InfoSec News

At the Computerworld Premier 100 leadership conference, Steve Phillips from Avnet chats with Johanna Ambrosio about 5 ways that IT can deal with mergers and acquisitions.
 
Adobe ColdFusion 'cfform' Tag Cross Site Scripting Vulnerability
 
Adobe ColdFusion (CVE-2011-0581) CRLF Injection Vulnerability
 
Adobe ColdFusion (CVE-2011-0584) Session Fixation Vulnerability
 
Adobe ColdFusion Administrator Console Information Disclosure Vulnerability
 
Computerworld's annual Premier 100 conference is better than ever in 2011, showcasing an all new kind of business and IT transformation that sets the stage for innovation, revenue growth and a fully engaged organization.
 
CIOs at Computerworld's Premier 100 conference share their responses to the IT trends, including mobile devices, ubiquity and cloud computing.
 
Linux Kernel 'ib_uverbs_poll_cq()' Function Local Information Disclosure Vulnerability
 
Linux Kernel TKIP Countermeasures Security Vulnerability
 
Linux Kernel 'security_filter_rule_init()' Local Security Bypass Vulnerability
 
Research In Motion opened up its beta offering of BlackBerry Protect, a free service that lets users locate their lost phones and remotely wipe them, to users in North America and parts of Latin America.
 
Now that another season of NFL games has come to an end and our national summer pastime is about to begin, it's time to swap one set of cliches for another. Sports broadcasting is replete with cliches—nice, comfortable, familiar, predictable phrases that connect current sports fans with previous and future generations of sports enthusiasts.
 
Mozilla has urged users to update their graphics cards' drivers if they want to take advantage of Firefox 4's hardware acceleration.
 
Not getting enough sleep these days? You may have to blame your computer or your cell phone.
 
CIOs are drawn to flexible-cost structures and cloud computing because of the financial advantages. But these setups offer other benefits.
 
While Western Digital faces hurdles with product overlap, its planned buyout of hard drive maker Hitachi GST is a good thing for both it and the marketplace, analysts say.
 
Mozilla Firefox and SeaMonkey JavaScript Non-Local Variables Buffer Overflow Vulnerability
 
Plaintext injection in STARTTLS (multiple implementations)
 
Google's Android smartphones took the top spot in the U.S. for the first time, hitting 31.2% in the latest comScore survey of 30,000 subscribers.
 
Dell will release an ultrathin laptop with Intel's latest Sandy Bridge chips in the next few weeks.
 
[ MDVSA-2011:042 ] mozilla-thunderbird
 
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
 
HP Performance Insight Remote Command Execution Vulnerability
 
Adobe Acrobat and Reader CVE-2011-0594 Font Parsing Remote Code Execution Vulnerability
 
Adobe Acrobat and Reader CVE-2011-0598 Image Parsing Remote Code Execution Vulnerability
 
Adobe Acrobat and Reader CVE-2011-0604 Cross Site Scripting Vulnerability
 
The Codegate CTF last weekend was finally an event that I was able to spend some time playing. It was unfortunately only a couple of hours, but it was fun nevertheless!
As I haven't seen any write-ups about the crypto 400 challenge, here it is (bonus question: guess the name of the E! channel host who likes exploiting this :).

So, we are presented with a log file (mirror available at http://repo.shell-storm.org/CTF/CodeGate-2011/Crypto/400/2404656D5DA22F5DBA41CDD7AA1C1F7B) that has 2468 HTTP requests coming from a single host. An excerpt is shown below:

We can see a valid request (HTTP status code 200) and then a series of 500 responses, as well as a single 403 response. If you were paying attention last year you almost certainly heard about the padding oracle attacks that were demonstrated at BlackHat Europe. These attacks allow an attacker to decrypt certain data (and encrypt, depending on some other circumstances) when CBC encryption is used. An excellent description of how these attacks work is available at http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/.
Knowing how padding oracle attacks work, we can analyze the logs of our (Codegate) server. The URLs shown in the picture are URL-safe base64 encoded; after decoding we are left with 32 bytes. Since the attacker started by changing the 16th byte, the block size here is 16 bytes too.
The 500 server errors were clearly caused by an incorrect padding sequence. However, we can see one 403 error (forbidden), which means that the attacker guessed a correct padding sequence. The attacker simply cycles the byte from 0x00 to 0xFF until the response is something other than 500. When the first value has been guessed, the attacker XORs it with 0x01 to get the intermediate value (read more at the link shown above). Now the attacker needs to find the second byte of the intermediate value, so the padding needs to be 0x02: the value that has already been found is first XORed with 0x02, and the second byte is again cycled from 0x00 to 0xFF until a valid sequence has been found. The process repeats for 0x03 through 0x10.
This can all be seen in the log file, as there are exactly 16 requests that resulted in HTTP status code 403 (among thousands of other requests).

The challenge here was to guess what the attacker retrieved with the first (200) request. In order to decipher this we need to find all the intermediate values by following the process described above. Then we need to XOR the intermediate values with the initialization vector (IV) of the 200 request :-).
Anyway, in case you haven't checked your servers/web applications for padding oracles, please do so (there are lots of resources describing how to protect against such attacks). The attacks are real, they work, and there are dozens of tools out there exploiting this vulnerability.



--

Bojan

INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
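As an added illustration (not part of the diary or of the CTF's files), the script below reconstructs the plaintext from an access log the way the write-up describes: it takes the IV of the 200 request, treats the k-th 403 as revealing intermediate byte I[16-k] = IV'[16-k] XOR k, and XORs the recovered intermediate values with the IV. The IV, ciphertext block, plaintext and log line format are constructed here; the simulated log only needs the intermediate value, so no real block cipher is involved.

```python
import base64
import re

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

# Constructed values (not the CTF's): IV and first ciphertext block of the 200 request
# and the plaintext to recover. The server's padding check depends only on
# I = D_K(C1), the "intermediate value", so no real block cipher is needed here.
IV = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
C1 = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
PLAINTEXT = b"flag{padoracle}\x01"   # 15 bytes plus one byte of PKCS#7 padding
INTERMEDIATE = xor(IV, PLAINTEXT)   # what the 16 successful (403) guesses reveal

def padding_valid(iv_mod: bytes) -> bool:
    """Server-side check: bad padding -> 500, valid padding -> 403 (as in the log)."""
    p = xor(INTERMEDIATE, iv_mod)
    n = p[-1]
    return 1 <= n <= BLOCK and p[-n:] == bytes([n]) * n

def make_log() -> list:
    """Constructed access log: one 200, then per pad value a 0x00..0xFF cycle ending in a 403."""
    def line(iv_mod, status):
        tok = base64.urlsafe_b64encode(iv_mod + C1).decode()
        return f'10.1.2.3 - - [05/Mar/2011:10:00:00 +0000] "GET /?data={tok} HTTP/1.1" {status} -'
    lines, found = [line(IV, 200)], bytearray(BLOCK)
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        iv_mod = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # bytes already recovered are set to produce `pad`
            iv_mod[j] = found[j] ^ pad
        for v in range(256):
            iv_mod[pos] = v
            ok = padding_valid(bytes(iv_mod))
            lines.append(line(bytes(iv_mod), 403 if ok else 500))
            if ok:
                found[pos] = v ^ pad
                break
    return lines

LOG_RE = re.compile(r'"GET /\?data=([A-Za-z0-9_\-=]+) HTTP/1\.1" (\d{3}) ')

def recover_plaintext(lines) -> bytes:
    """Forensic reconstruction: IV of the 200 request, k-th 403 -> I[16-k] = IV'[16-k] ^ k."""
    iv0, inter, k = None, bytearray(BLOCK), 0
    for ln in lines:
        m = LOG_RE.search(ln)
        if not m:
            continue
        iv_mod, status = base64.urlsafe_b64decode(m.group(1))[:BLOCK], int(m.group(2))
        if status == 200 and iv0 is None:
            iv0 = iv_mod
        elif status == 403:
            k += 1
            inter[BLOCK - k] = iv_mod[BLOCK - k] ^ k
    if iv0 is None or k != BLOCK:
        raise ValueError(f"incomplete log: 200 seen={iv0 is not None}, 403s seen={k}")
    return xor(inter, iv0)
```

The detection signal is the shape of the log itself: one source, one endpoint, thousands of 500s and exactly one 403 per block byte. Returning the same status (and timing) for bad padding and bad content removes the oracle.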
 
We had a user over the weekend send us some interesting traffic, primarily destined to port 80. The TCP option used has an option kind that appears to be in the unassigned range, the sequence numbers are not changing, but the source IPs are. They also throw in a packet here and there to destination ports other than 80, such as ports 21, 22 and 1. If anyone is seeing something similar and has logs or, preferably, packets, please send them to us. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A New York manufacturer is suing ERP (enterprise resource planning) vendor Infor following a dispute over whether it should have to pay nearly $150,000 in additional license fees.
 
RIM's Chief Marketing Officer Keith Pardy is leaving the company, a move that has provoked renewed concerns about RIM's marketing efforts among analysts.
 
Maybe you use your administrator-level Windows user account so rarely that you forgot the password. Or perhaps you've acquired a used PC, don't know the logon password, and have a good reason not to reformat the drive. Either way, if you want to keep using that computer, you have to either find out what that password is or remove it from the logon procedure.
 
Google Monday announced the beta release of an update to its Google Maps Navigation tool set.
 
After receiving a wake-up message from Star Trek's William Shatner Monday morning, the crew of NASA's space shuttle Discovery undocked from the International Space Station and began its final voyage back to Earth.
 
Oracle has introduced a Windows-based mobile client that will allow workers to access its supply chain management software directly from the retail floor or warehouse.
 
Many organizations are cautious when investing in anything new -- especially technology. Familiarity often leads companies to stick with what they know or have always used. Holding on to the past, however, can be costly. Stepping out of your comfort zone is crucial if you want your IT department, and your organization as a whole, to stay competitive in today's business world.
 
As enterprises move towards virtualizing more of their servers and data center infrastructure, the security technologies that are plentiful and commonplace in the physical world become few and far between.
 
For only the second time, Google has remotely deleted Android apps from users' phones, moving to erase malware-infected applications that users had downloaded from the Android Market.
 
A reader who wishes to remain anonymous seeks a way to create form letters with Office 2011. Said reader writes:
 
While Google gained greater control over malware poisoned search results, cybercriminals turned to other search engines and took advantage of opportunities on social networks.

 
We had some readers (kudos for watching your traffic closely!) report outbound traffic from HP Virtual Connect blades to 49.48.46.53 on port 22.
No response is received from this IP address, and we guess it is a bug. Interestingly (I think Daniel noted it first), 49, 48, 46, 53 happen to be the ASCII codes for the characters '1', '0', '.', '5'. So we suspect some buggy code is trying to use an IP address starting with 10.5 (in this case, the blade's IP address started with 10.5).
To confirm this guess: if you have an HP Virtual Connect blade, do you see similar traffic? Is it directed at a different IP address? Does the ASCII rule still apply for you?
This workaround helped some users affected by this problem:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02720395&lang=en&cc=us&taskId=101&prodSeriesId=3794423&prodTypeId=3709945
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
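One way to check the "ASCII rule" on your own connection logs, as an added example that is not part of the diary: decode each octet of the destination address as an ASCII character and flag destinations that decode to something that looks like the start of a dotted address (digits and dots). The log format and records below are constructed, and a broader character set can be passed in to catch hostname fragments as well.

```python
import re
from typing import Optional

# Constructed sample of outbound connection records (not the readers' real logs).
SAMPLE_CONNECTIONS = [
    "2011-03-07T09:12:01Z src=10.5.1.20 dst=49.48.46.53 dport=22 proto=tcp",
    "2011-03-07T09:12:05Z src=10.5.1.20 dst=10.5.0.1 dport=443 proto=tcp",
    "2011-03-07T09:12:09Z src=10.5.1.21 dst=49.48.46.53 dport=22 proto=tcp",
    "2011-03-07T09:12:12Z src=10.5.1.22 dst=8.8.8.8 dport=53 proto=udp",
]
REC_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
DIGITS_AND_DOT = re.compile(r"^[0-9.]+$")       # '10.5' style prefixes
HOSTNAME_CHARS = re.compile(r"^[0-9A-Za-z.\-]+$")  # broader: 'hp.c' style fragments

def octets_as_ascii(ip: str) -> Optional[str]:
    """Read each dotted-decimal octet as an ASCII code, e.g. 49.48.46.53 -> '10.5'.
    Returns None when any octet is outside the printable ASCII range."""
    try:
        octets = [int(o) for o in ip.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or not all(0x20 <= o <= 0x7E for o in octets):
        return None
    return "".join(chr(o) for o in octets)

def find_ascii_destinations(lines, pattern=DIGITS_AND_DOT):
    """Return (src, dst, dport, decoded) for every record whose destination
    decodes to a string matching `pattern`; such traffic deserves a closer look."""
    hits = []
    for ln in lines:
        m = REC_RE.search(ln)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        decoded = octets_as_ascii(dst)
        if decoded is not None and pattern.match(decoded):
            hits.append((src, dst, dport, decoded))
    return hits
```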
 
While virtual servers have proven a boon in the data center, they don't address the challenge of incrementally adding server capacity and automatically distributing load across them. As a result, the responsiveness and availability of a highly utilized Web application, such as Microsoft SharePoint, can deteriorate when the virtual machine it runs on is out of capacity.
 
[TEHTRI-Security] Security and iPhone iOS 4.3 Personal Hotspot feature
 
[USN-1085-1] tiff vulnerabilities
 
[USN-1084-1] avahi vulnerability
 
Seriously, it's a good trend and should be encouraged.

Here are two efforts that recently came to my attention.
DOD is launching a program that will send members of their IT teams to industry to improve the government's IT expertise, particularly in cyber security.

http://www.washingtonpost.com/wp-dyn/content/article/2010/12/30/AR2010123003292_pf.html
Estonia is building a Cyber Defense League with private sector cyber defense experts and government agencies.

http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation?sc=twcc=share


I have been involved in several similar efforts in the past, and while not all produced the desired results, IMO such sharing benefits the parties involved. Private industry has people who, as part of their day-to-day job, watch for cyber security threats and trends. Government agencies have personnel with similar responsibilities and similar abilities.
Both have different views into various portions of cyber land and may see different things at different times, but eventually each will probably see whatever the other is seeing. Sharing that type of information just makes sense. The bad guys share. If the good guys don't, we will always be one step behind them.
Other Government and private industry cyber security sharing forums in no particular order include but are NOT limited to:


nsp-security, ops-trust, infragard, NCFTA, ICASI, ISACS, and many others.
http://www.ncfta.net/about-ncfta
Since 1997, the NCFTA, a non-profit corporation, evolved from one of the nation's first High Tech Task Forces and has established an expansive alliance between subject matter experts (SMEs) in the public and private sectors (more than 500 worldwide) with the goal of addressing complex and often internationally-spawned cyber crimes. These SMEs, from industry, academia and government, each bring specific talents and experiences to the partnership. Through a steady cycling of such cross-sector national and international resources, both embedded at the NCFTA and through initiative-specific intelligence channels, the NCFTA is well positioned to adapt and regularly reinvent itself to better address today's evolving threat landscape.
http://puck.nether.net/mailman/listinfo/nsp-security
The nsp-security [NSP-SEC] forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. The list has helped mitigate attacks and will continue to do so.
https://ops-trust.net/
OPSEC-Trust (or ops-trust) sphere of trust, sphere of action, and the ability to maintain need-to-know confidentiality. OPSEC-Trust (or ops-trust) members are in a position to directly affect Internet security operations in some meaningful way. The community's members span the breadth of the industry, including service providers, equipment vendors, financial institutions, mail admins, DNS admins, DNS registrars, content hosting providers, law enforcement organizations/agencies, CSIRT teams, and third-party organizations that provide security-related services for public benefit (e.g. monitoring or filtering service providers). The breadth of membership, along with an action/trust vetting approach, creates a community which is in a position to apply focused attention on the malfeasant behaviors which threaten the Internet.
http://www.infragard.net/
InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.
http://www.icasi.org/
The Industry Consortium for Advancement of Security on the Internet (ICASI) is a forum of trust through which IT industry leaders address multi-product security challenges to better protect the IT infrastructures that support the world's enterprises, governments, and citizens.



A few articles about Government and private sector sharing wrt cybersecurity intel:
http://www.enisa.europa.eu/act/sr/reports/econ-sec

http://www.nationaljournal.com/njmagazine/id_20090502_5834.php
http://gcn.com/Articles/2006/08/16/Sharing-data-is-crucial-to-cyberdefense.aspx?Page=2
http://www.dailyherald.com/article/20101227/news/101229642/
http://www.ncs.gov/nstac/reports/2009/NSTAC%20CCTF%20Report.pdf

If you know of any other good sharing being done feel free to add comments to this diary to educate everyone. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Western Digital announced it has entered into an agreement to buy Hitachi's hard drive subsidiary in a cash and stock deal valued at $4.3 billion.
 

GovInfoSecurity.com

3 Infosec Challenges States Face
For former New York State CISO Will Pelgrin, mobile devices, insiders and old infrastructure represent the major challenges local and state governments face in 2011 in securing information technology. Pelgrin should know. He spent more than a decade as ...

 
IT-oriented colleges such as University of Phoenix, DeVry, Kaplan, and others have come under fire for high costs and deceptive practices
 
Wells Fargo imposes strict regulations on employee-owned mobile devices and social networking sites because of security risks.
 
There have been a couple of glimmers of hope lately, but the company has a long way to go.
 
Kodak InSite Login Page Cross-Site Scripting
 
InSite Troubleshooting Cross-Site Scripting
 
RECON 2011 CFP
 
Mozilla Firefox SeaMonkey and Thunderbird CVE-2011-0053 Multiple Memory Corruption Vulnerabilities
 
The 64-bit Itanium chip, introduced as a challenger to the RISC systems that dominated enterprise shops at the time, hits the 10-year-mark next month.
 
It seems I am not alone in doubting that e-wallets will eliminate the leather variety any time soon, as many of you have written in reply to an earlier column listing the contents of my wallet that even the smartest of mobile phones might find difficult to replicate.
 
While the term "cloud" still puts many people off, chances are good that within a few years most companies will have a mix of legacy infrastructure, private cloud pods, public cloud services (SaaS or other), and resources at co-location or hosted facilities. Some people look at that say that's just business as usual, while others say it adds up to one big IT cloud. Nomenclature aside, the question remains: how will you manage it holistically?
 
Google says it's adding safeguards to its Android Market store to protect against malware attacks like the one that hit thousands of phones last week.
 
TinyBrowser Remote File Upload Vulnerability
 
Networks of LED lights will become one part of computerized building systems that use sensors and chips to reduce energy consumption, says an IDC analyst.
 
IT doesn't celebrate its heroes enough. To rectify that, Thornton May is bestowing what he calls the OC-DASS Awards.
 
CIOs who have to deliver bad news to the boss might want to adopt communication techniques used by hospice care providers.
 
University of Michigan researchers last month announced that they have created a millimeter-scale computing system -- one so small it just covers the letter N on a penny.
 
The use of femtocells -- small base stations that extend cellular coverage inside buildings -- is spreading from homes to corporate office buildings.
 
We've all heard -- endlessly -- why Borders went bankrupt. But those things are just technology. What are the IT lessons?
 
Robert Half International's list of the top 11 jobs for 2011 includes six that are technology-related.
 
Our manager's company is trying out the latest generation of firewalls, which offer some exciting possibilities.
 
Many storage and security experts were surprised by a UC San Diego study that found that solid-state drives are harder to erase than hard disk drives.
 
Concerns about latency and questions about legal and regulatory issues aren't stopping CIOs from moving key systems to the cloud, even if it means using applications that are hosted in data centers located overseas.
 
vtiger CRM Multiple Input Validation Vulnerabilities
 
We did not test performance. We concentrated on what it took to set up new policies, hosts, reports, and user roles in each product, and on how the various parts of each product worked to protect a typical multi-host ESX installation.
 
Asterisk UPDTL Packets Buffer Overflow Vulnerabilities
 
socat 'nestlex()' Command Line Argument Buffer Overflow Vulnerability
 
MoinMoin 'refuri' Cross-Site Scripting Vulnerability
 
Network Block Device Server (CVE-2011-0530) Remote Buffer Overflow Vulnerability
 
XSS in CubeCart <= 2.0.7
 
'Quick Polls' Local File Inclusion & Deletion Vulnerabilities (CVE-2011-1099)
 
[SECURITY] [DSA 2184-1] isc-dhcp security update
 
[SECURITY] [DSA 2183-1] nbd security update
 