Hackin9

At the Black Hat security conference in Las Vegas, a quartet of researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, implored everyone involved in cryptography, from software developers to certificate authorities to companies buying SSL certificates, to switch to newer algorithms and protocols, lest they wake up one day to find that all of their crypto infrastructure is rendered useless and insecure by mathematical advances.

We've written before about asymmetric encryption and its importance to secure communication. Asymmetric encryption algorithms have pairs of keys: one key can decrypt data encrypted with the other key, but cannot decrypt data encrypted with itself.

The asymmetric algorithms are built on an underlying assumption that certain mathematical operations are "hard," which is to say, that the time it takes to do the operation increases proportional to some number raised to the power of the length of the key ("exponential time"). However, this assumption is not actually proven, and nobody knows for certain if it is true. The risk exists that the problems are actually "easy," where "easy" means that there are algorithms that will run in a time proportional only to the key length raised to some constant power ("polynomial time").

Read 10 remaining paragraphs | Comments

    


 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Facebook announced a new program this week that lets websites post public Facebook posts to their sites. And that could be a boon for businesses, says industry analysts.
 
Symantec Workspace Virtualization 'fslx.sys' Local Privilege Escalation Vulnerability
 
MachForm CVE-2013-4948 SQL Injection Vulnerability
 
File Roller CVE-2013-4668 Multiple Directory Traversal Vulnerabilities
 
Cisco Wide Area Application Services CVE-2013-3443 Remote Code Execution Vulnerability
 
Brief: GM Trey Ford said Black Hat 2013 attendance was up by 8% compared with last year's event. Ninety-eight new tools were introduced.
 
In his keynote at Black Hat 2013, Gen. Keith Alexander said NSA surveillance programs have strict oversight, despite many inaccurate media reports.
 
After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.
 
Two U.S. senators have introduced legislation that would permanently extend a current moratorium on Internet access taxes in the country.
 
Attackers are actively targeting Internet-connected industrial control systems in an effort to compromise their operation, according to data collected from a global network of honeypot systems that simulate water pumps.
 
Windows 8's user share growth slowed significantly last month, hinting at further trouble for the struggling operating system, new statistics from an analytics company showed today.
 
The state of Pennsylvania will not renew a services contract with IBM regarding the development of a modernized unemployment compensation system, after the project reportedly has gone 42 months behind schedule and $60 million over budget.
 
Motorola Mobility unveiled the 4.7-in. Moto X smartphone on Thursday after weeks of build-up, but analysts said the new device will still have
 
Google's Motorola Mobility unit unveiled the highly anticipated Moto X smartphone on Thursday at an event focused on innovation. But many of the handset's highlighted features were similar to those on the recently announced Droid smartphones.
 
After five years, the ubiquitous SuperSpeed USB communications protocol got a huge upgrade this week with a new specification that more than doubles its speed.
 
The founder of the UpTime Institute, Kenneth G. Brill, died Tuesday. he is credited with playing an enormous role in shaping the modern data center industry.
 
Multiple Cisco Content Network and Video Delivery Products Command Injection Vulnerability
 
Multiple Hitachi Products Unspecified Local Privilege Escalation Vulnerabilities
 
Apple will launch a high-resolution, Retina-equipped iPad Mini this fall or in early 2014. Maybe.
 
Siemens SIMATIC WinCC TIA Portal CVE-2013-4911 Cross Site Request Forgery Vulnerability
 
Siemens SIMATIC WinCC TIA Portal CVE-2013-4912 URL Redirection Vulnerability
 

IntegriCell Announces CEO Aaron Turner as Featured Speaker at August IANS ...
PR Web (press release)
IT Security pioneer Turner to lead discussion on mobile security deficiencies at the IANS Toronto Information Security Forum, an educational and networking consortium of IT and infosec practitioners. Share on Twitter Share on Facebook Share on Google+ ...

and more »
 
Corporate attitudes regarding bring-your-own-device policies appear to fall into one of three categories, according to a survey of IT users: There's no official policy, devices are banned or no one talks about it.
 
The World Wide Web Consortium has finalized its specification for Web Storage, a technology that would give Web applications more flexibility in storing data on user machines.
 
