Hackin9
ESA-2013-089: EMC Connectrix Manager Converged Network Edition Remote Code Execution Vulnerabilities
 
[SOJOBO-ADV-13-05] - Vtiger 5.4.0 Reflected Cross Site Scripting
 
FlashCanvas 1.5 proxy.php XSS Vulnerability
 

Anil Varghese Joins Targetbase as Chief Security Officer; Continues ...
The Herald | HeraldOnline.com (press release)
He holds many industry certifications, most notably Certified Information Systems Security Professional (CISSP) Certification, PGP Cryptography Certification, NSA-IAM National Security Agency-INFOSEC Assessment Methodology. Varghese is an active ...

 

If you think laptops used to move large sums of money are highly sensitive instruments, you're right. Just consider the experience of Jens Kyllönen, a high-rolling professional poker player who is a fixture in both real-world tournaments and online card rooms.

In September, while participating in the European Poker Tour event in Barcelona, Kyllönen returned to his hotel room to find that his room key no longer unlocked his door. After finally gaining access, he discovered the Fujitsu Celsius laptop that he left inside was missing. When he returned later, the computer was mysteriously back in its place. The poker player, who had winnings in the range of $2.5 million in the past year, suspected something was amiss, so he asked researchers at F-Secure, a Finland-based antivirus provider, to take a look.

Sure enough, the forensic examination revealed that a RAT—short for a remote access trojan—had been installed on the machine during a time coinciding with its brief disappearance in Barcelona. The RAT was programmed to silently start each time the computer was turned on. Among other things, it gave the operator the ability to view the cards Kyllönen was holding when playing online hands of poker. Assuming the operator was sitting at the same virtual table, this unfair advantage would allow him to know when to hold or fold based on the cards Kyllönen had.


 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
Most Chromebooks on the market rely on Google for online services, but Dell's new Chromebook 11 adds another cloud option to extend file sharing across desktops, laptops and mobile devices.
 

 
SAP has made a series of announcements aimed at bringing more software developers into its fold, making their jobs easier and bolstering the reach of its HANA in-memory computing platform.
 
Oracle has launched the fifth version of its Exadata database appliance, claiming the release provides in many areas double the performance of previous-generation machines.
 
From letting Facebook users simply comment 'sold' to buy an item to engaging your customers, CIO.com looks at how a small business should invest in Facebook as a social commerce channel.
 
An Arizona lawmaker is eyeing an unusual way of reigning in the National Security Agency, which has been under fire for questionable surveillance practices: Block it from operating in her state.
 

Encrypted traffic has long been a challenge for network monitoring. But even if traffic is encrypted, there is still plenty of information that can be extracted. In this little example, we are looking at "SSL Hello" messages. These messages are sent by the client to initiate the SSL connection. They include a number of parameters that may vary depending on the SSL library used or the SSL client's preferences.

The SSL Hello message contains a couple of major parts [1]:

  • a timestamp. This is the local time of the client, even if the RFC doesn't require it to be accurate.
  • 28 random bytes
  • a list of cipher suites the client supports
  • the SSL version the client is using (e.g. TLS 1.0)
  • any extensions the client may support (including compression)

This gives us quite a bit of data to fingerprint clients. The timestamp can be used to check if the client's time is in sync. The supported cipher suites and extensions may tell us what browser version the host is running and could, for example, be used to block out-of-date browsers at a gateway that is not able to decrypt traffic.

Ivan Ristic has published similar data in the past focusing on SSL ciphers [2], and p0f considered including some of that data.

My tool of choice to extract this information from packet captures is tshark. To run this test, I collected a couple of minutes of traffic. I also extracted the IP addresses and user agents from the web server log to be able to link the "SSL Fingerprint" to the user agent. I ignored all IP addresses for which I saw multiple user agents (looks like mostly mobile devices that accessed the podcast via a podcast client as well as the web site via a browser).

In tshark, to extract the "fingerprint" I used:

tshark -r test.pcap -T fields -e ip.src -e ssl.handshake.ciphersuite -e ssl.handshake.version -e ssl.handshake.extension.type -R "ssl.handshake.type==1"

Here is a partial result:

Firefox 25 on Windows 7 ( Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 )

Cipher Suites: 0x00ff,0xc00a,0xc014,0x0088,0x0087,0x0039,0x0038,0xc00f,0xc005,0x0084,0x0035,0xc007,0xc009,0xc011,0xc013,0x0045,0x0044,0x0033,0x0032,0xc00c,0xc00e,0xc002,0xc004,0x0096,0x0041,0x0005,0x0004,0x002f,0xc008,0xc012,0x0016,0x0013,0xc00d,0xc003,0xfeff,0x000a
SSL Version: 0x0301 (TLS 1.0)
Extensions: 0x0000,0x000a,0x000b,0x0023,0x3374

Chrome 31 on Windows 7 (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36)

Cipher Suites:
0xc02b,0xc02f,0x009e,0x009c,0xc00a,0xc014,0x0039,0x0035,0xc007,0xc009,0xc011,0xc013,0x0033,0x0032,0x0005,0x0004,0x002f,0x000a
SSL Version: 0x0303 (TLS 1.2)
Extensions: 0x0000,0xff01,0x000a,0x000b,0x0023,0x3374,0x0010,0x754f,0x0005,0x000d

Internet Explorer 7 on Windows 7 (Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2; .NET4.0E; Microsoft Outlook 14.0.7109; ms-office; MSOffice 14)

Cipher Suites:
0x003c,0x002f,0x003d,0x0035,0x0005,0x000a,0xc027,0xc013,0xc014,0xc02b,0xc023,0xc02c,0xc024,0xc009,0xc00a,0x0040,0x0032,0x006a,0x0038,0x0013,0x0004
SSL Version: 0x0303 (TLS 1.2)
Extensions: 0xff01,0x0000,0x0005,0x000a,0x000b,0x000d

These three examples, all from Windows 7, show how different browsers result in very different fingerprints. The order of ciphers and extensions appears to vary as well, allowing for more detailed distinctions, but that is something that needs a bit more data to work with.
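The tshark one-liner above relies on Wireshark's dissector. To make the field layout the diary is fingerprinting concrete, here is an added example (not part of the diary, not ISC code) that pulls the same four fields, version, timestamp, cipher suites and extension types, straight out of a raw ClientHello record, following the layout in RFC 2246 [1]. The sample ClientHello is constructed in the block, not captured from a real browser, and the capture time passed to clock_skew is likewise assumed.

```python
"""Extract the ClientHello fields the diary fingerprints (version, timestamp,
cipher suites, extension types) directly from raw TLS bytes.

Added example, not part of the ISC diary; the sample ClientHello is constructed
here, not captured from a real browser. Field layout follows RFC 2246."""
import struct

RECORD_HANDSHAKE = 0x16   # TLS record content type for handshake messages
HS_CLIENT_HELLO = 0x01    # handshake type 1 = ClientHello


def build_client_hello(version, gmt_time, ciphers, extensions, random28=b"\x11" * 28):
    """Constructed sample: serialise a minimal ClientHello inside a TLS record.
    `extensions` is a list of (type, data) pairs in the order the client sends them."""
    body = struct.pack(">H", version)
    body += struct.pack(">I", gmt_time) + random28          # Random: 4-byte time + 28 bytes
    body += b"\x00"                                         # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                     # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(hs)) + hs


def parse_client_hello(data):
    """Return version, timestamp, cipher suites and extension types of a ClientHello,
    raising ValueError for anything that is not a complete ClientHello record."""
    if len(data) < 9 or data[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", data[3:5])
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    (version,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    (gmt_time,) = struct.unpack(">I", body[pos:pos + 4]); pos += 4
    pos += 28                                   # the 28 random bytes carry no fingerprint value
    pos += 1 + body[pos]                        # session id (length-prefixed)
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods (length-prefixed)
    ext_types = []
    if pos + 2 <= len(body):                    # the extensions block is optional
        (ext_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return {"version": version, "timestamp": gmt_time,
            "ciphers": ciphers, "extensions": ext_types}


def fingerprint(info):
    """Order-preserving fingerprint in the diary's hex notation; cipher and
    extension order is kept because the diary notes it differs between clients."""
    return "%04x|%s|%s" % (info["version"],
                           ",".join("%04x" % c for c in info["ciphers"]),
                           ",".join("%04x" % e for e in info["extensions"]))


def clock_skew(info, capture_time):
    """Seconds the client clock is ahead (+) or behind (-) the capture time."""
    return info["timestamp"] - capture_time


# Constructed sample: TLS 1.2 client, three suites, SNI + renegotiation_info + elliptic_curves.
SNI = struct.pack(">HBH", 14, 0, 11) + b"example.org"
SAMPLE_HELLO = build_client_hello(
    0x0303, 1386700000, [0xc02b, 0xc02f, 0x009e],
    [(0x0000, SNI), (0xff01, b"\x00"), (0x000a, b"\x00\x02\x00\x17")])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_HELLO)
    print(fingerprint(info))             # 0303|c02b,c02f,009e|0000,ff01,000a
    print(clock_skew(info, 1386700003))  # -3
```

The parser deliberately keeps cipher and extension order rather than sorting them, since the diary observes that order is itself a distinguishing feature. A non-ClientHello record (for example a ServerHello) raises ValueError instead of producing a misleading fingerprint.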

Timestamps

Timestamp fingerprinting was kind of interesting as well. It turns out that most of the times are actually very accurate. Out of a total of 3814 Client Hello messages, 3109 were within 5 seconds. A couple of time stamps were "far outliers" with timestamps in 1970, likely indicating a "time since reboot" instead of the absolute time.

Figure 1: Time difference frequency up to 10 seconds

 

[1] http://www.ietf.org/rfc/rfc2246.txt
[2] http://blog.ivanristic.com/2009/07/examples-of-the-information-collected-from-ssl-handshakes.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Dell's debut of a Chromebook, an inexpensive laptop that runs Google's browser-based Chrome OS, is a sign that the platform has gone mainstream, an analyst argued today.
 

Investigative journalists have exploited a cryptographic weakness in a third-party website commenting service to expose politicians and other Swedish public figures who left highly offensive remarks on right-wing blogs, according to published reports.

People have been warning of the privacy risk posed by Gravatar, short for Globally Recognized Avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes the behind-the-scenes service uses to uniquely identify its users. The Gravatar hashes, which are typically embedded in any comment left on millions of sites that use the avatar service, are generated by passing a user's e-mail address through the MD5 cryptographic function. By running guessed e-mail addresses through the same algorithm and waiting for output that matches those found in comments, it's possible to identify the authors, many of whom believe they are posting anonymously.

According to a post published Wednesday by IDG News, that's precisely the hack the Swedish publication Expressen, working with an investigative journalism group, carried out to expose the public figures who participated in the right-wing forums. According to an English translation of this article: "It is the hatred of immigrants that ties [the participants] together."
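The weakness the article describes is that the Gravatar identifier has no secret input: anyone holding a list of candidate addresses can recompute it. The following added example (not from the article, Gravatar or Expressen) shows the documented computation, an exposure check a site or organisation can run against addresses it already holds, and the keyed alternative that removes offline guessing. All addresses and the key are constructed.

```python
"""Why an unkeyed MD5 of an e-mail address does not anonymise it, and what a
keyed identifier changes. Added example, not from the article or from Gravatar;
the addresses and key below are constructed."""
import hashlib
import hmac


def gravatar_hash(email):
    """Gravatar's documented scheme: MD5 over the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def exposure_check(observed_hashes, known_emails):
    """Defender-side audit: which of the addresses you already hold (say, your
    own organisation's directory) appear among avatar hashes seen on a site.
    The hash can be recomputed from a guess because it has no secret input."""
    table = {gravatar_hash(e): e for e in known_emails}
    return {h: table[h] for h in observed_hashes if h in table}


def keyed_avatar_id(email, key):
    """Mitigation: HMAC-SHA256 under a server-held key. The identifier is still
    stable per user, but a third party cannot test guesses without the key."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed data: a small directory and two hashes as they would appear in comments.
KNOWN_EMAILS = ["alice@example.org", "bob@example.org", "carol@example.org"]
OBSERVED = [gravatar_hash("  Alice@Example.ORG "),        # case/whitespace differ, same hash
            hashlib.md5(b"nobody-in-directory@example.net").hexdigest()]
SERVER_KEY = b"constructed-demo-key-replace-me"       # constructed; a real key is random

if __name__ == "__main__":
    print(exposure_check(OBSERVED, KNOWN_EMAILS))      # alice's hash resolves, the other does not
    print(keyed_avatar_id("alice@example.org", SERVER_KEY))
```

The keyed identifier keeps the property the service needs (one stable value per user, independent of how the address is capitalised) while making the dictionary approach described in the article impossible for anyone who does not hold the key.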


 
Adobe patched several vulnerabilities in its Flash Player and Shockwave Player on Tuesday, including one for which an exploit is already available.
 
With Nokia reportedly working on its own version of Android for use on low-end smartphones, the company needs Google's OS to able to compete in that increasingly important segment of the market, according to Informa principal analyst Malik Saadi.
 
Hewlett Packard is making the case for private and hybrid clouds in Barcelona this week at its annual HP Discover user conference.
 
InstantCMS 'orderby' Parameter SQL Injection Vulnerability
 
Mozilla released Firefox 26, which kicked off a limited form of click-to-play and patched 15 security vulnerabilities, six marked "critical."
 
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities
 
SQL Injection in InstantCMS
 
Ecommerce and online marketing experts share their strategies on how to keep customers coming back after the Christmas rush -- and get new customers during the January doldrums.
 
The browser cookies that online companies use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.
 
LinuxSecurity.com: Several security issues were fixed in Samba.
 
LinuxSecurity.com: An updated Adobe Flash Player package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated php53 and php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
Oracle Java SE CVE-2013-5852 Remote Security Vulnerability
 

We got a couple of reports of pretty convincing Facebook spam redirecting users to malware and a Facebook phishing site.

The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.

Facebook scam message

The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons.

Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos.pw" domain, which uses a wildcard record to resolve to 198.50.202.224 . For example, the URL would look like:

hxxp:// facebook.com .accounts.login.userid.243534.noxxos.pw/awks/  

Due to the size of the URL, and the fact that the host name starts with "facebook.com", it is hard for the victim to realize that this is not a valid Facebook page. 

The fake Facebook page will ask the user for a username and password as well as for a "secret question".

Finally, the site attempts to run a Java applet (likely an exploit, but I haven't analyzed it yet), and the user is sent to a YouTube look-alike page asking the user to download and install an updated "YouTube Player". The player appears to be a generic downloader with mediocre AV detection.

https://www.virustotal.com/en/file/d23456ffeaad7183176e71870957a222d20025a35e8e1070bd81bc7491ab625b/analysis/1386730327/

(was 3/42 when I first saw it. Now 10/42 improved)

As an indicator of compromise, it is probably best right now to look for DNS queries for "noxxos.pw" as well as connections to 198.50.202.224 (which is likely going to change; the server only returns 404 errors right now).
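To turn the indicators above into something that runs against logs, here is an added example (not part of the diary, not ISC code) that scans DNS and proxy log lines for queries under noxxos.pw, connections to 198.50.202.224, and, generalising the diary's point about the host name starting with "facebook.com", any host name that embeds a brand's domain as leading labels without actually ending in it. The log lines, their format and the client addresses are constructed; the host name is the diary's defanged example with the spaces removed.

```python
"""Scan constructed DNS/proxy log lines for the diary's indicators of compromise
and for brand-embedding lookalike host names.

Added example, not from the ISC diary. Log format and client addresses are
constructed; the domain and IP are the indicators the diary lists."""
import re

IOC_DOMAINS = {"noxxos.pw"}          # from the diary (wildcard record, every label matches)
IOC_IPS = {"198.50.202.224"}         # from the diary, which notes it is likely to change
BRAND_DOMAINS = {"facebook.com"}     # brands whose names appear inside lookalike hosts


def in_domain(name, domains):
    """True if `name` is one of `domains` or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def embedded_brand(name, brands):
    """Return a brand whose domain appears as a run of labels inside `name`
    without being its suffix, e.g. facebook.com.accounts.login...noxxos.pw.
    Real brand hosts such as www.facebook.com return None."""
    name = name.rstrip(".").lower()
    for b in brands:
        if name == b or name.endswith("." + b):
            return None
        if ("." + b + ".") in ("." + name + "."):     # label-boundary match only
            return b
    return None


QUERY_RE = re.compile(r"query=(\S+)")
DST_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)")


def scan(lines):
    """Return (line number, source, reason) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if m:
            host = m.group(1)
            if in_domain(host, IOC_DOMAINS):
                hits.append((n, "dns", "query for IOC domain %s" % host))
            brand = embedded_brand(host, BRAND_DOMAINS)
            if brand:
                hits.append((n, "dns", "brand %s embedded in %s" % (brand, host)))
        m = DST_RE.search(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, "net", "connection to IOC address %s" % m.group(1)))
    return hits


# Constructed sample log: two benign lines, three that should trigger.
SAMPLE_LOG = [
    "2013-12-10T21:03:11Z client=10.0.0.5 query=facebook.com.accounts.login.userid.243534.noxxos.pw type=A",
    "2013-12-10T21:03:12Z client=10.0.0.5 dst=198.50.202.224 port=80 method=GET path=/awks/",
    "2013-12-10T21:04:00Z client=10.0.0.9 query=www.facebook.com type=A",
    "2013-12-10T21:04:05Z client=10.0.0.9 dst=203.0.113.7 port=443",
    "2013-12-10T21:05:00Z client=10.0.0.12 query=noxxos.pw type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d [%s] %s" % hit)
```

The brand check is the durable part: the domain and IP will change, as the diary says, but a host name that carries a well-known brand domain somewhere other than its registrable suffix is a pattern worth alerting on regardless of which throwaway domain sits at the end.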

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Disqus is updating its widely used comments platform after a Swedish tabloid exposed politicians and other public figures for allegedly making highly offensive comments on right-wing websites.
 
Oracle Java SE CVE-2013-5844 Remote Security Vulnerability
 
A third-party advertising framework integrated in hundreds of Android apps contains a vulnerability that could allow hackers to steal sensitive information from users' phones, according to security researchers from antivirus firm Bitdefender.
 
The U.S. Federal Communications Commission should limit the amount of spectrum that giant mobile carriers AT&T and Verizon Communications are able to buy in an auction scheduled for mid-2015, some U.S. senators said Tuesday.
 
Dell said it would join a growing market of thin-and-light Chrome OS laptops with the new Chromebook 11, but the system will initially be available only to educational institutions.
 
Twitter has made its direct messaging service easier to use and added the ability to send photos, in an update to the Twitter app for Android and iOS released Tuesday.
 
Cloud adopters face serious risk in the next two years because of the strong possibility that their provider will be acquired or forced out of business, according to Gartner.
 
Single sign-on for all apps -- both cloud and on-premises -- is a big reason to go this route. But cost and customization, especially for very large organizations, can be sticking points.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-6671 Remote Code Execution Vulnerability
 
Festival Server 'LD_LIBRARY_PATH' Insecure Library Loading Arbitrary Code Execution Vulnerability
 
Adobe Flash Player and AIR CVE-2013-5332 Remote Code Execution Vulnerability
 
Dell's latest update to the Compellent Storage Center includes a novel approach to tiered SSDs, but it comes with caveats
 
Xen CVE-2013-4553 Remote Denial of Service Vulnerability
 
Symfony Password Hash Denial Of Service Vulnerability
 
Xen 'hvm_do_hypercall()' Function Local Privilege Escalation Vulnerability
 
Linux Kernel CVE-2013-6405 Memory Leak Multiple Local Information Disclosure Vulnerabilities
 
[security bulletin] HPSBPI02945 rev.1 - HP Officejet Pro 8500 (A909) All-in-One Printer, Cross-Site Scripting (XSS)
 
CORE-2013-1107 - IcoFX Buffer Overflow Vulnerability
 
[security bulletin] HPSBUX02944 rev.1 - HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
 
Android Fragment Injection vulnerability
 
Internet Storm Center Infocon Status