Hackin9

InfoSec News

Cadillac introduced a high-end hybrid electric vehicle called the ELR at the North American International Auto Show in Detroit Tuesday.
 
Keeping IT one step ahead of expansion plans at independent grocery chain Drakes Supermarkets is CIO Rod Koza's remit for 2013.
 
A resident of North Las Vegas, Nev., says owners of lost cell phones have repeatedly shown up at his house demanding phones that they tracked via software to his location.
 
Oracle E-Business Suite CVE-2013-0376 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2013-0367 Remote Security Vulnerability
 
Oracle JD Edwards EnterpriseOne Tools CVE-2012-1678 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2013-0389 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2013-0397 Remote Security Vulnerability
 
Oracle Enterprise Manager Grid Control CVE-2013-0353 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2012-3190 Remote Security Vulnerability
 
Oracle Database Mobile/Lite Server CVE-2013-0363 Remote Vulnerability
 

Cisco has announced that as of 16 JAN 2013 they will begin releasing a new publication type.

Cisco Security Notices will document low- and medium-severity security vulnerabilities that directly involve Cisco products but do not warrant the visibility of a Cisco Security Advisory.

Cisco Security Notices will be available on a separate tab from the PSIRT landing page: http://www.cisco.com/go/psirt following the January 16th launch.

Review Cisco's updated Security Vulnerability Policy for all related updates and details: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Russ McRee | @holisticinfosec


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
OTG Management, which runs restaurants and other concessions in airports, has found that using iPads and self-service tech can be good for business. And it doesn't cost jobs.
 
Wireshark Versions Prior to 1.8.3 Multiple Security Vulnerabilities
 
Trimble® Infrastructure GNSS Series Receivers Cross Site Scripting (XSS) vulnerability
 
[SECURITY] [DSA 2608-1] qemu security update
 
 
Two U.S. power companies reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
 
Revenue in the IT segment of the world's smart electricity delivery industry is likely to have grown by 23 percent, to US$9.4 billion, in 2012, in support of smart grid deployments, according to a new study.
 
After about five months on the Martian surface, NASA's rover Curiosity is preparing to drill its first rock on Mars.
 
The AMA and the College of Healthcare Information Management Executives this week voiced concerns over the pace set by the U.S. government for healthcare organizations to adopt EHRs.
 
Facebook is rolling out a major new search engine designed to give users more options in sorting through topics and interests based on their friends.
 
[SECURITY] [DSA 2607-1] qemu-kvm security update
 
With the release of the first service pack for Microsoft System Center 2012, Microsoft is taking another step in its ambitious goal of helping customers manage their on-premises IT and Microsoft Azure cloud services with a single set of IT management controls.
 
Facebook is unleashing the collective knowledge and opinions of its one billion users to power a new feature called Graph Search.
 
Startup NuoDB is hoping to position itself as having the ideal database for the post-cloud world, now that its Cloud Data Management System is generally available.
 
Adobe ColdFusion CVE-2013-0629 Unauthorized Access Vulnerability
 
Adobe ColdFusion CVE-2013-0631 Information Disclosure Vulnerability
 
Adobe ColdFusion CVE-2013-0625 Authentication Bypass Vulnerability
 
Apple and Google's Android have the widest adoption among mobile BI (business intelligence) applications, as the products are becoming more mature, according to a report from market research company Ovum.
 
6Scan, a Web security startup based in Tel Aviv, Israel, launched a new service on Tuesday that can scan websites for security issues, like vulnerabilities and malware infections, and allows their owners to automatically fix the identified problems.
 
Microsoft has announced it will issue an out-of-band patch to the zero-day flaw affecting Internet Explorer versions 6 through 8.

 
With buyout talks gaining steam, analysts say Dell Inc. could be looking to free itself from quarterly distractions and shareholder pressures.
 
Experts from Kaspersky Lab have uncovered a large-scale cyber-espionage campaign in which unknown perpetrators have obtained confidential geopolitical information from a large number of public sector organisations globally.


 
Adobe Flash Player and AIR CVE-2012-4165 Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0755 Remote Code Execution Vulnerability
 
freeSSHd Authentication Mechanism Authentication Bypass Vulnerability
 

We're getting a whole lot of bad advice regarding the latest crop of vulnerabilities. Folks are saying things like "disable Java", or "Migrate away from IE6/7/8", or even "Migrate to IE10 or Firefox".



While these will certainly mitigate the current vulnerability, it's often not a practical way to go. If you pick the right week, almost anything could be the "disable that component" target - everyone has a zero day at one time or another. Specific to this week's issues, there are lots of business applications that are tied to older browsers - I've got a number of clients who have business critical applications that are tied to a specific version of IE (often IE6), or to a specific, old version of Java. Or if you still have a few thousand XP workstations, you're going to top out at IE8.



In several fields, there are applications that *must* be used, and that can only be run from within older browsers. For instance, some common K-12 education applications require an older version of the browser. More commonly, some healthcare and pharmaceutical manufacturing applications are only certified on specific - and often older - versions of the browser.

The worst situation is on embedded devices. It's not uncommon to see embedded OSs running on any number of things: SCADA components, hospital gear (IV pumps, heart monitors and the like), barcode scanners, price guns, elevator controls, ABM banking machines - almost anything really. These are sometimes running old Linux versions, but just as frequently these days you'll see an embedded Windows OS on these units.

Even today, you'll find manufacturers who will void your warranty if you upgrade an embedded OS - this is often the case when you are dealing with an obsolete product (where the vendor wants to sell you the new version), but in lots of cases it costs big money / effort for the manufacturer to re-certify the product on a different OS. Or the upgrade may require different hardware (another way to spell this is "no budget", or sometimes "next year's budget", neither of which helps you today). Even if you can upgrade, these embedded units might not be centrally managed or remotely upgradable. In that case you need to go find these units, which might be squirreled away all over a manufacturing facility, hospital or university that might span multiple buildings and millions of square feet.



So, in a lot of cases we're just stuck with these old browsers and/or old Java versions - what to do?



What we normally recommend is - first of all, stop finger pointing and making blanket recommendations that can't be followed (like "disable Java"). At a practical level, you can almost always limit your exposure. In the case of barcode scanners, for instance, we'll often put them on their own SSID (and matching subnet) that only has access to the host that they're scanning to, and the management server if there is one. This is also a good recommendation for manufacturing gear or healthcare appliances - they're usually well-known devices that can be segregated by subnet.



But in more mobile situations, you might have healthcare appliances on wheels, conference call units or video projectors, which might be plugged into any handy ethernet port. Because of this, it's also advisable to start filtering outbound browser traffic by looking at the user agent string. In this way, you can use the required older version of a browser or Java on a specific subnet, but when the traffic leaves that network, likely to get to the public internet, you can enforce a minimum version of your browser (IE in this case), or Java.



The user agent strings for various versions of Java are simple: it's just the version of Java. So for Java 6.0 Update 26, the User Agent String is "Java/1.6.0_26". This same standardized format is followed for all versions.



So it's simple enough to block by version, or if you want to block all outbound Java to a network (for instance, the internet or part of it), using the expression "Java/" is a decent way to go.



IE has various user agent strings, but using expression matching you can simplify the criteria tremendously. For instance, depending on the version of the browser and OS, IE6 can have any one of dozens of strings, but for the purposes of blocking or permitting traffic, you can usually simplify to a match on "MSIE 6".



Similarly, you can permit or block based on the user agent strings of Firefox, Safari, Opera or any other browser. Note that these in particular may have different strings on different OSs - you'll find these on tablets, phones, and various desktop/laptop OSs.



This method is easily implemented on most firewalls, and given the current state of browsers and Java, this is something that should be set up at your internet perimeter. The blocking policy is likely something that will change with the security landscape, but if you still have IE6 or 7 for business reasons, blocking those outbound is a good idea. Watching the agent strings that are logged going outbound can be a good way to find those mouldy-oldy computers that got installed 6 (or 10) years back and haven't been updated in a while, if ever.



As in most least privilege configurations, we'd recommend a list of permitted browsers, with a default deny for all other versions. This does mean that you'll need to be quick when new browser versions come out though. It might be prudent to permit newer versions that do not yet exist (for instance, as of today IE 9.1 and 11 do not exist), so that when one thing or another auto-updates at 1am one evening, you've at least got a shot that you won't be disrupting service for your user community. Using regular expressions to winnow out the good from the bad is likely a better way to go here as well.
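As an added illustration of the default-deny agent-string policy described above, and of the "watch the logged agent strings to find old machines" use mentioned a few paragraphs earlier, here is an example policy evaluator. It is not code from the diary or from any firewall product; the version thresholds, the log format and the log lines are all constructed for the example.

```python
import re

# Java's outbound UA is just "Java/<version>", e.g. Java/1.6.0_26 (format from the diary).
JAVA_UA = re.compile(r"\bJava/1\.(?P<minor>\d+)\.(?P<micro>\d+)(?:_(?P<update>\d+))?")
# Every IE variant carries "MSIE <major>.<minor>"; that token is all the rule needs.
MSIE_UA = re.compile(r"\bMSIE (?P<major>\d+)\.")
# Other browsers: "<Name>/<major>." is enough to get the major version out.
OTHER_UA = re.compile(r"\b(?P<name>Firefox|Chrome)/(?P<major>\d+)\.")

# Policy values are assumptions for this example, not numbers from the diary.
MIN_IE_MAJOR = 9                          # IE6/7/8 stay inside; never outbound
MIN_JAVA = (6, 0, 38)                     # oldest Java (minor, micro, update) allowed out
MIN_BROWSER = {"Firefox": 17, "Chrome": 24}

def decide(ua):
    """Classify one User-Agent as ('permit'|'deny', reason): allow-list with default
    deny, using '>=' so not-yet-released versions still pass after an auto-update."""
    m = JAVA_UA.search(ua)
    if m:
        ver = (int(m["minor"]), int(m["micro"]), int(m["update"] or 0))
        return ("permit" if ver >= MIN_JAVA else "deny", "Java/1.%d.%d_%02d" % ver)
    m = MSIE_UA.search(ua)
    if m:
        major = int(m["major"])
        return ("permit" if major >= MIN_IE_MAJOR else "deny", "MSIE %d" % major)
    m = OTHER_UA.search(ua)
    if m:
        name, major = m["name"], int(m["major"])
        return ("permit" if major >= MIN_BROWSER[name] else "deny", "%s %d" % (name, major))
    return ("deny", "unrecognised")      # default deny for anything not on the list

# Constructed proxy log lines (client, URL, quoted User-Agent); not real traffic.
SAMPLE_LOG = """\
10.1.5.23 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.5.24 http://example.com/ "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.7.8 http://example.com/app.jar "Java/1.6.0_26"
10.1.7.9 http://example.com/app.jar "Java/1.7.0_11"
10.1.5.25 http://example.com/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.1.9.1 http://example.com/ "PriceGun-Embedded/1.0"
"""
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def audit(log_text):
    """Return {client: reason} for every line the policy denies; run over outbound
    proxy logs this is the 'find the old machines' use the diary describes."""
    denied = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict, reason = decide(m["ua"])
        if verdict == "deny":
            denied[m["client"]] = reason
    return denied
```

Calling `audit(SAMPLE_LOG)` flags the IE6 workstation, the Java 6u26 client and the unknown embedded device, while the IE10, Firefox 18 and Java 7 clients pass.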



It's important to note that you can modify your user agent strings, either in the browser configuration or in the registry (for IE), but the goal here is to protect yourself from the folks who don't know any better. Hopefully anyone who's savvy enough to change their identifiers like this will be running a brand-new browser, and will want it to masquerade as something older or from a different vendor, so that one app or another will run for them.



As a side note, Microsoft has a few articles on how they construct their user agent strings; one is here: http://msdn.microsoft.com/en-us/library/ms537503%28v=vs.85%29.aspx

and another:

http://blogs.msdn.com/b/ieinternals/archive/2009/10/08/extending-the-user-agent-string-problems-and-alternatives.aspx



There are a bunch of sites that describe exactly how to filter on user agent strings at your firewall or IPS; I'm not covering the details in this article. Some decent starting points (though not actual how-to type documentation) for Snort and Bluecoat are here:

http://vrt-blog.snort.org/2012/11/web-proxies-user-agent-strings-and.html

and here:

www.bluecoat.com/doc/457



The SANS Reading Room is also a good place to start for material of this type - for instance, Dan Manners has a good paper here that starts towards the detection aspect (not blocking) using Snort and tcpdump/wireshark:

http://www.sans.org/reading_room/whitepapers/hackers/user-agent-field-analyzing-detecting-abnormal-malicious-organization_33874.



There are a ton of sites out there dedicated to listing user agent strings for various browsers, languages and apps - if you've got a particular favourite reference site, please share on our comment form. Or if you've had a situation where filtering of this type has saved your bacon (or caused a problem), we'd love to hear about that as well!

===============

Rob VandenBrink

Metafore
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
A resident of North Las Vegas, Nev., says owners of lost cell phones have repeatedly shown up at his house demanding phones that they tracked via software to his location.
 
Oracle has launched a set of infrastructure-as-a-service (IaaS) systems that companies can run in-house and pay for on a monthly basis, a project the company announced at OpenWorld in September.
 
The hundreds of government, military and research organizations targeted in a large-scale cyberespionage operation dubbed Red October were not only attacked using malicious Excel and Word documents, but also with Web-based Java exploits, according to Seculert researchers.
 
EMC is building on its acquisition of the Syncplicity file-sharing and collaboration service by combining it with its Isilon scale-out NAS to provide the enterprise what the storage giant claims provides the convenience of a cloud-based file-sharing service with the administrative and governance capabilities of an on-premise solution.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0768 Stack Buffer Overflow Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0752 Remote Code Execution Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0745 Remote Denial of Service Vulnerability
 
SAP's revenue from software and software-related services showed ample growth thanks in part to its HANA in-memory database and to strength in its portfolio of cloud applications, the company said Tuesday as it reported preliminary numbers for the quarter and year ended Dec. 31.
 
Cloud Sherpas is continuing its string of acquisitions of boutique consulting firms for cloud services, with the purchase of Innoveer Solutions and Navigis. Terms of the deals, which were announced Tuesday, were not disclosed.
 
Making sense of social media analytics while juggling IT priorities across Asia Pacific for eyewear distributor Luxottica Retail is a role that CIO, Stephen McKinnon, relishes.
 
The suicide of Internet activist and pioneer Aaron Swartz has focused attention on what some activists say is the overzealous use of the federal Computer Fraud and Abuse Act anti-hacking statute.
 
Users and Oracle both need to do their part against a malware industrial complex that can quickly attack any security hole
 
Alibaba Group's Jack Ma will step down from his position as CEO of the Chinese e-commerce giant in May, to help usher in its next generation of leaders. But he will stay on as executive chairman to focus on company strategy.
 
China's Internet population reached 564 million at the end of December, an increase of 26 million over the past six months, according to a non-profit research group in the country.
 
Cryptocat, a project building an instant messaging platform that provides more privacy and security for activists, plans a host of improvements this year, including developing an application for mobile devices.
 
Apple on Friday will bring its 3G enabled fourth-generation iPad and iPad mini to China, a market where the vendor's tablets continue to dominate.
 
Not immune to sluggish sales, Apple sold about the same number of Macs in 2012's fourth quarter as the same period the year before, research firm IDC has estimated.
 
Microsoft has now released the update for Internet Explorer 6, 7 and 8, which have been suffering from a critical vulnerability being exploited on a number of sites.


 
US law on computer crime should be reformed, says the EFF, as the death of Aaron Swartz shows the law to be overly punitive and broad. Open access advocates are memorialising Swartz by releasing and collating academic papers using the #pdftribute hashtag.


 
Linux Kernel KVM CVE-2012-4461 Local Denial of Service Vulnerability
 
The Australian Attorney-General's Department wants to permit the country's secret service agency, the ASIO, to hack third party IT systems in order to gain access to computers belonging to security targets such as terrorist suspects.


 
FreeType Versions Prior to 2.4.11 Multiple Remote Security Vulnerabilities
 
RETIRED: BackupPC 'RestoreFile.pm' Cross Site Scripting Vulnerability
 
BackupPC 'index.cgi' Multiple Cross Site Scripting Vulnerabilities
 

Posted by InfoSec News on Jan 14

http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/240146180/how-cybercriminals-choose-their-targets-and-tactics.html

By Randy George
Contributing Writer
Dark Reading
Jan 13, 2013

[Excerpted from "How Cybercriminals Choose Their Targets and Tactics," a
new, free report posted this week on Dark Reading's Advanced Threats
Tech Center.]

When police officers go undercover, they must successfully blend...
 

Posted by InfoSec News on Jan 14

http://news.techworld.com/security/3420347/important-scada-systems-secured-using-weak-logins-researchers-find/

By John E Dunn
Techworld
14 January 2013

Thousands of critical SCADA systems reachable from the Internet are
secured by dangerously weak default passwords, a survey carried out with
the help of the US Department of Homeland Security has found.

According to a third-party report, Bob Radvanovsky and Jacob Brodsky of
consultancy...
 

Posted by InfoSec News on Jan 14

“Nullcon’s 5th International Security Conference”, on 27th Feb - 2 March
2013 @ Bogmallo Beach Resort, Goa (http://nullcon.net)

Nullcon security conference is well known for its speakers and talks where
new vulnerabilities, risks and attacks on systems are responsibly disclosed
along with their prevention mechanisms.

The conference ensures a great learning experience and networking.

The conference is attended by the who's who in...
 

Posted by InfoSec News on Jan 14

http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html

By Ryan Gallagher
Slate
Jan. 14, 2013

Behind computer screens from France to Fort Worth, Texas, elite hackers
hunt for security vulnerabilities worth thousands of dollars on a
secretive unregulated marketplace.

Using sophisticated techniques to detect weaknesses in widely used
programs like Google Chrome, Java, and...
 

Posted by InfoSec News on Jan 14

http://arstechnica.com/security/2013/01/massive-espionage-malware-relied-on-java-exploit-to-infect-pcs/

By Dan Goodin
Ars Technica
Jan 14 2013

Attackers behind a massive espionage malware campaign that went
undetected for five years relied in part on a vulnerability in the
widely deployed Java software framework to ensnare their victims, a
security researcher said.

The unknown attackers infected computers operated by the Russian...
 