Multiple HP LaserJet Pro Printers CVE-2013-4807 Unspecified Information Disclosure Vulnerability
 
U.S.-based workers show more initiative and are more innovative and more understanding of the business than offshore workers are, according to a new study that looks on sourcing services in the U.S.
 
The large majority of people working in IT procurement are "significantly dissatisfied" with the way SaaS (software as a service) vendors define contract language related to security, a feeling likely to persist through 2015, according to a Gartner report.
 
A frame from a video demonstration showing BREACH in the process of extracting a 32-character security token in an HTTPS-encrypted Web page.
Prado, Harris, and Gluck

The HTTPS cryptographic scheme, which protects millions of websites, is susceptible to a new attack that allows hackers to pluck e-mail addresses and certain types of security credentials out of encrypted pages, often in as little as 30 seconds.

The technique, scheduled to be demonstrated Thursday at the Black Hat security conference in Las Vegas, decodes encrypted data that online banks and e-commerce sites send in responses that are protected by the widely used transport layer security (TLS) and secure sockets layer (SSL) protocols. The attack can extract specific pieces of data, such as social security numbers, e-mail addresses, certain types of security tokens, and password-reset links. It works against all versions of TLS and SSL regardless of the encryption algorithm or cipher that's used.

It requires that the attacker have the ability to passively monitor the traffic traveling between the end user and website. The attack also requires the attacker to force the victim to visit a malicious link. This can be done by injecting an iframe tag in a website the victim normally visits or, alternatively, by tricking the victim into viewing an e-mail with hidden images that automatically download and generate HTTP requests. The malicious link causes the victim's computer to make multiple requests to the HTTPS server that's being targeted. These requests are used to make "probing guesses" that will be explained shortly.

Read 16 remaining paragraphs | Comments

    


 
WordPress Audio Player Plugin 'playerID' Parameter Cross Site Scripting Vulnerability
 
The Lenovo ThinkPad Tablet 2 is a business-centric mobile device that offers an all-day PC experience. Battery life is impressive, as is the included stylus. But the optional accessories that make it an effective tool for power users are also the features that leave the most room for improvement.
 
Oracle Java SE CVE-2013-2407 Remote Security Vulnerability
 

Security Product Acquisition – Ten Top Tips
Infosecurity Magazine
Chief information security officers (CISOs) are increasingly adding risk management to their ever expanding portfolio of responsibilities, according to a new report by infosec social networking site Wisegate. Information security professionals baulk at ...

 
Say what? AT&T ranked highest for customer care satisfaction of of the nation's full-service wireless carriers in a J.D. Power survey of more than 7,000 customers released today.
 
Not getting the responses you expected from your online resume? Learn what common pitfalls IT pros experience in their journey to find a better job.
 
Ultra Mini HTTPD 'GET' Request Stack-Based Buffer Overflow Vulnerability
 
miniBB SQL Injection and Multiple Cross Site Scripting Vulnerabilities
 
Oracle Java SE CVE-2013-2452 Remote Security Vulnerability
 

This is a guest diary written by Jeff Singleton. If you are interested in contributing a guest diary, please ask via our contact form

---------------

We can already use two-step authentication in GMail with the Google Authenticator Android app. The idea is creating a secret key shared between the service and the Android app, so every 30 seconds we get a randomly generated token on Android that must be provided to login in addition to the password. That token is only valid in that 30s time frame.

Since this provides a nice second security layer to our logins, why don't take advantage of it also in our Linux box?

We'll need two things to get started:

Install Google Authenticator on our Android, iOS or Blackberry phone.

Install the PAM on our Linux box

The first step is frivolous, so we will just move on to the second one.

To setup two-factor authentication for your Linux server you will need to download and compile the PAM module for your system. The examples here will be based on CentOS 6, but it should be easy enough to figure out the equivalents for whatever distribution you happen to be using. Here is a link with similar steps for Ubuntu/Debian or any OS using Aptitude.

