Hackin9
LinuxSecurity.com: New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported as successful even in cases where an error would prevent all verification steps from being performed. [More...]
 
LinuxSecurity.com: Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: An updated activemq package that fixes multiple security issues is now available for Red Hat OpenShift Enterprise 2.0. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in PHP.
 
LinuxSecurity.com: Python could be made to crash or run programs if it received specially crafted network traffic.
 

CSO Magazine (blog)

Infosec 2020 – Coming Sooner Than You Think
Anthony Caruana (CSO Online) — 04 March, 2014 14:29. Trend Micro has been pushing their Vision 2020 theme for some time now. The online video series "2020" is the story about the near future based on ...

 

Time to catch up with that security reading now that your favourite team is second in the league. So let's see what we can do to bring us all up to speed, ready for what Monday will bring, in no particular order:

Data breach after data breach: it would appear that 2014 is turning into the year of "sophisticated techniques" being used to breach online security.

Securing online applications via a mechanism which is susceptible to brute force is not a good idea!

Digging through our mail brings a gem. Nigerian scams are still coming in; I do love today's, which is from:

ACCESS BANK PLC
122 Adenirun Ogunsanya Street,
Off Bode Thomas Road,
Surulere Lagos - Nigeria
24/7 Banking
(24/7 Customer Care HotLine)
Tel: +234-705-654-3873
 
The colour coding is not mine, but is true to the original e-mail, nice touch! What makes this one truly special is that the e-mail was spoofed (shock!) to appear to come from "ACCESS BANK PLC - [email protected]".
 
Ping over any other weekend news, and I'll add to the list to give ISC readers some additional reading material.

Steve Hall

ISC Handler

www.tarkie.net

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Big Yell'eh has raised its ThreatCon to Yellow - "Medium : Increased alertness" - due to increased activity exploiting CVE-2014-0322, which is referenced in Microsoft KB 2934088.

If you cannot apply the FixIt, best look at the mitigating factors, or wait (and monitor, react, and fix) until the patch comes out to mitigate this vulnerability.

Steve Hall

ISC Handler

www.tarkie.net

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Yes, Windows XP is about to Xpire. This sunset has been a while in the making, and has even been paused so that the world could admire it a while longer. But now, it really is upon us, on April 8, the earth rotation will stop for a second or three, and then move on.

If you don't know whether you are running Windows XP, you are probably not reading SANS ISC, but for the off chance that you are, Microsoft now have a cute site http://AmIRunningXP.com to tell you. I wonder how many Mac users connect to that site, just to make sure :).

If you are still running XP anywhere, the current MSFT Blog states that users of XP who have "auto-update" turned on will see a *Warning* come March 8. So ... expect grandma to call and ask about the weird pop-up. It was anyway overdue that you talked to her. Kudos to Microsoft for keeping us connected with our family!

Long story short: If you are still on XP, get off it. The mentioned blog is now even offering migration tools, though that "free" offer is somewhat of a trojan: If you want to move applications in addition to your data, it comes with a 23$ price tag. But why anyone would opt to "migrate" applications rather than go for a clean re-install is anyway beyond me .. as is using a "migration tool" black-box without knowing what is actually being migrated.

Here's my XP migration 101:

  1. Determine if your box can run Windows 7 (enough muscle and memory). Yes, I wrote Windows 7. Who wants Windows 8, anyway?
  2. If no, buy a new computer. Not necessarily a PC. Then go to step 8.
  3. If yes, get yourself a new Hard Drive that fits, and a USB drive enclosure for the disk that is currently in the box.
  4. You'll need to buy a new OS. It doesn't come for free. You might find out that you have to buy Windows 8 after all, because Windows 7 supply is artificially shortened. Well, you had it coming. Life punishes he who is late. What were you waiting for? If the price tag of disk+enclosure+OS turns out bigger than buying a new computer, go to step 2.
  5. Install the new HD, and the new OS onto it.
  6. Boot the new OS. It probably won't bluescreen. Reinstall only the ~five applications that you remember using in the past two weeks or so.
  7. Attach the old HD via USB
  8. Manually copy whatever you still need of your data over. Be skimpy, you can always go back to the original disk if something vital is missing.
  9. Enjoy, sort of.

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Customers continue to have credit card and banking information stolen from taxi services in the Chicago area. Customers of several cab services, including American United, Checker, Yellow, and Blue Diamond, have fallen victim to data theft over the last several weeks. First American Bank is now advising customers to pay cash for taxi services in the area. For more details check out Brian Krebs' story.

http://krebsonsecurity.com/2014/03/illinois-bank-use-cash-for-chicago-taxis/

Thanks to ISC reader Sean Thomas for the heads up.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Type Safe Languages and Buffer Overflows

There are those of us that do most of our software development in "type-safe" languages such as Python, Ruby and .NET. Sometimes we smugly look down upon languages such as C, C++ and Assembly that are not type-safe and do not provide memory protection. You see, type-safe programming languages are "immune" to pesky problems such as buffer overflows.

Let's compare the source code of a simple C and a simple Python program that assign and print a string. First, here is the Python source code.

>>> mystring="This is my string"
>>> print mystring
This is my string


You can see that with Python you don't have to declare a variable type. You don't have to specify how big your string will be. All you do is assign a string to your variable and the Python language takes care of the rest for you. Now let's take a look at the C version of that code.

char mystring[20] = "This is my string";   /* fixed 20-byte buffer; the literal occupies 18 bytes including the terminating NUL */
printf("%s", mystring);                    /* print the buffer as a C string */


With C the first line tells the compiler that the "mystring" variable will hold 20 characters and assigns it the value "This is my string". The next line prints it. The programmer is responsible for defining both what the variable will store and what the size of the variable in memory will be. If the programmer makes a mistake and only allocates 20 bytes of memory, then tries to store 30 bytes, a buffer overflow condition exists.

Since the underlying Python language takes care of all of the memory management and variable typing for you, it is "immune" to these types of problems. So use type-safe languages and everything will be fine. Right?

Last week an exploit was posted to pastebin.com that exploited a buffer overflow condition in Python's socket.recvfrom_into() function. The function was introduced in Python 2.5 and is still vulnerable in Python 3. Every Python program out there that uses that function is potentially vulnerable to remote exploitation, and the exploit for this vulnerability is being distributed in the wild. But how can this be? It is a type-safe language!

All type-safe languages do offer some protection against memory manipulation attacks, but eventually all of these languages make calls to native libraries. So while software developers in type-safe languages are usually less likely to write code vulnerable to buffer overflows, this exploit serves as a potent reminder that all languages are vulnerable to exploitation. Security professionals should always rely on defense in depth.

The vulnerability has been patched in the latest 3.3 interpreter, 3.3.4. Update your interpreter soon. Version 2.7 interpreters are a little more complicated. The latest interpreter is 2.7.6 and it doesn't contain the patch for Issue #20246. The patch is available on the website, but is not compiled into the latest build yet. In this case prevention isn't possible, so detection and monitoring are essential. Keep an eye on the Python website and watch for the latest updates.
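As an added illustration, not taken from the diary or from CPython itself, here is a Python 3 wrapper that performs the kind of bounds check a patched interpreter does internally before socket.recvfrom_into() reaches the native recvfrom() call: a requested byte count larger than the supplied buffer is refused in Python, so the native code is never asked to write past the buffer's end. The function names (check_recv_args, safe_recvfrom_into) and the loopback datagram used in the demo are my own constructions; the same check applies unchanged to a 2.7 program waiting on a build that carries the fix.

```python
import socket


def check_recv_args(buflen, nbytes):
    """Return the byte count that may safely be passed to recvfrom_into.

    nbytes of 0 means "fill the whole buffer"; a negative count or one
    larger than the buffer is refused before any native code runs.
    """
    if nbytes < 0:
        raise ValueError("negative buffersize in recvfrom_into")
    if nbytes == 0:
        return buflen
    if nbytes > buflen:
        raise ValueError("nbytes is greater than the length of the buffer")
    return nbytes


def safe_recvfrom_into(sock, buffer, nbytes=0, flags=0):
    """Drop-in replacement for sock.recvfrom_into(buffer, nbytes, flags).

    `buffer` is any writable buffer (bytearray, memoryview). An unpatched
    interpreter would trust `nbytes`; here the size is validated against
    len(buffer) first, then the real call is made with the checked value.
    """
    nbytes = check_recv_args(len(buffer), nbytes)
    return sock.recvfrom_into(buffer, nbytes, flags)


def oversized_request_is_rejected():
    """Constructed check: a 16-byte buffer with a 32-byte request must fail."""
    buf = bytearray(16)
    try:
        check_recv_args(len(buf), 32)
    except ValueError:
        return True
    return False


def udp_roundtrip(payload=b"constructed test datagram"):
    """Send one datagram over loopback and read it back through the wrapper."""
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        receiver.settimeout(2.0)
        sender.sendto(payload, receiver.getsockname())
        buf = bytearray(64)
        nread, _addr = safe_recvfrom_into(receiver, buf)  # nbytes=0 -> len(buf)
        return bytes(buf[:nread])
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print(udp_roundtrip())
    print("oversized request rejected:", oversized_request_is_rejected())
```

The wrapper does nothing that a fixed interpreter does not already do; its value is on hosts where the interpreter cannot be updated yet, where routing every recvfrom_into() call through one checked entry point turns a silent native overflow into a Python exception that can be logged and alerted on.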

There are a couple of chances to sign up for the SANS Python programming course. Join me for Python for Penetration Testers in Reston, VA, March 17-21 or at SANSFire in Baltimore June 23-27.

Python bug report: http://bugs.python.org/issue20246

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers
http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

PacketSled CEO to Present at AGC's 10th Annual West Coast InfoSec and ...
Virtual-Strategy Magazine (press release)
SAN FRANCISCO, Feb. 24, 2014 /PRNewswire/ -- PacketSled, the leading innovator in real-time Security Intelligence and Analytics for advanced targeted attacks, will be presenting at America's Growth Capital (AGC) Tenth Annual West Coast InfoSec and ...
InfoStretch Is Being Featured at the AGC Partners' Tenth Annual West Coast ... (PR Web, press release)
Skyera CEO Presents at AGC Partners' 10th Annual West Coast Information ... (SYS-CON Media, press release)
 
 
Microsoft has introduced OneDrive for Business, the new name for SkyDrive Pro, and announced that companies can adopt the cloud storage service as a standalone product, without having to sign up for Office 365 or SharePoint Online.
 

An Illinois-based bank is urging customers to stop using credit and debit cards to pay for cab rides in Chicago until more details can be learned about a possible breach suspected of compromising the payment processor that local taxi companies use.

The warning, made Friday by First American Bank, comes amid the high-profile hack on the corporate network of Target that led to the compromise of credit card data for 40 million customers. Since then, several other large retailers have reported similar breaches or come under suspicion of being hacked. The reports are creating an environment of mistrust among payment card issuers, retailers, and consumers. In Friday's advisory First American Bank officials put it this way:

As you’re hearing more and more in the news about the theft of debit and credit card data, we at First American Bank wanted to let you know that we are doing everything we can to ensure our customers are protected and will go to great lengths to do so.

We are advising you not to use your First American Bank debit cards (or any other cards) in local taxis. We have become aware of a data breach that occurs when a card is used in Chicago taxis, including American United, Checker, Yellow, and Blue Diamond and others that utilize Taxi Affiliation Services and Dispatch Taxi to process card transactions.

We have reported the breach to MasterCard® and have kept them apprised of details as they’ve developed. We have also made repeated attempts to deal directly with Bank of America Merchant Services and Bank of America, the payment processors for the taxis, to discontinue payment processing for the companies suffering this compromise until its source is discovered and remediated. These companies have not shared information about their actions and appear to not have stopped the breach.

Since identifying the scheme, we have continuously monitored activity on our customers’ cards. Until the situation is rectified, we will continue to close and reissue cards that have been exposed. This interruption of card services has inconvenienced our customers while they wait for a new card. This can be particularly problematic for customers who are traveling. We believe strongly that the sanctity of our customer’s ability to access their funds without such risk of interruption is a bedrock principle in customer service, and we do so only in cases of extreme risk.

We have submitted a complaint to the City of Chicago Department of Business Affairs and Consumer Protection to get its help to stop the fraud, and have shared the information we have with the appropriate authorities. We ask that you not use your card in taxis until we can advise you that this criminal activity has been stopped.

As always, please monitor your account for any suspicious activity and report it right away to (847) 952-3700. Make sure we have your most current e-mail and phone numbers on file so that we can contact you immediately in the event of another breach. Thank you for choosing First American Bank. We appreciate your business.

According to an article published Monday by KrebsOnSecurity, bank officials issued the statement 18 days after learning of a pattern of fraud on cards previously used in Chicago taxis.


 
Two of Microsoft's top executives will leave, the company confirmed today, signaling more change as it pivots to become a devices and services seller.
 
John Halamka, the CIO of Beth Israel Deaconess Medical Center in Boston, doesn't let any crisis go unused as either a teachable moment, or as a chance to lead IT into new directions.
 
Microsoft today said it has not changed the end-of-support policy for Windows XP users in China, and will still cut off those customers -- as it will others around the world -- from security patches after April 8.
 
Apple's CarPlay user interface will not only add complexity to existing in-vehicle infotainment systems, it would virtually take away the keys from automakers who plan their own systems and interfaces.
 
Reacting to criticism from customers that upgrading from Windows XP was 'impossible,' Microsoft today announced it would give away a limited migration tool to help people move to a newer operating system.
 
[SECURITY] [DSA 2868-1] php5 security update
 
[SECURITY] [DSA 2869-1] gnutls26 security update
 
CFP: Passwords^14, Las Vegas, August 5-6
 
Russia has moved to block citizens from accessing online information about the Ukrainian political movement that ousted the country's pro-Russian president last week.
 
Work is well underway on a study of big data technologies' impact on privacy rights, a senior Obama administration official said Monday, stopping short of saying that substantive new policy changes could be around the corner.
 
Meetup's website remained offline Monday, the victim of a massive DDoS attack, which began last week with an email asking the company's CEO to cough up US$300, or else.
 
[CVE-2014-2206] GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution
 
Two of Microsoft's top executives will leave the company, including its head of marketing and the former CEO of Skype.
 
Pen tester Mark Wolfgang argues segmenting for security is a key piece of an overall defense-in-depth strategy. Here he explains why and how to accomplish it in your organization (registration required)
 
Three phases of an attack that changes a router's DNS settings by exploiting a cross-site request vulnerability in the device's Web interface.
Team Cymru

Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.

The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.

So far, the attacks have hijacked more than 300,000 servers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.


 
Apache Subversion 'mod_dav_svn' Module SVNListParentPath Denial of Service Vulnerability
 
Avaya Multiple IP Phones Multiple Command Injection and Stack Buffer Overflow Vulnerabilities
 
While actors, directors and other Hollywood types got their coveted Oscar awards last night, Twitter was getting recognition of its own.
 
Samsung was already on the path to global domination of the smartphone and tablet market when it unveiled another truckload of devices last week at Mobile World Congress in Barcelona.
 
A second federal bill that proposes "kill-switch" technology be made mandatory in smartphones as a means to reduce theft of the devices was introduced Monday.
 
Mozilla is pushing ahead with its efforts to discourage the use of plug-in based content on the Web and gave developers until the end of March to apply for an exemption from the plug-in blocking planned for the Firefox browser.
 
LinuxSecurity.com: Several security issues were fixed in OpenJDK 6.
 
LinuxSecurity.com: Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated postgresql92-postgresql packages that fix multiple security issues are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Chrony, possibly allowing remote attackers to cause a Denial of Service condition.
 
LinuxSecurity.com: New subversion packages are available for Slackware 14.0, 14.1, and -current to fix denial-of-service issues. [More Info...]
 
LinuxSecurity.com: It was discovered that file, a file type classification tool, contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files. The Common Vulnerabilities and Exposures project [More...]
 
LinuxSecurity.com: Multiple integer overflow vulnerabilities have been found in ArgyllCMS which could allow attackers to execute arbitrary code.
 
[CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0
 
[CVE-2013-6232] Persistent Cross-Site Scripting (XSS) in SpagoBI v4.0
 
WordPress thecotton Themes Remote File Upload Vulnerability
 
Collaborative Lifecycle Management Applications Unspecified Remote Code Execution Vulnerability
 
[CVE-2013-6234] XSS File Upload in SpagoBI v4.0
 
Winners of the 2014 "Ones to Watch" awards -- administered by the CIO Executive Council -- say they're trying to reduce the distance between corporate IT and external customers.
 
 
One company is using gamification to change the customer service paradigm from frustrating to fun -- and customers are loving it.
 
The Cisco Nexus 9000 series, the fruit of Cisco's Insieme spin-in, is more than another fast router -- it's a change in the way that high-end routers are designed and built.
 
Hidden in Cisco's Nexus 9000 and Application Centric Infrastructure news was another nifty announcement: an optical transceiver that delivers 40Gbps speeds using older 10Gbps fiber and standard connectors. Cisco's "BiDi" optical transceivers solve a sticky cabling problem in an elegant way.
 
Cisco Unified Communications Domain Manager Multiple Cross Site Scripting Vulnerabilities
 
Multiple ASUS Routers Cross Site Scripting and Authentication Bypass Vulnerabilities
 
Xen 'xc_cpupool_getinfo()' Function Use After Free Memory Corruption Vulnerability
 
Oracle Supply Chain Products Suite CVE-2014-0372 Multiple SQL Injection Vulnerabilities
 
ESA-2014-003: RSA® Data Loss Prevention Improper Session Management Vulnerability
 
[CVE-2013-6231] Remote Privilege Escalation in SpagoBI v4.0
 
We've rounded up a bunch of experts' tips about how to retain your privacy -- as much as possible, anyway -- and how to surf the Web silently, among other things.
 
Apple has teamed with car manufacturers to let drivers use their iPhones to make calls, access music, get directions and send and receive messages with a touch or a voice command using a car's display and controls.
 
Fujitsu may incorporate its palm scanners in smartphones as a means of verifying a user's identity.
 
Android and Samsung Electronics were the big winners in the tablet market last year, as sales grew by 68%, according to Gartner.
 
Microsoft is making a special exception in the way it retires Windows XP in China, and will continue offering security support for the OS to users in the nation.
 
For the second month in a row, Windows XP and Windows 8 defied their maker's wishes, as XP gained user share, and Windows 8, the OS Microsoft hopes will fuel sales of new devices, flatlined in February.
 
Re: CVE-2014-5795 - Database Credentials Leak in Oracle Demantra
 
Re: CVE-2014-5880 - Authentication Bypass in Oracle Demantra
 
CVE-2014-5880 - Authentication Bypass in Oracle Demantra
 
Oracle Supply Chain Products Suite CVE-2014-0379 Multiple HTML Injection Vulnerabilities
 
CVE-2014-0372 - SQL Injection in Oracle Demantra
 
Oracle Supply Chain Products Suite CVE-2014-0371 Multiple Cross Site Scripting Vulnerabilities
 
Oracle Supply Chain Products Suite CVE-2013-5880 Remote Security Vulnerability
 
Oracle Supply Chain Products Suite CVE-2013-5795 Remote Security Vulnerability
 
Oracle Supply Chain Products Suite CVE-2013-5877 Remote Security Vulnerability
 