InfoSec News

Posted by InfoSec News on Apr 09


By Kim Zetter
Threat Level
April 9, 2012

Think twice if you live outside the U.S. and plan to sell your used
gaming console.

The Department of Homeland Security has launched a research project to
find ways to hack into gaming consoles to obtain sensitive information
about gamers stored on the devices.

One of the first contracts for the project was awarded last week to...
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
It's time once again to return to the wonderful world of iPhone rumors. Will the new model have a faster processor? Will it come out in October? Will it come in mauve? Meanwhile, Universal makes its movies more...well, universal. The remainders for Monday, April 9, 2012 have, in their lifetime, mongered rumors, cheese, and fish.
WordPress TagGator 'tagid' Parameter SQL Injection Vulnerability
Symantec pcAnywhere Authentication Request Handling Denial of Service Vulnerability
The scope of a data breach involving a Medicaid server at the Utah Department of Health is much worse than originally thought.
Microsoft plans to build a new data center, this time in Cheyenne, Wyo.
Jack Tramiel, a pioneer in the computing industry and founder of Commodore, died on Sunday at age 83, his son Leonard Tramiel confirmed Monday.
Symantec pcAnywhere Session Closure Access Violation Vulnerability
If the field of computer security is to be fixed, the only hope we have is building security in, says software security expert Gary McGraw.

