Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The Age

Bounty hunters hound out computer bugs
The Age
More hunters on the prowl... crowd-sourced security testing provides "an extra level of comfort". Photo: Anthony Johnson. Phishing your employees in the name of security. Increasing rates of cybercrime are leading more companies to call on the very ...

and more »
 

Brisbane Times

Bounty hunters hound out computer bugs
Brisbane Times
More hunters on the prowl... crowd-sourced security testing provides "an extra level of comfort". Photo: Anthony Johnson. Phishing your employees in the name of security. Increasing rates of cybercrime are leading more companies to call on the very ...

 
Micron has introduced what it said is the industry's smallest 128Gbit NAND-flash chip using Micron's 20 nanometer process technology, which is targeted at low-cost removable storage devices.
 
EMC AlphaStor CVE-2013-0930 Buffer Overflow Vulnerability
 
Adobe Flash Player and AIR CVE-2013-0647 Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2013-1374 Use After Free Remote Code Execution Vulnerability
 
Anacrypt '.tuz' Configuraton File Information Disclosure Vulnerability
 
JBoss Web Services W3C XML Encryption Standard Information Disclosure Vulnerability
 
Several Certificate Authorities (CAs) have formed an advocacy group called the Certificate Authority Security Council (CASC), which will focus on promoting new security standards, policies and best practices for SSL (Secure Sockets Layer) deployment on the Web.
 
Asia is fast becoming the epicenter of the PC market as Chinese and Taiwanese companies challenge the turf occupied for more than a decade by prominent U.S. PC makers Hewlett-Packard and Dell, whose laptop and desktop shipments are stumbling.
 
The judge overseeing Apple's two lawsuits against Samsung in California has indicated she would like to put the second case on hold pending resolution of the first case, the trial for which ended last summer with a big win for Apple.
 
A large group of U.S. lawmakers has reintroduced legislation that would require online retailers to collect sales tax for state and local governments, essentially raising the cost of many online purchases by 10 percent or more.
 
Facebook scored an initial legal victory in its IPO case following a federal judge's dismissal of a group of investor lawsuits filed against the company.
 
This week is Android week here in Gearhead land, starting with a tool that will let you run pretty much any Android app on your Mac or Windows PC.
 
Oracle is firing back hard at a recently released Forrester Research report that suggested most customers aren't interested in moving up to the vendor's next-generation Fusion Applications, which were released about a year-and-a-half ago following a long and expensive development process.
 
Multiple Vulnerabilities in Edimax EW-7206-APg and EW-7209APg
 
Multiple Vulnerabilities in TP-Link TL-WA701N / TL-WA701ND
 
[IA46] Photodex ProShow Producer v5.0.3297 ColorPickerProc() Memory Corruption
 
[SECURITY] [DSA 2623-1] openconnect security update
 
Opera's announcement yesterday that it would ditch its own browser and JavaScript engines in favor of the open-source WebKit and V8 engines will let it compete in the lucrative iOS market.
 
In what is turning out to be a repeat of last year, privacy rights groups launched an assault against the Cyber Intelligence Sharing and Protection Act (CISPA), barely a day after the controversial legislation was reintroduced in Congress on Wednesday.
 
The largest single users of H-1B visas are offshore outsourcers, many of which are based in India, or, if U.S. based, have most employees located overseas, according to government data obtained and analyzed by Computerworld.
 
Stevey, admitted confused by the benefits of RAIDs, asked the Answer Line forum to explain these hard drive groups.
 
Adobe Acrobat And Reader CVE-2013-0641 Remote Code Execution Vulnerability
 
[security bulletin] HPSBMU02815 SSRT100715 rev.5 - HP SiteScope SOAP Security Issues, Remote Disclosure of Information, Remote Code Execution
 
Re: Aastra IP Telephone encrypted .tuz configuration file leakage
 
Oregon State University researchers have discovered a way to use sound waves to enhance magnetic data storage.
 
The Large Hadron Collider, which discovered what is believed to be the elusive Higgs boson, is being shut down for a two-year overhaul.
 
Privacy and digital rights groups are overstating the privacy concerns in a controversial cyberthreat information bill introduced this week in the U.S. Congress, the bill's sponsors and leaders of some business groups said.
 
Apple yesterday confirmed that a bug in iOS 6.1 causes devices to aggressively ping Microsoft Exchange email servers, shortening iPhone and iPad battery life.
 
Adobe Flash Player and AIR CVE-2013-0638 Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2013-0639 Remote Integer Overflow Vulnerability
 
[slackware-security] pidgin (SSA:2013-044-01)
 
Through its new Smart Plan platform, Alcatel-Lucent wants to make mobile subscription plans more flexible and allow data packages to be shared among users and handed out by companies to their customers using an application on smartphones and tablets.
 
Looking to have a romantic Valentine's Day with your sweetheart? Maybe you should use Facebook a little less.
 
