Information Security News
The FBI is warning that members of the Anonymous hacking collective have breached computers belonging to multiple government agencies and made off with sensitive information in a series of attacks that started almost a year ago, according to a published report.
The warning is linked to the case of a British resident indicted two weeks ago on charges that he hacked databases belonging to the Department of Energy, the Department of Health and Human Services, the US Sentencing Commission, and other US agencies, Reuters reported Friday, citing an FBI memo. Lauri Love, prosecutors have alleged, exploited a flaw in Adobe's ColdFusion Web application development software and used his access to install backdoors that allowed him to return on subsequent occasions.
"The majority of the intrusions have not yet been made publicly known," Thursday's FBI memo stated. "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed."
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A hacking contest that makes sport out of serious security bugs paid $117,500 this week for exploits that compromised handheld devices powered by both Apple's iOS and Google's Android mobile operating systems.
The biggest of the three cash prizes was $50,000, paid to "Pinkie Pie," a pseudonymous hacker not yet past his 21st birthday, who already has collected at least two major bug bounties in the past 19 months. His previous hacks exploited vulnerabilities in Google's Chrome browser that gave him complete control of the underlying computer when it did nothing more than visit a booby-trapped website. At the Mobile Pwn2Own 2013 contest that wrapped up this week in Tokyo, he used similar drive-by attacks against Chrome to commandeer both a Nexus 4 and a Samsung Galaxy S4, which both run Android.
Like most modern browsers, Chrome is endowed with security mitigations designed to minimize the damage that can be done when hackers identify buffer overflows and other types of software bugs that are inevitable in just about all complex pieces of software. The security measures—which include "sandboxes" that contain Web content inside a carefully controlled perimeter—significantly increase the amount of work that attackers must put into developing working exploits. Together with address space layout randomization and data execution prevention, these mitigations force hackers to chain two or more exploits for multiple vulnerabilities in the targeted device.
On Thursday, the Estonian government announced that it would extradite three of its citizens to the United States: Dmitry Yegorov, Timur Gerasimenko, and Konstantin Poltev. Another suspect, Anton Ivanov, was extradited and appeared in US court last year.
All four men are accused of taking part in "Operation Ghost Click," a massive malware scheme. The FBI added one of the suspects to its "Cyber Most Wanted List" earlier this month.
Back in 2011, the United States government indicted seven alleged Estonian and Russian hackers for hijacking over 4 million computers worldwide—many at government agencies and large companies—using a trojan. The government accused the group of making over $14 million from traffic they drove to legitimate advertisers through contracts for paid traffic.
Earlier this week, an update for MediaWiki fixed a bug in how it used caching headers. The headers allowed authenticated content to be cached, which could lead to sessions being shared between users behind the same proxy server. I think this is a good reason to talk a bit about caching in web applications and why it matters for security.
First of all: if your application is HTTPS only, this may not apply to you. The browser does not typically cache HTTPS content, and proxies will not inspect it. However, HTTPS-inspecting proxies are available and common in some corporate environments, so this *may* apply to them, even though I hope they do not cache HTTPS content.
The goal of properly configured caching headers is to keep personalized information from being stored in proxies. The server needs to include the appropriate headers to indicate whether a response may be cached.
The Cache-Control header is probably the most important header when it comes to security. There are a number of options associated with it. Most importantly, the page can be marked as "private" or "public". A proxy will not cache a page that is marked "private". Other options are sometimes used inappropriately. For example, the "no-cache" option only means that the proxy must re-validate the page each time it is requested; the proxy may still store the page. A better option to add is "no-store", which prevents both request and response from being stored by the cache.
The "no-transform" option may be important for mobile users. Some mobile providers compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks. This could break digital signatures in some cases, and "no-transform" prevents it (but again: this doesn't matter for SSL, only if you rely on transmitted digital signatures to verify an image, for example).
The "max-age" option indicates how long a response may be cached. Setting it to "0" will prevent caching.
A "safe" Cache-Control header would be:
Cache-Control: private, no-cache, no-store, max-age=0
Modern browsers tend to rely less on the Expires header. However, it is best to stay consistent. An expiration time in the past, or just the value "0", will prevent caching.
The ETag will not prevent caching, but it indicates whether content has changed. The ETag can be understood as a serial number that provides a more granular identification of stale content. In some cases the ETag is derived from information like file inode numbers that some administrators don't like to share. A nice way to come up with an ETag would be to just send a random number, or not to send one at all. I am not aware of a way to randomize the ETag.
Pragma is an older header that has been replaced by the "Cache-Control" header. "Pragma: no-cache" is equivalent to "Cache-Control: no-cache".
The "Vary" header is used to ignore certain header fields in requests. A cache will index all stored responses based on the content of the request. The request consists not just of the URL requested but also of other headers, for example the User-Agent field. You may decide to deliver the same content independent of the user agent, and as a result "Vary: User-Agent" would help the proxy identify that you don't care about the user agent. For our discussion this doesn't really matter, because we never want the request or response to be cached, so it is best to send no Vary header.
In summary, a safe set of HTTP response headers may look like:
Cache-Control: private, no-cache, no-store, max-age=0, no-transform
Pragma: no-cache
Expires: 0
The "Cache-Control" header is probably overdone in this example, but should cover various implementations.
A nice tool to test this is ratproxy, which will identify inconsistent cache headers. For example, ratproxy will alert you if a "Set-Cookie" header is sent with a cacheable response.
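As an added example (not from the diary, and not ratproxy's own code), here is a small Python checker that applies the rules above to one response's header set, including the Set-Cookie-on-a-storable-response case ratproxy reports. The two sample header dictionaries are constructed, not captured from any real site.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split 'private, max-age=0' into {'private': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        name, sep, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') if sep else None
    return directives

def audit_headers(headers, now=None):
    """Return findings for one response's headers (dict, keys in any case).

    An empty list means a shared proxy has no reason to store the response
    under the rules in the diary above."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "public" in cc:
        findings.append("response marked public")
    elif "private" not in cc:
        findings.append("missing private: shared caches may store it")
    if "no-store" not in cc:
        findings.append("no-cache alone: cache may still store the response"
                        if "no-cache" in cc else "missing no-store")
    max_age = cc.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"max-age={max_age} permits caching")
    expires = h.get("expires", "0").strip()
    # RFC 7234 treats an unparseable Expires (including "0") as already past,
    # so only a parseable date in the future is worth flagging.
    try:
        if expires not in ("0", "-1") and parsedate_to_datetime(expires) > now:
            findings.append(f"Expires in the future: {expires}")
    except (TypeError, ValueError):
        pass
    if "set-cookie" in h and "no-store" not in cc:
        findings.append("Set-Cookie on a storable response (the ratproxy check)")
    return findings

# Constructed sample responses, not captured from any real site.
LEAKY = {"Cache-Control": "public, max-age=3600", "Set-Cookie": "session=abc123",
         "Expires": "Thu, 01 Jan 2037 00:00:00 GMT"}
SAFE = {"Cache-Control": "private, no-cache, no-store, max-age=0, no-transform",
        "Pragma": "no-cache", "Expires": "0", "Set-Cookie": "session=abc123"}
```

Running `audit_headers(LEAKY)` lists five problems, while `audit_headers(SAFE)` returns an empty list for the header set recommended above.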
Anything I missed? Any other suggestions for proper cache control?
Johnson Pledges InfoSec Fixes at DHS
Jeh Johnson may soon be the Obama administration's new face on cybersecurity, but at his confirmation hearing to be the next Homeland Security secretary, he had relatively little to say about the subject. Johnson pledged to fix internal cybersecurity ...
Posted by InfoSec News on Nov 15: http://www.bankinfosecurity.com/vendor-breach-exposes-card-data-pii-a-6221
Posted by InfoSec News on Nov 15: http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
Posted by InfoSec News on Nov 15: http://english.yonhapnews.co.kr/national/2013/11/14/53/0301000000AEN20131114008100315F.html
Posted by InfoSec News on Nov 15: http://www.independent.co.uk/life-style/gadgets-and-tech/news/cyber-war-games-dubbed-waking-shark-ii-begin-for-londons-financial-institutions-8934780.html
Posted by InfoSec News on Nov 15: http://www.abc.net.au/news/2013-11-15/cyber-security-expert-warns-of-growing-threat/5093758