Microsoft will publish 9 bulletins next patch tuesday, with 7 important and 2 critical bulletins. More information at https://technet.microsoft.com/library/security/ms14-aug

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Infosecurity Magazine Home » Interviews » Lay Your Chips Down: An Infosec ...
Infosecurity Magazine
Even just a few short years ago, infosecurity firms were far from the top of most venture capitalists' investment list. Security vendors, the argument went, were too slow-burning to interest the VC community. Investors wanted growth companies, and ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are:

  • SCADA Pentesting should not be done in production environment: SCADA devices are very fragile and some activities that could pose harmless to regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city.
  • SCADA devices have specific outputs for the industrial process they are controlling. The architecture and operating systems are not the same, so risks assessment approach is not performed in the same way. For electrical systems, we need to address devices belonging to the Advanced Metering Infrastructure (AMI), Demand Response (DR), Distributed Energy Resources (DER), Distributed Grid Management (DGM), Electric Transportation (ET) and Wide Area Monitong, Protection and Control (WAMPAC). This means we need to address devices like the following, instead of conventional network devices, services, laptops, desktop computers or mobile devices:
AMI Meters
Access points
DR Energy Resources
Digital Control Unit
DER DER Managed generation and storage devices
Customer Energy Management System
DGM Automated Reclosure
Remote Fault Indicators
Capacitor Banks
Automated Switches
Load Monitor
Substation Breakers
WAMPAC Phasor Measurement Units
Device which includes Phasor Measurement Unit capabilities
Field Deployed Phasor Data Concentrator
Field Deployed Phasor Gateways

Table 1: Devices in the Smartgrid Network

This means we need to considering a specific methodology for this type of infrastructure that leads to effective risk mitigation for proper detection of vulnerabilities in the smartgrid system. I want to recommend one today named Guide to Penetration Testing for Electric Uitilities created by the National Electric Sector Cybersecurity Organization Resource (NESCOR). This metodology is composed by the following steps:


NESCOR Pentest Model

Source: http://www.smartgrid.epri.com/doc/NESCORGuidetoPenetrationTestingforElectricUtilities-v3-Final.pdf

Let's explain the steps a little bit:

  • Penetration Test Scoping: You need to decide which sector of the entire system will be the target of the assessment. Could be a substation, generation plant or any other device listed in table 1. The scope could even be the entire system.
  • Architecture Review: You want to learn the context of the entire system. This is the first step of information acquisition. Can be done checking the documentation of the system and analyzing the configuration of the devices part of the scope.You can also check for information in the same way as it is done with conventional pentesting like google, shodan, maltego and social networks.
  • Target System Setup: You don't want to perform a pentesting in a smartgrid live production environment. Instead, you need to setup an environment with the same configuration, as much as possible, to the live configuration of the smartgrid production environment. That's how we can get a full list of the vulnerabilities performing even dangerous test without affecting the availability of the electrical service.
  • Server OS, Server application, Network Communication and Embedded device penetration tasks: Those are the specific pentest tasks within the target systems. You can use several tools like
  • End to end penetration testing analysis: You need to ensure that all possible inputs from external systems to all systems in the scope have been tested and evaluated as possible vulnerable points for attacks.
  • Result interpretation and reporting: As always, you need to develop a report including the vulnerabilities that could be exploited, the risks associated, the remediation steps and other recommendations that could be applied.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
OpenSSL CVE-2014-3509 Remote Denial of Service Vulnerability
Intel was the target of an elaborate hoax Thursday that drew attention to its plan to invest almost US$6 billion in a chip plant in southern Israel.

Yahoo Chief Information Security Officer Alex Stamos announced today at Black Hat 2014 that starting in the fall of this year, the purple-hued company will begin giving users the option of seamlessly wrapping their e-mails in PGP encryption. According to Kashmir Hill at Forbes, the encryption capability will be offered through a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail.

