Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The following Cisco products were previously identified as vulnerable and have since been remediated:

Cisco Registered Envelope Service (CRES)
Cisco Webex Messenger Service
Cisco USC Invicta Series Autosupport Portal

The following fixed software is now available for download for all affected products:

Cisco AnyConnect Secure Mobility Client for iOS - Fixed in version 3.0(9353)
Cisco WebEx Messenger Server - Fixed in 2.0MR2
Cisco TelePresence Video Communication Server (VCS) - Fixed in X8.1.1

For additional information on Cisco products, see the Cisco Security Advisory [1].

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed


Nine people connected to the "Zeus" malware have been indicted, federal officials announced Friday as they declared the code "one of the most damaging pieces of financial malware that has ever been used."

An indictment (PDF) unsealed Friday charges nine people, most of them from the Ukraine. Two defendants—Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36—were extradited to the United States and hauled Friday into Nebraska federal court, where the charges were unsealed. Most of the others remain at large.

The authorities said the defendants used Zeus to hijack account numbers, passwords, personal identification numbers, RSA SecureID token codes, and other data needed to illegally log in to online banking accounts, netting the defendants "millions of dollars." Prosecutors said they were responsible for "infecting thousands of business computers with malicious software."


Fortinet FortiADC 'locale' Parameter Cross Site Scripting Vulnerability
Better think before you post that Instagram selfie -- a government could want it.
You had to see this one coming.
Updating its platform for the hyper-connected cloud era, Tibco has equipped the new version of its flagship application-integration software with the ability to communicate with external applications.

Citing two anonymous sources “familiar with the matter,” Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—“at least two years.” The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites.

“When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about," said Jameel Jaffer, deputy legal director at the American Civil Liberties Union, in a statement emailed to Ars. "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function. The NSA has lost sight of its mission, and it has lost sight of the values of the society it’s supposed to be protecting.”

The NSA has issued a statement denying the report. In an email to Ars, NSA spokesperson Vanee Vines provided this official statement: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong.”


SAP ERP Enhancement Packages Security Bypass Vulnerability
SAP HANA Information Disclosure Vulnerability
Linux Kernel 'ping_init_sock()' Local Privilege Escalation Vulnerability
There's a new sign on the door to Courtroom 5 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that's playing out this month: "Please turn off all cell phones."
Several online protests in recent weeks mark a new trend in activism against companies and other entities, as activists grow empowered by the ability to affect change with just a few key strokes.
Intel this week showed off a laptop-tablet hybrid with Windows 8.1 for the education market, where Chromebooks and tablets are also fighting for position.
Independent Oracle and SAP support provider Rimini Street will now offer integration services for customers who want to adopt SaaS (software-as-a-service) offerings from the likes of Salesforce.com and Workday.
ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability

NJVC and InfoSec Institute partner to provide cyber security training services
Government Security News
Information technology solutions provider NJVC, of Chantilly, VA, and information security training company InfoSec Institute, have announced a partnership to provide cyber security training services. NJVC can now implement federal government and ...

The IRS acknowledged this week that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ESA-2014-003: RSA® Data Loss Prevention Improper Session Management Vulnerability
ESA-2012-032: RSA BSAFE® Micro Edition Suite Security Update for BEAST (Browser Exploit Against SSL/TLS) attacks
Computerworld offers a Tip of the Hat to The Register's Chris Williams for his insights on how a lack of oversight of open source technologies contributed to the creation -- and the two-year spread -- of the Heartbleed bug.
WordPress Multiple Security Vulnerabilities
ESA-2014-019: RSA BSAFE® Micro Edition Suite Certificate Chain Processing Vulnerability
Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue
Android and iOS mobile applications are just as vulnerable to the Heartbleed bug as websites are, security vendor Trend Micro warned.
Google this week updated Chrome to version 34, patching 31 vulnerabilities and paying out nearly $30,000 in bug bounties to outside researchers.
The U.S. Department of Justice has brought charges against nine alleged members of a criminal organization that distributed the Zeus Trojan used to steal millions of dollars from bank accounts nationwide.
Fast-growing cloud software vendor Salesforce.com is planning to expand its San Francisco headquarters by more than 700,000 square feet, taking a 15.5-year lease on a 61-story office building under construction.

The software developer who inserted a major security flaw into OpenSSL has said the error was "quite trivial" despite the severity of its impact, according to a new report.

The Sydney Morning Herald published an interview today with Robin Seggelmann, who added the flawed code to OpenSSL, the world's most popular library for implementing HTTPS encryption in websites, e-mail servers, and applications. The flaw can expose user passwords and potentially the private key used in a website's cryptographic certificate (whether private keys are at risk is still being determined).

The Herald reports:



On April 9, Juniper Networks issued a security advisory for users of version 7 of its Secure Access SSL VPN (IVEOS) because of its vulnerability to the OpenSSL Heartbleed exploit, an attack that could expose user data through malicious use of the Transport Layer Security "Heartbeat" extension. This morning, the company added a number of other VPN and switch products to its security advisory, including the most recent release of the Junos OS and its Junos Pulse and IVEOS SSL virtual private networks.

"We are working around the clock to provide fixed versions of code for our affected products," the company's security team said in the advisory.

