(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

While the drama about the lost airplane in Malaysia is still continuing, our hearts of course go out to the families of the missing. This ISC diary though is not about airplanes, or terrorism, it is rather about the related discovery that at least two passengers on the plane were using fake passports. Equally startling was the comment by Interpol that this is "common". What is the point of maintaining, for example, a no-fly list, if those listed on it anyway travel with stolen documents, and if the security checkpoint apparently fails to determine that a 19yr old doesn't look like a 40yr old, and that Italians who don't speak at least rudimentary Italian are, well, somewhat rare?

If we translate this to the virtual world, it turns into an everyday problem. How do we know that Joe using Joe's password is actually Joe, and not Jane? I probably should call them "Bob" and "Alice" to make this worthy of a scientific paper :), but the problem still stands: identification and authentication are hard, and finding out intentions is even harder. If we take from the airport physical security playbook, then it is "behavior" that makes the difference. The security checkpoint guys are (supposedly) trained to look for "clues" like nervousness, and carry-on baggage that is leaking 1,2,3-trinitroxypropane. Inevitably, there are numerous software products that claim to identify the "unusual" as well. Joe connecting from Connecticut, even though he lives in Idaho? Alert! Joe using Chrome even though he used Firefox last time? Alert! Joe typing his password faster than usual? Alert!

But like in the physical world, this kind of profiling only works well if you have a pretty homogenous and static "good guy" population, and a pretty well defined adversary. The real world, unfortunately, tends to be more diverse and complex than that. Which is why login fraud detection, just as airport security, often drowns in the "false positives", and as a result, de-tunes the sensitivity to the point where real fraud has stellar odds to just slip by. This is a fundamental issue with many security measures. Statisticians call this "base rate fallacy". If there are many many! more good guys than bad guys, finding the bad guys with a test that has a high error rate is pretty much: moot.

Checking the passports against the Interpol list of stolen passports .. wouldn't hurt though. Not doing this is akin to letting someone log in to an account that is suspended, or log in with a password that was valid two years ago.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Mt. Gox may have collected a large sum in trading fees in the weeks before its closure, even though it was already aware that a vast number of bitcoins had gone missing, its U.S. bankruptcy filing suggests.
U.S. lawmakers had a chance to pose questions to the director of the National Security Agency on Wednesday but declined to ask him about reports that the agency plans to install malware on millions of computers.
The data transfer speed improvements that Seagate has made to their drives is remarkably impressive.
Cisco unveiled Wednesday an array of video conferencing products as it seeks to provide video collaboration systems for meeting rooms of all sizes.
As the World Wide Web celebrates its 25th year Wednesday, top techies are looking ahead to the next 25 years, when they say the Web will be woven more deeply, and seamlessly, into our lives.
Green America, a D.C.-based non-profit group, and The Nation magazine launched a campaign Wednesday intended to persuade consumers to boycott Apple products unless the company makes changes in its production and supply chain operations.
Searching on Yahoo will now deliver local business reviews from Yelp, through a partnership that could help Yahoo search compete against Google, or at least make it more useful.
Reusability is a key to any plan to making human life interplanetary, according to the CEO of SpaceX, one of the companies tasked with ferrying cargo, and someday astronauts, to the International Space Station.
Samsung's new DDR3 memory has shrunk transistor size from 25nm to 20nm, and uses 25% less power, meaning your next laptop or tablet could have longer battery life.
Congress needs to consider alternatives to a Senate-passed bill that would require online retailers to collect sales tax based on the location of their customers, the chairman of the House of Representatives Judiciary Committee said Wednesday.
Microsoft added G. Mason Morfit, president of ValueAct Capital, to its board of directors, making good on its part of the deal it struck with the activist shareholder last year.
LinuxSecurity.com: A security issue was fixed in libssh.
LinuxSecurity.com: CUPS could be made to run programs as the lp user if it processed aspecially crafted file.
LinuxSecurity.com: cups-filters could be made to run programs as the lp user if it processed aspecially crafted file.
LinuxSecurity.com: Several vulnerabilities have been found in file, a file type classification tool. Aaron Reffett reported a flaw in the way the file utility determined the [More...]
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]

The Android version of WhatsApp, the cross-platform instant messaging app purchased by Facebook for $16 billion, has a loophole that leaves chat histories wide open to other apps installed on the same smartphone, a security consultant says.

Consultant, system administrator, and entrepreneur Bas Bosschert documented the vulnerability in a blog post published Tuesday. It includes proof-of-concept code a rogue app requires to stealthily upload the chat history to an attacker-controlled server and, when working with newer versions of WhatsApp, to decrypt the file. The exploit is premised on the victim installing a malicious app that contains a game or some other useful feature and in the background accessing the database WhatsApp stores on the secure digital (SD) card of an Android device.

"The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card," Bosschert wrote. "And since [the] majority of the people allows [sic] everything on their Android device, this is not much of a problem."