The announcement was tweeted by Yan Zhu, who has reportedly been hired by Yahoo to adapt End-to-End for use with Yahoo Mail. Zhu formerly worked as an engineer at the Electronic Frontier Foundation, an organization that has consistently been outspoken in its call for the widespread use of encryption throughout the Web and the Internet in general.

In an interview with the Wall Street Journal, Stamos acknowledged that the introduction of encryption will require some amount of education for users to make sure their privacy expectations are set appropriately. For example, he explained that PGP encryption won’t cloak the destination of your e-mail. "We have to make it clear to people it is not [a] secret you’re emailing your priest, but the content of what you’re e-mailing him is secret," Stamos said.

Read 3 remaining paragraphs | Comments


Hundreds of thousands of websites running a popular WordPress plugin are at risk of hacks that give attackers full administrative control, a security firm warned Thursday.

The vulnerability affects Custom Contacts Form, a plugin with more than 621,000 downloads, according to a blog post by researchers from Sucuri. It allows attackers to take unauthorized control of vulnerable websites. It stems from a bug affecting a function known as adminInit(). Hackers can exploit it to create new administrative users or modify database contents.

"The vulnerability was disclosed to the plugin developer a few weeks ago, they were unresponsive," Sucuri researcher Marc-Alexandre Montpas wrote. "The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it."

Read 1 remaining paragraphs | Comments

OpenSSL CVE-2014-3511 Man in the Middle Security Bypass Vulnerability
OpenSSL DTLS CVE-2014-3505 Remote Denial of Service Vulnerability
OpenSSL NULL Pointer Dereference CVE-2014-5139 Local Denial of Service Vulnerability
OpenSSL DTLS CVE-2014-3506 Remote Denial of Service Vulnerability
Listen to an executive speak for 10 seconds, and you'll know instantly whether that person is a CIO or CMO. Their use of words and the way they talk about their jobs are polar opposite to each other.
Want to measure heart rate or weight? Google can help you.
President Obama has signed legislation focused on overhauling the Department of Veteran Affairs' troubled health-care system, including an IT review of the VA's process of scheduling patients.
News that Russian hackers amassed log-in credentials belonging to more than 1.2 billion Internet users hammers home why companies that have not implemented strong authentication measures really need to get moving on it.
Say what you will about Satya Nadella's first six months as Microsoft CEO, but no one can deny the man jumped in with both feet from day one and has led the company with decisiveness.
Microsoft plans to deliver nine security updates next week, incljuding a pair of critical patches for Internet Explorer and all versions of Windows.
Facebook Thursday moved to beef up its servers by agreeing to buy cybersecurity startup PrivateCore.
Despite years of hype, some SAP customers remain puzzled over how the vendor's Hana in-memory computing platform can fit into their IT strategies, a newly released survey from the Americas' SAP Users' Group has found.
Google announced that book buyers in three metropolitan areas in the U.S. will be able to order books from local Barnes & Noble stores and get them delivered the same day with Google Shopping Express, the company's fledgling online shopping and delivery service.
IBM has taken another step toward its ambitious goal of creating a processor that acts like a human brain, creating a second, more advanced chip that mimics the way the mammalian brain operates.
When astronauts are living and working on Mars, they'll be able to thank MIT's Michael Hecht for their ability to breathe on the Red Planet.
The Russian government will allow Edward Snowden, the former U.S. National Security Agency contractor who leaked details of the agency's worldwide surveillance programs, to stay in the country for three more years, according to Russia news reports.

In a shift aimed at fostering wider use of encryption on the Web, Google is tweaking its search engine to favor sites that use HTTPS to protect end users' privacy and security.

Sites that properly implement the transport layer security (TLS) protocol may be ranked higher in search results than those that transmit in plaintext, company officials said in a blog post published Wednesday. The move is designed to motivate sites to use HTTPS protections across a wider swath of pages rather than only on login pages or not at all. Sites that continue to deliver pages over unprotected HTTP could see their search ranking usurped by competitors that offer HTTPS. Facebook is also getting more serious about encryption, with plans to acquire PrivateCore, a company that develops encryption software to protect and validate data stored on servers.