The affected products are:


OpenStack Keystone V3 API Authentication Denial of Service Vulnerability
Rob VandenBrink
Facebook's $2 billion acquisition of Oculus has given virtual reality a major boost. By delivering an altered sense of reality with a social experience Facebook could give users a more compelling reason to come back regularly.
The mainframe was supposed to go extinct decades ago, but it's abundant in many habitats. Same goes for the PC, which seems to have adapted for survival better than once thought. Both the mainframe and the PC offer evolutionary advantages that newer, more sophisticated species still struggle to match.
CVE-2014-2384 - Invalid Pointer Dereference in VMware Workstation and Player
SEC Consult SA-20140411-0 :: Multiple vulnerabilities in Plex Media Server
OpenSSL TLS 'heartbeat' Extension Multiple Information Disclosure Vulnerabilities
[security bulletin] HPSBMU02995 rev.1 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, Performance Center, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information
[SECURITY] [DSA 2900-1] jbigkit security update
[ MDVSA-2014:076 ] a2ps
Posts on Facebook that repeatedly urge users to like, share or comment on them are being targeted in a new effort to reduce News Feed spam, Facebook said.
As Google and AT&T race to provide super-fast 1 gigabit fiber networks to power users, more than a quarter of U.S. homes still have no broadband service at all.
Amazon announced it's buying Comixology, the leader in the digital-comic-book world. Comixology's technology powers the company's own popular Comics app and web store, and the main comic-reading apps by Marvel and DC.

Infosec teaching boost as security body (ISC)2 launches education programme
Security organisation (ISC)² has announced a new Global Academic Programme it hopes will boost the importance of security in higher education teaching programmes around the world. The larger purpose of the Programme is to address the growing skills ...

IOServer CVE-2014-0777 Out-of-Bounds Read Vulnerability

We're getting reports of client applications that are vulnerable to the Heartbleed issue. Just as with server applications, these client applications are dependent on vulnerable versions of OpenSSL.

Another "patch soon" problem, you say? The patch will be installed when the vendor ... oh, wait a minute. Just exactly when will your TV's manufacturer update the web browser on your TV? And when will you be applying that patch? How about your in-laws' TV? This vulnerability on the client side has the potential to be much longer-lived than on servers.

This combines the problem of the specific Heartbleed vulnerability with the problem of embedded devices that may never be updated, or devices that are updated by vendors for a year or two after release and then abandoned when the new model comes out. Home routers and TV sets are great examples of this situation, but so are medical devices.

To add to that list, there is a large contingent of Android phones whose updates are maintained by the carrier instead of the manufacturer (Google), and that do not see frequent updates, or may never see an update. These devices are used daily for almost everything; online banking comes immediately to mind. The combination of a general purpose device and a vulnerability that exposes memory to an attacker (in this case, a malicious or infected server) has the potential for some widespread mayhem, for as long as that device remains in service (years instead of weeks or months).

Other applications that encrypt but that we don't often think of as "clients" also need to be assessed: traditional database software, cloud service clients, dedicated or custom browsers for online services such as entertainment, even device drivers for hardware. It's also easy to say "client application XX is vulnerable", but that client application might exist on your PC, on multiple tablet or phone platforms, on TVs, DVRs, exercise equipment, fridges, and thermostats. The list grows to include things that are smaller and smaller, and less and less likely to be updated.

Client applications that are currently reported as vulnerable are:

  • MariaDB 5.5.36
  • wget 1.15 (leaks memory of earlier connections and own state)
  • curl 7.36.0
  • git 1.9.1 (tested clone / push, leaks not much)
  • nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
  • links 2.8 (leaks contents of previous visits!)
  • OwnCloud

(from http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely )

If you've got confirmation of other vulnerable client applications, please post the relevant information (with links) in our comment section. 

Rob VandenBrink


du's newly-launched Student InfoSec Award invites UAE students to change the ...
Zawya (registration)
In the spirit of fostering innovation and nurturing the progression of local talent in the field of information security, du invites students across the UAE to participate in its newly-launched Student InfoSec Award. The Student InfoSec Award is a ...


Posted by InfoSec News on Apr 11


The Smoking Gun
April 10, 2014

APRIL 10 -- A group of alleged hackers has been charged with breaking into
the computer systems of the U.S. Army, Microsoft, and several other firms
to steal pre-release copies of popular video games like “Call of Duty,”
simulation software for Apache attack helicopter pilots, and confidential
data that was used to create counterfeit...



Korea JoongAng Daily
April 11, 2014

Fear of hacked personal information being used in financial fraud and
leading to actual losses, which the financial authorities promised was
unlikely to happen, has been realized.

As a result, public mistrust and frustration is growing over the
assurances by the financial authorities.

Yesterday, the financial authorities issued a...



By Theo Merz
The Telegraph
10 Apr 2014

A computer security expert took less than two minutes to exploit an
"embarrassing" flaw in the Metropolitan Police’s website, which he claims
could have left computer users vulnerable to malicious attacks.

Ilia Kolochenko, a consultant who is employed by...



By Lia Timson
April 11, 2014

German computer programmer Robin Seggelmann has been outed as the man whose
coding mistake, now known as Heartbleed, has left millions of internet
users and thousands of websites vulnerable to hackers.

The discovery, by Google engineers, has prompted experts to call on people...



By Sean Gallagher
Ars Technica
April 9, 2014

A whitehat hacker from the Baltimore suburbs went too far in his effort to
drive home a point about a security vulnerability he reported to a client.
Now he’s unemployed and telling all on reddit.

David Helkowski was working for Canton Group, a Baltimore-based software
consulting firm on a...
Microsoft Word File Converting CVE-2014-1757 Remote Code Execution Vulnerability