Verizon Wireless recently began listing "High Risk Android Apps" on its Web site and now alerts customers to 13 apps that prevent a smartphone or tablet from going into sleep mode, causing heavy battery and data usage.
 
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability
 
Sonicwall OEM Scrutinizer v9.5.2 - Multiple Vulnerabilities
 
CA20130213-01: Security Notice for CA ControlMinder
 
At one time, a typical Mac user would no more have connected a couple of computers to the Internet via a local network than they would have extracted their own kidney. If you just mentioned the word networkingA (outside the context of calling former business associates to seek a better job), those around you shook with fear.
 
Business software purchasing, particularly at the enterprise level, can be a lengthy and difficult process, something startup G2 Crowd is hoping to alleviate with a new Yelp-like review site aimed at enterprise applications.
 
The suspected developer of the BKA trojan has been arrested in Dubai. The Spanish police have also apprehended ten other suspects who are believed to have used the software to extort around €1 million per year


 
Samsung Electronics has launched REX, a new series of "smart feature phones" that it will sell in emerging markets.
 
Google is hanging onto its dominant share of the search market, while its competitors inch up and down.
 
Microsoft this week patched 14 vulnerabilities in Internet Explorer, preparing the browser for its time as a target early next month at the annual Pwn2Own hacking contest.
 
A recently found exploit that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11 is highly sophisticated and is probably part of an important cyberespionage operation, the head of the malware analysis team at antivirus vendor Kaspersky Lab said.
 
Belkin's WeMo is, in a few words, a home automation system. It works to give you Wi-Fi control over your appliances and electronics, using a plug-in connector that connects to your wall socket or powerboard, remotely switching on and off your home's technology when you want.
 
Several months ago, Google changed its profile pages to include cover photos. Not unlike Facebook's, these cover photos are wide and short, and integrate with a profile picture of your choosing. Unlike Facebook, though, these cover photos require rather weird dimensions: 940 x 180 pixels. In a recent attempt to create a new cover photo, I found it very hard to find anything that would fit these dimensions properly. In addition, Google profiles don't come with a preview feature, which brings a lot of trial and error and repeated resizing into the mix, and in the end, my results were less than desirable. One way to solve this annoying yet common problem is Slicetige-G ($2, free demo with watermarking).
 
WordPress Classipress Theme Multiple HTML Injection Vulnerabilities
 
SAP Netweaver Multiple Security Vulnerabilities
 
xNBD '/tmp/xnbd.log' Insecure Temporary File Handling Vulnerability
 
LimeSurvey Survey Text Field HTML Injection Vulnerability
 
Chances are, if you don't know the dangers involved, you shouldn't jailbreak.
 
 
The Google Play Store is giving developers email addresses, post codes and names of purchasers, but they do so to allow the developers to work out how much tax they owe. The real problem is that they don't tell customers or developers about that


 
Roundup Multiple Cross Site Scripting Vulnerabilities
 
President Barack Obama's cybersecurity executive order, signed on Tuesday, could significantly expand the list of companies categorized as part of U.S. critical infrastructure sector, security experts said Wednesday.
 
IT is one of the last corporate functions to embrace telecommuting. It turns out the last remaining barriers are more cultural than technical.
 
Adobe has confirmed that critical security holes are gaping in the current version of Reader. Until a patch becomes available, users can protect themselves against attacks by activating a security feature. Acrobat is also vulnerable


 

Help Net Security

Infosec pros don't trust their own networks
Help Net Security
A SafeNet survey of 230 United States security professionals, revealed that, despite continued investments in network perimeter technologies, respondents are not confident that they are employing the right technologies to secure their high-value data.

and more »
 
Instagram has asked a court to dismiss a class-action lawsuit against changes in its terms of use, holding that the petitioner had the option to terminate her account if she disagreed with the new terms.
 
Twitter will soon give developers the ability to filter messages by popularity and language.
 
Google filed a patent infringement lawsuit against BT Group companies in a court in the U.S. stating it was defending itself against the British communications services company's own "meritless patent claims" and its arming of patent trolls.
 
The company is expanding its participation in open source endeavors, no longer believes Linux is a 'cancer'
 
There were a number of glaring IT problems facing the Illinois Department of Corrections. The answer: A cloud-based replacement system.
 
Microsoft .NET Framework Parameter Validation Remote Integer Overflow Vulnerability
 
WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability
 
Microsoft Internet Explorer SLayoutRun Use-After-Free Remote Code Execution Vulnerability
 
Adobe Acrobat And Reader CVE-2013-0640 Remote Code Execution Vulnerability
 

Recently Ive been working on several incidents that included attackers getting shell access to the compromised host and somehow elevating their privileges to root. Of course, once they have access to the box, one of the first things they want to do is to be able to establish that same level of access again.

