Prosody XMPP Server CVE-2014-2745 XMPP-Layer Compression Denial of Service Vulnerability

Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads.

News of the malware, dubbed "unflod" based on the name of a library that's installed on infected devices, first surfaced late last week on a pair of reddit threads here and here. In the posts, readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Since then, security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Here's one yardstick that I use before signing up for any new online service: I first search the Interwebs for stories from users who tried to close their account and leave the service, and were given a hard time.  I understand that commercially it is "rewarding" to show 300 million subscribers, even if 90% of them are stale accounts. But from a privacy and data security point of view, it does NOT make any sense for a user to leave an account behind that he/she knows for sure will never be used again.  Some services, also larger ones, are handling this issue professionally, and have a decently findable link on their home page that allows the closing of an account and deletion of stored data. Others ... give you the run-around via six levels of customer "service", and in the end, they basically change your username to username.inactive, but leave everything else as-is. And keep spamming you, too.

If you have stories to share about online services that don't let you leave, please do so below. Keep it PG-13 and factual, please, but if a little ire shines through, we understand ...


If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don't count on the revocation mechanism built into your browser. It doesn't do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet's most respected cryptography engineers said over the weekend.

For years, people have characterized the ineffectiveness of the online certificate status protocol (OCSP) as Exhibit A in the case that the Internet's secure sockets layer and transport layer security (TLS) protocols are hopelessly broken. Until now, no one paid much attention. The disclosure two weeks ago of the so-called Heartbleed bug in the widely-used OpenSSL cryptography library has since transformed the critical shortcoming into a major problem, the stuff of absurdist theater. Security experts admonish administrators of all previously vulnerable websites to revoke and reissue TLS certificates, even as they warn that revocation checks in browsers do little to make end users safer and could indeed weaken the security and reliability of the Internet if they were made more effective.

Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn't been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google. In the post, Langley recites a litany of technical considerations that have long prevented real-time online certificate revocations from thwarting attackers armed with compromised certificates, even when the digital credentials have been recalled. Some of the considerations include:


U.S. broadband giant AT&T could roll out 1Gbps fiber-optic service to up to 21 new metropolitan areas, including Atlanta, Chicago, Los Angeles, San Francisco and San Jose, California, the company said Monday.
The price of Samsung's latest 28-inch 4K monitor has dropped by $100 to just under US$600, which could be a precursor to 4K monitor prices further plummeting as the technology goes mainstream.
Just what you wanted for Easter: a re-gifted backdoor from Christmas.

First, DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals it. And the nature of the “fix” suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was an intentional feature to begin with.

Back in December, Eloi Vanderbecken of Synacktiv Digital Security was visiting his family for the Christmas holiday, and for various reasons he had the need to gain administrative access to their Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented Internet Protocol port number, and after analyzing the code in the firmware, he found that the port could be used to send administrative commands to the router without a password.

After Vanderbecken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the backdoor.


U.S. iPhone and iPad sales skewed more toward devices with less storage space in the March quarter compared to the final three-month period of 2013.
libmms MMSH Server Response Heap-Based Buffer Overflow Vulnerability
Following a public comment period and review, the National Institute of Standards and Technology (NIST) has removed a cryptographic algorithm from its draft guidance on random number generators. Before implementing the change, NIST is ...
The Securities and Exchange Commission plans to review the cyber defenses of 50 Wall Street broker-dealers and investment advisers to determine whether they are prepared for potential cyber threats.
Many Americans think the next 50 years will bring custom-ordered, made-to-order organ generation, teleportation and robots that care for the elderly and sick. But not everyone's so hopeful.
Apache Tomcat CVE-2014-0033 Session Fixation Vulnerability
Apache Tomcat CVE-2013-4590 XML External Entity Information Disclosure Vulnerability
Dr. John Halmaka tells how his IT team invented a real-time security plan in the midst of the chaos.
Technology chiefs in the federal government say they struggle with their role within their departments and agencies. A bill passed in the House and pending in the Senate could give federal CIOs more authority, though.
Google Glass-wearing, iPhone-toting techies who can't be bothered to look at their smartphones for texts can instead peer into a different screen out of the corner of their eye.

Now that the frantic frenzy around "Heartbleed" has calmed, and most sites are patched, it is time to circle back. For a server at a community college that I knew had been affected, I wanted to see if someone had pulled any data via Heartbleed during the roughly 36 hours between when the vulnerability became widely known, and when IDS signatures and patches were deployed to protect the site.

Problem is, Heartbleed leaves basically no traces in the httpd server log, so checking there for attacks didn't help. After a bit of pondering, we came up with the idea to correlate the firewall log with the web server log. If the firewall had seen a number of tcp/443 (HTTPS) connections to the web server from a certain IP, but these same connections were not in the web server log, chances were that we had found ourselves a bleeder.

The first IP that the correlation script identified as potentially fishy turned out to be owned by SSLlabs, and likely belongs to their public SSL scanner that everyone was using at the height of the panic. So ... the script seemed to be working well, and was pulling out the "right" types of connections.

A bit later, we found another IP, registered to an ISP in Malaysia. Twenty minutes of hits only on the firewall, at a rate of about one every 5 seconds, followed by a 5 minute pause, followed by hits both on the firewall and on the web server. Hmm, peculiar :). Chances are high this was in fact someone who tried to steal cookies of active sessions first, and then tried to re-use the cookies to break in. For the second part of the attack, the web server log shows GET requests to the application, followed by a 302 redirect to the "login" page, so "something" must have gone wrong on the attacker's side in either stealing the cookies, or in splicing them back into his fake requests. After another 20 minutes and about 60 requests which all were answered with a redirect, the attacker gave up.
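The firewall-versus-web-log correlation described above, written out as an added example (this is not the diary author's script). It assumes netfilter-style firewall log lines (`SRC=... PROTO=TCP DPT=443`) and Apache/nginx combined-format access log lines; all sample lines are constructed, using documentation address ranges. It flags any client whose count of TCP/443 connections at the firewall exceeds its count of HTTP requests in the web log by a threshold, which catches both the "scanner" pattern (connections, no requests) and the "probe first, then reuse" pattern the diary saw.

```python
"""Correlate firewall and web-server logs to find HTTPS connections that never
produced an HTTP request.  Added example; log formats are assumptions."""
import re
from collections import Counter

# Assumed firewall format: netfilter LOG target output as written to syslog.
FW_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)
# Assumed web log format: Apache/nginx "combined"; the client IP is the first field.
WEB_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3})'
)


def count_firewall_connections(lines, dport=443):
    """Count TCP connections per source IP to `dport` as seen by the firewall."""
    counts = Counter()
    for line in lines:
        m = FW_RE.search(line)
        if m and int(m.group("dpt")) == dport:
            counts[m.group("src")] += 1
    return counts


def count_web_requests(lines):
    """Count HTTP requests per client IP in the web server access log."""
    counts = Counter()
    for line in lines:
        m = WEB_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def find_unlogged_tls_clients(fw_counts, web_counts, min_unlogged=5):
    """Return {ip: (firewall_connections, web_requests)} for clients whose
    firewall connection count exceeds their web request count by at least
    `min_unlogged`.  A TLS session that never sends an HTTP request (a
    Heartbleed probe, but also a TLS scanner or a failed handshake) shows up
    at the firewall only, so the gap is the signal; review hits by hand."""
    flagged = {}
    for ip, fw in fw_counts.items():
        web = web_counts.get(ip, 0)
        if fw - web >= min_unlogged:
            flagged[ip] = (fw, web)
    return flagged


# --- constructed sample data (hypothetical IPs from RFC 5737 ranges) ---------
def fw_line(src, minute, dpt=443):
    return (f"Apr 10 12:{minute:02d}:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 "
            f"SRC={src} DST=192.0.2.10 PROTO=TCP SPT=5{minute:04d} DPT={dpt}")


def web_line(ip, minute, status=200):
    return (f'{ip} - - [10/Apr/2014:12:{minute:02d}:07 +0000] '
            f'"GET /app/ HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


FIREWALL_LOG = (
    [fw_line("203.0.113.7", m) for m in range(6)]       # scanner: TLS only
    + [fw_line("198.51.100.23", m) for m in range(8)]   # probe, then reuse
    + [fw_line("192.0.2.44", m) for m in range(2)]      # ordinary visitor
    + [fw_line("192.0.2.44", 30, dpt=80)]               # port 80, ignored
)
WEB_LOG = (
    [web_line("198.51.100.23", 20 + m, status=302) for m in range(3)]  # redirected to login
    + [web_line("192.0.2.44", m) for m in range(5)]
)


def run_correlation(fw_log=FIREWALL_LOG, web_log=WEB_LOG, min_unlogged=5):
    """Run the full correlation and return the flagged clients."""
    return find_unlogged_tls_clients(
        count_firewall_connections(fw_log), count_web_requests(web_log), min_unlogged
    )


if __name__ == "__main__":
    for ip, (fw, web) in sorted(run_correlation().items()):
        print(f"{ip}: {fw} TLS connections at the firewall, {web} web requests")
```

The threshold is deliberately a difference rather than a strict "zero web requests" test, because the second attacker in the diary did eventually appear in the web log; a legitimate keep-alive client normally shows more requests than connections, so a large surplus of connections is what stands out. Expect benign hits from TLS scanners and monitoring probes, as the diary's SSLlabs finding shows.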

Which tools or methods did you use to identify "heartbleed" leaks that occurred in the time span where your site was vulnerable, but IDS instrumentation and patching wasn't really available yet?  Feel free to let us know via the contact form, or share in the comments below!

The ability of television viewers to control and watch programs may be at stake when the U.S. Supreme Court hears arguments Tuesday in a copyright infringement case brought by TV networks against Aereo, a service that streams over-the-air television online.
phpMyID 'openid_error' Parameter Cross Site Scripting Vulnerability
Linux Kernel 'bpf_jit_compile()' Function Denial of Service Vulnerability
Microsoft today said that it will close the $7.2 billion acquisition of Nokia's handset business on Friday, about eight months after revealing the deal.
LinuxSecurity.com: Security Report Summary
How will the IoT affect social, mobile, the cloud and analytics? (Insider; registration required)

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.

Sfpagent Ruby Gem Remote Command Injection Vulnerability
[SECURITY] [DSA 2901-3] wordpress regression update
[SECURITY] [DSA 2895-2] prosody regression update
Support for open source software is 'unbundled' from the software itself. That actually makes it much easier to get the right level of support at the right price.
Blind SQL Injection Vulnerability in KnowledgeTree <=
Multiple Vulnerabilities in MODX Revolution <= MODX 2.2.13-pl
[security bulletin] HPSBMU02994 rev.2 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information
OS X Mavericks powered half of all Macs that went online in March, the largest percentage of any individual version of Apple's operating system since 2009's Snow Leopard.
If you don't mind being represented by a feline avatar, NTT Communications has a quirky video chatroom just for you.
[security bulletin] HPSBMU02995 rev.4 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure
Remote Command Injection in Ruby Gem sfpagent 0.4.14
Siemens SINEMA Server CVE-2014-2733 Denial of Service Vulnerability
Siemens SINEMA Server CVE-2014-2731 Remote Code Execution Vulnerability
Siemens SINEMA Server CVE-2014-2732 Directory Traversal Vulnerability
[SECURITY] CVE-2013-2251: Apache Archiva Remote Command Execution
[security bulletin] HPSBMU03012 rev.1 - HP Insight Management VCEM Web Client SDK (VCEMSDK) running OpenSSL, Remote Disclosure of Information
There is no one 'best.' All we can really do is determine the best smartphone for you.
Loads of IP-addressable sensors and other smart devices are descending on the enterprise. Here's how you'll need to pull them all together.
Dr. C. Martin Harris, CIO at Cleveland Clinic and a former health technology adviser to President Obama, is using technology to redefine healthcare for patients and caregivers alike. Insider (registration required)
Here are some things that IT management can do to identify problems in a timely manner.
The world's top 1,000 websites have been patched to protect their servers against the "Heartbleed" exploit, but up to 2% of the top million were still vulnerable as of last week.
Was HP's EVP of technology and operations the best paid tech leader in the U.S. in 2012? Possibly.
The privacy maps being created today are primarily designed to avoid lawsuits.
When Internet and phone service are impaired at a development center, the problem is traced to VM images installed in a classroom.
Oracle Java SE CVE-2014-0459 Remote Security Vulnerability
Oracle Java SE CVE-2014-0454 Remote Security Vulnerability
Oracle Java SE CVE-2014-2427 Remote Security Vulnerability

Posted by InfoSec News on Apr 21


By Jeffrey Roman
Bank Info Security
April 17, 2014

Arts and crafts retailer Michaels has now confirmed its stores were hit by
a data breach that potentially compromised account information for 3
million payment cards.

The breach, which involved "criminals using highly sophisticated malware,"
potentially affected about 2.6 million cards used at Michaels stores...

Posted by InfoSec News on Apr 21


By Aliya Sternstein
April 19, 2014

Federal officials are telling Obamacare website account holders to reset
their passwords, following revelations of a bug that could allow hackers
to steal data.

Officials earlier in the month said the government's main public sites,
including HealthCare.gov, were safe from the...

Posted by InfoSec News on Apr 21


By Kelly Jackson Higgins
Dark Reading

A new report highlights the prevalence and persistence of SQL injection

In the past 12 months, 65% of organizations have suffered a SQL injection
attack, and it took them close to 140 days to realize they had been hit.

According to a report by the Ponemon Institute published yesterday, it
took an average of 68...

Posted by InfoSec News on Apr 21


By Joe Gould
Staff writer
Army Times
April 7, 2014

The Army’s academy has established a cyber warfare research institute to
groom elite cyber troops and solve thorny problems for the Army and the
nation in this new warfighting domain.

The U.S. Military Academy at West Point, N.Y., plans to build a cyber
brain trust unprecedented...

Posted by InfoSec News on Apr 21


By Dan Goodin
Ars Technica
April 17, 2014

Mission-critical satellite communications relied on by Western militaries
and international aeronautics and maritime systems are susceptible to
interception, tampering, or blocking by attackers who exploit easy-to-find
backdoors, software bugs, and similar high-risk vulnerabilities, a...