com]
ZoomIt v4.2
This update to ZoomIt, a screen magnification and annotation utility, now adjusts the drawing pen size when you enter drawing mode from live zoom to match the static zoom pen size.
Process Explorer v14.11
Process Explorer v14.11 includes the ability to configure network and disk activity icons in the tray.
 
sqlmap 0.9 released  [seclists.org]
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking
over of database servers. It comes with a kick-ass detection engine,
many niche features for the ultimate penetration tester and a broad
range of switches lasting from database fingerprinting, over data
fetching from the database, to accessing the underlying file system
and executing commands on the operating system via out-of-band
connections.
 
Remember the news about iPhone recording all the places where it goes? iPhoneTracker was developed to map the information when the iPhone is synchronized to a OSX machine. Handler Bojan ported it to Linux and named it iPhoneMap. I tested it myself on cygwin and works perfect.

Business Case for Security
 
You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. have recently suffered a quite lengthy outage - what you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider. What you probably didn't know is that AWS is ISO 27001 certified.
But isn't ISO 27001 a guarantee against such service outages? Didn't a certification company check the AWS? What's the point of ISO 27001 if such things can happen?
The answers are: No, Yes, and Lower risk.
Let me explain...
ISO 27001 certification does not guarantee that the Internet service provider is going to have uptime of 100%, or that none of the confidential information is going to leak outside the company, or that there would be no mistakes in data processing. ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it is guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks. ISO 27001 does not guarantee that none of the incidents is going to happen, because something like that is not possible in this world.
 
But most professionals still don't think PCI has much of an impact on security, Ponemon/Imperva study says
PCI-compliant companies have fewer breaches, but most security pros still don't believe compliance has much positive impact on data security, according to a study released last week.
 
Following up on this morning's news that Sony Online Entertainment servers were offline across the board, SOE announced that it has lost 12,700 customer credit card numbers as the result of an attack, and roughly 24.6 million accounts may have been breached.
The company took SOE servers offline after learning of the attack last evening, and today detailed the unfortunate results: 'approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands, and Spain' were lost, apparently from 'an outdated database from 2007.' Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder come from the aforementioned four European countries.
 
In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers-and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches, said Spafford.
 
Like any industry, high tech has its share of scandals. But they are invariably made worse by companies that react to bad news by hoping no one will notice. As the saying goes, it's not the crime, it's the cover-up that kills you.
 
The recent data breach at security industry giant RSA was disconcerting news to the security community: RSA claims to be "the premier provider of security, risk, and compliance solutions for business acceleration" and the "chosen security partner of more than 90 percent of the Fortune 500."
The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. What's more, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security.

Web Technologies
 
It's astonishing that 10 years of technological progress have produced web application behemoths like Facebook, Twitter, Yahoo! and Google, while the actual technology inside the web browser remained relatively stagnant. Companies have grown to billion-dollar valuations (realistic or not) by figuring out how to shovel HTML over HTTP in ways that make investors, advertisers, and users happy.
The emerging HTML5 standard finally breathes some fresh air into the programming possible inside a browser. Complex UIs used to be the purview of plugins like Flash and Silverlight (and decrepit, insecure ActiveX). The JavaScript renaissance seen in YUI, JQuery, and Prototype significantly improve the browsing experience. HTML5 will bring sanity to some of the clumsiness of these libraries and provide significant extensions.
Here are some of the changes HTML5 will bring and what they mean for web security
 
Osama FaceBook worm  [pastebin.com]
Source code to the Facebook Osama Execution worm doing the rounds. Well commented, easily repurposed.
 
Document metadata can be very useful on your own PC. Tag yourself as the author of a report, say, or enter some relevant details in its description, and the file should be much easier to find later. When you need to share documents online, though, it's a very different story. Without knowing it, you could be giving all kinds of information away to hackers: usernames, network details, email addresses, software information and a whole lot more.
So does any of this apply to you? Manual checking is tedious, and could take a very long time, but, fortunately, it isn't necessary. FOCA Free is a simple tool that automates the process of checking any websites for metadata issues, and it's both quick and easy to use.
 
Run the NoScript plug-in for Firefox, which can block scripts on Web pages that you don't authorize
 
For last couple of weeks we received quite a bit of reports of images on Google leading to (usually) FakeAV web sites.
Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google's image search seem to be plagued with malicious links. So how do they do this?
The activities behind the scenes to poison Google's image search are actually (and unfortunately) relatively simple. The steps in a typical campaign are very similar to those I described in two previous diaries (Down the RogueAV and Blackhat SEO rabbit hole - part 1 at http://isc.sans.edu/diary.html?storyid=9085 and part 2 at http://isc.sans.edu/diary.html?storyid=9103). This is what the attackers do:
 
IronBee, Community and SSL  [www.h-online.com]
An interview with Ivan Ristic
Ivan Ristic is all about security. Author of Apache Security, the guide to securing Apache web servers; developer of ModSecurity, the open source web application firewall and founder of SSL Labs which surveyed the state of SSL security on the web. Last year he joined security firm Qualys and is
Ivan Ristic now heading up the recently announced IronBee open source web application firewall project. The H caught up with Ristic and talked about how that and his SSL Labs survey projects are developing.
 
