Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Facebook is close to reaching a deal with the Federal Trade Commission over charges that the social network engaged in "deceptive behavior" when changing its privacy settings, according to a report.
 
Legislation in the U.S. Congress that would allow federal law enforcement officials to block websites accused of copyright piracy is necessary because of the vast number of foreign sites trading in infringing music and movies and counterfeit products, two supporters of the bills said.
 
Growing enterprise interest in Hadoop and related technologies is driving demand for professionals with big data skills.
 
More than three times as many shoppers for tablet computers are considering the $199 Amazon Kindle Fire over the bestselling iPad, according to a new survey.
 
DataDirect Network's new SFA12K series storage array represents a new high-water mark for networked storage performance with the ability to scale to 6.7 petabytes in two racks and offer up to 40GB/sec performance.
 

eCrime Symposium wrap: Satisfaction tinged with frustration
CSO Magazine
But in the full spectrum of infosec concerns LulzSec and Anonymous are little more than amusing nuisances. And the rest of it adds up to saying, "Well, if I'm not Lockheed Martin or News of the World then I'll be right." Which of course isn't true. ...

 
The space agency announced Thursday that the Mars Science Laboratory, its most advanced mobile robot yet, is set to lift off Nov. 25.
 
Companies need to educate developers, leverage asset inventories and vet cloud providers, panelists advise.

 
With operations disrupted at more than a dozen hard disk drive (HDD) factories due to flooding in Thailand, PC manufacturers should prepare for significant supply shortages, market research firm IDC said.
 
Apple today released iOS 5.0.1, the anticipated update designed to fix multiple unspecified bugs that drained the iPhone's battery much faster than expected.
 
An Infosys Technologies employee, who alleged that the Indian offshore outsourcing company wrongly used visitor visas in its work, won a federal court decision that will allow him to bring his case to a jury.
 

 
Keep up with the latest tablet news and reviews with Computerworld's complete coverage.
 

 
View and compare mobile phone models by size, weight, OS, carrier, screen and more.
 
iCloud can be a ray of sunshine for iOS device owners looking to keep their documents synced between multiple devices and computers. Apple's own iWork suite, unsurprisingly, already offers deep iCloud integration for keeping your Pages, Numbers, and Keynote documents in sync between devices. At this writing, however, only Apple's iOS iWork apps support iCloud; it's not yet possible to sync your documents directly with the Mac versions of the apps unless you use workarounds.
 
ARM on Thursday said that co-founder and President Tudor Brown will retire in May next year after helping turn the firm into a dominant mobile processor company.
 
The U.S. Senate has voted against a Republican measure that would have overturned net neutrality rules passed by the U.S. Federal Communications Commission last December.
 
The European Commission is preparing a major reform of the E.U. Data Protection Directive, which will focus on how foreign companies handle European consumer data.
 
A collection of articles to help you understand the mobile threat and plan your security program accordingly. Insider (registration required)
 
Research In Motion will continue to use Adobe Flash Player, at least for the BlackBerry PlayBook tablet, even after Adobe announced it will discontinue Flash for the mobile Web.
 
Softer-than-usual sales numbers last month by several of Apple's component suppliers has one analyst puzzled and worried at the same time.
 
[security bulletin] HPSBMA02659 SSRT100440 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access
 
[security bulletin] HPSBMU02708 SSRT100633 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
 
Amazon appears to have quietly acquired Yap Inc., a speech recognition start-up company, fueling speculation that the online giant is getting ready to produce a voice command service such as Apple's Siri or Google's Voice Actions for Android.
 
Re: foofus.net security advisory - Lexmark Multifunction Printer Information Leakage
 
Major technology companies, including Amazon, Apple, and Google, are lining up alongside smaller service providers to help consumers store and stream their music collections online. Whether you want to listen on your PC, your tablet, or your smartphone, you can find a number of online services that cater to your particular needs.
 
Re: Local file inclusion in VtigerCRM
 
[SECURITY] [DSA 2342-1] iceape security update
 
The lab credited with discovering the Duqu malware has built an open-source toolkit that administrators can use to see whether their networks are infected.
 
This is the second story in this Stuff I Learned Scripting series. As I write scripts, I tend to stumble over commands or methods that I didn't know even existed before, and I thought I'd share these with our readers as they come up. Since I'm finding some of these commands for the first time, I invite you to post any more elegant or correct methods in our comment form.
If you're like me, you have a generally good feeling when you see config files set up as XML: it's an open standard with loads of tools to parse it out.
However ... I was recently tasked with parsing variables out of an XML file, using *only* what is available in Windows. This turned out to be trickier than I thought - XML is a tad more complex than your traditional variable=value Windows INI file (or registry key, for that matter). This is one of the reasons I've been (subconsciously, I think) avoiding writing automation scripts against XML.
On the face of it, it might look easy - for instance:

<some variable>value</some variable>

is easy to get with the find command. But the same construct could just as easily be represented as:

<some variable>
value
</some variable>

which is *not* so easy to pull out using the find command in Windows.
Also, XML is hierarchical, so:

<config>
  <var>
  value
  </var>
</config>

is different altogether from:

<servername>
  <var>
  value
  </var>
</servername>
At that point, I took a deep breath and decided it was time to dive into Powershell. Powershell has everything needed to parse and write XML out of the box, and it fills the requirement that it's actually on every box (well, every new Windows box anyway). There are a ton of sites out there that will explain how to do complex XML gymnastics, but in security audits generally all that is needed is a simple read of specific target variables. For instance, if you are auditing a VMware vCenter configuration against the VMware Hardening Guide, you should be looking at variables in the vpxd.cfg file, which is formatted in XML. One of the variables you'll want to look at is enableHttpDatastoreAccess, which if enabled allows you to browse your ESX/ESXi datastores with a web browser (and appropriate credentials, of course). The Hardening Guide recommends that this be turned off in some circumstances (their term is SSLF - Specialized Security Limited Functionality), so during an audit this value should at least be noted. In the config file, this value is represented as:

<config>
  ... other config variables and constructs ...
  <enableHttpDatastoreAccess>
  value
  </enableHttpDatastoreAccess>
</config>
You can do this in 2 lines in Powershell (though they may wrap on your display, depending on your screen resolution), with something like:

[xml]$vpxdvars = Get-Content ./vpxd.cfg

This reads the entire XML-formatted file into the Powershell variable $vpxdvars; the [xml] cast is what makes Powershell parse the content as an XML document rather than keep it as lines of text.

Write-Host $vpxdvars.config.enableHttpDatastoreAccess

You can see in this example that the hierarchical structure of the XML file is expressed by dot-separation. Here we simply print (using Write-Host) the target variable, represented as config.enableHttpDatastoreAccess, from the XML file.



But how do you stuff this into a CMD file in Windows? Simple - use the powershell -Command option, and string the Powershell commands together with semicolons (quoting the whole command so CMD hands it to Powershell intact). The line shown here will run from the command line or (more usefully) from within a CMD file:

powershell -Command "[xml]$vpxd = Get-Content ./vpxd.cfg; Write-Host $vpxd.config.enableHttpDatastoreAccess"


And yes, I know, I know, this probably has existed in Linux forever, but in most enterprises, Windows scripts tend to be preferred (he said as he looks hastily up for thunderclouds and lightning bolts). Having said that (and survived, so far anyway), I tend to use xpath in Linux if I need something simple in a bash script. It comes as part of the Perl Library XML::XPath, and is preinstalled on most major distributions (if you install perl). For instance, the query above might be represented as (command output is also shown):

# xpath -e '/config/enableHttpDatastoreAccess' ./vpxd.cfg

Found 1 nodes in ./test.xml:
-- NODE --
<enableHttpDatastoreAccess>
FALSE
</enableHttpDatastoreAccess>
To get just the value, we'll use the -q (for quiet) option, which filters out the Found and NODE lines, leaving only the matching node. Then we'll strip the tag lines by using grep to ignore anything with a < in it:

# xpath -q -e '/config/enableHttpDatastoreAccess' ./vpxd.cfg | grep -v '<'

FALSE

And yes, you could do this simple example query in SED (though every time I think I have it right I find a case where it also breaks); GREP and AWK are also tools you can use for XML parsing, with a similar caveat. But xpath commands are much easier and much more readable - and readable scripts are REALLY important if you are planning to give them to a client, especially if they're not a SED / AWK / GREP / scripting guru. If you expect someone else to read your script, complex is NOT better. So you'll tend to see understandable, simple scripts in this series.



For more complex XML operations and results, a more complex tool is usually required - if you need true XML gymnastics, it might be time to write a more complex program in Perl, Powershell or Python (or your favourite language that supports XML, it doesn't necessarily need to start with a P).
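As an added example (not the diary's own code), here is the same audit check written in Python, the route suggested above once a script outgrows a one-liner. It uses only the standard library; the vpxd.cfg fragment is a constructed sample rather than a real vCenter file, and it deliberately includes the multi-line value layout and the nested same-named element that the find-based approach cannot tell apart.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment in the shape of vpxd.cfg (not a real vCenter file).
# The value of interest is split across lines, and a second element with the
# same name sits under a different parent, so the full path matters.
SAMPLE_VPXD_CFG = """<config>
  <log><level>info</level></log>
  <enableHttpDatastoreAccess>
    true
  </enableHttpDatastoreAccess>
  <servername>
    <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>
  </servername>
</config>
"""


def read_setting(xml_text, path):
    """Return the whitespace-stripped text of the element at a simple
    absolute path such as '/config/enableHttpDatastoreAccess', or None
    if any element on the path is missing."""
    root = ET.fromstring(xml_text)
    parts = path.strip("/").split("/")
    if parts[0] != root.tag:
        return None
    node = root
    for part in parts[1:]:
        node = node.find(part)  # direct child only, so /config/x != /config/servername/x
        if node is None:
            return None
    return (node.text or "").strip()


def audit_http_datastore_access(xml_text):
    """Note the setting the Hardening Guide asks auditors to record:
    flag it for review when HTTP datastore browsing is enabled."""
    value = read_setting(xml_text, "/config/enableHttpDatastoreAccess")
    if value is None:
        return ("NOT SET", "enableHttpDatastoreAccess is absent from the file")
    status = "REVIEW" if value.lower() == "true" else "OK"
    return (status, "enableHttpDatastoreAccess = " + value)


if __name__ == "__main__":
    print(read_setting(SAMPLE_VPXD_CFG, "/config/enableHttpDatastoreAccess"))
    print(read_setting(SAMPLE_VPXD_CFG, "/config/servername/enableHttpDatastoreAccess"))
    print(audit_http_datastore_access(SAMPLE_VPXD_CFG))
```

Reading the file with open("vpxd.cfg").read() in place of the sample string runs the same check against a real configuration.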



As always, I'm sure that there are true XML and Powershell experts out there (I'm not an expert at either) - if there's a better / simpler way to get this done than the one method I've described, please share on our comment form!



If this particular example (and the certificate example I used on Monday) are of particular interest to you, they are both from the Security Class SANS SEC579 - Virtualization and Private Cloud Security ( http://www.sans.org/security-training/virtualization-private-cloud-security-1651-mid ), which will be offered first in January. (shameless plug - I'm a co-author for that course)
===============

Rob VandenBrink

Metafore
 
The Mali-T658 graphics processor announced by ARM on Wednesday can be equipped with up to eight cores to help it deliver ten times the graphics performance of the company's existing GPU.
 
The botnet takedown announced Wednesday by the U.S. Department of Justice was the biggest in history, according to a security company.
 
Microsoft, Siemens and AT&T are just a few of the corporations discovering the value of veterans' tech training, global perspective and surprising arsenal of soft skills.
 
User experience and UI nuances pose the biggest challenge to tap into gesture-savvy iOS, Android, and Windows 8
 

Posted by InfoSec News on Nov 10

http://threatpost.com/en_us/blogs/financial-records-millions-risk-after-computershare-insider-copies-data-usbthen-loses-usb-1108

By Paul Roberts
ThreatPost.com
November 8, 2011

Computershare, the investor services firm, has filed suit against a
former employee it charges with making off with thousands of pages of
proprietary company documents, including information on shareholder
names, account numbers and financial holdings.

The company...
 

Posted by InfoSec News on Nov 10

http://www.japantimes.co.jp/text/nn20111109a6.html

The Japan Times Online
Nov. 9, 2011

TAIPEI -- Computer networks of the Diet and Japan's largest defense
contractor have been attacked by alleged Chinese hackers, but Japan is
not the only target in the region.

Taiwan has long been a key target of such attacks, especially from
China. The attacks began in 1999 after then President Lee Teng-hui upset
Beijing by saying negotiations...
 

Posted by InfoSec News on Nov 10

http://www.itworld.com/security/222273/darpa-nsa-dod-launch-new-cybersecurity-effort-operation-schmooze-hackers

By Kevin Fogarty
ITworld.com
November 08, 2011

In its unending effort to find more technologically innovative ways to
accomplish things most of the government agencies that are its clients
can't do at all, DARPA called a conference this week to ask for help
securing military and government networks against hackers.

Who did it...
 

Posted by InfoSec News on Nov 10

http://www.darkreading.com/cloud-security/167901092/security/vulnerabilities/231902718/cloud-services-credentials-easily-stolen-via-google-code-search.html

By Tim Wilson
Dark Reading
Nov 09, 2011

The access codes and secret keys of thousands of public cloud services
users can be easily found with a simple Google code search, a team of
security researchers says.

Researchers at Stach & Liu, a security consulting firm that develops
Google...
 

Posted by InfoSec News on Nov 10

http://www.thesmokinggun.com/buster/grady-sizemore-hacking-sentence-765921

The Smoking Gun
November 8, 2011

A Minnesota woman today pleaded guilty to hacking into the e-mail
account of a former Playboy Playmate and swiping racy photos of baseball
star Grady Sizemore, images that later were widely distributed online.

Leah Ayers, 20, copped this morning to a misdemeanor count of
unauthorized computer access during a District Court hearing in...
 

Posted by InfoSec News on Nov 10

http://www.itwire.com/business-it-news/security/51019-critical-infrastructure-exploitable-vulnerability-will-not-be-patched

By David Heath
iTWire
09 November 2011

In April this year, a vulnerability was discovered in a commonly used
critical infrastructure Web Access product. Exploitable code was also
made available. The manufacturer has announced that no patch will be
released.

According to ISC-CERT, advisory ICSA-11-094-02A spells out...
 

Posted by InfoSec News on Nov 10

http://gcn.com/articles/2011/11/09/stuxnet-style-threat-prison-scada-systems.aspx

By Kevin McCaney
GCN.com
Nov 09, 2011

Federal authorities have confirmed an assertion by security researchers
earlier this year that Stuxnet-like malware poses a potential threat to
controls at prisons and penitentiaries across the country.

The researchers made their claim in a white paper published July 31, in
which they say that the programmable logic...
 

Posted by InfoSec News on Nov 10

http://www.businessweek.com/news/2011-11-09/hackers-hijack-millions-of-computers-in-massive-fraud-case.html

By Patricia Hurtado and Michael Riley
Bloomberg
November 09, 2011

The U.S. charged seven people with a “massive” computer intrusion scheme
that used malicious software to manipulate online advertising, diverted
users to rogue servers and infected more than 4 million computers in
more than 100 countries.

One Russian and six...
 