Hackin9

InfoSec News

RETIRED: Squid Proxy 'Host' HTTP Header Security Bypass Vulnerability
 
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-0478 Denial of Service Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The U.S. Department of the Interior has picked Google Apps to provide cloud-based email and collaboration applications to about 90,000 staffers, choosing Google's services over Microsoft's Office 365.
 
Despite the accidental release of attack code for a bug in Oracle's database, the company won't change the code for fear of "regression."

 
Disrupting mobile phone service is a legitimate tool for law enforcement authorities working against terrorism or other dangerous situations, a mass transit agency has said in defending its own mobile shutdown last August.
 

Oracle has a problem. And it’s summed up pretty well by the current uproar over the lack of a patch for a zero-day vulnerability in the Oracle TNS Listener. It’s the same problem Microsoft had a decade ago, and the same problem Adobe also has when it comes to security fixes. It’s this perception of arrogance Oracle gives off when serious security issues become public as this one has.

Oracle won’t patch a zero-day in its flagship database management system, and instead offered a workaround with the promise of fixing the vulnerability in the product’s next release. Swish that one around for a while: Oracle won’t patch a zero-day.

And to top it off, the vulnerability in question was reported to Oracle four years ago. In its April Critical Patch Update (CPU), Oracle finally got around to addressing the problem and did so with a workaround. Unfortunately for Oracle, the researcher who reported the vulnerability, Joxean Koret, misunderstood and believed a patch was available, so he spilled the beans on the vulnerability on the Full Disclosure list. The TNS Listener Poison Attack involves a man-in-the-middle attack that could hijack connections, route data from the client to the attacker where data could be stored, dropped or modified via SQL commands. Bad stuff.

According to Ray Stell, a database administrator at Virginia Tech University, the workaround suggested in the CPU is fairly simple to deploy. “You stop the listener, apply a configuration command and edit another configuration file and you’re up and running,” Stell said. Stell has a busy time ahead of him having to patch, er fix, er apply the workaround, to 40 Oracle boxes in his department alone.

The worst-kept secret in database security circles is that companies are very reticent to take database servers down for patching. Few can afford the downtime, much less the testing required to determine whether a patch will break functioning processes. It’s an unacceptable risk for most enterprises.

What should be unacceptable is Oracle’s continued thumbing of its nose toward security. Oracle said it won’t fix the vulnerability until the next full release because, according to its alert: “such back-porting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions…”

Experts say the available workaround will keep Oracle installations secure against working exploits. Long term, however, Oracle needs to have its come-to-Jesus moment on security. It needs its version of Trustworthy Computing, which put Microsoft on a better course securing Windows and its other products. Unbreakable was a huge misstep in 2001, putting a massive target on the company’s software that guys like David Litchfield made a living on for a long time.

Publicly tripping over a zero-day vulnerability and working exploit code is just another indication that Oracle doesn’t entirely get it when it comes to security. Too bad, because it’s about time it did.



 
Apache Qpid CVE-2011-3620 Unauthorized Access Security Bypass Vulnerability
 
Mozilla Firefox/SeaMonkey/Thunderbird Site Identity Spoofing Vulnerability
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0475 Security Bypass Vulnerability
 
The Iranian government acknowledged today that authorities have found evidence of recent cyberattacks against several agencies, according to reports by state-sponsored media outlets.
 
Microsoft's Internet Explorer in April again gained usage share, the third time in the year's first four months, to stay well above the 50% mark and remain the world's top browser, a Web analytics company said today.
 
Back when I had a morning commute, I would often pop in some earbuds before hopping on the bus and rock out to one of the many tunes on my iPhone as we rode through Chinatown. The problem, of course, came when I reached my desk mid-song: Did I pause and try and find the song on my Mac's iTunes library? Or did I continue to listen through my iPhone, only to look up hours later and realize I'd drained my phone's battery when I should have switched to my desktop?
 
OpenStack Compute (Nova) CVE-2012-2101 Denial Of Service Vulnerability
 
phpMyAdmin Database Name Cross Site Scripting Vulnerability
 
While Facebook made its fortune on people -- about 800 million users worldwide today -- posting funny pictures of their cats and kids, the social network is also taking advantage of its ability to be helpful to those in need.
 
IBM is offering employees who are nearing retirement -- and may be worried about a layoff -- a one-time voluntary program that would ensure their employment through Dec. 31, 2013.
 
The BlackBerry 10 mobile operating system took center stage at the opening of BlackBerry World on Tuesday, as RIM CEO Thorsten Heins gave a sneak peek of the next-generation software on a prototype smartphone called the Dev Alpha.
 
SAP's technology chief has given a strong rebuttal to a recent presentation by an Oracle executive that was critical of SAP's HANA in-memory database, saying it is full of "falsehoods."
 
In a wide-ranging interview, an Apple expert shares real-world experiences about iPads in the enterprise, mobile device management and BYOD. Key takeaways for IT: Don't improvise when it comes to iPad adoption and don't get bypassed by rogue users.
 
Adobe Flash Player CVE-2011-2136 Remote Integer Overflow Vulnerability
 
Adobe Flash Player CVE-2011-2134 Remote Buffer Overflow Vulnerability
 
Microsoft on Monday declined to say whether Barnes and Noble's Nook app for Metro will be embedded into Windows 8 or Windows RT.
 
[ MDVSA-2012:067 ] samba
 
After hearing about my wife's iPad disconnecting from wireless for a couple of weeks (ok, maybe a bit longer than that), I decided to do some upgrades to the home network and replace the problem Access Point (and older home unit).
So off to the store I went, and came home with a bright shiny new A/B/G/N AP. After throwing the DVD away (you know, the one that comes in every box with the outdated firmware on it), and updating the unit to the current rev, my kid and I started setting it up.