Read 3 remaining paragraphs | Comments

LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security Report Summary
ownCloud 'filename' Parameter Remote Code Execution Vulnerability
[SECURITY] [DSA 2876-1] cups security update
[SECURITY] [DSA 2875-1] cups-filters security update
[SECURITY] [DSA 2874-1] mutt security update
Libssh CVE-2014-0017 Random Number Generator Weakness
The Twitter website crashed on Tuesday -- the social network's second outage in the past nine days.
The White House urged tech workers, or "geeks," to sign up for health insurance under the Affordable Care Act, and said having the coverage will give them the "freedom and security" to start their own businesses.
Cisco IOS And IOS XE RSVP Interface Queue Wedge CVE-2013-5478 Remote Denial of Service Vulnerability
Arabic-Prawn Ruby Gems Command Injection Vulnerability
Cross-Site Scripting (XSS) in Open Classifieds
Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem
CVE-2014-2043 - SQL Injection in Procentia IntelliPen
Adobe released updates for Flash Player that fix two vulnerabilities that could allow attackers to bypass security controls in the software.
Cisco unveiled Wednesday an array of video conferencing products as it seeks to provide video collaboration systems for meeting rooms of all sizes.
CVE-2014-1222 - Local File Inclusion in Vtiger CRM
NEW VMSA-2014-0002 VMware vSphere updates to third party libraries
CVE-2014-1904 XSS when using Spring MVC
CVE-2014-0097 Spring Security Blank password may bypass user authentication
Microsoft has added features to the text editor of Outlook Web App to improve its handling of text, tables, images and hyperlinks.
Google yesterday said it would let developers of Chrome packaged apps issue free trials and offer in-app purchases, and allow creators of browser extensions to charge for their wares for the first time.
Google, Amazon and Microsoft have all made strategic moves to gain cloud market share -- and the 'cloud wars' are only getting started.
Laptops will get console-like gaming and up to two times the battery life with Nvidia's new GeForce GTX mobile graphics processors, unveiled on Wednesday.
Adobe released updates for Flash Player that fix two vulnerabilities that could allow attackers to bypass security controls in the software.
Adobe Flash Player and AIR CVE-2012-4168 Cross Domain Information Disclosure Vulnerability
[SECURITY] [DSA 2873-1] file security update
Medium severity flaw in BlackBerry QNX Neutrino RTOS
CORE-2014-0002 - Oracle VirtualBox 3D Acceleration Multiple Memory Corruption Vulnerabilities
The second desktop system to use Google's Chrome OS, the Asus Chromebox is a simple, inexpensive and unobtrusive alternative to traditional desktops.

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".

With Wordpress, the Pingback is sent as a POST request to the /xmlrpc.php request. The body of the request will look like:


For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.

The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.

By default, this feature is enabled in all Wordpress installs, and isn't quite easy to turn off. Sucuri recommends to add the following API filter to Wordpress:

add_filter( ‘xmlrpc_methods’, function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Removing xmlrpc.php is not recommended as it will breack a number of other features that will use the API.


[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Aruba Networks announced a package of software upgrades designed to better accommodate all-wireless workplaces, including sites where it's common to see employees using three different mobile devices with multiple applications.
MediaWiki CVE-2014-2242 Cross Site Scripting Vulnerability
The creators of the Roboy robot wanted it to move as much like a human as possible, using a skeleton of 3D-printed bones and joints, tendons -- and coiled springs in muscles.
Adobe Flash Player CVE-2014-0504 Information Disclosure Vulnerability
Adobe Flash Player CVE-2014-0503 Same Origin Security Bypass Vulnerability
The major consulting firms are all advising IT pros to remake their businesses into fully digital organizations. But as IT has known for years, transformation -- especially digital transformation -- is hard.
Tests of carrier aggregation, a technology that will help increase the speeds of LTE networks, have been a positive surprise, but another technology called small cells needs to become more mature before it can help offload mobile networks, according to two executives at Vodafone Germany.
Yokogawa CENTUM CS3000 'BKBCopyD.exe' Stack Based Buffer Overflow Vulnerability
Yokogawa CENTUM CS3000 'BKHOdeq.exe' Stack Based Buffer Overflow Vulnerability
MediaWiki 'text' Prameter HTML Injection Vulnerability

Posted by InfoSec News on Mar 12


By John Leyden
The Register
11 Mar 2014

Top UK e-commerce sites are not doing enough to safeguard users from their
own password-related foibles, according to a new study.

A review of password security at the top 100 e-commerce sites found two in
three (66 per cent) accept notoriously weak passwords such as "123456" or
"password", putting users in...

Posted by InfoSec News on Mar 12


By Brian Krebs
Krebs on Security
March 11, 2014

Adobe and Microsoft today each released software updates to fix serious
security flaws in their products. Adobe pushed an update that plugs a pair
of holes in its Flash Player software. Microsoft issued five updates,
including one that addresses a zero-day vulnerability in Internet Explorer
that attackers have been...

Posted by InfoSec News on Mar 12


By Kevin Poulsen
Threat Level

Silicon Valley shuttle buses have become a symbol of San Francisco’s
gentrification anxiety -- Facebook, eBay, Genentech, Yahoo, and most
famously Google all have their own private bus lines shuttling workers in
and out of the city, hiding them behind tinted glass and bathing them in
free Wi-Fi so the riders can have a productive...

Posted by InfoSec News on Mar 12


By Brendan Sasso
National Journal
March 11, 2014

A top U.S. military official said Tuesday he believes hackers are
attacking Ukrainian computer and communications networks -- but he
declined to point the finger at Russia.

"In an open unclassified forum, I'm not prepared to comment on the
specifics of nation-state behavior," Vice...

Posted by InfoSec News on Mar 12


By William Alden
The New York Times
March 11, 2014

With the prospect of cyberattacks keeping corporations on edge, the
Blackstone Group is investing in a company that aims to counteract such

Blackstone, the world’s largest private equity firm, announced on Tuesday
that it had agreed to buy a majority stake in Accuvant, a 12-year-old...
Ruby on Rails 'ActiveRecord' Module Security Bypass Vulnerability
Internet Storm Center Infocon Status