$ sudo yum install pam-devel
$ wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
$ tar xvfj libpam-google-authenticator-1.0-source.tar.bz2
$ cd libpam-google-authenticator-1.0
$ make
$ sudo make install
$ sudo vim /etc/pam.d/sshd

Once the PAM module and the command-line google-authenticator application are installed, you need to edit the /etc/pam.d/sshd file to add the below code to the very top of the file.

auth required pam_sepermit.so

auth required pam_google_authenticator.so

auth include  password-auth

Additionally, you may wish to add the two-step authentication to your display manager (kdm, gdm, or lightdm). Depending on your distro you might be using a different login manager. Pick and edit the correct file among these:

·       /etc/pam.d/gdm

·       /etc/pam.d/lightdm

·       /etc/pam.d/kdm

Add this line at the bottom:

auth required pam_google_authenticator.so

Once we have that installed we will run this command with the user we want to use two-step authentication with. If we want to use it for several users we will have to run it once with each of them, since it generates a unique secret key each time:

% google-authenticator

Do you want me to update your "~/.google_authenticator" file (y/n) y

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN

Your new secret key is: ABCD12E3FGHIJKLMN

Your verification code is 98765432

Your emergency scratch codes are:

  01234567
  89012345
  67890123
  45678901
  23456789

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

 

Once you see the above text in your terminal window, the very next thing you will do is launch your web browser and point it to the URL shows towards the top of the text above.

 

You should now see is a big QR code. Open your Google Authenticator app on your phone of choice and hit the menu button then select "Scan barcode". Point the camera to the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left for the code to expire.
 

TIP: time is very important, so your Linux server should have an NTP client installed in order to keep the time accurate. You should definitely keep an eye on this, and if you have any trouble you may have to open the window size as noted by google-authenticator.

TIP: You will also need to edit /etc/ssh/sshd_config to enable "ChallengeResponseAuthentication" and "UsePAM" (set them both to "yes").

Finally, you will restart sshd to commit the changes you just made. When this is done, try logging into the system via SSH:

% ssh <your server>

Verification code:

Password:

Last login: Tue May 10 11:54:21 2011 from client.example.com

 

You must provide the verification code as presented by your phone in order to log in. Even if the password is known, without the verification code, the login will fail.

Important: you will not be able to use this method if you use ssh private/public keys as the two are mutually exclusive.

The two step authentication will keep users out of you box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it.

The secret key is stored in your home folder. The attacker could boot your box from a Live CD, get the key and generate tokens and have access to your Linux server.

Then again same thing holds true for you user password so that's not to say that two step authentication is not secure, it's just that is has the same problems as any other login method when it comes with physically accessible machines.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Snowden leaves Moscow airport as Russia grants him asylum for a year
Computerworld
Demonstrate the Business Value of Security In this whitepaper, Forrester Research demonstrates how to calculate the value InfoSec provides. You'll learn how to justify and defend tough financial decisions... Live Webcast Bring Mobile Innovation to your ...

and more »
 
National Security Agency leaker Edward Snowden has finally left the transit area of the Moscow airport, after Russia granted him temporary asylum, his lawyer told The Wall Street Journal.
 
 
LinuxSecurity.com: GnuPG and Libgcrypt could be made to expose sensitive information.
 
LinuxSecurity.com: Evolution would sometimes encrypt email to the wrong recipient.
 
LinuxSecurity.com: Ghostscript could be made to crash if it opened a specially crafted file.
 
HP Integrated Lights-Out CVE-2013-4805 Unspecified Authentication Bypass Vulnerability
 
Thanks to better sensors and other tech advances, robots are being used for new applications, including quality control.
 
Before turning to the world of cloud computing, let's pause to remember the crazy days of the 1970s when the science of the assembly line wasn't well-understood and consumers discovered that each purchase was something of a gamble. This was perhaps most true at the car dealer, where the quality of new cars was so random that buyers began to demand to know the day a car rolled off the assembly line.
 

V3.co.uk

Black Hat: Biases skew vulnerability reports for companies
V3.co.uk
Steve Christey, principal Infosec engineer with MITRE, and Brian Martin of the Open Security Foundation said at Black Hat that the chain ranging from the researchers to the vendors, to the vulnerability databases that classify bugs is clouding the ...

and more »
 
Researchers showed a Black Hat audience how femotcell technology, used by phone companies to boost cell phone coverage, can be hacked to intercept cell phone calls, text messages and other data.
 
Many door and window sensors, motion detectors and keypads that are part of security systems used in millions of homes and businesses can be bypassed by using relatively simple techniques, according to researchers from security consultancy firm Bishop Fox.
 
