Information Security News
Citrix has some interesting products, like XenApp, which allow people to access corporate applications from tablets, Windows terminals, and also from Windows servers and PCs. Depending on how you use them, you might be creating vulnerabilities for your information assets.
Let's talk about published applications on Citrix with no extra authentication factor in place, which is the majority of cases. Since people tend to use mobile devices these days, and since the big bosses in a company want to handle their information in the easiest way possible, many of them require IT to publish the ERP payments module, because then they can authorize payments from any place and in any situation that gives them two minutes to perform the operation.
If the company happens to handle lots and lots of money, attackers might talk to any inside employee willing to earn some extra money. The first thing to do is to determine whether the Citrix farm behind the Citrix Access Gateway where the user is authenticated publishes the ERP payment application. How can you do that? You can use the citrix-enum-apps nmap script. The syntax follows:
nmap -sU --script=citrix-enum-apps -p 1604 citrix-server-ip
If the attacker gets output like the following, the company could definitely be in big trouble:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-21 17:38 Hora est. Pacífico, Sudamérica
Nmap scan report for hackme-server (192.168.0.40)
Host is up (0.0080s latency).
rDNS record for 192.168.0.40: hackme-server.vulnerable-implementation.org
PORT STATE SERVICE
1604/udp open unknown
| OW ERP8 Payroll
| OW ERP8 Provider payments
| Internet Explorer
| AD Users and Computers
Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds
Bingo! Provider payments is being published. All we need to do is perform a good old man-in-the-middle attack against the IIS server and we will have a username/password to generate random payments.
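From the defender's side, the same nmap output is the quickest way to audit your own farm: run the script against each ICA browser listener you operate and check which published application names advertise a sensitive function. The following helper, added here as an example (it is not part of the original post and not a Citrix or nmap tool), parses nmap's script output into a list of application names and flags those whose name matches a keyword list. The keyword list and the "| citrix-enum-apps:" header line are assumptions: the post's output omits the header, and the keywords should be tuned to your own application naming.

```python
"""Audit helper (added example, not from the original post): parse the text
output of `nmap -sU --script=citrix-enum-apps -p 1604 <host>` and flag
published applications whose names suggest financially sensitive functions,
so they can be reviewed for missing multi-factor authentication."""
import re

# Keywords that, in a published application name, indicate a function that
# should not be reachable with a single authentication factor. These are
# assumptions for the example; tune them for your own environment.
SENSITIVE_KEYWORDS = ("payment", "payroll", "treasury", "wire", "banking")

# nmap's script engine prints each published application as "| <name>" or
# "|_ <name>". The script's own header line ("| citrix-enum-apps:") ends with
# a colon and is skipped.
_APP_LINE = re.compile(r"^\|_?\s+(?P<name>.+?)\s*$")


def parse_published_apps(nmap_output: str) -> list[str]:
    """Return the published application names found in nmap's text output."""
    apps = []
    for line in nmap_output.splitlines():
        m = _APP_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if name.endswith(":"):  # script header line, not an application
            continue
        apps.append(name)
    return apps


def flag_sensitive(apps, keywords=SENSITIVE_KEYWORDS):
    """Return the names that contain a sensitive keyword (case-insensitive)."""
    return [a for a in apps if any(k in a.lower() for k in keywords)]


# Constructed sample modelled on the scan output shown in the post; the
# "| citrix-enum-apps:" header is assumed from nmap's usual script layout.
SAMPLE_OUTPUT = """\
PORT STATE SERVICE
1604/udp open unknown
| citrix-enum-apps:
|   OW ERP8 Payroll
|   OW ERP8 Provider payments
|   Internet Explorer
|_  AD Users and Computers
Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds
"""

if __name__ == "__main__":
    found = parse_published_apps(SAMPLE_OUTPUT)
    for app in flag_sensitive(found):
        print(f"FINDING: sensitive application published on the farm: {app}")
```

Each flagged name is a published application whose access path should be reviewed: either it should not be reachable through the single-factor gateway at all, or an additional authentication factor should be enforced in front of it.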
How can you remediate this situation?
Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit.
The "spoiled onions," as the researchers from Karlstad University in Sweden dubbed the bad actors, were among the 1,000 or so volunteer computers that typically made up the final nodes that exited the Tor—short for The Onion Router—network at any given time in recent months. Because these exit relays act as a bridge between the encrypted Tor network and the open Internet, the egressing traffic is decrypted as it leaves. That means operators of these servers can see traffic as it was sent by the end user. Any data the end user sent unencrypted, as well as the destinations of servers receiving or responding to data passed between an end user and server, can be monitored—and potentially modified—by malicious volunteers. Privacy advocates have long acknowledged the possibility that the National Security Agency and spy agencies across the world operate such rogue exit nodes.
The paper—titled Spoiled Onions: Exposing Malicious Tor Exit Relays—is among the first to document the existence of exit nodes deliberately working to tamper with end users' traffic (a paper with similar findings is here). Still, it remains doubtful that any of the 25 misconfigured or outright malicious servers were operated by NSA agents. Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server.
by Sean Gallagher
A growing number of security and privacy technology experts, disillusioned by news that security firm RSA was paid by the National Security Agency to use an exploitable algorithm in its encryption technology, feel they can no longer trust the company. They've called for a boycott of RSA’s annual conference in San Francisco in February, and now a group of them has taken this effort a step further—creating their own “trust-based” conference just a few blocks from RSA’s event.
"TrustyCon" will be held on February 27 at the AMC Metreon Theater in San Francisco. That's the same day as the RSA's event, and the location is a multiplex cinema just around the corner from the Moscone Convention Center. To add fuel to this dissenting fire, TrustyCon has already picked up sponsorships from Microsoft, Cloudflare, and security firm iSEC Partners.
The RSA concerns started with documents leaked by Edward Snowden and published by the New York Times in December. These indicated that the NSA had worked with the National Institute of Standards and Technology to create a “backdoor” in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption. According to the documents, in 2004—even before NIST approved it as a standard—the NSA paid RSA $10 million to use Dual_EC_DRBG as part of its RSA BSAFE cryptographic library. This meant that much of the encryption software sold by RSA would allow the NSA to break the encryption using the known backdoor. RSA, for its part, has denied that it took money to put a backdoor in its encryption software. The company said that it followed NIST’s guidance on use of the code. But that hasn’t been enough to convince many security experts who believe the Snowden documents that state that RSA conspired with the NSA.
Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods
Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems. Network Time Protocol (NTP) offers a ...
Posted by InfoSec News on Jan 21: http://www.timesofisrael.com/top-good-guy-hackers-to-tackle-biggest-cyber-challenges-yet/
Posted by InfoSec News on Jan 21: http://www.computerworld.com/s/article/9245568/Two_coders_closely_tied_to_Target_related_malware
Posted by InfoSec News on Jan 21: http://arstechnica.com/information-technology/2014/01/internet-users-ditch-password-as-password-upgrade-to-123456/
Posted by InfoSec News on Jan 21: http://www.defenseone.com/technology/2014/01/blackberrys-will-make-98-mobile-devices-new-dod-system/77129/
Posted by InfoSec News on Jan 21: http://www.wired.com/threatlevel/2014/01/target-hack/