Back in the good old days, wireless threats could be summarized as: secure your 802.11 access point by picking a strong passphrase, and do not connect to evil unknown access points. I am not sure if this was ever quite right, but it certainly isn't right today. Cheaper hardware, in particular software defined radios with easily accessible open drivers, makes larger ranges of the spectrum available to intrusion and detection by attackers who are not nation-state funded. At the same time, wireless technologies are proliferating at an amazing pace. As much as possible, I am trying to write up a very brief summary of the various technologies. I am sure I forgot some. If so, please add via comments:
802.11: This set of standards deals with wireless LAN communication, and its most commonly known parts, a, b, g and n, are probably the most common and most easily accessible wireless networking technologies. It uses frequencies in the 2.4 GHz and 5 GHz bands. (For all frequencies mentioned here: there tend to be local/national differences in exactly what part of the spectrum is used.) At this point, speeds in excess of 100 MBit/sec can be reached, and extensions are in the works to push this beyond 1 GBps. The range is typically on the scale of a residential property but can be extended over several km with special gear. Various optional encryption and authentication methods are available, but they have to be configured. The cost to an attacker to sniff/attack 802.11 is probably in the $10 range.
Bluetooth: Meant to be a standard that replaces pesky cables connecting devices like headsets to phones, the focus of this standard is low power and low cost. There is a simple but pretty effective encryption mechanism built in. However, it is frequently limited by the ability of the user to enter a complex PIN code using a one-button headset. The range is typically shorter than 802.11 but can reach tens of meters. Bluetooth uses the 2.4 GHz band. To effectively attack Bluetooth, you need to be a bit more specific about which Bluetooth dongle to use than with 802.11, which is why I rate the cost of attack at $50.
DECT: This standard is mostly used in cordless phones, again operating in the unlicensed spectrum (900 MHz, 2.4 GHz, 5 GHz). Range is similar to 802.11. Encryption is somewhat optional. Equipment to sniff DECT calls is not as readily available, as only very specific cards can be used. Typically you need to import equipment, and you may be breaking some US import laws if you do so. However, the equipment still tends to be pretty cheap consumer-grade PCMCIA cards. I will assign them a value/cost of $100.
Zigbee (802.15.4): Zigbee is a bit of a new kid on the block, but it is growing quickly in the home automation and alarm system world. The Killerbee project provides open source tools to attack and sniff Zigbee. The hardware supported by Killerbee costs around $50. Range is very similar to Bluetooth.
RFID: RFID is very different from the technologies above, as it is frequently used with remote power. The RFID reader has to send out a sufficiently strong signal to power the RFID tag and to read the information embedded in it. There are a number of different sub-standards for how exactly the information is encoded. Readers are pretty cheap, also in the $50 range. If you want to create your own cards, you may need to pay a bit more (let's say $100?). RFID attacks can be dangerous if they are used to clone touchless door access keys. Some credit cards allow reading of the name and card number. Realistically, the range of RFID is a couple of meters. Defense is pretty easy. You don't need a full Faraday cage wallet. Just adding a credit card sized piece of aluminum to your wallet will typically provide enough interference to make the tag unreadable.
NFC: An extension of RFID that is starting to show up in mobile phones. Just like RFID, it is low power and limited to short distances. Attacker's cost: $100.
Cell phones: These may make a nice diary in themselves in the future. I am just wrapping them all up in one for the quick discussion here (GSM, GPRS, EDGE, LTE...). Attacking these systems is technically and legally more difficult. It typically requires specific equipment and some expertise. But once set up, an attacker may operate a fake cell phone tower used to record or re-route phone calls. I would rate the cost of the attack in the $1000-$10,000 range (hard to tell with all the different standards; some old analog standards can be sniffed with a decent radio scanner). There isn't much you can do to defend against this, other than using encrypted connections inside the cell phone channel.
X10: A home automation wireless standard. Pretty much unencrypted. All you need is a transmitter set to the right house code (one out of sixteen). Cost: $50.
Wireless mice/keyboards: These devices typically use more proprietary standards, but they have been shown to be quite weak cryptographically and easy to attack. It does require somewhat customized hardware in some cases. However, recently more and more of these devices use Bluetooth (cost: $50-$100).
Other standards: Z-Wave (home automation, 900 MHz or 2.4 GHz, uses 128-bit AES), WiMax (wireless network technology in licensed spectrum for larger distances, called 4G by some carriers, competing with LTE).
Many of these standards can be used to exfiltrate data over short ranges. Or, if they are used in alarm systems and door access controls, they can be used to assist in a physical attack.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Private WiFi is a $10-per-month ($85 per year) service that secures your data from Wi-Fi hacking by placing it within a VPN (Virtual Private Network). It does this with client software (PC and Mac) that connects to the company's own secure servers.
India's highly touted US$35 tablet, set to ship in two to three weeks, is getting a makeover with improved hardware and Google's Android 4.0 OS, according to the company assembling the device for the Indian government.
As Joomla grows in popularity as an open source CMS more and more individuals and businesses of all sizes rely on the platform to get their products and services online. In fact, more than 2.5 percent of websites are running on a Joomla CMS -- and for good reason.
E-book price fixing will cost consumers more than $200 million this year, and U.S. antitrust authorities should take action against Apple and a group of publishers, the Consumer Federation of America said Monday.
Soon after Facebook announced that it was buying Instagram, maker of the popular photo-sharing app, Twitter began to light up with talk about it.
A Mac developer has posted a tool that detects a Flashback malware infection on Apple's computers.
What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldn't be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.
Microsoft plans to build a new data center, this time in Cheyenne, Wyoming.
The U.S. Department of Health and Human Services released a proposed rule change to the Affordable Care Act that it estimates will eventually save healthcare providers and payers $4.6 billion by simplifying administrative chores.
Facebook is buying Instagram, a popular mobile photo-sharing app, in a cash-and-stock deal valued at $1 billion.
The announcement last week that the Wikimedia Foundation will switch from Google Maps to OpenStreetMap for its cartographic needs marks the latest in an increasingly long line of high-profile defections.
Since its debut in 2010 as an iPhone application, Instagram has been one of the most-popular photo-sharing services around. Monday, that popularity paid off: Facebook announced it was buying the service for a cool $1 billion.
Quicken Loans and two affiliated Detroit venture capital firms have issued a call for the roughly 2,000 Yahoo employees who received pink slips last week to move to the Motor City to bolster the blighted city's efforts at revitalization.
OpenStack Compute (Nova) Denial Of Service Vulnerability
Perl YAML-LibYAML Module 'perl_libyaml.c' Multiple Format String Vulnerabilities
Microsoft will shift Windows Vista and Office 2007 into what it calls extended support over the next two days.
Hacktivist group Anonymous has hit the United States Telecom Association and TechAmerica with distributed denial-of-service attacks, apparently for the trade groups' support of a controversial cybersecurity bill in the U.S. Congress.
Using VoIP via satellite links can have bandwidth issues, but Cisco today said it's introducing an IP multiplexing technology for its Cisco Mobile Ready Net package that dramatically improves the number of IP-based calls on a satellite link.
Python 'trytond' Module 'Many2Many' Field Security Bypass Vulnerability
Oracle Java SE CVE-2012-0498 Remote Code Execution Vulnerability
CVE-2012-0769, the case of the perfect info leak
Secunia Research: Helix Server SNMP Master Agent Service Two Denial of Service Vulnerabilities

There probably isn’t a more consistent theme we write about than the alignment of IT security with business goals: Understand your business first, then build your security empire to support and protect the business; lofty goals and heady stuff for sure.

