
InfoSec News

A hacker has broken into a Barracuda Networks database and obtained names and e-mail addresses of some of the security company's employees, channel partners and sales leads.
 
Acer's Aspire One 7552G-6436 may be packed with a quad-core processor and ATI Radeon graphics, but it can't keep up with most of PCWorld's top-ranked desktop replacement systems. Nevertheless, its light weight, bright screen, and affordable price may be just what some users are looking for.
 
For the second time in the last four weeks, Adobe has told users that hackers are exploiting an unpatched bug in Flash Player, again by embedding malicious code inside a Microsoft Office document.
 
libvirt Threads Local Denial of Service Vulnerability
 
Adobe reported that a so far unpatched vulnerability in Flash Player has been used in recent targeted attacks.
Flash Player 10.2.153.1 is vulnerable, as is the Flash Player component (authplay.dll) used to render Flash content inside Adobe Reader / Acrobat. Adobe Reader X is vulnerable but not exploitable, because its Protected Mode sandbox keeps the exploit from executing.
At this time, according to Adobe, the attack is performed using Flash (.swf) files embedded in Word (.doc) documents delivered as e-mail attachments.
Note that Flash may be embedded in other Office document formats, such as Excel, so blocking .doc attachments alone is not sufficient. Adobe is not planning an out-of-band patch at this point, as Adobe Reader X is not exploitable.
[1] http://www.adobe.com/support/security/advisories/apsa11-02.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The Toshiba Mini NB305-N600 ($380 as of April 5, 2011) comes from the higher end of Toshiba's two-part netbook family. Nothing if not eager to meet your netbook needs, Toshiba offers its two basic models--the Mini NB300 and NB500 series--in a total of 11 configurations, and figuring out how they differ requires going through spec sheets with a magnifying glass. Of course, specs don't tell the whole story, anyway--and overall, the story isn't that compelling.
 
Last week, consumers in the U.S. were bombarded with e-mail messages warning them of what may be the most widely felt data breach in U.S. history. A company that most of them had never heard of, Epsilon Interactive, had been compromised and their names and e-mail addresses had been stolen.
 
Adobe's coming updates to its Flash Builder and Flex cross-platform software development tools, announced Monday, don't do anything to address the exclusion of the Flash Player from Apple's iOS products.
 
A U.S. federal appeals court has denied a request by the Winklevoss twins to release them from their settlement with Facebook over their allegations that Mark Zuckerberg improperly appropriated their idea for the social networking site.
 
The U.S. needs a cybersecurity emergency response capability to help businesses under major attacks, U.S. Sen. Sheldon Whitehouse, (D-R.I.), said Monday.
 
rPSA-2011-0013-1 openssl openssl-scripts
 
Google and the New York Times have teamed to create a daily question for users of the Web site and readers of the newspaper.
 
A new Trojan tries to extort money from users by convincing them to dial international telephone numbers to reactivate Windows, a security researcher said today.
 
Microsoft has upgraded and renamed its Bing search engine's directory of local businesses, adding capabilities for owners to create, claim and manage their listings, as well as promote special deals.
 
In a scathing blog post, one of Microsoft's top lawyers alleged that Google has been falsely claiming that its Google Apps for Government service has an important certification.
 
rPSA-2011-0014-1 httpd mod_ssl
 
Passwords^11 - Call for Papers ending April 17!
 
ZDI-11-118: Novell ZENworks Asset Management Path Traversal File Overwrite Remote Code Execution Vulnerability
 
YouTube is offering live-streamed video to complement its catalog of recorded videos.
 
Microsoft is moving its Dynamics ERP applications to its Azure cloud platform, the company announced Monday at the Convergence conference in Atlanta.
 
IPv6, just like IPv4, is a Layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile breeding ground for attacks. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, so physical access controls can be used to mitigate most Layer 2 risks.
Of course, this hasn't been true for most networks. Wireless access, unsecured network jacks in public areas and remote access via compromised hosts inside the network have all been shown to provide access to Layer 2. 802.1X is probably the best option to mitigate most of these threats, but even 802.1X will not protect you from a compromised, authenticated workstation, and 802.1X can be difficult to implement in many scenarios.
So how does this apply to IPv6? One of the big changes in IPv6 is that ARP is replaced by the Neighbor Discovery Protocol (NDP), which runs over ICMPv6. In addition, Router Advertisements (RA), themselves NDP messages, are used to configure hosts: default router, on-link prefixes and, with stateless address autoconfiguration, the hosts' own addresses.
Probably the most important thing to understand: by default, neither NDP nor RA prevents any of the attacks we have seen against ARP or DHCP. Just as for ARP and DHCP, we need to be able to detect and mitigate spoofing.
NDP Spoofing
By default, NDP messages are not authenticated, just as ARP is not authenticated. In its simplest form, an attacker sends unsolicited Neighbor Advertisements (with the Override flag set) for a legitimate host's address that point to the attacker's own MAC address, impersonating that host on the local network to play man in the middle (MITM). MITM attacks work and can be applied just as with IPv4.
Variations of the attack can be used for denial of service as well. Just as in IPv4, an IPv6 host checks whether the address it is about to use is already taken (Duplicate Address Detection, the IPv6 counterpart of the gratuitous ARP probe). By simply answering every such check, an attacker can prevent a host from ever obtaining an address.
RA Spoofing
Router advertisements replace DHCP in many cases and can be used to assign IP addresses (stateless address autoconfiguration). Spoofing router advertisements helps with MITM attacks, as the attacker is now pretending to be a router. In a regular IPv6 network this may only be partially successful, because the rogue router is competing with the legitimate routers. But by advertising itself with a high router preference and long lifetimes, and by creating a DoS against the legitimate router (for example, by spoofing an RA with a router lifetime of 0 from the legitimate router's address so that hosts drop it), the attacker has a decent chance of succeeding.
Recently (see a few diaries back), this attack was demonstrated against IPv4-only networks by combining it with NAT-PT and the preference of current operating systems to route over IPv6 if both IPv4 and IPv6 are available.
Of course, if you just spoof random RAs, you will be able to mess up hosts' configuration enough that they stop responding at all.
Attack Tools
There is probably at least one tweet/Slashdot/Digg event a day advertising a new tool that implements these attacks. To save yourself some time: check out the THC IPv6 attack toolkit. It already implements most of these attacks and includes a nice library for implementing more. Implementing the same tools again in Scapy gets you some Python brownie points, though.
Defenses
For the IPv4 versions of these attacks, many vendors have implemented defenses (DHCP snooping, dynamic ARP inspection), and there are open source tools like arpwatch to help you detect them. In addition, we have gotten used to watching out for these attacks, and a reasonably skilled network admin is usually able to spot ARP spoofing.
For IPv6, we are a bit behind the curve when it comes to defenses. RFC 6105 outlines a mechanism called RA Guard [1] that lets the switch identify legitimate routers and only forward RA messages arriving on ports connected to authorized routers, much like DHCP snooping does for DHCP. Note that simple RA Guard implementations can be evaded by hiding the RA behind IPv6 extension headers or fragmentation, so treat it as a filter rather than a guarantee.
RFC 3971 defines a mechanism called SEND (Secure Neighbor Discovery) [2], which uses public-key signatures to authenticate ND messages; routers are authorized via certificate paths, and hosts use cryptographically generated addresses (CGA, RFC 3972) [3] to prove ownership of their addresses and prevent spoofing on the local network. However, this protocol is not yet widely implemented, and the cryptographic overhead can itself be used to create DoS conditions.
Unlike ARP messages, ICMPv6 messages could in principle be routed. To keep off-link attackers from injecting ND messages, RFC 4861 requires senders to set the IPv6 Hop Limit (the IPv6 equivalent of TTL) to 255 and receivers to silently discard any ND or RA message whose Hop Limit is not 255, since a packet that has crossed a router arrives with a lower value.
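The following is an added example, not code from the ISC diary, showing what an arpwatch-style monitor for the NDP and RA spoofing described above looks like. It parses raw ICMPv6 Router Advertisement and Neighbor Advertisement messages (RFC 4861 layouts), enforces the Hop Limit 255 rule, flags RAs from any MAC not on an authorized-router list (the RA Guard idea, done in software) and flags Neighbor Advertisements that move an address to a new MAC. The MAC addresses, the 2001:db8:1::/64 prefix and every frame in demo() are constructed for the example; a real deployment would feed inspect() from a packet sniffer.

```python
"""Added example (not from the ISC diary): an arpwatch-style watcher for
IPv6 Neighbor Discovery.  Parses raw ICMPv6 RA/NA messages, drops anything
that did not arrive with Hop Limit 255, flags RAs from MACs not on the
authorized-router list (the RA Guard idea) and flags NAs that move an
address to a new MAC (NDP spoofing).  All frames below are constructed."""
import ipaddress
import struct

ICMPV6_RA, ICMPV6_NA = 134, 136


def parse_icmpv6(payload: bytes) -> dict:
    """Parse an ICMPv6 RA or NA (RFC 4861) plus the options we care about."""
    msg = {"type": payload[0], "prefixes": []}
    if msg["type"] == ICMPV6_RA:
        # RA: type,code,csum | cur hop limit | M O H Prf(2 bits) | router lifetime | reachable | retrans
        flags, lifetime = struct.unpack("!BH", payload[5:8])
        msg["router_lifetime"] = lifetime
        msg["router_pref"] = (flags >> 3) & 0x3   # RFC 4191: 1=high, 0=medium, 3=low
        opts = payload[16:]
    elif msg["type"] == ICMPV6_NA:
        msg["override"] = bool(payload[4] & 0x20)  # O flag: replace an existing cache entry
        msg["target"] = str(ipaddress.IPv6Address(payload[8:24]))
        opts = payload[24:]
    else:
        return msg
    while len(opts) >= 8:                          # TLV options, length in 8-octet units
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            raise ValueError("malformed ND option")
        body = opts[2:olen]
        if otype in (1, 2):                        # source / target link-layer address
            msg["lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3:                           # prefix information option
            msg["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        opts = opts[olen:]
    return msg


class NDWatch:
    """Knows what the link is supposed to look like and reports deviations."""

    def __init__(self, authorized_routers):
        self.authorized_routers = set(authorized_routers)  # MACs allowed to send RAs
        self.neighbors = {}                                 # IPv6 address -> MAC seen advertising it

    def inspect(self, hop_limit: int, src_mac: str, payload: bytes) -> list:
        msg = parse_icmpv6(payload)
        alerts = []
        if msg["type"] not in (ICMPV6_RA, ICMPV6_NA):
            return alerts
        if hop_limit != 255:   # RFC 4861: ND must be discarded unless Hop Limit == 255
            alerts.append(f"hop limit {hop_limit} != 255 from {src_mac}: not from the local link, drop")
        if msg["type"] == ICMPV6_RA and src_mac not in self.authorized_routers:
            alerts.append(f"RA from unauthorized {src_mac}: pref={msg['router_pref']} "
                          f"lifetime={msg['router_lifetime']} prefixes={msg['prefixes']}")
        elif msg["type"] == ICMPV6_NA:
            mac = msg.get("lladdr", src_mac)
            known = self.neighbors.setdefault(msg["target"], mac)
            if known != mac:
                alerts.append(f"NA moved {msg['target']} from {known} to {mac} "
                              f"(override={msg['override']}): possible NDP spoofing")
                self.neighbors[msg["target"]] = mac
        return alerts


def build_ra(lladdr, pref, lifetime, prefix="2001:db8:1::", plen=64):
    """Constructed RA with source link-layer and prefix options (checksum left 0)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, pref << 3, lifetime, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    return hdr + sll + pio


def build_na(target, lladdr, override=True):
    """Constructed NA with target link-layer option (checksum left 0)."""
    hdr = struct.pack("!BBHB3s", ICMPV6_NA, 0, 0, 0x60 if override else 0x40, b"\0\0\0")
    tll = bytes([2, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + tll


def demo() -> list:
    """Legitimate RA and NA, then a rogue high-preference RA, a spoofed NA
    that steals 2001:db8:1::10, and an RA that did not originate on-link."""
    watch = NDWatch(authorized_routers={"00:00:5e:00:01:01"})
    rogue = "52:54:00:de:ad:01"
    frames = [
        (255, "00:00:5e:00:01:01", build_ra("00:00:5e:00:01:01", pref=0, lifetime=1800)),
        (255, "52:54:00:aa:bb:01", build_na("2001:db8:1::10", "52:54:00:aa:bb:01")),
        (255, rogue, build_ra(rogue, pref=1, lifetime=9000)),
        (255, rogue, build_na("2001:db8:1::10", rogue)),
        (64, rogue, build_ra(rogue, pref=1, lifetime=9000)),
    ]
    return [a for hl, mac, pl in frames for a in watch.inspect(hl, mac, pl)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The watcher deliberately learns the first MAC it sees for an address rather than trusting a static inventory, which is the same weakness arpwatch has: if the attacker is first, the legitimate host looks like the intruder. Seeding `neighbors` from a known-good inventory, and pairing the hop-limit check with the RA Guard list, is what makes the alerts trustworthy.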
Summary
Layer 2 defense is not easy, in particular defending against DoS. The best thing you can probably do is to know what is supposed to be on your network and be able to quickly detect and disconnect misbehaving hosts.

[1] http://tools.ietf.org/rfc/rfc6105.txt
[2] http://tools.ietf.org/rfc/rfc3971.txt
[3] http://tools.ietf.org/rfc/rfc3972.txt


------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Verizon Wireless and LiveCast Media announced 4G Mobile Reporter for use with Verizon's LTE network to send live high-definition video wirelessly with a laptop and USB modem.
 
AOL 9.5 '.rtx' File Remote Buffer Overflow Vulnerability
 
ZDI-11-117: McAfee Firewall Reporter GeneralUtilities.pm isValidClient Authentication Bypass Vulnerability
 
[ MDVSA-2011:073 ] dhcp
 
[Tool] sqlmap 0.9 released
 
WOOT '11 Call for Papers (reminder)
 

Infosec revolution: SOURCE Boston 2011, BeaCon
CSO (blog)
by CSO, Salted Hash – IT security news analysis, over easy! SOURCE Boston 2011 is next week, followed by a smaller get-together called BeaCon. I won't be there for reasons I explained here. But anyone else who can make it should, because it's really ...

 
[SECURITY] [DSA 2214-1] ikiwiki security update
 
[SECURITY] [DSA 2213-1] x11-xserver-utils security update
 
Remotely controlled construction machinery rolled into the site of the stricken Fukushima Daiichi nuclear power plant last week to help clear roads and passages of radioactive debris, the plant's operator said Monday.
 
AT&T announced a new service today to help retailers design, deploy and manage mobile commerce Web sites, as well as applications optimized for smartphones.
 
Intel this week is expected to provide a glimpse into the future of low-power Atom chips for netbooks and tablets as it tries to ratchet up competition with rival ARM in the tablet market.
 
Intel is working with Google to bring Android 3.0 to tablets running on low-power Atom chips code-named Oak Trail, according to an Intel executive.
 
Apple's iOS will dominate the tablet market through the middle of the decade, Gartner analysts said today.
 
When you can buy a server for 12 cents an hour it changes everything about how you run your IT department
 
With nearly $100 million in new funding, Internet2, the faster, better Internet reserved for research and education, has embarked on an upgrade that will boost backbone capacity to a staggering 8.8Tbps and expand services to hundreds of thousands of libraries, schools and medical centers.
 
To become irreplaceable to a customer, one must throw open the doors, not build higher fences.
 
Editor in chief of CIO magazine Maryfran Johnson shares highlights from our special cloud computing issue.
 
14 ways CIOs underestimate the costs of cloud computing
 
The inside story of how Lehman Brothers is being dismantled in the cloud
 
Michael Friedenberg, President and CEO of IDG Enterprise, shares data from our recent survey on cloud computing that shows actual adoption is well under way.
 
Technology attorney Matthew Karlyn tells CIOs how to avoid poisonous cloud contracts
 
Level 3 announces plans to acquire Global Crossing in an all-stock deal.
 
For Coty, IHG, Synaptics and Lojas Renner, using cloud computing is a key part of a strategy to expand business operations and increase profits.
 
Ecava IntegraXor Unspecified SQL Injection Vulnerability
 
Sharp has halted production of LCD panels for televisions in Japan because last month's massive earthquake and tsunami disrupted supply of industrial gases.
 
RealNetworks GameHouse 'InstallerDlg.dll' ActiveX Control Multiple Vulnerabilities
 


Don't Cloud Over – But Be Cloud Aware
eWEEK Europe UK
Enjoy InfoSec; you won't be able to avoid discussions about the cloud, but you can get more out of them if you establish the angle a given vendor is taking. Don't cloud over – but be cloud aware. Bob Tarzey, analyst and director of Quocirca, ...

 
U.K. police arrested three men late last week in connection with using the SpyEye malware program to steal online banking details.
 
VLC Media Player 'MP4' Heap Based Buffer Overflow Vulnerability
 
Windows 7 has passed the 10-year-old Windows XP in U.S. usage share, according to data from an Irish Web analytics company.
 
Scope change, empty suits, kickbacks -- beware IT consultants looking to turn your IT project into their cash cow
 
Whether you support a raft of users or a busy network, there are many Android-based smartphone tools that can make life easier. Here are 10 mostly free apps to help you do your job on the go.
 

TAKEDOWNCON, The Brand New Technical IT Security Conference, Premieres in ...
PRLog.Org (press release)
It will also provide real-world infosec training through the EC-Council, including its flagship course, Certified Ethical Hacker (CEH) – an accepted certification by the US Department of Defense (DoD) Directive 8570.

 
 
PHP-Jokesite 2.0 Multiple SQL Injection Vulnerabilities
 
PHP-Lance Multiple SQL Injection Vulnerabilities
 

 

Posted by InfoSec News on Apr 11

http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229401204/thousands-of-us-airways-pilots-victims-of-possible-insider-data-breach.html

By Kelly Jackson Higgins
Darkreading
Apr 07, 2011

The US Airline Pilots Association (USAPA) said it has been working with
the FBI for several months in the wake of a leak of personal information
of 3,000 of the airline union's pilots.

A spokesman for US Airways today...
 

Posted by InfoSec News on Apr 11

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

We're writing to remind you that the submission deadline for the 4th
Workshop on Cyber Security Experimentation and Test (CSET '11) is
quickly approaching. Please submit your work by April 18, 2011, at 11:59
p.m. PDT.

http://www.usenix.org/cset11/cfpb/

CSET '11 is designed to be a workshop in the traditional sense.
Presentations are expected to be interactive, 45...
 

Posted by InfoSec News on Apr 11

http://english.hani.co.kr/arti/english_edition/e_national/472385.html

By Jung Hyuk-june
The Hankyoreh
April 11, 2011

A recently announced hacking incident at Hyundai Capital marked an
unprecedented systematic accessing of customer financial information by
hackers, resulting in major aftereffects. The breach in the computer
network has not only sunk confidence levels to rock bottom for financial
companies, for whom security is essential, but...
 

Posted by InfoSec News on Apr 11

http://www.computerworld.com/s/article/9215670/Government_made_me_do_it_imprisoned_TJX_hacker_claims

By Jaikumar Vijayan
Computerworld
April 8, 2011

Convicted hacker Albert Gonzalez, who is currently serving a 20-year
prison sentence after pleading guilty to the massive hacks at TJX,
Heartland and numerous retailers, now claims that he thought he was
authorized and directed by the government to carry out the illegal
activities.

In a...
 

Posted by InfoSec News on Apr 11

========================================================================

The Secunia Weekly Advisory Summary
2011-03-31 - 2011-04-07

This week: 71 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 
Gitolite 'ADC' Security Bypass Vulnerability
 
Verizon announced a digital media utility service on Monday designed to help advertising, media and entertainment companies automate delivery of on-demand content to consumers on their TVs, smartphones and tablets.
 
Adobe announced software to develop, test and deploy mobile applications on devices running Android, BlackBerry and Apple's iOS.
 

