As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords.  Most operating systems these days now enforce some level of password complexity by default, with options to "beef up" the password requirements for passwords.

The prevailing wisdom today is to use passphrases - demonstrated nicely by our bud at xkcd - http://xkcd.com/936/

So I routinely have very long passphrases for public-facing accounts. Imagine my surprise when I was creating a new account on a major cloud service (the one that starts with an "O" and ends with a "365") and found that I was limited to a 16 character password.

Needless to say, I have a case open to see if that limit can be raised. I'm not looking for a no-limit, invitation-to-a-buffer-overflow password field, but something bigger than 16 would really be appreciated!



(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

US Accountability Body Criticizes SEC Infosec Approach
The US Government Accountability Office (GAO) has released a critical report on information security practices at the Securities and Exchange Commission (SEC), finding that basic security measures are not taken by the regulator and that it must improve.

The U.S. Federal Communications Commission will propose new net neutrality rules Thursday that will allow broadband providers to charge companies like Netflix for preferential traffic management, according to a news report.
The U.S. Federal Communications Commission will take public comments before moving forward with a new set of net neutrality rules that sparked controversy when they were leaked in a news report earlier Wednesday.
Apple on Wednesday said it sold 4.1 million Macs in the March quarter, growing sales during a period when the personal computer industry overall continued to contract.
Apple CEO Tim Cook thinks Microsoft could have benefitted from bringing the Office suite to iPads earlier, but it was better late than never.

After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP ProLiant servers' iLO ports (iLO1 and iLO2) are not susceptible to Heartbleed.

However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable. This affects ProLiants from G1 all the way up to G6, as well as many of the HP BladeSystems.

A complete power down of the entire system - as in remove both of the AC cables - is required to reset the iLO card and bring it back to life. While this may seem like a quick fix for a single server, if that server is running a hypervisor, or if it's a BladeSystem with hypervisors running on the blades, this can multiply into a huge issue. Especially if your client scanned the server subnet and effectively bricked all their iLO cards before they realized there was a problem (oops).

(And yes, the fact that we worked this out Easter weekend is somewhat ironic.)

Full details are in HP Support Document c04249852

This illustrates that even when scanning for simple things (with Nmap, Nessus or any other scanning tool really), it's best to scan a few test systems first - or if you have a test VLAN that replicates your production systems, even better! This isn't a problem with the scanners; almost always the problem is the fragility of the service being scanned. Many services are only written to deal with "the right" inputs, which is not how most scanners (or most attackers) tend to operate.

Safe Scanning Everyone!

Rob VandenBrink

An IBM project to widen the use of its Power server chips inched forward Wednesday with Big Blue trying to challenge Intel for a bigger role in the hyperscale data centers run by the likes of Google and Facebook.
Note the "via weheartit.com" tag in the bottom right of the malicious tweet.

Twitter has been hit by an avalanche of malicious tweets that are being sent by thousands of compromised user accounts. The ongoing attack, which was about two hours old and showed no signs of abating as this post was about to go live, appeared to be linked to security breaches affecting third-party sites and apps.

Early on, every single one of the tweets viewed by Ars contained the tag "via weheartit.com," prompting speculation the compromised Twitter accounts were linked to the social network by that name, which hosts services for image sharing and promotion. Later on, however, tweets that were part of the same campaign carried tags showing they were transmitted by apps such as Twitter for iPhone, making it unclear exactly what the source of the non-stop torrent was.

In an e-mail, We Heart It President Dave Williams wrote: "We are definitely seeing some malicious activity which we have now blocked and are investigating further. Unfortunately I don't have any other information I can share at this point." We Heart It representatives later took to Twitter to say sign-in and sharing over Twitter had been temporarily disabled.


Oracle Java SE CVE-2014-2397 Remote Security Vulnerability

In IPv6, DHCP is taking somewhat a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, in particular for Enterprise/larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use.

One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier) which can be different from a MAC address. There are essentially three ways to come up with a DUID:

Link Layer + Time: In this case, the host will on first boot create a DUID using one interface's link-layer address (the MAC address for Ethernet), as well as a timestamp (seconds since Epoch), to derive a DUID. This DUID is saved to disk and remains constant even if the network card is swapped later.

Link Layer: Some hosts may not be able to retain a DUID between reboots; in this case, only the link-layer address is used.

Vendor Assigned: You can also just assign an arbitrary DUID, maybe a host name, to identify the host.

Regardless of which method you use, the sad part is that each operating system, and in some cases different software on the same operating system, chooses to display the DUID differently, making correlation hard.

Here are a few examples:

Linux seems to like a mix of octal and ASCII characters (if the value represents a printable character). For example:


However, in Linux configuration files for DHCPv6 servers and clients, you may find a simpler hex format:

option dhcp6.client-id 0:1:0:1:1a:de:c6:fb:0:c:29:67:cf:2;

OS X on the other hand displays the time part in decimal, and the MAC address part in hexadecimal:

ipconfig getv6packet en0
CLIENTID (1) Length 14 DUID LLT HW 1 Time 389824106 Addr 40:6c:8f:11:d7:5c

Windows prefers to display the hexadecimal version, dash-separated, in the output of "ipconfig /all":

DHCPv6 Client DUID. . . : 00-01-00-01-13-0D-1E-A2-00-0C-29-A3-D3-30

To help myself a bit with this confusion, I started a little script that will convert DUIDs from different formats. It isn't quite done yet, but good enough to see if anybody finds it helpful and would like to test it. You can download the script from https://isc.sans.edu/diaryimages/duidconvert.pl
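As an added example (not the diary's duidconvert.pl script), the following Python parses each of the three display formats quoted above into raw bytes and decodes the DUID-LLT fields, so DUIDs seen in Linux, OS X and Windows output can be compared. The only assumption beyond the page is the RFC 3315 layout of DUID-LLT (2-byte type, 2-byte hardware type, 32-bit time, link-layer address).

```python
import re
from datetime import datetime, timedelta, timezone

# DUID type codes (RFC 3315 section 9).
DUID_LLT, DUID_LL = 1, 3
# The DUID-LLT time field counts seconds since 2000-01-01 00:00 UTC (RFC 3315),
# not the Unix epoch, which is why the page's example timestamps decode to 2010-2014.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# OS X "ipconfig getv6packet" form: decimal Time, colon-hex Addr.
OSX_RE = re.compile(r"DUID\s+(LLT|LL)\s+HW\s+(\d+)\s+(?:Time\s+(\d+)\s+)?Addr\s+([0-9a-fA-F:]+)")

def parse_duid(text):
    """Normalise a DUID written in any of the page's three display formats to raw bytes.

    Accepted inputs: the ISC dhcpd colon-hex value with leading zeros dropped
    ('0:1:0:1:...', optionally inside an 'option dhcp6.client-id ...;' line),
    the Windows 'ipconfig /all' dash-hex form ('00-01-00-01-...'), and the
    OS X form matched by OSX_RE above.
    """
    text = text.strip().rstrip(";")
    m = OSX_RE.search(text)
    if m:
        kind, hw, secs, addr = m.groups()
        raw = (DUID_LLT if kind == "LLT" else DUID_LL).to_bytes(2, "big")
        raw += int(hw).to_bytes(2, "big")
        if kind == "LLT":
            raw += int(secs).to_bytes(4, "big")
        return raw + bytes(int(x, 16) for x in addr.split(":"))
    # Hex forms: use the last whitespace-separated token so config keywords are ignored.
    parts = re.split(r"[:\-]", text.split()[-1])
    if not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", p) for p in parts):
        raise ValueError("unrecognised DUID format: %r" % text)
    return bytes(int(p, 16) for p in parts)

def decode_duid(raw):
    """Split a raw DUID into fields; only LLT and LL carry a link-layer address."""
    duid_type = int.from_bytes(raw[:2], "big")
    info = {"type": duid_type, "hex": raw.hex()}
    if duid_type == DUID_LLT and len(raw) >= 8:
        secs = int.from_bytes(raw[4:8], "big")
        info.update(hw_type=int.from_bytes(raw[2:4], "big"), time=secs,
                    generated=(DUID_EPOCH + timedelta(seconds=secs)).strftime("%Y-%m-%d"),
                    lladdr=":".join("%02x" % b for b in raw[8:]))
    elif duid_type == DUID_LL and len(raw) >= 4:
        info.update(hw_type=int.from_bytes(raw[2:4], "big"),
                    lladdr=":".join("%02x" % b for b in raw[4:]))
    return info

def same_duid(a, b):
    """True when two differently formatted strings denote the same DUID."""
    return parse_duid(a) == parse_duid(b)

if __name__ == "__main__":
    # The three DUIDs quoted in the diary, each in its native display format.
    for s in ("option dhcp6.client-id 0:1:0:1:1a:de:c6:fb:0:c:29:67:cf:2;",
              "CLIENTID (1) Length 14 DUID LLT HW 1 Time 389824106 Addr 40:6c:8f:11:d7:5c",
              "DHCPv6 Client DUID. . . : 00-01-00-01-13-0D-1E-A2-00-0C-29-A3-D3-30"):
        print(decode_duid(parse_duid(s)))
```

Decoding the time field also gives a rough "first boot" date for each host, which is handy when deciding whether two DUIDs with the same MAC belong to a reinstalled machine.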


[To learn more about IPv6 Security, check out my class IPv6 Security Essentials]

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

OpenStack Dashboard (Horizon) CVE-2014-0157 Multiple Cross Site Scripting Vulnerabilities
Facebook reported a nice 72 percent boost in sales for the first quarter, as the company continues to make strides expanding its advertising business on mobile devices.
Apple's iPad shipments declined, but iPhone sales were strong as the company reported a hike in profit and revenue during the second quarter of 2014.
Unrelenting privacy concerns finally derailed a controversial big data initiative that promised to deliver more individualized instruction to public school students in the U.S.
Oracle Java SE CVE-2014-2402 Remote Security Vulnerability
CIO.com's Tom Kaneshige had resisted watching HBO's new comedy about life in the Silicon Valley. After all, he's lived it since the '90s. But a funny thing happened during his week of binge viewing.
Raspberry Pi isn't planning a hardware upgrade of its popular $25 computer anytime soon, but faster options are emerging for users attracted to such board-like devices.
Roughly a year after settling an ugly, protracted legal battle with Oracle, Montclair State University is planning to implement a rival vendor's ERP (enterprise-resource-planning) system.
How much real work can one get done on a tablet? Or are tablets mostly designed for entertainment? The questions arise as a recent survey of college students showed a small decline in tablet ownership.
Oracle Java SE CVE-2014-0451 Remote Security Vulnerability
Oracle Java SE CVE-2014-2428 Remote Security Vulnerability
An Android Trojan app that sends SMS messages to premium-rate numbers has expanded globally over the past year, racking up bills for users in over 60 countries including the U.S., malware researchers from Kaspersky Lab said.
Microsoft CEO Satya Nadella will participate in Thursday's quarterly earnings call, a departure from the company's past practice, when former chief executive Steve Ballmer rarely joined calls with Wall Street analysts.
Google added past images of places noted in Street View for the desktop version of Google Maps. The goal is to give users the ability to see how places have changed over time.
Korean researchers have shown it's possible to wirelessly transmit power over a distance of 16 feet and charge up to 40 smartphones.

A noted whitehat hacker who spent more than a year on Apple's security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.

Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday's release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.

"Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: 'I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'" Paget wrote in Wednesday's blog post. Addressing Apple officials directly, Paget continued:


Three versions of the new Galaxy Tab 4 tablet line will go on sale in the U.S. on May 1, with the new 7-in. Wi-Fi model priced at $199.99.
The U.S. Federal Communications Commission voted Wednesday to shift US$9 billion over five years from traditional telephone subsidies to broadband subsidies, in an effort to bring high-speed Internet services to 5 million U.S. residents who don't have access.
[security bulletin] HPSBMU02997 rev.2 - HP Smart Update Manager (SUM) running OpenSSL, Remote Disclosure of Information
[security bulletin] HPSBMU02995 rev.5 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure
Xerox DocuShare '/docushare/dsweb/ResultBackgroundJobMultiple/1' SQL Injection Vulnerability
Microsoft yesterday opened its ad-free Bing search engine option to all U.S. K-12 schools, both public and private, after running a pilot program since August.
Linux Kernel CVE-2013-3229 Local Information Disclosure Vulnerability
Android smartphones and tablets now get the most mobile ad traffic worldwide, but iPhones and iPads still get 52% of the revenue.
Project management experts and executive IT recruiters provide tips to project managers on what they can do to give their careers a boost.

Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center

Ilio Kolochenko, CEO of High-Tech Bridge, a Swiss information security company, gave the keynote address on governments' role in cybersecurity this past Sunday at the Regional cybersecurity Summit in Oman.
The RCMP have managed to track down and arrest the first ne'er-do-well in London, Ontario. The RCMP have not indicated how they managed to puzzle out who attacked the Canada Revenue Agency. I am curious myself, but not for the same reasons. I'm curious what led a 19 year old from Southern Ontario to think that activity was acceptable.
Recent pan-industry data breach reports from Symantec and Verizon Business largely confirm what healthcare already knows about the root cause of its data breaches. But how can organizations step up to improve security?
Amazon Web Services has increased the number of simultaneous queries its hosted data warehouse Redshift can handle, improving performance in cases where many small queries are now forced to wait.
Google AdWords does not infringe a location-based search patent owned by a company called GeoTag, a U.S. judge ruled in a case in which Google and Microsoft teamed up to come to the aid of customers who use their mapping services.
QEMU 'vhdx' Block Driver Local Denial of Service Vulnerability
QEMU CVE-2014-0145 Multiple Buffer Overflow Vulnerabilities
QEMU CVE-2014-0144 Multiple Buffer Overflow Vulnerabilities
QEMU CVE-2014-0146 NULL Pointer Dereference Local Denial of Service Vulnerability
AirPhoto WebDisk v4.1.0 iOS - Code Execution Vulnerability
CVE-2014-2042 - Unrestricted file upload in Livetecs Timelive
CVE-2014-1217 - Unauthenticated access to sensitive information and functionality in Livetecs Timelive
CVE-2014-2383 - Arbitrary file read in dompdf
Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library.
AT&T and Google have talked up plans to extend supercharged broadband speeds to several U.S. cities and offer lesser service for free to underserved areas. But whether they, and other providers, can bridge the nation's digital divide without federal help remains to be seen.
Using lambda expressions can make your Java code leaner, more powerful, and easier to read
Partners Toshiba and SanDisk have developed 15-nanometer process technology for NAND flash memory widely used in smartphones and tablets.
The U.S. Federal Communications Commission will vote Wednesday on a proposal to pump $1.8 billion into a fund that subsidizes broadband deployments in rural communities.


US Accountability Body Criticizes SEC Infosec Approach
By James Rundle; Sell-Side Technology; 23 April 2014. The SEC has been found to have major faults in its approach to ...
In just a few mouse clicks, Tableau Desktop users can create forecasts from time series data.

Posted by InfoSec News on Apr 23


By Brian Krebs
Krebs on Security
April 22, 2014

An unusual number of physicians in several U.S. states are just finding
out that they’ve been victimized by tax return fraud this year,
KrebsOnSecurity has learned. An apparent spike in tax fraud cases against
medical professionals is fueling speculation that the crimes may have been
prompted by a data breach at...

Posted by InfoSec News on Apr 23


By Sharyn Jackson
Des Moines Register
April 22, 2014

Servers containing the social security numbers of almost 30,000 Iowa State
University students were compromised in a security breach, university
officials announced Tuesday.

Information technology staff discovered a breach of five departmental
servers that contained social...

Posted by InfoSec News on Apr 23


By Frank Konkel
April 22, 2014

The General Services Administration released a transition plan on Tuesday
that provides guidance to cloud computing service providers that will have
to adhere to new baseline security standards slated for release in June.

The transition plan will govern how CSPs adhere to...

Think-tank to infosec: You're doing it wrong
Tomorrow's Internet is a scary, scary place, according to think-tank The Atlantic Council, so much so that we're all apparently on the brink of “a cyber sub-prime meltdown”. The council has published a report co-prepared with Zurich Insurance which ...
