InfoSec News

Adobe Flash Player 'BitmapData.scroll' Remote Integer Overflow Vulnerability
Linux Kernel eCryptfs Multiple Vulnerabilities
WordPress Multiple Unspecified Remote Vulnerabilities
EFS Software Easy Chat Server Authentication Request Handling Remote Buffer Overflow Vulnerability
iDefense Security Advisory 08.09.11: Adobe Flash Player Integer Overflow
iDefense Security Advisory 08.09.11: Adobe Flash Player ActionScript Display Memory Corruption Vulnerability
CA20110809-01: Security Notice for CA ARCserve D2D
[oCERT-2011-002] libavcodec insufficient boundary check
PCI DSS tokenization can reduce the scope of a PCI assessment, according to new guidance issued Friday. One expert says it’s been a long time coming.

A bug in the BlackBerry Mobile Data Service (MDS) Connection Service component could potentially be used to gain network access.

The research firm says corporate privacy policy requirements are outdated, due to new technology and legislation, and should be revisited now.


At last week’s Black Hat 2011 conference, the Central Intelligence Agency’s former director of operations, Cofer Black, made the claim that the security community has a unique opportunity to influence and educate government decision makers about cybersecurity because awareness of the issue among power players in Washington has never been higher.

Proof of Black’s point has perhaps never been more evident than it was Thursday night during the Republican presidential debate. During the lively two-hour debate, which aired on Fox News Channel, moderator Bret Baier of FNC asked presidential candidate Jon Huntsman, former Utah governor and former ambassador to China under President Barack Obama, whether he would consider cyberattacks acts of war.

In his question, Baier seemed to reference Operation Shady RAT, the McAfee Inc. research effort revealed last week that led to the identification of 72 compromised, intruded parties, all relevant to the national security posture of the U.S. or other nations, broken down into 32 unique organization categories in 14 different countries over a five-year period. While McAfee’s report stops short of naming China as the perpetrator or addressing the China cyberwar issue specifically, experts believe China to be the source behind the attacks, which involved the theft of closely guarded and classified national secrets, negotiation plans and exploration details for new oil and gas field auctions, SCADA configurations, design schematics and numerous other pieces of sensitive information. Of course, speculation in the industry has been rampant for years that China has been behind numerous other cyberattacks.

“Absolutely,” Huntsman said in response to whether a cyberattack should be considered an act of war. “This is the new warfield.” He added that the U.S. should use the cyberespionage issue as not only an economic development tool, but also a national security tool to improve early warning capabilities, safeguards and countermeasures.

“We need a strategic dialogue at the highest levels between the United States and China. That is not happening,” Huntsman said. “This is a relationship – the United States and China – we are both on the world stage. As far as you can see into the 21st century, we are going to have to deal with the Chinese. We better get it right.”


The update to the Microsoft Malicious Software Removal Tool (MSRT) includes the removal of FakeSysdef, a pesky Trojan that poses as a system performance tool.

Microsoft has bolstered its Malicious Software Removal Tool this month to include a signature that detects and removes FakeSysdef, a Trojan that has been successfully tricking people by posing as a system performance tool. According to engineers at Microsoft’s Malware Protection Center blog, the Trojan masqueraded as a program called System Defragmenter last December. It’s also surfaced under different names including Scan Disk and Check Disk.

Victims run across the program in poisoned search engine results. As Microsoft explains, the malware spread fairly easily thanks to the multitude of exploit toolkits that have search engine poisoning built in as a feature.

Creators of the Trojan and rogue security software are notorious for using exploit kits and “search result poisoning”, or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users that search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes

The bad news for victims is that the Trojan can be really pesky. If the message to purchase performance improvements is ignored, the malware “reboots the machine repeatedly until they activate the fake fix.”

FakeSysdef is very much like rogue antivirus programs, which latch onto potential victims by poisoning search engine results. We’ve been keeping track of the highs and lows of rogue antivirus. Brian Krebs of KrebsonSecurity reported last month that international law enforcement was making some headway against Russian cybercriminal gangs peddling rogue antivirus.

There’s no doubt that the game of whack-a-mole will continue in this area.


"Anonymous" vows to "kill" Facebook
CBS News
Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria. Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, ...

BlackBerry issued a critical update affecting components that process images on a BlackBerry Enterprise Server, which could allow remote code execution when processing PNG and TIFF images for rendering on a smartphone. These vulnerabilities have been assigned a Common Vulnerability Scoring System (CVSS) score of 10.0 (high severity). The following CVEs have been assigned: CVE-2010-1205, CVE-2010-3087, CVE-2010-2595, CVE-2011-0192, CVE-2011-1167.
BlackBerry recommends applying the fix. These updates replace the installed image.dll file that the affected components use with an image.dll file that is not affected by the vulnerabilities.[1]
The advisory has a complete list of affected products and is posted here.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
We got a number of submissions pointing to today's XKCD cartoon [1]. I think the cartoon is great, and illustrates a nice dilemma in password security. Yes, I know passwords don't work, but we still all use them and we still have to come up with reasonable passwords.
Even if you are using a password safe tool that comes up with new random passwords for each application and website, you still need to remember the password for the password safe, and there are a few applications (e.g. logging in to your system) that can't be covered by a password safe.
The basic dilemma is that you need to come up with a password that is hard for others to guess but easy enough for you to remember. Most password policies try to enforce a hard-to-guess password by forcing you to extend the range of characters from which you pick (upper- and lower-case letters, numbers, special characters). However, in real life, this may actually reduce the space of memorable passwords, or the total number of possible passwords.
Pass phrases, as suggested by the cartoon, are one solution. But once an attacker knows that you use a pass phrase, the key space is all of a sudden limited again. There has been some research showing that a library of 3-word phrases pulled from Wikipedia makes a decent dictionary to crack these passwords.
The quality of a password is usually expressed in bits of entropy. The bits of entropy are calculated as the number of bits it would take to represent all possible passwords. Let's look at some common schemes:
- a 4-digit PIN: 10,000 possible passwords, or 13.3 bits (log2(10,000) = 13.3)
- 12 characters using the full 95-character ASCII set: 5.4 × 10^23 possible passwords, or 78.8 bits (this is the current NIST recommendation)
Pass phrases are harder to evaluate. It depends on the size of the user's vocabulary, and of course the constraints of grammar. People will likely not choose random words, but a phrase that makes some sense to them. One model that can be used to obtain a passphrase is called Diceware, but it assumes random phrases drawn from 6^5 words (7,776). If you consider Diceware's 7,776 words, you would need 6 words to arrive at about the same strength, 77.5 bits, close to what NIST asks for.
What it all comes down to: how are people actually selecting passwords? People make pretty bad random number generators, in particular if you ask them to remember the result. A good password cracking algorithm takes this into account and tailors the password list based on the password requirements and the target's background. For example, for web application pen testing, the simple Ruby script cewl will create a custom password list from words it finds on the target's website. In past tests, I was easily able to double my password cracking success using this technique compared with normal dictionaries.
In order to solve this, we need to figure out what passwords people really use. How about asking them for their password and offering them a candy bar in return :). And then there is always another XKCD cartoon for you [2].
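The entropy figures in the diary above, worked through as an added example (this is not code from the ISC diary or from Diceware): `entropy_bits` computes log2 of the key space for any alphabet size and length, `words_for_target` inverts it for Diceware-style phrases, and `attacker_model_gap` shows the diary's point that a passphrase scored as "random letters" looks far stronger than the same phrase scored by an attacker who knows it is a few dictionary words. The scheme sizes are the diary's own numbers; the 10,000-word vocabulary for the "3 common words" row is an assumed size.

```python
import math

# Added example, not from the ISC diary. Scheme sizes are the diary's numbers
# except the 10,000-word vocabulary, which is an assumed size for a
# "3 common words" guessing model.


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password made of `length` symbols, each drawn
    uniformly from an alphabet of `alphabet_size` symbols, i.e.
    log2(alphabet_size ** length), computed as length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Exact number of distinct passwords the scheme can produce."""
    return alphabet_size ** length


def words_for_target(vocabulary_size: int, target_bits: float) -> int:
    """Fewest uniformly chosen words from a `vocabulary_size`-word list needed
    to reach at least `target_bits` of entropy (Diceware-style phrase)."""
    if vocabulary_size < 2:
        raise ValueError("vocabulary must have at least 2 words")
    return math.ceil(target_bits / math.log2(vocabulary_size))


# (alphabet or vocabulary size, number of symbols or words) per scheme
SCHEMES = {
    "4-digit PIN": (10, 4),
    "12 chars from the 95 printable ASCII characters (NIST)": (95, 12),
    "6 Diceware words (7,776-word list)": (7776, 6),
    "3 common words (assumed 10,000-word vocabulary)": (10000, 3),
}


def scheme_table() -> dict:
    """Map each scheme name to its entropy, rounded to one decimal place."""
    return {name: round(entropy_bits(size, count), 1)
            for name, (size, count) in SCHEMES.items()}


def attacker_model_gap(phrase: str, word_count: int, vocabulary_size: int) -> tuple:
    """Score one lowercase passphrase two ways and return (naive_bits, informed_bits):
    naive    - attacker treats it as len(phrase) random lowercase letters (26 ** n)
    informed - attacker knows it is `word_count` words from a `vocabulary_size` list"""
    if not phrase.isalpha() or not phrase.islower():
        raise ValueError("this model only covers lowercase, letter-only phrases")
    naive = entropy_bits(26, len(phrase))
    informed = entropy_bits(vocabulary_size, word_count)
    return round(naive, 1), round(informed, 1)


if __name__ == "__main__":
    for name, bits in scheme_table().items():
        print(f"{bits:6.1f} bits  {name}")
    print("Diceware words needed for 78.8 bits:", words_for_target(7776, 78.8))
    # the cartoon's phrase, scored both ways (constructed input)
    print("correcthorsebatterystaple:",
          attacker_model_gap("correcthorsebatterystaple", 4, 7776))
```

The informed estimate is the one that matters for policy: once the attacker's dictionary matches the user's selection process, the extra letters in a passphrase add nothing, which is exactly why a tailored word list (as with cewl) outperforms a generic one.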



Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Samba just released a new version which includes some major enhancements:
- Default authentication changed to NTLMv2, with better CIFS/Kerberos support
- SMB2 support is fully functional but deactivated by default (see release notes)
- Overhaul of the spoolss (print spooler) code
- ID mapping has been rewritten
- Endpoint Mapper requires more testing and is deactivated by default (see release notes)
- SMB Traffic Analyzer has been added
- A new NFS quota backend for Linux has been added (based on code already in Solaris/FreeBSD)
A complete list of changes can be viewed here and the new tarball can be downloaded here.




Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Community SANS SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Anonymous threatens Facebook with Guy Fawkes Day attack
CBS News
Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria," the news release detailed. One of the scariest quotes from Anonymous' message is when they stated: "This is our world now. ...
Anonymous: Facebook's going down November 5 (CNET blog)
Anonymous To "Destroy" Facebook On 5th
Anonymous vows to 'destroy' Facebook on Nov 5 (GMANews.TV)
AMD is looking at tax and software costs as it looks for ways to reduce the number of its data centers.
The National Institute of Standards and Technology (NIST) today issued for public comment a draft strategic plan for the National Initiative for Cybersecurity Education (NICE) program. The plan, 'Building a Digital Nation,' ...
The agency that runs the commuter trains that rumble beneath San Francisco each day hit the panic button Thursday night, cutting off mobile-phone service to hundreds of thousands of commuters in an effort to thwart a protest that was expected to snarl up the evening commute.
A lot of the software written for Google's Android mobile phones falls short when it comes to user privacy and security.
Sprint has decided not to offer a WiMax version of the BlackBerry PlayBook, the company said Friday.
U.S. stock markets edged up for the day Friday afternoon, but fears of an economic slowdown and concerns about the debt crisis in Europe caused technology stocks to seesaw wildly along with shares of companies in other sectors this week.
Internet-enabled devices like Apple's iPad and even TVs and video game consoles are set to blow past PC shipments in 2013, according to IHS iSuppli.
Google+ took a big swing at its most prominent competitor this week when it added gaming to the fledgling site.
IT is inadequately prepared to fully exploit the opportunity that all those consumer devices in the workplace represent.
The latest trend (or over-hyped term, if you like) is "consumerization of IT." As with cloud computing, the term is somewhat ambiguous and is applied to a number of things that are recognizably related, but which differ in details.
People who make, buy and sell flash storage could detect counterfeit products based on the unique "fingerprints" of the chips, using techniques being developed by university researchers.

Posted by InfoSec News on Aug 10

By Ericka Chickowski
Contributing Editor
Dark Reading
Aug 05, 2011

BLACK HAT USA 2011 -- Las Vegas -- A security researcher at Black Hat
yesterday demonstrated how a hacker could remotely turn off a diabetic
person's insulin pump without his knowledge. The findings came after
months of research delving into the security of the portable...

Posted by InfoSec News on Aug 10

By Charles Babcock
August 09, 2011

A lightning strike in Dublin, Ireland knocked Amazon's European cloud
services offline Sunday and some customers were expected to be down for
up to two days.

Amazon needed disaster recovery capability with live data replication to
be in place for many customers to avoid being caught in the outage.


Posted by InfoSec News on Aug 10

By Robert McMillan
IDG News Service
August 9, 2011

A July cyberattack on Booz Allen Hamilton will not materially harm the
company's bottom line, its CEO said Tuesday.

The Anonymous hacking collective stole source code, e-mail addresses and
other data from Booz Allen and published it online on July 11. Still,
the company does not expect...

Posted by InfoSec News on Aug 10

By Declan McCullagh
Privacy, Inc.
CNet News
August 9, 2011

Expensive high-tech digital radios used by the FBI, Secret Service, and
Homeland Security are designed so poorly that they can be jammed by a
$30 children's toy, CNET has learned.

A GirlTech IMME, Mattel's pink instant-messaging device with a miniature
keyboard that's marketed...

Posted by InfoSec News on Aug 12

By Kelly Jackson Higgins
Dark Reading
Aug 11, 2011

The attackers behind the "Operation Shady RAT" targeted cyberespionage
hacks hid some of their activities behind digital images.

They used steganography, a relatively rarely deployed technique for
hiding malicious code or data behind image files or other...

Posted by InfoSec News on Aug 12

A: 'Ant smarts' not 'asymmetry'

By Dan Goodin in San Francisco
The Register
11th August 2011

Forget everything you've read on The Reg or anywhere else about wars that
target computer networks, power grids and other essential electronic
infrastructure because it's loaded with fallacies, a prominent security
consultant said Wednesday.


Posted by InfoSec News on Aug 12


The Secunia Weekly Advisory Summary
2011-08-04 - 2011-08-11

This week: 53 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Aug 12

By Fahmida Y. Rashid

University of Wisconsin reported malware was found on a server that stored the
names and Social Security numbers of 75,000 students and faculty members.

Former and current faculty and students at the University of
Wisconsin-Milwaukee may have had their Social Security numbers exposed...

Posted by InfoSec News on Aug 11

By MassDevice staff
Medical Devices Industry News
August 10, 2011

A diabetic's successful hack of his own insulin pump raised the spectre
of malicious device-based attacks, but Medtronic doesn't think there's
much to worry about.

Medtronic Inc. (NYSE:MDT) isn't in an uproar over recent reports of a
hacked insulin pump that could discreetly deliver...

Posted by InfoSec News on Aug 11

By John Zyskowski
Aug 10, 2011

Unlike in politics, it’s rather important in the world of cybersecurity
that words and labels mean something specific. Routinely mislabeling
hacking and other incidents of computer mischief could lead to
overreactions to garden-variety illicit activity or a tendency to
downplay the need for a new kind of response to...

Posted by InfoSec News on Aug 11

By Dan Goodin in San Francisco
The Register
10th August 2011

A cryptographer has devised a way to monitor cellphone conversations by
exploiting security weaknesses in the technology that forms the backbone
used by most mobile operators.

Karsten Nohl, chief scientist of Berlin-based Security Research Labs,
said the attack works because virtually all of the world's...

Posted by InfoSec News on Aug 11

By Steven Aftergood
Secrecy News
August 10th, 2011

Even the most highly classified offensive cyberwar capabilities that are
acquired by the Air Force for use against enemy computer systems will be
subject to “a thorough and accurate legal review,” the U.S. Air Force
said in a new policy directive (pdf).

The directive assigns the Judge Advocate General to “ensure all cyber...

Posted by InfoSec News on Aug 11

By Gregg Keizer
August 10, 2011

Microsoft on Tuesday patched the last vulnerability in Internet Explorer
(IE) used by a researcher in March to win $15,000 at the annual Pwn2Own
hacking contest.

The company had patched IE twice before to quash bugs exploited by
Stephen Fewer of Harmony Security to bring down IE8 on Windows 7 at
Pwn2Own. For...

Posted by InfoSec News on Aug 10

DALIAN, Aug. 10 (Xinhua) -- China has become one of the world's biggest
victims of cyberattacks, with Chinese Internet operators and users being
harassed nearly "every moment," a computer security official said.

China was hit by nearly 493,000 cyberattacks last year, about half of
which appeared to have originated from...

Posted by InfoSec News on Aug 12

By John E Dunn
Computerworld UK
10 August 11

Many UK admins lack the skills, resources and time necessary to keep
firewalls secure from well-drilled hackers, one of the country’s leading
penetration testing experts has claimed while launching a new defence
training course.

The problems start with expert oversight of the firewall...