InfoSec News

The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will likely start hammering on PCs shortly, security experts said.
 
A proposal by the National Association of Broadcasters (NAB) to require all mobile devices sold in the U.S. to include FM radio chips is meeting growing opposition from IT and mobile trade groups.
 
If you're a blogger in the city of Philadelphia and make money from your writing, be forewarned. City officials want you to register as a business and pay your fair share of taxes.
 
The International Telecommunication Union may eliminate leap seconds from Coordinated Universal Time (UTC), the time scale used by most computer systems.
 
U.S. carriers with EV-DO mobile data networks are stepping up their coverage game with femtocells that offer extended coverage for the high-speed network, after long offering units that worked only with the slower CDMA2000-1x system.
 
Google is conducting limited testing of an instant search feature that gives users search results that change dynamically as they type.
 
While the MSI GT660, with its powerful Nvidia GPU and forceful looks, is aimed squarely at gamers, it's also a surprisingly competent desktop replacement laptop. Look past the slightly over-the-top styling and you'll not only find great performance, but outstanding input devices and state of the art connectivity. The only downside is that the 1366 by 768, 16-inch display doesn't allow full-resolution 1080p HD playback.
 
Raise your hand if this has happened to you: You're on an airplane, watching a movie on your laptop, when all of a sudden the screen goes dim. Or you're giving a PowerPoint presentation and your PC suddenly goes to sleep.
 
Microsoft Visual Studio LightSwitch 2010 beta 1 shows promise as an easy-to-use development tool, but doesn't seem to know its audience.
 
Users of Apple's iTunes services should keep a close eye on PayPal and credit card statements for fraudulent iTunes charges.
 
HP's $1.6 billion offer to buy 3Par is a smart move that could keep a key cloud storage player out of Dell's hands while giving HP its own enterprise-class storage array. Are other suitors looking to join the fray?
 
The Windows Phone Developer Tools have been downloaded more than 300,000 times, Microsoft said, as the company prepares to offer a new application store and mobile operating system.
 
Thoma Bravo said it signed an agreement to buy LANDesk Software from Emerson Electric to further build out its security market portfolio.

 
For the last couple of days there has been a lot of discussion about a vulnerability published by the Slovenian security company ACROS. HD Moore (of Metasploit fame) also independently found hundreds of vulnerable applications and, as he put it, the cat is now really out of the bag.
To see what is going on here we first have to understand how modern Windows applications are built. They are modularized into multiple DLLs (Dynamic Link Libraries), which lets a programmer call functions that live in other DLLs on the system; Windows itself ships with hundreds of them. If a DLL the application needs is not available on the system, the developer can ship it with the main executable and store it, for example, in the application's directory.
The most important DLLs are listed in the KnownDLLs registry key (HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs). These are the easy case: when an application loads one of them, the system already knows it has to come from the directory named by the DllDirectory value in that key, which is normally %SystemRoot%\system32, and it does not go looking anywhere else.
For any other DLL the system has to search for the file dynamically. Historically, Microsoft made the mistake of searching the current directory before the system directories (some of you Unix old-timers will remember when . was at the front of the PATH variable). Microsoft addressed that by introducing the SafeDllSearchMode registry setting, which changes the order in which directories are searched. With SafeDllSearchMode enabled, the search order as documented at http://msdn.microsoft.com/en-us/library/ms682586%28v=VS.85%29.aspx is:
1. The directory from which the application loaded.

2. The system directory. Use the GetSystemDirectory function to get the path of this directory.

3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.

5. The current directory.

6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
If more than one of these directories holds a DLL with the requested name, the first match wins. SafeDllSearchMode has been enabled by default since Windows XP SP2.
The problem appears when an application tries to load a DLL that does not exist on the system at all: none of the trusted directories satisfies the search, so the lookup falls through to the current directory and then to PATH. You can see one such case in the picture below, where I found that one of my favourite applications is very much vulnerable. Notice how it tries to find the DLL in all those directories before it gets to the copy on the share. The names of both the application and the DLL have been blacked out; no point in serving this up on a silver platter :(

So what about attack vectors? Any location where the attacker can place both the file the application will open and a malicious DLL next to it can be used, because opening the file makes that location the application's current directory. As in the example above, the most obvious place is a Windows share, so we are looking at attack vectors similar to last month's LNK vulnerability. The difference is that merely browsing to the directory does nothing here; the user has to open the file.
To protect your networks and systems, audit permissions on shares so that unauthorized users cannot put files where they shouldn't be. And of course I expect that by now you have already blocked SMB and WebDAV at the perimeter, so an external share cannot be used.
What about a fix? This will be a difficult one, because SafeDllSearchMode already is the fix for the original search-order problem, and it cannot help when the DLL does not exist in any of the trusted directories. So in most cases the developers of the vulnerable applications will have to fix them (by loading DLLs with a full path, for instance), and judging by the numbers I've seen we are looking at a very difficult period. Hopefully the popular applications (such as the one I successfully exploited above) will get patched quickly so the overall risk is reduced.
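To make the search order concrete, here is a small Python model of the resolution logic described above. This is an added example, not code from the diary or from Microsoft: the application directory, the share path, the DLL names and the subset of KnownDLLs are all constructed for the illustration. It puts three cases side by side: a KnownDLL that is never searched for, a DLL that exists in system32 (which SafeDllSearchMode protects), and a DLL the application asks for that is absent from every trusted directory (which SafeDllSearchMode does not protect).

```python
"""Model of the Windows DLL search order for a LoadLibrary(name) call.

Added example, not code from the diary or from Microsoft. Directory names,
DLL names and the KnownDLLs subset below are constructed for illustration.
"""
import ntpath

# Constructed subset of the KnownDLLs list (the real one lives under
# HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}

SYSTEM32 = r"C:\Windows\system32"
SYSTEM16 = r"C:\Windows\system"     # the 16-bit system directory
WINDIR = r"C:\Windows"

# Constructed filesystem: directory -> files it contains.
FS = {
    r"C:\Program Files\Viewer": {"viewer.exe", "viewer.dll"},
    SYSTEM32: {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "dwmapi.dll"},
    SYSTEM16: set(),
    WINDIR: set(),
    r"\\evil-server\docs": {"report.doc", "dwmapi.dll", "helper.dll"},  # attacker's share
    r"C:\Tools": {"tool.exe"},
}

APP_DIR = r"C:\Program Files\Viewer"   # directory the application loaded from
SHARE = r"\\evil-server\docs"          # the user double-clicked report.doc here,
                                       # so this becomes the current directory
PATH_DIRS = [r"C:\Tools"]              # what is on PATH


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories in the order Windows consults them for a non-KnownDLL."""
    if safe_dll_search_mode:
        # Default since Windows XP SP2: current directory after the system dirs.
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        # Legacy order: current directory right behind the application dir.
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


def resolve_dir(dll_name, app_dir, cwd, path_dirs, fs=FS, safe_dll_search_mode=True):
    """Directory LoadLibrary(dll_name) would load from, or None if not found.

    KnownDLLs never go through the search; everything else takes the first
    directory in the search order that contains a file with that name.
    """
    wanted = dll_name.lower()
    if wanted in KNOWN_DLLS:
        return SYSTEM32
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        if wanted in {name.lower() for name in fs.get(directory, ())}:
            return directory
    return None


def is_hijacked(dll_name, app_dir, cwd, path_dirs, fs=FS, safe_dll_search_mode=True):
    """True when the DLL would be loaded from the directory the document was opened from."""
    found = resolve_dir(dll_name, app_dir, cwd, path_dirs, fs, safe_dll_search_mode)
    return found is not None and found.lower() == cwd.lower()


if __name__ == "__main__":
    for dll in ("kernel32.dll", "dwmapi.dll", "helper.dll"):
        for safe in (True, False):
            where = resolve_dir(dll, APP_DIR, SHARE, PATH_DIRS, safe_dll_search_mode=safe)
            full = ntpath.join(where, dll) if where else "<not found>"
            tag = "HIJACKED" if is_hijacked(dll, APP_DIR, SHARE, PATH_DIRS,
                                           safe_dll_search_mode=safe) else "ok"
            print(f"SafeDllSearchMode={safe!s:<5} {dll:<13} -> {full} [{tag}]")
```

With SafeDllSearchMode on, dwmapi.dll is taken from system32 and only helper.dll, which no trusted directory has, comes from the share; with it off, the share's dwmapi.dll beats the real one as well. That is the difference between the historical search-order bug and the problem in this diary: the only fix on the application side is to load DLLs by full path or to stop asking for DLLs that are not there.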
We will keep an eye on this and update the diary as we get more information.



--

Bojan
INFIGO IS

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google's decision to push Adobe Flash security fixes using Chrome's silent update service has yielded a seven-fold increase in patching speed, a Google software engineer said.
 
Both versions of the third-generation 'smaller, lighter, faster' Kindle e-reader begin shipping on Friday, but Amazon.com said orders placed today will not ship until on or before Sept. 17
 
Reader BRothrock is unsatisfied with the way folders are displayed in Snow Leopard's Dock. B writes:
 
Microsoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.
 
As predictive analytics emerge as a sought-after business tool, Symantec continues to gather data that it uses to both analyze and predict trends in Internet security. Just like predictive analytics provides valuable information allowing businesses to make smart decisions, Symantec's predictions are based on analysis and give businesses and individuals important information on the changing threat landscape that helps them make smart decisions. In order to offer the best information possible, Symantec reevaluates its yearly predictions halfway through the year. Here's a look at each prediction for 2010 and an evaluation of where it stands at the midyear mark.
 
All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term "Cyber war" seems to be on everyone's lips again. (Cue the theme music for "Groundhog Day" - again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.
 
Intel on Monday released a dual-core Atom N550 processor, which the company says will bring improved application and graphics performance to netbooks while retaining long battery life.
 
Hewlett-Packard today bid $1.6 billion for 3Par, just a week after Dell bid $1.15 billion for the storage vendor.
 
Until a few months ago, I fully expected Apple to announce Mac OS X 10.7 at this year's Worldwide Developer Conference. But it's now clear: iOS and the products it powers--the iPhone, iPod touch, and now the iPad--are the stars of Apple's software show.
 
Google said its Street View cars resumed their photography of French streets on Friday, annoying the French data protection authority, which launched an investigation into the privacy implications of the service earlier this year.
 
The proliferation of virtualization technologies is putting pressure on IT teams to start automating more processes. With little room in the budget for new products, it's critical that companies prioritize their investments.
 
Three years ago, I had never even held a touchscreen computer. Today I carry one everywhere I go. Apple changed the mobile phone industry with the launch of the iPhone, and appears to be creating a similar sensation with the iPad. Now it's doing everything it can to keep that momentum going, showering us with ads on television and elsewhere, singing the praises of their latest handheld, touch-driven devices.
 
Microsoft has fallen behind in the IT market's biggest growth areas: the Internet and mobile devices. The company could turn things around, but doing so will require some strong medicine.
 
Hewlett-Packard Monday bid $1.6 billion for 3Par, just a week after Dell bid $1.15 billion for the storage vendor
 
A security researcher who investigated electronic voting machines (EVM) used in Indian elections was arrested by police in Mumbai on Saturday. He is charged with stealing one of the machines, police sources said Monday.
 
Hewlett-Packard has offered to buy 3PAR, a vendor of virtualized storage systems, for $1.6 billion in cash, topping Dell's $1.15 billion bid.
 
 
Microsoft has known since at least February that dozens of Windows applications harbor bugs that hackers can exploit to seize control of computers, an academic researcher said.
 
User demand for increased smartphone performance should be somewhat satisfied early next year, when manufacturers are expected to release devices based on new dual-core processors.
 
As Hewlett-Packard looks for a new leader after the sudden departure of Mark Hurd, customers offer their thoughts about how the company should move ahead.
 
Smartphones, tablet PCs and the mobile Internet are on the verge of transforming health care delivery.
 
Things are messy, and if history is any guide, they will get even more messy, not less.
 
Patricia Calkins, vice president of environment, health, safety and sustainability at Xerox, sees the IT world evolving toward a more conscious effort to reduce waste, and to measure, track and provide feedback on green practices and behaviors.
 
A Verizon study of 2009 data breaches says hackers are increasingly exploiting configuration errors -- not the software holes that are plugged by vendor patches.
 
Cloud computing offers a speedy way to set up experimental testbeds to accelerate business innovation, according to a report by consulting firm PricewaterhouseCoopers.
 
A new survey indicates that many IT professionals, irked at their employers and growing more confident about the economy, are thinking about jumping to another company.
 
By the year 2020, says columnist Thornton May, the IT workforce will be drastically altered by cloud labor. Just as servers, storage and desktops have been virtualized, so too will the labor component of IT.
 
InfoSec News: Call for Papers: CPSRT 2010 - Due Date Extended to Sept. 5, 2010.

Posted by InfoSec News on Aug 23

Forwarded from: George Yee <gmyee (at) sce.carleton.ca>

CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)

INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)

In conjunction with 2nd IEEE International Conference on Cloud Computing
Technology and Science (CloudCom 2010), November 30 - December 3, 2010
Indiana University, USA, http://2010.cloudcom.org/

IMPORTANT DATES - EXTENDED!...

InfoSec News: Seymour police beef up computer security in wake of breach

Posted by InfoSec News on Aug 23

http://www.nhregister.com/articles/2010/08/20/news/valley/doc4c6df71ec18f0675112063.txt

By Lauren Garrison
Register Staff
newhavenregister.com
August 20, 2010

SEYMOUR -- The Board of Police Commissioners acted Thursday to secure
the Police Department’s computer system in the wake of an officer
breaching the e-mail accounts of fellow officers.

The board unanimously voted to spend about $3,000 on a Cisco firewall
for security purposes,...

InfoSec News: Inside the Russian Cyber-Underground

Posted by InfoSec News on Aug 23

http://www.eweek.com/c/a/Security/Inside-the-Russian-CyberUnderground-517933

By Brian Prince
eWEEK.com
2010-08-22

When people think of cyber-crime, the typical image being pushed today
is that of highly organized criminal operations. New research, however,
suggests the underbelly of cyber-space may be less mafia-like than some
think.

In an effort to improve the level of understanding of today's black
hats, security researchers Fyodor...

InfoSec News: Linux Advisory Watch: August 20th, 2010

Posted by InfoSec News on Aug 23

LinuxSecurity.com Linux Advisory Watch
August 20th, 2010 Volume 11, Number 34
Editorial Team: Dave Wreski <dwreski () linuxsecurity com>
Benjamin D. Thomas <bthomas () linuxsecurity...

InfoSec News: ICANN asks Demand Media for answers after report

Posted by InfoSec News on Aug 23

http://www.computerworld.com/s/article/9181278/ICANN_asks_Demand_Media_for_answers_after_report

By Robert McMillan
IDG News Service
August 20, 2010

The group responsible for managing the Internet's domain name system is
asking Demand Media's eNom division for answers following complaints
from Internet security groups.

ENom, the world's second-largest domain name registrar, came under fire
last week in a report from HostExploit, a...
 
VMware's vSphere 4.0 cloud operating system, which we tested last June, ushered in new methods to manage virtual machines on internal and external hosts. The 4.1 version, which shipped last month, delivers some much needed polish. Additions to the product include an updated vCenter Configuration Manager (formerly EMC's Ionix Application Stack Manager and Server Configuration Manager) as well as vCenter Application Discovery Manager (formerly EMC's Ionix Application Discovery Manager).
 
We tested vSphere 4.1 using HP DL580 (16 Intel cores) and HP DL585 G5 (16 AMD cores) servers, along with Dell 1950 servers (eight Intel cores, lots of memory), on a switched Gigabit Ethernet network that is in turn peered at 100Mbps, located at nFrame in Carmel, Indiana.
 
In our continuing series of groundbreaking tests of cloud computing services, we take a look at what enterprises can expect if they decide to entrust data to a cloud storage provider.
 
We discovered that there are some limitations to Rackspace CloudFiles. You can build large file objects, but they can't be larger than 5GB. There are no subdirectories, per se, but it's easy to build subdirectory translation into filenames, and the third party client software we used can simulate folders pretty simply.
 
Nirvanix's SDN was both highly flexible, and comparatively fast in our testing. Nirvanix allows access to the SDN via two methods, an API that supports SOAP or REST protocols over secure-HTTP, or one can directly mount partition(s) using their CloudNAS as a gateway.
 
Natively, the Amazon S3 storage system is surprisingly flexible, and can be used for the public/private cloud computing components mentioned above, as well as for Web apps, backups, temporary storage and file distribution, including distribution via BitTorrent.
 
The principal advantage of the Nasuni storage interface is its simplicity for network file system expansion: the cloud storage vendor's resources become extensions of the storage network infrastructure. Nasuni makes branch rollouts especially simple.
 
Egnyte's secret sauce is Web-based Distributed Authoring and Versioning or WebDAV, an HTTP extension developed by the IETF that allows computer users to edit and manage files collaboratively on remote Web-based machines.
 
We downloaded each vendor's software into our lab and network operations center. We used scripts running on a virtual Ubuntu 9.10 Server, hosted on ESX 4.0 at our NOC at n|Frame in Carmel, Ind., to test upload and download speeds on Nirvanix, Amazon S3, Rackspace Cloudfiles and Egnyte. We performed two sets of tests with multiple files uploaded and downloaded, first during the day, then at night. The second set was run from our Xserve running Mac OS X Server 10.5.8 using the same criteria (day and night uploads/downloads).
 
This beef is a trivial matter, I realize; virtually all e-mail etiquette issues are minor by definition. But every time I read that smarmy greeting my blood pressure ticks up just a notch, meaning that I am -- ever so briefly -- less well.
 

One of the most interesting challenges of working as Chief Information Security Officer at a utility company is the variety of infrastructure types that support the business processes. I refer here to the infrastructure behind the real-time management systems for generation, transmission and distribution of energy, and to the systems responsible for coordinating the pumping of water to individual households and industries.

Implementing an information security management system that covers this kind of critical infrastructure alongside the business processes raises a number of interesting challenges that the conventional security model for IT processes does not address:

Information security risks in the delivery of energy and water utility services can lead to disruption of both services for a large number of people in a country. If handling errors in SCADA equipment have been responsible for cascading effects that collapsed most of a country's electrical system, what happens if someone takes over an operator's identity in the energy SCADA system and performs tasks such as increasing the rotation speed of the generation turbines, raising the energy flow beyond the capacity of a transmission line, or simply shutting down the turbines of a power plant? Imagine the chaos that would plunge a country or region into.
What if the water tanks of a city begin to overflow their maximum level and the pressure bursts the pipes in the streets? Imagine scenarios like the following in every city: http://www.youtube.com/watch?v=kbz_zxsJCfg&feature=related
The cost of repairing the damage from any of the above scenarios is enormous. If we add the company's inability to earn money from generation, transmission and distribution of energy, how much time passes before the company ceases to exist?


SCADA systems have a very particular operating environment. Because they are real-time systems, monitoring data and the commands sent to the RTU must arrive in the shortest time possible, since an additional delay of even 10 ms can mean a massive blackout when the protections of a substation trip. Similarly, the suppliers of these systems tend to support them only in one specific configuration, which is usually not very secure and lacks basic security controls such as security patches, data encryption, authentication and non-default configurations.

The architecture for a SCADA system is as follows:



The components are:

Remote Terminal Unit (RTU): The RTU is the communication device of the SCADA system at the remote substation. It gathers data from field devices and holds it in memory until the MTU requests it. It also processes commands from the SCADA system, such as switching off a transmission line.
Master Terminal Unit (MTU): The MTU is the heart of a SCADA system and is located at the main monitoring center. The MTU initiates communication with the remote units and interfaces with the DAS and the HMI.
Data Acquisition System (DAS): The DAS gathers information from the MTU and generates and stores the alerts that need the operator's attention because they can impact the system.
Human Machine Interface (HMI): The HMI is the interface where the operator logs on to monitor the variables of the system. It gets its information from the DAS.


Because of this criticality, SCADA operators are reluctant to implement any type of information security control that could change the operating environment of the system. How do you implement a security scheme that does not interfere with the functionality the business process needs? We took the following items from the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to implement controls for an energy SCADA system:

Project 2008-06 Cyber Security Order 706

CIP-002-2 Critical Cyber Asset Identification
CIP-003-2 Security Management Controls
CIP-004-2 Personnel and Training
CIP-005-2 Electronic Security Perimeter(s)
CIP-006-2a Physical Security of Critical Cyber Assets
CIP-007-2 Systems Security Management
CIP-008-2 Incident Reporting and Response Planning
CIP-009-2 Recovery Plans for Critical Cyber Assets

For point number two (CIP-002, Critical Cyber Asset Identification), we took the same table we use to classify information assets for the corporate information security management system and applied it to the energy processes. Each consequence level carries a value and three criteria, one per security property:

Consequence: Catastrophic (value 5)
a) Generates loss of confidentiality of information that can be useful for individuals, competitors or other internal or external parties, with non-recoverable effect for the company.
b) Generates loss of integrity of information, internally or externally, with non-recoverable effect for the company.
c) Generates loss of availability of information with non-recoverable effect for the company.

Consequence: Higher (value 4)
a) Generates loss of confidentiality of information that can be useful for individuals, competitors or other internal or external parties, with mitigated or recoverable effects in the long term.
b) Generates loss of integrity of information, internally or externally, with mitigated or recoverable effects in the long term.
c) Generates loss of availability of information with mitigated or recoverable effects in the long term.

Consequence: Moderate (value 3)
a) Generates loss of confidentiality of information that can be useful for individuals, competitors or other internal or external parties, with mitigated or recoverable effects in the medium term.
b) Generates loss of integrity of information, internally or externally, with mitigated or recoverable effects in the medium term.
c) Generates loss of availability of information with mitigated or recoverable effects in the medium term.

Consequence: Minor (value 2)
a) Generates loss of confidentiality of information that can be useful for individuals, competitors or other internal or external parties, with mitigated or recoverable effects in the short term.
b) Generates loss of integrity of information, internally or externally, with mitigated or recoverable effects in the short term.
c) Generates loss of availability of information with mitigated or recoverable effects in the short term.

Consequence: Insignificant (value 1)
a) Generates loss of confidentiality of information that is not useful for individuals, competitors or other internal or external parties.
b) Generates loss of integrity of information, internally or externally, with no effects for the company.
c) Generates loss of availability of information with no effects for the company.


From the previous table, we assigned the controls to implement in order to ensure the security level required for each asset. For points 3 and 4 (CIP-003 and CIP-004) we adopted all definitions from the corporate Information Security Management System. See all the required controls here: http://www.nerc.com/files/CIP-003-1.pdf and http://www.nerc.com/files/CIP-004-2.pdf.

The biggest issue here was authentication and clear-text traffic. Many devices in our SCADA system did not support authentication, and information was sent over cleartext protocols. Every time we tried to introduce a VPN or layer-2 encryption devices, network latency increased and functions of the system degraded, which is why we had to remove those controls. When we asked our vendor for those controls as native functions of the system, we received a request to purchase the next version of the SCADA system.

The corporate antivirus did not work because it consumed all the resources of the DAS and the HMI. The same happened with the host IPS. The solution we found was the SolidCore S3 product (http://www.solidcore.com/products/s3-control.html), an application whitelisting tool: it was non-intrusive, did not add extra layers or virtual devices to the operating system, and handled the zero-day problem very well.

For configuration changes, we established a weekly maintenance window in which the SCADA service was stopped for three hours and operation switched to contingency mode, so that the IT operators could scan for viruses, install security patches and modify security baselines. If a change was not successful and the system degraded, the changes were rolled back and tried again the following week. This was not an easy task, because the vendor would not support us and we had to learn a lot about how the system components worked.

For point 5 (CIP-005), we redesigned the SCADA network so that critical traffic would not mix with other types of traffic. For wireless devices, we managed to implement 802.1X authentication. We divided the SCADA network into the following perimeters:



A Cisco Firewall Services Module inside a Catalyst 6509 with VSS supervisors (VS-6509E-S720-10G) gave us the required bandwidth, and no disruptions occurred in the SCADA environment. It also has an IPS module (IDSM-2) that sends its alerts, along with the firewall logs, to our RSA enVision correlator.

For point 6 (CIP-006), the whole site has armored doors, CCTV, biometric authentication and security guards patrolling the physical perimeter.

We are now able to manage the security controls inside both the corporate IT network and the SCADA systems. I know I still have many things to do to achieve the other NERC points, but it will be an interesting and challenging goal.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Jhaddix wrote an interesting blog post showing some Firefox add-ons that can be used for penetration testing. The ones I like most are FoxyProxy (for browsing through Tor), Wappalyzer (to identify the content management system), Add N Edit Cookies (to inspect and edit cookies) and SQL Inject Me (for SQL injection testing).
Please read the article at http://www.securityaegis.com/hacking-with-your-browser/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
