Information Security News
As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords. Most operating systems these days enforce some level of password complexity by default, with options to "beef up" the password requirements further.
The prevailing wisdom today is to use passphrases - demonstrated nicely by our bud at xkcd - http://xkcd.com/936/
So I routinely have very long passphrases for public-facing accounts. Imagine my surprise when I was creating a new account on a major cloud service (the one that starts with an "O" and ends with a "365"), and found that I was limited to a 16 character password.
Needless to say I have a case open to see if that limit can be removed. I'm not looking for no limit / invitation to a buffer overflow status on the password field, but something bigger than 16 would really be appreciated!
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
US Accountability Body Criticizes SEC Infosec Approach
The US Government Accountability Office (GAO) has released a critical report on information security practices at the Securities and Exchange Commission (SEC), finding that basic security measures are not taken by the regulator and that it must improve.
After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP ProLiant servers' iLO ports (iLO1 and iLO2) are not susceptible to Heartbleed.
However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable. This affects ProLiants from G1 all the way up to G6, as well as many of the HP BladeSystems.
A complete power down of the entire system - as in remove both of the AC cables - is required to reset the iLO card and bring it back to life. While this may seem like a quick fix for a single server, if that server is running a hypervisor, or if it's a blade system with hypervisors running on the blades, this can multiply into a huge issue, especially if your client scanned the server subnet and effectively bricked all their iLO cards before they realized there was a problem (oops).
(And yes, the fact that we worked this out Easter weekend is somewhat ironic.)
Full details are in HP Support Document c04249852
This illustrates that even when scanning for simple things (with Nmap, Nessus or any other scanning tool really), it's best to scan a few test systems first - or if you have a test VLAN that replicates your production systems, even better! This isn't a problem with the scanners; almost always the problem is the fragility of the service being scanned. Many services are only written to deal with "the right" inputs, which is not how most scanners (or most attackers) tend to operate.
Safe Scanning Everyone!
Twitter has been hit by an avalanche of malicious tweets that are being sent by thousands of compromised user accounts. The ongoing attack, which was about two hours old and showed no signs of abating as this post was about to go live, appeared to be linked to security breaches affecting third-party sites and apps.
Early on, every single one of the tweets viewed by Ars contained the tag "via weheartit.com," prompting speculation the compromised Twitter accounts were linked to the social network by that name, which hosts services for image sharing and promotion. Later on, however, tweets that were part of the same campaign carried tags showing they were transmitted by apps such as the Twitter for iPhone, making it unclear exactly what was the source of the non-stop torrent.
In an e-mail, We Heart It President Dave Williams wrote: "We are definitely seeing some malicious activity which we have now blocked and are investigating further. Unfortunately I don't have any other information I can share at this point." We Heart It representatives later took to Twitter to say sign-in and sharing over Twitter had been temporarily disabled.
In IPv6, DHCP is taking somewhat of a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, in particular for enterprise/larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use.
One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier) which can be different from a MAC address. There are essentially three ways to come up with a DUID:
Link Layer + Time: On first boot, the host combines one interface's link-layer address (the MAC address for Ethernet) with a timestamp (seconds since Epoch) to derive a DUID. This DUID is saved to disk and remains constant even if the network card is swapped later.
Link Layer: Some hosts cannot retain a DUID between reboots; in that case, the link-layer address alone is used.
Vendor Assigned: You can also simply assign an arbitrary DUID, such as a host name, to identify the host.
Regardless of which method you use, the sad part is that each operating system, and in some cases different software on the same operating system, chooses to display the DUID differently, making correlation hard.
Here are a few examples:
Linux seems to like a mix of octal and ASCII characters (if the value represents a printable character). For example:
However, in Linux configuration files for DHCPv6 servers and clients, you may find a simpler hex format:
option dhcp6.client-id 0:1:0:1:1a:de:c6:fb:0:c:29:67:cf:2;
OS X on the other hand displays the time part in decimal, and the MAC address part in hexadecimal:
ipconfig getv6packet en0
CLIENTID (1) Length 14 DUID LLT HW 1 Time 389824106 Addr 40:6c:8f:11:d7:5c
Windows prefers to display the hexadecimal version as output for "ipconfig /all":
DHCPv6 Client DUID. . . : 00-01-00-01-13-0D-1E-A2-00-0C-29-A3-D3-30
To help myself a bit with this confusion, I started a little script that will convert DUIDs from different formats. It isn't quite done yet, but good enough to see if anybody finds it helpful and would like to test it. You can download the script from https://isc.sans.edu/diaryimages/duidconvert.pl
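As an added illustration of the conversion problem described above (this is not the diary's duidconvert.pl), the following normalises the four display forms shown on this page into raw DUID bytes and decodes the DUID-LLT fields. The octal/ASCII string is constructed in ISC lease-file style from the page's own colon-hex value, and the timestamp is decoded against the 2000-01-01 base that RFC 8415 specifies for DUID-LLT.

```python
"""Normalise DUIDs from the display formats shown above into raw bytes and
decode DUID-LLT / DUID-LL fields.  Added example, not the diary's duidconvert.pl."""
import re
from datetime import datetime, timedelta, timezone

# DUID-LLT time is seconds since 2000-01-01 00:00 UTC, not the Unix epoch (RFC 8415 s11.2)
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample in ISC lease-file style: the page's colon-hex DUID rendered as
# 3-digit octal escapes, with printable bytes (0x29 ')' and 0x67 'g') left as ASCII.
LINUX_OCTAL = r'"\000\001\000\001\032\336\306\373\000\014)g\317\002"'

def parse_duid(text: str) -> bytes:
    """Accept Linux octal/ASCII, dhclient colon-hex, OS X ipconfig and Windows dash-hex."""
    s = text.strip()
    m = re.search(r'DUID LLT HW (\d+) Time (\d+) Addr ([0-9a-fA-F:]+)', s)
    if m:  # OS X prints the fields already decoded; rebuild the type-1 wire form
        hw, secs, addr = int(m.group(1)), int(m.group(2)), m.group(3)
        return b'\x00\x01' + hw.to_bytes(2, 'big') + secs.to_bytes(4, 'big') \
            + bytes.fromhex(addr.replace(':', ''))
    if s.startswith('"') and s.endswith('"'):  # Linux quoted octal/ASCII string
        body, out, i = s[1:-1], bytearray(), 0
        while i < len(body):
            if body[i] == '\\' and body[i + 1].isdigit():
                out.append(int(body[i + 1:i + 4], 8)); i += 4
            elif body[i] == '\\':  # escaped backslash or quote
                out.append(ord(body[i + 1])); i += 2
            else:
                out.append(ord(body[i])); i += 1
        return bytes(out)
    # Config-file and Windows forms: the DUID is the last token, ':' or '-' separated
    token = s.rstrip(';').split()[-1]
    return bytes(int(h, 16) for h in re.split(r'[:-]', token))

def decode_duid(raw: bytes) -> dict:
    """Split a DUID into fields: type 1 = LLT (time + MAC), type 3 = LL (MAC only)."""
    duid_type = int.from_bytes(raw[:2], 'big')
    info = {'type': duid_type, 'hex': raw.hex(':'), 'windows': raw.hex('-').upper()}
    if duid_type == 1:
        secs = int.from_bytes(raw[4:8], 'big')
        info.update(hw_type=int.from_bytes(raw[2:4], 'big'), time=secs,
                    created=(DUID_EPOCH + timedelta(seconds=secs)).strftime('%Y-%m-%d'),
                    mac=raw[8:].hex(':'))
    elif duid_type == 3:
        info.update(hw_type=int.from_bytes(raw[2:4], 'big'), mac=raw[4:].hex(':'))
    return info

def same_host(*displays: str) -> bool:
    """True when every display string, whatever its format, encodes the same DUID."""
    return len({parse_duid(d) for d in displays}) == 1
```

Feeding the page's three OS-specific strings through `decode_duid(parse_duid(...))` yields the same field layout for each, so lease files, `ipconfig getv6packet` and `ipconfig /all` output can be correlated directly.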
[To learn more about IPv6 Security, check out my class IPv6 Security Essentials]
A noted whitehat hacker who spent more than a year on Apple's security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.
Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday's release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.
"Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: 'I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'" Paget wrote in Wednesday's blog post. Addressing Apple officials directly, Paget continued:
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
US Accountability Body Criticizes SEC Infosec Approach
By James Rundle; Sell-Side Technology; 23 April 2014. The SEC has been found to have major faults in its approach to ...
Posted by InfoSec News on Apr 23: http://krebsonsecurity.com/2014/04/states-spike-in-tax-fraud-against-doctors/
Posted by InfoSec News on Apr 23: http://www.press-citizen.com/story/news/2014/04/22/data-breach-could-affect-30000-iowa-state-students/8007523/
Posted by InfoSec News on Apr 23: http://www.nextgov.com/cybersecurity/2014/04/gsa-has-new-plan-cloud-providers-navigating-changing-security-standards/83014/
Think-tank to infosec: You're doing it wrong
Tomorrow's Internet is a scary, scary place, according to think-tank The Atlantic Council, so much so that we're all apparently on the brink of “a cyber sub-prime meltdown”. The council has published a report co-prepared with Zurich Insurance which ...