InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Over the holidays, a friend of mine was busy trying to repossess her online accounts that had been hacked and taken over. While her experience wasn't quite as bad as Mat Honan's, it still was a mess to untangle. Initially, we had suspected spyware, and spent some time looking through her PC for the presence of a keylogger. None was found. Once the first few accounts were returned to her, including an email account, we were able to (partially) reconstruct what had happened. As in Mat Honan's case, it wasn't the password, but rather the "I forgot my password" functionality that had been breached. Duh-oh.

We took this as an incentive to analyze the password reset options of some of her accounts, and what we found was not pretty. It seems that "I forgot my password" comes in (at least) three variants:

(1) New password is sent to the email address on file

(2) New password can be set after answering a couple of Secret Questions

(3) New password is set after authenticating out-of-band (via phone or fax)

Let's start with (2). Not only since the Sarah Palin attack do we know that password reset functions can be dangerous. Having a 10-character complex password with 60 bits of entropy is of little use if the same password can be reset by answering what the color of your first car was: about 3 bits of entropy, roughly equivalent to having a one-digit password between 0 and 9! Still, call centers are expensive, and the economic incentive is strong for companies to provide a password reset function that is trivially EASY. And since the corresponding fallout lands on the user and rarely on them, they don't care much.

Variant (3), the out-of-band confirmation, comes in two flavors. One is really competent and quite secure, and very, very rare: a real person asks really hard, non-scripted questions about your past relationship with the company or institution. The other is silly and near useless, and very, very common: usually such calls go to call centers overseas, where the agent answering the phone identifies the caller by asking for ... yes, the color of the first car again. Some web sites, for example domain registrars, also require a faxed copy of a driver's license. Fax is that 1980s image transmission technology whose picture quality manages to make the most authentic passport look like a forgery. Hence, the hardest part for the attacker is probably making sure his forgery doesn't look too authentic ...

Which leaves (1), an option that works reasonably well, provided that the email doesn't get intercepted in transit and that it isn't the email account itself that has been compromised. If it is, this function becomes deadly real quick, because the attacker can readily reset all your other passwords, pick up the new credentials in the compromised inbox, and continue hacking at his leisure. In our tests, we actually also found two web sites where the password reset email contained the correct password that my friend had set, which means that the web site in question had committed the cardinal sin of storing user passwords in cleartext. But that's a story for another time.

For now, I suggest you start 2013 by taking a close look at the chain of trust between your important accounts: which one can reset which others? If an attacker gets access to this one, what information does the account provide that allows him to breach which other credentials? Also, click the "I forgot my password" or "I forgot my userid" button, just to see what happens. You might discover that in a state of naive trust and delusion, some years ago, when you set up your account, you actually truthfully answered that your first car was blue.
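The chain-of-trust question above, together with the entropy arithmetic from variant (2), can be worked through mechanically for a whole set of accounts. The following Go program is an added example for this diary, not the author's code or any tool mentioned here: it takes a constructed account inventory (the account names, password strengths, and the 3-bit and 12-bit estimates for the secret question and the faxed ID are assumptions made for the illustration) and computes each account's effective entropy, that is the weakest path to it, plus the set of accounts an attacker ends up owning once one account is compromised.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Reset is one "I forgot my password" path. Kind "account" means a new
// password is sent to another account, so the path is only as strong as
// that account; Kind "direct" covers secret questions, faxed ID or a
// scripted call centre, with an analyst-estimated strength in bits.
type Reset struct {
	Kind    string
	Account string  // referenced account, when Kind == "account"
	Bits    float64 // estimated entropy, when Kind == "direct"
}

type Account struct {
	PasswordBits float64
	Resets       []Reset
}

// EffectiveBits returns, per account, the entropy an attacker really has to
// beat: the minimum of the password and of every reset path, where a reset
// through another account is worth that account's effective bits. The
// minimum is iterated to a fixed point so cycles (A resets B, B resets A)
// converge. A referenced account missing from the inventory counts as
// 0 bits, i.e. as already owned, which forces the analyst to model it.
func EffectiveBits(accts map[string]Account) map[string]float64 {
	eff := make(map[string]float64, len(accts))
	for name, a := range accts {
		eff[name] = a.PasswordBits
	}
	for changed := true; changed; {
		changed = false
		for name, a := range accts {
			best := a.PasswordBits
			for _, r := range a.Resets {
				s := r.Bits
				if r.Kind == "account" {
					s = eff[r.Account] // 0 if unknown
				}
				best = math.Min(best, s)
			}
			if best < eff[name] {
				eff[name] = best
				changed = true
			}
		}
	}
	return eff
}

// BlastRadius lists, sorted, every account an attacker who owns start can
// take over just by clicking "I forgot my password", transitively.
func BlastRadius(accts map[string]Account, start string) []string {
	owned := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for name, a := range accts {
			if owned[name] {
				continue
			}
			for _, r := range a.Resets {
				if r.Kind == "account" && r.Account == cur {
					owned[name] = true
					queue = append(queue, name)
					break
				}
			}
		}
	}
	out := make([]string, 0, len(owned))
	for name := range owned {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// SampleAccounts is a constructed inventory, not real data: a 60-bit mail
// password that can be reset by naming the colour of a first car (~3 bits).
func SampleAccounts() map[string]Account {
	return map[string]Account{
		"mail":        {60, []Reset{{Kind: "direct", Bits: 3}, {Kind: "account", Account: "backup-mail"}}},
		"backup-mail": {30, []Reset{{Kind: "account", Account: "mail"}}},
		"bank":        {50, []Reset{{Kind: "account", Account: "mail"}, {Kind: "direct", Bits: 20}}},
		"registrar":   {40, []Reset{{Kind: "direct", Bits: 12}}}, // faxed driver's licence
		"social":      {45, []Reset{{Kind: "account", Account: "mail"}}},
	}
}

func main() {
	accts := SampleAccounts()
	for name, bits := range EffectiveBits(accts) {
		fmt.Printf("%-12s password %2.0f bits, effective %2.0f bits\n", name, accts[name].PasswordBits, bits)
	}
	fmt.Println("owning mail also owns:", BlastRadius(accts, "mail"))
}
```

With the sample inventory, the 60-bit mail password collapses to 3 effective bits because of the secret question, and everything that resets through mail (the bank, the social account and the backup mailbox that forms a cycle with it) inherits those 3 bits; only the registrar, which resets through a faxed ID, keeps a separate, if still weak, budget. The same two functions run unchanged on a real inventory once you have clicked through the reset buttons and written down what each one actually asks for.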

How are you handling password reset functions to reduce the risk of them becoming an easy avenue for attackers? Please let us know in the comments below!

After a nearly two-year antitrust investigation, Google escaped with more of a slap on the wrist than a slap in the face, say industry analysts.

The new SATA Express specification will define new device connectors and motherboard connectors that will support both PCIe drives and existing SATA devices, offering a low-cost solution to fully utilize the performance of SSDs and hybrid drives.
Google has taken steps to close potential security holes created by a fraudulent certificate for its google.com domain, discovered in late December.
Five months after its release, Apple's Mountain Lion became the most widely-used version of OS X, a Web measurement firm said Tuesday.

On December 24, 2012, Google detected an unauthorized certificate for the google.com domain. The investigation confirmed that TURKTRUST Inc. had mistakenly issued two intermediate CA certificates, to *.EGO.GOV.TR and to e-islam.kktcmerkezbankasi.org, where ordinary end-entity certificates had been intended. The first of these was later used to create the fraudulent google.com certificate that Google Chrome's public-key pinning detected. This is a big problem, because an intermediate CA certificate carries the full authority of the root that issued it: it can be used to create a certificate for any web site the attacker wishes to impersonate, and every client that trusts the root will accept the result.

As a result, Mozilla is revoking trust in both intermediate certificates starting January 8, Microsoft issued Security Advisory 2798897 and published updates that revoke the fake google.com certificate and the two intermediate CA certificates, and Google revoked the same certificates in the Google Chrome updates of December 25 and 26, 2012.

SSL and X.509 have proven weak as a standalone security control and should definitely be combined with other strong authentication controls, such as one-time password tokens, available from vendors like Vasco, SafeNet and, of course, RSA. Despite all the attacks and intrusions of previous years, they remain a very good, reliable solution. Keep in mind what a token does and does not protect, though: it stops a stolen password from being enough to log in, but it does not stop an attacker who can present a trusted certificate for the site from sitting in the middle of the session, which is why client-side public-key pinning (the control that caught this certificate in Chrome) is what addresses the actual failure here.
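To make the CA:TRUE problem concrete, here is an added example in Go, written for this diary and not code from TURKTRUST, Google or the ISC. It rebuilds the incident with constructed keys and certificates: a root issues a subscriber certificate with CA:TRUE, that key signs a google.com certificate, standard path validation accepts the chain, and a public-key pin for the CA the browser actually expects behind google.com (a made-up "pinned CA" here) rejects it. The names *.EGO.GOV.TR and *.google.com are the ones from the incident; every key, serial number and the pinned CA are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed chain modelling the incident: a trusted root mistakenly
// issues a CA-capable certificate to a subscriber, whose key then signs a google.com
// certificate. PinnedCA stands for the CA the browser actually expects for google.com.
type Scenario struct {
	Root, Sub, Leaf, PinnedCA *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn signed by signer under parent;
// with a nil signer the certificate is self-signed.
func issue(serial int64, cn string, ca bool, dns []string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca, // CA:TRUE on a subscriber certificate is the whole story
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if signer == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c, key
}

func BuildScenario() *Scenario {
	root, rootKey := issue(1, "Constructed Root CA", true, nil, nil, nil)
	// The mistake: a subscriber certificate issued with CA:TRUE.
	sub, subKey := issue(2, "*.EGO.GOV.TR", true, nil, root, rootKey)
	// Whoever holds subKey can now mint a certificate for any name at all.
	leaf, _ := issue(3, "*.google.com", false, []string{"*.google.com", "google.com"}, sub, subKey)
	pinned, _ := issue(4, "Constructed Pinned CA", true, nil, nil, nil)
	return &Scenario{root, sub, leaf, pinned}
}

// Chain is what a rogue server would present: leaf, intermediate, root.
func (s *Scenario) Chain() []*x509.Certificate { return []*x509.Certificate{s.Leaf, s.Sub, s.Root} }

// ChainValidates is plain path validation, all a client without pins does. It returns
// nil for the rogue chain: every signature checks out and the intermediate is CA-capable.
func ChainValidates(s *Scenario, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Sub)
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedOK accepts an already validated chain only if some certificate in it carries
// a pinned key. Pinning the CA rather than the leaf survives routine key rotation.
func PinnedOK(chain []*x509.Certificate, pins []string) bool {
	for _, c := range chain {
		for _, want := range pins {
			if SPKIPin(c) == want {
				return true
			}
		}
	}
	return false
}

func main() {
	s := BuildScenario()
	fmt.Println("path validation error:", ChainValidates(s, "www.google.com"))           // <nil>
	fmt.Println("pin check passed:", PinnedOK(s.Chain(), []string{SPKIPin(s.PinnedCA)})) // false
}
```

Run with `go run`: path validation reports no error while the pin check reports false. That is exactly the gap the incident exposed. Nothing in RFC 5280 path validation can tell a legitimately issued intermediate from a mistakenly issued one, so a client that knows which key should sit behind a given site has to carry that knowledge itself, which is what Chrome's built-in pins for google.com did.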

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: http://twitter.com/manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
EMC and Lenovo are expanding the joint LenovoEMC Ltd. venture to include co-branded NAS products for SMBs and the distributed enterprise.
Mobile startups are all the rage right now, and many venture capitalists are placing their bets and hoping to cash in. Here are seven new mobile ventures to keep an eye on, some of which may change how we think about mobile.
The U.S. Federal Trade Commission's antitrust settlement with Google will create few changes in the way the company operates, both critics and fans of the deal said.
Tiki Wiki CMS Groupware 'unserialize()' Multiple Remote PHP Code Execution Vulnerabilities
Simple Webserver 2.3-rc1 Directory Traversal
Microsoft will release seven security updates next week -- including one rated critical for Windows 8 and Windows RT -- to patch 12 vulnerabilities in Windows, Office, SharePoint Server and the company's website design software.
Adjusting to changes in corporate hardware buying habits, the Apache Software Foundation's Cassandra NoSQL distributed database has been updated to better use larger servers through the introduction of virtual nodes and configurable policies for disk failure.
Aastra IP Telephone encrypted .tuz configuration file leakage
AST-2012-015: Denial of Service Through Exploitation of Device State Caching
AST-2012-014: Crashes due to large stack allocations when using TCP
Google has agreed to change some of its business practices, including allowing competitors access to some standardized technologies, to resolve a U.S. Federal Trade Commission antitrust complaint against the company.
Samsung plans to launch its first cell phones this year based on Tizen, a Linux-based operating system that will principally rival Google's Android OS.
With less than a week to go before this year's International CES Show in Las Vegas commences, it's unclear which new products will generate the most buzz among attendees of the massive trade show. However, Ultra HDTVs, Windows 8 tablets, smart appliances, and smartphone apps figure to fight for center stage.
Web traffic on Android tablets from various vendors grew substantially after the Christmas holiday, cutting the iPad's share by more than 7%.
A half-million lines of custom code wasn't enough to produce a viable Dynamics AX ERP (enterprise resource planning) system for point-of-sale and RFID products distributor ScanSource, according to a lawsuit it has filed against Avanade, the joint venture between Microsoft and Accenture.
Western Digital is expected to release versions of an enterprise-class 3.5-in. helium-filled drive this year, which could propel the company into first place for enterprise drive sales.
To make more efficient use of data and improve data protection, take a holistic approach to information governance-one that focuses attention on the most sensitive data while removing impediments to sharing.
Over the Christmas period, German coffee roaster turned retailer Tchibo has been selling a 35mm negative scanner that was infected with the Conficker worm. The company is now offering refunds to affected customers.

The U.S. Federal Trade Commission will host a press conference Thursday afternoon to discussion its investigation of Google for antitrust violations.
Storing information in the public cloud from a growing market of vendors is a viable alternative to on-premise, traditional storage options for some use cases, research firm Gartner says.
ExaGrid's unique scale-out grid architecture makes for powerful, scalable, and uncomplicated disk-based backup and deduplication.
The developers of Ruby on Rails, a popular Web application development framework for the Ruby programming language, released versions 3.2.10, 3.1.9, and 3.0.18 of the software on Wednesday in order to patch a serious SQL injection vulnerability.
The long courtship between the Wi-Fi Alliance and the Wireless Gigabit Alliance, which promotes a fast wireless LAN technology that runs on very high frequencies, is set to end in marriage just a little too late for the International CES trade show next week.
The attackers who recently infected the website of the Council on Foreign Relations with an exploit for an unpatched vulnerability in Internet Explorer, also targeted the website of Capstone Turbine Corporation, a U.S.-based manufacturer of gas microturbines used for power generation, heating and cooling, according to a security researcher.
Samsung Electronics should keep its commitment to consumers and withdraw its demands for bans on imports of Apple products in the U.S. as it did in Europe, Apple said in documents filed with the U.S. International Trade Commission (ITC) on Wednesday.
Enterprises buying new mobile devices and investing in security and storage management will give IT spending a boost in 2013.
Investing in security has become one of the topmost priorities of enterprises, given the recent increase in cyber-crime incidents. We spoke to Bhaskar Bhaktavatsalu, regional director, India and SAARC, Check Point, about the changing security landscape and how Check Point has been faring in the market.
Multiple Asterisk Products CVE-2012-5976 Stack Overflow Denial of Service Vulnerability
Opera Web Browser Buffer Overflow and Information Disclosure Vulnerabilities
One thing you might have noticed about Windows 8 is its new boot loader (i.e. the screen that appears shortly after you start your PC). It has a graphical interface, which is nice, but it's not great for anyone who prefers a dual- or multi-boot setup, and it also makes it a little harder to get to advanced boot options.
Polycom HDX Video End Points Unspecified Cross Site Scripting Vulnerability
Opera Web Browser Prior to 12.12 Information Disclosure Vulnerability
djbdns dnscache SOA Requests Remote Cache Poisoning Vulnerability
Google executive chairman Eric Schmidt will join a humanitarian trip to North Korea that may take place as early as this month.
More DDoS attacks on banks, cyberwarfare, and targeted attacks could well be in store in 2013, security experts warn.
Sure you want users to comply with security edicts, but would you phish your own employees or share your company's hack history? At least some CIOs say yes. Insider (registration required)
Hackulous, one of the most well-known platforms for stolen apps, has ceased to operate, but app developers have no reason to hope that their situation is about to improve.

Opera Web Browser Prior to 12.02 Remote Code Execution Vulnerability
Opera Web Browser Memory Corruption Vulnerability
Opera Web Browser Repeated Attempts Site Access Address Bar URI Spoofing Vulnerability
The U.S. government misrepresented facts when it approached a court for search warrants against Megaupload, according to a filing Wednesday by counsels of the file-sharing site.
The Supreme Court of Virginia has vacated a preliminary injunction against reviews posted by a woman on Yelp and Angie's List, in an outcome that is being described by civil rights groups as a victory for freedom of online speech.
Smartphone and tablet owners downloaded a record 1.76 billion iOS and Android apps during the week of Dec. 25 to Dec. 31, a mobile analytics company said.
mediawiki-extensions 'RSS_Reader' Extension HTML Injection Vulnerability
An SQL injection vulnerability has been found in Ruby on Rails that affects all versions of the web framework. The problem was originally discovered by a researcher who used it to bypass Ruby on Rails user authentication.


Last week at the CCC conference in Hamburg, my colleague Luka Milkovic presented his work on memory acquisition tools. The presentation's slides are available at http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html

Since memory acquisition is becoming increasingly common in incident forensics, I think it is very important for every incident handler to be aware of the deficiencies in this process.

So how does the memory acquisition process work? Once executed, all memory acquisition tools (see slide 17 of the presentation) install a driver to gain kernel access, then start reading memory and either dump it to a file or send it over the network.

Slide 17 also shows something interesting: all of the memory acquisition tools listed there (except Win32DD) keep their buffers in user space. In other words, it is relatively simple for an attacker to inject into these tools and tamper with their output. Apart from Win32DD (which can also be attacked, though with more difficulty), all the other well-known memory acquisition tools are doing it wrong.

Building on earlier presentations about attacks on memory acquisition tools, Luka created a PoC tool (to be released soon) called Dementia that can hide any currently running process. The tool monitors the buffers holding memory that is about to be written out; if it detects a memory address belonging to a process that is to be hidden, it simply overwrites that memory with zeroes.

Dementia runs completely in user mode and requires no kernel driver, which lets it subvert all of the popular memory acquisition tools that keep their buffers in user mode (FTK Imager, MDD, Memoryze, Winen, ...). The only requirement is admin rights, which the acquisition tools need as well. Keep in mind that Win32DD can be attacked too, but that requires a kernel driver, since the attacker must be able to modify kernel buffers.

So what can we do? Not much, unfortunately. As a first step, the tools mentioned above should be fixed to use their drivers correctly (i.e. keep all buffers in kernel mode, not user mode). We could also use other acquisition methods, such as memory dumps over FireWire, but that may be difficult with servers, which normally lack FireWire interfaces. As Luka also mentioned, we could rely on crash dumps, since they are much more difficult (though not impossible) to tamper with.
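The attack Luka describes can be modelled in a few dozen lines. The following Go program is an added illustration written for this diary; it is not Dementia and not any of the acquisition tools named above. It simulates an acquisition tool that stages each physical page in a user-mode buffer before writing it out, a user-mode hook that zeroes the pages of the process to be hidden as they pass through that buffer, and the analyst's carving step that afterwards fails to find the process. The simulated physical memory, the process record layout (an 8-byte tag, a PID and an image name, standing in for an _EPROCESS) and the image name evil.exe are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

const (
	pageSize   = 4096
	numPages   = 16
	hiddenPage = 5 // page holding the process record the attacker wants gone
	recOffset  = hiddenPage*pageSize + 64
)

// procMagic tags the constructed stand-in for an _EPROCESS block:
// 8-byte tag, 4-byte PID, NUL-terminated image name.
var procMagic = []byte("PROCMAGC")

// buildPhysical is the simulated RAM the acquisition driver reads.
func buildPhysical() []byte {
	mem := make([]byte, numPages*pageSize)
	for i := range mem {
		mem[i] = byte(0x11 + i%7) // non-zero filler, so a zeroed page stands out
	}
	rec := mem[recOffset:]
	copy(rec, procMagic)
	binary.LittleEndian.PutUint32(rec[8:], 1337)
	copy(rec[12:], "evil.exe\x00")
	return mem
}

// sink receives each page once it has passed through the tool's user-mode staging buffer.
type sink func(dump []byte, physOff int, buf []byte)

// writePlain is the tool's genuine output routine (a file write or a network send).
func writePlain(dump []byte, physOff int, buf []byte) { copy(dump[physOff:], buf) }

// dementiaHook models the attack: code injected into the acquisition tool's own
// process (admin rights suffice, no driver) sees every staging buffer on its way to
// the output routine and zeroes pages belonging to the process being hidden. The
// model assumes page-sized writes; real tools may use other chunk sizes.
func dementiaHook(hiddenPages []int) sink {
	return func(dump []byte, physOff int, buf []byte) {
		for _, p := range hiddenPages {
			if physOff/pageSize == p {
				for i := range buf {
					buf[i] = 0
				}
			}
		}
		writePlain(dump, physOff, buf)
	}
}

// Acquire is the acquisition tool: its "driver" copies each physical page into a
// USER-MODE staging buffer, which is then handed to the output routine. That buffer,
// not kernel memory, is what a user-mode attacker in the same process can reach.
func Acquire(phys []byte, out sink) []byte {
	dump := make([]byte, len(phys))
	staging := make([]byte, pageSize)
	for off := 0; off < len(phys); off += pageSize {
		copy(staging, phys[off:off+pageSize]) // kernel -> user copy
		out(dump, off, staging)
	}
	return dump
}

// FindProcess is the analyst's carving step: the offset of the record for the given
// image name, or -1 when no such process appears in the image.
func FindProcess(dump []byte, name string) int {
	want := []byte(name + "\x00")
	for from := 0; from < len(dump); {
		i := bytes.Index(dump[from:], procMagic)
		if i < 0 {
			return -1
		}
		off := from + i
		if off+12 <= len(dump) && bytes.HasPrefix(dump[off+12:], want) {
			return off
		}
		from = off + 1
	}
	return -1
}

// ProcessVisible runs one acquisition, subverted or not, and reports whether
// evil.exe can still be found in the resulting image.
func ProcessVisible(subverted bool) bool {
	out := sink(writePlain)
	if subverted {
		out = dementiaHook([]int{hiddenPage})
	}
	return FindProcess(Acquire(buildPhysical(), out), "evil.exe") >= 0
}

func main() {
	fmt.Println("evil.exe visible in clean acquisition:    ", ProcessVisible(false)) // true
	fmt.Println("evil.exe visible in subverted acquisition:", ProcessVisible(true))  // false
}
```

The point the model makes is about where the buffer lives, not about any particular tool: the hook only ever touches user-mode memory of its own process, which is why admin rights suffice and why a tool that keeps its buffers in kernel mode forces the attacker up into a driver. The model does not reproduce how Dementia actually matches buffers to process structures; it only shows the window between the kernel-to-user copy and the write in which a user-mode attacker gets to edit the evidence.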

And if nothing else, just be aware that we cannot (completely) trust acquired memory images.



Wordpress Advanced Custom Fields Plugin 'acf_abspath' Parameter Remote File Include Vulnerability
Drupal Core 'getimagesize()' Information Disclosure Vulnerability
Astium PBX Denial of Service Vulnerability