Google has announced that this week's Chrome developer channel (also known as the Dev channel) build, version 12.0.742.9, of its WebKit-based web browser now allows users to more than just delete cookies; they can now delete Adobe Flash Player Local Shared Objects (LSO), also known as 'Flash cookies'. Typically, unlike browser cookies, these Flash cookies cannot simply be disabled or deleted via browser settings.
 
Although perimeter security controls are well publicized, there are many suppliers who can offer them in different countries and these devices can fit into all types of budgets, there are still security problems in custom applications developed within companies that are not so easily solved.

Network Security
 
 
Advanced Nmap  [www.securityaegis.com]
The second reason is Nmap is no longer a scanner. Not that anyone who reads this blog wouldn't know that but, nmap has grown into a beast of some sorts. Nmap has effectively extended itself to replace Medusa (with Ncrack), Hping (with Nping), Nessus/OpenVAS (with Nmap Scripting Engine), Netcat (with Ncat), UnicornScanner/UDPProtoScanner (New Nmap UDP scanning), as well as has a host of bolted on scripts that extend Nmap beyond just a normal users use case. Today we'll just go through a few cool things, as you can find a lot about general nmap scanning techniques from the below books:
 
The Teredo protocol [1], originally developed by Microsoft but since adopted by Linux and OS X under the name 'miredo' has been difficult to control and monitor. The protocol tunnels IPv6 traffic from hosts behind NAT gateways via UDP packets, exposing them via IPv6 and possibly evading commonly used controls like Intrusion Detection Systems (IDS), Proxies or other network defenses.
As of Windows 7, Teredo is enabled by default, but inactive [2]. It will only be used if an application requires it. If Teredo is active, 'ipconfig' will return a 'Tunnel Adapter' with an IP address starting with '2001:0:'
 
I would like to tell you about the situation I experienced this afternoon. The goal of a log management solution is to collect and store events from several devices and applications in a central and safe place. By using search and reporting tools, useful information can be extracted from those events to investigate incidents or suspicious behaviors. During a live implementation, I started to collect Syslog messages from a bunch of Cisco switches and routers. While looking if the events were correctly normalized and processed, I discovered lot of "traceback" messages like the following one:
-Process= 'xxx', level= 0, pid= 172
-Traceback= 1A32 1FB4 5478 B172 1054 1860 ...
 
6to4 - Why is it so Bad?  [labs.ripe.net]
We pointed out in the article 6to4 - How Bad is it Really? that roughly 15% 6to4 connections we measured fail. More specifically we saw a TCP-SYN, but not the rest of a TCP connection. A similar failure rate was independently observed by Geoff Huston. There are 2 reasons why 6to4 is interesting to look at:
1) A minority of operating systems default to preferring 6to4 (and other auto-tunneled IPv6) over native IPv4 when an end-host connects to a dual-stacked host [1]. When the 6to4-connection fails it has to time-out before hosts try the IPv4 connection. This results in a poor user experience, which is the reason some large content providers are hesitant to dual-stack their content.
2) In a near future with IPv6-only content, 6to4 might be the only connectivity option for IPv4-only end-hosts that were 'left behind' and don't have native IPv6 connectivity yet. The end-host would have to have a public IPv4 address or be behind a 6to4-capable device (typically a CPE) for this to work. People looking for ways to make IPv4 hosts talk to IPv6 hosts should know about pros and cons of specific technologies that try to enable that.
 
Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express!
 
Data centers infographic  [www.peer1.com]
 
IRM (Incident Response Methodologies)  [cert.societegenerale.com]
CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields on which a CERT team can be involved. One IRM exists for each security incident we're used to dealing with.
CERT Societe Generale would like to thank SANS and Lenny Zeltser who have been a major source of inspiration for some IRMs.
Feel free to contact us if you identify a bug or an error in these IRMs.
IRM-1 : worm infection
IRM-2 : Windows intrusion
 
The distance between clusters indicates whether or not there is a change in bit state. A team of researchers has presented a steganographic technique which can be used to conceal data on a hard drive. The technique is essentially based on targeted fragmentation of clusters when saving a file in the FAT file system. When decoded, the distance between clusters reveals the binary sequence of the hidden data. Two (numerically) sequential clusters, for example, mean that the following bit is equal to the previous one.
 
