Hackin9
In a surprising TV interview, a 23-year-old living in Russia said he helped code a software program that experts believe was eventually modified to steal tens of millions of payment card details from Target.
 
Amazon has approached several major media conglomerates to discuss adding live cable TV channels to its Prime Instant Video service, according to a report in The Wall Street Journal on Monday.
 
Toshiba has completed its acquisition of OCZ Storage Solutions, a failed Silicon Valley maker of solid-state drives, the company said Tuesday.
 
Advanced Micro Devices has reported a profit for the fourth quarter, thanks largely to the sale of its chips in the latest game consoles from Microsoft and Sony.
 

Citrix has some interesting products like XenApp, which allow people to access corporate applications from tablets, Windows terminals, and also Windows servers and PCs. Depending on how you use them, you might be creating vulnerabilities for your information assets.

  • If you are using it inside the corporate network, it will use pass-through authentication with your Windows domain authentication protocol. If you already have Kerberos, you have nothing to worry about: you should not have any (NT)LM hash circulating through your network.
  • If you are using Citrix on the Internet, it is published through an IIS web server. Implementations can be done using username/password authentication or username/password/one-time password. Unfortunately, many companies still believe that having an extra authentication factor is too expensive and difficult to handle, including the misconception of "I will never have my identity stolen".

Let's talk about published applications on Citrix with no extra authentication factor in place, which corresponds to the majority of cases. Since people tend to use mobile devices these days, and big bosses in the company want to handle their information in the easiest way, most of them require IT to publish the ERP payments module, because then they can authorize payments from any place, in any situation that gives them two minutes to perform the operation.

If the company happens to handle lots and lots of money, attackers might talk to any inside employee willing to make some extra money. The first thing to do is to determine whether the Citrix farm linked to the Citrix Access Gateway where the user is being authenticated publishes the ERP payment application. How can you do that? You can use the citrix-enum-apps nmap script. The syntax follows:

nmap -sU --script=citrix-enum-apps -p 1604 citrix-server-ip

If the attacker gets an output like the following, the company is definitely in big trouble:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-21 17:38 Hora est. Pacífico, Sudamérica
Nmap scan report for hackme-server (192.168.0.40)
Host is up (0.0080s latency).
rDNS record for 192.168.0.40: hackme-server.vulnerable-implementation.org
PORT     STATE SERVICE
1604/udp open  unknown
|   OW ERP8 Payroll
|   OW ERP8 Provider payments
|   Internet Explorer
|   AD Users and Computers

Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds

Bingo! Provider payments is being published. All we need to do is perform a good old man-in-the-middle attack against the IIS server, and we will have a username/password to generate random payments.

How can you remediate this situation?

  • Using username/password authentication alone is definitely a BAD idea. An extra authentication factor needs to be in place, especially for users with critical privileges.
  • Configure your mobile clients to accept only the specific server certificates and instruct users to interrupt any connection that shows a certificate error.
  • Ensure that the Citrix Access Gateway server is the only one allowed to contact the Citrix server via UDP port 1604, and also that the Citrix farm is not directly accessible from the Internet or the corporate network.
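As an added example, not part of the original diary, here is a small Python audit that parses the citrix-enum-apps output shown above to flag published applications that must not sit behind single-factor logon, and checks a constructed firewall log for hosts other than the Access Gateway reaching the farm on UDP/1604 (the third remediation point). The MFA_REQUIRED keyword list, the log format and the gateway address are assumptions.

```python
import re

# Constructed sample: the relevant part of the diary's nmap output.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
1604/udp open  unknown
|   OW ERP8 Payroll
|   OW ERP8 Provider payments
|   Internet Explorer
|   AD Users and Computers

Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds
"""

# Hypothetical policy: any published app whose name contains one of these
# substrings must require a second authentication factor.
MFA_REQUIRED = ("payment", "payroll", "ad users")

APP_LINE = re.compile(r"^\|\s+(.*\S)\s*$")

def published_apps(nmap_text):
    """Return the application names nmap listed under an open 1604/udp."""
    apps, in_port = [], False
    for line in nmap_text.splitlines():
        if line.startswith("1604/udp"):
            in_port = line.split()[1] == "open"
            continue
        m = APP_LINE.match(line)
        if in_port and m:
            apps.append(m.group(1))
        elif in_port:
            in_port = False  # script output ends at the first non-"|" line
    return apps

def risky_apps(apps):
    """Published apps that the policy says need MFA before exposure."""
    return [a for a in apps if any(k in a.lower() for k in MFA_REQUIRED)]

# Constructed firewall log (hypothetical format): flows towards the farm.
FW_LOG = """\
2014-01-21T17:38:01 ALLOW UDP 10.0.5.10:51000 -> 192.168.0.40:1604
2014-01-21T17:38:02 ALLOW UDP 203.0.113.7:40012 -> 192.168.0.40:1604
2014-01-21T17:39:10 ALLOW TCP 10.0.5.10:52210 -> 192.168.0.40:1494
"""
FLOW = re.compile(r"\S+ \w+ (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def unexpected_1604_sources(log_text, farm_ip, gateway_ips):
    """Sources other than the Access Gateway that reached the farm's ICA browser port."""
    seen = set()
    for line in log_text.splitlines():
        m = FLOW.match(line)
        if (m and m.group(1) == "UDP" and m.group(3) == farm_ip
                and m.group(4) == "1604" and m.group(2) not in gateway_ips):
            seen.add(m.group(2))
    return sorted(seen)
```

Run it against a real scan of your own farm and your own firewall export; any name returned by risky_apps, or any address returned by unexpected_1604_sources, is a finding to fix.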

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Still hampered by slow hardware sales, IBM reported a 5.5 percent decline in revenue for the fourth quarter, even as it managed to post a 6 percent gain in net income.
 
The structure of a three-hop Tor circuit.

Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit.

The "spoiled onions," as the researchers from Karlstad University in Sweden dubbed the bad actors, were among the 1,000 or so volunteer computers that typically made up the final nodes that exited the Tor—short for The Onion Router—network at any given time in recent months. Because these exit relays act as a bridge between the encrypted Tor network and the open Internet, the egressing traffic is decrypted as it leaves. That means operators of these servers can see traffic as it was sent by the end user. Any data the end user sent unencrypted, as well as the destinations of servers receiving or responding to data passed between an end user and server, can be monitored—and potentially modified—by malicious volunteers. Privacy advocates have long acknowledged the possibility that the National Security Agency and spy agencies across the world operate such rogue exit nodes.

The paper—titled Spoiled Onions: Exposing Malicious Tor Exit Relays—is among the first to document the existence of exit nodes deliberately working to tamper with end users' traffic (a paper with similar findings is here). Still, it remains doubtful that any of the 25 misconfigured or outright malicious servers were operated by NSA agents. Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server.


 
No need to panic. NASA Tuesday offered a reasonable explanation for the mysterious appearance of a rock in a photo of the Mars rover Opportunity.
 
AT&T will start selling pre-orders of the LG G Flex smartphone on Friday, with full availability of the Android device set for Feb. 7, the company announced Monday.
 
Android and iOS tablets will both begin to lose global market share in 2014, while Windows ramps up slightly, according to research firm IDC.
 
Overall, Western Digital's drives on average lasted the longest; Seagate's came in last
 
MIT scientists said they used nanotechnology to develop a thin plastic coating that can be applied to glass and used to display navigation or dashboard information while looking through the windshield of a car or plane, or to project video onto a window or a pair of eyeglasses.
 
iPad sales shifted over the last year, with fewer buyers purchasing the aged iPad 2 and more choosing the lower-priced iPad Mini, a research firm said today.
 
For years, Intel has been battling to replace ARM-based chips used in smartphones and other mobile devices. Now it has partly succumbed to the low-power ARM approach.
 
Researchers at the University of Oxford have discovered a new material that could someday turn a 1TB hard drive into one that can store 10TB of data on the same volume.
 

A growing number of security and privacy technology experts, disillusioned by news that security firm RSA was paid by the National Security Agency to use an exploitable algorithm in its encryption technology, feel they can no longer trust the company. They've called for a boycott of RSA’s annual conference in San Francisco in February, and now a group of them has taken this effort a step further—creating their own “trust-based” conference just a few blocks from RSA’s event.

"TrustyCon" will be held on February 27 at the AMC Metreon Theater in San Francisco. That's the same day as the RSA's event, and the location is a multiplex cinema just around the corner from the Moscone Convention Center. To add fuel to this dissenting fire, TrustyCon has already picked up sponsorships from Microsoft, Cloudflare, and security firm iSEC Partners.

The RSA concerns started with documents leaked by Edward Snowden and published by the New York Times in December. These indicated that the NSA had worked with the National Institute of Standards and Technology to create a “backdoor” in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption. According to the documents, in 2004—even before NIST approved it as a standard—the NSA paid RSA $10 million to use Dual EC DRGB as part of its RSA BSAFE cryptographic library. This meant that much of the encryption software sold by RSA would allow the NSA to break the encryption using the known backdoor. RSA, for its part, has denied that it took money to put a backdoor in its encryption software. The company said that it followed NIST’s guidance on use of the code. But that hasn’t been enough to convince many security experts who believe the Snowden documents that state the RSA conspired with the NSA.


 
Adhering to the saying "be quick but don't hurry," the State of Maryland is in the midst of three and a half year migration to Google Apps, saying the measured, deliberate rollout is a better approach than a big-bang implementation.
 
The U.S. Supreme Court rejected an appeal from SAP of a US$391 million judgment given to Versata Software in a patent lawsuit the latter filed, but SAP is vowing to fight onward.
 
 
Cisco Secure ACS Portal CVE-2014-0668 Cross Site Scripting Vulnerability
 
Verizon Communications posted revenue of $31.1 billion for the fourth quarter of 2013, a 3.4% increase from a year earlier, with the gains driven again by mobile and broadband growth.
 
Security is all about the big picture now. Here are some pointers from George Viegas on how the "CSO 2.0" can take a more effective approach to security in 2014 and the future.
 
Even if you aren't currently looking for a job, both errors of omission and errors of commission can come back to haunt when you are looking for a new position or gunning for that promotion. Here are five common career-limiting mistakes IT pros make.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in java-1.7.0-openjdk: An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in VirtualBox, allowing local attackers to escalate their privileges or cause a Denial of Service condition.
 
LinuxSecurity.com: Several security issues were fixed in MySQL.
 
LinuxSecurity.com: Several security issues were fixed in HPLIP.
 
LinuxSecurity.com: devscripts could be made to run programs if it opened a specially crafted file.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in libxfont: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code.
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]
 
LinuxSecurity.com: Updated augeas packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in Mozilla NSS: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof [More...]
 
Nearly two-thirds of mobile device users own three or more network-connected devices, according to an online survey of 5,000 people conducted in November in the U.S. and eight other countries.
 
Numerous owners of Microsoft's Surface Pro 2 tablet said that their devices had received the long-awaited firmware update meant to fix problems introduced by a faulty December update.
 
Why would anyone be comfortable with social networking sites sending out messages in their name?
 
After hijacking several of Microsoft's Twitter accounts and compromising its official blog over the past two weeks, the Syrian Electronic Army hacked into the Microsoft Office Blogs site Monday.
 
[ MDVSA-2014:012 ] nss
 
[ MDVSA-2014:011 ] java-1.7.0-openjdk
 
RETIRED: Oracle October 2013 Critical Patch Update Multiple Vulnerabilities
 
[ MDVSA-2014:013 ] libxfont
 
[SECURITY] [DSA 2847-1] drupal7 security update
 
Going beyond Office 365's native admin GUI, 365 Command provides powerful Exchange admin capabilities without the need to run PowerShell.
 
NFL CIO Michelle McKenna-Doyle talks about plans to encourage NFL teams to deploy Wi-Fi and analytics engines in their stadiums. The goal is to improve the in-stadium experience, to allow fans the ability to use their mobile devices to consume more football content and share the experience.
 
Your smartphone can be a beacon telling the world where you are, with increasing precision. Is that good commerce or bad privacy, or maybe a bit of both?
 
The IT job market is slowing down, use of contingency workers is picking up, and Congress has an unfinished fight ahead on the H-1B visa. These factors and others are among the IT hiring trends to expect in 2014.
 

Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods
Register
Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems. Network Time Protocol (NTP) offers a ...

 

Posted by InfoSec News on Jan 21

http://www.timesofisrael.com/top-good-guy-hackers-to-tackle-biggest-cyber-challenges-yet/

By David Shamah
The Times of Israel
January 20, 2014

Hackers -- even the "good guy" breed -- tend to be a shadowy bunch,
keeping their identities as secret as they can. But on January 28, the
identities of some of the best hackers in Israel will be unveiled, as they
try to win an all-expense paid trip to the U.S., to see how security giant...
 

Posted by InfoSec News on Jan 21

http://www.computerworld.com/s/article/9245568/Two_coders_closely_tied_to_Target_related_malware

By Jeremy Kirk
IDG News Service
January 20, 2014

A Los Angeles security company has named a second individual living in
Eastern Europe whom they suspect coded malicious software that was
modified and used against Target.

The information comes from an analysis of "cyberprints," or a collection
of data and postings on underground...
 

Posted by InfoSec News on Jan 21

http://arstechnica.com/information-technology/2014/01/internet-users-ditch-password-as-password-upgrade-to-123456/

By Jon Brodkin
Ars Technica
Jan 20 2014

An annual list of the most commonly used passwords, a source of both humor
and sadness to the human race, shows a change at the top for the first
time in three years.

SplashData, a maker of password management software, started analyzing
passwords leaked by hackers in 2011 and for the...
 

Posted by InfoSec News on Jan 21

http://www.defenseone.com/technology/2014/01/blackberrys-will-make-98-mobile-devices-new-dod-system/77129/

By Aliya Sternstein
Nextgov
January 17, 2014

A Pentagon system intended to secure a mix of brand name smartphones for
warfighters will primarily support BlackBerrys when the tool starts
launching later this month, according to Defense Department officials.

About 80,000 BlackBerrys and 1,800 Defense-owned Apple and Android-based
phones...
 

Posted by InfoSec News on Jan 21

http://www.wired.com/threatlevel/2014/01/target-hack/

By Kim Zetter
Threat Level
Wired.com
01.17.14

A gang of shadowy hackers tears through the systems of big-box retailers,
making off with millions of credit and debit card numbers in a matter of
weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack
occurred in 2005.

That’s when Albert Gonzalez and cohorts -- including two...
 
 