Hackin9

The FBI is warning that members of the Anonymous hacking collective have breached computers belonging to multiple government agencies and made off with sensitive information in a series of attacks that started almost a year ago, according to a published report.

The warning is linked to the case of a British resident indicted two weeks ago on charges that he hacked databases belonging to the Department of Energy, the Department of Health and Human Services, the US Sentencing Commission, and other US agencies, Reuters reported Friday, citing an FBI memo. Lauri Love, prosecutors have alleged, exploited a flaw in Adobe's ColdFusion Web application development software and used his access to install backdoors that allowed him to return on subsequent occasions.

"The majority of the intrusions have not yet been made publicly known," Thursday's FBI memo stated. "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed."

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The prospect of raising the cap on H-1B visas is worrying some academics, who say it would mean stiff competition for grads from lower-wage H-1B workers.
 

A hacking contest that makes sport out of serious security bugs paid $117,500 this week for exploits that compromised handheld devices powered by both Apple's iOS and Google's Android mobile operating systems.

The biggest of the three cash prizes was $50,000, paid to "Pinkie Pie," a pseudonymous hacker not yet past his 21st birthday, who already has collected at least two major bug bounties in the past 19 months. His previous hacks exploited vulnerabilities in Google's Chrome browser that gave him complete control of the underlying computer when it did nothing more than visit a booby-trapped website. At the Mobile Pwn2Own 2013 contest that wrapped up this week in Tokyo, he used similar drive-by attacks against Chrome to commandeer both a Nexus 4 and a Samsung Galaxy S4, which both run Android.

Like most modern browsers, Chrome is endowed with security mitigations designed to minimize the damage that can be done when hackers identify buffer overflows and other types of software bugs that are inevitable in just about all complex pieces of software. The security measures, which include "sandboxes" that confine Web content inside a carefully controlled perimeter, significantly increase the amount of work that attackers must put into developing working exploits. Together with address space layout randomization and data execution prevention, these mitigations force hackers to chain two or more exploits against multiple vulnerabilities in the targeted device.

Conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web and mobile applications developed by service vendors and/or commercial software providers. The current third party controls established in the past 10-15 years were adopted by financial service firms and incorporated into their respective third party governance programs.
 
Facebook on Friday moved ahead with some proposed changes to its privacy policies to clarify that users' posts on the site can be used in advertisements, but that users have controls to limit their appearance.
 
The technology team working on the troubled HealthCare.gov has made significant progress in recent days, with error rates on the U.S. government's health insurance shopping site down to less than 1% from 6% just after its launch, officials said Friday.
 
A member of the hacker group Anonymous was sentenced Friday to 10 years in prison for hacking into the computers of a geopolitical analysis firm.
 
IBM Java CVE-2013-4041 Unspecified Security Bypass Vulnerability
 
IBM Java CVE-2013-5375 Unspecified Security Bypass Vulnerability
 
NASA's MAVEN spacecraft has been given the go to launch Monday on a mission to help scientists figure out what happened to all of the water that once flowed on the Martian surface.
 
The Internet Security Alliance, a multi-sector trade association, wants to know what adoption of a new cybersecurity framework will entail for companies in critical infrastructure industries.
 
Microsoft's abandonment of its so-called "stack ranking" method of evaluating employees should not come as a surprise, said an expert in human resources today.
 
Apple's global marketing chief told a California courtroom on Friday that Apple had a tougher time selling the iPhone after Samsung launched its own smartphones with a similar design.
 
 
Google Play Music, a rival option to streaming services like Spotify and Rdio, is now available for iOS, six months after launching on the web and Android-based devices.
 
Jumping on the trend of using printers to churn out objects, Microsoft has developed a 3D printing app for Windows 8.1, betting that this will become mainstream.
 
With its new-found focus on IP networking and fast broadband access, Alcatel-Lucent is poised to take advantage of a worldwide explosion in mobile devices and the rush of service providers and operators to the cloud, company executives said at the networking vendor's tech symposium this week.
 
Google plans to build solar power plants in California and Arizona that are expected to be operational by early 2014 and will generate enough clean electricity to power more than 17,000 U.S. homes.
 
In the life of every device, there's a moment when you wonder whether it's finally obsolete. If you're wondering that about the original iPad, columnist Michael deAgonia has some advice.
 
With its new AppStream offering, Amazon is offering intensive graphics processing as a service, with the promise of freeing developers from worrying about the rendering capabilities of each user's device.
 
The suspects will likely be shipped out from Tallinn, Estonia's capital city.

On Thursday, the Estonian government announced that it would extradite three of its citizens to the United States: Dmitry Yegorov, Timur Gerasimenko, and Konstantin Poltev. Another suspect, Anton Ivanov, was extradited and appeared in US court last year.

All four men are accused of taking part in "Operation Ghost Click,” a massive malware scheme. The FBI added one of the suspects to its “Cyber Most Wanted List” earlier this month.

Back in 2011, the United States government indicted seven alleged Estonian and Russian hackers for hijacking over 4 million computers worldwide—many at government agencies and large companies—using a trojan. The government accused the group of making over $14 million from traffic they drove to legitimate advertisers through contracts for paid traffic.

Apple yesterday updated its online iWork for iCloud productivity apps, adding collaboration tools that let users simultaneously edit documents, spreadsheets and presentations.
 
Consolidation will dominate the mobile market over the next couple of years. If your enterprise is using mobile technology from a small company, expect to have to upgrade.
 
OpenStack Compute (Nova) XenAPI Information Disclosure Weakness
 
OpenVAS Manager CVE-2013-6765 Authentication Bypass Vulnerability
 
OpenVAS Administrator CVE-2013-6766 Authentication Bypass Vulnerability
 
Amazon Web Services this week rolled out a new cloud-based data analytics tool named Kinesis, which can analyze massive amounts of data in real time and is billed by the hour.
 
Acer is trying to push down the prices of Chromebooks, announcing a new laptop with Chrome OS priced at $199.99.
 
LinuxSecurity.com: Updated ruby193-ruby packages that fix one security issue are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated kernel packages that fix two security issues, one bug, and add two enhancements are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated Foreman packages that fix one security issue are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated python-django packages that fix two security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
Perdition SSL/TLS Certificate Validation Security Bypass Vulnerability
 

Earlier this week, an update for MediaWiki fixed a bug in how it used caching headers [2]. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users behind the same proxy server. I think this is a good reason to talk a bit about caching in web applications and why it is important for security.

First of all: if your application is HTTPS only, this may not apply to you. Browsers do cache HTTPS responses (subject to the same headers), but a browser cache is per user; the sharing problem described here arises at proxies, which cannot inspect or cache HTTPS content unless they terminate the TLS connection. However, HTTPS-inspecting proxies are available and common in some corporate environments, so this *may* apply to them, even though I hope they do not cache HTTPS content.

The goal of properly configured caching headers is to keep personalized content out of shared caches such as proxies. The server has to send headers that indicate whether each response may be cached, and by whom.

Caching Related Response Headers

Cache-Control

This is probably the most important header when it comes to security. It takes a number of directives. Most importantly, a response can be marked "private" or "public": a shared cache such as a proxy will not store a response marked "private" (the user's own browser cache still may). Other directives are frequently misunderstood. "no-cache" does not mean "do not cache"; it only tells a cache to revalidate with the origin server before reusing a stored copy, so the copy may still be stored. "no-store" is the directive that actually prevents the request and response from being written to the cache. "no-transform" may matter for mobile users: some mobile providers compress or otherwise alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks, which could break digital signatures in some cases. "no-transform" prevents that (again, this does not matter for SSL, only if you rely on a transmitted digital signature to verify an image, for example). "max-age" indicates, in seconds, how long a response may be served from a cache without revalidation. Setting it to "0" makes the response stale immediately, so it must be revalidated before reuse; on its own it does not prevent storage.

A "safe" Cache-Control header would be:

Cache-Control: private, no-cache, no-store, max-age=0

Expires

Modern browsers give "Cache-Control: max-age" precedence over the Expires header. However, it is best to stay consistent. An expiration time in the past, or just the value "0" (not a valid date, which caches treat as already expired), will mark the response as stale.

ETag

The ETag will not prevent caching, but indicates whether content has changed. The ETag can be understood as a serial number that provides a more granular identification of stale content. In some cases the ETag is derived from information like file inode numbers that some administrators don't like to share. A nice way to come up with an ETag would be to just send a random number, or not to send it at all. I am not aware of a way to randomize the ETag.

Pragma

This is an older header, which has been superseded by "Cache-Control". A "Pragma: no-cache" response header is honored by HTTP/1.0 caches that do not understand Cache-Control and is treated like "Cache-Control: no-cache".

Vary

The "Vary" header tells a cache which request header fields, in addition to the URL, select a stored response. By default a cache keys its entries on the URL alone; request headers like User-Agent or Accept-Language are ignored. If your application serves different content depending on, for example, the User-Agent, "Vary: User-Agent" instructs the cache to keep a separate copy per User-Agent value instead of handing one client's version to another. For our discussion this does not really matter, because we never want the request or response to be stored in the first place, so it is best to have no Vary header.

In summary, a safe set of HTTP response headers may look like:

Cache-Control: private, no-cache, no-store, max-age=0, no-transform
Pragma: no-cache
Expires: 0

The "Cache-Control" header is probably overdone in this example, but should cover various implementations. 

A nice tool to test this is ratproxy, which will identify inconsistent cache headers [3]. For example, ratproxy will alert you if a "Set-Cookie" header is sent with a cachable response.
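As an added example (not code from the ISC diary, MediaWiki or ratproxy), here is a small Python checker that applies the rules above to a few constructed responses. The header sets in SAMPLES are made up for illustration, and the function names parse_cache_control, freshness_seconds, analyze and cache_key are this example's own. It shows that "no-cache" alone still leaves the response storable, flags a Set-Cookie sent with a storable response the way ratproxy does, derives freshness from max-age or Expires (including the invalid "0" date), and keys cache entries by the request headers named in Vary.

```python
"""Cache-safety checker for HTTP response headers.

Applies the rules discussed above (no-store vs. no-cache, private vs. public,
max-age / Expires, Pragma, Set-Cookie on a storable response, Vary) to a few
constructed responses. Sample header values are made up for this example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses; none is captured from a real server.
SAMPLES = {
    # no-cache alone: a proxy may still store this, and the Set-Cookie goes with it.
    "leaky": {"Cache-Control": "no-cache", "Set-Cookie": "session=abc123"},
    # The header set recommended in the text.
    "safe": {
        "Cache-Control": "private, no-cache, no-store, max-age=0, no-transform",
        "Pragma": "no-cache",
        "Expires": "0",
        "Set-Cookie": "session=abc123",
    },
    # Genuinely public content, fine to cache for ten minutes.
    "public": {"Cache-Control": "public, max-age=600"},
}


def parse_cache_control(value):
    """'private, max-age=0, no-store' -> {'private': None, 'max-age': '0', 'no-store': None}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, sep, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def freshness_seconds(headers, now=None):
    """Seconds a cache may serve the copy without revalidating.

    max-age wins over Expires; an unparsable Expires such as "0" counts as
    already expired; None means neither header is present (heuristic freshness).
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if cc.get("max-age") is not None and cc["max-age"].isdigit():
        return int(cc["max-age"])
    if "expires" in h:
        try:
            exp = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):  # "0" or any other invalid date
            return 0
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return max(0, int((exp - now).total_seconds()))
    return None


def analyze(headers, shared_cache=True):
    """Return (storable, findings) for one response.

    storable: whether a cache (a shared proxy by default) may keep a copy at all.
    findings: problems a reviewer would flag, in the spirit of ratproxy's
    Set-Cookie-on-cacheable-response warning.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []

    # no-store forbids storage everywhere; private forbids it in shared caches only.
    storable = "no-store" not in cc and not (shared_cache and "private" in cc)

    if "no-cache" in cc and h.get("pragma", "").lower() != "no-cache":
        findings.append("Cache-Control: no-cache without Pragma: no-cache (HTTP/1.0 caches only see Pragma)")
    if storable:
        if "no-cache" in cc:
            findings.append("no-cache only forces revalidation; the copy is still stored. Add no-store")
        if "set-cookie" in h:
            findings.append("Set-Cookie sent with a storable response: session may be served to other users")
    return storable, findings


def cache_key(url, request_headers, vary=""):
    """Key a stored response the way a cache does: URL plus the request
    headers named in Vary. Without Vary, User-Agent etc. are ignored;
    'Vary: *' means no later request may reuse the entry (None)."""
    if vary.strip() == "*":
        return None
    req = {k.lower(): v for k, v in request_headers.items()}
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    return (url,) + tuple((n, req.get(n, "")) for n in names)


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        storable, findings = analyze(hdrs)
        print(f"{name}: storable={storable} fresh_for={freshness_seconds(hdrs)}s")
        for finding in findings:
            print("   -", finding)
```

Running it reports the "leaky" response as storable with three findings, the "safe" set as not storable with none, and the "public" response as storable for 600 seconds with none. Pass shared_cache=False to see that "private" alone still lets the user's own browser keep a copy, which is why "no-store" belongs in the recommended header.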

Anything I missed? Any other suggestions for proper cache control?

References:

[1] http://www.ietf.org/rfc/rfc2616.txt 
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
[3] https://code.google.com/p/ratproxy/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A year ago, the U.S. Department of Energy unveiled a $120 million plan to develop technology that can radically extend battery life, with a target date of 2017. The research effort is making progress.
 
OLAT LMS 'Calendar' Module Multiple HTML Injection Vulnerabilities
 

Johnson Pledges InfoSec Fixes at DHS
BankInfoSecurity.com (blog)
Jeh Johnson may soon be the Obama administration's new face on cybersecurity, but at his confirmation hearing to be the next Homeland Security secretary, he had relatively little to say about the subject. Johnson pledged to fix internal cybersecurity ...

 
Google released emergency security updates for Chrome in order to patch critical vulnerabilities demonstrated Thursday by a security researcher at the Mobile Pwn2Own hacking competition.
 
The newly seated chairman of the U.S. Federal Communications Commission has told mobile operators to voluntarily ease up on cellphone unlocking or risk being forced to do so.
 
The creators of a Web-based attack tool called Angler Exploit Kit have added an exploit for a known vulnerability in Microsoft's Silverlight browser plug-in to the tool's arsenal.
 
Google Chrome CVE-2013-6632 Multiple Unspecified Memory Corruption Vulnerabilities
 

 
The U.S. Federal Communications Commission has released a smartphone app that will allow users to measure the speed of their mobile broadband connection while providing aggregate data to the agency for measuring nationwide mobile broadband network performance.
 
The Central Intelligence Agency secretly collects data in bulk on international money transfers, under a program similar to the government's collection of phone records, according to reports.
 
A pair of inventory trackers, including one resurrected after Apple demanded it stop collecting data from its online store website, are helping buyers locate scarce Apple smartphones and tablets.
 
The government's insistence, in its dispute with Lavabit, that cloud service providers hand over their encryption keys when asked, has refocused attention on key ownership and management in the cloud.
 
Part 3 of our annual offering of gift suggestions has recommendations for iPhones, Android phones and Windows phones; we also have a wide range of cool and useful add-ons.
 
Microsoft Windows XML Digital Signatures CVE-2013-3869 Remote Denial of Service Vulnerability
 
Oracle Java SE CVE-2013-5776 Remote Security Vulnerability
 

Posted by InfoSec News on Nov 15

http://www.bankinfosecurity.com/vendor-breach-exposes-card-data-pii-a-6221

By Tracy Kitten
Bank Info Security
November 14, 2013

The breach of an Ireland-based loyalty marketing company, which
authorities confirm exposed payment card data on more than 376,000
consumers plus other personally identifiable information about more than 1
million, illustrates, yet again, the privacy vulnerabilities third parties
pose, experts say.

Ireland's...
 

Posted by InfoSec News on Nov 15

http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone

By Thom Holwerda
osnews.com
12th Nov 2013

I've always known this, and I'm sure most of you do too, but we never
really talk about it. Every smartphone or other device with mobile
communications capability (e.g. 3G or LTE) actually runs not one, but two
operating systems. Aside from the operating system that we as end-users
see (Android, iOS,...
 

Posted by InfoSec News on Nov 15

http://english.yonhapnews.co.kr/national/2013/11/14/53/0301000000AEN20131114008100315F.html

By Kim Eun-jung
Yonhap News Agency
2013/11/14

SEOUL -- South Korea's defense ministry is making guidelines of
psychological warfare operations for its Cyber Warfare Command as part of
efforts to reform the scandal-ridden unit to stay politically neutral, a
senior military official said Thursday.

The latest move comes as suspicions have grown...
 

Posted by InfoSec News on Nov 15

http://www.independent.co.uk/life-style/gadgets-and-tech/news/cyber-war-games-dubbed-waking-shark-ii-begin-for-londons-financial-institutions-8934780.html

By JAMES VINCENT
independent.co.uk
12 November 2013

Banks and stock exchanges in London today will be testing their cyber
security with a series of "war games" co-ordinated by financial regulators
and government officials.

The operation, dubbed "Waking Shark II", will...
 

Posted by InfoSec News on Nov 15

http://www.abc.net.au/news/2013-11-15/cyber-security-expert-warns-of-growing-threat/5093758

By Peter Ryan
Business Editor
ABC News
11/15/2013

A former cyber security advisor to President Barack Obama and George W
Bush is warning computer hackers are becoming more sophisticated and pose
an escalating threat to global security.

Melissa Hathaway, now an advisor to the technology giant Cisco, wants
cyber security put on the agenda for the next...
 
Microsoft Windows #GP Trap Handler Local Privilege Escalation Vulnerability
 
NEW VMSA-2013-0013 VMware Workstation host privilege escalation vulnerability
 
Re: Superuser unsanitized environment vulnerability on Android <= 4.2.x
 
APPLE-SA-2013-11-14-1 iOS 7.0.4
 
Re: Superuser unsanitized environment vulnerability on Android <= 4.2.x
 