Information Security News
Infosec still a concern for state's Auditor-General
Information security remains an area of concern for the state's Auditor-General. Photo: Michele Mossop. Information security remains an area of concern for Queensland's Auditor-General, with the number of “significant control weaknesses” identified ...
In addition to the Java vulnerabilities that I covered earlier, there is at least one more vulnerability that warrants attention. CVE-2013-3751, a problem in the XML parser of Oracle Database. Reading the description, I had a bit of a dÃ©jÃ -vu, also because of the CVE number from last year. And digging into past alerts, I found that, yes, this has indeed been patched before:
Looks like the Oracle 12 code was forked before the 11g patch went in, and nobody ported it over, so Oracle 12 remained exposed to the same bug until now. This speaks volumes about Oracle's software development life cycle and security processes... Dear Larry Ellison: how about writing a "Trustworthy Computing" memo for your staff, and then following through on it? I'm sure Bill Gates won't mind much if you simply copy his from 2002 and do a little search-and-replace.
For other untrustworthy computing features brought to you by this month's CPU patch bundle, see https://blogs.oracle.com/security/ and http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
Â(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Sean Gallagher
What appears to be an internal Wiki page detailing the cyber-weaponry used by the British spy agency GCHQ was published today by Glenn Greenwald of The Intercept. The page, taken from the documents obtained by former NSA contractor Edward Snowden, lists dozens of tools used by GCHQ to target individuals and their computing devices, spread disinformation posing as others, and “shape” opinion and information available online.
The page had been maintained by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) Covert Internet Technical Development team, but it fell out of use by the time Snowden copied it. Greenwald and NBC previously reported on JTRIG’s “dirty tricks” tactics for psychological operations and information warfare, and the new documents provide a hint at how those tactics were executed. GCHQ’s capabilities included tools for manipulating social media, spoofing communications from individuals and groups, and warping the perception of content online through manipulation of polls and web pages’ traffic and search rankings.
Originally intended to inform other organizations within GCHQ (and possibly NSA) of new capabilities being developed by the group, the JTRIG CITD team noted on the page, “We don’t update this page anymore, it became somewhat of a Chinese menu for effects operations.” The page lists 33 “effects capability” tools, as well as a host of other capabilities for collecting information, tracking individuals, attacking computers, and extracting information from seized devices.
"You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," writes Google security researcher Chris Evans. To help make that a reality, Google has put together a new team of researchers whose sole purpose is to find security flaws in software—any software—that's used on the Internet.
Google employees have found and reported security flaws in the past, but only as a part-time effort. The new "Project Zero" team will be dedicated to hunting for the kind of exploitable flaws that could be used to spy on human rights activists or conduct industrial espionage. Aiming to disrupt targeted attacks, the team will look at any software that's depended on by a large number of people.
Project Zero will report bugs it finds only to the software vendor, and it will give those vendors 60 to 90 days to issue patches before public disclosure. This time frame may be reduced for bugs that appear to be actively exploited.
Welcome to the n-th iteration of "patch now" for Java on Workstations. Oracle today published their quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE. Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow.
Oracle/Java is probably by now one of the most successful charities in the world, it continues to do an outstanding job at enabling significant wealth transfer to support poor cyber criminals and their families. Except that the sources of the funds usually have no idea, and didn't agree to donate directly from their bank accounts ...
After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or to at least no longer run the Java plugin within the web browser. Otherwise, it is back to the hamster wheel, to yet again re-test all your applications that still require Java, to check for the inevitable incompatibilities with this latest release, and then to expedite the roll-out. This is definitely a patch that you don't want to skip or delay.
The full Oracle patch bulletin is available here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA .
The other Oracle patches (for database, etc) released in today's patch CPU are still under analysis here at SANS ISC. I'll post about them later, if warranted.(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Update: A few hours after this article was published, OpenBSD founder Theo de Raadt emailed Ars and wrote: "It is way overblown. This will never happen in real code." The vulnerability, cataloged as CVE-2014-2970, already has been patched, with modified code located here.
The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.
The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers. When done correctly, the pool of numbers supplied is so vast that the output will almost never be repeated in subsequent requests, and there should be no way for adversaries to accurately predict which numbers are more likely than others to be chosen. Generators that don't produce an extremely large pool of truly random numbers can undermine an otherwise robust encryption scheme. The Dual EC_DRBG influenced by the National Security Agency and used by default in RSA's BSAFE toolkit, for instance, is reportedly so predictable that it can undermine the security of applications that rely on it.
Posted by InfoSec News on Jul 15http://www.infosecnews.org/hacking-a-100k-tesla-model-s-for-fun-and-10k-profit/
Posted by InfoSec News on Jul 15http://thehill.com/regulation/212134-fcc-mulls-emergency-alert-system-overhaul-for-broadcasters
Posted by InfoSec News on Jul 15http://variety.com/2014/tv/news/mr-robot-usa-sam-esmail-1201262044/
Posted by InfoSec News on Jul 15http://www.eweek.com/security/chinese-hacker-charged-with-stealing-u.s.-defense-contractor-secrets.html
Posted by InfoSec News on Jul 15http://blogs.wsj.com/riskandcompliance/2014/07/11/survey-roundup-cybersecurity-complacency-threatens-ma-deals/
Posted by InfoSec News on Jul 15Forwarded from: "Jackie Blanco" <jackie (at) sdiwc.info>
Posted by InfoSec News on Jul 15http://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-keep-hackers-at-bay/