Hackin9

You can play Flappy Bird on a POINT OF SALE TERMINAL
Register
Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and ...

 

Posted by InfoSec News on Apr 08

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

By Dan Goodin
Ars Technica
April 7, 2014

Researchers have discovered an extremely critical defect in the
cryptographic software library an estimated two-thirds of Web servers use
to identify themselves to end users and prevent the eavesdropping of
passwords, banking credentials, and other sensitive data.

The warning about the...
 

Posted by InfoSec News on Apr 08

http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html

By NICOLE PERLROTH
The New York Times
APRIL 7, 2014

SAN FRANCISCO -- They came in through the Chinese takeout menu.

Unable to breach the computer network at a big oil company, hackers
infected with malware the online menu of a Chinese restaurant that was
popular with employees. When the workers browsed the menu, they
inadvertently downloaded code that gave the...
 

Posted by InfoSec News on Apr 08

http://www.israelnationalnews.com/News/News.aspx/179376

By Shimon Cohen
Arutz Sheva
4/7/2014

The threatened #opisrael cyber-attack turned out to be a dud - but Israel
does not have enough manpower to ward off a major cyber-attack.

Dr. Michael Orlov, head of the cyber-engineering department of Shamoon
College Engineering in Be'er Sheva, explained the problem to Arutz Sheva
Monday.

As Orlov explained, the hacking projects against Israel...
 

InfoSec spending must evolve as front lines blur
iT News
It's time for organisations to rethink how they allocate security budgets, and to acknowledge that preventative measures are no longer effective enough to ward off attacks. Today, more resources tend to be required to combat attacks in-progress and ...

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A power problem caused a widespread outage on AT&T's U-verse broadband service Monday that some customers said affected both TV and Internet service.
 

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."


 

OpenSSL 1.0.1g has been released to fix a flaw that the OpenSSL advisory describes as follows: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1." [1] The flaw is known as the Heartbleed Bug [3].

/*** update by Johannes Ullrich ...: ***/

Ubuntu released a patch for affected versions:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html

---

The quickest way to figure out which version of OpenSSL you are using is:

openssl version -a

But note that some software may be statically compiled against OpenSSL, in which case it carries its own copy of the library and this command says nothing about it.

For a vulnerable system, this will return a version of 1.0.1f (or any 1.0.1 release other than 'g'). Also, the compiler line will not contain the flag -DOPENSSL_NO_HEARTBEATS.

For example, on a current OS X Mavericks system, you will get:

$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan  6 23:30:17 PST 2014
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: /usr/bin/clang -fPIC -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/opt/local/etc/openssl"
 
OS X is not listed in [3] as vulnerable, but it is assumed that the list published in [3] is incomplete. The following output comes from a CentOS system, and I used a custom compiled 1.0.1e RPM that had the -DOPENSSL_NO_HEARTBEATS option turned on.
 
# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr  7 21:56:27 EDT 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DOPENSSL_NO_HEARTBEATS -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic
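
As an added example (not part of the diary), the following POSIX shell function applies the rule above to saved "openssl version -a" output: a 1.0.1 build before 'g' without -DOPENSSL_NO_HEARTBEATS is reported vulnerable, a build with that flag is reported safe, and a pre-1.0.1 release is reported not affected. The sample outputs are cut down from the two shown in the diary; the handling of 1.0.2-beta1 follows the OpenSSL advisory [1], and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the ISC diary: classify "openssl version -a" output.
# Rule from the diary: a 1.0.1 build up to 1.0.1f is vulnerable unless the
# compiler line carries -DOPENSSL_NO_HEARTBEATS; 1.0.1g is patched; releases
# before 1.0.1 are not affected. 1.0.2-beta1 is listed as affected in the
# OpenSSL advisory (reference [1] in the diary).
# Caveat kept from the diary: programs statically linked against OpenSSL carry
# their own copy of the library and are not covered by this check.

# heartbleed_status "<output of: openssl version -a>"
# Prints one of: VULNERABLE PATCHED NOT_AFFECTED HEARTBEATS_DISABLED UNKNOWN
heartbleed_status() {
    out="$1"
    # Second field of the "OpenSSL x.y.z ..." line, e.g. 1.0.1f or 1.0.1e-fips
    ver=$(printf '%s\n' "$out" | awk '/^OpenSSL /{print $2; exit}')
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi
    # A build with the heartbeat extension compiled out is safe at any version
    case "$out" in
        *-DOPENSSL_NO_HEARTBEATS*) echo HEARTBEATS_DISABLED; return 0 ;;
    esac
    case "$ver" in
        1.0.1[g-z]*)  echo PATCHED ;;       # 1.0.1g and later letter releases
        1.0.1*)       echo VULNERABLE ;;    # 1.0.1, 1.0.1a-f, 1.0.1e-fips, ...
        1.0.2-beta1*) echo VULNERABLE ;;    # per the OpenSSL advisory
        0.9.*|1.0.0*) echo NOT_AFFECTED ;;  # no heartbeat code in these lines
        *)            echo UNKNOWN ;;       # newer branch: check vendor notes
    esac
}

# Runs the check against the openssl binary on PATH, if one exists.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo UNKNOWN; return 0; }
    heartbleed_status "$(openssl version -a 2>/dev/null)"
}

# Constructed samples, cut down from the two outputs shown in the diary
SAMPLE_MAVERICKS='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan  6 23:30:17 PST 2014
compiler: /usr/bin/clang -fPIC -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS'
SAMPLE_CENTOS_NOHB='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr  7 21:56:27 EDT 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DKRB5_MIT -DOPENSSL_NO_HEARTBEATS -m64'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_OLD='OpenSSL 1.0.0k 5 Feb 2013'

for s in "$SAMPLE_MAVERICKS" "$SAMPLE_CENTOS_NOHB" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    printf '%-32s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_status "$s")"
done
printf '%-32s -> %s\n' "openssl on PATH" "$(check_local_openssl)"
```

Distributions that backport the fix, such as the Ubuntu update linked above, keep the old version string, so on packaged systems confirm with the package changelog rather than the version number alone.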
 
You can download the RPM at your own risk here: https://isc.sans.edu/diaryimages/opensslrpms.zip (it includes related RPMs from the same source RPM). Please note that I didn't update the version, so you need to install it with:
 
rpm -Uvh --force ./openssl-1.0.1e-16.el6.4.x86_64.rpm
 
INSTALL AT YOUR OWN RISK! LIGHTLY TESTED. The ZIP File includes a source RPM as well.
 
SHA512 Checksum:
a81e25067bf41038cbd73034dc31c05fa7a72d511686ef9d4ddb50913aa710776c3cad27d7ffe3e6dbcc4073e89714768327b6a2566bf2f4a5958791ad7512d7  opensslrpms.zip
 

[1] http://www.openssl.org/news/secadv_20140407.txt
[2] http://www.openssl.org/news/vulnerabilities.html#2014-0160
[3] http://heartbleed.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
When Microsoft ends support for Windows XP on Tuesday, a security sinkhole will likely open and gradually widen, threatening hundreds of millions of PCs worldwide in homes, companies, government agencies and schools.
 
 

Americans Distrust Tech Companies
TechNewsWorld
Many Americans are more wary about exposing their personal information to tech companies following revelations about their cooperation with government surveillance. It's not that Americans believe surveillance is wrong -- in fact, most believe it's ...

 
 
Intel is bringing peer-to-peer computer networking capabilities to Thunderbolt 2 with a feature that allows Macs -- and soon, PCs -- to connect directly for high-speed data transfers.
 

Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.

The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users' posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests.

"Obviously one request per second is not a lot," Incapsula researchers Ronen Atias and Ofer Gayer wrote. "However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."


 

Blancco to Showcase SSD Erasure and Best Practices at InfoSec World
PR Newswire (press release)
Blancco, the global leader in data erasure and computer reuse solutions, will showcase innovative technologies and best practices for secure enterprise data disposal at the InfoSec World Conference & Expo in Orlando, Fla., on April 7 and 8.

 
Hewlett-Packard's new Z Turbo Drive solid-state drives will be faster than conventional SSDs that plug into hard-drive slots, the company said.
 

A drone operated by a film company crashed onto the course of an Australian triathlon on Sunday, injuring one triathlete. The operator of the drone claims that he lost control because someone deliberately jammed his communication link.

The drone, which was collecting footage of the event, was flying about 30 feet above the course before the incident. Triathlete Raji Ogden told the Australian Broadcasting Company that the drone hit her in the back of the head early in the run portion of the Endure Batavia Triathlon in Geraldton, Australia. The impact caused several injuries to her head, one of which required three stitches.

The operator of the drone, Warren Abrams of New Era Photography and Film, claimed that the video from the drone showed that the drone fell behind Ogden on the trail, and he says the athlete fell after being startled. Abrams believes that someone deliberately interfered with his operation of the device from nearby—an attacker using a “channel hop” attack to take control away from him. He added that a similar incident caused him to lose control over the drone earlier in the day.


 
The U.S. Supreme Court has declined to hear a lawsuit challenging the U.S. National Security Agency's collection of U.S. phone records filed by a conservative activist, despite a lower court's ruling that the program may be illegal.
 
Why should you use open-source software? The fact that it's usually free can be an attractive selling point, but that's not the reason most companies choose to use it. Instead, security and quality are the most commonly cited reasons, according to new research.
 
SK Hynix said it has developed the world's first 128GB DDR4 memory module, with twice the capacity of the company's current 64GB module.
 
Cisco IOS XR Software ICMPv6 Processing Denial of Service Vulnerability
 
Xen '/hvm/hvm.c' Remote Denial of Service Vulnerability
 
Microsoft is moving Windows to the car, again.
 
The U.S. government said today it has reached the H-1B cap, and if this year is similar to previous years, 70% of applicants are under the age of 35, and a major portion will take jobs at offshore outsourcing companies.
 
European lawmakers are concerned that cyber-squatting could undermine the entire wine industry and welcomed a decision to put the allocation of new top level domains on hold.
 
 
LinuxSecurity.com: PHP could be made to crash if it processed a specially crafted file.
 
LinuxSecurity.com: File could be made to crash if it processed a specially crafted file.
 
LinuxSecurity.com: A vulnerability in CUPS may allow for arbitrary file access.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
Multiple Vendors XMPP server XMPP-Layer Compression Denial of Service Vulnerability
 
Splunk Multiple Command Injection Vulnerabilities
 
MacOSX/XNU HFS Multiple Vulnerabilities
 

The Great Hash Bakeoff: Infosec bods cook up next-gen crypto
Register
Cryptographers are limbering up for a competition aimed at developing a next-generation password hash to create a better means for websites to store users' login credentials. In total 24 submissions have been made to the Password Hashing Competition.

 
 
Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.
 

Reviewing my logs, I found this odd request:

GET /infocon.htmlppQ/detail/20130403164740572kode-til-boozt-10/basura-que-va-acumulando/_medium=twittersideIM&lang=en&brand=nokiaokseen-fortumin-joensuun-voimalaitokselle/)&utm_term=inspirationfeedistan%20Tehreek-e-Insaf)%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc%e0%b9%84%e0%b8%a1%e0%b9%88%e0%b9%84%e0%b8%8a%e0%b9%88%e2%99%a5His%c3%b6%e2%86%94ll%e0%b8%95%e0%b9%88%e0%b8%81%e0%b9%89%c3%b6%e0%b8%a1%e0%b8%b1%e0%b9%88%e0%b8%a2%e0%b8%94%e0%b9%89%e0%b8%b2E%e2%86%90n%c3%96%e2%86%90m%c3%96neY%c2%ae%e2%97%84%e2%97%84--html26eu1=0&eu2=0&x=50&y=16&dataPartenzaDa=20121001&dataPartenzaA=20121010&orderBy=Prezzo HTTP/1.0" 302 154 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" "2a03:2880:20:4ff7::"

It does look like a valid request from Facebook. "facebookexternalhit" is used by Facebook to screen links people post for malware. However, the link "doesn't make sense". Doesn't really look like an attack to me, just weird. Any ideas how this may happen?

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Law firm Holland & Knight already had a who's who of best-of-breed communications products deployed when the firm's IT team decided it needed to replace the tangled mess of PBX systems that provided voice lines at its many offices. It chose to jettison them all in favor of an infrastructure built on Microsoft Lync Server 2013.
 
The Hash is on the road this week, but while yours truly is flying the friendly skies, the following round-up will keep you in the loop on current events and interesting research. Today's cache includes a unique attack on Microsoft Outlook, using XSS to launch DoS attacks, and a note on the end of Windows XP.
 
SFR BOX Router CVE-2014-1599 Multiple Cross Site Scripting Vulnerabilities
 

Blancco to Showcase SSD Erasure and Best Practices at InfoSec World
Broadway World
Blancco, the global leader in data erasure and computer reuse solutions, will showcase innovative technologies and best practices for secure enterprise data disposal at the InfoSec World Conference & Expo in Orlando, Fla., on April 7 and 8.

 
Raspberry Pi -- popular for its $25 PC -- plans later this year to ship new hardware in the form of a smaller board that plugs into a custom motherboard slot, which could appeal to a new audience of makers, enthusiasts and enterprise users.
 
Official Microsoft support for Windows XP ends tomorrow. However, as many as 20 percent of business endpoints still use the popular operating system. If your company ranks among those still using XP, here's how you can protect your machines from the forthcoming onslaught of security vulnerabilities.
 
Pearson eSIS Enterprise Student Information System SQL Injection
 
Pearson eSIS Enterprise Student Information System Stored XSS
 
Qualcomm is getting high on 64-bit chips with its fastest ever Snapdragon processor, which will render 4K video, support LTE Advanced and could run the 64-bit Android OS.
 
It's already started, with a refrigerator that sent out email spam. The Internet of Things trend shows how even a benign consumer appliance could pose a danger to enterprises if connected to the Internet without proper security.
 
Apple and Samsung were back in San Jose federal court last week arguing over more patents and another set of devices. Apple is demanding more than $2 billion in damages, in the second case between the companies in California.
 
[SECURITY] [DSA 2895-1] prosody security update
 
[SECURITY] [DSA 2894-1] openssh security update
 
Call for Papers
 
Vulnerability in PHPFox v3.7.3, v3.7.4 and v3.7.5 all build [ CVE-2013-7195, CVE-2013-7196 ]
 
When it comes to IT pay, some industries fare much better than others. Find out who the winners and losers are in our 2014 Salary Survey.
 
Demand keeps growing and salaries keep rising for tech workers with the right skills. Our survey of more than 3,500 IT professionals reveals which jobs are hot -- and which are not.
 
Pursue the right IT career, and you're practically guaranteed a free lunch.
 
While traditional incentives like salary and benefits still rule, IT staffers are placing more importance on intangibles such as corporate culture, challenging work and recognition -- a trend that employers ignore at their peril.
 
There's never been a better time to explore opportunities as a technology contractor. The potential payoffs can benefit both workers and companies.
 
Thanks to factors ranging from BYOD and flexible work arrangements to the global economy, a broad range of IT roles demand around-the-clock accessibility. IT professionals say it's part of the territory and are devising strategies to cope.
 
Salaries continue their modest rise, while demand for workers with key tech skills coupled with business acumen keeps employers scrambling to find and keep talent.
 
Too often we make self-limiting assumptions about position, status and the need to rigidly follow a career path.
 
With low single-digit unemployment for IT workers and a scarcity of qualified candidates, it's critical for employers to become more effective in their recruiting efforts. Here are four fresh approaches.
 
A look at the methodology used to collect data for Computerworld's 2014 IT Salary Survey.
 
[security bulletin] HPSBGN02986 rev.1 - HP IceWall Identity Manager and HP IceWall SSO Password Reset Option Running Apache Commons FileUpload, Remote Denial of Service (DoS)
 

Microsoft Xbox pwned by 5-year-old security researcher
Naked Security
The world of infosec needs more like Kristoffer: a load of talent stuffed into one small package and tied up with a responsible-disclosure bow. Mom and Dad, you must be very proud. You should be! Follow @LisaVaas · Follow @NakedSecurity. Image of from ...

 

New Horizons Computer Learning Centers Joins InfoSec Institute as a Platinum ...
Virtual-Strategy Magazine (press release)
New Horizons Computer Learning Centers, a provider of IT training with over 300 centers in over 70 countries, has added InfoSec Institute, the leading provider of information security and other IT training to more than 40 of its training centers. With ...

 
ASUS RT-N56U Router Remote Command Injection Vulnerability
 

Posted by InfoSec News on Apr 07

http://www.chicagotribune.com/news/local/breaking/chi-chicagoarea-doctors-group-announces-data-breach-20140404,0,5815884.story

By Mitch Smith
Tribune reporter
April 5, 2014

Surgical information for more than 1,200 patients may have been
compromised in February when an unknown person accessed a doctor’s Gmail
account, a Chicago-area physicians’ group announced Friday.

Midwest Orthopaedics at Rush said in a news release that names and...
 

Posted by InfoSec News on Apr 07

http://phrack.org/papers/fall_of_groups.html

By Strauss
Phrack.org
April 4, 2014

--[ 1 - Introduction

The earlier, bigger part of hacking history often had congregations as
protagonists. From CCC in the early 80s to TESO in the 2000s, through LoD,
MoD, cDc, L0pht, and the many other sung and unsung teams of hacker
heroes, our culture was created, shaped, and immortalized by their
articles, tools, and actions.

This article discusses why...
 

Posted by InfoSec News on Apr 07

http://www.nytimes.com/2014/04/07/world/us-tries-candor-to-assure-china-on-cyberattacks.html

By DAVID E. SANGER
The New York Times
APRIL 6, 2014

WASHINGTON -- In the months before Defense Secretary Chuck Hagel's arrival
in Beijing on Monday, the Obama administration quietly held an
extraordinary briefing for the Chinese military leadership on a subject
officials have rarely discussed in public: the Pentagon's emerging
doctrine for...
 

Posted by InfoSec News on Apr 07

http://www.itproportal.com/2014/04/04/security-flaws-could-give-hackers-control-of-power-plants-and-oil-rigs/

By Alex Hamilton
IT Pro Portal
04 Apr 2014

Power plants, oil rigs and refineries could be at risk from hackers, new
research shows, as there are vital bugs in their software that could allow
an outsider to gain remote access.

Around the world about 7,600 plants are using the vulnerable software that
could allow an attacker with the...
 

Posted by InfoSec News on Apr 07

http://www.computerworld.com/s/article/9247465/5_year_old_hacks_Xbox_now_he_s_a_Microsoft_39_security_researcher_39_

By Zach Miners
IDG News Service
April 4, 2014

A 5-year-old San Diego boy has been commended by Microsoft for his
security skills after finding a vulnerability in the company's Xbox games
console.

Kristoffer Von Hassel's parents noticed earlier this year that he was
logged into his father's Xbox Live account...
 