Hackin9

FileTrek Survey Reveals That Black Hat Attendees' Opinions Split On
Dark Reading
The Black Hat USA conference is attended by sophisticated hackers, security experts and leaders from all areas of the infosec community including corporate, government, academic, and researchers. The conference was held in Las Vegas, Nevada at ...

 
A session by a team of crypto experts at Black Hat USA 2013 argued that RSA and Diffie-Hellman should be abandoned in favor of ECC.
 
Tech stocks had an upbeat week as industry watchers appear to be looking at the positive side of earnings from Internet, consumer electronics and networking companies.
 
Google is bringing a "find my phone" feature to Android later this month.
 
A report that Western nations deemed Lenovo PCs to be insecure was quickly kiboshed this week. CIO.com columnist Rob Enderle smells a rat and suspects it's only a matter of time before the source is outed (and unemployed). Meanwhile, Lenovo can relax and tout its security and stability.
 

In the wake of revelations about the National Security Agency's ability to broadly capture, index, and search the contents of unencrypted Web traffic, the Wikimedia Foundation is speeding up efforts to use secure Hypertext Transfer Protocol (HTTPS) by default for site visitors and editors for Wikipedia and other Wikimedia projects. But users will need to have accounts on the foundation's sites to get that protection.

"Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects," Wikimedia Foundation operations director Ryan Lane said in a blog post on August 1. "Thankfully, this is already a project that was being considered for this year’s official roadmap, and it has been on our unofficial roadmap since native HTTPS was enabled."

The XKeyscore program allows the NSA to perform searches against recent Internet traffic to find a variety of data, including the raw HTTP requests made by users. These data could encompass searches on sites, content posted to those sites, and other interactions with Web pages not secured by encryption. While sites such as Google and Facebook offer connections over HTTPS as an option (Google uses it by default when users are logged in, and Facebook turned on default HTTPS just one day ago), most sites on the Internet don't use HTTPS for a variety of technical reasons—including hosting configurations, increased server-side processing requirements, and the use of third-party services that fail under HTTPS. That means that traffic to most websites can be captured by XKeyscore's packet capture system.



 
Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here.
 
There is a new effort in Congress to penalize companies that shift call center work overseas.
 
Yahoo today acquired Rockmelt, a company that tried to compete with Google, Microsoft and Mozilla in the cut-throat browser market, but failed.
 
Apple should end its existing e-book agreements with five major publishers and sign no new price-setting distribution contracts for five years under remedies for e-book price fixing proposed by the U.S. Department of Justice and 33 state attorneys general.
 
 
More than five years ago, Cisco began warning wireless carriers and consumers about the coming barrage of video traffic over networks. Now that barrage is here and there's more to come.
 
Microsoft must rename its SkyDrive online storage service after losing a trademark infringement case in a U.K. court, leading analysts and legal experts to wonder how the company could have made such a mistake.
 

Less than 24 hours after researchers disclosed a new attack that can pluck secrets from webpages protected by the widely used HTTPS encryption scheme, the US Department of Homeland Security is advising website operators to investigate whether they're susceptible.

As Ars reported Thursday, an exploit dubbed BREACH—short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext—can decode e-mail addresses, certain types of security tokens, and other secrets from encrypted webpages, often in as little as 30 seconds. The attack builds on a previously developed technique known as CRIME, which manipulated data compression to glean clues about the plain-text contents of encrypted payloads. CRIME vulnerabilities were mitigated by disabling TLS compression and modifying the way the Google-developed compression known as SPDY worked. But as both CERT and the developers of BREACH have said, the new attack is much harder to protect against.

"We are currently unaware of a practical solution to this problem," the CERT advisory stated. "However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual webpages."



 
A Samsung eight-core chip used in some Galaxy S4 smartphone models is now available for hackers to play with on a developer board from South Korea-based Hardkernel.
 
An advertising industry oversight group has reported Oracle to the U.S. Federal Trade Commission after the vendor allegedly failed to comply with previous rulings.
 
The Moto X is a revolutionary smartphone that will push everyday voice interaction with an artificial intelligence virtual assistant into the mainstream, says columnist Mike Elgan.
 
[security bulletin] HPSBUX02909 SSRT101289 rev.1 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
 

Right now we are seeing fake American Express account alerts. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will heavily depend on the browser used.

Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content.

[Image: fake American Express notification]

------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Multiple vulnerabilities on D-Link DIR-645 devices
 
The Special Committee overseeing Dell's buyout proposal has reached an agreement with company founder Michael Dell and his associates, Silver Lake Partners, on a proposed purchase in which shareholders will get $13.75 per share and a special dividend of $0.13.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in gnupg and in libgcrypt: Yarom and Falkner discovered that RSA secret keys in applications using GnuPG 1.x, and using the libgcrypt library, could be leaked via a [More...]
 
[security bulletin] HPSBUX02908 rev.1 - HP-UX Running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
 
[security bulletin] HPSBUX02907 rev.1 - HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
 
Cisco Security Advisory: OSPF LSA Manipulation Vulnerability in Multiple Cisco Products
 
 
[ MDVSA-2013:205 ] gnupg
 

We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used GUI editor allowing users to edit HTML as part of a web application. Many web applications like wikis and bulletin boards use it. It provides the ability to upload files to web servers. The scans I have observed so far appear to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function and it is hard to tell what the attacker would do if the editor is found.

Here are some sample reports:

Full sample POST request:

GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
HOST: --removed--
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)

Some sample Apache logs:

HEAD /FCKeditor/editor/filemanager/upload/test.html
HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /admin/FCKeditor/editor/filemanager/upload/test.html
HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /FCKeditor/editor/filemanager/upload/test.html

 

If you are using this module, make sure it is properly configured. It is recommended to password protect the editor if you can (of course, for a public blog comment system that may not be an answer, but it may not need the file upload capability).
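The request and log samples above are the evidence to look for in your own access logs. As an added example (not from the diary), this Python script flags such probes in Apache combined-format logs: it matches the FCKeditor connector/upload paths, the GetFoldersAndFiles listing command and the "Indy Library" User-Agent shown above, and separately marks probes that got a 200, since that means the editor is exposed rather than merely scanned for. The function names and the sample log lines are constructed for this example.

```python
# Added example (not from the ISC diary): flag FCKeditor/CKEditor file-manager
# probes in Apache combined-format access logs, using the request paths and
# User-Agent shown in the diary. SAMPLE_LOG is constructed, not real traffic.
import re
from collections import Counter

# Connector scripts and upload test pages that the observed scans request.
PROBE_PATH = re.compile(
    r"/(?:FCK|FCKeditor|ckeditor)/editor/filemanager/(?:connectors|upload|browser)/",
    re.IGNORECASE)
PROBE_UA = re.compile(r"Indy Library", re.IGNORECASE)  # UA seen in the sample request
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return (ip, method, path, status, reasons) or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    why = []
    if PROBE_PATH.search(m["path"]):
        why.append("fckeditor-path")
        if m["status"] == "200":  # the editor answered: it is exposed, not just probed
            why.append("responded-200")
    if "Command=GetFoldersAndFiles" in m["path"]:
        why.append("connector-listing")
    if PROBE_UA.search(m["ua"]):
        why.append("indy-ua")
    return (m["ip"], m["method"], m["path"], m["status"], why) if why else None

def scan_log(lines):
    """Count suspicious requests per source IP and collect the matching lines."""
    hits, findings = Counter(), []
    for line in lines:
        f = classify(line)
        if f:
            hits[f[0]] += 1
            findings.append(f)
    return hits, findings

SAMPLE_LOG = [  # constructed sample lines mirroring the diary's paths
    '203.0.113.7 - - [02/Aug/2013:10:15:01 +0000] "HEAD /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.7 - - [02/Aug/2013:10:15:02 +0000] "GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1" 200 312 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '198.51.100.4 - - [02/Aug/2013:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG)[1]:
        print(f)
```

Any finding tagged "responded-200" deserves immediate attention: the connector script is reachable, so the editor should be password protected or the upload function removed as the diary recommends.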
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter @johullrich

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Aug 02

http://www.dailymail.co.uk/sciencetech/article-2383200/One-PINs-correctly-guessed-time-Research-reveals-20-commonly-used-numbers.html

By VICTORIA WOOLLASTON
Mail Online
2 August 2013

Despite a rise in credit card fraud, the most commonly-used PIN is still
1234, with 1111 and 0000 coming in second and third.

Research has revealed that one in ten codes is so obvious it would take
criminals just one attempt to guess it correctly, while more...
 

Posted by InfoSec News on Aug 02

http://healthitsecurity.com/2013/07/31/how-safe-is-minors-patient-data-from-hackers/

By Patrick Ouellette
Health IT Security
July 31, 2013

Handling patient data security among minors is a touchy subject that has
been evaluated more prominently of late with potential EHR software
complications. Minors’ patient data is valuable to would-be hackers even
more so than adults because of the relative unblemished nature of their
information....
 

Posted by InfoSec News on Aug 02

http://www.zdnet.com/researchers-reveal-details-of-active-comfoo-cyberespionage-campaign-7000018907/

By Charlie Osborne
Zero Day
ZDNet News
August 2, 2013

A cyberespionage campaign which targeted the RSA in 2010 is still active
and targeting networks worldwide.

Dell SecureWorks researchers Joe Stewart and Don Jackson have released a
new threat intelligence report documenting the "Comfoo" remote access
trojan (RAT) -- malware used...
 

Posted by InfoSec News on Aug 02

http://www.theregister.co.uk/2013/08/02/pwnie_awards/

By John Leyden
The Register
2nd August 2013

Security researcher Barnaby Jack, famous for his "jackpot" hack on ATMs,
which forced them to spit out cash, has won a lifetime achievement award
less than a week after his death.

The honour was announced yesterday at the Pwnie awards, Infosec's
equivalent to the Oscars.

Jack, 35, died last Thursday just days before he was due...
 

Posted by InfoSec News on Aug 02

http://www.thesmokinggun.com/documents/colin-powell-guccifer-email-hack-594321

The Smoking Gun
August 1, 2013

AUGUST 1 -- As a notorious hacker seeks to distribute "very personal"
e-mails sent to Colin Powell by a female Romanian diplomat, the retired
general is denying that he engaged in an extramarital affair with the
woman while he served as Secretary of State, though he recently advised
her to delete all their online...
 

Snowden picks up 'Epic 0wnage' gong in Vegas... well, not literally
Register
The honour was announced yesterday at the Pwnie awards, Infosec's equivalent to the Oscars. Jack, 35, died last Thursday just days before he was due to give a talk on electronic medical implants for humans at Black Hat. The slot at the Las Vegas ...

 
Google has shut down a specialized free music search service in India that it started in 2010 to link users to legal music streams on partner sites.
 
The United States International Trade Commission expects to complete its investigation into allegations of patent infringement between Apple and Samsung at the end of next week, it said Thursday.
 
The Windows 8 Secure Boot mechanism can be bypassed on PCs from certain manufacturers because of oversights in how those vendors implemented the Unified Extensible Firmware Interface (UEFI) specification, according to a team of security researchers.
 
Carl Icahn filed a lawsuit against Dell and its board of directors on Thursday as he continued to take steps to prevent the company's founder and investment company Silver Lake from taking the company private.
 
China Mobile, the country's largest mobile carrier, introduced two own-brand handsets on Friday, as a way to bring more affordable smartphones to its 740 million customers.
 
For Microsoft, there's a difference, a big difference, between a Windows upgrade and an update, even though both can be handed out free of charge to customers.
 
Eight-core processors are 'dumb,' as the consumer wants an experience that comes from more than just throwing cores together, a Qualcomm executive said, referring to new eight-core chips announced recently.
 
The decades-old legacy of Motorola as a semiconductor innovator remains alive, with Google providing its Motorola Mobility unit a fresh start in chip design with the X8 chip system, which will be used in the upcoming Droid and Moto X smartphones.
 
When you use media products from Amazon, Apple, Google or Microsoft, you're not just choosing a device -- you're joining a ecosystem. What are these four companies doing to maintain user loyalty? How well are they succeeding?
 
Bitcoin Bitcoind 'bitcoinrpc.cpp' Password Information Disclosure Vulnerability
 
Symantec Encryption Desktop CVE-2013-1610 Local Privilege Escalation Vulnerability
 
Symantec Backup Exec CVE-2013-4575 Remote Heap Buffer Overflow Vulnerability
 
Symantec Backup Exec CVE-2013-4677 Local Insecure File Permissions Vulnerability
 
Symantec Backup Exec CVE-2013-4676 Multiple Cross Site Scripting Vulnerabilities
 