InfoSec News

As she approached her third anniversary as Yahoo's CEO, Carol Bartz couldn't overcome a recent string of missteps that apparently eroded the board's confidence in her and eclipsed her achievements as leader of the embattled Internet pioneer.
 
A report prepared by the IT security firm conducting an audit of the DigiNotar network found serious lapses in security and more than two dozen compromised CA servers.



 
Carol Bartz has been replaced as the CEO of Yahoo by the company's chief financial officer, Tim Morse, according to a report Tuesday on the Wall Street Journal's All Things D blog.
 
There has been quite some coverage of Bitcoin in the last couple of months. For those who did not pay attention: Bitcoin is a decentralized crypto-currency that works over a peer-to-peer network. It is a pretty fascinating project by a researcher using the name Satoshi Nakamoto (whose real identity has not been confirmed), and in case you are interested you can find more information at http://www.bitcoin.org/.
Some background
A couple of weeks ago I started doing some research on how Bitcoin works. I found it amazing that for a scheme so widespread (there are probably tens of thousands, if not hundreds of thousands, of active users) not a lot of technical documentation is available, apart from Satoshi's paper on the main web site, which does not really go into implementation details.
One of the features of Bitcoin that gets mentioned quite often is its anonymity. Basically, Bitcoin has a digital wallet that lets you process incoming transactions and create new ones. A user has one or more (preferably many) public/private key pairs that identify him. When you want to send Bitcoins to someone, you sign a transaction that takes some of your Bitcoins (which you received through an earlier transaction or through mining, more about this later) and assigns them to the destination address. An address is derived from the public key as RIPEMD160(SHA256(public key)), a 20-byte (40 hexadecimal digit) value; a version byte and a 4-byte checksum are added and the result is Base58-encoded into the familiar address string.
You can have as many of these as you want, and this is one of the ways Bitcoin provides anonymity. Since you can use a different key pair for every transaction (and you can transfer Bitcoins between your own addresses), it can be difficult (but not impossible) to track the owner. One thing to keep in mind is that all Bitcoin transactions are public: every node knows everything about every transaction.

There is some interesting research on tracking Bitcoin owners, and Dan Kaminsky presented some good ideas at this year's Black Hat.
How do you get new coins?
In order to be confirmed, a transaction has to be included in a block. A block (https://en.bitcoin.it/wiki/Blocks) contains the hash of the previous block (so the blocks are chained; forging an old block means redoing the work for every block that came after it, which is what makes tampering harder as more blocks are generated), some other header fields and the Merkle root hash of all transactions included in this block.
Now comes the best part: all of this is hashed together (SHA256(SHA256(block header))) and the resulting hash has to satisfy a requirement. Simplified, the hash has to start with a certain number of zeros (technically it has to be numerically below a target value; the lower the target, the more leading zeros and the harder it is to find). So, for example, if the resulting hash has 7 leading zeros it is valid. How do we find a valid block? Besides the payload, a nonce is embedded in the header, and that nonce gets changed constantly.
Simply speaking, the node generating the block brute-forces nonce values until it finds a hash that satisfies the requirement. As you can see, this is an extremely demanding task that, even with the fastest gear (and I'm talking about loads of GPU cards), can take days if not months.
So a logical question is: why would anyone do that? The node that finds a valid block (mines it, in Bitcoin's terminology) is currently awarded 50 Bitcoin. With 1 Bitcoin at around 7.3 USD currently, this means each solved block is worth about 365 USD to the node that found it. Sounds good?
Besides this, the solver also gets a fee for the transactions that have been validated, so in reality more than 50 Bitcoin will be awarded to the solver (this is the incentive to keep solving blocks even after all Bitcoins have been awarded).
Finally, another important thing about blocks is that it should take approximately 10 minutes to solve one. Every 2016 blocks the network measures how long those blocks took to solve (it should be about two weeks) and adjusts the difficulty accordingly (so if more people start solving, the difficulty goes up).
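As an added illustration (example code written for this diary, not part of the Bitcoin client), here is the hashing and difficulty logic described above in Python: the 80-byte header is serialized, double-SHA256'd, and the nonce is brute-forced until the hash falls below the target encoded in the header's "bits" field; the retarget function applies the 2016-block adjustment rule, including the factor-of-four clamp the real network uses. The header field values are constructed placeholders, and the demo target is chosen far easier than the real network's so the search finishes in well under a second.

```python
import hashlib
import struct

# Protocol constants: the easiest target the network allows (difficulty 1),
# the number of blocks between adjustments and the time they are expected to take.
MAX_TARGET = 0xFFFF << 208
RETARGET_INTERVAL = 2016
TARGET_TIMESPAN = RETARGET_INTERVAL * 600  # 2016 blocks * 10 minutes = two weeks

# Constructed header fields for the demo (placeholders, not a real block).
DEMO_PREV_HASH = bytes(32)
DEMO_MERKLE_ROOT = hashlib.sha256(b"constructed merkle root").digest()
DEMO_TIMESTAMP = 1315000000
DEMO_BITS = 0x1F00FFFF  # very easy target: the hash must start with 16 zero bits


def target_from_bits(bits):
    """Expand the compact 'bits' header field into the 256-bit target.
    Assumes exponent >= 3, which holds for every target the network has used."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    return mantissa << (8 * (exponent - 3))


def difficulty(target):
    """Difficulty as reported by the client: how much harder than the easiest target."""
    return MAX_TARGET / target


def build_header(version, prev_hash, merkle_root, timestamp, bits, nonce):
    """Serialize the 80-byte block header; integer fields are little-endian."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def block_hash(header):
    """Proof-of-work hash: SHA256(SHA256(header))."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2**32):
    """Brute-force the nonce until the header hash is at or below the target.
    The hash is compared as a little-endian integer; printed in the usual
    byte-reversed form, a small number shows up as a run of leading zeros.
    Returns (nonce, hash_hex) or None if the nonce space is exhausted."""
    target = target_from_bits(bits)
    for nonce in range(max_nonce):
        h = block_hash(build_header(version, prev_hash, merkle_root, timestamp, bits, nonce))
        if int.from_bytes(h, "little") <= target:
            return nonce, h[::-1].hex()
    return None


def retarget(old_target, actual_timespan):
    """Difficulty adjustment run every 2016 blocks: scale the target by how long
    the last interval really took, clamped to a factor of 4 either way, and
    never easier than MAX_TARGET."""
    actual = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    return min(old_target * actual // TARGET_TIMESPAN, MAX_TARGET)


if __name__ == "__main__":
    nonce, shown = mine(1, DEMO_PREV_HASH, DEMO_MERKLE_ROOT, DEMO_TIMESTAMP, DEMO_BITS)
    print(f"found nonce {nonce}: {shown}")
    print("difficulty of bits 0x1d00ffff:", difficulty(target_from_bits(0x1D00FFFF)))
    # If the last 2016 blocks took one week instead of two, the target halves and
    # the difficulty doubles; if they took ten weeks, the clamp limits the relief
    # to a factor of four.
    t = target_from_bits(0x1B0404CB)  # a compact target value in the real network's range
    for span in (TARGET_TIMESPAN // 2, TARGET_TIMESPAN * 10):
        print(f"{span} s interval -> difficulty {difficulty(retarget(t, span)):.2f}")
```

Note that the comparison is against the full 256-bit target, not a count of leading zero digits: two hashes with the same number of leading zeros can fall on different sides of the target.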
My CPU your CPU
There are legitimate groups of users who join so-called mining pools in order to find new valid hashes. The pool operator runs special software that hands out partial tasks to all participating nodes. Different pools have different rules, but today it is common for them to share the Bitcoin received among the participating nodes in proportion to how much work each node contributed.
There are many open source, free Bitcoin mining programs that are specially optimized for GPUs.

And imagine this: who has the most CPU power in the world (except government agencies)? Bot owners, of course.

In other words, it was to be expected that bot owners would start playing this game: after they've stolen all the valuable data off a machine, why wouldn't they use its resources (CPU, GPU and power) to mine Bitcoins and make some extra cash (which even looks anonymous!)?
A couple of months ago we first started seeing malware stealing Bitcoin wallets (basically transferring the victim's coins to addresses controlled by the malware's owner), and lately Bitcoin mining pools used by malware have become increasingly popular.

The modus operandi is typical: the malware drops legitimate Bitcoin mining executables, which join a pool operated by the botnet owner. In most cases I've seen so far they use the standard protocols, so be sure to check TCP port 8333 (the Bitcoin peer-to-peer port; keep in mind that pool mining itself usually talks JSON-RPC over HTTP to whatever port the pool operator chose, 8332 being the bitcoind default). Bitcoin also uses IRC for initially finding other nodes, so it might easily make your IDS/IPS light up like a Christmas tree (even if a legitimate user started it).
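Added example, not from the original diary: a small parser for the Bitcoin peer-to-peer wire format, which is what an IDS signature for "Bitcoin on port 8333" boils down to. Every message starts with the 4-byte mainnet magic f9 be b4 d9, followed by a 12-byte NUL-padded command, a little-endian payload length and a checksum that is the first 4 bytes of SHA256(SHA256(payload)); verifying the checksum keeps random traffic on the port from being flagged. The version payload decoder recovers the peer's user agent string, which tells you which client software a host is running. The handshake below is constructed in the code itself, not captured from a real host, and the user agent and protocol version values in it are placeholders.

```python
import hashlib
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")  # first four bytes of every mainnet message
HEADER_LEN = 24


def checksum(payload):
    """First four bytes of SHA256(SHA256(payload)); 5df6e0e2 for an empty payload."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def build_message(command, payload):
    """Serialize: magic | command (12 bytes, NUL-padded) | length LE | checksum | payload."""
    cmd = command.encode("ascii")
    if len(cmd) > 12:
        raise ValueError("command too long")
    return (MAINNET_MAGIC + cmd.ljust(12, b"\x00")
            + struct.pack("<I", len(payload)) + checksum(payload) + payload)


def parse_message(buf):
    """Return (command, payload, remaining_bytes) if buf starts with a well-formed
    mainnet message, else None. Length and checksum are verified, so arbitrary
    data on port 8333 is not mistaken for Bitcoin traffic."""
    if len(buf) < HEADER_LEN or buf[:4] != MAINNET_MAGIC:
        return None
    cmd = buf[4:16].rstrip(b"\x00")
    if not cmd.isalpha():  # commands are short lower-case words; rejects interior NULs too
        return None
    (length,) = struct.unpack("<I", buf[16:20])
    payload = buf[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length or checksum(payload) != buf[20:24]:
        return None
    return cmd.decode("ascii"), payload, buf[HEADER_LEN + length:]


def encode_varstr(s):
    """var_str: var_int length followed by the bytes (short var_int form only, assumption: < 253 bytes)."""
    b = s.encode("ascii")
    if len(b) >= 0xFD:
        raise ValueError("varstr too long for this helper")
    return bytes([len(b)]) + b


def build_version_payload(proto_version, services, timestamp, nonce, user_agent, start_height):
    """'version' payload layout: int32 version, uint64 services, int64 timestamp,
    two 26-byte net addresses (services, 16-byte IP, big-endian port), uint64
    nonce, var_str user agent, int32 start height."""
    net_addr = struct.pack("<Q", services) + bytes(16) + struct.pack(">H", 8333)
    return (struct.pack("<iQq", proto_version, services, timestamp)
            + net_addr + net_addr + struct.pack("<Q", nonce)
            + encode_varstr(user_agent) + struct.pack("<i", start_height))


def parse_version_payload(payload):
    """Extract the fields a defender cares about from a 'version' payload."""
    proto_version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    offset = 20 + 26 + 26 + 8  # skip both net addresses and the nonce
    ua_len = payload[offset]
    if ua_len >= 0xFD:
        raise ValueError("long var_int not supported in this helper")
    user_agent = payload[offset + 1:offset + 1 + ua_len].decode("ascii")
    (start_height,) = struct.unpack_from("<i", payload, offset + 1 + ua_len)
    return {"version": proto_version, "services": services, "timestamp": timestamp,
            "user_agent": user_agent, "start_height": start_height}


def commands_in_stream(buf):
    """Walk a captured TCP stream and list the Bitcoin commands found in it."""
    seen = []
    while True:
        parsed = parse_message(buf)
        if parsed is None:
            return seen
        cmd, _payload, buf = parsed
        seen.append(cmd)


if __name__ == "__main__":
    # Constructed client handshake (placeholder values).
    version_payload = build_version_payload(
        31900, 1, 1315000000, 0x1122334455667788, "/Satoshi:0.3.24/", 143000)
    stream = build_message("version", version_payload) + build_message("verack", b"")
    print(commands_in_stream(stream))  # ['version', 'verack']
    _cmd, payload, _rest = parse_message(stream)
    print(parse_version_payload(payload))
```

Because the magic and checksum are fixed by the protocol, the same check works regardless of the port a miner or bot was told to use; matching on port 8333 alone misses anything that was moved.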
Perfect extortion weapon
Just about when I was finishing this diary (which will probably be only the first in a series about Bitcoin), we received a very interesting e-mail from one of our readers, who wanted to remain anonymous.
He received an e-mail from an attacker asking him to pay 100 Bitcoin to a certain address or his site would be the target of a DDoS attack. We've seen such extortion e-mails many times in the past (as always: do not pay), but using Bitcoin is a new twist.
As I wrote above, while Bitcoin is not 100% anonymous, it can come very close, and depending on how careful the attacker is, it can be very difficult to trace the transaction.
As Bitcoin is gaining more attention it will be interesting to see what future will bring. Rest assured that we will keep an eye on it.
--

Bojan

INFIGO IS
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
I've been following the DigiNotar story as it evolved for a few days now with growing concern and increasing alarm.
I am by no means privy to the inside information needed to really assess and audit the situation, so this is purely based on what is publicly known. Being a Dutch native speaker I have access to what the press in the Netherlands writes about it, with the subtle nuances that an automated translation will not capture. I do lack the resources to independently verify everything, and as such some errors might still be in it; consider this a best effort at creating an overview and drawing conclusions from the limited information that is available.
If we do attract the attention of DigiNotar and/or Vasco: please do contact us, we'd love to talk to you and get more information!
So who is DigiNotar and what do they do when all is normal?
DigiNotar is a CA. They sell SSL certificates, including the EV kind.
But there is more, mostly of interest to those in the EU or the Netherlands only:
They are also (I'm simplifying a bit, I know) an accredited provider in the EU, providing qualified certificates and approved SSCDs that customers use to create digital signatures which, by law, are automatically considered qualified digital signatures in the EU and as such are equivalent to handwritten signatures. This status forces regular third-party audits against the relevant Dutch law and standards such as ETSI TS 101 456.
They also provide certificate services under the PKIOverheid umbrella in the Netherlands. This has even more and stricter rules: things that are suggested in the ETSI standards but not mandatory can become mandatory for PKIOverheid.
DigiNotar has been a wholly owned subsidiary of Vasco since Jan 2011, so if you see Vasco doing things like press releases regarding the incident, that's why.
So what do we know, in chronological order?

Dating back as far as May 2009, DigiNotar's portal had been defaced; these hacks remained in place until this week, when F-Secure exposed them in their blog.

Source: f-secure blog


On July 10th 2011, 283 rogue certificates were signed

Source: spreadsheet released by torproject, and claimed to come from the Dutch government

This included one certificate issued by DigiNotar with a CN of *.google.com; this is so far the only certificate we have seen.

Source: pasted certificate


On July 18th 2011, another 124 rogue certificates were signed

Source: spreadsheet released by torproject, and claimed to come from the Dutch government
On July 19th 2011, 128 rogue certificates were revoked

Source: spreadsheet released by torproject, and claimed to come from the Dutch government
On July 20th 2011, another 124 rogue certificates were signed

Source: spreadsheet released by torproject, and claimed to come from the Dutch government
On July 20th 2011, 130 rogue certificates were revoked

Source: spreadsheet released by torproject, and claimed to come from the Dutch government
On July 27th 2011, 75 rogue certificates were revoked

Source: spreadsheet released by torproject, and claimed to come from the Dutch government
On an unknown date, an unknown external auditor did not catch the fraudulent certificate for *.google.com, nor any others that might have been missed as well. Nor did they catch the defaced pages.

The specialized press in the Netherlands seems to conclude the auditor was PwC, but there is not much solid proof of that to be found so far.

PwC was DigiNotar's certifying auditor for a lot of their PKI activities, as can be seen in the DigiNotar certification list.
On Aug 28th 2011 (some sources claim the 27th), a user from Iran posted on a forum that, using Chrome, he had been warned by his browser that the certificate was not to be trusted.

Source: Forum post

Chrome has had additional protection for Google sites (public key pinning, which is what triggered the warning) since Chromium 13.
On Aug 29th 2011, the *.google.com certificate was revoked by DigiNotar

This can be seen in the CRL at http://service.diginotar.nl/crl/public2025/latestCRL.crl [do not click on this URL in a browser; most browsers will try to import a CRL], see further below.
On Aug 29th 2011 the response from Google and the other browser makers came: basically the sh*t hit the fan, as the browser vendors are pulling the plug on DigiNotar and no longer trust their processes.

Google
Microsoft blog and advisory
Firefox


On Aug 30th 2011, issue 7791032 in Chromium was created. It blacklisted 247 serial numbers of certificates issued by DigiNotar and 2 more intermediate DigiNotar certificates. The serial numbers are available in the patch.
On Aug 30th 2011, Vasco issued a press release reporting the incident.
On Aug 30th 2011, various claims by both Vasco and the Dutch government tried to stress that the activities of DigiNotar under the PKIOverheid root were not affected. Some arguments used in the press, such as that the root certificate of PKIOverheid is not at DigiNotar (they hold an intermediate), are obvious and irrelevant.
On Aug 30th 2011, DigiNotar released information for users of DigiNotar certificates [in Dutch]. This includes a very painful statement (my translation): "Users of SSL certificates can, depending on the browser vendor, be confronted with a statement that the certificate is not trusted. This is in 99.9% of the cases incorrect; the certificate can be trusted." I've got nothing positive to say about that.

They also offer a free upgrade to the PKIOverheid realm for those holding an SSL or EV SSL certificate.


On Aug 31st 2011, Jan Valcke, Operational Director at Vasco, in an interview with webwereld [in Dutch] claimed that dozens of fake certificates were issued by intruders and that most were revoked on July 19th (minus the *.google.com one and others that might have been missed).


On Aug 31st 2011, it was confirmed that security company Fox-IT is performing a forensic audit of DigiNotar's systems. Results are expected next week at the earliest.

Source: webwereld article [in Dutch]
On Sept 3rd 2011, a press release by the Dutch government [in Dutch] showed that after a crisis meeting the Dutch government withdrew the trust it had maintained in DigiNotar, as the audit by Fox-IT cannot rule out that rogue PKIOverheid certificates were issued. They are taking the following measures:

They will switch to other providers in the short term
They chose a controlled transition in which they take over the operational management of all DigiNotar certificates
By taking over the operational management they hope to monitor for abuse during the transition. They will invite security specialists to complete the transition as soon as possible.

DigiNotar is reported to be cooperating with the Dutch government's takeover of the operational management and the transition to other providers.

Vasco also issued a very short press release on the cooperation. It's dated Sept 2nd (likely due to time zones).
On Sept 4th 2011, the torproject published a spreadsheet (excel and csv) claimed to come from the Dutch government that finally gives an overview of what known rogue certificates had been signed.

Analysis of the spreadsheet published by the torproject
The following CAs were affected and issued rogue certificates:

DigiNotar Cyber CA
DigiNotar Extended Validation CA
DigiNotar Public CA - G2
DigiNotar Public CA2025
Koninklijke Notariele Beroepsorganisatie CA
Stichting TTP Infos CA

Revocations:

128 revocations on July 19th
130 revocations on July 20th
75 revocations on July 27th
1 revocation on August 29th
198 with a revocation status of unknown

The CN list (some had multiple certificates):

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawthe.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
GlobalSign Root CA
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
Thawte Root CA
twitter.com
Verisign Root CA
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

This spreadsheet shows revocation of 205 certificates between July 19th and the time of the interview with Jan Valcke, Operational Director at Vasco, in which he claimed DigiNotar had revoked, on the 19th, all but the *.google.com one that was later found in the wild.
Analysis of the Public 2025 CRL
DigiNotar claims all breaches were under the Public 2025 Root (ref, in Dutch). What "root" means there is somewhat unclear to the technically inclined mind, and "Public 2025" just seems to be some sort of internal name. Let's assume they meant that the fraudulent certificates were all signed by the same intermediate.
The CRL indicated in the fraudulent *.google.com certificate does indeed point in the same public 2025 direction, so let's get that CRL:

$ wget http://service.diginotar.nl/crl/public2025/latestCRL.crl

Let's make this file human readable:

$ openssl crl -text -noout -inform DER -in latestCRL.crl > /tmp/t

And let's verify that the serial number of the fake *.google.com certificate we found on pastebin is indeed in there:

$ grep -i 05e2e6a4cd09ea54d665b075fe22a256 /tmp/t
Serial Number: 05E2E6A4CD09EA54D665B075FE22A256

So yes, it's revoked. Let's get the other relevant lines (which means first figuring out how many there are, but I'll skip the boring part).

$ grep -i -A4 05e2e6a4cd09ea54d665b075fe22a256 /tmp/t
Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
Revocation Date: Aug 29 16:59:03 2011 GMT
CRL entry extensions:
Invalidity Date:
Aug 29 16:58:47 2011 GMT

So that checks out nicely. [One should of course check that all signatures are valid everywhere]
Unfortunately one can only see the serial numbers of the revoked certificates, not juicier fields like the CN that would allow one to see what other (fake) certificates were revoked, and when.
But since we have the revocation date, maybe we can see the peak where they revoked the fraudulent certificates. I know the nature of revocation and any other work in a CA/RA can be highly cyclic with huge peaks in it, and I know not to worry about any revocation as such: users losing control over a certificate happens all the time.
So let's see revocation activity in July 2011 split out per day:

$ grep 'Revocation Date:' /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' \
  | sed 's/GMT//' | sort -n | uniq -c | grep 'Jul .* 2011'
1 Jul 1 2011
3 Jul 4 2011
3 Jul 5 2011
6 Jul 6 2011
6 Jul 7 2011
1 Jul 8 2011
2 Jul 11 2011
6 Jul 14 2011
1 Jul 15 2011
1 Jul 18 2011
2 Jul 19 2011
1 Jul 20 2011
1 Jul 21 2011
3 Jul 22 2011
3 Jul 26 2011
7 Jul 28 2011
5 Jul 29 2011

Hmm, where are the dozens on July 19th?
Since the *.google.com one was created on July 10th, there are no dozens either before or shortly after the 19th.
They might have been added to another CRL; hard to say, as DigiNotar does not allow directory listing and doesn't have an easy-to-find list of the CRLs they publish either.
Still, even if we look at the normal workload in 2011:

$ grep 'Revocation Date:' /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' \
  | sed 's/GMT//' | grep 2011 | sed 's/ .. 2011//' | sort -n | uniq -c
93 Apr
34 Aug
112 Feb
144 Jan
52 Jul
18 Jun
118 Mar
118 May

We see that the June, July and August months are very light on revocations. [Note that August was not yet complete in GMT time when I downloaded the CRL file.]
I know my sed and grep commands could be optimized to save a few CPU cycles, but this isn't a Unix lesson.
I'd love to see the dozens of revocations around July 19th in a DigiNotar CRL, but I simply cannot find them.
[For a time we showed here that a number of SNs we had found (246 to be exact) were not included in this CRL.]
It's now clear that by far not all fraudulent certificates were revoked in this CRL, as the initial information from DigiNotar that everything was under the Public 2025 CA is simply shown to be untrue. Still, it should be carefully examined whether all of the known bad certificates were indeed revoked, and when that was done.
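A small helper, added here and not part of the original diary, that does what the grep/sed pipeline above does but also answers the question the diary keeps coming back to: given a list of serial numbers (e.g. the ones Chromium blacklisted), which of them appear in a CRL and which do not? It parses the text output of openssl crl -text -noout, indexes the entries by serial number (compared as integers, so case, colons and leading zeros do not matter), and counts revocations per day. The CRL excerpt embedded below is constructed for the example; only the first serial number and its revocation date are the real ones quoted above, the issuer and the other entries are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt in the layout `openssl crl -text -noout` prints. The first
# entry reproduces the *.google.com serial and date quoted in the diary; the
# issuer and the remaining entries are made up to exercise the code.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=Constructed Test CA
        Last Update: Aug 30 08:00:00 2011 GMT
        Next Update: Aug 31 08:00:00 2011 GMT
Revoked Certificates:
    Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
        Revocation Date: Aug 29 16:59:03 2011 GMT
        CRL entry extensions:
            Invalidity Date:
                Aug 29 16:58:47 2011 GMT
    Serial Number: 0A0B0C0D0E0F1011
        Revocation Date: Jul 19 09:12:44 2011 GMT
    Serial Number: 0A0B0C0D0E0F1012
        Revocation Date: Jul 19 09:12:45 2011 GMT
    Serial Number: 00FF
        Revocation Date: Jul  1 10:00:00 2011 GMT
"""

# One revoked entry: the serial line followed by its revocation date line.
# OpenSSL pads single-digit days with a space ("Jul  1"), hence the \s+.
ENTRY_RE = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f]+)\s*\n\s*Revocation Date:\s*"
    r"([A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")


def normalize_serial(serial):
    """Serials turn up as upper/lower case hex with or without leading zeros or
    colons; comparing them as integers sidesteps all of that."""
    return int(serial.replace(":", ""), 16)


def parse_crl_text(text):
    """Map serial number (int) -> revocation datetime for every revoked entry."""
    entries = {}
    for serial, when in ENTRY_RE.findall(text):
        entries[normalize_serial(serial)] = datetime.strptime(when, "%b %d %H:%M:%S %Y")
    return entries


def check_serials(entries, serials):
    """Split a list of serials into those present in the CRL and those missing."""
    found, missing = [], []
    for s in serials:
        (found if normalize_serial(s) in entries else missing).append(s)
    return found, missing


def revocations_per_day(entries, year=None, month=None):
    """Count revocations per calendar day (ISO date strings), optionally
    restricted to one year or month, mirroring the sort | uniq -c pipeline."""
    days = Counter()
    for when in entries.values():
        if (year is None or when.year == year) and (month is None or when.month == month):
            days[when.date().isoformat()] += 1
    return dict(sorted(days.items()))


if __name__ == "__main__":
    entries = parse_crl_text(SAMPLE_CRL_TEXT)
    wanted = ["05e2e6a4cd09ea54d665b075fe22a256", "0A:0B:0C:0D:0E:0F:10:11", "DEADBEEF"]
    found, missing = check_serials(entries, wanted)
    print("revoked in this CRL:", found)
    print("NOT in this CRL:", missing)
    for day, n in revocations_per_day(entries, 2011, 7).items():
        print(f"{n:4d} {day}")
```

Run it over the real /tmp/t from the commands above by replacing SAMPLE_CRL_TEXT with the file's contents; a serial that ends up in the missing list is either not revoked or revoked in a CRL published elsewhere, and only the CA can tell you which.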
So what's the known impact right now?

If you're a general Internet user: you're unlikely to see much impact, maybe you'll run into a website with a DigiNotar certificate somewhere that will now warn the certificate is not trusted anymore.

Keep your browser up to date!

The longer term impact will still have to manifest itself, and for sure breaches such as these will prompt thinking of other solutions.

If the add-ons of Mozilla were indeed attacked using a MitM approach, the impact might be more widespread, but that is becoming somewhat less likely.

If you really need to access a website that uses a DigiNotar SSL certificate your browser no longer trusts, I'd encourage you not to ignore the browser's warning, and certainly not to add the yanked DigiNotar root certificate back in. Instead, the safe procedure is to examine the certificate and contact the website operator out of band (e.g. by phone). Have them tell you the fingerprint of their certificate, verify it against what you see, and only then accept the certificate. If you want to be sure you're talking to the right website, you need to perform the work the third party used to do for you, not blindly click OK.
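To make the out-of-band check concrete, here is an added example (mine, not the diary's) of the comparison step. Given the PEM certificate you see in the browser (or fetched with openssl s_client -connect host:443 -servername host -showcerts), it computes the fingerprint the way openssl x509 -noout -fingerprint -sha256 does, i.e. SHA-256 over the DER bytes, and compares it to the value the operator read out over the phone, tolerating the colons, spaces and case differences that creep in when a fingerprint is dictated. The PEM block below wraps constructed placeholder bytes, not a real certificate; the code works unchanged on a real one.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a server certificate: a PEM wrapper around
# placeholder bytes. A real PEM from `openssl s_client -showcerts` has the same
# shape, so the functions below work on it unchanged.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed placeholder DER bytes, not an X.509 certificate").decode()
              + "-----END CERTIFICATE-----\n")


def der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der, algorithm="sha256"):
    """Fingerprint formatted as OpenSSL prints it: upper-case hex, colon-separated."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce a fingerprint as displayed or dictated ('SHA256 Fingerprint=AB:cd ef ...')
    to bare lower-case hex so that formatting differences do not matter."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(seen_in_browser, told_out_of_band):
    """True only if both values are a complete SHA-1 (40 hex) or SHA-256 (64 hex)
    fingerprint and are identical; a partial or prefix match is deliberately not enough."""
    a, b = normalize(seen_in_browser), normalize(told_out_of_band)
    return len(a) in (40, 64) and hmac.compare_digest(a, b)


if __name__ == "__main__":
    der = der_from_pem(SAMPLE_PEM)
    shown = fingerprint(der)
    print("SHA256 Fingerprint=" + shown)
    # The operator reads the same value in a different format over the phone.
    dictated = "sha256 fingerprint=" + shown.replace(":", " ").lower()
    print("match:", fingerprints_match(shown, dictated))
    wrong = dictated[:-1] + ("0" if dictated[-1] != "0" else "1")
    print("match with one digit wrong:", fingerprints_match(shown, wrong))
```

Compare the whole fingerprint, not the first few groups; an attacker who controls a CA can mint a certificate freely, and a few matching leading bytes are cheap to search for.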
If you're a user in Iran, and had something to hide from your government, odds are you're in trouble with your government.
Tor users: the torproject confirms the Tor network itself does not rely on SSL certificates. Downloading their client should be done with great care, but the fraudulent certificates that DigiNotar informed them about have by now all expired on their own; revocation can't be confirmed yet.
You're a customer of DigiNotar: DigiNotar lost the trust of the browser makers and the Dutch government; how permanent that is is too soon to say, but it's a huge, unprecedented dent.

Your best option is to seek another provider, if you have not done so already.
If you're a CA or RA, this is yet another big wake-up call. If you're a third-party auditor of one, it's the exact same thing. CAs are now a target. Trying to keep breaches such as these secret has hopefully been proven to be a disastrous recipe.

What is the biggest thing we all lack to better see what impact there is/was?

Full list of fraudulent certificates (CN, SN fields at the very least)

After the publication of the list on Sept 4th we're getting there slowly, but there are still a lot of certificates with an SN of unknown.
Clarity on when each certificate was created and when it was revoked

After the publication of the list on Sept 4th, we're getting there slowly, but there are still a lot of certificates with a status of revocation as unknown.
In order to keep trust in other CAs/RAs that were audited by the same auditor that missed the fraudulent *.google.com certificate as well as the defaced pages on the portal, it becomes critical for the auditor in question to speak up and reassure the world this will not repeat itself. This is not intended to publicly humiliate the auditor, but much more a matter of getting confidence back into the system. So a compromise in which an unnamed auditor working for well-known audit company X is no longer an auditor due to this incident is maybe a good start. Add in some measures and guarantees to prevent it from happening again.
Clarity about what the hackers affected; a full report would be really nice to read. Special attention should be given to explaining how it is certain that PKIOverheid, the qualified certificates etc. are not affected, and how the privacy of other customers was affected. Similarly, the defacements should be covered in detail, as well as how they could be missed for so long.

Obviously it's unlikely we'll get all those details publicly, but the more we get the easier it will be to keep the trust in the SSL system in general.
Trust
A CA has the function of a trusted third party. Their business at the core is based on getting and keeping that trust.

Getting hacked, being reluctant to report the hack, being slow to detect the hack, being slow to respond to the hack, not being willing or able to provide clarity about the impact of the hack... all are tremendously damaging to that trust.
Getting caught spreading incorrect or incomplete information about the hack is, however, of a whole other magnitude in losing trust. Compare, e.g., this:

A press release on Aug 30th by DigiNotar containing the following statement, originally in Dutch, in my (somewhat free) translation: "It is apparent that from one subroot (the so-called Public 2025 Root) certificates for a number of domains have unrightfully been put in circulation. From the investigation it is apparent that this is limited to SSL certificates and EV SSL certificates issued under this specific subroot. Other roots have been unaffected, such as the root from which the PKIOverheid certificates are issued and the subroot from which the qualified DigiNotar certificates are issued. DigiNotar immediately revoked all compromised certificates revealed by the investigation, making them unusable." It then goes on to cover the missed *.google.com one.

to the analysis of the Sept 4th spreadsheet reportedly from the Dutch government, which lists:

6 CAs that issued rogue certificates, including the DigiNotar Public CA 2025 one.
That the revocations happened on July 19th, 20th and 27th, and that almost 200 still have an unknown revocation status. [The rogue certificates were issued on July 10th, 18th and 20th.]

With the browser vendors and the Dutch government cancelling their trust in DigiNotar and said government taking over the operational management till it can transition, the fate of DigiNotar seems sealed.
Glossary

CA: Certificate Authority
CN: Common Name; in the case of an SSL certificate for a web server this contains the name of the website, which can also be a wildcard.
CRL: Certificate Revocation List, a machine-readable list of revoked certificates, typically published over HTTP. Contains the serial numbers (SN) of the revoked certificates along with some minimal supporting data.
dozens: used in my text above as a somewhat free translation of the Dutch tientallen, literally "multiple tens".
ETSI TS 101 456: A technical specification on policy requirements for certification authorities issuing qualified certificates used as a norm in audits of said providers.

Can be freely downloaded from ETSI: version 1.4.3.
EV: Extended Validation: essentially the same SSL certificate, but issued under a stricter set of rules (in particular on vetting the identity of the requester). Most browsers render something like the URL in the address bar in green when they see such a certificate.
PKIOverheid: a PKI system run under very strict requirements by and for the Dutch Government. There are 7 providers recognized to deliver certificates under a root certificate held by the Dutch government. This PKI not only issues certificates to (web) servers, but also to companies and individuals to do client authentication against government websites as well as provide means to create qualified digital signatures.
RA: Registration Authority
SN: Serial Number
SSCD: Secure Signature Creation Device. Mostly a smart card or USB token that holds the key pairs used for signing and protects the private keys.

Update History

version 1: initial release
version 2: updated with more information from the torproject, thanks for the pointer Gary!
version 3: update to include the DigiNotar press release of Aug 30th.
version 4: update to add information from the chromium source code
version 5: update after checking the SNs found in the chromium source code if they appear in the known CRL
version 6: update with information of the Dutch government as published by the torproject
version 7: update with information that the Dutch government is stopping their trust in Diginotar and moving away from them
version 8: some clean up and additions

--

Swa Frantzen -- Section 66
 
Oracle has officially released Java 7, including some security updates and several new features and enhancements. Thanks to ISC reader Alex for notifying us about it.
The new Java 7 version coexists with the latest Java 6 Update 27 version and is available for download from the Oracle web site, http://www.oracle.com/technetwork/java/index.html, and still uses different installers for the 32- and 64-bit versions on all operating systems (Linux, Solaris, Windows).
As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including support for TLS 1.1 and 1.2. As for the two versions coexisting, I guess this is the intended behavior, as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain, so if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past, but then within the same major release) and do not leave vulnerable Java 6 releases around.
Considering Java is one of the most targeted pieces of client software today, be ready for future updates to both Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them.
UPDATE 1: Let's clarify this diary post's title a little bit based on txISO's comment (thanks!). If you consider Java to be officially released only when it is available at java.com, then Java 7 has not been officially released yet (see the quote in the 3rd comment below). However, if you consider that Java 7 is available out there, not only in its JDK version (what I consider the version for developers) but also as the JRE (Java Runtime Environment), then IMHO it has been released, although only at oracle.com. Besides that, if you are old Java school and go to the old java.sun.com, you will be redirected to the oracle.com page where Java 7 is available to the public. For our ISC audience, officially or not, get ready for Java 7 as soon as possible: it is out there :)
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com
 
3rd Update: Update with more details of the incident from The Register itself: http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ (thanks Alex)
2nd Update: The root problem appears to be mitigated now. However, many DNS servers now have bad results cached. Please flush the cache of your recursive DNS servers (e.g. rndc flush on BIND), otherwise the rogue NS and A records will keep being served until their TTL expires.
Host names and IP addresses to watch:
ns1.yumurtakabugu.com. or 68.68.21.195
ns2.yumurtakabugu.com. or 68.68.21.196
ns3.yumurtakabugu.com. or 68.68.21.197
ns4.yumurtakabugu.com. or 68.68.21.198

IP address used as A record for the affected domains: 68.68.20.116
IP addresses in particular may change at any time. Please keep watching them and remove them from blacklists as appropriate.
---
There have been several widespread defacements reported to us today. It appears their DNS name server entries all point to the same place, as seen below:
ups.com. 85621 IN NS ns1.yumurtakabugu.com.
ups.com. 85621 IN NS ns2.yumurtakabugu.com.
ups.com. 85621 IN NS ns4.yumurtakabugu.com.
ups.com. 85621 IN NS ns3.yumurtakabugu.com.


Here are a few examples of the sites so far:
ups.com
theregister.co.uk
acer.com
telegraph.co.uk
betfair.com
vodafone.com
nationalgeographic.com
The one commonality is that they all appear to be registered via ascio.com, which suggests the NS records were changed at the registrar rather than at each site individually.
More details as we learn more.
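An added helper (example code for this diary, not a tool we distribute) that checks a batch of DNS answers against the watch list above: it parses zone-file style records as dig prints them, and flags any name delegated to one of the rogue name servers or resolving to one of the listed addresses. The answers embedded below are constructed to mirror the records quoted above (the example.net lines are made up for contrast); in practice you would feed it the output of dig +noall +answer NS <domain> (and A) for the domains you care about, or a cache dump from your resolver (rndc dumpdb -cache on BIND).

```python
import re
from collections import defaultdict

# Watch list from the diary: the rogue name servers and the addresses they hand
# out. IP addresses may change, so treat these as data to be updated, not as fixed.
WATCH_NS = {f"ns{i}.yumurtakabugu.com." for i in range(1, 5)}
WATCH_IPS = {"68.68.21.195", "68.68.21.196", "68.68.21.197", "68.68.21.198", "68.68.20.116"}

# Constructed answers in the layout `dig +noall +answer` prints, modelled on the
# records quoted in the diary; the example.net records are made up for contrast.
SAMPLE_ANSWERS = """\
ups.com.            85621   IN  NS  ns1.yumurtakabugu.com.
ups.com.            85621   IN  NS  ns2.yumurtakabugu.com.
ups.com.            85621   IN  NS  ns4.yumurtakabugu.com.
ups.com.            85621   IN  NS  ns3.yumurtakabugu.com.
www.ups.com.        300     IN  A   68.68.20.116
example.net.        172800  IN  NS  a.iana-servers.net.
example.net.        172800  IN  NS  b.iana-servers.net.
www.example.net.    300     IN  A   192.0.2.10
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)\s*$")


def canonical(name):
    """DNS names are case-insensitive; compare them lower-cased and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_records(text):
    """Yield (owner, ttl, type, rdata) for NS and A records; other lines are ignored."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            yield canonical(owner), int(ttl), rtype, (canonical(rdata) if rtype == "NS" else rdata)


def find_hijacked(records, watch_ns=WATCH_NS, watch_ips=WATCH_IPS):
    """Return {owner: [reasons]} for every name whose delegation or address hits
    the watch list. A delegation is flagged if any single NS matches: the
    attacker needs only one of the servers a resolver may pick to serve poison."""
    watch_ns = {canonical(n) for n in watch_ns}
    hits = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "NS" and rdata in watch_ns:
            hits[owner].append(f"delegated to {rdata}")
        elif rtype == "A" and rdata in watch_ips:
            hits[owner].append(f"resolves to {rdata}")
    return dict(hits)


if __name__ == "__main__":
    for owner, reasons in find_hijacked(parse_records(SAMPLE_ANSWERS)).items():
        print(owner, "->", "; ".join(reasons))
```

Note the TTL of 85621 seconds on the rogue NS records: a resolver that cached them before the registrar fixed the delegation will keep handing them out for almost a day unless its cache is flushed, which is why the update above asks for exactly that.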

UPDATE: This IP is hosted by BlueMile. We have contacted them and they are aware of the situation and working on it.
 
Microsoft released an advisory [1] earlier today announcing that they will place a number of DigiNotar root certificates on the not trusted list.
A blog article further explains how certificate stores can be manipulated manually [2].
One important difference between this most recent advisory and an earlier advisory [3] is that Windows Mobile 6.x/7/7.5 is no longer listed as affected. The earlier advisory stated that Windows Mobile 6.x and 7 are affected. It didn't mention Windows Mobile 7.5. (thanks to a reader for pointing this out)

[1] http://www.microsoft.com/technet/security/advisory/2607712.mspx

[2] http://blogs.technet.com/b/srd/archive/2011/09/04/protecting-yourself-from-attacks-that-leverage-fraudulent-diginotar-digital-certificates.aspx

[3] http://technet.microsoft.com/en-us/security/advisory/2524375
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice, addressed to their house of representatives. The letter has as an attachment an interim report by the CEO of security company Fox-IT, who has been heading an audit at DigiNotar.
The report itself is well worth a read [in English].
For those on limited time, some of the most interesting news and observations:

The defaced pages dating back to 2009 found by F-Secure appear to have been copied during a re-installation of the web server in August.
The OCSP server's mode of operation at DigiNotar has been reversed since Sept 1st. Normally these servers respond with "good" for all certificates except those on the CRL (a blacklist). The OCSP now operates in whitelist mode: it will report all unknown certificates signed by DigiNotar as revoked (a whitelist).

Hence we need to make sure to use the OCSP server to validate DigiNotar certificates (should we want or need to) and not rely on the published CRLs anymore.
DigiNotar operates multiple CA servers; all of them seem to have been compromised by the hackers, who had Administrator-level access, including those used for Qualified certificates and PKIOverheid certificates.
Some of the CA servers have had parts of their logs deleted, leading to DigiNotar not knowing what certificates were issued.
Hacker tools including Cain & Abel, as well as specialized dedicated scripts (written in a language specific to the PKI environment), were found. Intentional fingerprints left in one of the scripts link it back to the Comodo breach.
There is a list of 6 CAs that have been found to have issued rogue certificates.
There is an incomplete list of 24 additional CAs that have had their security compromised but have not been shown to have issued rogue certificates.
The rogue certificate for *.google.com detected in the wild was verified against the DigiNotar OCSP service from August 4th until it was revoked on August 29th. 300,000 different IP addresses verified that certificate. More than 99% of those addresses trace back to Iran.

The report notes that those who had their connections to Gmail intercepted could have exposed their authentication cookies, which would expose their email itself and, through that, also allow access to the password-reset functionality of other services such as Facebook. It is recommended that those in Iran log out and change passwords.
2 certificates were found on the PKIOverheid and Qualified environments that cannot be related to a valid certificate. Yet the logs appear to be intact and do not show rogue certificates being created.
There is a list of basic security best practices that have clearly not worked, were implemented badly, or were omitted. Yet the servers are housed in a TEMPEST-protected room.
The hackers possibly breached the systems as early as June 6th; this was detected by DigiNotar on June 19th. The rogue certificates were created in July, and the *.google.com certificate that was later detected in the wild was first presented to the OCSP server on July 27th. Yet it took until DigiNotar was notified by govCERT.nl before they revoked the certificate.

The letter [in Dutch] summarizes the report itself, and contains some additional information not in the report that is of interest:

There is now an inquiry into DigiNotar for possible responsibility and negligence.
The search for the hackers continues.
DigiNotar filed an official report of the incident on September 5th.
They suggest leniency and agreements for those cases where the revocation of trust in DigiNotar leads to problems, such as with the timely filing of tax information in the Netherlands.

--

Swa Frantzen -- Section 66
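The diary above explains why DigiNotar's OCSP responder was switched from its normal CRL-driven (blacklist) behaviour to whitelist mode, and why the published CRLs can no longer be relied on once parts of the CA logs were deleted. The following is an added example, not DigiNotar's or Fox-IT's software, that models both responder policies side by side; the serial numbers, the surviving "issuance log" and the CRL are constructed.

```python
"""Blacklist (CRL-driven) versus whitelist OCSP responder, as described in the
Fox-IT interim report summarised above.

Added example, not DigiNotar's or Fox-IT's software. The serial numbers, the
issuance log and the CRL are constructed to show why a CRL cannot be trusted
once a CA's own records no longer cover everything that was signed.
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


def blacklist_responder(serial, crl):
    """Normal OCSP behaviour: 'good' for everything that is not on the CRL."""
    return Status.REVOKED if serial in crl else Status.GOOD


def whitelist_responder(serial, issuance_log, crl):
    """The mode DigiNotar switched to on Sept 1st: only serials that the CA's
    own records show as legitimately issued, and that are not on the CRL, are
    answered 'good'; anything unknown is answered 'revoked'."""
    if serial in crl or serial not in issuance_log:
        return Status.REVOKED
    return Status.GOOD


def compare(serial, issuance_log, crl):
    """Status of one serial under both policies, as (blacklist, whitelist)."""
    return (
        blacklist_responder(serial, crl).value,
        whitelist_responder(serial, issuance_log, crl).value,
    )


# Constructed data: what the CA's surviving log shows as issued, and its CRL.
ISSUANCE_LOG = {"0x1001", "0x1002"}
CRL = {"0x1002"}
# A certificate minted by the intruder after part of the log was deleted: the
# CA has no record of it, so it can never be placed on the CRL by the CA itself.
ROGUE_SERIAL = "0xbeef"


def demo():
    """The three cases that matter; returns {case: (blacklist, whitelist)}."""
    return {
        "legitimate": compare("0x1001", ISSUANCE_LOG, CRL),
        "revoked": compare("0x1002", ISSUANCE_LOG, CRL),
        "rogue_unlogged": compare(ROGUE_SERIAL, ISSUANCE_LOG, CRL),
    }


if __name__ == "__main__":
    for case, (blacklist, whitelist) in demo().items():
        print(f"{case:15s} CRL/blacklist={blacklist:8s} whitelist={whitelist}")
```

The unlogged rogue serial is the important row: the CRL-driven responder answers "good" because the CA never knew the certificate existed, while the whitelist responder answers "revoked" for exactly that reason. The same logic also shows the cost of whitelist mode, which the report's reader should keep in mind: a legitimately issued certificate whose log entry was among those deleted is also answered "revoked", so the switch trades availability for safety.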
 
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu SEC 503 coming to Ottawa Sep 2011
 
Carol Bartz has been replaced as the CEO of Yahoo by the company's chief financial officer, Tim Morse, according to a report Tuesday on the Wall Street Journal's All Things D blog.
 
 
Digital certificates issued by GlobalSign have come under scrutiny after a hacker's claim that he broke into the company's computer systems. If true, it would be the second such compromise in the past few weeks.
 
 

Fair punishment for data breaches?
SC Magazine Australia
Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats. “They don't train their staff properly. They don't supervise their staff properly. They don't have adequate firewalls,” he suggested. ...

 
Taiwanese smartphone maker HTC has been on a buying spree to reshape its business and help defend against lawsuits, though it remains to be seen if the strategy will help it gain ground on rivals such as Apple, Samsung and Research In Motion.
 
Google will address concerns the Korean Fair Trade Commission may have about its Android mobile platform, a company spokeswoman said Tuesday after reports emerged that South Korean government officials had raided Google offices there.
 

Guy Fawkes Night cyber attack against Facebook?
Daily News Engine
Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria. " Facebook officials could not be found in order to comment on the video or the alleged future attack. The video was also shared ...
Hacker group Anonymous threatens to destroy world's largest social networking ... The Huntsville Times - al.com

 
Oracle has updated the commercial edition of its MySQL database for Windows, adding a graphical installer and the ability to do failover clustering, the company announced Tuesday.
 
Rice University researchers today announced they have successfully demonstrated full-duplex wireless technology that would allow a doubling of network traffic without the need for more cell towers.
 
A customer of ERP (enterprise-resource-planning) vendor Infor has filed suit in hopes of warding off the company's demand for roughly $400,000 in additional license fees, which it calls an "absurdity."
 
Google+ is trying to help users expand their Circles by offering them a new Suggested User list, but some some users are taking exception to what they're calling an elitist system.
 
HP management has not been good to the company over the last few years. One would have to do a lot of searching to find a management team that has so thoroughly messed up in the court of public opinion.
 
[SECURITY] [DSA 2301-1] rails security update
 
[SECURITY] [DSA 2300-2] nss security update
 
[ MDVSA-2011:132 ] pidgin
 
Sprint isn't letting the Department of Justice have all the fun when it comes to filing suits against the proposed AT&T-T-Mobile merger.
 
Ruby on Rails 'strip_tags()' Non-Printable Character Cross Site Scripting Vulnerability
 
[SECURITY] [DSA 2298-2] apache2 regression fix
 
[Announcement] ClubHack Mag Issue 20- September 2011 Released
 
Multiple vulnerabilities in MantisBT
 
[ MDVSA-2011:131 ] libxml
 
 
Information and financial services giant Thomson Reuters has more than 55,000 employees spread over 100 countries.
 
Microsoft today updated Windows to permanently block all digital certificates issued by a Dutch company that was hacked months ago.
 
New features in Java 7 aim at bolstering security by switching off weaker encryption schemes.

 
Recovering from a massive, high-profile breach of its systems, Sony Corp. is looking to Philip Reitinger to lead its security initiatives.


 
Real Networks RealPlayer 'qcpfformat.dll' Remote Code Execution Vulnerability
 
[ MDVSA-2011:130 ] apache
 
t2'11 Challenge to be released 2011-09-10 10:00 EEST
 
Extended submission deadline for: The 6th International Conference for Internet Technology and Secured Transactions (ICITST-2011)!
 
Pranian Group e107 Cross Site Scripting Vulnerabilities
 
Cybercriminals are trying to trick Windows users into paying [euro]100 ($143) by claiming that they're running a counterfeit copy of the operating system, a security expert said today.
 
Hitachi today announced that is has achieved yet another milestone by squeezing 1TB capacity onto a single disk.
 
Gibbs delves into why a megabyte and a gigabyte are not good terms.
 
The National Security Agency has submitted new label-based data store software, called Accumulo, to the Apache Software Foundation, in hopes that other parties will further develop the technology for use in secure systems.
 
OpenVAS Scanner Symlink Attack Local Privilege Escalation Vulnerability
 
Abarkam (detail.php?input) Remote SQL injection Vulnerability
 
MaiNick (ricetta.php?id) Remote SQL injection Vulnerability
 
WSTAFF Remote SQL injection Vulnerability
 
BvCom (dettaglio.php?idnews) Remote SQL injection Vulnerability
 
Google is retiring Desktop, an application it launched in 2004 that is designed to let people search for files and data stored in their computers' hard drives.
 
[ MDVSA-2011:129 ] mozilla
 
ZDI-11-279: (0day) Witness Systems eQuality Unify Remote Code Execution Vulnerability
 
ZDI-11-278: Novell Cloud Manager Insufficient Framework User Validation Vulnerability
 
XSS Ebuddy (responsible disclosure)
 
WordPress KNR Author List Widget 'listItem' Parameter SQL Injection Vulnerability
 
Much of the conversation around IPv6 has been based on the fear of IPv4 address exhaustion and the impending collapse of the Internet if we don't migrate. If we don't comply, customers will be unable to reach our sites and we will simply disappear from the electronic world.
 
Open Text has purchased Operitel, maker of learning and portal software that is integrated with Microsoft SharePoint, the companies announced Tuesday. Terms of the deal were not disclosed.
 
The hacker responsible for a stunning attack on a Dutch company that issues security certificates for websites warned on Monday that he would "strike back again," after previously breaching another company earlier this year.
 
Manifattura Web (prodotto.php?id) Remote SQL injection Vulnerability
 
Loop (ricetta.php?id) Remote SQL injection Vulnerability
 
Virtualismi (prodotto.php?id) Cross Site Scripting Vulnerabilities
 
With Microsoft's big BUILD conference right around the corner on September 12, people are buzzing about the Windows 8 news that's sure to come, and for the last couple of weeks, Microsoft has been parceling out information. So far, the features we’ve seen look colorful, fast, flashy, and flexible—but how much of a difference will they make for small business users?
 
With telecommuters and outside contractors now serving vital roles in most small to midsize companies, it has become increasingly important to be able to meet face-to-face with people across the building, across town, or across the ocean without physically transporting ourselves around.
 
Perhaps you’ve never felt motivated to assemble your collected photographs into comic book form, with all the stylings you’d expect from a graphic novel. That may well be because you weren’t aware that many iPad apps exist with the single goal of making just such a thing possible.
 
Solid-state storage based on NAND flash can be a pricey option to install in a data center, but I/O hungry applications such as server and desktop virtualization are prompting IT managers to install them -- with the caveat that they must be strategically placed for the best, most cost-effective results.
 
No matter the size of your Windows desktop, you can get more out of it with the help of free and low-cost tools. Here's how.
 
Product launches at the IFA consumer electronics fair in Berlin are giving consumers an unprecedented choice of screen sizes. But analysts are questioning whether consumers can learn to love them all.
 
About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company.
 

Posted by InfoSec News on Sep 06

http://www.computing.co.uk/ctg/news/2105591/expert-uk-cyber-spooks-preoccupied-launching-attacks

By Stuart Sumner
Computing.co.uk
01 Sep 2011

A security expert has claimed that the UK is devoting most of its cyber
crime fighting efforts to cyber attack, leaving limited resources for
defence.

Speaking exclusively to Computing, Ross Anderson, professor of security
engineering at the Cambridge University computer laboratory, stated that
90...
 

Posted by InfoSec News on Sep 06

http://www.pcworld.com/businesscenter/article/239461/exemployee_wiped_financial_data_while_at_bikini_bar.html

By Robert McMillan
IDG News
Sep 2, 2011

At the Bikinis Sports Bar and Grill in Austin, Texas, you can get
burgers and beer served to you by cute waitresses wearing denim shorts
and bikini tops. And if you're David Palmer, a recently fired IT worker,
you can also break into a U.S. military contractor's computer systems
and...
 

Posted by InfoSec News on Sep 06

http://www.theregister.co.uk/2011/09/05/cyber_crime_the_cutting_edge_of_future_threats/

By Brid-Aine Parnell
The Register
5th September 2011

Cyberattacks are the top threat to future national security, according
to the former head of the US Department of Homeland Security (DHS)
Michael Chertoff.

It's well known that Chertoff, who is now the co-founder and managing
principal of private security consultancy the Chertoff Group, has a...
 

Posted by InfoSec News on Sep 06

http://www.eweek.com/c/a/Midmarket/Apple-iPhone-Prototype-Loss-Prompts-Security-Job-Listings-Report-723545/

By Nathan Eddy
eWEEK.com
2011-09-05

The rumor that an employee of computer maker Apple had lost a prototype
iPhone in a bar earlier this summer has drawn considerable attention
from the media, and while the report remains unconfirmed, Apple may be
taking steps to help ensure an incident does not occur again. The
company recently...
 

Posted by InfoSec News on Sep 06

http://www.computerworld.com/s/article/9219727/Hackers_steal_SSL_certificates_for_CIA_MI6_Mossad

By Gregg Keizer
Computerworld
September 4, 2011

The tally of digital certificates stolen from a Dutch company in July
has exploded to more than 500, including ones for intelligence services
like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer
said Sunday.

The confirmed count of fraudulently-issued SSL (secure socket...
 

Posted by InfoSec News on Sep 06

http://www.bloomberg.com/news/2011-08-31/to-defeat-terrorists-do-a-little-research-in-the-library-scott-helfstein.html

By Scott Helfstein
Bloomberg
Aug 30, 2011

The information glut that marks the 21st century is evidenced in some
unexpected places. Last month, my organization, the Combating Terrorism
Center at West Point, released a report that sharply disputed
conventional wisdom about terrorism along the Afghanistan-Pakistani
frontier....
 

Posted by InfoSec News on Sep 06

========================================================================

The Secunia Weekly Advisory Summary
2011-08-25 - 2011-09-01

This week: 44 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia...
 
Dell has partnered with China's largest search engine Baidu to launch a smartphone, in a move that could help both companies tap the country's growing mobile phone market.
 
Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch digital certificate authority DigiNotar, according to an interim report by security firm, Fox-IT, released on Monday.
 