I’m as guilty as anyone of writing stuff centered on the notion of alignment. But maybe that’s too abstract a notion? Maybe it’s the word “goals” that’s off? Maybe we should be writing about the alignment of security with business mandates? The goal of the majority of, if not all, businesses is to make money. And IT security leaders certainly don’t call the shots inside an enterprise. You’re told what to do, what to buy and when to buy it. If your CIO or CFO says your top priority is SOX compliance, guess what’s at the top of your to-do list every day?

It’s easy for journalists or industry experts, like last week’s panel at InfoSecWorld, to wedge ourselves onto a lofty perch atop that ivory tower and pontificate about what those who hold actual enterprise security management titles should be doing with their programs, policies and buying decisions. But how often is it realistic for a CISO to march into the CFO’s office, stomp their feet and hold their breath until they turn blue or until the CFO signs off on a major overhaul of the perimeter security investments someone else made 10 years ago?

Ideally, those things should be overhauled because they don’t work anymore. But the Titanic couldn’t turn on a dime 100 years ago, and neither does big business today. Other priorities that make money get the attention of business decision makers before budgeting for the latest and greatest security widget is stamped “approved” by the CFO or CEO.

Taking shots at security managers who are handed a budget that essentially maintains the status quo does nothing to advance the industry. Taking shots at security managers who have no choice but to listen to auditors first does nothing to advance the industry.

Ideally, yes, alignment of security and business goals is awesome. You do need to know how and why your business makes money. You do need to prioritize your efforts in that direction. You do need to understand who your adversaries are and what tactics they’re using to penetrate your defenses. But at the end of the day, if your boss tells you to do something that keeps you from being idealistic, that doesn’t necessarily mean you’re not a leader or not a good security manager. It just means you’re employed.

