InfoSec News

Samsung Electronics received the largest-ever fine on Monday for obstructing an inquiry from South Korea's trade regulator, which was investigating deceptive mobile phone pricing practices.
It's never been cheaper or easier to make movies, but many budding amateur filmmakers are still put off by the initial expense of purchasing a good camera and audio equipment. Thankfully, there's plenty of free content available for public use if you know where to look. You can turn that raw material into creative and inventive works of cinema with a few free video editing tools, some hard work and a place to share your movie with friends and family.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
One of the special features of Stuxnet was the use of a stolen private key to sign drivers. This made it harder to detect the injected files as malicious. Since (and before) Stuxnet, we have seen stolen keys used a few times. Most recently, Kaspersky is reporting about malware which employs a key stolen from Swiss company Conpavi AG [1].
Time to revisit some of the best practices for securing the private key. These rules are written with SSL keys in mind, but they apply to other private keys as well (SSH, PGP, code signing, ...).
First of all, limit the machines that the private key touches. Ideally, you have an isolated system that is used to create the key and to back it up. Then a dedicated USB key, a CD or another non-network medium is used to move the key to the server. At least one certificate authority I am aware of offers to create the private key for you. Don't. The certificate authority only needs the public key, which is included in the certificate signing request. It does not need the private key and should never ask for it.
It is possible to encrypt the private key. Whether this is appropriate depends very much on the use case. For a server SSL key, it implies that you will need to enter the passphrase whenever you restart the service. On the other hand, the key should only be readable by root, and if an attacker already has root, the attacker may be able to read the decrypted key directly from memory. For keys used for code signing, e-mail signatures or encryption, however, entering the passphrase is more feasible.
In some cases, the private key can be stored on a smart card and secured with a PIN. This is preferred for interactive applications if the key is used to log in to a system. For ssh, it is frequently required to use the key for automatic cron/batch processes. In this case, a specific key can be generated and its permissions can be limited (this is a topic for a follow up diary on securing ssh).
Before generating a key pair, think about how it is used and what parameters should be selected. Here are some of the options:
- Key strength: For RSA, a 2048-bit key is said to be equal in strength to a 112-bit symmetric cipher key. This is sufficient for most applications, but 4096 bits is typically preferred, as it is still feasible and doesn't break the bank :-) (you do want to use a tool that is part of the core OS install, in order to avoid additional untrusted software).
- Key transfer: If you don't create the key on the target server, you have to move it there somehow. Even if you create it on the target server, a backup may be necessary. The key should only be moved over an encrypted connection or in hardware (i.e., a USB token). I would try to avoid having all keys on one USB token (imagine plugging it into an infected server!). The keys should be encrypted at rest. A backup to DVD or CD may sound wasteful (a couple of KB of keys on a GB of DVD), but it's $1 per key, hopefully less than you made reading this article. CDs and DVDs are easily archived and accounted for. However, not all servers have DVD/CD drives.
There are a number of hardware solutions for storing keys that are more appropriate for servers. They tend to be a bit more pricey (I have seen them for $500) and may not work in all cases. They are typically referred to as hardware security modules (HSMs) and may include random number generators.
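As an added example (not code from the diary), the key-creation step described above as a POSIX shell script: the private key is created with owner-only permissions and encrypted under a passphrase, and the CA gets only a CSR, which is checked to carry the matching public key and nothing secret. It assumes openssl is installed; the work directory, subject name and passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: generate an RSA key pair on an
# isolated host, keep the private key owner-only and encrypted at rest, and hand
# the CA a CSR that carries only the public key. Assumes openssl is installed;
# the work directory, subject name and passphrase below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"   # encrypted private key; stays on this host or offline media
CSR="$WORKDIR/server.csr"   # the only artefact the CA needs
BITS="${BITS:-4096}"        # 2048 ~ 112-bit symmetric strength; 4096 is still cheap
PASS="${KEY_PASSPHRASE:-placeholder-passphrase}"   # placeholder; read from env in practice

# Create the private key readable by its owner only and encrypted with AES-256.
gen_key() {
    umask 077
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" "$BITS" 2>/dev/null
}

# Build the CSR from the key; the CSR embeds the public key, never the private one.
gen_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PASS" \
        -subj "/CN=example.invalid" -out "$CSR" 2>/dev/null
}

# Checks a practitioner would run before anything leaves the isolated host.
key_is_encrypted()       { grep -q 'ENCRYPTED' "$KEY"; }       # passphrase protects it at rest
key_mode()               { ls -l "$KEY" | cut -c1-10; }        # expect -rw-------
csr_has_no_private_key() { ! grep -q 'PRIVATE KEY' "$CSR"; }   # nothing secret goes to the CA
# The public key inside the CSR must be the one derived from our private key.
csr_matches_key() {
    k=$(openssl rsa -in "$KEY" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl req -in "$CSR" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

gen_key
gen_csr
key_is_encrypted && csr_has_no_private_key && csr_matches_key \
    && echo "key at $KEY (mode $(key_mode)), CSR at $CSR is ready for the CA"
```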
Any other ideas? Anything I missed?

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

As companies sort out their cloud strategies, some are finding cloud-based single sign-on (SSO) can be a high-tech "perk" for customers.
Why is it that companies that should know better embark on programs of customer abuse when they should stop and think like a customer, at least for a few seconds? This is a small tale of a company getting it right, then making three all-too-common mistakes. These are not the only ways a company can abuse its customers, but is an example of the kind of non-thinking that should be avoided.
Apple today said it has sold three million new iPads since the tablet's unveiling earlier this month. Not surprisingly, the company is pleased with the launch.
The development of online privacy protections is at a critical moment as policy makers in both the U.S. and European Union push for changes to their privacy rules, but coordination of enforcement across the Atlantic Ocean may be tricky, several privacy experts said Monday.
The U.S. Federal Aviation Administration may take another look at limits on personal electronic devices like the new iPad on flights. But don't expect any changes anytime soon.

Researchers at Kaspersky Labs have determined the authors of Duqu, the remote access Trojan often linked to Stuxnet, used a custom version of the C programming language to write the module used to communicate with its command-and-control servers.

Kaspersky, which has done deep analysis of the Duqu Trojan code framework, was having difficulty identifying the programming language and put out a call to the development community to help identify it. Most malware, Kamluk said, is written in simpler and faster languages such as Delphi. The lab got more than 200 responses and, after further analysis, arrived at the conclusion that the code was written in a custom object-oriented C dialect known as OO C, which was compiled with the Microsoft Visual Studio Compiler 2008, Kamluk said.

“Few [malware writers] write in assembler and C; this is pretty rare,” Kamluk said. “Using custom frameworks is quite specific. We think they are software programmers, not criminals. This is what we call ‘civil code.’”

So what’s the big deal? Well, this likely confirms nation-state involvement in the development of Duqu. No organized band of credit card thieves or hacktivists is going to invest the time and money to build a Trojan using a reusable development framework in a language used for complex enterprise applications. Kaspersky also indicated a level of separation between developers on the team, groups of which could have been developing different components of the Trojan without knowing the full mission—plausible deniability.

The primary mission of Duqu, unlike Stuxnet, is to gather and forward information from its targets. Duqu has nowhere near the penetration of Stuxnet because it has no worming capabilities. Instead, Kamluk said, it is targeted toward specific computers or people. “It has to be sent to a target and the target must execute it,” he said.

Kamluk characterized the authors as “old-school professional developers” with a comfort level in C, which works faster and is more efficient when compiled versus languages such as Delphi. Also, Kamluk said, the framework is reusable.

“This framework could be designed by someone and other developers would use this approach to write code. This is a bigger development team, possibly 20 to 30 people,” he said. “There was a special role too of a software architect who oversaw the project and development of the framework that was reused. Other roles were likely command-and-control operators, others developing zero-day attacks, others in propagation and social engineering.”

“We suspect it could be within different organizations and each responsible for a particular part of the code, not knowing what it would be used for. They didn’t know they were developing malware probably,” Kamluk said.

While he wasn’t ready to identify the authors by name or location, Kamluk said Kaspersky was seeing some Duqu infections in Sudan, Iran and some European countries. Stuxnet, which is widely believed to be a joint U.S.-Israel operation targeting a nuclear facility in Iran, is linked to Duqu because of similarities in code and code structure.

“We are not close to answering which country might be behind Duqu,” Kamluk said. “They try to hide their identities by not using any language constructions in the code. There are no words inside the code, no random names of files or system objects. They stayed language independent.”


Warren Kruse, VP of Data Forensics with Altep Inc. to Lecture at MIS Infosec World
PR.com (press release)
Altep, Inc. announced that Warren Kruse, VP of Data Forensics, will teach a special session on computer forensics at the Infosec World Conference. El Paso, TX, March 19, 2012 --(PR.com)-- Altep, Inc., a leader and innovator in the fields of electronic ...

March Madness may be fun for college basketball fans, but it can be a nightmare for IT departments trying to keep their networks running normally.
The Duqu Trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, may have been written by experienced old school programmers, a security researcher at Kaspersky Labs said Monday.
[SECURITY] [DSA 2436-1] libapache2-mod-fcgid security update
Re: [oss-security] Case YVS Image Gallery
Aruba Networks multiple advisories: OS command injection in RAP web interface and 802.1X EAP-TLS user authentication bypass
As desktop as a service (DaaS) continues to mature as a potential option for enterprises, service providers are attempting to automate and optimize their DaaS offerings, which officials at Citrix say will ultimately lead to lower costs and more choices for end users.
Although NetZero generated some buzz today with headlines heralding free no-contract WiMAX services, you might not want to utilize them unless you don't use a lot of data.
ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
VUPEN Security Research - Adobe Flash Player "Matrix3D" Remote Memory Corruption (CVE-2012-0768)
Apple today said sales of the new iPad over the weekend set a record, and not surprisingly, that it is pleased with the tablet's debut.
Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability
Here's a look at a few Wi-Fi stumblers for your Android smartphone or tablet, which makes it even more convenient for quick and simple wireless checks. Insider (registration required)
Computer hackers could create malicious software that crosses the line from technology to biology, crafting viruses that could spread dangerous epidemics, researchers said at Black Hat Europe.
[security bulletin] HPSBPI02728 SSRT100692 rev.5 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
ESA-2012-014: RSA enVision Multiple Vulnerabilities
at32 ReverseProxy - Multiple HTTP Header Field Denial Of Service Vulnerability
Android wipe unreliable
The good news for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and 10 times less expensive than the luggable notebooks of the early 1980s.
Apple today announced it would begin paying quarterly stock dividends, and later this year, will begin to buy back shares of its stock.
Version 3.3 of the Linux kernel, now available after a short delay, includes kernel code from Android as well as an upgrade of networking features and support for an additional processing architecture.
VMSA-2012-0005 VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, ESXi and ESX address several security issues
Hackers claimed to have figured out a way to bypass Apple's technical restrictions and install unauthorized applications on the company's latest iPad upon its release last Friday.
Microsoft is planning to roll out its first "cloud-enabled" Dynamics ERP (enterprise resource planning) applications by the end of this year, the company announced Monday during the Convergence conference in Houston.
Things I'd like to see in upcoming editions of OS X:
Microsoft has kicked off a new marketing campaign for Internet Explorer 9 that urges users of rival browsers to run it, even if only sparingly for 'a few sites that you go to every day.'

SANS Institute Helps Organizations Deflect Cyber Attacks with Web Application ...
Sacramento Bee
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.
The big data revolution is creating a new breed of business-IT jobs -- and threatening to destabilize dyed-in-the-wool IT careers
As the General Services Administration (GSA) migrates to a work-anywhere, work-anytime strategy, the real estate arm of the U.S. federal government is discovering that having an iron-clad security strategy is critical to its adoption of cloud-based applications.
Blue Coat Systems today said it's unified the real-time reporting in its cloud-based security service with that in its full line of ProxySG security appliances so that enterprises receive real-time information related to both.
EBay subsidiary PayPal plans to enter China and India's online payment markets, marking a major push by the U.S. company in the region.
After the loss of Steve Jobs in October, there was concern that Apple would lose its way. The arrival of the new iPad shows those fears were unfounded; it remains the epitome of what a tablet computer should be.
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0461 Memory Corruption Vulnerability
An order granted to law enforcement allowing them to seize luxury cars and other personal effects from the estate of Megaupload founder Kim Dotcom is invalid, a judge in New Zealand ruled on Friday.
The site/forum which is dedicated to helping out webmasters who have adult based sites by providing information and a community to share ideas.

TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote Denial of Service Vulnerability

Posted by InfoSec News on Mar 18


By Josh Smith
National Journal

Cyberattacks on the federal government continue to increase, but most
were "phishing" attempts and reports of threats largely leveled out in
the past year, according to the Office of Management and Budget.

OMB reported a 5 percent increase in cyberattacks on federal networks in
2011, based on reports to the U.S. Computer Emergency...

Posted by InfoSec News on Mar 18


By Dino Grandoni
The Atlantic Wire
March 15, 2012

By one study's measure, slightly more than half of all the Internet's
traffic comes from computers not being used by fleshy humans that might
actually purchase products.

That's according to study released today by Incapsula, an Internet
security firm, begging the question: What...

Posted by InfoSec News on Mar 18


By Dan Goodin
Ars Technica
March 16, 2012

Attack code privately submitted to Microsoft to demonstrate the severity
of a critical Windows vulnerability is circulating on the 'Net,
prompting the researcher who discovered it to say it was leaked by the
software maker or one of its trusted partners.

The precompiled executable...

Posted by InfoSec News on Mar 18


By Emil Protalinski
Zero Day
March 18, 2012

112 Indian government websites were hacked in the last three months,
according to Sachin Pilot, Minister of State for Communications and IT.
The hacked websites were part of government agencies belonging to Andhra
Pradesh, Madhya Pradesh, Rajasthan, Tamil Nadu, Maharashtra, Gujarat,
Kerala, Orissa, Uttar...

Posted by InfoSec News on Mar 18


By Oded Yaron
Haaretz Daily Newspaper

Israel's Justice Ministry on Sunday released guidelines forbidding
unnecessary collection of personal national identification numbers. The
Authority for Technology and Information Law, a subsidiary of the
Justice Ministry, decided to release the stricter...