Facebook turned on a key security feature by default on Wednesday that scrambles data sent by users to the company's servers, following similar moves in recent years by Web services such as Google and Twitter.
 
Samsung is moving to be one of the first handset vendors to tap into China's upcoming market for 4G services by introducing new Galaxy S4 phones capable of operating on both FDD and TDD LTE networks.
 
[KIS-2013-08] vtiger CRM <= 5.4.0 (SOAP Services) Authentication Bypass Vulnerability
 
[KIS-2013-07] vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code Injection Vulnerability
 
[KIS-2013-06] vtiger CRM <= 5.4.0 (SOAP Services) Multiple SQL Injection Vulnerabilities
 
[KIS-2013-05] vtiger CRM <= 5.4.0 (customerportal.php) Two Local File Inclusion Vulnerabilities
 
Oracle Solaris CVE-2013-3813 Remote Security Vulnerability
 
Oracle Solaris CVE-2013-3757 Remote Security Vulnerability
 
Oracle Solaris CVE-2013-3786 Local Security Vulnerability
 
U.S.-based workers show more initiative, are more innovative and more understanding of the business than offshore workers, a new study that looks on sourcing services in the U.S has found.
 

Posted by InfoSec News on Aug 01

http://www.wired.com/threatlevel/2013/07/alexander-blackhat-keynote/

By Kim Zetter
Threat Level
Wired.com
07.31.13

LAS VEGAS -- Amid new revelations today about another expansive NSA
surveillance program, agency chief Gen. Keith Alexander appeared before an
audience of security professionals to defend his bulk collection of phone
records and other data.

Although Alexander promised to "answer every question to the full extent...
 

Posted by InfoSec News on Aug 01

http://news.techworld.com/security/3461457/uk-cyberdefence-strategy-fixated-on-top-down-security-say-mps/

By John E Dunn
Techworld
30 July 2013

The UK Government’s much-vaunted Cyber Security Strategy is overly-fixated
on high-level defence at the expense of investing in basic policing and
consumer protection, the Home Affairs Select Committee has warned.

The Committee’s report is not the first time the narrow focus of the...
 

Posted by InfoSec News on Aug 01

http://english.donga.com/srv/service.php3?biid=2013080143238

Dong-A Ilbo
AUGUST 01, 2013

Authorities’ investigation has found that 110,000 personal computers in
South Korea were transformed into zombie PCs because the head of an
information technology company in the South handed over the right to
access a domestic computer network to spies from the North’s intelligence
bureau and hacker. “Cyber invaders” planted by the enemy have...
 

Posted by InfoSec News on Aug 01

http://qz.com/109999/a-breakthrough-in-cryptography-could-thwart-a-favorite-attack-of-hackers/

By Christopher Mims
Quartz
July 30, 2013

Microsoft, Apple, and every maker of mobile and desktop apps on the planet
all have a problem: The moment they issue a security "patch," or an update
to their software designed to plug a hole that could be exploited by
hackers, those same hackers work feverishly to reverse-engineer that patch
in...
 

Posted by InfoSec News on Aug 01

http://www.darkreading.com/management/new-free-service-cracks-weak-passwords/240159192

By Kelly Jackson Higgins
Dark Reading
July 31, 2013

Praetorian this week launched a free, cloud-based password auditing
service that ferrets out weak passwords and hashes.

The new PWAudit.com is based on Amazon AWS; it automatically detects hash
types and includes a wordlist generator and reporting features.
Password-cracking tools aren't new, but...
 
[security bulletin] HPSBMU02902 rev.1 - HP Integrated Lights-Out iLO3, iLO4 IPMI Cipher Suite 0 Authentication Bypass Vulnerability
 
SQL Injection in Cotonti
 
Open-Xchange Security Advisory 2013-07-31
 
CORE-2013-0618 - Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras
 
Drupal Flippy Module Access Bypass Vulnerability
 
Plone Multiple Remote Security Vulnerabilities
 

Heckling and applause for NSA Director at Black Hat infosec conference
legal Insurrection (blog)
National Security Agency Director Gen. Keith Alexander was met with both heckling and applause at the Black Hat information security conference in Las Vegas, Nevada on Wednesday. Ever since the leaks from former NSA contractor Edward Snowden thrust ...

 
Internet Storm Center Infocon Status