Hackin9

InfoSec News

In response to a number of attacks on SHA-1, NIST started looking for a successor to SHA-2, figuring it likely that SHA-2 might fall as well. To date that hasn't happened, and SHA-512 still looks strong. The competition proceeded and was whittled down from 64 candidates over a number of rounds. Yesterday NIST announced the winner of the SHA-3 competition: Keccak (http://csrc.nist.gov/groups/ST/hash/sha-3/winner_sha-3.html).
Keccak (pronounced "ketchak") was developed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. More details on the actual algorithm can be found at http://keccak.noekeon.org/.


What does it mean for us? Well, you will start seeing SHA-3 added to the FIPS hash standards next to FIPS 180-4 (NIST ultimately published it as a separate standard, FIPS 202, rather than folding it into 180-4). You'll start to see the algorithm become available in the various security products that require a hash function. Until then, and quite possibly even after, you can keep using SHA-512.
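To make the "actual algorithm" concrete, here is an added example, written for this page and not code from the Keccak team or from the diary: a from-scratch Keccak-f[1600] permutation and sponge in Python. It exposes Keccak-256 with the padding exactly as submitted to the competition (suffix byte 0x01) next to SHA3-256, SHA3-512 and SHAKE128 as NIST later standardized them in FIPS 202 (NIST prepended the domain-separation bits 01, giving suffix 0x06, which is why Keccak-256 and SHA3-256 disagree on the same input). The round constants and rotation offsets are generated from the specification's own rules rather than typed in, and the result is cross-checked against CPython's hashlib, which has carried SHA-3 since Python 3.6; the only assumption is that hashlib is present.

```python
import hashlib  # standard library; used only to cross-check the from-scratch result

MASK64 = (1 << 64) - 1


def rotl64(v, n):
    n %= 64
    return v if n == 0 else ((v << n) | (v >> (64 - n))) & MASK64


def round_constants():
    """The 24 iota constants, generated with the LFSR the specification uses."""
    rc, r = [], 1
    for _ in range(24):
        c = 0
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF   # x^8 + x^6 + x^5 + x^4 + 1
            if r & 2:
                c ^= 1 << ((1 << j) - 1)
        rc.append(c)
    return rc


def rho_offsets():
    """Rotation offsets r[x][y], derived by walking the (x, y) -> (y, 2x+3y) orbit."""
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r


RC, RHO = round_constants(), rho_offsets()


def keccak_f1600(a):
    """One Keccak-f[1600] permutation over 25 64-bit lanes; lane (x, y) sits at index x + 5*y."""
    for rc in RC:
        # theta: mix each lane with the parity of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rotl64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho (rotate each lane) and pi (move it to its new position) in one pass
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl64(a[x + 5 * y], RHO[x][y])
        # chi: the only non-linear step, row-wise a ^ (~b & c)
        a = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]
        a[0] ^= rc  # iota: break the symmetry between rounds
    return a


def sponge(rate_bytes, data, suffix, out_len):
    """Absorb data + domain suffix + pad10*1 at the given rate, then squeeze out_len bytes."""
    lanes = [0] * 25
    buf = bytearray(data) + bytes([suffix])
    buf += bytes(-len(buf) % rate_bytes)   # zero fill up to a whole block
    buf[-1] |= 0x80                        # final 1 bit of the pad10*1 rule
    for off in range(0, len(buf), rate_bytes):
        for i in range(rate_bytes // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = b""
    while True:
        out += b"".join(lanes[i].to_bytes(8, "little") for i in range(rate_bytes // 8))
        if len(out) >= out_len:
            return out[:out_len]
        lanes = keccak_f1600(lanes)   # only XOFs such as SHAKE reach this line


def keccak_256(data):
    """Keccak-256 exactly as submitted to the competition: suffix 0x01 (pad10*1 alone)."""
    return sponge(136, data, 0x01, 32)


def sha3_256(data):
    """SHA3-256 as standardized in FIPS 202: NIST prepended the domain bits 01, hence 0x06."""
    return sponge(136, data, 0x06, 32)


def sha3_512(data):
    return sponge(72, data, 0x06, 64)


def shake_128(data, out_len):
    """SHAKE128 XOF: suffix 0x1F; the squeeze loop runs for more than one block."""
    return sponge(168, data, 0x1F, out_len)


def matches_hashlib(data):
    """Cross-check the from-scratch digests against CPython's hashlib implementation."""
    return (sha3_256(data) == hashlib.sha3_256(data).digest()
            and sha3_512(data) == hashlib.sha3_512(data).digest()
            and shake_128(data, 300) == hashlib.shake_128(data).digest(300))


if __name__ == "__main__":
    for msg in (b"", b"abc", b"a" * 300):
        print(msg[:8], sha3_256(msg).hex(), keccak_256(msg).hex(), matches_hashlib(msg))
```

The rate is the only thing that changes between SHA3-256 (1088 bits, 136 bytes) and SHA3-512 (576 bits, 72 bytes): a longer digest buys its extra security by absorbing fewer message bytes per permutation call. Note also that the digest is read straight out of the state without any finalization step that exposes internal chaining values, which is the structural reason the sponge does not suffer the length-extension property of the Merkle-Damgård SHA-2 family.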
Cheers
Mark H


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The wave of cyberattacks against a half-dozen U.S. financial institutions has subsided this week, but the recent demonstration of force shows a careful honing of destructive techniques that could continue to cause headaches.
 
 
Oracle Sun Products Suite CVE-2012-3126 Local Solaris Cluster Vulnerability
 
Now that we've settled into Mountain Lion, the iPhone 5, and iOS 6, it's time we devoted several minutes to a feature that's common to all of them--iCloud syncing and backup. I'm joined in that devotion by staff writer Lex Friedman who recently penned How to Free Up iCloud Storage Space, available right here on Macworld.com.
 
Video: Board member David Melnick discusses the "interesting challenge" of growing (ISC)2's ranks while still creating value for existing members.

 
jabberd XMPP Server Dialback Protection Bypass Component Security Bypass Vulnerability
 
U.S. Mint CISO Chris Carpenter said his cloud provider wasn't ready for either his security questions or to share continuous monitoring and log data.

 
U.S. officials today struck at six long-running scams, freezing assets of 14 companies charged with bilking consumers by posing as tech support from Microsoft, Symantec and others.
 
Greetings ISC Readers,
Today's Standards topic for Cyber Security Awareness Month begins a two-part diary that ties together standardization and UNIX privileged accounts. Part One gets the conversation started and ties some things together. Part Two lays out some technical options for consideration. I touched upon this in my October 2011 diary on Critical Control 8 - Controlled Use of Administrative Privileges [1]. Taken together, both parts extend last year's discussion, as they overlap quite a bit.



The ISO has a working draft under development for a Framework for Identity Management (IdM) named ISO/IEC 24760. A sub-component of IdM is Privileged Identity Management which addresses accounts used to administer servers and manage critical services. Privileged accounts carry a different risk profile than ordinary user accounts.



It is still very common for organizations to accept these risks and continue operating with less accountability. The increased risk comes mainly from poor password management for the privileged accounts, coupled with poor accountability for their use. There are products on the market that manage passwords for privileged accounts, with varying OS support and degrees of accountability. The difficulty of this task varies greatly and depends on an organization's budget and its commitment to providing this control. The use of tools to manage privileged account passwords is a growing expectation of auditors. The main objective of this effort is to limit the routine need for unfettered and unaccountable access.



Now, as a former UNIX admin, I have been party to many meetings and debates on limiting root access. The notion implies tying the hands of the very good people who keep the servers operating. However, we are in a new era that affords different challenges and opportunities. Using the UNIX sudo utility bridges the gaps between access, need and accountability. Ultimately, it lowers the risk profile of the business.



The sudo utility is free software [2] that runs on most flavors of UNIX. Sudo has been a staple of the UNIX community since the early 1990s and is maintained by Todd C. Miller [3]. Today it ships with many UNIX distributions as the means of controlling privilege escalation. Some of the newer features in sudo make managing a standard sudo environment much easier than in versions past. The reality is that some organizations will not true up sudo versions on every server, especially in larger environments (more than 100 servers, or even 1,000 UNIX servers; yes, they exist!).



The basic idea is to create standard command sets that suit a given operating environment, then push them out with scp/rsync. Part Two of this diary will illustrate how to profile command sets using a consistent format for the sudoers file. With standard command sets in place, the privileged account passwords can be protected further and only checked out when an event occurs that requires full command-line access.



At a basic level this is a perfect model for smaller environments (fewer than 25 servers), yet very challenging for larger environments with too many business needs to meet. When the newer #includedir directive (INCLUDEDIR) [4] arrived, it brought medium-sized environments (around 100 servers) within reach. Again, this only works well as long as all of your servers run a sudo version with #includedir available (it was added in sudo 1.7.2). Most UNIX admins already have rsync scripts and can adapt a new process like this one in a very short time. So, if #includedir is there, standardizing the sudoers file should be a snap. Larger environments are an entirely different story: without #includedir, the simple suggestion above will lie dead on this page. There is hope, however! In Part Two, I will lay out some options for implementing a standardized sudoers file.
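As an added example of the "standard command sets pushed out with rsync" model described in the two paragraphs above, here is a small Python tool written for this page; it is not the diary's own scripts, nor anything from the sudo project. It renders each role's command set into a sudoers.d fragment in one fixed layout (so every host ends up with a byte-identical file), lints the set for the escape hatches a syntax check will never flag, writes the files atomically with the 0440 permissions sudo expects, and runs `visudo -cf` on each when visudo is installed. The role names, group names, commands and log paths are placeholders assumed for the example, and the `SUDOERS_HEADER` shows the matching head of /etc/sudoers with the `#includedir` line that pulls the fragments in.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Hypothetical role -> command-set profiles. The role names, group names and
# commands are placeholders for this example, not recommendations from the diary.
PROFILES = {
    "web_ops": {
        "members": ["%webadmins"],
        "commands": ["/usr/sbin/apachectl graceful",
                     "/usr/bin/tail -f /var/log/httpd/error_log"],
    },
    "backup": {
        "members": ["backup"],
        "commands": ["/usr/bin/rsync", "/bin/tar"],
        "nopasswd": True,
    },
}

# Standard head of /etc/sudoers: identical logging Defaults on every host, with
# the role fragments pulled in from a directory, which is what #includedir is for.
SUDOERS_HEADER = (
    "Defaults logfile=/var/log/sudo.log, log_host, log_year\n"
    "root ALL=(ALL) ALL\n"
    "#includedir /etc/sudoers.d\n"
)

# Commands that turn a "limited" rule into full root: shells, su, and programs
# with a well-known shell escape. Keep them out of standard command sets.
ESCAPE_HATCHES = {
    "ALL", "/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/su",
    "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/find",
}


def render_profile(name, profile):
    """Render one sudoers.d fragment in a fixed layout so every host gets an identical file."""
    alias = name.upper() + "_CMDS"
    lines = [f"# Standard command set '{name}': managed centrally, do not edit on the host",
             f"Cmnd_Alias {alias} = " + ", \\\n    ".join(profile["commands"])]
    tag = "NOPASSWD: " if profile.get("nopasswd") else ""
    lines += [f"{member} ALL=(root) {tag}{alias}" for member in profile["members"]]
    return "\n".join(lines) + "\n"


def lint_profile(profile):
    """Return policy problems that visudo -c will not catch: it checks syntax, not intent."""
    problems = []
    for cmd in profile["commands"]:
        exe = cmd.split()[0]
        if exe in ESCAPE_HATCHES:
            problems.append(f"{cmd}: grants an interactive shell or a shell escape")
        elif not exe.startswith("/"):
            problems.append(f"{cmd}: command must be an absolute path")
        if "*" in cmd:
            problems.append(f"{cmd}: wildcard arguments also match spaces, so extra arguments slip through")
    return problems


def write_profile(dest_dir, name, profile):
    """Write the fragment atomically with mode 0440, the permissions sudo expects."""
    path = os.path.join(dest_dir, f"50-{name}")
    # sudo skips sudoers.d entries whose name contains a '.', so a temp file left
    # behind by an interrupted push can never be picked up as live policy.
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_profile(name, profile))
    os.chmod(tmp, 0o440)
    os.replace(tmp, path)
    return path


def visudo_check(path):
    """Syntax-check a fragment with `visudo -cf` when visudo is installed; None means 'not checked'."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    return subprocess.run([visudo, "-cf", path], capture_output=True).returncode == 0


def build_tree(dest_dir=None):
    """Lint, render and write every profile into a staging directory ready to rsync to the hosts."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="sudoers.d-")
    written = {}
    for name, profile in PROFILES.items():
        problems = lint_profile(profile)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        path = write_profile(dest_dir, name, profile)
        written[name] = {"path": path,
                         "mode": stat.S_IMODE(os.stat(path).st_mode),
                         "visudo": visudo_check(path)}
    return written


if __name__ == "__main__":
    for name, info in build_tree().items():
        print(name, info)
```

The staging directory is what the existing rsync job pushes (for example `rsync -a --delete staging/ host:/etc/sudoers.d/`), and because the fragments are generated rather than hand-edited, a diff of the staging tree against a host is also the audit evidence that the host runs the standard set. The lint step matters more than it looks: `visudo -c` only proves the file parses, while a single `/bin/bash` or a glob like `/bin/cat /var/log/*` in an otherwise tidy command set quietly hands the member full root.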



In the meantime, post a comment below to share what you're doing. If I can incorporate it, I will be sure to include it and credit you.



-Kevin


[1] https://isc.sans.edu/diary.html?storyid=11794
[2] http://www.sudo.ws/sudo/
[3] http://www.sudo.ws/sudo/history.html
[4] http://www.sudo.ws/sudo/man/1.8.6/sudoers.man.html#includedir
--

ISC Handler on Duty
 
A hacking group that calls itself Team GhostShell this week claimed credit for breaking into servers at 100 major universities from around the world, including Harvard, Stanford, the University of Pennsylvania and the University of Michigan.
 
Hewlett-Packard CEO Meg Whitman says she won't be able to say whether she has completely turned this company around until 2016.
 
While T-Mobile USA announced a deal to merge with MetroPCS Wireless on Wednesday, Dish Network Chairman Charlie Ergen said regulatory delays have prevented his company from securing partners and spectrum it will need to build a viable mobile broadband business.
 
Hewlett-Packard has outlined a turnaround plan that includes slashing the number of PC models it sells by 25 percent over the next two years.
 
[security bulletin] HPSBMU02817 SSRT100950 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Disclosure of Information
 
T-Mobile USA's planned merger with MetroPCS promises to create the 'leading value' wireless carrier in the U.S., according to officials from both companies.
 
EMC appointed former Huawei Technologies executive John Roese as its new CTO. Roese will play a key role in shaping EMC's technology strategy. Roese replaces Jeff Nick, who has been EMC's CTO for eight years.
 
T-Mobile USA's merger with MetroPCS, announced today, promises to create the "leading value" wireless carrier in the U.S., officials from both companies said.
 
Apple's rumored November launch of a smaller, less-expensive iPad will put the company in a tight spot -- tighter than usual -- if it's not able to build up and maintain adequate supplies through the holiday season, analysts said today.
 
ocPortal 'redirect' Parameter URI Redirection Vulnerability
 
Our Cyber Security Awareness diary on Standards will be up in a little bit. In the meantime, a reminder that fake phone phishing scams are still alive and well. Reader Joe D. shared an event that ended well but gave him, and now us, some further awareness that fake IT support calls aimed at phishing your information out of you are still out there. The human is still the weakest link in the chain.



The incident as told was an unsolicited call by a man with an accent claiming to be from Microsoft. The caller attempts to bait the victim by stating, 'We are seeing errors being generated from your computer.'



We need everyone to stay vigilant and be suspicious of any unsolicited calls about your computer. If you or someone you know has experienced an incident such as this, then please encourage them to submit it to the Internet Storm Center. [1] An account is not needed to submit the form.


[1] https://isc.sans.edu/reportfakecall.html





-Kevin
--

ISC Handler on Duty
 
The HSTS (HTTP Strict Transport Security) protocol, designed to reduce the possibility of internet users' connections being hijacked, has been approved as a proposed standard.


 
Drupal Stickynote Module Unspecified Cross Site Scripting Vulnerability
 
Joomla! Quickl Form Component Unspecified Cross Site Scripting Vulnerability
 
[ MDVSA-2012:158 ] gc
 
Multiple vulnerabilities in Template CMS
 
[ MDVSA-2012:157 ] openjpeg
 
Omnistar Mailer v7.2 - Multiple Web Vulnerabilities
 
At this week's Fall 2012 DEMO conference, big data was in a category by itself - and for good reason.
 
The foreman of the jury that recently handed Apple a $1 billion patent victory over Samsung Electronics was untruthful and biased, the South Korean company alleged in a filing with a U.S. court.
 
Research in Motion Wednesday released a BlackBerry PlayBook OS update that adds full device encryption to secure personal data stored on the device to go along with the already-available encryption for corporate data.
 
Swedish police confiscated three servers allegedly connected to copyright infringements during a raid on PRQ, a hosting service that was once home to The Pirate Bay. The main target was the Swedish torrent site tankafett.nu, according to the hosting company's owner.
 
The Keccak hashing algorithm has won the competition to be named the next-generation hash function by NIST. Security expert Bruce Schneier expressed his approval of the choice.


 
CPE17 Autorun Killer Stack Buffer Overflow Vulnerability
 
[ MDVSA-2012:153-1 ] dhcp
 
Deutsche Telekom's T-Mobile USA and MetroPCS Communications have signed an agreement to merge in a deal that will see MetroPCS shareholders receive US$1.5 billion in cash and 26 percent of the new company.
 
OptiPNG Use-After-Free Remote Code Execution Vulnerability
 
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 
Futurist and computer pioneer Ray Kurzweil says it will be possible to 'repurpose' human brains to learn new things.
 
When Apple introduced iCloud in 2011, it announced that every customer with an Apple ID would receive 5GB of iCloud storage space for free. You can add more storage at a rate of $2 per gigabyte per year, in 10GB, 20GB, or 50GB increments. But if you're not interested in ponying up extra cash for iCloud storage, that 5GB can quickly get tight.
 
The Samsung Galaxy S III loads Web pages 9% faster over LTE wireless than Apple's new iPhone 5, according to tests by Strangeloop Networks, a vendor of network optimization software.
 
Google Chrome Prior to 22.0.1229.79 Multiple Security Vulnerabilities
 
Though product cycle times are accelerating, the underlying technologies unfold over many years.
 
The Last Pictures project is scheduled to blast off this fall, sending a communications satellite into space with a gold-plated, photo-filled disc attached to it that is meant to be a cultural artifact for aliens to find.
 
 
Watch out Google, here comes Nissan: The Japanese car maker has unveiled a concept car based on the all-electric Leaf that is able to drive and park itself.
 
Japan's Murata Manufacturing has developed a tiny sensor that, if embedded in a computer or tablet device, allows the user to swipe and zoom without touching the display panel.
 
InterNetNews 'STARTTLS' Implementation Plaintext Arbitrary Command Injection Vulnerability
 
Individuals have no reasonable expectation of privacy in historical cell phone location data collected by phone companies, a federal prosecutor said in oral arguments Monday before the Fifth Circuit Court of Appeals in New Orleans.
 
 
Using only two scripts, cyber criminals have accessed home users' routers and redirected them and their PCs to arbitrary, specially crafted internet sites. The security hole has been known about since March 2011.


 
IBM has started to roll out a new processor for its Power family of servers, a staggered affair that will start with higher-end systems and eventually reach the midrange and low-end boxes.
 

Posted by InfoSec News on Oct 03

http://thotcon.org/cfp.html

What: THOTCON 0x4 - Chicago's Hacking Conference
When: 04.26.13
Where: TOP_SECRET
Call for Papers: Opens 10.01.12

*** ABOUT *****************************************************************
THOTCON (pronounced \ˈthȯt\ and taken from THree - One - Two) is
a small venue hacking conference based in Chicago IL, USA. This is a non-profit,
non-commercial event looking to provide the best conference
possible on very...
 

Posted by InfoSec News on Oct 03

http://www.wired.com/threatlevel/2012/10/dhs-false-water-pump-hack/

By Kim Zetter
Threat Level
Wired.com
10.02.12

When an Illinois fusion center distributed a report last year stating
that hackers from Russia had broken into a water district’s SCADA system
and sabotaged a water pump, the Department of Homeland Security stepped
in publicly to denounce the report as false, blaming the regional fusion
center for spreading unsubstantiated...
 

Posted by InfoSec News on Oct 03

http://www.smithsonianmag.com/history-archaeology/The-CIA-Burglar-Who-Went-Rogue-169800816.html

By David Wise
Smithsonian magazine
October 2012

The six CIA officers were sweating. It was almost noon on a June day in
the Middle Eastern capital, already in the 90s outside and even hotter
inside the black sedan where the five men and one woman sat jammed in
together. Sat and waited.

They had flown in two days earlier for this mission: to break...
 

Posted by InfoSec News on Oct 03

http://www.dailymail.co.uk/sciencetech/article-2211108/Could-phones-camera-secretly-taking-pictures-right-Hackers-use-lens-steal-private-data--build-3D-model-home.html

By Eddie Wrenn
Daily Mail
1 October 2012

A new app can 'virtually steal' from your home - by turning on your
phone's camera and beaming images back to thieves.

The software can even build up a 3D model of your home, from which the
hackers can inspect your rooms,...
 

Posted by InfoSec News on Oct 03

http://www.businessweek.com/articles/2012-10-02/the-battle-to-protect-confidential-data

By Verne Kopytoff
BusinessWeek
October 02, 2012

Countries with nuclear aspirations would love to get their hands on
Silicon Graphics International’s (SGI) supercomputer technology, says
Franz Aman, the company’s chief marketing officer.

There are export controls to block a sale of such information, of
course. But, Aman says, product designs,...
 
Windows security has improved, but longstanding Unix and network vulnerabilities remain an easy target for determined attackers.

 