
InfoSec News

CSO contributor Bob Violino recently interviewed Rosie Rivel, senior manager of IT global risk and compliance at Kelly, regarding risk and the cloud.
 

Chinese consult with Australian online expert on e-Commerce Information Security
PRWire
The Chinese officials contacted the company to learn more about the Australian Information Security Industry and Exa's experience in Infosec audits. Exa's Managing Director Peter Ball said the hour-long meeting allowed him to express Exa's commitment ...

 
Yahoo has started beta testing a search feature that displays answers to queries and links to websites on the fly as people type their queries.
 
High-tech companies in Japan are slowly starting to get some of their manufacturing plants up and running after a massive 9.0-magnitude earthquake and subsequent tsunami hammered the country nearly two weeks ago.
 
RETIRED: libTIFF TIFF Image 'StripByteCounts' Field Stack Buffer Overflow Vulnerability
 
Smartphone apps that locate drunk-driving traps may help police, defenders say.
 
Research in Motion said Wednesday that it would comply with a request made by four U.S. senators and will pull BlackBerry apps that alert drivers of police drunk-driving checkpoints.
 
The relative inability of MySQL database technology to handle large data sets is pushing companies to consider so-called NoSQL alternatives for their 'big data' analytics requirements. One company that's hoping to stem that tide is Tokutek.
 
Metrico tested six "4G" phones from T-Mobile and Sprint and found that in a mobile scenario Sprint's HTC EVO Shift had the best data download speed of all the devices, delivering nearly 6 Mbit/sec.
 
Progea Movicon 'TCPUploadServer.exe' Security Bypass Vulnerability
 
7T Interactive Graphical SCADA System Malformed Packet Remote Memory Corruption Vulnerability
 
The security giant is expanding into the database security market, announcing its intention to acquire Sentrigo. The terms of the deal were not released.

 
A breach at a registration authority caused Comodo to issue nine fraudulent certificates, enabling an attacker to impersonate some major websites and servers.

 
LinkedIn this week announced that its membership list passed the 100 million mark as it continues working toward an initial public offering.
 
Hewlett-Packard shareholders on Wednesday reelected all 13 directors to serve on the company's board for the next year, ending controversy surrounding CEO Leo Apotheker's alleged role in identifying potential nominees.
 
Tokutek offers an alternative MySQL storage engine for on-the-fly schema changes.
 
CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files
 

7 communication mistakes CSOs still make
Network World
CSO spoke with three infosec veterans to learn what effective communication looks like in an organization where security lives in harmony with the rest of the company. Here they tell us what NOT to do if you want to get everyone on board with what ...

 

Useful IT. Bringing Health Record Transfer into the 21st Century.
SYS-CON Media (press release) (blog)
... a centralized location for records is a big screaming target from many people's perspectives, while it is a potentially life-saving technological advancement to others (they're both right, but I think the infosec crowd has the stronger argument). ...

 
Re: Vulnerabilities in some SCADA server softwares
 
Re: Vulnerabilities in some SCADA server softwares
 
Re: Vulnerabilities in some SCADA server softwares
 
Re: Vulnerabilities in some SCADA server softwares
 
Iran may have been involved in an attack that resulted in hackers acquiring bogus digital certificates for some of the Web's biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo, a certificate-issuing firm said.
 
Two-thirds of businesses don't reap the desired range of benefits from enterprise collaboration tools, according to a Forrester Research report. Here are four pieces of expert advice on how to drive adoption and capture greater results.
 
At the Pepcom Mobile Focus event at CTIA Wireless 2011, Matt Hamblen gets a closer look at Samsung's new Galaxy Tab 10.1 tablet, which has a 10.1-inch display and weighs 1.3 pounds.
 
At CTIA 2011, Keith Shaw gets an overview of Kyocera's new Echo smart phone, a dual-display Android smartphone that will be available for Sprint customers on April 17. The two screens allow for easier multi-tasking and optimized apps.
 
I'm still poking and prodding Firefox 4, which made its official debut just yesterday. So far, I like what I see--but a few interface quirks are driving me nuts.
 
ZDI-11-112: (0 day) Hewlett-Packard Data Protector Media Operations DBServer.exe Remote Code Execution Vulnerability
 
Re: Vulnerabilities in some SCADA server softwares
 
Finally Comodo spoke up to let us know more about the certificate issue we have been covering this morning with Firefox and Microsoft releasing certificate black list updates. [1]
Comodo states that none of the keys and signing/intermediate CAs were compromised. Instead, systems at an affiliate were compromised to trick the affiliate into signing fraudulent certificates. The attacker obtained a username and password to log into the partner's systems, and was thus able to issue the fraudulent certificates.
According to Comodo, the breach was discovered quickly and they are pretty sure that the attacker only issued the now blacklisted certificates.

[1] http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Father Tom Gillespie (a father, not a Father) seeks advice to help his son. He writes:
 
The European Commissioner in charge of Europe’s digital program has put interoperability and standards at the forefront of the cloud computing agenda.
 
Dell on Wednesday said it will start reaching out directly to affected customers to replace motherboards in PCs with Intel's flawed Sandy Bridge chipset.
 
Motorola Mobility has signed an agreement to acquire Dreampark, a Swedish IPTV software provider.
 
Microsoft on Wednesday rolled out updates to its Bing for Mobile browser service, including real-time public transportation updates for select cities and the inclusion of apps in results when searching on the iPhone.
 
It's been a little hard of late to find references to SOA (service-oriented architecture), the buzz-phrase that once saturated the IT industry but in recent years has succumbed to "cloud computing." But SOA remains alive and relevant, according to a new Forrester Research report.
 
RE: Vulnerabilities in some SCADA server softwares
 
Re: Vulnerabilities in some SCADA server softwares
 
Re: Buffer overflow in libtiff in Imagemagick
 
[ MDVSA-2011:053 ] php
 
Update: Looks like the update is marked important, but will not install automatically. You may have to run Windows Update to install it.
Update 2: And Comodo just published an advisory: http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

Also note that this is still the same issue we talked about this morning with respect to Firefox 4.

Microsoft just released an advisory [1] alerting its customers that a total of 9 certificates were issued using the leaked/stolen CA certificate from Comodo.
The affected domains, according to Microsoft, are:

login.live.com
mail.google.com
www.google.com
login.yahoo.com (3 certificates)
login.skype.com
addons.mozilla.org (already known from an earlier announcement by Mozilla)
Global Trustee

The advisory states that Comodo has revoked these certificates and listed them in its revocation list. Microsoft also is releasing an update that will blacklist these certificates.
Of course, this issue is serious, not just considering the household brand names affected. Probably even worse than the possible man-in-the-middle attacks that may have happened is the simple fact that this fundamentally breaks the trust model of SSL. SSL uses a trust pyramid: a few certificate authorities are trusted to issue certificates to entities they trust. Of course this trust should be based on some kind of verification and the ability to secure the private key that goes with the root certificates and the signing certificates based on it. This event more and more looks like the trust pyramid was really more a stinking pile of doo. No surprise given the rush to no-paperwork-required bargain-basement certs. I recently started using free certs from startssl.com just for that reason: at least startssl doesn't charge me for not verifying who I am.
In short: Patch... and hope you will be ok until the next time this happens. It would be nice if Comodo would come forward with details. It was probably the APT Monster that ate it.
[1] http://www.microsoft.com/technet/security/advisory/2524375.mspx
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
IBM introduces a new pre-engineered technology services model
 
Firefox 4 was downloaded some 7 million times during its opening day, nearly triple the first-day downloads of Internet Explorer 9 last week.
 
PHP Stream Component Remote Denial of Service Vulnerability
 
PHP 'Zip' Extension 'zip_fread()' Function Denial of Service Vulnerability
 
PHP 'OpenSSL' Extension Multiple Denial of Service Vulnerabilities
 
While embedded service processors are "free" in servers from major suppliers, in reality they have hidden costs.
 
Panasonic and NEC on Wednesday restarted production at some factories that had been halted after a major earthquake hit eastern Japan on March 11.
 
Intel's McAfee unit is the latest major security vendor to move to buy a maker of tools to protect databases.
 
Done wrong, cloud software projects can subject you to all the pitfalls of traditional software projects. Consider these three no-no's carefully.
 
HP OpenView Network Node Manager 'OvJavaLocale' Cookie Value Remote Code Execution Vulnerability
 
Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability
 
XSS in Oracle default fcgi-bin/echo
 
ZDI-11-110: (0day) IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability
 
[SECURITY] [DSA 2198-1] tex-common security update
 
HP OpenView Network Node Manager 'execvp_nc()' Code Execution Vulnerability
 
On the heels of yesterday's Firefox 4 release, today we got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.
This wouldn't be worth a full diary (usually we just publish a one liner) if it wouldn't be for one interesting change: Mozilla decided to add some new blacklisted SSL certificates.
SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out that a certificate was signed by mistake, they may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check if the certificate is listed as revoked.
However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (same feature exists in Chrome) lists a small number of certificates that the browser will not trust.
The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for addons.mozilla.org, the site used for Firefox plugins, was created using the compromised CA.

[1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
Also see:
https://github.com/ioerror/crlwatch#readme

https://www.eff.org/observatory

http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
High Tech Computer named its first chief content officer this week.
 
SAP is hoping to cement its foothold in the growing market for governance, risk and compliance software with a new suite, announced Wednesday, that is nearly three years in the making.
 
Unisys is packaging existing and new consulting and management services aimed at helping enterprises better manage cloud implementations.
 
Vendors of network management tools are finding new ways to reduce mobile data bottlenecks.
 
Indian users are disappointed that Apple is delaying the launch of the iPad 2 in the country.
 
Standards, tools, platforms, prewritten components and services are available to help make semantic deployments less time-consuming, less technically complex and (somewhat) less costly.
 
Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid, and in which the browser, more than the server, is the victim.
These attacks (Cross Site Scripting (XSS), redirects from HTTPS to HTTP pages, and clickjacking) use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server-centric attacks like SQL injection, where the attacker is in full control of the client.
XSS and Content Security Policy (CSP)
We have seen a couple of prior attempts to assist browsers in detecting XSS attacks. All of these attempts (the NoScript plugin or the IE 8 X-XSS-Protection: header) had the same problem: they had no idea what kind of script to expect on a particular page. In some cases, they could prevent reflected XSS just by comparing strings sent by the browser to strings being returned by the server. Neither NoScript nor IE 8 did a sufficient job in preventing XSS, and many users or web developers turned it off due to high false positive rates.
CSP takes a different approach: it uses server headers to tell the browser what kind of content to expect. That way, the browser can make a more intelligent decision as to how to block content that does not match the policy communicated by the server. I will probably discuss this feature in more detail in the future, but if you are interested, last month's Monthly Threat Update webcast covered the main points. [1]
One CSP feature I would like to point out: The server may communicate as part of its policy a Report-URI which the browser can use to report any violations of the CSP. This is not only great to detect attacks, but even more so to detect legitimate features on your site that are not sufficiently covered by your policy.
If you would like to experiment: Just add ?csp=Y to any isc.sans.edu URL. It will enable our test CSP. Right now, it is not very restrictive as I am still refining some of our content. We do also have a little CSP test page at http://isc.sans.edu/tools/csptest.html which highlights some of the features.
Strict-Transport-Security
Another neat feature that tells the browser more about how to connect to a given site. If the Strict-Transport-Security header is set, the browser will refuse any attempt to connect to the site via HTTP. The threat model here is that an attacker will inject a redirect to the HTTP version of the site while the user is browsing a non-HTTPS site (any site, not just the target). This could lead to the disclosure of confidential information like authentication cookies. Sure, this attack can be mitigated in part by setting the secure option of your session cookie. But it may not be so easy if the injection of the redirect happens during the login process.
This header has two parameters: a max-age indicating for how long this rule should be obeyed, and an includeSubDomains parameter that extends the rule to all subdomains. This header should be used on all HTTPS-only sites.
Other changes
A few other changes:
- X-FRAME-OPTIONS Header: it can be used to prevent a site from being included in a frame. This option exists in other browsers as well (IE, Safari, Chrome). Some of the recent 3.6 versions of Firefox already included it and NoScript implemented it. CSP implements a more fine grained restriction on framing.
- User-Agent Header: Firefox 4 uses a less verbose user agent header, which makes it a bit harder to track users.
- Do-Not-Track Features: More about this later. It does signal sites if you don't want to be tracked.
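To make the Strict-Transport-Security semantics above concrete, here is a small added example (not code from the diary or from Mozilla) that parses the header's max-age and includeSubDomains directives, models the browser-side cache that decides when a plain-HTTP request must be refused, and shows the HTTPS-only response headers a site would send, including a CSP report-uri. The class and function names are hypothetical; the CSP value uses the standardised Content-Security-Policy syntax rather than the draft dialect Firefox 4 shipped.

```python
import time
from urllib.parse import urlparse


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directive names are case-insensitive; max-age is mandatory, so a header
    without it is malformed and should be ignored by the caller.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        raise ValueError("Strict-Transport-Security requires a non-negative max-age")
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store (hypothetical, for illustration)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.entries = {}       # host -> (expiry timestamp, include_subdomains)

    def observe(self, url, header):
        """Learn a policy from a response. Returns True if a policy was stored.

        The header is honoured only over HTTPS: a policy seen over plain HTTP
        could have been injected by the very attacker HSTS defends against.
        """
        u = urlparse(url)
        if u.scheme != "https" or not u.hostname:
            return False
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:        # max-age=0 tells the browser to forget the host
            self.entries.pop(u.hostname.lower(), None)
            return False
        self.entries[u.hostname.lower()] = (self.now() + max_age, include_sub)
        return True

    def must_use_https(self, url):
        """True if the browser must refuse (or upgrade) a plain-HTTP request."""
        host = (urlparse(url).hostname or "").lower()
        labels = host.split(".")
        # Walk from the exact host up through its parents; a parent's entry
        # applies to this host only if it was stored with includeSubDomains.
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                continue        # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False


def secure_headers(report_uri):
    """Response headers for an HTTPS-only site combining the features above.
    Firefox 4 shipped the CSP draft as X-Content-Security-Policy (assumption:
    a site of that era would send both names)."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; report-uri " + report_uri,
        "X-Frame-Options": "DENY",
    }
```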
[1] https://www.sans.org/webcasts/isc-threat-update-20110308-94078

[2] https://developer.mozilla.org/en/Firefox_4_for_developers#Security
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter: johullrich (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
InfoSec News: Nasdaq Hasn't Lost Any Clients Because Of Hacking - Executive: http://online.wsj.com/article/BT-CO-20110322-714075.html
By Kristina Peterson DOW JONES NEWSWIRES MARCH 22, 2011
NEW YORK (Dow Jones) -- Nasdaq OMX Group Inc. (NDAQ) hasn't lost any clients at its corporate-communications service because of last month's [...]
 
InfoSec News: USENIX LEET '11 in Two Weeks: Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>
I'm writing to remind you that the 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '11) is just a week away. There's still time! Register today and join us in Boston, MA, on March 29, 2011. [...]
 
InfoSec News: RSA hack -- a lesson in how not to handle a PR disaster!: http://eskenzi.wordpress.com/2011/03/21/rsa-hack-%E2%80%93-a-lesson-in-how-not-to-handle-a-pr-disaster/
By yvonneeskenzi March 21, 2011
I’ve been doing PR for the IT security industry for 16 years and there has never been such a major breach to an IT security vendor, as the one [...]
 
InfoSec News: Facebook traffic mysteriously passes through Chinese ISP: http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/
By Dan Goodin in San Francisco The Register 23rd March 2011
For a short time on Tuesday, internet traffic sent between Facebook and subscribers to AT&T's internet service passed through hardware belonging [...]
 
InfoSec News: SecurID Customers Advised To Prepare For Worst Case: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229301337
By Mathew J. Schwartz InformationWeek March 22, 2011
How serious is the security threat posed by the theft of inside information about SecurID, the two-factor authentication system sold by [...]
 
Geolocation, Web Workers, History manipulation, iFrame sandboxes, and other HTML5 specs laying the groundwork for a safer and smarter Web
 
A U.S. president, especially if they win reelection, will have a much better chance of staying in the same job longer than many CIOs, new survey data suggests.
 
Apple Mac OS X Libinfo Denial of Service Vulnerability
 
Oracle on Tuesday became the latest software maker to say it will stop developing applications for Intel Itanium microprocessors, following a similar announcement by Microsoft last year and Red Hat the year before.
 

Posted by InfoSec News on Mar 23

http://eskenzi.wordpress.com/2011/03/21/rsa-hack-%E2%80%93-a-lesson-in-how-not-to-handle-a-pr-disaster/

By yvonneeskenzi
March 21, 2011

I’ve been doing PR for the IT security industry for 16 years and there
has never been such a major breach to an IT security vendor, as the one
to hit RSA on Friday. And rarely has a PR disaster been dealt with so
badly. From where I’m sitting, resellers, distributors, customers as
well as bloggers,...
 

Posted by InfoSec News on Mar 23

http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/

By Dan Goodin in San Francisco
The Register
23rd March 2011

For a short time on Tuesday, internet traffic sent between Facebook and
subscribers to AT&T's internet service passed through hardware belonging
to the state-owned China Telecom before reaching its final destination,
a security researcher said.

An innocent routing error is the most likely explanation for...
 

Posted by InfoSec News on Mar 23

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229301337

By Mathew J. Schwartz
InformationWeek
March 22, 2011

How serious is the security threat posed by the theft of inside
information about SecurID, the two-factor authentication system sold by
EMC division RSA? "It is important enough that it required an official
note to the stock markets," said Martin Kuppinger, founder and principal
analyst...
 

Posted by InfoSec News on Mar 23

http://online.wsj.com/article/BT-CO-20110322-714075.html

By Kristina Peterson
DOW JONES NEWSWIRES
MARCH 22, 2011

NEW YORK (Dow Jones) -- Nasdaq OMX Group Inc. (NDAQ) hasn't lost any
clients at its corporate-communications service because of last month's
disclosure that its systems were hacked in the past year, a company
official said Tuesday.

The February divulgence that hackers had breached Nasdaq's Directors
Desk service hasn't...
 

Posted by InfoSec News on Mar 23

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

I'm writing to remind you that the 4th USENIX Workshop on Large-Scale
Exploits and Emergent Threats (LEET '11) is just a week away. There's
still time! Register today and join us in Boston, MA, on March 29, 2011.
Now in its fourth year, LEET continues to be a unique and leading forum
for the discussion of threats to the confidentiality of our data, the
integrity of digital...
 

