Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google has lost its appeal to keep a potentially damaging email away from the jury in the company's legal fight with Oracle over Java.
 
A worm is making the rounds infecting JBoss application servers. JBoss is an open source Java-based application server and is currently maintained by Red Hat.
The worm exploits an older configuration problem in JBoss: the jmx-console's security constraint only covered GET and POST requests, so requests using any other HTTP method reached the console without authentication and could be used to execute arbitrary code. The problem was fixed last year, but there are apparently still a number of vulnerable installs out there. If you fixed it by hand, check that the constraint no longer lists individual methods at all; a constraint with no http-method element applies to every verb, while one that just adds HEAD still leaves the rest open.
If you do run JBoss, please make sure to read the statement posted by Red Hat here:
http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server
Analysis of the worm:
http://pastebin.com/U7fPMxet
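The quickest way to tell whether an install is still exposed is to send the console a handful of HTTP verbs and compare the answers. The probe below is an added example, not code from the diary, from Red Hat or from the worm analysis. Because the old jmx-console web.xml listed only GET and POST in its security-constraint, every other method reached the console unauthenticated; the script reports the verbs that get a 200 while GET is challenged. The target URL and the `/jmx-console/` path are assumptions, and the built-in mock server reproduces the vulnerable behaviour so the script can be run offline.

```python
"""Verb-tampering probe for the JBoss jmx-console authentication bypass.

Added example, not code from the ISC diary, Red Hat or the worm analysis.
The old jmx-console web.xml listed only GET and POST in its
security-constraint, so any other HTTP method reached the console without
credentials. probe() sends a set of verbs to a URL and bypassing_verbs()
reports which ones succeed while GET is challenged. The mock server below
reproduces the vulnerable behaviour so the demo runs offline; the target
URL and path are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")


def probe(url, timeout=5):
    """Send each verb in VERBS to url and return {verb: HTTP status}."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    statuses = {}
    for verb in VERBS:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
        try:
            conn.request(verb, path)
            statuses[verb] = conn.getresponse().status
        finally:
            conn.close()
    return statuses


def bypassing_verbs(statuses):
    """Verbs that succeed although GET is challenged. An empty list means
    either every verb is protected, or GET itself is open (a worse problem,
    but not a verb-tampering one)."""
    if statuses.get("GET") not in (401, 403):
        return []
    return sorted(v for v, s in statuses.items() if s == 200)


class _VulnerableJmxConsole(BaseHTTPRequestHandler):
    """Constructed mock of the pre-fix jmx-console: Basic auth is demanded
    for GET and POST only; every other verb is served unauthenticated."""

    def _handle(self):
        if self.command in ("GET", "POST"):
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Basic realm="JBoss JMX Console"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run the probe against the local mock; returns (statuses, bypasses)."""
    server = HTTPServer(("127.0.0.1", 0), _VulnerableJmxConsole)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        # "/jmx-console/" is the assumed path of the console
        statuses = probe(f"http://127.0.0.1:{port}/jmx-console/")
        return statuses, bypassing_verbs(statuses)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    statuses, bypasses = demo()
    for verb, status in statuses.items():
        print(f"{verb:8} -> {status}")
    print("verbs bypassing authentication:", ", ".join(bypasses) or "none")
```

Point `probe()` at a real server URL to check your own installs; a correct deployment answers 401 (or 403) for every verb, not just the first two.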

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Feross Aboukhadijeh published a blog post about a vulnerability in Flash that allows a clickjacking attack to turn on the client's camera and microphone. The attack is conceptually similar to the original clickjacking attack presented in 2008, which also targeted the Flash Settings Manager.
The original attack framed the entire Flash Settings Manager page. To prevent the attack, Adobe added frame-busting code to the settings page. Feross' attack doesn't frame the entire page but instead embeds just the SWF file used to adjust the settings, bypassing the frame-busting JavaScript in the process. The lesson generalizes: a frame-busting script only protects the HTML document it runs in, not resources that can be embedded on their own.
Update: Adobe fixed the problem. The fix does not require any patches for client-side code. Instead, Adobe modified the settings page and the SWF that users load from Adobe's servers.
Details from Adobe: http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Hewlett-Packard's chief strategy and technology officer, Shane Robison, is retiring and will not be replaced, the company said Thursday.
 
Last year, Twitter went over to OAuth; SuperTweet allows you to still use basic authentication.
 
SUSE Linux 'scsi_discovery tool' Insecure Temporary File Creation Vulnerability
 

SecurityNewsDaily

Anonymous Hackers Take Down Child Porn Websites, Leak Users' Names
Only computers that have installed TOR browser plug-ins can access the TOR-based darknet, including its guidebook the Hidden Wiki, the security site Infosec Island reported. In another Pastebin posting, the hackers explained that their campaign against ...
 
Efforts to strengthen critical infrastructure targets continue to focus on front-end systems rather than on underlying industrial control systems where the real problems exist, security experts warned this week.
 
Microsoft kicked off its first quarter of fiscal 2012 with solid growth, reporting a 7 percent increase in revenue compared to a year ago, and a 6 percent increase in net income.
 
[SECURITY] [DSA 2324-1] wireshark security update
 
More specifics about Oracle's new Social Network software came to light on Thursday, following the product's debut at the OpenWorld conference earlier this month.
 
GotRoot Security Challenge
 
As most participants at the inaugural Open Networking Summit extolled the virtues of software-defined networking (SDN) and the OpenFlow protocol, others are waiting for key features to emerge before considering it for their networks.
 
Two days of rain may have wreaked havoc with the 2011 US Open tennis tournament schedule, but clouds of another sort are coming up aces for the United States Tennis Association (USTA).
 
Cisco Systems plans to acquire BNI Video, a privately held provider of video delivery software for service providers, for about $99 million.
 
EMC today announced the availability of an all-solid state drive midrange VNX array with 10X the performance of previous models, as well as a high bandwidth option for its hard drive VNX models, offering 50% more bandwidth.
 
There's a good chance that if you didn't access Facebook or Twitter last year, you do today.
 

Mark Weatherford will focus on cybersecurity operations and communications resilience at the Department of Homeland Security.

Mark Weatherford, vice president and CSO at the North American Electric Reliability Corporation (NERC), has been appointed to the position of Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at the Department of Homeland Security.

The appointment was announced by DHS Secretary Janet Napolitano today, and is effective mid-November. The newly created position will focus on cybersecurity operations and communications at DHS. Cybersecurity leadership at DHS has undergone some changes of late. Philip Reitinger resigned in May to take the position of CISO at Sony.

Weatherford took on the CSO role at NERC in 2010, shortly after the Stuxnet worm surfaced. He is said to have bolstered information sharing there. He started a “Malware Tiger Team” to share accurate and usable Stuxnet related information among facilities.

He also called for more rugged software in the wake of Stuxnet, after it was discovered that the malware targeted four Microsoft zero-day vulnerabilities.

An Information Security magazine Security 7 Award winner, Weatherford was previously director and CISO of the state of California. He also spent six years as the CISO of the state of Colorado. He developed a Data Governance Working Group that defined the data security lifecycle for state agencies. Weatherford also formalized the state’s vulnerability management program to address Web application security issues.

In an essay he wrote for Information Security, Weatherford said that strategic planning often falls short in the security industry.

“We haven’t devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I’ve done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.”

Data governance and classification

In this video, Weatherford, who was CISO of California’s Office of Information Security and Privacy Protection, gave advice on the importance of data governance and classification.

“The fact that data is ubiquitous and resides everywhere means that you have to know where it is and what systems it resides on,” Weatherford told SearchFinancialSecurity in 2009. “An asset inventory is critical to knowing where the different types of data reside within your organization.”

Identifying assets is doable, he said, adding that business and IT need to work together to identify the most critical data that needs to be protected. The business people own the process and should be engaged and working with security professionals in order for data classification projects to be successful.



 
Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people's webcams or microphones without their knowledge.
 
Verizon's 4G LTE network has been available in several major cities for awhile now, and it continues to expand to more regions across the U.S. We've done some early network testing, but now have tried two devices (a tablet and netbook) that integrate the 4G LTE network connectivity into the device.
 
Charting the differences between Samsung Galaxy Nexus and Motorola Droid RAZR
 
Oracle Java SE CVE-2011-3544 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2011-3521 Remote Java Runtime Environment Vulnerability
 
Deep Defender examines memory processes, enabling enterprises to block or deny actions to provide rootkit protection. Analysts say there may not be great demand for the protection.

 

Mobility is one of the biggest challenges for information security professionals. Our offices now host many users with wireless devices, and not only laptops but phones, tablets and other devices used for corporate work. How do we provide access to the company's wireless network to devices that belong to staff members and to third parties?

We have to select a proper authentication and cipher mechanism for the wireless network. Known authentication schemes are:

1. Pre-Shared Key (PSK): This is the standard personal network authentication scheme. The client must supply the PSK to gain association and connectivity to the wireless network. Every device shares the same key, so revoking access for one device or one departed employee means rekeying all of them.

2. Certificates or username/password: This is known as the Enterprise authentication scheme. The client must supply valid credentials to log in, which can be a username and password, a certificate, or both. A RADIUS server is mandatory for this type of authentication, and it must include the appropriate dictionary to interact smoothly with the network equipment in your company. 802.1X is the best option you can use to enforce secure authentication to the wireless network. To determine which level of security you want at the authentication layer, there is a wide range of authentication methods within the Extensible Authentication Protocol (EAP) standard to choose from, such as:

Lightweight Extensible Authentication Protocol (LEAP): This is a proprietary Cisco protocol that sends the authentication exchange using MS-CHAP without any protective tunnel, which makes it vulnerable to offline password cracking attacks (the asleap tool automates this). I have seen this implementation widely deployed in my country because it is easy and fast to implement. I mention this option because it should never be used in corporate production environments.
Protected Extensible Authentication Protocol (PEAP): This protocol encapsulates the inner authentication (username and password, usually MSCHAPv2) in a TLS tunnel so it travels securely to the authentication server. It is an interesting alternative with a reasonable degree of implementation complexity, because it is not necessary to deploy certificates on all clients that connect to the network, which allows mobile devices like phones and tablets to connect without major trouble. The tunnel is only as strong as the client's validation of the server certificate: a client configured to accept any certificate will hand its credentials to a rogue access point with its own RADIUS server.
EAP-Transport Layer Security (EAP-TLS): This protocol provides the strongest authentication for the wireless network, because instead of a username and password it requires that each client present a valid certificate issued by the domain's certification authority, and the server authenticates to the client with a certificate in turn. One of its cons is the difficulty of deployment on mobile devices: not every operating system version supports it, enrolling and renewing a certificate for every device requires a PKI, and in some cases additional software is needed. With mutual certificate validation it is not vulnerable to man-in-the-middle attacks; that risk only appears when clients are configured not to validate the server certificate.
EAP-Tunneled Transport Layer Security (EAP-TTLS): The difference from the previous protocol is the way clients authenticate, because presenting a valid certificate from the domain certificate authority is optional for the client device. The server authenticates to the client with a certificate issued by the domain certificate authority; once the secure tunnel is established, the client authenticates by sending its username and password inside it. This protects the credentials against eavesdropping and, provided the client validates the server certificate, against man-in-the-middle attacks. Many operating systems need additional software to authenticate successfully to wireless networks using this protocol.
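The practical difference between a PEAP deployment that a rogue access point can hijack and one it cannot is almost entirely client-side certificate validation. The wpa_supplicant network blocks below are an added example, not configuration from the diary; the SSID, identities, CA path, RADIUS server name, password and the EAP-TLS key files are all assumptions.

```conf
# Added example. Weak PEAP profile: no ca_cert, so the supplicant accepts
# any server certificate. A rogue AP running its own RADIUS server can
# terminate the TLS tunnel and capture the inner MSCHAPv2 exchange for
# offline password cracking.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="alice@corp.example"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# Corrected PEAP profile: pin the corporate CA, require the RADIUS
# server's name to match, and hide the real user name in the
# unprotected outer identity.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    password="changeme"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS profile: the client proves its identity with a certificate and
# private key instead of a password, and still validates the server
# against the same CA.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="changeme"
    domain_suffix_match="radius.corp.example"
}
```

`domain_suffix_match` needs wpa_supplicant 2.0 or later. Whatever the client platform, the two settings to audit on every profile are the trusted CA and the expected server name; a profile that validates neither is a LEAP-grade deployment wrapped in TLS.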

How can we protect the WLAN traffic against eavesdropping? Known protection mechanisms are:

1. Wired Equivalent Privacy (WEP): A weak security algorithm that uses the RC4 stream cipher for confidentiality and the CRC-32 checksum for integrity. The weakness lies in how the stream cipher is keyed: an RC4 keystream must never be used more than once, yet WEP only prepends a 24-bit initialization vector to the shared key for each packet, so per-packet keys repeat on a busy network and RC4's weak key schedule leaks key bytes. By capturing enough wireless packets you can recover the network key. Several attacks on this protocol are documented, and tools such as aircrack-ng implement them. This mechanism is deprecated and should never be used in production environments where unauthorized access matters.

2. Wi-Fi Protected Access (WPA): This protocol was the Wi-Fi Alliance's interim profile of the draft IEEE 802.11i standard. The per-packet key problem is addressed with the Temporal Key Integrity Protocol (TKIP), which mixes a fresh 128-bit RC4 key for every packet transmitted on the network and adds a keyed message integrity check. TKIP was deprecated by the IEEE in January 2009 and has known weaknesses of its own.

3. Wi-Fi Protected Access 2 (WPA2): This protocol implements the full IEEE 802.11i standard. As TKIP is insecure, WPA2 replaces it with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is built on AES: it combines counter mode (CTR) for data confidentiality with CBC-MAC for integrity, so a forged or bit-flipped frame is rejected instead of decrypted.
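To show concretely why the WEP item above says an RC4 keystream must never be reused, and why a CRC-32 "integrity" value is no integrity check at all, here is an added Python illustration; it is not code from the diary. It implements WEP's actual construction (IV || key fed to RC4, CRC-32 ICV) on a constructed key and constructed sample frames. It does not recover the key the way aircrack-ng does; it shows two ways an attacker gets what they want without it.

```python
"""Two structural flaws in WEP: RC4 keystream reuse and a linear ICV.

Added illustration for the WEP discussion in the diary; not code from
the diary. RC4, the IV||key construction and the CRC-32 ICV are what WEP
really does; the key, IV and frame contents are constructed sample data.
"""
import zlib

KEY = b"\x01\x02\x03\x04\x05"   # constructed 40-bit shared key
IV = b"\xaa\xbb\xcc"            # constructed 24-bit IV; only 2^24 exist


def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc(data):
    """WEP's ICV: plain CRC-32, little-endian, unkeyed."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, data):
    """Frame body = IV || (data || CRC32(data)) XOR RC4(IV || key)."""
    body = data + crc(data)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the data if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data if crc(data) == icv else None


def recover_with_known_plaintext(frame_a, frame_b, known_a):
    """Same IV means the same keystream, so C_a XOR C_b = P_a XOR P_b.
    Knowing P_a (a predictable ARP or DHCP payload, say) yields P_b."""
    assert frame_a[:3] == frame_b[:3], "different IVs, different keystreams"
    n = min(len(known_a), len(frame_b) - 3)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a[:n])


def flip_bits(frame, delta):
    """Alter an encrypted frame without the key. CRC-32 is affine:
    crc(P XOR d) = crc(P) XOR crc(d) XOR crc(zeros), so the ICV can be
    patched through the encryption. A keyed MAC (CCMP) prevents this."""
    data_len = len(frame) - 3 - 4
    assert len(delta) == data_len
    icv_delta = xor(crc(delta), crc(bytes(data_len)))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def demo():
    """Returns (plaintext recovered via IV reuse, forged frame's plaintext
    as accepted by the receiver)."""
    known = b"predictable header bytes"       # attacker knows this frame
    secret = b"secret: hunter2 password"      # attacker wants this one
    frame_a = wep_encrypt(KEY, IV, known)
    frame_b = wep_encrypt(KEY, IV, secret)    # IV reused: same keystream
    recovered = recover_with_known_plaintext(frame_a, frame_b, known)

    wanted = b"secret: letmein password"      # attacker's replacement
    forged = flip_bits(frame_b, xor(recovered, wanted))
    accepted = wep_decrypt(KEY, forged)       # receiver's ICV check passes
    return recovered, accepted


if __name__ == "__main__":
    recovered, accepted = demo()
    print("recovered via IV reuse :", recovered)
    print("forged frame accepted  :", accepted)
```

With only 2^24 IVs and no rule against reusing them, a busy access point repeats keystreams within hours; the bit-flipping half works on the very first packet.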

Which combination of authentication and encryption scheme should you choose? It should be chosen according to the level of risk to which you are exposed. I always recommend Enterprise PEAP authentication with WPA2, because it is not difficult to implement and provides a good level of security with broad interoperability for the devices that want to connect to the network. If you are paranoid, you can always use Enterprise authentication with EAP-TLS/EAP-TTLS and WPA2.

Please don't forget to review the quick wins list for this control. They are really helpful when developing a plan to implement a Wireless Device Control architecture.
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: http://twitter.com/manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org
 
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability
 
Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
 
Oracle Java SE CVE-2011-3556 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE CVE-2011-3551 Remote Java Runtime Environment Vulnerability
 
[security bulletin] HPSBPI02711 SSRT100647 rev.1 - HP MFP Digital Sending Software Running on Windows, Local Information Disclosure
 
OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)
 
OCS Inventory NG Unspecified HTML Injection Vulnerability
 
Colleges and universities have been aggressive in expanding campus mobility, but slower in shifting key systems to cloud computing, according to a new survey of IT in higher education.
 

iPhone FAQ

Businesses Turn Old Smartphones Into Cash, Go Green with HelloTotem
This device erasure or wiping conforms to either HMG Infosec Standard 5 or US Department of Defense Directive 5220.22-M, labels which may mean little to many of us, but mean quite a lot to small or large business entities looking to protect private ...

 
AT&T's revenue was down slightly in the third quarter of 2011, compared to a year earlier, but net income rose by about $400 million, on a comparable basis, driven by strong growth in its mobile and broadband divisions.
 
India's Bharti Enterprises has set up a joint venture with Japan's Softbank to focus on social media, gaming, and e-commerce for India's booming mobile market, it said Thursday.
 
China Mobile, the country's largest mobile operator, saw net profit in its third quarter increase by about 3.7% from the same period a year ago, according to data published by the company Thursday.
 
China on Thursday responded to U.S. concerns about its blocking of company websites, saying that China's Internet policies are open and clear. However, China said it objected to the U.S. exploiting the issue of Internet freedoms to interfere in its internal affairs.
 
OCZ today launched its highest capacity 1TB laptop solid state drive that has blazing fast throughput, data encryption and twice the lifespan of its previous consumer-grade SSDs.
 
Opera Software has released an update for its desktop browser in order to address a critical vulnerability in its handling of Scalable Vector Graphics (SVG) files, disclosed a week ago. The company denies refusing to patch the flaw when it was brought to its attention earlier this year.
 
Nokia reported a net loss and a fall in revenue for the third quarter, despite selling more phones than analysts had expected.
 
Sony said Thursday it has been forced to postpone the launch of a new camera and cut production of another because a factory in Thailand has been affected by the widespread flooding there.
 
The patent and copyright dispute between Oracle and Google won't go to trial on Oct. 31 as initially scheduled, according to the judge overseeing the case.
 
The migration toward software-defined networks will move faster than carriers' migration to IP (Internet Protocol) in the late 1990s, said Facebook's former technical operations chief.
 
Along with new enterprise-friendly management features, iOS 5, iCloud and the newest iPhone bring some major security headaches. Here's what you need to know. Insider (registration required)
 
The economy has done a number on enterprises' Windows 7 deployment plans. If you're behind, take heart -- you're not alone.
 
The uncertain economy has put a ding in many corporate Windows 7 implementation plans, although a good number of shops plan to keep running XP even after the support deadline passes. Here are our most recent survey results.
 

Posted by InfoSec News on Oct 20

http://www.informationweek.com/news/security/vulnerabilities/231901118

By Mathew J. Schwartz
InformationWeek
October 19, 2011

One in four IT professionals say they know of at least one IT co-worker
at their business who's used privileged login credentials to
inappropriately access sensitive information. Furthermore, 42% report
that IT staff freely share passwords and access to multiple business
systems and applications.

Those findings...
 

Posted by InfoSec News on Oct 20

http://www.nextgov.com/nextgov/ng_20111018_4438.php

By Aliya Sternstein
NextGov
10/18/2011

Cybersecurity spending is expected to accelerate during the next five
years at the Defense Department and civilian agencies, despite overall
flat information technology budgets, according to a new industry
forecast.

The increasing severity of computer network breaches likely will
influence funding levels, with Defensewide cyber spending starting at...
 

Posted by InfoSec News on Oct 20

http://www.chinadaily.com.cn/cndy/2011-10/20/content_13937379.htm

By Cheng Guangjin
China Daily
2011-10-20

NEW YORK - A US State Department official dismissed on Tuesday the
possibility of a cyber war between China and the United States, while
calling for building mutual confidence to avoid such an eventuality.

"People talk about cyber war. Frankly, I don't think we've really seen
it," said Christopher Painter,...
 

Posted by InfoSec News on Oct 20

http://www.wired.com/dangerroom/2011/10/military-not-quite-sure-how-drone-cockpits-got-infected/

By Noah Shachtman
Danger Room
Wired.com
October 19, 2011

It’s been more than a month since a virus infected the remote “cockpits”
of America’s drone fleet. And the U.S. military still doesn’t know
exactly how the machines at Creech Air Force Base in Nevada got
infected.

“We’re not quite sure how that happened yet,” General Robert...
 

Posted by InfoSec News on Oct 20

http://www.networkworld.com/news/2011/101911-sql-injection-attack-252188.html

By Julie Bort
Network World
October 19, 2011

Hackers are in the midst of a massively successful SQL injection attack
targeting websites built on Microsoft's ASP.Net platform. About 180,000
pages have been affected so far, security researchers say.

Attackers have planted malicious JavaScript on ASP.Net sites that causes
the browser to load an iframe with one...
 