Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Among the number of provocative points that Dan Geer, the CISO of In-Q-Tel, makes about embedded systems and supply chain risk, one stands out: The systems are immortal.
 
libvirt Unsafe Paths Usage Symlink Multiple Security Vulnerabilities
 
Volvo Car Group's Drive Me project, which will feature 100 self-driving Volvos on public roads, has kicked off and its first test vehicles are now cruising around the Swedish city of Gothenburg.
 
Intel is integrating its latest graphics capabilities found in Haswell PC chips into new Xeon chips, as the company looks to improve the quality of graphics on mobile devices.
 
Microsoft may be ready to roll out a small tablet later than rivals, but analysts say a petite Surface is still a good idea.
 
Displays such as this one can be hidden by exploiting a bug in a tweak being tested in Chrome Canary.

A change in some early versions of Google's Chrome browser is attracting the attention of security researchers who say it can make it harder for end users to know when they're visiting a malicious site trying to push malware or phish login credentials.

The change, which is said to affect a small fraction of people running version 36 of Chrome, aka Canary, causes the browser's address bar (Google calls it the Omnibox) to no longer display the URL currently open. Instead, the domain name and any subdomains of the open page are shown immediately to the left of the Omnibox in what's dubbed the Origin Chip. Google developers haven't given a definitive explanation for the experimental change, although Jake Archibald, a developer advocate for Google Chrome, recently gave his personal thoughts here. Presumably, it's designed to keep up with various features already available in Internet Explorer, Firefox, and Safari that highlight the precise domain a browser is visiting. The features are designed to thwart attacks that rely on long, confusing addresses that can sometimes conceal the true domain that's open.

Researchers at PhishMe, a company that helps prevent organizations from falling victim to phishing and malware attacks, have been testing the trial interface and have found behavior they say could make it easier for attackers to fool end users. By loading up an address with long strings of characters, the researchers were able to completely suppress both the domain name and other address parameters in both the Omnibox and Origin Chip. For instance, when the PhishMe researchers entered the URL "hxxp://this.is.a.test.for.longurl.to.test.the.canary.property.in.the.new.chrome.browser.and.see.if.it.works.DOMAINNAME.com/CheckingNowWithSampleURLInHere/eb31ac/?login_id=48ea2b9a-4f1b-4bbb-b573-89524db025e9" (minus the quotes), the Chrome interface looked like this:


 
 
Apache Struts 'getClass()' Method Security Bypass Vulnerability
 
The price war over data and voice costs among U.S. carriers is having an impact on first-time smartphone buyers.
 
Following a similar move by IBM, Hewlett-Packard is unifying its cloud portfolio under a single architecture and brand name, called HP Helion.
 
Since Al Jazeera America posted copies of emails between Google executives and National Security Agency officials on Tuesday, online criticism of the Internet firm has spread quickly.
 
Huawei Technologies is hoping that a sleek, quarter-of-an-inch silhouette and the ability to take high-resolution pictures with an 8-megapixel front camera will make its flagship Ascend P7 a hit.
 
Epicor has been put up for sale by private equity firm Apax Partners, which is hoping to get up to $3.5 billion for the ERP (enterprise resource planning) vendor, according to a report in the Wall Street Journal, but analysts say it's difficult to pin down who might be interested in buying it.
 
Google is adding more features to Chromebook applications so that they can be used without accessing the Web, addressing a common complaint among users who want the laptops to function more like traditional PCs.
 
As the Internet of Things continues to take shape, what worries you most?
 
EMC's introductions this week of its Elastic Cloud Storage Appliance (ECS) and of ViPR 2.0, the latest generation of its enterprise storage virtualization software, are two sides of the same coin.
 
Microsoft's decision to patch Windows XP after its support deadline passed has sowed confusion and will likely encourage bad behavior by some customers, analysts said.
 
Fortinet FortiWeb CVE-2014-3115 Multiple Cross Site Request Forgery Vulnerabilities
 
Offiria 'index.php' Parameter Cross Site Scripting Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players
 
[security bulletin] HPSBMU03018 rev.3 - HP Software Asset Manager running OpenSSL, Remote Disclosure of Information
 
There's a reason the theme song at this year's Open Business Conference was 'Happy.'
 
 
A three-fold increase in Microsoft Windows computers infected with malicious software in late 2013 came from an application that was for some time classified as harmless by security companies.
 
Samsung has made the second version of its Knox data and app security platform available worldwide, but at first only users and enterprises that have the new Galaxy S5 can take advantage of the improvements it offers.
 

Over the last couple of days, a lot of readers sent us links to articles proclaiming yet another new flaw in DNS. "Critical Vulnerability in BIND Software Puts DNS Protocol Security At Risk" [1] claimed one article, going on to state: "The students have found a way to compel DNS servers to connect with a specific server controlled by the attacker that could respond with a false IP address."

So how bad is this really?

First of all, here is the "TL;DR" version of the vulnerability:

A domain usually uses several authoritative DNS servers. A recursive DNS server resolving a domain will pick a "random" authoritative DNS server for this particular domain. The real question is: how random? As it turns out, it isn't random at all, and this is a feature. BIND attempts to use the fastest name server, and has a special algorithm (Smoothed Round Trip Time, or SRTT) to figure out which server to use.

The vulnerability found here allows an attacker to influence the SRTT values in order to direct the name server to use a specific authoritative name server for a domain.

So the result is that the attacker can determine which authoritative name server is being used. BUT it has to be among the set of valid authoritative name servers. The attacker cannot redirect the queries to an arbitrary name server of the attacker's choosing.

So how does this make DNS spoofing easier?

The attacker has to guess three variables in order to spoof a DNS response:

  1. the query id (1/65535)
  2. the source port (theoretically 1/65535, but in most implementations more like 1/5000).
  3. the name server IP (average 1/4) 

By pinning the name server IP, the attacker will only gain a marginal advantage. The issue may be more of a problem if one of the servers is compromised. But in this case, DNS spoofing isn't really your #1 priority.

Without DNSSEC, DNS spoofing is certainly possible, and this attack makes it a bit more likely. But this attack is hardly a game changer and only provides a minor advantage to the attacker.
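The three guesses above can be put together into one small model. This is an added example, not code from the diary: it takes the diary's rough odds (1/65535, about 1/5000 and 1/4) as constants and shows that pinning the server, which is all the SRTT attack buys, shrinks the guess space by a factor of four, whether or not the resolver randomizes source ports.

```python
# Added example (not from the ISC diary): put the diary's per-variable odds
# into one model to see how much pinning the authoritative server helps a
# blind spoofer. The port range and server count are the diary's rough
# estimates, not measurements of any particular resolver.
from fractions import Fraction

QUERY_ID_SPACE = 65535      # 16-bit transaction ID (diary: 1/65535)
SOURCE_PORT_SPACE = 5000    # typical randomized port range (diary: ~1/5000)
NS_COUNT = 4                # typical size of an NS set (diary: average 1/4)


def guess_space(pinned_ns, port_space=SOURCE_PORT_SPACE, ns_count=NS_COUNT):
    """Number of (query ID, source port, server) tuples a forged reply
    must match. SRTT pinning collapses the server factor to 1."""
    servers = 1 if pinned_ns else ns_count
    return QUERY_ID_SPACE * port_space * servers


def hit_probability(forged, pinned_ns, **kw):
    """Exact chance that `forged` distinct guesses sent inside one race
    window (before the genuine answer arrives) include the right tuple."""
    space = guess_space(pinned_ns, **kw)
    return Fraction(min(forged, space), space)


def advantage_factor(**kw):
    """How much easier pinning makes the race: the ratio of the two spaces."""
    return Fraction(guess_space(False, **kw), guess_space(True, **kw))


def compare(forged=1000):
    """Per-window hit probabilities with and without pinning, for a resolver
    that randomizes source ports and for one that does not (port_space=1)."""
    return {
        "randomized ports": (float(hit_probability(forged, False)),
                             float(hit_probability(forged, True))),
        "fixed source port": (float(hit_probability(forged, False, port_space=1)),
                              float(hit_probability(forged, True, port_space=1))),
    }


if __name__ == "__main__":
    print("pinning advantage: %sx" % advantage_factor())
    for setup, (plain, pinned) in compare().items():
        print("%-18s unpinned %.3e  pinned %.3e" % (setup, plain, pinned))
```

The "fixed source port" row is the real lesson: losing port randomization changes the odds by orders of magnitude, while pinning the server only ever changes them by the size of the NS set.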

What should you do?

Relax... finish your coffee... read up on DNSSEC and apply BIND patches as they become available (because it is always good to patch).

The original presentation/paper is available as well [2] and is a lot better than some of the news reports covering it.

How hard is it to implement DNSSEC? It isn't trivial, but more recent versions of BIND make it a lot easier by automating some of the re-signing tasks. It is easiest if your registrar supports it and you host your zones with them. For example, the registrar I host a couple of my domains with automates the entire process for about $5/year.

[1] http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html
[2] https://www.usenix.org/conference/woot13/workshop-program/presentation/hay

We also had another recent article covering some new DNS spoofing techniques:

New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do"

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

Posted by InfoSec News on May 07

http://arstechnica.com/information-technology/2014/05/why-he-hacked-university-of-maryland-contractor-turned-hacker-tells-all/

By Sean Gallagher
Ars Technica
May 6, 2014

David Helkowski stood waiting outside a restaurant in Towson, Maryland,
fresh from a visit to the unemployment office. Recently let go from his
computer consulting job after engaging in some “freelance hacking” of a
client’s network, Helkowski was still insistent on...
 

Posted by InfoSec News on May 07

http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20140506000060&cid=1103&utm_content=buffer44f85

By Staff Reporter
WantChinaTimes.com
2014-05-06

In 2013, 552 million people around the world lost their personal
information to hackers. In China alone, 164 million people were affected
by internet crime, with combined losses reaching US$37 billion or a per
capita loss of US$224, the Guangzhou-based Dayoo reports, citing Symantec...
 

Posted by InfoSec News on May 07

http://www.networkworld.com/news/2014/050614-fireeye-buying-npulse-281356.html

By Ellen Messmer
Network World
May 06, 2014

Threat protection company FireEye Tuesday announced it's acquiring nPulse
Technologies, a privately-held maker of high-speed packet-capture, network
analysis and forensics gear, for $70 million in a cash-stock deal expected
to close during the second quarter.

Charlottesville, Va.-based nPulse makes a line of data...
 

Posted by InfoSec News on May 07

http://www.canada.com/news/Colombian+authorities+arrest+purported+hacker+allegedly+trying/9812951/story.html

BY CESAR GARCIA
THE ASSOCIATED PRESS
MAY 6, 2014

BOGOTA - Authorities arrested a suspected hacker for trying to obtain
information to sabotage government peace talks with Colombia's biggest
rebel movement, the chief prosecutor's office said Tuesday.

The announcement described Andres Sepulveda as the leader of a spying ring...
 

Posted by InfoSec News on May 07

http://www.theregister.co.uk/2014/05/06/mandia_infosec_interview/

By John Leyden
The Register
6 May 2014

Infosec 2014 Mandiant boss Kevin Mandia says he has cut back on email and
only uses an iPad to check his inbox as he fends off counterattacks from
hackers.

In 2013, the company published a landmark report on the so-called APT1
espionage crew: the detailed dossier claimed Shanghai-based People's
Liberation Army Unit 61398 had hacked...
 
LinuxSecurity.com: Updated struts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: OpenStack Quantum could be made to expose sensitive information over the network.
 
LinuxSecurity.com: OpenStack Cinder could be made to expose sensitive information over the network.
 
LinuxSecurity.com: OpenStack Swift would allow unintended access to files over the network.
 
LinuxSecurity.com: OpenStack Horizon did not properly process Heat templates.
 
LinuxSecurity.com: LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
 
Cross-Site Scripting (XSS) in Offiria
 
SOAPpy XML External Entity Injection and Denial of Service Vulnerabilities
 
They spread lies. They push products you don't care about. They make unpopular people look popular. Sometimes, they take over your machine with malware.
 
Why have recent vulnerabilities gotten so much more attention than the ones that preceded them? It's hard to say, but the new awareness is a mixed blessing.
 
Joining Red Hat, Oracle, Canonical and others, Hewlett-Packard is releasing its own distribution of the OpenStack cloud hosting software.
 
The IT systems of the past 20 years won't be able to handle the emerging Internet of Things, which will call for cloud computing, virtualization, efficient storage and big-data analysis, according to EMC.
 
At an Internet of Things conference in Boston, people are well beyond thinking about sensors and analytics. They are considering what happens once these tools are a part of every product sold. The implications are, potentially, huge.
 
Squeezing software cost savings from virtualization projects is tricky for lots of reasons, but can be particularly challenging when it comes to Oracle databases. Here's why, and some tips to help.
 
Alibaba Group is the e-commerce player from China that you may have never heard of. But it's set to make one of the biggest initial public offerings in the U.S., possibly raising over $20 billion, analysts say.
 
Leaders of key technology companies including Microsoft, Google, Twitter and Salesforce.com have written to California Gov. Jerry Brown offering to partner with the state to increase computer education in kindergarten to 12th grade schools.
 
Breakpoint 2014 Call For Presentations
 
[security bulletin] HPSBMU02994 rev.4 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information
 
Word Online and Excel Online are surprisingly capable, but PowerPoint Online and Office document compatibility are still half-baked
 
Apache Struts ClassLoader Manipulation CVE-2014-0114 Security Bypass Vulnerability
 