Hackin9
Twitter, in a much-needed move to keep its users safer from cyberattacks, is introducing a more secure login process.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

On the heels of the Syrian Electronic Army compromising a number of high-profile accounts—including those of the Associated Press, The Guardian, and The Onion—Twitter has introduced a two-factor authentication feature that should make such attacks more difficult. In a blog post today, Jim O'Leary of Twitter's security team announced the release of "login verification," an optional security measure that requires a verified phone number and e-mail address.

Twitter is a bit late to the two-factor authentication party. Word first spread that Twitter was working on a two-factor authentication scheme in February when the company advertised job openings for security engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection." Google has offered two-factor authentication since February of 2011, and Facebook introduced two-step login approval in May of 2011.

Like Google's two-factor authentication, Twitter's login verification sends a code via SMS that must be entered to confirm a login. Unlike Google's system, however, the code is sent every time a user signs into Twitter through its website, even from a computer or device they have logged in from before. The phone has to be enrolled through Twitter's existing SMS service: you text a code to Twitter to verify the number, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you will need to share a phone number too, and if you have multiple accounts and only one phone number, you can secure only a single account.


 
 
Hewlett-Packard reported a 32% drop in profit for its second fiscal quarter, due partly to slower sales of PCs and servers.
 
Wal-Mart plans to use big data about a customer's usual shopping to automatically create shopping lists for them on its mobile app.
 
WordPress Spider Video Player Plugin 'theme' Parameter SQL Injection Vulnerability
 
FreeBSD NFS Server CVE-2013-3266 Memory Corruption Vulnerability
 
RadioCMS 'playlist_id' Parameter SQL Injection Vulnerability
 
WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability
 
 
The U.S. government should bar foreign companies that repeatedly steal or use stolen U.S. intellectual property from selling their products in the country, a new report recommended.
 
By now, it's become a tired old tech industry bromide: CIOs need to be business-savvy.
 
With the H-1B fight over and lost, Sen. Charles Grassley (R-Iowa) lashed out, almost flailing in the minutes before the Senate Judiciary Committee's final vote Tuesday.
 
Google's Drive cloud storage service has been retooled for Android users and is now capable of capturing a document by converting a photo of it to text.
 
Last year the U.S. was the least risky place in the world to open a data center, according to a study released this week.
 
Saving a destination in Google Maps makes it easier to navigate to and also lessens the chance for error when entering or trying to remember an address.
 
Citrix Systems is making its cloud-based storage service ShareFile more Microsoft-friendly with SharePoint integration and the ability to store data on Azure.
 
Salesforce.com is hoping to set the standard for how government bodies deliver online services to citizens using mobile devices.
 
 
Improvements to Nvidia's virtualization technology are aimed at turning graphics processors into a more important resource in data centers and could speed deployment of virtual desktops and delivery of data over the cloud.
 
 

A Congressional survey of utility companies has revealed that the country's electric grid faces constant assault from hackers, with one power company reporting a whopping 10,000 attempted cyberattacks per month.

US Reps. Edward Markey (D-MA) and Henry Waxman (D-CA) sent 15 questions to more than 150 utilities and received replies from 112 of them. Only 53 of those actually answered all the questions—the others provided incomplete responses or only "a few paragraphs containing non-specific information" without answering any of the questions.

Results from those who did answer show utilities are under continuous assault:


 
RETIRED: Acme thttpd HTTP Server Directory Traversal Vulnerability
 
At a school event, I noticed my son sitting and talking with a younger boy. When I asked who he was, my son explained, "he's my kinder buddy!"
 
Mobile devices are getting hit by a boom in malware similar to the one that hit PCs starting with the rise of the Web, a security software executive said Tuesday.
 
Chrome 27.0.1453.93 closes 17 security vulnerabilities for which Google has paid out almost $15,000. The newest version of the browser also improves page load speed for pages with many assets.
    


 
RETIRED: QEMU Guest Agent CVE-2013-2007 Insecure File Permissions Vulnerability
 
QEMU Guest Agent CVE-2013-2007 Insecure File Permissions Vulnerability
 
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
 
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
 

In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant, I often hear what I term 'interesting' responses. When a penetration tester calls something interesting, you should probably pay attention :)

The IDS only listens external to the firewall? SharePoint is directly exposed to the Internet? The WAF protects against attacks therefore we don't have to fix the application? The VMs are all physically on the same host? The DMZ and the internal VLAN are physically on the same switch? You don't bother with privilege escalation patches? All quite interesting.

One of the responses I have heard multiple times is that privilege escalation vulnerabilities are a low priority because they require the attacker to have local access. Meaning that it would be very difficult to pull off, therefore we don't have to worry about it. This also assumes that every single account holder is 100% gruntled all of the time, and that nobody ever makes a mistake. Meaning that we can trust everyone who accesses our networks and applications. Which I also find to be 'interesting' :)

There are multiple types of privilege attacks. The first is privilege escalation, where someone who has valid credentials or another means of accessing a network or application raises their level of access to a more privileged one: getting root on a Unix system, for example, or becoming Domain admin before lunch on day 1, or assuming a higher role within an application. Impersonation attacks are similar, but they entail becoming a different user, often with the same level of privilege, but with way more money in their account :) which soon finds its way to a country with no extradition treaty.

If the only difference between a remote exploit and a local one is that the former is triggered over a network connection and the latter is not, does that mean local privilege escalation cannot be used in an attack that comes across the network? Actually, no. If an attacker gains code execution through a client-side exploit (a malicious document or web page that a user opens), they effectively become that local user, and can then escalate to local system. Local system privilege on a domain-joined Windows computer is just a hop, skip, and jump away from being Domain administrator. The "local only" vulnerability is the link that turns a user-level foothold into full control.

In a recent discussion about the priority to be assigned to a patch, one comment was "It's only a privilege escalation!" Yes, you are correct, and that is an interesting statement, was my response.
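The chain described above, as an added example that is not part of the diary and not code from SANS or the author: a small privilege-reachability model in which each finding is an edge from the privilege level the attacker holds to the one it grants, tagged with whether it needs network access or code already running on the host. The privilege levels and the three sample findings (a client-side browser exploit, a kernel local privilege escalation, and credential theft from a SYSTEM context leading to Domain admin) are constructed for illustration; the names are hypothetical, not real identifiers. The point it makes is the diary's own: judged in isolation, the "local only" escalation reaches nothing from the outside, but once a client-side exploit is in the set it is the link that carries the attacker from a user session to Domain admin.

```python
"""Does a 'local only' privilege escalation matter once a client-side
exploit hands the attacker a user session?  Added example; the privilege
lattice and the findings below are constructed, not real advisories."""
from collections import deque

# Privilege levels, lowest to highest (constructed lattice).
LEVELS = ["remote", "local_user", "local_system", "domain_admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Each finding: (id, level the attacker holds, level it grants, attack vector).
# "network" = exploitable over the wire; "local" = needs code on the host.
FINDINGS = [
    ("clientside-browser-rce", "remote", "local_user", "network"),     # user opens a hostile page (constructed)
    ("kernel-lpe", "local_user", "local_system", "local"),             # "it's only a privilege escalation"
    ("cached-da-creds", "local_system", "domain_admin", "local"),      # creds readable as SYSTEM (constructed)
]


def reachable(findings, start="remote"):
    """Breadth-first search over the privilege graph.

    Returns {level: [finding ids chained to get there]} for every level an
    attacker who starts at `start` can reach."""
    edges = {}
    for fid, src, dst, _vector in findings:
        edges.setdefault(src, []).append((dst, fid))
    path = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, fid in edges.get(cur, []):
            if dst not in path:               # first (shortest) chain wins
                path[dst] = path[cur] + [fid]
                queue.append(dst)
    return path


def highest_reachable(findings, start="remote"):
    """(highest privilege level reachable, the chain of findings used)."""
    path = reachable(findings, start)
    top = max(path, key=RANK.__getitem__)
    return top, path[top]


def naive_priority(finding):
    """The 'requires local access, so low priority' triage rule."""
    _fid, _src, _dst, vector = finding
    return "high" if vector == "network" else "low"


def chain_aware_priority(finding, all_findings):
    """Rate a finding by how far the attacker gets WITH it versus WITHOUT it."""
    others = [f for f in all_findings if f[0] != finding[0]]
    with_it, _ = highest_reachable(all_findings)
    without_it, _ = highest_reachable(others)
    return "high" if RANK[with_it] > RANK[without_it] else "low"


def triage(findings):
    """{finding id: (naive priority, chain-aware priority)} for the whole set."""
    return {f[0]: (naive_priority(f), chain_aware_priority(f, findings)) for f in findings}


if __name__ == "__main__":
    lpe = FINDINGS[1]
    print("LPE alone, from the network:", highest_reachable([lpe]))
    print("LPE plus client-side exploit:", highest_reachable(FINDINGS))
    for fid, (naive, aware) in triage(FINDINGS).items():
        print(f"{fid:24s} naive={naive:5s} chain-aware={aware}")
```

Run on its own the kernel LPE never leaves "remote", which is the argument for deprioritising it; with the client-side exploit present the same finding is on the only path to Domain admin, and the chain-aware rating flips to high.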

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

 
LinuxSecurity.com: Updated kernel packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: LibTIFF could be made to crash or run programs as your login if it opened aspecially crafted file.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in krb5: The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443). [More...]
 
Unscrupulous profiteers are openly offering DDoS attacks as a service. They have no fear of being prosecuted; according to a reputable US blogger, the prosecutors themselves might be on board.
    


 
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)
 
[ MDVSA-2013:166 ] krb5
 
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
 
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
 
Blue Coat Systems, a provider of Web traffic filtering and business assurance products and services, plans to buy security analytics specialist Solera Networks, which uses data mining techniques to classify network traffic and detect potential security threats.
 
 
A new variant of the Citadel financial malware is targeting users of the Payza online payment platform by launching local in-browser attacks to steal their credentials, according to researchers from security firm Trusteer.
 
Healthcare providers are under siege by massive amounts of data. This is forcing the industry to upgrade its aging storage infrastructures, architectures and systems. Where that data is being stored may come as a surprise.
 
Competition in the tech jobs industry is fierce, so how do you differentiate yourself from the pack? Whether you're a job seeker or just looking to grow professionally, creating an impressive and meaningful brand is the best place to start.
 
Samsung's Galaxy S4 infringes on 5 Apple patents, according to a court filing by Apple.
 
Available free of charge, the Clueful app exposes Android programs that don't take users' privacy seriously enough, for example by sending personal information to advertising networks.
    


 
RETIRED: Google Chrome Prior to 27.0.1453.93 Multiple Security Vulnerabilities
 
China's Baidu has long dominated the country's search market. But a local rival to the company is bolstering its own search services with the help of e-commerce giant Alibaba Group.
 
Apple will build Macs in Texas using some parts made in the U.S., CEO Tim Cook said Tuesday, putting a little flesh on a pledge from last December.
 
The hacker attacks on Google in late 2009 may have had a greater impact than previously thought. The attackers reportedly had access to information on foreign agents collected by the US counterintelligence service.
    


 
Moodle CVE-2013-1833 HTML Injection Vulnerability
 
New features for detecting and analyzing malware in Sourcefire's FireAMP and FirePOWER products supplement flagging signature-based antimalware.

 
Sony will leverage its streaming technology to bring PlayStation games to devices other than dedicated consoles as part of its ongoing turnaround, but said gaming profits will still suffer and lowered sales targets for its smartphones and cameras.
 
Debian openssh-server Forced Command Handling Information Disclosure Vulnerability
 
Internet Storm Center Infocon Status