Hackin9

China calls for global hacking rules
The Canberra Times
Chinese Foreign Minister Yang Jiechi (L) leans over to talk with Chinese Premier Wen Jiabao (R) during a summit. Photo: LEE JAE-WON. Hackers breach Reserve Bank. SHANGHAI: China issued a new call on Saturday for international "rules and ...

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A top U.S. official called on China to investigate and stop cyberattacks, which he said pose a growing threat to the countries' economic relationship.
 
3D printing's capabilities in art, sculpture and toys have generated considerable buzz at South by Southwest Interactive over the past few days. But one Austin, Texas-based group has a more controversial application in mind: guns.
 

Reserve Bank hacking raises questions — and false alarm
Crikey
“At no point have these attacks caused the bank's data or information to be lost or its systems to be corrupted,” it said in a statement — and the bank has confirmed to Crikey it meant no “data breach” and no “exfiltration” of data, to use the infosec ...

 
Linux Kernel 'MSR' Driver Local Privilege Escalation Vulnerability
 
Squid 'strHdrAcptLangGetItem()' Function Remote Denial of Service Vulnerability
 
Before you "like" a friend's or company's post on Facebook, think twice. A new study shows that your Facebook "likes" may be far more revealing than you ever thought.
 
The majority of students in computer science department graduate programs are from overseas, and that percentage is rising, according to data from the Computing Research Association.
 
Tripwire said it had acquired nCircle for an undisclosed price, a deal that will meld together two longtime rivals in the security and vulnerability-management industry.
 
Qualcomm has a big, well-funded research and development operation, but its program for commercializing new innovations is still a learning experience for the wireless chip maker.
 
U.S. government agencies will need the help of companies while developing a set of cybersecurity standards that President Barack Obama has called for in an executive order signed last month, administration officials said.
 
Video: Troy Lange discusses the issues thwarting BYOD at the NSA, and talks about promising mobile security technologies like hardware root of trust.

 
Concerns about the economy and budget battles on Capitol Hill have put a damper on the IT job scene, but not enough to thwart expansion.
 
Sepaton today announced its latest update to its enterprise-class data backup appliance, which almost doubles performance and increases connectivity by 2X over its predecessor.
 
Harvard University officials scrambled Monday to contain the fallout from a damaging report in The Boston Globe over the weekend disclosing how administrators secretly accessed email accounts belonging to 16 resident deans at the university.
 
A screenshot from Jeremi Gosney showing passwords cracked by the ocl-Hashcat-plus program.

Zoosk.com, an online dating service with about 15 million unique visitors each month, is requiring some users to reset their passwords. The move comes after someone published a list of cryptographically protected passcodes that may have been used by subscribers to the website.

In the past, the San Francisco-based company has said it has more than 50 million users. With this dump, a small but statistically significant percentage of the 29-million-strong password list contained the word "zoosk," an indication that at least some of the credentials may have originated with the dating site. Jeremi Gosney, a password expert at Stricture Consulting Group, said he cracked more than 90 percent of the passwords and found almost 3,000 had links to Zoosk. The cracked passcodes included phrases such as "logmein2zoosk," "zoosk password," "myzooskpass," "@zoosk," "zoosk4me," "ilovezoosk," "flirtzoosk," "zooskmail."

Other passwords contained strings such as "flirt," "lookingforlove," "lookingforguys," and "lookingforsex," another indication that they were used to access accounts at one or more dating websites. Many users choose passwords containing names, phrases, or topics related to the specific website or generic type of service they're used to access. In December, Ars profiled a 25-GPU cluster system Gosney built that's capable of trying every possible Windows passcode in the typical enterprise in less than six hours.


 
Multiple Vendor Products 'ZeroClipboard10.swf' Cross Site Scripting Vulnerability
 
Microsoft on Monday kicked off a two-month promotion that gives college students Office 365 for up to six months free of charge.
 
Before an official pair has even been released, a Seattle cafe has banned customers from wearing Google's computerized eye glasses inside the business.
 
At 2:46 Monday afternoon, Japan went quiet.
 
Engenius Technologies announced a new line of weatherized 802.11n access points and bridges suitable for mounting in outdoor locations.
 
With companies running lean and mean, professional development has increasingly become an individual sport. IT workers have learned to fend for themselves to develop needed skills and gain new mindsets for managing more effectively and adding more value to the workplace.
 
You have great IT skills and impressive technology experience, but if you don't present your background effectively in your resume, your career may be going nowhere. To help position yourself for success, we talked to career experts to identify the 15 most common resumes mistakes. And now we can offer advice on how to fix them.
 

Rule validation should be on every list of checks. Ideally it is repeated with every rule change, but that often does not scale. At a minimum, Access Control Lists and firewall rules must be tested when implementing dual stack. Here is the story:

A little over four years ago I started my journey with IPv6, to the point of setting up tunneling at home, and getting my entire home network IPv6 enabled. This was actually quite simple with Tunnel Broker [1]. The interesting part of this story comes in when you take a look at how dual stack works and firewall traffic. To make a long story short, I did not test the home firewall and discovered that it routed tunneled traffic but did not filter the tunneled traffic (big thanks to Dr J, whom I was testing with at the time, for pointing this out).

For the record, my open network gap was only about 15 minutes, but let's make sure that yours is 0 minutes.

Talking about dual stack: some applications handle IPv6 packets in a separate process and hand them to the main application process, while others handle both protocols in one process on one socket. A socket bound to an IPv6 address with the IPV6_V6ONLY option cleared also accepts IPv4 connections, and the IPv4 peer is presented to the application as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), so any address-based access control in the application has to recognise that form. If I recall correctly, Samba 4.x does it this way; check your manuals and developer threads for specifics [2], and be sure to understand how internet-facing applications bind their stacks!
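An added example, not part of the original diary, of the access-control consequence of that binding. It opens one AF_INET6 socket with IPV6_V6ONLY cleared, connects to it over plain IPv4 on loopback, and shows that the server sees the client as ::ffff:127.0.0.1; an allow- or deny-list that compares address strings will then miss it, while one that folds IPv4-mapped addresses back to IPv4 does not. The address lists and the loopback demo are constructed for illustration, and the ACL helpers are mine, not Samba's or any product's.

```python
import ipaddress
import socket
from typing import Iterable


def canonical_peer(addr: str):
    """Reduce a peer address to the form an ACL should be evaluated against.

    An IPv4 client arriving on a dual-stack (IPV6_V6ONLY=0) socket is reported
    as ::ffff:a.b.c.d; an ACL written in terms of a.b.c.d must see a.b.c.d.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_allows(peer: str, allow: Iterable[str]) -> bool:
    """String-compare allow-list: the common bug. Misses IPv4 clients on a dual-stack socket."""
    return peer in list(allow)


def acl_allows(peer: str, allow: Iterable[str]) -> bool:
    """Allow-list evaluated on the canonical address; entries may be hosts or CIDR prefixes."""
    ip = canonical_peer(peer)
    # 'ip in network' is False across address families, so a v6 peer never matches a v4 entry.
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allow)


def acl_denies(peer: str, deny: Iterable[str]) -> bool:
    """Deny-list evaluated the same way; a string-compare deny-list would be bypassed by ::ffff:."""
    ip = canonical_peer(peer)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in deny)


def dual_stack_peer_demo() -> str:
    """Bind one IPv6 socket that also accepts IPv4, connect to it over plain IPv4 on
    loopback, and return the peer address string the server sees ('::ffff:127.0.0.1').
    Needs IPv6 enabled on the host; constructed demo, nothing leaves the machine."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)   # accept IPv4 too
    srv.bind(("::", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))          # plain IPv4 client
    conn, peer = srv.accept()
    conn.close()
    cli.close()
    srv.close()
    return peer[0]


if __name__ == "__main__":
    seen = dual_stack_peer_demo()
    print("dual-stack socket saw the IPv4 client as", seen)
    print("string-compare ACL allows 127.0.0.1?", naive_allows(seen, ["127.0.0.1"]))
    print("canonical ACL allows 127.0.0.1?      ", acl_allows(seen, ["127.0.0.1"]))
```

Run it as a script to see the mapped peer address; the ACL functions are pure and can be dropped into any allow/deny check. The same folding is needed on the firewall side when host-based rules are written for IPv4 addresses but the listener is a dual-stack socket.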

What can we do about it? Well, what I do is fire up Scapy [3] on one end and netcat [4] on the other, and transmit traffic across the firewall boundary.
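As an added illustration of what that cross-boundary test is looking for (my own code, not the author's lab setup or part of the diary), here is a 6in4 packet built by hand and run through two toy rule sets: one that only reads the outer IPv4 header, which is the behaviour described above, and one that decapsulates protocol 41 and holds the inner IPv6 packet to the same inbound policy. The tunnel endpoint, the allowed-port policy and the packets are constructed sample values in documentation address ranges; nothing is sent on the wire.

```python
import ipaddress
import struct

PROTO_TCP = 6
PROTO_ICMPV6 = 58
PROTO_IPV6_ENCAP = 41                    # 6in4 (RFC 4213): IPv6 carried directly in IPv4
TUNNEL_ENDPOINT_V4 = "203.0.113.10"      # assumed: our side of the tunnel (documentation range)
ALLOWED_INBOUND_TCP = {22, 443}          # assumed site policy, meant to apply to v4 and v6 alike


def _ipv4_header(src, dst, proto, payload_len):
    # 20-byte header, no options, checksum left at zero (constructed sample)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _ipv6_header(src, dst, next_header, payload_len):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def _tcp_syn(sport, dport):
    # 20-byte TCP header with only SYN set, checksum zero (constructed sample, never sent)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_ipv4_syn(src4, dst4, dport, sport=40000):
    tcp = _tcp_syn(sport, dport)
    return _ipv4_header(src4, dst4, PROTO_TCP, len(tcp)) + tcp


def build_6in4_syn(src4, dst4, src6, dst6, dport, sport=40000):
    tcp = _tcp_syn(sport, dport)
    inner = _ipv6_header(src6, dst6, PROTO_TCP, len(tcp)) + tcp
    return _ipv4_header(src4, dst4, PROTO_IPV6_ENCAP, len(inner)) + inner


def _ihl(pkt):
    return (pkt[0] & 0x0F) * 4


def tcp_dport(segment):
    return struct.unpack("!H", segment[2:4])[0] if len(segment) >= 4 else None


def decap_6in4(pkt):
    """Return (inner_src6, inner_dst6, next_header, tcp_dport) for a protocol-41 packet, else None."""
    if (pkt[0] >> 4) != 4 or pkt[9] != PROTO_IPV6_ENCAP:
        return None
    inner = pkt[_ihl(pkt):]
    if len(inner) < 40 or (inner[0] >> 4) != 6:
        return None
    nh = inner[6]
    src6 = ipaddress.IPv6Address(inner[8:24])
    dst6 = ipaddress.IPv6Address(inner[24:40])
    dport = tcp_dport(inner[40:]) if nh == PROTO_TCP else None
    return src6, dst6, nh, dport


def ipv4_only_filter(pkt):
    """The rule set that bit the author: filters IPv4 TCP, permits protocol 41 to the
    tunnel endpoint so the tunnel works, and never looks inside it."""
    proto = pkt[9]
    dst4 = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == PROTO_IPV6_ENCAP and dst4 == TUNNEL_ENDPOINT_V4:
        return "ACCEPT"
    if proto == PROTO_TCP:
        return "ACCEPT" if tcp_dport(pkt[_ihl(pkt):]) in ALLOWED_INBOUND_TCP else "DROP"
    return "DROP"


def dual_stack_filter(pkt):
    """Same outer rules, but protocol 41 is decapsulated and the inner IPv6 packet
    is held to the same inbound TCP policy."""
    if pkt[9] != PROTO_IPV6_ENCAP:
        return ipv4_only_filter(pkt)
    if str(ipaddress.IPv4Address(pkt[16:20])) != TUNNEL_ENDPOINT_V4:
        return "DROP"                     # protocol 41 to anything but our endpoint
    inner = decap_6in4(pkt)
    if inner is None:
        return "DROP"                     # malformed or truncated inner header
    _, _, nh, dport = inner
    if nh == PROTO_TCP:
        return "ACCEPT" if dport in ALLOWED_INBOUND_TCP else "DROP"
    if nh == PROTO_ICMPV6:
        return "ACCEPT"                   # ND and PMTUD need it; real rule sets filter by type
    return "DROP"


if __name__ == "__main__":
    smb_over_tunnel = build_6in4_syn("198.51.100.1", TUNNEL_ENDPOINT_V4,
                                     "2001:db8::1", "2001:db8:1::10", 445)
    print("outer-only rules :", ipv4_only_filter(smb_over_tunnel))   # ACCEPT: the gap
    print("dual-stack rules :", dual_stack_filter(smb_over_tunnel))  # DROP
```

The first verdict is the 15-minute gap in the story: the IPv4 rules are doing their job on native IPv4, the tunnel is permitted so it works, and everything inside it rides through. When you send with Scapy and listen with netcat, the thing to check is that a connection the IPv4 policy would refuse is also refused when it arrives inside protocol 41.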

There is an RFC-defined address range you can use internally or in a lab to test this process, and it works on most virtual machine setups: Unique Local Addresses (ULA), fc00::/7 [5]. They are a rough analog of RFC 1918 private addresses, with one difference worth keeping in mind: there is no NAT convention, so the RFC expects site border routers to filter fc00::/7 in both directions. They let you set up fully routable internal IPv6 networks for testing, ESPECIALLY firewalls and ACLs.

From RFC 4193:


Local IPv6 unicast addresses have the following characteristics:

Globally unique prefix (with high probability of uniqueness).

Well-known prefix to allow for easy filtering at site boundaries.

Allow sites to be combined or privately interconnected without creating any address conflicts or requiring renumbering of interfaces that use these prefixes.

Internet Service Provider independent and can be used for communications inside of a site without having any permanent or intermittent Internet connectivity.

If accidentally leaked outside of a site via routing or DNS, there is no conflict with any other addresses. (IPv6 Focus Month Note: that is if the ULA address generation process is followed)

In practice, applications may treat these addresses like global scoped addresses.
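An added worked example of the generation process that note refers to (my code, written from RFC 4193 section 3.2.2, not taken from the diary or the RFC): a modified EUI-64 is derived from a MAC address, concatenated with a 64-bit NTP timestamp, hashed with SHA-1, and the low 40 bits of the digest become the Global ID behind fd00::/8, giving a /48 to carve lab /64s out of. The MAC address and timestamp below are constructed inputs; on a real system you would use the generating host's own values.

```python
import hashlib
import ipaddress
import itertools
import struct

ULA_RANGE = ipaddress.ip_network("fc00::/7")
NTP_EPOCH_OFFSET = 2208988800            # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit, insert ff:fe."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: seconds since 1900 in the high 32 bits, fraction in the low 32."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def ula_prefix(eui64: bytes, ntp_ts: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1 over (time || EUI-64); least significant 40 bits are the
    Global ID; fc00::/7 with L=1 (0xfd) in front of it yields the site's /48."""
    digest = hashlib.sha1(ntp_ts + eui64).digest()
    global_id = digest[-5:]                       # low 40 bits of the 160-bit digest
    prefix_bytes = b"\xfd" + global_id + bytes(10)  # subnet ID and interface ID zeroed
    return ipaddress.IPv6Network((int.from_bytes(prefix_bytes, "big"), 48))


def is_ula(x) -> bool:
    """True for an address or prefix inside fc00::/7."""
    if isinstance(x, ipaddress.IPv6Network):
        return x.subnet_of(ULA_RANGE)
    return ipaddress.ip_address(x) in ULA_RANGE


def lab_subnets(prefix: ipaddress.IPv6Network, count: int):
    """First `count` /64s of the site prefix, e.g. one per lab VLAN or VM network."""
    return list(itertools.islice(prefix.subnets(new_prefix=64), count))


if __name__ == "__main__":
    eui = eui64_from_mac("00:11:22:33:44:55")       # constructed MAC
    site = ula_prefix(eui, ntp_timestamp(1362960000.0))   # constructed timestamp
    print("site prefix :", site)
    for net in lab_subnets(site, 3):
        print("lab /64     :", net)
```

The pseudo-random Global ID is the whole point of the note above: two sites that both followed the process can be merged or VPN-connected later without renumbering, whereas two sites that both hand-picked fd00:1::/48 will collide the day they connect.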




Check back later this week for part 2, which will have the demonstration on how I test along with some downloadable Virtual Machines for your own labs.



[1] http://tunnelbroker.net/

[2] http://www.samba.org/samba/docs/

[3] http://www.secdev.org/projects/scapy/

[4] http://netcat.sourceforge.net/

[5] https://tools.ietf.org/html/rfc4193



Richard Porter

--- ISC Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
A nearly two-year-long, ugly legal battle between Oracle and Montclair State University over a troubled PeopleSoft ERP (enterprise resource planning) project has ended in a settlement both sides are calling amicable.
 

Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report.

Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, an OS X protection that allows end users to tightly control which sources are permitted to install apps, according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as Linux printing software known as cupsd, although it runs from a different location than the legitimate title. It's unclear exactly how the malware gets around Gatekeeper.

Once installed, Pintsized establishes a reverse shell to a command and control server controlled by the attackers. It uses a modified version of the OpenSSH utility to encrypt traffic, a measure that can help it remain undetected on infected networks. One of the domain names that hosted such a server was corp-aapl.com. It caught the attention of members of Facebook's security team, tipping them off that there was an infected machine inside their network. When they later took control of the domain, they discovered multiple other companies were also compromised by the same attackers. Around the same time, Apple, Twitter, and Microsoft were also hit with attacks that meet the same pattern.


 
AthCon 2013 Rev. Challenge 2013
 
SEC Consult SA-20130311-0 :: Persistent cross-site scripting in jforum
 
Host tracking in IPv6 (SI6 Networks' IPv6 toolkit v1.3.3)
 
Privoxy Proxy Authentication Credential Exposure - CVE-2013-2503
 
Dell on Monday said it had signed a confidentiality agreement with investor Carl Icahn, who has vocally opposed the company's proposed plan to be acquired for $24.4 billion in a leveraged buyout.
 
AT&T will sell the BlackBerry Z10 touchscreen smartphone on March 22 for $199.99 with a two-year contract, the carrier confirmed.
 
Multiple HP LaserJet Pro Printers CVE-2012-5215 Unspecified Information Disclosure Vulnerability
 
[ISecAuditors Security Advisories] Reflected XSS in Asteriskguru Queue Statistics
 
OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
 

Career Watch: Master's of infosec students don't wait for degree to get jobs
Computerworld Australia
IT-related academic programs tend to be judged on how well getting a degree correlates with getting a job. On that basis, Indiana University's Master of Science in Security Informatics program is beyond successful. Many of its students get job offers ...

 


 


 
Mozilla won't be building Firefox for iOS unless Apple changes its rules, a company executive said Saturday.
 
Finding the right business tablet can be a daunting task. Do you want a 7-inch display or a 10 inch? Built-in keyboard? Snap-on keyboard? Which operating system? What apps? How about ruggedness, style, battery life, price?
 

Video: Josh Corman on why the infosec community doesn't control the story
CSO (blog)
Each year at RSA Conference, David Spark does a series of video interviews for the blog of security vendor Tripwire. His approach is particularly creative and I love watching them after the show. With his permission and that of Tripwire, I always run ...

 
Infor, the software industry's third-largest ERP vendor after SAP and Oracle, has been building out its own underlying technology platform in a bid to gain more revenue as well as provide customers with easier integration and system management. The company maintains that strategy is clicking as its ION middleware has become the fastest-growing product in the vendor's history.
 
Apple's App Store app used to connect to Apple's server through unencrypted connections. Despite being told what an attacker could do to these connections, it took Apple six months to close the vulnerability.


 
Linux Kernel 'SCTP_GET_ASSOC_STATS()' Stack-Based Buffer Overflow Vulnerability
 
Linux Kernel CVE-2013-1825 Multiple Local Information Disclosure Vulnerabilities
 
Linux Kernel CVE-2013-1792 Local Denial of Service Vulnerability
 

Brisbane Times

Hackers breach Reserve Bank
Brisbane Times
Hackers took six RBA staff computers for a spin, but no information was stolen, the bank said. Photo: AFR. Hackers penetrated computers at the Reserve Bank of Australia in a "highly targeted" and "plausible" email phishing scam targeting employees.

 
Last year, Apple surprised developers and analysts alike by debuting a preview of OS X Mountain Lion, then announcing it was shifting to an annual release schedule for its Mac operating system.
 
Chinese e-commerce giant Alibaba Group named its new CEO to replace Jack Ma, choosing from within its ranks long-time company executive Jonathan Lu, who will start in his new role on May 10.
 
ST-Ericsson CEO Didier Lamouche has decided to resign from his post as owner Ericsson looks for a way to ensure its future.
 
The recent RSA conference in San Francisco was awash in talk of big data, but it was clear there was some disagreement about what people mean by big data and some outright skepticism about it being the answer.
 
libproxy 'print_proxies()' Function Format String Vulnerability
 
Perl CVE-2013-1667 Input Rehashing Denial of Service Vulnerability
 
Meet Greg Taffet, CIO at U.S Gas & Electric. He contributes his time and skills to expanding access to technology in his Florida community.
 
Geeks are often told that they are annoyingly literal, which they find confusing and unfair. But their colleagues have another way of listening.
 
Blame Apple's aesthetic: Even the stodgiest enterprise shops are engaging user experience experts who can design logical, beautiful interfaces for mobile computing's limited spaces.
 
Burger King saw a surprising upside after its Twitter stream was recently compromised: Tens of thousands of people began following its account.
 
Software engineers are using Intel tools to explore new ways people can use their voices, hand gestures and head-and-eye movements to operate computers.
 
For IT leaders, the two biggest looming challenges are learning to think outrageously and to be brutally honest.
 
Samsung's next-gen Galaxy S4 smartphone, to be unveiled Thursday in New York City, will reportedly have a larger display with ultra-high resolution, a faster processor, and Eye Scroll software that tracks a user's eyes to determine when to scroll through pages on the display.
 
Off-the-shelf consumer devices are showing up in some of the most precarious of workplaces, such as the toolboxes of technicians working on massive wind turbines run by Florida utility NextEra Energy.
 
Many students never even finish Indiana University's Master of Science in Security Informatics program, having gotten job offers they couldn't refuse.
 
Out of the blue, phishing attacks previously caught in the spam filter are getting through to employee inboxes.
 
Google says no one managed to defeat the defences of ChromeOS despite $3.14159 million being up for grabs at the Pwnium contest.


 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0787 Remote Code Execution Vulnerability
 
FreeIPA CVE-2012-4546 Certificate Revocation List Security Vulnerability
 


 
From the No Good Deed Goes Unpunished Department: Security experts trying to tell a Pennsylvania hospital that a pile of its sensitive data belonging to staff -- and possibly patients -- was sitting exposed on the Internet were stymied for five days recently by the fact that no one at the medical facility would respond to their repeated warnings.
 

Sydney Morning Herald

China calls for global hacking rules
Sydney Morning Herald
Hackers breach Reserve Bank. SHANGHAI: China issued a new call on Saturday for international "rules and cooperation" on internet espionage issues, while insisting that allegations of Chinese government involvement in recent hacking attacks were ...

 

 

Posted by InfoSec News on Mar 10

http://arstechnica.com/security/2013/03/pwn2own-carnage-continues-as-exploits-take-down-adobe-reader-flash/

By Dan Goodin
Ars Technica
March 8, 2013

Thursday was another grim day for Internet security as contestants at the
Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash
programs, allowing them to take full control of the computers they ran on.
Oracle's Java was also, once again, felled.

The exploits, which...
 

Posted by InfoSec News on Mar 10

http://www.washingtontimes.com/news/2013/mar/10/obama-rejected-tough-options-countering-chinese-cy/

By Bill Gertz
The Washington Free Beacon Sunday
March 10, 2013

President Obama two years ago rejected a series of tough actions against China,
including counter-cyber attacks and economic sanctions, for Beijing’s
aggressive campaign of cyber espionage against the U.S. government and private
businesses networks, according to administration...
 

Posted by InfoSec News on Mar 10

http://www.thejakartaglobe.com/home/tifatul-names-4-countries-as-sources-of-hackers-attacking-indonesian-govt-sites/579085

Jakarta Globe
March 11, 2013

Communications and Information Technology Minister Tifatul Sembiring has named
four countries as sources of hackers who have attacked Indonesian government
websites, a report said on Monday.

Tifatul was quoted by Indonesian news portal Tempo.co as saying that the
hackers who have attacked...
 

Posted by InfoSec News on Mar 10

http://www.monitor.co.ug/News/National/Forensics-lab-for-computer-crime-opened-in-Kampala/-/688334/1716526/-/1590cm1z/-/index.html

By Stephen Otage
Daily Monitor
March 11, 2013

With computer aided theft now becoming rampant in the country, a private
hacking forensics consulting company has opened a laboratory to train Ugandans
in cyber security.

According to Mr Mustapha Mugisa, one of the consultants at Summit Consulting,
their forensics...
 

Posted by InfoSec News on Mar 10

http://www.theage.com.au/it-pro/security-it/hackers-breach-reserve-bank-20130311-2fv8i.html

By Lia Timson
IT Pro Editor
March 11, 2013

Hackers penetrated computers at the Reserve Bank of Australia in a "highly
targeted" and "plausible" email phishing scam targeting employees.

The incident, reported in the Australian Financial Review on Monday, took place
in November 2011. Details of the attack were included in a FoI...
 