In Wednesday's post, Google Webmaster Trends Analysts Zineb Ait Bahajji and Gary Illyes noted that Google was among the first sites to offer end-to-end HTTPS protection by default across virtually all of its properties. It has also offered a variety of tools to help sites detect and recover from security breaches. They went on to write:

Read 2 remaining paragraphs | Comments

Two weeks ago, Amazon announced its quarterly earnings, reporting a much larger net loss than expected. There was much speculation by pundits about the reasons for the scale of the loss (including me in a CNBC segment). Many commentators placed responsibility for size of the loss on Amazon Web Services -- after AWS responded to an approximately 30 percent price cut by Google, the size of the "other" AWS category, in which Amazon places AWS revenues, fell 3 percent from the previous quarter.
Information leaked from an AMD site in China shows the company plans to release a series of solid-state drives for gamers and professionals later this year.
[SECURITY] [DSA 2998-1] openssl security update
Struggling PC maker Acer is showing signs of recovery with its report of improved profits in the second quarter, albeit on a smaller revenue base than a year earlier.
Vulnerabilities found in remote management software that carriers insist be installed on smart phones and other mobile-enabled devices they sell are likely to put many devices at risk of compromise for some time to come.
(kind of) new tool: american fuzzy lop
[ MDVSA-2014:151 ] cups

Defense One

Black Hat 2014 Keynote: What InfoSec Needs to Do
Infosecurity Magazine
In a far-ranging speech, Geer outlined 10 policy proposals “on a suite of pressing current topics,” such as government surveillance, embedded systems security, net neutrality, the right to be forgotten, and the state of vulnerability research and ...
CIA infosec guru: US govt must buy all zero-days and set them freeRegister
Black Hat 2014: Dan Geer says system dependencies threaten securityTechTarget

all 24 news articles »
(CVE-2014-3501/2/3) Apache Cordova for Android - Multiple Vulnerabilities
nullcon CFP is open
[ MDVSA-2014:150 ] tor
[ MDVSA-2014:155 ] kernel
All of the major wireless carriers "throttle" customers who use what the companies think is too much data, but Verizon's policy is tougher than its competitors.
With Microsoft moving into a "mobile first, cloud first" world, an Apple smartwatch coming any day now and everyone else buying into the cloud computing hype, it can be easy to lose sight of what all of these developments do: Drive business forward by enabling employees to be more productive. Essentially, it's about the future of work.
LinuxSecurity.com: Multiple vulnerabilities has been found and corrected in the Linux kernel: Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a [More...]
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated mediawiki packages fix security vulnerabilities: MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash, XSS in mediawiki.page.image.pagination.js, and clickjacking between OutputPage and ParserOutput. [More...]
LinuxSecurity.com: Updated readline packages fix security vulnerability: Steve Kemp discovered the _rl_tropen() function in readline insecurely handled a temporary file. This could allow a local attacker to perform symbolic link attacks (CVE-2014-2524). [More...]
LinuxSecurity.com: Updated glibc packages fix security issues: Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with .. components in the LC_* and LANG variables. Together with typical OpenSSH [More...]
LinuxSecurity.com: Updated cups packages fix security vulnerability: In CUPS before 1.7.4, a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd (CVE-2014-3537). [More...]
Blu Products has launched four new low-cost, no-contract smartphones that all run Android 4.4.
Two U.S. federal agencies have halted background checks with a contractor that said Wednesday its networks had been breached in a cyberattack suspected to have been coordinated by an unnamed country.
Researchers have developed mobile robots that can use Wi-Fi signals to effectively "see through" walls. It's raising the possibility of flying drones using the technology to see inside buildings.
Nine software fixes were released Wednesday for OpenSSL, a critical encryption component for exchanging data on the web, although none of the problems are as severe as the 'Heartbleed' issue found in April.
Google, Microsoft and Facebook are cranking up an emerging wireless technology known as Wi-FAR to help reduce the digital divide in remote and unconnected regions of the world.
Internet Storm Center Infocon Status