(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM Java SDK CVE-2014-3065 Local Arbitrary Code Execution Vulnerability

The No. 2 official at the Justice Department recently warned top Apple executives that stronger encryption protections added to iPhones would lead to a horrific tragedy, such as a child dying, because police couldn't access a suspect's device, The Wall Street Journal reported Wednesday.

The beefed-up protections, Apple recently disclosed, mean that even when company officials are served with a court order, they will be unable to retrieve potentially crucial evidence such as photos, messages, or contacts stored on iPhones and iPads. Instead, the data can be accessed only by people who know the passcode that serves as the encryption key.

Justice Department officials wasted no time objecting to the changes and used the scenario of a child being kidnapped and murdered to drive home their claim that Apple was "marketing to criminals." According to the WSJ, Justice Department officials including Deputy Attorney General James Cole met with Apple General Counsel Bruce Sewell and two other company employees on October 1. Reporters Devlin Barrett, Danny Yadron, and Daisuke Wakabayashi gave the following account, which they attributed to the recollections of people who attended.



Windows tech support scams have been conning PC users out of money for years, and there's seemingly no end in sight. The Federal Trade Commission today announced that "a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services."

This is the third in a series of actions against such operations, the FTC said, and if the past is any indication, it won't be the last. The FTC announced a big crackdown in late 2012 and another in late 2013. But PC users continued to hand over money to nearly identical scammers, according to the latest FTC complaints. Today's FTC press release described a method that has tricked PC users time and again:

According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems.

The software then tells consumers that, in order to fix the identified errors, they will have to purchase the paid version of the software. In reality, the FTC alleges, the defendants pitching the software designed these highly deceptive scans to identify hundreds or even thousands of “errors” that have nothing to do with a computer’s performance or security. After consumers purchase the “full” version of the software at a cost of $29 to $49, the software directs them to call a toll-free number to “activate” the software.

When consumers call the activation number, however, they are connected to telemarketers who try to sell computer repair services and computer software using deceptive scare tactics to deceive consumers into paying for unneeded computer support services.

According to the FTC, the telemarketers tell consumers that, in order to activate the software they have just purchased, they must provide the telemarketers with remote access to their computers. The telemarketers then launch into a scripted sales pitch that includes showing consumers various screens on their computers, such as the Windows Event Viewer, and falsely claiming that these screens show signs that consumers’ computers have significant damage. After convincing consumers that their computers need immediate help, the telemarketers then pitch security software and tech support services that cost as much as $500.

The FTC teamed up with the State of Florida on the latest cases, winning federal court orders against the companies that "also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver." The complaints say the defendants have been scamming consumers since at least 2012.



When the fine folks at Portswigger updated Burp Suite last month to 1.6.07 (Nov 3), I was really glad to see NoSQL injection in the list of new features.

What's NoSQL, you ask? If your director is talking to you about Big Data, or your marketing department is talking to you about customer metrics, what they likely mean is an app with a back-end database that uses NoSQL instead of a traditional relational SQL database.

I'm tripping over this requirement this month in the retail space. I've got clients that want to track a retail customer's visit to the store (tracking their cellphones using the store's wireless access points), to see:

  • whether customers visit the store sections where the sale items are;
  • or, if customers visit area x, whether they statistically visit area y next;
  • or, having visited the above areas, how many customers actually purchase something;
  • or, after seeing a purchase, how many feature-sale purchases are net-new customers (or repeat customers).

In other words, using the wireless system to track customer movements, then correlating it back to purchase behaviour to determine how effective each feature sale might be.

So what database do folks use for applications like this? Front-runners in the NoSQL race these days include MongoDB and CouchDB. Both databases do cool things with large volumes of data. MongoDB's own security documentation states: "Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available."

CouchDB has a similar statement at http://guide.couchdb.org/draft/security.html: "it should be obvious that putting a default installation into the wild is adventurous".

So, where do I see folks deploying these databases? Why, in PUBLIC CLOUDs, that's where!

And what happens after you stand up your almost-free database and the analysis on that dataset is done? In most cases, the marketing folks who are using it simply abandon it, in a running state. What could possibly go wrong with that? Especially if they didn't tell anyone in either the IT or Security group that this database even existed?
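As an added example (not code from the diary, from MongoDB or from any of the tools mentioned), here is a small Python audit that flattens a mongod.conf and flags the settings that contradict the vendor's "trusted network, limited interfaces" guidance quoted above. Both sample configs are constructed; the check assumes the MongoDB 2.6+ YAML layout and the pre-3.6 behaviour of listening on every interface when net.bindIp is unset.

```python
# Constructed sample (MongoDB 2.6+ YAML layout): an abandoned cloud instance.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
  http:
    enabled: true
security:
  authorization: disabled
"""

# Constructed: the same file corrected per the vendor guidance quoted above.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the private app subnet
  http:
    enabled: false
security:
  authorization: enabled
"""

def flatten_conf(text):
    """Flatten mongod's indented 'key: value' YAML subset into dotted keys."""
    result, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result

def audit(conf):
    """Return one finding per exposed setting; an empty list means it passes."""
    findings = []
    # Before MongoDB 3.6, an unset bindIp meant "listen on every interface".
    addrs = [a.strip() for a in conf.get("net.bindIp", "0.0.0.0").split(",")]
    if any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp listens on all interfaces")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    if conf.get("net.http.enabled", "false").lower() == "true":
        findings.append("net.http.enabled exposes the HTTP status interface")
    return findings
```

Running `audit(flatten_conf(WEAK_CONF))` yields three findings, while the hardened file yields none; pointing it at the real file on a forgotten cloud instance is a quick first question to ask before the risk-assessment ones below.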

Given that we've got hundreds of new ways to collect data that we've never had access to before, it's pretty obvious that if big data infrastructures like these aren't part of our current plans, they likely should be. All I ask is that folks do the risk assessments that they would if this server was going up in their own datacenter. Ask some questions like:

  • What data will be on this server?
  • Who is the formal custodian of that data?
  • Is the data covered under a regulatory framework such as HIPAA or PCI? Do we need to host it inside of a specific zone or vlan?
  • What happens if this server is compromised? Will we need to disclose to anyone?
  • Who owns the operation of the server?
  • Who is responsible for securing the server?
  • Does the server have a pre-determined lifetime? Should it be deleted after some point?
  • Does the developer or marketing team that's looking at the dataset understand your regulatory requirements? Do they understand that credit card numbers and patient data are likely bad candidates for an off-prem / casual treatment like this (hint - NO THEY DO NOT)?

Smartmeter applications are another big data thing I've come across lately. Laying this out end-to-end - collecting data from hundreds of thousands of embedded devices that may or may not be securable, over a public network, to be stored in an insecurable database in a public cloud. Oh, and the collected data impinges on at least 2 regulatory frameworks - PCI and NERC/FERC, possibly also privacy legislation depending on the country. Ouch!

Back to the tools to assess these databases - Burp isn't your only option to scan NoSQL database servers - in fact, Burp is more concerned with the web front-end to NoSQL than with the database itself. NoSQLMAP (http://www.nosqlmap.net/) is another tool that's seeing a lot of traction, and of course the standard usual suspects list of tools have NoSQL scripts, components and plugins - Nessus has a nice set of compliance checks for the database itself, and Nmap has scripts for CouchDB, MongoDB and Hadoop detection, as well as for mining database-specific information. OWASP has a good page on NoSQL injection at https://www.owasp.org/index.php/Testing_for_NoSQL_injection, and also check out http://opensecurity.in/nosql-exploitation-framework/.

Shodan is also a nice place to look in an assessment during your recon phase (for instance, take a look at http://www.shodanhq.com/search?q=MongoDB+Server+Information )

Have you used a different tool to assess a NoSQL database? Or have you had - let's say - an interesting conversation around securing data in such a database with your management or marketing group? Please, add to the story in our comment form!

Rob VandenBrink

[CORE-2014-0010] - Advantech WebAccess Stack-based Buffer Overflow

Cyber criminals have started targeting the password managers that protect an individual's most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.

The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers. While malware has previously targeted the credentials stored in the password managers included in popular Web browsers, third-party password managers have typically not been targeted.

While the current impact of the attack is low, the implication of the attacker's focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.


[CORE-2014-0009] - Advantech EKI-6340 Command Injection
[CORE-2014-0008] - Advantech AdamView Buffer Overflow
HP Operations Agent CVE-2014-2630 Local Privilege Escalation Vulnerability
libvirt 'domain_conf.c' Denial of Service Vulnerability
libvirt CVE-2014-7823 Information Disclosure Vulnerability
CVE-2014-7137 - Multiple SQL Injections in Dolibarr ERP & CRM
Oracle Java SE CVE-2014-6532 Remote Security Vulnerability
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Updated gnutls package fix security vulnerability: An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a [More...]
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]
LinuxSecurity.com: Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated libXfont packages that fix three security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated dbus packages fixes the following security issues: Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon: [More...]
LinuxSecurity.com: Updated curl packages fix security vulnerability: Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing [More...]
[SECURITY] [DSA 3074-2] php5 regression update
Reflected Cross-Site Scripting (XSS) in Simple Email Form Joomla Extension
Apple iOS CVE-2014-4457 Security Bypass Vulnerability
[ MDVSA-2014:215 ] gnutls
libdigidoc DDOC Routine Arbitrary File Overwrite Vulnerability
Linux Kernel 'trace_syscalls.c' Multiple Local Denial of Service Vulnerabilities
Linux Kernel CVE-2014-7841 SCTP NULL Pointer Dereference Denial of Service Vulnerability
Cisco IOS CVE-2014-7992 Information Disclosure Vulnerability