Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Facebook is to settle a class-action lawsuit in California that accused it of appropriating its users' likenesses for its Sponsored Stories advertising feature, according to a court document filed Tuesday.
 
Businesses can now remotely control enterprise mobile applications developed for Apple's mobile platform with the latest version of Soti's MobiControl Software Developer Kit for iOS, announced Tuesday.
 
Touchscreen laptops and tablets with the upcoming Windows 8 OS will be priced higher than their non-touchscreen counterparts, Dell's CEO said on Tuesday.
 
Verizon Communications on Tuesday became the first service provider to say it will use Alcatel-Lucent's upcoming 7950 XRS core routing system, which will bring the French-American equipment vendor into the carrier core routing business for the first time in about a decade.
 
SAP is buying cloud-based e-commerce vendor Ariba for US$4.3 billion, the companies announced Tuesday.
 
Dell on Wednesday reported a drop in profits for the first quarter, weighed down by a revenue decrease and slower sales of consumer products.
 
Symantec Endpoint Protection Local Privilege Escalation Vulnerability
 
In its third day of trading, Facebook's stock is still in a slump, taking the shine off the frenzy that led up to the company's initial public offering last week.
 
CIOs face a common set of thorny challenges these days, namely the pressure to deliver innovations even as they seek to cut or hold down spending, according to an array of senior IT executives who spoke on Tuesday at the MIT Sloan CIO Symposium in Cambridge, Massachusetts.
 
A growing number of smartphones have NFC (near-field communication) capabilities to make mobile payments, but accessories and ultrabooks also now increasingly have the same technology. DeviceFidelity is offering a protective case with NFC that allows iPhone users to make contactless payments, and Barclaycard is offering a sticker that attaches to a smartphone for users to make mobile payments. HP is offering an ultrabook with NFC for data exchange with mobile devices.
 
Besting a record set by Yahoo in 2009, the research arm of Microsoft has deployed a new technique for quickly sorting large amounts of data, called Flat Datacenter Storage (FDS).
 
The benefits of two factor authentication are pretty much Security 101 material. We are also told that two factors means more than password 1 and password 2. RSA, for example, one of the leaders in two factor authentication, defines this pretty nicely [1]:

Two-factor authentication is also called strong authentication. It is defined as two out of the following three proofs:

Something known, like a password,
Something possessed, like your ATM card, or
Something unique about your appearance or person, like a fingerprint.


There are a number of ways these factors can collapse. For example, with a one-time password token the user typically still needs to remember a password or a PIN as the second factor. Users tend to write this password on the back of the token, collapsing the factors: now you only need to possess the token. In a more elaborate case, I ran into a user who had a webcam at home pointed at the token (he always forgot his token at home). Now all you needed to access the system was something known (the URL of the webcam and the password).
Tokens themselves pose a different kind of collapse. A token computes its one-time password from an internal secret (the seed) and either a timestamp or a counter, using a keyed hash such as HMAC in the standards-based schemes. You may not know the seed, but someone else may. This came up with the recent breach of RSA, which may have led to the leak of these seeds [2]. The seed should not be derivable from the serial number printed on the device, but in the RSA case it was alleged that the stolen data included some form of lookup table from serial numbers to seeds.

RSA's algorithm for calculating the token value had already leaked years earlier, and for a software token in particular the algorithm can be reverse engineered. Evidently someone has now managed to do just that and to retrieve the seed value from the software token, which is enough to clone it [3]. Physical tokens are usually hardened to make extracting the seed difficult, and in particular difficult to do undetected. In many ways, a token is a secret that you don't know.
What should you do about all this?
- Know the limitations of two factor authentication and educate your users. Tokens aren't the end of password attacks, but they make them substantially harder.

- stolen or lost tokens need to be deactivated immediately. This includes soft tokens. Soft tokens need to be invalidated even if the device is later recovered.

- If you are auditing an organization, watch for collapsed factors.

- The standards-based one-time password schemes, time based TOTP [4] and HMAC based HOTP [5], usually expose the seed during setup: the provisioning QR code or otpauth URI carries the seed in base32, and anyone who captures it can generate the same codes (Google Authenticator, for example, uses TOTP). Tokens are therefore rather easy to clone in these settings. You may want to set up the token for your users, or at least ensure that the seed is transmitted and entered securely.
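As an added example (not code from the diary, from RSA or from any authenticator app): the standards-based HOTP [5] and TOTP [4] computation written out, to show why a token is "a secret you don't know" and why a leaked seed is a cloned token. The seed is the RFCs' published test-vector key, the otpauth provisioning URI is the format authenticator apps read from an enrolment QR code (label and issuer made up here), and the one-step verification window is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

# Published test-vector seed from RFC 4226 / RFC 6238 (20 ASCII bytes).
# A real seed is random and should never leave the enrolment channel and the server.
RFC_TEST_SEED = b"12345678901234567890"

# Assumed provisioning URI in the otpauth format that authenticator apps scan from a
# QR code; label and issuer are made up, the secret is RFC_TEST_SEED in base32.
CAPTURED_URI = ("otpauth://totp/Example:alice@example.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def hotp(seed, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits, digestmod)


def seed_from_otpauth(uri):
    """Recover the seed from a provisioning URI. Whoever sees the QR code, the URI
    or the traffic that carried it now holds the same secret as the token."""
    b32 = parse_qs(uri.split("?", 1)[1])["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # provisioning URIs usually omit base32 padding
    return base64.b32decode(b32)


def verify_totp(seed, code, unix_time, step=30, window=1, digits=6):
    """Server-side check; accepting +/- `window` steps of clock drift is an assumed policy."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d, digits), code)
               for d in range(-window, window + 1))


def clone_passes_verification(server_seed, captured_uri, unix_time):
    """The attacker's clone: compute the current code from the captured seed and submit it.
    Nothing distinguishes it from the user's token; possession has collapsed into knowledge."""
    attacker_code = totp(seed_from_otpauth(captured_uri), unix_time)
    return verify_totp(server_seed, attacker_code, unix_time)


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, hotp(RFC_TEST_SEED, c))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SEED, 59, digits=8))
    print("clone verifies:", clone_passes_verification(RFC_TEST_SEED, CAPTURED_URI, 1111111109))
```

Run it and the attacker's copy of the seed verifies exactly like the user's phone; nothing in the protocol lets the server tell the two apart. A seed extracted from a software token's storage, which is what [3] describes, gives the same result, so the remedy is revoking the seed, not just the device.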
[1] http://www.rsa.com/glossary/default.asp?id=1056

[2] http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/

[3] http://arstechnica.com/security/2012/05/rsa-securid-software-token-cloning-attack/

[4] http://tools.ietf.org/html/rfc6238

[5] http://tools.ietf.org/html/rfc4226



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Tftpd32 DHCP Server Denial Of Service Vulnerability
 
Microsoft said that a skew toward more exploits on Windows Vista can be attributed to the demise of support for the operating system's first service pack.
 
The price bar for PCs keeps dropping, with chip maker Via on Tuesday announcing a $49 APC computer with a customized version of Google's Android operating system.
 
The nation's space efforts entered a new chapter today with the launch of the first commercial vehicle to the International Space Station.
 
A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab.
 
DC4420 - London DEFCON - May meet - Tuesday May 22nd 2012
 
[Announcement] CHMag's Issue 28, May 2012 Released
 
[SECURITY] [DSA 2477-1] sympa security update
 
Perl Config::IniFiles Module Insecure Temporary File Creation Vulnerability
 
[ MDVSA-2012:079 ] sudo
 
Acuity CMS 2.6.x <= Path Traversal Arbitrary File Access
 
[SECURITY] [DSA 2476-1] pidgin-otr security update
 
Call for Papers: The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012)
 
Advanced technologies such as HAMR could mean disk drive capacities from 30TB to 60TB by 2016, according to a new report by IHS iSuppli.
 
Moodle Multiple Access Permissions Security Bypass Vulnerabilities
 
Google said Tuesday morning that it has closed the deal to acquire Motorola Mobility for $12.5 billion.
 
Google has finally closed its acquisition of Motorola Mobility, and will now start working on new devices while keeping Android open, it said on Tuesday.
 
Novell Client for Windows 'nicm.sys' Local Privilege Escalation Vulnerability
 
PHP 'com_print_typeinfo()' Remote Code Execution Vulnerability
 
A recent proposal, supported by many current web browsers, suggests the addition of a Do Not Track (DNT) header to HTTP requests [1][2]. If a browser sends this header with a value of 1, it indicates that the user would not like to be tracked by third party advertisers. The server may include a DNT header of its own in responses to indicate that it does comply with the do-not-track proposal.
The proposal focuses on third party advertisements. It does suggest retention periods for first parties (2 weeks for all logs, up to 6 months for security relevant logs) to retain some compatibility with compliance standards that require specific logging schemes and retention times.
The biggest problem with this standard, aside from user awareness, is the fact that it is all voluntary. There is no technical means to enforce that a web site treats your data in accordance with the DNT header. Some legal protections are in the works, but as usual they will probably only apply to legitimate advertisers, who are likely to comply anyway. DNT will only matter if enough advertisers sign up to respect it. It is a bit like the robots.txt file, and it could even be abused for user tracking: the header is one more attribute that makes a browser more unique, so it helps identify the browser without cookies or other tracking mechanisms [3].
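As an added example, not from the diary and not ISC's own site code: a small WSGI middleware showing what "complying" looks like on the server side, where honoring the header is entirely the site's choice. The tracking cookie names, the third-party analytics snippet and the salted /24 (or /48) log identifier are constructed for the example; the DNT response header follows the description above.

```python
import hashlib
import ipaddress

# Constructed for this example: cookie names treated as trackers, and a hypothetical
# third-party analytics snippet the page would otherwise embed.
TRACKING_COOKIES = {"_ga", "_gid", "visitor_id"}
ANALYTICS_SNIPPET = b'<script src="https://analytics.example/tracker.js"></script>'


def dnt_enabled(environ):
    """True when the request carried 'DNT: 1'; WSGI exposes the header as HTTP_DNT."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def log_identifier(environ, salt=b"rotate-this-salt-daily"):
    """Access-log identifier instead of the raw client IP: a salted hash of the /24 (IPv4)
    or /48 (IPv6) prefix. Enough to spot abuse, not enough to single out one visitor."""
    ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(salt + str(net).encode()).hexdigest()[:16]


def _is_tracking_cookie(header_value):
    return header_value.split("=", 1)[0].strip() in TRACKING_COOKIES


class DoNotTrackMiddleware:
    """Wraps a WSGI app. On DNT: 1 it drops tracking cookies from the response and strips
    the third-party analytics snippet from the body; it always adds a DNT response header
    to signal that the site follows the proposal."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        honor = dnt_enabled(environ)

        def filtered_start_response(status, headers, exc_info=None):
            if honor:
                # The body is rewritten below, so a pre-computed Content-Length would be stale.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "content-length"
                           and not (k.lower() == "set-cookie" and _is_tracking_cookie(v))]
            return start_response(status, headers + [("DNT", "1")], exc_info)

        body = b"".join(self.app(environ, filtered_start_response))
        if honor:
            body = body.replace(ANALYTICS_SNIPPET, b"")
        return [body]


def demo_app(environ, start_response):
    """Stand-in for the site: one tracking cookie, one session cookie, the snippet embedded."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Set-Cookie", "_ga=GA1.2.123.456; Path=/"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")])
    return [b"<html><body>diary</body>" + ANALYTICS_SNIPPET + b"</html>"]


def handle(environ):
    """Run one request through the middleware and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(DoNotTrackMiddleware(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for env in ({"REMOTE_ADDR": "203.0.113.9"},
                {"REMOTE_ADDR": "203.0.113.9", "HTTP_DNT": "1"}):
        status, headers, body = handle(env)
        print("DNT=%s %s tracker loaded=%s log id=%s"
              % (env.get("HTTP_DNT", "-"), status, b"tracker.js" in body, log_identifier(env)))
```

Nothing here is enforced by the browser: take the middleware out and the request carrying DNT: 1 is served exactly like the one without it, which is the diary's point. The log identifier is the first-party side of the proposal, keeping the access log useful for abuse handling without storing a full address for the retention period.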
If you are concerned about tracking by third party sites, you need to not load content from third party sites, in particular ads and other tracking resources (tracking pixels, analytics scripts and the cookies they set). Various ad blockers will help with this. Of course, at the same time you are violating the implicit contract that keeps many sites afloat: for letting you read my content for free, my advertisers get to track you.
At the same time, users overwhelmingly don't appear to care much about privacy. The Do Not Track header is usually not enabled by default. I don't think many users know about it, or how to enable it. The site at [1] has instructions on how to enable it, and will tell you if it is enabled in your browser. On the ISC website, the share of visitors with DNT enabled went from about 3.4% to 5.1%, which shows that while DNT adoption in our more technical readership is picking up, it is still rather low.
As far as this website is concerned: we continuously try to refine our site to leak less of our visitors' information. For example, we recently switched to a privacy enhanced social sharing toolbar. Our site also uses https for most parts. Aside from the obvious encryption advantage, browsers do not send a Referer header when you follow a link from an https page to a plain http page, so clicking a non-https link on our site no longer tells the destination where you came from.
Our biggest issue right now is the use of Google Analytics, and Google Ads in a couple of spots, but I am reviewing these and am looking for a replacement for Google Analytics. Over time, I hope to have less and less third party content on the site that could be used to track visitors whether or not they have the Do Not Track feature enabled.
[1] http://donottrack.us/

[2] http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt

[3] https://panopticlick.eff.org/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
A pair of Microsoft-backed industry groups applauded the ultimatum European Union antitrust regulators issued to rival Google over alleged anti-competitive practices.
 
The Internet Corporation for Assigned Names and Numbers (ICANN) said its application system for new generic top-level domains (gTLDs) has reopened, more than a month after it was brought down because of a software glitch.
 
A judge at the U.S. International Trade Commission has determined that a Kodak patent asserted in a complaint against Apple and Research In Motion is invalid, Kodak said.
 
Schools in the U.S. will need broadband speeds of 100 Mbps per 1,000 students and staff members by the 2014-15 school year in order to meet a growing demand for Web-based instruction and a skyrocketing number of student-owned Web devices, according to a new report by a trade group representing state education agencies.
 
SuperNews 'noticia' Parameter SQL Injection Vulnerability
 

A report from the IT Security Analyst and CISO forum 2012
Computing (blog)
Following hot on the heels of the InfoSec Europe trade show at the start of May 2012 was the IT Security Analyst's forum, organised by Eskenzi PR, brought forward this year to avoid the Olympic events over the summer. As usual, the forum attracted analysts ...

 
Need outside help for your next IT project? It's easy to hire tech freelancers online, but how do you separate the wheat from the chaff? Here are the resources and tips you need to know about.
 

Posted by InfoSec News on May 21

http://arstechnica.com/security/2012/05/rsa-securid-software-token-cloning-attack/

by Dan Goodin
Ars Technica
May 21 2012

A researcher has devised a method attackers with control over a victim's
computer can use to clone the secret software token that RSA's SecurID
uses to generate one-time passwords.

The technique, described on Thursday by a senior security analyst at a
firm called SensePost, has important implications for the...
 

Posted by InfoSec News on May 21

http://www.csoonline.com/article/706738/is-cloud-based-security-really-cheaper-

By Antone Gonsalves
CSO
May 21, 2012

Businesses in new study were five times more likely to have decreased
spending on managing security over three years.

As part of its marketing strategy for selling to small- and medium-size
businesses (SMBs), Microsoft this week released the results of a study
on the use of cloud-based security. The survey of SMBs, whether...
 

Posted by InfoSec News on May 21

http://www.darkreading.com/security-monitoring/167901086/security/attacks-breaches/240000784/iranian-hackers-claim-they-compromised-nasa-ssl-digital-certificate.html

By Kelly Jackson Higgins
Dark Reading
May 21, 2012

A self-professed Iranian hacker gang announced in an online post that it
compromised an SSL certificate belonging to NASA and subsequently
accessed information on "thousands" of NASA researchers.

Word of the alleged...
 

Posted by InfoSec News on May 21

https://www.zdnet.com/blog/security/anonymous-hacks-bureau-of-justice-leaks-17gb-of-data/12260

By Emil Protalinski
Zero Day
ZDNet May 21, 2012

The hacktivist group Anonymous claims to have leaked 1.7GB of data
belonging to the United States Bureau of Justice Statistics (BJS). The
file, which has been uploaded as a torrent and posted on The Pirate Bay,
reportedly contains internal e-mails as well as the website’s “entire
database...
 

Posted by InfoSec News on May 21

http://www.chicagotribune.com/news/local/ct-met-nato-website-down-20120521,0,5070454.story

By Hal Dardick
Chicago Tribune
May 21, 2012

Anti-NATO hackers brought down the city of Chicago's home page for hours
Sunday as leaders of the military alliance met in Chicago and thousands
of protesters took to the streets.

The page, cityofchicago.org, went down from midmorning until early
afternoon after a shadowy group posted a YouTube video...
 