Hackin9

InfoSec News

Samsung Display has terminated a contract to make LCD panels for Apple due to supply chain issues and financial strain, according to a news report published in The Korea Times on Monday.
 
Marissa Mayer, participating in her first Yahoo earnings conference call since becoming CEO, outlined a broad range of areas in which the company needs to improve.
 
Even before Apple sent invitations for the Tuesday launch event where it will likely unveil a smaller iPad, consumers were unloading their old tablets so they can trade up to Apple's latest, according to gadget buy-back firm Gazelle.
 
An upgrade of Microsoft's Office Web Apps has been finalized, and a combination of enhancements makes this Web-hosted Office version work much better on iPads than previous iterations.
 
Amazon Web Services confirmed that its Elastic Block Storage (EBS) service experienced degraded service, leading sites across the Internet to experience downtime, including Reddit, Imgur and many others.
 
Yahoo's revenue dropped slightly but earnings rose during the third quarter, the first complete one under the helm of new CEO Marissa Mayer.
 
Many IT organizations have neglected their help or service desks for years. But Land O'Lakes Inc. is going in a different direction, moving its help desk to ServiceNow, a cloud-based service.
 
Web companies using facial recognition technology should avoid identifying anonymous images of consumers to someone who could not otherwise identify them, unless the companies have the consumers' consent, a U.S. Federal Trade Commission report said.
 
Several years ago, SAP introduced enhancement packs, which were supposed to provide a much easier and less painful way to upgrade its ERP (enterprise resource planning) software. Executives extolled how customers could add new functionality without committing to a full-blown upgrade.
 
At his company's European Research and Innovation Conference in Barcelona, Intel evangelist Manny Vara said wearable computers may be two to five years away.
 
The market for security professionals is hot, but several experts indicate that the pool of IT talent with security skills is dwindling.

At IBM's Information On Demand and Business Analytics Forum, being held this week in Las Vegas, the company announced a number of new add-ons and services designed to help organizations analyze their expanding data sets more quickly.
 
(We took a break from our standard fare this weekend and didn't publish any standards-related diaries. 20/21 will be skipped as a result.)
Over the years, I have collected quite a number of standard connectors/cables and interfaces. This is certainly an area where standards seem to be proliferating quickly. To stick with our theme of security and security awareness, I would like to focus on a couple of popular standards and, in particular, outline the security aspects of each.
First of all, pretty much all peripherals connected to a system require drivers to interact with the device. These device drivers are frequently part of the kernel, so a vulnerability in a device driver leads to a full system compromise. I don't think the full potential of this class of vulnerabilities has been realized yet, but there have certainly been some notable exploits based on them. Even simple devices like VGA monitors send some data to the system (the EDID block describing the display), and that data could in principle be used to exploit a driver vulnerability (I am not aware of a VGA vulnerability).
USB
The Universal Serial Bus is by now pretty old, and you can't buy a laptop or desktop without a USB port. In the past, the main risk of USB has been the ability to automatically launch software as soon as a USB memory stick is plugged into the system. This autorun behaviour has been mostly eliminated in modern operating system configurations. However, there are still plenty of possible issues with USB:

USB is not just the USB memory stick. A device that looks like a memory stick may also emulate a keyboard. The YubiKey, for example, is an interesting security application of a simulated keyboard. But the same trick can be abused: a USB keyboard may issue commands, just like a user sitting in front of the system. Teensy is a very capable USB development board that can be configured to emulate a keyboard [1]. A Teensy-based device could be added to any existing USB device via a simple USB hub. USB devices do not authenticate themselves to the host in any meaningful way, so there is little the host can do to restrict itself to known-good USB devices.
Some recent work points to possible file system driver vulnerabilities that can be exploited by mounting a specially crafted file system. This works even with auto-execute disabled, because the system has to mount (and therefore parse) the file system before it can give the user access to it.
There have been plenty of social engineering based demonstrations showing that people are just about as likely to click on files on a found USB stick as they are to open attachments in e-mail.
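As an added example (not part of this diary, and not code from the Teensy or YubiKey projects), the following Python script applies the first point above to the Linux host side: it reads the kernel's USB enumeration log lines and flags any device that registers both a mass-storage interface and a HID keyboard, i.e. a "memory stick" that can also type. The log lines are constructed here in the format the kernel prints; the vendor/product IDs, product names and port paths are made up for the sample, and correlating the hid-generic and usb-storage lines by port path alone assumes a single USB bus (on a real host one would key on the full sysfs device path).

```python
import re
from dataclasses import dataclass, field

# Constructed kernel log lines, in the format Linux prints while a USB device
# enumerates.  Vendor/product IDs, product names and port paths are made up.
SAMPLE_DMESG = """\
usb 1-1.2: new full-speed USB device number 5 using xhci_hcd
usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb 1-1.2: Product: Promo Flash Drive
usb-storage 1-1.2:1.0: USB Mass Storage device detected
hid-generic 0003:1234:5678.0005: input,hidraw0: USB HID v1.11 Keyboard [Promo Flash Drive] on usb-0000:00:14.0-1.2/input1
usb 1-1.3: new high-speed USB device number 6 using xhci_hcd
usb 1-1.3: New USB device found, idVendor=0a0b, idProduct=0001, bcdDevice= 2.00
usb 1-1.3: Product: Plain Stick
usb-storage 1-1.3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=0c0d, idProduct=0002, bcdDevice= 1.00
usb 1-4: Product: Desk Keyboard
hid-generic 0003:0C0D:0002.0006: input,hidraw1: USB HID v1.11 Keyboard [Desk Keyboard] on usb-0000:00:14.0-4/input0
"""

_NEW_DEV = re.compile(r"^usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
_PRODUCT = re.compile(r"^usb (\d+-[\d.]+): Product: (.+)$")
_STORAGE = re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic reports the device as <host controller PCI address>-<port path>
_HID_KBD = re.compile(r"^hid-generic \S+ \S+ USB HID v[\d.]+ Keyboard \[.*\] on usb-\S+-([\d.]+)/input\d+$")


@dataclass
class UsbDevice:
    devpath: str            # kernel name such as "1-1.2" (bus-port.port)
    vid: str
    pid: str
    product: str = ""
    interfaces: set = field(default_factory=set)   # subset of {"storage", "keyboard"}

    @property
    def port(self):
        # "1-1.2" -> "1.2": the part after the bus number, which is what the
        # hid-generic line reports after the host-controller address.
        # Simplification for the sample: assumes a single USB bus.
        return self.devpath.split("-", 1)[1]


def parse_usb_log(lines):
    """Build one UsbDevice per enumerated device, recording which interface
    classes the kernel bound drivers for."""
    devices, by_port = {}, {}
    for line in lines:
        m = _NEW_DEV.match(line)
        if m:
            dev = UsbDevice(*m.groups())
            devices[dev.devpath] = dev
            by_port[dev.port] = dev
            continue
        m = _PRODUCT.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].product = m.group(2)
            continue
        m = _STORAGE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].interfaces.add("storage")
            continue
        m = _HID_KBD.match(line)
        if m and m.group(1) in by_port:
            by_port[m.group(1)].interfaces.add("keyboard")
    return devices


def storage_that_types(devices):
    """Devices exposing both a mass-storage and a keyboard interface: the
    'memory stick that is also a keyboard' pattern discussed above."""
    return [d for d in devices.values() if {"storage", "keyboard"} <= d.interfaces]


if __name__ == "__main__":
    found = parse_usb_log(SAMPLE_DMESG.splitlines())
    for d in storage_that_types(found):
        print(f"suspicious: {d.devpath} {d.vid}:{d.pid} '{d.product}' interfaces={sorted(d.interfaces)}")
```

On a live system the input would be `dmesg` or journal output. Note that the kernel logs these lines only after the device has enumerated and the keyboard driver has bound, so this is detection after the fact; to refuse a device before any driver binds, the preventive control on Linux is the per-device `authorized` attribute under /sys/bus/usb/devices/ (and policy tools such as USBGuard that are built on it).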

Firewire (IEEE 1394)
A lot of attention has been spent on USB. Firewire, on the other hand, provides an entirely different level of access to the system. Firewire host controllers give devices on the bus direct memory access (DMA), so a Firewire device can reach the system in much the same way a PCI plug-in board can. An attacker with access to the Firewire bus can read and manipulate memory and access devices (like hard drives) connected to the bus.

Reading memory: This has been used in forensics to retrieve system memory without having to install additional tools on the target. Of course, an attacker can just as well retrieve encryption keys and similar secrets that are held in memory.
Manipulating memory: Tools exist to patch running system processes in memory. For example, a proof-of-concept tool bypasses the Windows XP login dialog by patching the password comparison function in memory.
Low-level system access: Even low-level elements, like BIOS passwords, have been read via Firewire.

(Sorry for the lack of links/URLs for this section, but the main source of these tools, http://www.storm.net.nz/projects/16, hasn't been up in a while.)
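What "retrieve encryption keys from memory" looks like in practice, as an added example that is not part of this diary or of the storm.net.nz tools: once an attacker (or a forensic examiner) has a raw copy of RAM via DMA, AES keys can be located without knowing anything about the software that holds them, because a live AES context contains the expanded key schedule, and 176 consecutive bytes that satisfy the FIPS-197 expansion relations are almost certainly a real AES-128 key. The Python below implements that check (the same idea as the cold-boot tool aeskeyfind, in exact-match form). The "memory image" is constructed inside the script: pseudo-random filler with one key schedule planted at a chosen offset, using the FIPS-197 Appendix A example key; the AES key expansion is written out here from FIPS-197 rather than taken from a library so that the test is visible.

```python
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11b) & 0xff if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """AES S-box = multiplicative inverse followed by the affine transform."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xff
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63 for b in inv]


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(mem, step=1):
    """Return (offset, key_hex) for every position in `mem` where the 176
    bytes that follow form a valid AES-128 key schedule.  Exact matching is
    appropriate for a DMA read, which copies RAM without bit errors."""
    hits = []
    for off in range(0, len(mem) - 176 + 1, step):
        key = mem[off:off + 16]
        # Cheap pre-check: derive only w[4] and compare it before expanding fully.
        t = [SBOX[b] for b in list(key[13:16]) + [key[12]]]
        t[0] ^= 0x01
        if mem[off + 16:off + 20] != bytes(key[j] ^ t[j] for j in range(4)):
            continue
        if expand_key_128(key) == mem[off:off + 176]:
            hits.append((off, key.hex()))
    return hits


def build_sample_image(key, offset, size=32 * 1024, seed=7):
    """Constructed stand-in for a memory dump: pseudo-random filler with one
    expanded key schedule planted at `offset`."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key_128(key)
    img[offset:offset + len(sched)] = sched
    return bytes(img)


if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 example
    image = build_sample_image(fips_key, 0x1230)
    for off, k in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}: key {k}")
```

The pre-check means each offset costs four S-box lookups rather than a full expansion, which is what makes scanning gigabytes of RAM practical. Full-disk-encryption software keeps exactly these schedules in kernel memory while a volume is mounted, which is why DMA access to a running, locked machine is as good as the passphrase.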
Thunderbolt (Light Peak)
This is a relatively new technology, initially introduced by Apple and Intel. Currently, the first non-Apple laptops are starting to appear with Thunderbolt ports. Thunderbolt is pretty much a further development of the Firewire concept. It allows direct access to the newer PCIe bus, and it carries a video channel via DisplayPort. At this point, not a lot of work has been done on exploiting Thunderbolt, but more or less all exploits that worked against Firewire should in principle work with Thunderbolt. The bus is not authenticated, and a device such as a monitor may conceal a second internal device that then reads and manipulates data on the system via the Thunderbolt interface. There is very little visibility into the data exchanged via Thunderbolt (we need something like tcpdump for these ports).
[1] http://www.pjrc.com/teensy/

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Motorola Solutions has unveiled a head-mounted, voice-controlled computer that's targeted at the military and other industries where workers need hands-free access to information.
 
Microsoft today said that a free Windows 8 and Windows RT Skype app will be ready for downloading from the Windows Store on Friday, Oct. 26.
 
Motorola's Droid Razr HD makes a lasting impression with its first-class build quality and outstanding battery life -- but the Android smartphone also has its fair share of flaws.
 
Intel CTO Justin Rattner predicts that driverless cars will be available within 10 years and that buyers by then will increasingly be more interested in a vehicle's internal technology than the quality of its engine.
 
HP, which has a long history of providing service management tools in the enterprise as on-premise systems, managed services and SaaS offerings, is releasing on Monday an entirely new SaaS product for the service desk, called HP Service Anywhere.
 
Big data is becoming an engine of job creation as businesses discover ways to turn data into revenue, according to research firm Gartner.
 
Dotproject SQL Injection and Cross Site Scripting Vulnerabilities
 
Spammers have found a way to abuse a URL shortener service destined for U.S. government social media activities in order to craft rogue .gov URLs for work-at-home scams.
 
The Isis joint venture of three wireless carriers announced the launch of its new mobile wallet system in Salt Lake City and Austin that uses nine NFC-ready and Isis-ready smartphones sold by the carriers.
 
A 20-year-old French hacker has reportedly defrauded over 17,000 people with a trojan disguised as several popular smartphone applications, mostly on Android.


 
Oracle Java SE CVE-2012-5071 Remote Java Runtime Environment Vulnerability
 
Microsoft has reached a settlement with the second named defendant, a Russian software programmer, in the legal complaint against Kelihos botnet operators.


 
Google's product unveiling event next Monday will feature a 10-in. tablet running Android 4.2, possibly named the Samsung 10, and an LG Nexus 4 smartphone, according to reports.
 
Oracle is augmenting its Oracle Application Development Framework (ADF) to allow developers to create mobile applications for Apple and Android devices.
 
Hewlett-Packard has launched a hosted offering called HP Service Anywhere, providing IT service management software over the Internet.
 
Linux Kernel 'binfmt_script.c' Local Information Disclosure Vulnerability
 
RETIRED: Joomla Kunena 'id' Parameter SQL Injection Vulnerability
 
hostapd 'hostapd.conf' Configuration File Insecure File Permissions Vulnerability
 
Microsoft has run through all pre-launch supplies of its Surface RT tablet, forcing U.S. and Canadian customers who want one Friday to head to the company's permanent and special holiday "pop-up" stores.
 
Apple's much-maligned iPhone exclusivity agreement with AT&T Mobility, started in 2007 but now ended, is once again the target of a class-action suit.
 
In staging an Apple event on Tuesday to unveil the long-awaited iPad Mini, Apple is poised to steal a lot of Microsoft's Windows 8 launch thunder. That's symbolic of a confident Apple, says columnist Ryan Faas.
 
Research in Motion CIO Robin Bienfait's last name means 'well done' in French. She hopes customers will agree that those two words apply to the upcoming BlackBerry 10 smartphones.
 
The U.S. Supreme Court refuses to hear an appeal of a lower-court court decision upholding legal immunity for telecom companies that allegedly participated in an NSA surveillance program during the last decade.
 
Research firm Gartner is predicting the demise of the help desk, but tech support veterans say reports of the death of the help desk are greatly exaggerated.
 
Working with startup vendors requires a lot of legwork and a plan for managing the risk. But the payoff can be great.
 
Most IT predictions are two-dimensional, featuring forecasts in which the big trend of the day takes over and completely changes IT.
 
Communication specialist and author Cara Hale Alter talks about how to project confidence and competence.
 
Discussions about technology issues are complex and not amenable to sound bites. But they are quite important nonetheless.
 
As Computerworld celebrates its 45th anniversary, IT executives and pundits look back over decades of change that brought stunning technological advancements -- and put more power in users' hands.
 
A look at some of the products that have helped push rapid change in the IT industry over the past few decades.
 
A look at some wildly-off-the-mark predictions made about technology over the years -- some of them from some of the biggest names in computing history.
 
Google Chrome Prior to 22.0.1229.94 Multiple Security Vulnerabilities
 
libpng 'png_formatted_warning()' Function Off-By-One Error Buffer Overflow Vulnerability
 
Ruby CVE-2012-4522 Local File Creation Vulnerability
 
LibTIFF TIFF Image Heap Buffer Overflow Vulnerability
 
GNU Bash Remote Stack Based Buffer Overflow Vulnerability
 
bash-doc Insecure Temporary File Creation Vulnerabilities
 
TurboFTP Server 'PORT' Command Processing Stack Based Buffer Overflow Vulnerability
 

Posted by InfoSec News on Oct 21

http://arstechnica.com/information-technology/2012/10/live-fire-cyberwar-in-a-box-tests-mettle-of-military-it-pros/

By Sean Gallagher
Ars Technica
Oct 20 2012

In August, a collection of military, government, and nongovernmental
humanitarian organizations from 22 countries in the Pacific gathered in
Singapore for Pacific Endeavor 2012, a joint exercise to test how
quickly and how well they could communicate in the face of a disaster.
While...
 

Posted by InfoSec News on Oct 21

http://www.computerworld.com/s/article/9232614/DHS_official_suggests_sharing_resources_to_mitigate_cyberattacks

By Martyn Williams
IDG News Service
October 19, 2012

Groups of companies in the same industry could pool infrastructure
resources to help each other mitigate the effects of cyberattacks and
work together on security issues, a senior official in the U.S.
Department of Homeland Security suggested on Friday.

The comments by Mark...
 

Posted by InfoSec News on Oct 21

http://fcw.com/articles/2012/10/19/nist-partnership.aspx

By Camille Tuutti
FCW.com
Oct 19, 2012

The federal agency tasked with developing measurements and standards is
looking for companies to help solve pressing cybersecurity challenges in
a new effort: the National Cybersecurity Excellence Partnerships.

In an Oct. 12 Federal Register notice, the National Institute of
Standards and Technology’s Information Technology Laboratory calls on...
 

Posted by InfoSec News on Oct 21

http://www.forbes.com/sites/andygreenberg/2012/10/19/darpa-funded-radio-hackrf-aims-to-be-a-300-wireless-swiss-army-knife-for-hackers/

By Andy Greenberg
Forbes Staff
Security
10/19/2012

Since the days of Alan Turing, the promise of a digital computer has
been that of a universal machine, one that can be a word processor one
minute and a robot brain the next. So why are radios, a technology even
older than computers, still designed stubbornly...
 

Posted by InfoSec News on Oct 21

http://www.theregister.co.uk/2012/10/19/us_weather_service_hack/

By John Leyden
The Register
19th October 2012

Hackers have lifted potentially sensitive data from the US National
Weather Service after exploiting a vulnerability in the weather.gov
website.

A previously-unknown group called Kosova Hacker's Security claimed
credit for the hack in a lengthy post on pastebin, containing a stream
of data lifted as a result of the hack....
 