It's been a while since I worked on a standalone AP - my builds normally involve controllers and *lots* of APs. So imagine my surprise and joy when I found that these home units no longer default to an SSID with a default name and no security! This one started the setup by defaulting to WPA2 / Personal, and asked me what I wanted to use for a key! You really have to be determined now to create an Open SSID (good news!)



So are we looking at the long, slow goodnight of open wireless on home networks? I've written in the past about how tablet users who don't know better routinely steal wireless from whoever is close without thinking twice - is this going to get harder and harder for them over the next few years, as people migrate to newer APs?
On the other hand, we're seeing more and more guest networks that are open, things like coffee shops, municipal offices, hair salons - pretty much anyplace you're likely to spend more than 5 minutes at seems compelled to offer up free wireless. But using free wireless that's offered to you is a much different proposition than stealing it from someone who's misconfigured their home network.



I invite your comments - my AP's name starts with an L and ends with an S (made by our friends at C***o). Are the current models from other vendors implementing better defaults now too?


===============

Rob VandenBrink

Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
A longtime user details its Agile software development path
 
Corrections about Squid/McAfee URL Filtering Bypass
 
Call for Paper: 3rd Workshop on Security and Privacy in Social Networks
 
If you've ever sent, or received, a big file via email, you've undoubtedly encountered a zip file. Double-click one of these and it expands to show files hidden inside. A zip file, or archive, takes up less space than the original files, so that your documents, images and whatnot are easier to send or store. But what do you do if a file won't expand or you come across a different type of archive? Here are answers to frequently asked questions about working with compressed files on Mac OS X.
 
Jawbone's original Jambox (Macworld rated 4.5 out of 5 mice) Bluetooth speaker is one of my favorite iOS accessories--it looks cool, it fits in your pocket, it connects simply, and it generates amazing sound for its size. But as Jawbone vice president Travis Bogard told me, "Sometimes, there are situations where you want more sound." That, said Bogard, is why the company made the Big Jambox.
 
Microsoft will from now on be paying more attention to the icons, titles, and content of apps on Marketplace, and expects them to get more subtle and modest in the imagery used, the company said in a blog post on Monday.
 
When being a do-gooder grows boring, why not switch teams? That's the route Liv Games takes with Monster Wars, an evil-themed sequel to the developer's popular tower defense game Legendary Wars.
 
Facebook launched a new tool today that co-founder and CEO Mark Zuckerberg hopes will help connect patients with needed organ donors.
 
The worldwide smartphone market grew 42.5 percent year-over-year during the first quarter, as Samsung Electronics overtook Apple for the smartphone leadership position, according to IDC's estimates.
 
Stick with the original Quickoffice HD app and either Dropbox or Box instead for a more reliable, cheaper alternative
 
Western Digital company HGST on Tuesday announced what it claimed to be the first 12 gigabit-per-second (Gbps) SAS solid state drive for use in enterprise storage servers, delivering twice the throughput compared to current 6Gbps SAS technology.
 
The Flashback malware that's infected hundreds of thousands of Macs may be generating more than $10,000 a day for the hackers who made the Trojan horse, Symantec said.
 
Samba CVE-2012-2111 Remote Security Bypass Vulnerability
 

InfoSec Skills CEO Backs David Willets' "Hybrid" Approach to National Cyber ...
Virtual-Strategy Magazine
InfoSec Skills' CEO, Terry Neal, has said that he fully supports the position David Willets described in a speech at Europe's biggest Information Security trade show last week. London, United Kingdom, May 01, 2012 --(PR.com)-- InfoSec Skills' ...
 

Posted by InfoSec News on Apr 30

http://www.wired.com/threatlevel/2012/04/ruggedcom-to-fix-vuln/

By Kim Zetter
Threat Level
Wired.com
April 30, 2012

After ignoring a serious security vulnerability in its product for at
least a year, a Canadian company that makes equipment and software for
critical industrial control systems announced quietly on Friday that it
would eliminate a backdoor login account in its flagship operating
system, following public disclosure and...
 

Posted by InfoSec News on Apr 30

http://www.theregister.co.uk/2012/04/30/eukhost_billing_system_compromise/

By Brid-Aine Parnell
The Register
30th April 2012

Web-hosting firm eUKHost has been hacked by Pakistani hacking team
UrduHack, which appeared to have gained access to its billing system.

The company sent out an email to customers and announced on its website
over the weekend that it had spotted the intrusion within the last 24
hours.

"We can confirm that an...
 

Posted by InfoSec News on Apr 30

http://www.bankinfosecurity.com/processor-warns-hacking-trend-a-4720

By Tracy Kitten
Bank Info Security
April 30, 2012

Over the past year, First Data, the largest payments processor in the
U.S., has seen an uptick in "trolling" - hackers sniffing networks for
remote access into point-of-sale systems that are open or loosely
protected.

The targets: Smaller merchants, those categorized by Visa as Level 4.
These merchants process...
 

Posted by InfoSec News on Apr 30

http://www.csoonline.com/article/705316/how-online-black-markets-work

By Brandon Gregg, CPP
CSO
April 30, 2012

The internet is no stranger to crime. From counterfeit and stolen
products, to illegal drugs, stolen identities and weapons, nearly
anything can be purchased online with a few clicks of the mouse. The
online black market not only can be accessed by anyone with an Internet
connection, but the whole process of ordering illicit goods...
 

Posted by InfoSec News on Apr 30

Forwarded from: nullcon <nullcon (at) nullcon.net>

Hi All,

For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders, Corporates, Government and security
professionals all under one roof.

Prototype:
-------------

We are introducing a new sub-event -...
 