Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
SAP's flagship Business Suite enterprise resource planning (ERP) software can now run on top of the HANA in-memory database, in a move that stands to open new frontiers of competition with the likes of Oracle, IBM and Microsoft.
 
The latest TVs and tablets are only part of the fun that International CES has to offer. This is about the biggest tech trade show in the world, after all, with thousands of vendors falling over each other to get noticed. Live demos go wrong, marketing tricks backfire and the antics on the show floor can take your breath away. Here are 10 things that caught our eye at CES this week that didn't necessarily make the headlines.
 
 

This month starts a new format for the ISC Monthly Threat Update!

You can find the most recent podcasts including the daily StormCast at https://isc.sans.edu/podcast.html.

The monthly podcast is now split into two parts. We are releasing the Microsoft Patch Tuesday overview as Part 1 and each month's feature as Part 2. There will be Part 1/2 screencasts posted to youtube.com and audio links available in mp3 and ogg for each part. The youtube.com, audio and PDF slides are linked in the podcast show notes. There is also a single audio file of both parts in mp3 and ogg formats, as usual.

Please visit the newest ISC Threat Update details page at https://isc.sans.edu/podcastdetail.html?id=3043 and let us know what you think in the comments on the podcast page or below!



Don't forget to give your feedback on our Daily StormCast at http://www.surveymonkey.com/s/stormcast

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 
SAP's flagship Business Suite ERP (enterprise resource planning) software is now able to run on top of the vendor's HANA in-memory database, in a move that stands to open new frontiers of competition with the likes of Oracle, IBM and Microsoft.
 
Apple CEO Tim Cook met today with Xi Guohua, head of China Mobile, the world's largest wireless carrier, triggering speculation that the two firms will strike a deal this year.
 
IBM has always been bullish on patents and 2012 proved to be no exception. IBM once again amassed more patents than any other company in a single year, a distinction it has enjoyed for the past 20 years.
 
Mobile application developers should minimize privacy surprises for their customers by limiting their data collection and retention and giving users access to the data collected.
 
Sharp has developed a high-definition touchscreen that can be used with a stylus that resembles a conventional pen.
 
General Motors CIO Randy Mott Thursday said the automaker plans to have the "best jobs in the IT industry" at its four "IT Innovation Centers" in the U.S. At the same time, Mott criticized Hewlett-Packard's move to contest GM's hiring of some HP IT managers to work at the centers.
 
Point-of-view camera makers iON and GoPro hawked new devices at the International CES, in the wake of explosive growth in the market in recent years.
 
DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit
 
Detailed examples of two vulnerabilities in whitelisting software: SE46 (Cryptzone) and Application Control (McAfee)
 
Renewed talk of a cheaper iPhone shuffled into view this week, with sources as varied as the spotty DigiTimes to the more mainstream Wall Street Journal and Bloomberg claiming Apple will enter the low-price fray this year.
 
An exploit for a previously unknown and currently unpatched vulnerability in Java is being used by cybercriminals to infect computers with malware, according to security researchers.
 
SAP's flagship Business Suite enterprise resource planning (ERP) software is now able to run on top of the HANA in-memory database, opening new frontiers of competition with the likes of Oracle, IBM and Microsoft.
 
Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
 
OrangeHRM 2.7.1 Vacancy Name Persistent XSS
 
CES attendees took to the FCC's plan for more Wi-Fi spectrum, which was announced at the show on Wednesday, like hungry gamblers to a buffet.
 
Honeywell EBI TEMA Remote Installer ActiveX Control Arbitrary File Download Vulnerability
 

As a side note to today's iSeries / Mainframe story, and a follow-up to one I wrote last year (https://isc.sans.edu/diary/12103), another thing I'm seeing more and more on telnets (tcp port 992 - https://isc.sans.edu/port.html?port=992) is voice gateway and videoconferencing unit problems.



Specifically, when scanning for port tcp/992, you will likely run across more videoconferencing systems than mainframes. They'll often show up with less fingerprinting than the SNA platforms we discussed; for instance, a videoconferencing unit (the host information in this story is from a recent penetration test, and is released with permission) might look like:


PORT STATE SERVICE VERSION

992/tcp open telnets?

For the videoconferencing unit in my client's test scope, the telnets session was unprotected by anything as crass as a userid and a password. If you open up a tn3270 (telnet over SSL) session, you'll get something like this:








Funny, no credentials were needed to get to this screen. Not knowing exactly what we're on yet, let's type help; maybe we'll find that this box is helpful:






Helpful indeed, looks like we've got full admin access, with no credentials! But from that first terminal screenshot, we see that an HTTP website is enabled; maybe things will be easier if we try that? From the screenshot below, we see this host gives you all the same admin information and rights as we had on the terminal session, also without a password!




What leaps out at me from this screenshot (aside from the vendor and model number, greyed out in these examples) is the firmware date (2006), and the remote control selection, which does exactly what it sounds like!



The Admin Settings page gives you all the most common items you'll need to change if you were actually going to attack this host (remember, I'm still on that session from the internet, with no authentication):








And yes, you did see Place a Call in that last screenshot! This particular option can add up to real dollars very quickly - there's an active community of folks stealing and reselling long distance service from units like this!

Note also, the install date and firmware date are the same (2006). This is one *vintage* videoconferencing unit. For some reason, people seem to think that maintenance of IP voice gear involves cleaning products rather than firmware updates! As long as the unit is shiny, it must be fine!

We also found SNMP open, with the default community strings (public and private). From this we found that this host was internet connected, then connected to the customer's PBX (by listing the interfaces). I'll spare you those screenshots; you'll find similar in the story we ran on Voice Gateways last year (https://isc.sans.edu/diary/12103).



So, the main lessons here are:



Never trust the vendor to correctly install anything. This particular unit was installed as part of an RFP'd project by a VOIP vendor, who didn't see any issue with putting this on the internet. It's just too common to see things configured to a minimum standard, with no regard for security. This is not specific to voice or video gear, though we see this a lot in VOIP projects.

Scan your own perimeter. In fact, scan your own internal network also. There was no reason for you to wait for a paid security assessment to find the easy stuff like telnet interfaces open, admin interfaces with no credentials or default credentials, or SNMP open with default community strings. We'd much rather find the fun stuff (problems in websites, for instance) than easy stuff like this.

Never trust documentation when the vendor docs tell you what ports need to be open to a host. I can't tell you how often I see vendors insist that they need inbound port 25 to *send* email, or inbound 53 to make DNS requests (both are incorrect, of course).

Never put stuff outside your firewall unless you know exactly why it should be there. The gateway we found in this story was indeed outside the firewall; the documentation for the unit actually states that there is a firewall onboard (there is no such thing).

Patch. Your VOIP gear - the PBX, the phones, gateways, all of it - is really just a collection of computers. If you don't patch them, they will be exploited - VOIP gear is a real target these days! The difference between exploits in your computer network and voice network is that when your VOIP gear is exploited, it will show up as a large long distance bill at the end of the month. Hopefully your accounting group will see this as a problem, rather than just paying the invoice when this happens!
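The "scan your own perimeter" lesson is easy to turn into a routine check. The script below is an added example, not the diary author's code or tooling: it parses nmap's grepable (-oG) output and flags the "easy stuff" this story found exposed (telnet, telnets on tcp/992, SNMP on udp/161, and unencrypted HTTP that may be an admin page). The scan lines embedded in it are constructed, not from the penetration test described above, and the port-to-risk mapping is my own choice based on the lessons in this diary; extend it to whatever your own environment counts as a legacy management protocol.

```python
"""Triage nmap grepable (-oG) output for legacy management protocols
exposed on your own perimeter or internal network.

Added example for this ISC diary; not the author's code. The sample
scan lines below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV -oG` output (hosts and services invented).
# Field layout per port entry: port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated as: nmap -sV -oG perimeter.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9/, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.12 (vc-unit.example)\tPorts: 80/open/tcp//http///, 992/open/tcp//telnets?///, 161/open/udp//snmp///\tIgnored State: closed (997)
Host: 192.0.2.13 ()\tPorts: 23/open/tcp//telnet///, 25/open/tcp//smtp///\tIgnored State: filtered (998)
# Nmap done at Thu Jan 10 12:00:00 2013 -- 16 IP addresses (3 hosts up) scanned
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str


@dataclass
class Host:
    ip: str
    hostname: str
    ports: list = field(default_factory=list)


# A "Host:" line carries the address, the hostname in parentheses, then the
# tab-separated "Ports:" field; everything after the next tab is ignored.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

# What a defender should look at first when these show up open on a device.
# (port numbers/protocols chosen to match what the diary found exposed)
RULES = {
    ("tcp", 23): "cleartext telnet management interface",
    ("tcp", 992): "telnets (telnet over SSL): confirm a login is actually enforced",
    ("udp", 161): "SNMP reachable: confirm community strings are not the defaults",
    ("tcp", 80): "unencrypted HTTP: if this is an admin page, confirm it demands credentials",
}


def parse_gnmap(text):
    """Return a list of Host objects from grepable nmap output."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Status:" lines and the footer
        host = Host(ip=m.group(1), hostname=m.group(2))
        for entry in m.group(3).split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; skip rather than guess
            number, state, proto, _owner, service = fields[:5]
            # nmap appends "?" when the service guess is unconfirmed
            host.ports.append(Port(int(number), proto, state, service.rstrip("?")))
        hosts.append(host)
    return hosts


def triage(hosts):
    """Return (ip, 'port/proto', service, reason) for every open risky port."""
    findings = []
    for h in hosts:
        for p in h.ports:
            if p.state != "open":
                continue
            reason = RULES.get((p.proto, p.number))
            if reason:
                findings.append((h.ip, f"{p.number}/{p.proto}", p.service, reason))
    return findings


if __name__ == "__main__":
    for ip, port, service, reason in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:<12} {port:<8} {service:<8} {reason}")
```

Feed it a real file with `parse_gnmap(open("perimeter.gnmap").read())`. The script only tells you where to look; the diary's point stands that the follow-up (does the telnets banner drop you into an admin prompt, do "public"/"private" answer an SNMP GET) has to be verified by hand, and against hosts you are authorized to test.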



===============

Rob VandenBrink

Metafore
 
This is the fourth in my series of interviews with C-level executives who also happen to be thought leaders in cyber security and privacy. Remember? I enjoy pointing out that "C-level executive" and "thought leader" are not synonyms. Previously, I interviewed:
 
Cyber-criminals are using specially crafted web sites to exploit a previously unknown Java vulnerability and infect computers with malicious code. Users who have Java installed should take immediate action.


 
The recently disclosed holes in all versions of Ruby on Rails now have exploits in widespread circulation, and a Metasploit module can take advantage of them. Upgrading Rails applications should therefore be the highest priority.


 
Microsoft has acquired id8 Group R2 Studios to boost its Xbox team, in a deal leaked to some media outlets last week.
 
Nokia sold 4.4 million Lumia smartphones during the fourth quarter of last year, exceeding expectations, according to preliminary data.
 
Foxit Reader, a PDF viewer application often used as an alternative to the more popular Adobe Reader, contains a critical vulnerability in its browser plug-in component that can be exploited by attackers to execute arbitrary code on computers.
 
NetSuite has acquired Point of Sale (POS) software vendor Retail Anywhere in a bid to flesh out its family of SuiteCommerce applications.
 
[slackware-security] mozilla-thunderbird (SSA:2013-009-02)
 

We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit packs included an exploit for a new, unpatched Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

Leave Java disabled (I am not going to recommend disabling it. If you still have it enabled, you probably have an urgent business need for it and can't disable it).

If you have any business critical applications that require Java: try to find a replacement. I don't think this will be the last flaw, and the focus on Java from the people behind exploit kits like Blackhole is likely going to lead to additional exploits down the road.

[1]https://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/

[2]http://malware.dontneedcoffee.com

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
 
[ MDVSA-2013:004 ] tomcat5
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0770 Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0749 Memory Corruption Vulnerability
 
[slackware-security] seamonkey (SSA:2013-009-03)
 
[slackware-security] mozilla-firefox (SSA:2013-009-01)
 
If you need to connect several wired clients to your 802.11ac network, you should set up a wireless bridge. If you have just one client--especially a laptop, or maybe a home-theater PC--Netgear offers a better, cheaper alternative: Plug its A6200 USB Wi-Fi adapter into your PC and establish a wireless connection that's fast enough to stream Blu-ray-quality video.
 
Micron today announced its highest capacity and lowest priced consumer SSD, undercutting the average price of an SSD by up to 30 cents per gigabyte, while still offering advanced features such as native, hardware-based encryption.
 
Analytics help you find out what brings visitors to your small business website. With that information, you can better design your site to give visitors what they are looking for--and turn them into customers. Here's a primer on linking your site to Google Analytics and getting the most out of the data it gives you.
 
Microsoft .NET Framework CVE-2013-0004 Remote Privilege Escalation Vulnerability
 

 
Ruby on Rails CVE-2013-0155 Unsafe SQL Query Generation Vulnerability
 
Foxconn Technology Group is being investigated by authorities over allegations that some of its employees accepted bribes from suppliers.
 
Security researchers say a patch released by Yahoo earlier this week for a serious email vulnerability did not fix the problem, leaving users at risk.
 
Computerworld reporters have been roaming around the 2013 CES show this week, video cameras in hand, to give you an idea of what the big event is all about.
 
Augmented reality app maker Aurasma demonstrated how its software can bring magazines, posters and any enabled object to life by simply pointing a smartphone's web camera at it.
 
Fabless semiconductor maker Wilocity and Qualcomm announced at CES what they're calling the first multi-gigabit wireless chipset reference architecture based on the new WiGig 60GHz and 802.11ad standards for high-speed downloads, docking, networking.
 
A collection of 10 diverse Joomla extensions that can help you build and maintain your sites.
 
EC3, the European Cybercrime Centre, will officially begin work this Friday with the aim of providing a Europe-wide response to cybercrime and other threats


 
cronie CVE-2012-6097 Local Information Disclosure Vulnerability
 
A cybersecurity proposal released Wednesday by the influential Business Roundtable supports many of the provisions contained in the controversial Cyber Intelligence Sharing and Protection Act (CISPA) that was passed by the U.S. House of Representatives last year.
 
A highly critical security hole that is gaping in the PDF display program's browser plugin makes it advisable to disable the plugin immediately.


 