Hackin9

What if they pulled the plug?
The Age
The internet has become so enmeshed in our lives that the loss of it - even temporarily - is more than most of us can contemplate, writes Brad Howarth.

 
Oracle has extended its data center fabric to its Sparc-based Unix platforms, promising to let enterprises tie more servers and applications into the high-speed infrastructure.
 
Walt Disney has shut down in-house development at LucasArts, the gaming arm of Lucasfilm, less than a year after buying its parent company.
 
An online bitcoin storage service, Instawallet, said Wednesday it is accepting claims for stolen bitcoins after the company's database was fraudulently accessed.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
There could be big changes coming to the fiddly and sometimes annoying Web browsing experience on cellphones.
 
Shaw reviews Toshiba's Excite 10 SE tablet and HP's EliteBook Folio 9470m Ultrabook.
 
Mozilla Firefox/SeaMonkey CVE-2013-0794 Information Disclosure Vulnerability
 
Mozilla Firefox 'app_tmp' Directory Insecure Permissions Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0791 Out of Bounds Memory Corruption Vulnerability
 
 
Puppet 'auth.conf' CVE-2013-2275 Security Bypass Vulnerability
 
Puppet CVE-2013-1652 Security Bypass Vulnerability
 
Puppet CVE-2013-2274 Remote Code Execution Vulnerability
 
It says something when powerful and popular social media tools such as Facebook and Twitter become the template for an entirely new form of workplace collaboration.
 
Twitter's in-the-moment stream of quick comments and links might seem tailor-made for those with short attention spans, but the company is rolling out changes that will make tweets more interactive, including the ability to access mobile apps from inside a tweet.
 
U.S. lawmakers need to make significant changes to a controversial cyberthreat information sharing bill because the legislation could be used to give federal intelligence agencies backdoor wiretapping powers, the Center for Democracy and Technology said.
 
Viking and Micron plan to begin shipping forms of non-volatile DRAM on standard DDR4 DIMMs this summer. The cards combine DRAM with a NAND flash backup that speeds recovery and can be used as a tier of storage in a server.
 
A $2 billion device attached to the outside of the International Space Station has found particles that could be the building blocks of dark matter.
 
The U.S. government agency leading an effort to create a voluntary cybersecurity framework for companies operating critical infrastructure wants to hear ideas about what to include in those standards.
 
Harvard University President Drew Faust has ordered up a review of the university's email privacy polices amid disclosures that a secret search of some deans' email accounts was broader than originally acknowledged.
 
Dell will release Windows tablets later this year that could potentially include devices with screen sizes larger than 10 inches.
 
Within days, NASA's robotic rovers and orbiters working on Mars will go silent as a solar conjunction interrupts communications between that planet and the Earth.
 
TC-SA-2013-01: Reflected Cross-Site-Scripting (XSS) vulnerability in e107 CMS v1.0.2
 
PHP Code Injection in FUDforum
 
SQL Injection Vulnerability in Symphony
 
Novell GroupWise Multiple Remote Code Execution Vulnerabilities
 

One of the topics we cover in our Defending Web Applications class is how to secure static files. For example, you are faced with multiple PDFs containing confidential information, and you need to integrate authorization to read these PDFs into your web application. The standard solution involves two steps:

- Move the file out of the document root

- Create a script that performs the necessary authorization and then streams the file back to the user

Typically, the process of streaming the file back to the user is pretty simple. Most languages offer the ability to read the file and then echo it back to the browser. In some cases, PHP for example, there is a dedicated function for this (readfile). This makes writing these access control scripts pretty easy, until you are faced with a new twist: the Range header.

The Range header is meant to be used to support partial downloads. A client may request just part of a file, instead of asking for the entire file.

RFC 2616 is a bit ambiguous when it comes to Range headers. First of all, it introduces the Accept-Ranges header, which can be used by the server to signal that it supports the Range header. Next, it states that the client may send a request using a Range header anyway, even if the server doesn't advertise support for it. The server also has the option to send Accept-Ranges: none to explicitly state that it does not support this type of header.

So what's the problem? It turns out that different HTTP clients deal with Range headers slightly differently. In particular, the iOS Podcast client requires support for the Range header, and will download only part of the file if Range requests are not supported. Apple recently advised iTunes publishers of this issue and requires content to be hosted on servers that support the Range header.

For a server, this is usually not a problem, were it not for a recent Apache DoS attack that caused some administrators to block Range requests. Also, our file streaming script now needs to support Range requests.

Here is a quick outline of how to support Range requests properly:

- Figure out if the Range header is used and extract the requested range. The Range header should look like:

Range: bytes=1234-5678

but could look like:

Range: bytes=0-

If the upper end is missing, the range is assumed to extend to the end of the file.

- Load the file (if possible, only the part that needs to be sent).

- Send the file, but use a 206 Partial Content response code. Also, add the Content-Range header to indicate what you are sending:

Content-Range: bytes 1234-5678/1234567 (start-end/total size)

One interesting twist: the total size is a byte count, while the range is given as zero-based offsets. So the maximum range end is size-1.
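The three steps above, worked through as an added example (not code from the diary): a Range parser plus the response builder that an access-control script would call after authorization succeeds. It also covers cases the outline does not spell out, namely the suffix form bytes=-N, an out-of-file range (416), and multi-range or invalid headers (fall back to sending the whole file with 200, as RFC 2616 directs). The sample file contents are constructed.

```python
import re

# One byte-range-spec: "bytes=1234-5678", "bytes=0-" or the suffix form "bytes=-500".
_SINGLE_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$")

def parse_range(header, size):
    """Map a Range header onto inclusive offsets (start, end) of a `size`-byte file.

    Returns None when the header is absent, lists several ranges or is invalid
    (RFC 2616: ignore it and send the whole file); raises ValueError when the
    range lies entirely outside the file (answer 416).
    """
    if header is None:
        return None
    m = _SINGLE_RANGE.match(header.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return None  # e.g. "bytes=0-1,5-9" (multiple ranges) or garbage
    first, last = m.group(1), m.group(2)
    if first == "":
        # Suffix range "bytes=-N" asks for the final N bytes; N == 0 is unsatisfiable.
        n = int(last)
        if n == 0:
            raise ValueError("unsatisfiable range")
        return max(size - n, 0), size - 1
    start = int(first)
    if last != "" and int(last) < start:
        return None  # last-byte-pos before first-byte-pos: syntactically invalid
    if start >= size:
        raise ValueError("unsatisfiable range")
    # Offsets are zero-based while the total is a byte count, so the last valid
    # offset is size - 1; a missing upper end means "until the end of the file".
    end = size - 1 if last == "" else min(int(last), size - 1)
    return start, end

def build_response(data, range_header):
    """Return (status, headers, body) for an already-authorized download of `data`."""
    size = len(data)
    headers = {"Accept-Ranges": "bytes"}
    try:
        rng = parse_range(range_header, size)
    except ValueError:
        headers["Content-Range"] = "bytes */%d" % size
        return 416, headers, b""
    if rng is None:
        headers["Content-Length"] = str(size)
        return 200, headers, data
    start, end = rng
    headers["Content-Range"] = "bytes %d-%d/%d" % (start, end, size)
    headers["Content-Length"] = str(end - start + 1)
    return 206, headers, data[start:end + 1]

# Constructed stand-in for the confidential file; a real script would read it from disk.
SAMPLE = b"0123456789" * 10  # 100 bytes, so valid offsets are 0..99
```

Because the parser only ever sees the header after the authorization check, a Range request cannot bypass the access control; it only changes which slice of an already-permitted file is sent.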


Aside from the annoyance of having to write a more complex script, why does this matter for security?

Think intrusion detection systems, and maybe even web application firewalls: it is now possible, for example, for an attacker to request your secret document one byte at a time, possibly defeating data leakage protection. Or an attacker streaming an exploit from a web server could do so in small chunks to again defeat content filtering by the client. I played with various overlapping ranges and such, and it looks like browsers will discard these requests as they should.

It is also possible to specify multiple ranges in one request (which is what the Apache DoS was about), but so far I haven't observed any requests like this.

In short: watch it but don't block it. It may make sense to log and pay attention to Range requests, but you shouldn't blindly block all of them, as they may be required by the browser or HTTP client.

References:

RFC 2616: http://www.rfc-editor.org/rfc/rfc2616.txt

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
China's biggest search engine, Baidu, is reportedly working on its own computerized eye glasses, going head-to-head with Google's Glass project.
 
Organizations face malware-related events that bypass traditional defense technologies on their networks every three minutes, according to a new report released Wednesday by security vendor FireEye.
 
Miami Children's Hospital recently launched a free iPhone app that uses Wi-Fi triangulation to help patients and their families navigate through the center.
 
Cloud-based marketing automation vendor Marketo's plans to raise up to $75 million in an initial public offering, which were revealed this week, could influence larger companies to acquire the company, including Salesforce.com and SAP.
 
 
Security firm Sophos has asked that its customers update to the latest version of the appliance as soon as possible. User interface vulnerabilities allow sensitive data to be accessed without authorisation and enable man-in-the-middle attacks.


 
ModSecurity XML External Entity Information Disclosure Vulnerability
 
Google AD Sync Tool - Exposure of Sensitive Information Vulnerability - Security Advisory - SOS-13-001
 
[slackware-security] mozilla-thunderbird (SSA:2013-093-02)
 
SEC Consult SA-20130403-0 :: Multiple vulnerabilities in Sophos Web Protection Appliance
 

Companies may use Twitter, Facebook to share operations info, SEC says
Valley Dispatch
Companies can use social media such as Facebook and Twitter to unveil key information about their operations as long as they've told investors where to look for it, the Securities and Exchange Commission announced Tuesday. The decision averts a ...

 
Google launched its Microsoft Office substitute, Quickoffice, for Apple's iPhone, Android smartphones and Android tablets, fulfilling a promise made in December.
 
The second-generation Nexus 7 tablet, powered by a Qualcomm Snapdragon processor, will be launched around July, according to two unnamed sources in a Reuters report.
 
A private message taken from BlackSEO.com in which a user named "Mavook" takes credit for the Flashback trojan that infected 650,000 Macs.

A year to the week that a newer, more virulent version of the Flashback trojan was found to have infected more than 500,000 Mac computers, investigative reporter Brian Krebs has identified a young Russian man who has taken credit as the mastermind behind the malware.

Flashback.K, as that version was known, was a breakthrough because it was among the first pieces of mainstream malware to hijack Macs even when users didn't enter an administrative password. Rather than trick users into installing what appeared to be an update to the Adobe Flash program—as previous Flashback versions did—this new release exploited a security bug in Apple's version of the Java software framework. Users who had it installed and visited booby-trapped websites were infected with no warning. Even after Apple released software to remove Flashback, the malware was still able to thrive in the following weeks, expanding its infection base to 650,000 machines. Over the past two or three months, more than 38,000 machines remained infected, according to a researcher at antivirus provider Kaspersky Lab.

Until now, there have been no public clues about the identity of the evil genius who was responsible for Flashback. Researchers knew the malware was able to earn as much as $10,000 per day by redirecting Google search results to third-party advertisers. Acting on this knowledge, Krebs began scouring the underground forums on BlackSEO.com, a site frequented by blackhat experts in search engine optimization.


 
The ownCloud developers have released the third update to ownCloud 5.0 in 24 hours after two security updates caused installations of the software to become unusable. ownCloud 5.0.3 seems to fix these problems.


 
For almost nine months, Apache web servers have been compromised with a Darkleech module that injects iFrames into pages to expose users to other sites filled with malware. The scale of the problem is only just being revealed.


 

Social media OK for releasing info: SEC
The Japan Times
WASHINGTON – Companies can use social media such as Facebook and Twitter to unveil key information about their operations as long as they've told investors where to look for it, the Securities and Exchange Commission announced Tuesday.

 
With the rise of cloud, everything can now be easily delivered as a service, whether it is business processes, infrastructure or security. As such, the outsourcing of IT functions and management is continuing to gain momentum among enterprises around the world.
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2013-0789 Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2013-0788 Memory Corruption Vulnerability
 
Samba CIFS Attributes CVE-2013-0454 Remote Security Bypass Vulnerability
 
FreeBSD Security Advisory FreeBSD-SA-13:04.bind
 
FreeBSD Security Advisory FreeBSD-SA-13:03.openssl
 
While most corporations have strict policies against using consumer-class file sharing and collaboration services because they are not secure, employees still regularly use them because they are convenient and easy to use, a survey finds.
 
John Manville, Sr. VP-Global Infrastructure for IT, Cisco, talks about the unique position he enjoys by heading the infrastructure team of the networking leader, and some of the new initiatives being undertaken by them.
 
Sophos Web Protection Appliance Multiple Cross Site Scripting Vulnerabilities
 
Google is hoping to make it easier for developers to integrate SMS or voice communications in applications running on the company's App Engine platform.
 
LinuxSecurity.com: Applications using poppler could be made to crash or possibly run programs as your login if they opened a specially crafted file.
 
LinuxSecurity.com: Applications using libxslt could be made to crash if they processed a specially crafted file.
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: An updated jenkins package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.1.3. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
The Internet Corporation for Assigned Names and Numbers (ICANN) has selected three emergency back-end registry operators to guarantee domain names within a new generic top-level domain (gTLD) will resolve in the event of a failure at a new TLD operator, it said on Tuesday.
 
The U.S government and two other entities involved in investigations leading to the indictment of the late Internet activist Aaron Swartz have asked a federal court in Boston to redact the names of people involved in the case from documents being sought by Swartz's estate and by some lawmakers.
 
The U.S. Securities and Exchange Commission has cleared the use of social media such as Facebook and Twitter to announce corporate information.
 
Mozilla on Tuesday shipped Firefox 20, adding more flexible private browsing and patching 13 vulnerabilities, five rated "critical" by the company's security team.
 
There are still areas in the U.S. that have limited or no wireless telecommunications. How are the four major suppliers handling this?
 
While large portions of the U.S. are looking forward to faster wireless broadband, some regions don't have even simple cell phone service. What is being done to help?
 
Maybe people are bored with Apple and Windows machines, or just restless for the challenge of something new. But different is selling.
 

Posted by InfoSec News on Apr 03

http://www.jsonline.com/news/crime/medical-college-researcher-charged-with-stealing-anticancer-compound-ls9cnn4-200958961.html

By Bruce Vielmetti
Journal Sentinel
April 1, 2013

A researcher at the Medical College of Wisconsin has been charged with stealing
a possible cancer-fighting compound and research data that led to its
development, all to benefit a Chinese university.

Huajun Zhao, 42, faces a single count of economic espionage,...
 

Posted by InfoSec News on Apr 03

http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/

By Dan Goodin
Ars Technica
Apr 2 2013

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate,
and other reputable companies, have recently come under the spell of
"Darkleech," a mysterious exploitation toolkit that exposes visitors to potent
malware attacks.

The ongoing attacks, estimated to have...
 

Posted by InfoSec News on Apr 03

http://www.csoonline.com/article/731069/dhs-fbi-warn-over-tdos-attacks-on-emergency-centers

By Antone Gonsalves
csoonline.com
April 01, 2013

Federal law enforcement officials are reporting a rise in attacks in which the
telephone lines of emergency call centers are flooded with bogus calls by
extortionists whose demands for cash are refused.

The Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI) recently...
 

Posted by InfoSec News on Apr 03

http://healthitsecurity.com/2013/04/02/unencrypted-laptops-stolen-from-women%E2%80%99s-health-enterprise/

By Patrick Ouellette
Health IT Security
April 2, 2013

Yet another breach involving unencrypted laptops has been announced, this time
in Atlanta, Georgia at Women’s Health Enterprise, Inc. of Family Health
Enterprise (FHE). Women’s Health Enterprise notified 3,000 patients of FHE’s
Breast Health Promotion Program that there had been...
 

Posted by InfoSec News on Apr 03

http://www.tmz.com/2013/04/02/celebrity-hackers-lady-gaga-angelina-jolie-dennis-rodman-robert-deniro/

BY TMZ STAFF
4/2/2013

Angelina Jolie and Lady Gaga are the two newest victims of the celebrity
hackers who had already exposed the financial secrets of Michelle Obama and
Beyonce ... TMZ has learned.

The hackers returned to the Internet after a brief hiatus ... and immediately
hit six more A-list victims, including Angelina, Gaga, NRA...
 