While there are many, many ways for an attacker to plant a backdoor that will allow him access to the server later, the easiest way is, of course, to create a new, privileged account that the attacker can use to access the server.

Now, when analyzing what happened during the attack we figured that this was exactly what the attacker did, however there were no logs on the system and subsequently the central logging system and SIEM implemented by the victim were of no use.

As this was a Linux server, you can probably already guess what the attacker did: they simply opened the /etc/passwd and /etc/shadow files and added their backdoor accounts (with an UID of 0). Of course, since they did this directly by modifying the system files there were absolutely no logs.

Very simple, yet also very effective!

So, what can we do against this? One obvious answer is to monitor any changes to these two and some other important files (for example, /etc/hosts, /etc/sudoers .. there are actually many). On Linux servers it is actually really easy to do this thanks to auditd the Linux Audit daemon.

Auditd is the userspace part of the Linux Auditing system, which integrates deeply with the kernel. Being integrated with the kernel allows it to inspect every little detail of whats happening on the system. In fact, many administrators turn auditd off due to huge amounts of logs it can create, and potential performance impact on the system. However, it is a true gem in auditing, if used correctly.

In our example on monitoring /etc/passwd we just need to add one rule to the /etc/audit/audit.rules file:

-w /etc/passwd -p wa

This tells auditd to monitor and log any changes (trigger on write and attribute change of the file). So when our attacker tries to modify this file directly, we will get log similar to the following:

type=SYSCALL msg=audit(1360781410.961:24122): arch=40000003 syscall=15 success=yes exit=0 a0=8357590 a1=81a4 a2=1 a3=1 items=1 ppid=17480 pid=8437 auid=510 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=210 comm=vim exe=/usr/bin/vim key=(null)

type=CWD msg=audit(1360781410.961:24122): cwd=/etc/audit

type=PATH msg=audit(1360781410.961:24122): item=0 name=/etc/passwd inode=4786344 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

Pretty cool! So we had the UID and GID of the user who modified the /etc/passwd file, as well as the full path to the process (command) that was used to edit it.

Since auditd creates logs in /var/log/audit/audit.log, we can now send the same file to our SIEM and create a rule to trigger an alert on such actions, so we can catch any modifications to this (and other) system critical files.

For the bonus part, we can even setup a simple cron job (it will suffice in most cases) that will calculate an SHA1 sum of the /etc/passwd file, trigger on any changes and do a diff on the old file (saved before) and the new one.

What other things do you do to monitor your critical files? Let us know!



--

Bojan

INFIGO IS
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Posted by InfoSec News on Feb 13

http://www.wired.com/threatlevel/2013/02/executive-order-cybersecurity/

By Kim Zetter
Threat Level
Wired.com
02.12.13

President Barack Obama signed an executive order on Tuesday designed to make it
easier to disseminate classified information on threats against critical
infrastructure systems and to lay the groundwork for obtaining information from
the private sector that would help the government protect critical
infrastructures in the...
 

Posted by InfoSec News on Feb 13

http://www.technologyreview.com/news/507971/welcome-to-the-malware-industrial-complex/

By Tom Simonite
MIT Technology Review
February 13, 2013

Every summer, computer security experts get together in Las Vegas for Black Hat
and DEFCON, conferences that have earned notoriety for presentations
demonstrating critical security holes discovered in widely used software. But
while the conferences continue to draw big crowds, regular attendees say...
 

Posted by InfoSec News on Feb 13

http://arstechnica.com/tech-policy/2013/02/dod-mints-new-medal-for-drone-pilots-and-cyber-warriors/

By Sean Gallagher
Ars Technica
Feb 13 2013

The Department of Defense announced the creation of a new medal to honor the
actions of members of the military who directly affect the course of battle
without physically being there—in other words, drone pilots, cyber warfare
experts, and other remote warriors.

The Distinguished Warfare Medal...
 

Posted by InfoSec News on Feb 13

https://www.computerworld.com/s/article/9236758/Emergency_Alert_System_devices_vulnerable_to_hacker_attacks_researchers_say

By Lucian Constantin
IDG News Service
February 13, 2013

Devices used by many radio and TV stations to broadcast emergency messages as
part of the U.S. Emergency Alert System (EAS) contain critical vulnerabilities
that expose them to remote hacker attacks, according to researchers from
security consultancy firm IOActive....
 

Posted by InfoSec News on Feb 13

http://www.healthcareitnews.com/news/new-healthcare-breach-report-sheds-light

By Erin McCann
Associate Editor
Healthcare IT News
February 13, 2013

A new report suggests some improvement with regard to healthcare data breaches
in 2012, compared with previous years. Still, the study shows there's much work
to be done.

The report, conducted by IT security assessment provider Redspin, examines some
538 incidents affecting more than 21.4...
 
Internet Storm Center Infocon Status