The University of Texas at San Antonio (UTSA) later this month will host the three-day National Collegiate Cyber Defense Competition for the seventh consecutive year.
Last year I made the switch to Google Chrome from Mozilla Firefox, and I haven't looked back. Google's browser feels faster, smarter, and more streamlined -- which helps explain why it's a top choice for business users.
Nearly 2% of the Macs whose owners have checked their computers have been infected with the Flashback malware, according to a Russian antivirus company.
What do application security programs and onions have in common? Layers, says Ken Pfeil, global security officer at Pioneer Asset Management.
Apple Mac OS X CVE-2011-3460 Buffer Overflow Vulnerability
Secunia Research: RealNetworks Helix Server Credentials Disclosure Security Issue
OWASP ZAP 1.4.0 released
Astaro Security Gateway v7.504 - Multiple Web Vulnerabilities
Astaro Command Center v2.x - Multiple Web Vulnerabilities
idev Game Site CMS v1.0 - Multiple Web Vulnerabilities
AnvSoft Any Video Converter 4.3.6 - Multiple Buffer Overflow Vulnerabilities
CitrusDB 2.4.1 - LFI/SQLi Vulnerability
The upshot will have surprising implications for IT.
IBM is trying to replicate the success it's had with WebSphere in the mobile market.
Toshiba said it has developed hardware for servers that encodes and sends video streams without using CPU or memory, greatly increasing the number of streams that can be broadcast from a single machine.
An email marketing platform is the foundation of modern business marketing, but you must look beyond the basic function of "create and send" to be more than simply competitive.
An IT reorganization predicated on the questions 'Who?' and 'Where?' is doomed. Instead, ask 'Why?' and 'How?'
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
[CVE-2012-1574] Apache Hadoop user impersonation vulnerability
PHPNuke Module's Name Download SQL Injection Vulnerabilities
Online tracking is a hot topic these days, with the Obama administration and the Federal Trade Commission calling for tougher online privacy protections. The FTC recently issued a report urging voluntary practices for online businesses regarding data collection. Another popular proposal suggests building a universal do-not-track function into future Web browsers.
Amid the growing crowd of great iPad note-taking apps in the App Store, Notes Plus distinguishes itself by appearing to give more thought than most about how a stylus-wielding iPad owner might actually write and draw on a touchscreen tablet.
Security researchers from antivirus vendor ESET have come across new Web-based malware attacks that try to evade URL security scanners by checking for the presence of mouse cursor movement.
The head of Fujitsu's main research division says it is a mistake to cut back on investing in new technologies during hard economic times.
As more and more corporate workers use their favorite social networking tools for job-related tasks, IT executives are left with little choice but to find ways to manage the consumer software.
TRENDnet TV-IP121WN ActiveX Control 'OpenFileDlg()' Method Buffer Overflow Vulnerability
Csound 'getnum()' Multiple Buffer Overflow Vulnerabilities
AOL has entered into a definitive agreement to sell over 800 of its patents and their related patent applications to Microsoft, it said Monday.
Best known as a producer of PC chips, Intel now plans to win in the Chinese market for tablets and smartphones as well, a company executive said Monday.
Lenovo ThinkManagement Console Multiple Security Bypass Vulnerabilities
Liferay Portal Multiple Security Vulnerabilities
CastRipper '.m3u' File Remote Stack Buffer Overflow Vulnerability
Sectool DBus File Local Privilege Escalation Vulnerability
Pronoun problems, IT ghosts, the runaway mouse -- when it comes to computers, the customer isn't always right
Many companies haven't bothered to flesh out their unified communications strategies because 1) it can be hard to calculate ROI, and 2) the deployment effort is often daunting given so much custom work is required to piece together the various components that make up an integrated UC system.
Are you one of the Old Skool types to whom detail and quality really matter? Where you strive for (and maybe rave about) the need for standards and are appalled by sloppiness?
AOL decommissioned nearly 10,000 servers and saved itself $5 million along the way to winning an Uptime Institute contest designed to show the high cost of running inefficient or underutilized IT equipment.
Melissa P. Dodd, CIO of the Boston Public Schools, shares her ideas on running a large school system's IT department.
Use data from Computerworld's 2012 Salary Survey to compare IT salaries across a sampling of industries and job titles.
A long-awaited resurgence in the IT industry holds both promise and peril for the tech workforce.
IT is hiring again, but after years of stalled projects and training cuts, tech workers worry their skills aren't worthy.
TEKsystems research shows that IT professionals rank career development -- not compensation -- as their top priority.
A look at the methodology used to collect data for the 2012 Computerworld Salary Survey.
As IBM's CIO, Jeanette Horan oversees a range of big IT projects, but one of the most pressing is the company's ongoing rollout of a program to enable all employees to use personal devices on the job.
Cloud migrations don't need to result in wholesale layoffs of in-house IT staffers, says Greg Pierce, cloud strategy officer at Tribridge.
Despite rising concern that cyberattacks are becoming increasingly sophisticated, hackers used relatively simple methods in 97% of data breaches in 2011, according to a report compiled by Verizon.
A former Intel employee has pleaded guilty to stealing confidential documents from the company, according to court records.
A data breach on a server of the Utah Department of Technology Services appears to have compromised the Social Security numbers of 25,096 individuals, the department of health of the western U.S. state said.

Posted by InfoSec News on Apr 09


By Ha Sun-young, Sarah Kim
Korea JoongAng Daily
April 09, 2012

David Cho is the founder of the Gangnam-based Hackers Education Group, a
hagwon or cram school that students flock to for its supreme ability to
predict the kind of questions that will turn up on standardized exams.

Cho and Hackers hit the headlines in February when prosecutors started
uncovering how...

Posted by InfoSec News on Apr 09


By Cassondra Strande
The Arizona Republic
12 News Breaking News Team
April 5, 2012

One of the men accused of breaching the security of Sony Picture's
Entertainment database pleaded guilty in a U.S. District Court in Los
Angeles on Thursday, according to officials at the U.S. Attorney's
Office in California.


Posted by InfoSec News on Apr 09


The Secunia Weekly Advisory Summary
2012-03-30 - 2012-04-06

This week: 72 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Apr 09


By Pamela Owen
Mail Online
7 April 2012

The Home Office website has gone down after an apparent cyber attack in
protest against Government surveillance plans.

A message on the site said the page was currently unavailable 'due to a
high volume of traffic', suggesting a denial of service attack had been...

Posted by InfoSec News on Apr 09


By Tracy Kitten
Bank Infosec News
April 6, 2012

It's major news: A payments processor is breached, fraud alerts are
circulated, security standards are questioned, and banking institutions
are left to monitor for signs of financial fraud.

That summary describes the Global Payments Inc. breach, which has
captured this week's headlines. But it also summarizes the Heartland...
Novell iManager Long TREE Field Off-By-One Denial of Service Vulnerability