First you have to know what to collect before you can analyze all of the data you gather
As log management and security information and event management (SIEM) experts pore over the latest results from the annual SANS survey on log management, debate lingers over whether organizations really have mastered the art of useful data collection, or whether they need to adjust their log collection behaviors to better enable more analysis down the road.

Mobile Security
 
Network security for Android.  [www.whispersys.com]
WhisperMonitor provides a software firewall capable of dynamic egress filtering and real-time connection monitoring, giving you control over where your data is going and what your apps are doing.
 
An attacker employing a rogue GSM/GPRS base station usually wants to compromise the communications of a particular user, while trying to generate the least possible activity for the rest of mobile users within his radio range. We call this a "selective attack". In order to perform it, the attacker must know the victim's IMSI (the number that identifies a SIM card) in advance.
There are two widespread misconceptions regarding this type of attack. Most people think that:
A.- It is difficult to obtain the victim's IMSI, and
B.- It is difficult not to affect the other users in the radio range of the rogue base station
However, there are some techniques that allow the attacker to solve the aforementioned issues. In this article we explain one of them as an illustrative example.

Cloud Security
 
Cloud providers might be attractive targets for attackers, but liability can't be outsourced, experts say
After hackers breached e-mail marketing provider Epsilon in late March, a steady stream of email apologies were sent out to customers. Unfortunately, that same channel of communication is what made Epsilon such an attractive target in the first place.
From an attacker's perspective, cloud services providers aggregate access to many victims' data into a single point of entry, experts say. And as their services become more popular, they will increasingly become the focus of attacks, according to Josh Corman, director of research for The 451 Group, an analyst firm.
 
Online services have come under increasing attack -- how can enterprises ensure that their cloud service is secure and available?
The dark side of the cloud's silver lining has become apparent during the past few months. With the Amazon outage, the breach of marketing service provider Epsilon, and the attack on Sony's PlayStation Network, companies have significant fodder for concerns over the security of the cloud.
Cloud providers need to find answers to allay these concerns. These services can be as secure as keeping data in the traditional enterprise network is, but the services are not there quite yet, says Chris Whitener, chief security strategist for Hewlett-Packard. 'When we talk to customers, the first impediment to adopting cloud is worries over security,' he says.
 
This executive summary recaps a series of posts and a year's worth of research on how the USA PATRIOT ACT impacts cross-border clouds, and considers whether data is safe from the risk of interception or unwarranted searches by U.S. authorities; even European protected data.
Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.
 
The sorry state of Cloud security  [www.businesscloud9.com]
With security still cited as the main inhibitor to end user adoption of Cloud Computing, the results of a new study by the Ponemon Institute isn't likely to help matters with its claims that service providers aren't focused enough on security.
The study - Security of Cloud Computing Providers - finds that the majority of Cloud providers allocate less than 10% of their resources to security while focusing attention on delivering benefits, such as reduced costs and speed of deployment.
 
Now that we have fully restored functionality to all affected services, we would like to share more details with our customers about the events that occurred with the Amazon Elastic Compute Cloud ("EC2") last week, our efforts to restore the services, and what we are doing to prevent this sort of issue from happening again. We are very aware that many of our customers were significantly impacted by this event, and as with any significant service issue, our intention is to share the details of what happened and how we will improve the service for our customers.
 
The Case for Cloud Security Standards  [www.govinfosecurity.com]
'On a global basis, countries are recognizing that they need a uniform commercial code, if you will, for data - a unified approach for managing IT infrastructure services,' says Marlin Pohlman of the Cloud Security Alliance.
'And they need to do it in a harmonized, cross-border, compatible fashion,' he adds - which is why he's encouraged by the latest news of the Cloud Security Alliance partnering with the International Organization for Standardization/International Electrotechnical Commission to develop new, global security and privacy standards for cloud computing.

Privacy
 
Google has announced that this week's Chrome developer channel (also known as the Dev channel) build, version 12.0.742.9, of its WebKit-based web browser now allows users to more than just delete cookies; they can now delete Adobe Flash Player Local Shared Objects (LSO), also known as 'Flash cookies'. Typically, unlike browser cookies, these Flash cookies cannot simply be disabled or deleted via browser settings.
 
As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system.
But one of his most unusual hacks came during a recent assignment testing the security of a US-based municipal government. After scanning several IP addresses used by the city's police department, he soon discovered they connected directly into a Linux device carried in police cruisers. Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the vehicle's dashboard.

Funny
 
 
Nicknames  [www.dilbert.com]
 
Best practices  [dilbert.com]