Nessus 'mi_malware_scan.nbin' Plugin Local Privilege Escalation Vulnerability
Attorneys say they're making progress toward a possible settlement in Silicon Valley's employee poaching case, in which Google, Apple and other companies are accused of conspiring not to hire employees from other tech giants.

The United States Department of Justice wants to broaden its ability to hack criminal suspects’ computers according to a new legal proposal that was first published by the Wall Street Journal on Thursday.

If passed as currently drafted, federal authorities would gain an expanded ability to conduct “remote access” under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts. In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction.

The 402-page document entitled “Advisory Committee on Criminal Rules" is scheduled to be discussed at an upcoming Department of Justice (DOJ) meeting next month in New Orleans.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC user Craig Cox wrote in to alert us to a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net hosts a realistic-looking Apple login page, and links to it are being sent out by email.

The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials.

Upon submitting what it considers valid credentials, you're redirected to the /?2 page of the site which contains another form which appears to be Apple's site:

At this stage the site is collecting personal details about the account holder which may aid the attackers in making changes to the account or stealing the victim's identity. After submitting that personal information, the victim is asked for credit card details:

Only after supplying a valid Visa, Mastercard, American Express or Discover card number are you forwarded to the /?3 "Success" page.

Finally, after just a couple of seconds on this page (before you have a chance to click one of the links, which are actually part of a screenshot image of the real Apple site and are not functional) you are redirected to the real apple.com. At this point the attacker has obtained all the information needed to exploit the victim, and the victim has no idea anything happened. Clever!

Technical Analysis

We're able to observe or infer several things through a quick analysis.

First of all, we can observe that the site is running on PHP:

	Set-Cookie: PHPSESSID=4b2be321acb0eac806780b7cd3ae1ba8;

In the phishing emails, they have /e=6256734589233312746396443f323368 appended to the URL. It's not clear what this parameter does, and may just be some form of tracking identifier. (If you have better ideas as to what this might be, please share in the comments.)

We can also see that the site is hosted by Lycos with a domain registered just a day ago via Tucows.

Looking at the front-end of the site, we can see that the phishers didn't actually replicate the full HTML/CSS page but rather overlaid HTML forms on screenshots of the real apple.com. This is how they manage to mimic the appearance of the target site so accurately without spending much effort on front-end development. The background screenshot of apple.com used on their main page can be seen at http://www.appleidconfirm.net/img/main.png

Lastly, we can see that the site is not using HTTPS. This is a key differentiator from the true apple.com login page which does utilize HTTPS. Yet another reason to pay close attention to the URL bar in your browser.


Obviously it's not very difficult to craft a successful phishing campaign, but from a technological standpoint it's difficult to thwart one. So, what can we do? We should invest in awareness through education. That means reconsidering the amount of time and budget you set aside to train less-technical staff about phishing and social engineering. Informally, it may be time to sit down with that friend or family member who keeps sending you ads for weight loss because they have fallen victim to the latest phish. Knowledge is power.

Finally, when you see a phish in progress take the time to write a few abuse emails to the relevant providers. (and forward the phish to us!)

A pair of robotic legs will be heading to the International Space Station.
Along with Office on the iPad, Microsoft Thursday released a comprehensive Enterprise Mobility Suite for managing and securing mobile devices, mobile applications and user identity and access -- all from the cloud.

Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.

The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The hacking vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password "Miracast."

Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged into the Philips Smart TV. More troubling, connected devices can steal the highly sensitive browser cookies that many websites rely on to authenticate users when they access their private accounts.

Industry efforts to shore up payment card security after the massive data breach at Target appear to be devolving into a battle over chip vs. PIN technology between retailers and credit card companies.
As expected, Microsoft CEO Satya Nadella today hosted a press conference where the company unveiled Office for iPad, breaking with its past practice of protecting Windows by first launching software on its own operating system.
Lenovo is recalling certain ThinkPad battery packs that could be a fire hazard due to overheating, which could ultimately also lead to computer damage.
Five IT and equipment companies have formed a group to drive standards for the so-called Internet of Things, a network that would feed data back and forth between computers and all kinds of industrial gear.
The Turkish government has followed through on a threat to block YouTube from within its borders.
Email, social media, texts. Today's business and project managers have more electronic distractions than ever. So how can busy managers successfully navigate the electronic jungle? Organization and productivity experts share their top tips for beating information overload.
JBoss RichFaces 'PushHandlerFilter.java' Remote Denial of Service Vulnerability
The $160 price for U.K. carrier EE's smartphone Kestrel without a contract gives a glimpse of a future with low-cost LTE devices, and is also an aggressive move by Qualcomm as competition in the chipset sector increases.
Facebook has joined a number of other Internet services heavyweights, such as Google and LinkedIn, to better equip the MySQL relational database management system for large- scale work.
What IDC deems the third platform of computing -- social, mobile, cloud and big data -- is transforming IT much faster than the first (mainframe) or second (client/server) platforms ever did. This has tremendous implications for the IT industry, yes, but also for anyone doing business in today's world.
Intel is investing in distributed computing software company Cloudera as it looks to tune more software to its x86 processors.
As expected, Microsoft today announced Office for the iPad at a press event in San Francisco led by CEO Satya Nadella.

One of the best ways to create a random yet memorable password is to use "Diceware." This involves literally rolling dice and matching the resulting numbers to a list containing 7,776 English words, each identified by a five-digit number. Five Diceware words has long been thought to provide enough security for the average user.

A five-word Diceware password could be something like "boseenricoglennlardheath" or "mastkeithhaagquirttulip." But five words is no longer enough, Diceware creator Arnold Reinhold wrote earlier this month. Since creating Diceware in 1995, Reinhold had recommended at least six random words for people "with more stringent requirements and where the passphrase was being used directly to form a cryptographic key," but for average users he had said that five would do.

Now, for average users he recommends "a passphrase with six Diceware words, or five words with one extra character chosen and placed at random."


When writing web applications, PHP developers often find themselves repeatedly calling the htmlentities function or the htmlspecialchars function. These encode the special characters of a string as HTML entities, ensuring that the output is rendered by the browser as text rather than interpreted as markup or script.

The problem with this is a human one. Humans do make mistakes, and even those well aware of the consequences and solutions will eventually suffer from an oversight that results in an XSS vulnerability. How can we limit the possibility of creating vulnerabilities in such a situation?

We’ve seen a very fair share of approaches to mitigating XSS in PHP but one in particular seems to fly under the radar. PHP has a couple of configuration directives in php.ini which will automagically filter input by various sanitization and/or validation flags of your choosing. So, can we make it work like htmlentities? Yes!

In your (recent) default php.ini file you will find the following:

	; http://php.net/filter.default
	;filter.default = unsafe_raw
	; http://php.net/filter.default-flags
	;filter.default_flags =

Modify these as follows:

	; http://php.net/filter.default
	filter.default = full_special_chars
	; http://php.net/filter.default-flags
	filter.default_flags = 0

This will encode all $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER values. (The original data can be accessed through the filter_input() function.)

Example In Action

As a quick proof of concept I built a simple login form that does no sanitization or encoding. The first (Username) field is pre-filled with the data you submitted if an error occurs, such as not providing any password. To exploit the first form field, I entered "><script>alert("XSS");</script> with no password at all.

Without the php.ini configuration changes:

The input data is parsed by the browser as code and the JavaScript alert is displayed, thereby proving the presence of an XSS vulnerability.

Now, with the php.ini configuration changes:

The input data is safely output into the form field as content instead of code, thereby mitigating the XSS vulnerability.

Common Questions

  • Do I still need to perform output encoding in my application?
    Yes. This approach will handle a large portion of the repetitive cases, but some necessity for output encoding will remain. A simple example would be the importance of using the urlencode function upon outputting a URL which contains user input.
  • What about JSON/JavaScript output?
    Any input you place into JSON or JavaScript from PHP’s superglobals would still be encoded.
  • Does this work for distributable web apps that run in shared hosting environments?
    This approach may not always be feasible in shared environments due to the potentially limited access to php.ini directives. If you’re building distributable web apps which support running in shared environments, it is not safe to rely on this approach. However, if you’re working in an environment with a custom PHP back-end running on a dedicated server(s) this approach may be your best bet.
  • Won’t this result in double encoding?
    Yes, quite possibly. That said, double encoding is far lower risk and more easily identifiable than XSS vulnerabilities.
  • How can I check that the directives are properly set before outputting anything from my application?
    The following code will check that the php.ini settings are in place as expected and discontinue execution with a relevant error otherwise. It should be placed at the beginning of your application before any other code is executed.
        if (ini_get('filter.default') !== 'full_special_chars' || (string) ini_get('filter.default_flags') !== '0')
            die('Missing and/or incorrect filter.default and/or filter.default_flags directives in php.ini');
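The following script is an added example, not code from the ISC diary; it reproduces from the command line what the filter.default = full_special_chars directive does to a superglobal value and then walks through the two caveats from the questions above (double encoding and URL context). Because filter.default is a PHP_INI_PERDIR setting it cannot be switched on with ini_set() at runtime, so the example applies the same filter explicitly via filter_var() with FILTER_SANITIZE_FULL_SPECIAL_CHARS, which is the filter_var constant that the ini value full_special_chars names. The function names, the login-form template and the payload value are constructed for the example.

```php
<?php
// Added example (not from the ISC diary): emulates filter.default = full_special_chars
// on one constructed value and shows the double-encoding and URL-context caveats.
declare(strict_types=1);

/**
 * What the engine does to every $_GET/$_POST/$_COOKIE/$_REQUEST/$_SERVER value
 * when filter.default = full_special_chars and filter.default_flags = 0.
 * Applied explicitly here so the script runs from the CLI without a request.
 */
function applyDefaultFilter(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

/** The diary's vulnerable pattern: input interpolated straight into an attribute value. */
function renderUsernameField(string $value): string
{
    return '<input type="text" name="username" value="' . $value . '">';
}

/**
 * Output encoding that tolerates an already-encoded value: double_encode = false
 * leaves existing entities alone, so a superglobal that php.ini already filtered
 * is not turned into &amp;... a second time.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

/**
 * URL context: HTML entities are the wrong encoding here, so percent-encode the
 * raw value. In a real request the raw value comes from
 * filter_input(INPUT_POST, 'username', FILTER_UNSAFE_RAW), as the diary notes.
 */
function buildRetryLink(string $rawUsername): string
{
    return '/login?username=' . urlencode($rawUsername);
}

// Constructed payload, the same one the diary submitted to its test form.
$payload = '"><script>alert("XSS");</script>';

// 1. Without the directive: the quote closes the attribute and the script tag is live.
echo "Unfiltered:      ", renderUsernameField($payload), PHP_EOL;

// 2. With the directive: the value is already entity-encoded when the template sees it,
//    so the identical template now emits it as text inside the attribute.
$filtered = applyDefaultFilter($payload);
echo "Filtered:        ", renderUsernameField($filtered), PHP_EOL;

// 3. Re-encoding the filtered value with htmlspecialchars() default settings would
//    double-encode; with double_encode = false the output equals the filtered input.
echo "Re-encoded:      ", encodeForHtml($filtered), PHP_EOL;
echo "Double-encoded?  ", (encodeForHtml($filtered) === $filtered ? 'no' : 'yes'), PHP_EOL;

// 4. The same value in a URL needs urlencode() on the raw form, not the entity form.
echo "Retry link:      ", buildRetryLink($payload), PHP_EOL;
```

Run it with `php example.php`; the second line shows the attribute still closed by a literal quote only in the unfiltered case. Step 3 is the practical answer to the double-encoding question: pass `false` as the fourth argument of htmlspecialchars() at the output layer when the input layer has already been filtered, and step 4 is the reason the urlencode question remains relevant even with the directive in place.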

Not a Replacement for Defense in Depth

While this approach can simplify output encoding and limit the risk of developer oversight, it should not be considered an end-all solution. You may have input data sources in your application other than PHP's superglobals; the results of a SQL query or a cURL request, for example, should still be treated as potentially malicious. Finally, you should continue performing penetration testing and code reviews to catch that inevitable XSS vulnerability before an attacker does.

Kaspersky and McAfee shun Infosec silverback contest
Neither McAfee nor Kaspersky will have stands at the annual chest-beating contest that is Infosec this year, as the two industry giants look to splash their marketing moolah in a more targeted manner. Taking place from 29 to 31 April at Earls Court ...

Cisco Systems released security updates for its IOS software used on routers, switches and other networking gear in order to fix seven vulnerabilities that could be exploited by attackers to impact the performance of affected devices or force them to reboot.
LinuxSecurity.com: PlRPC uses Storable which allows for code execution prior to Authentication
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Samba did not properly enforce the password guessing protection mechanism.
LinuxSecurity.com: A vulnerability in grep could result in execution of arbitrary code or Denial of Service.
Although rumors have pegged today as the day when Microsoft will announce a long-awaited Office for iPad, some remain skeptical that the company will actually pull the trigger.
The cornerstone of CRM systems (and any sales or service transaction) is interaction between your people and your customers. But more people records in the system isn't necessarily better, as many data quality problems in CRM are caused by the cacophony of too many contacts.
Google Chrome 'Clipboard::WriteData()' function Security Bypass Vulnerability
OpenSSH Certificate Validation Security Bypass Vulnerability
Microsoft had no choice but to bite the bullet and take the inevitable public relations backlash stemming from last week's disclosure that it accessed a customer's Hotmail account, an expert in corporate messaging and public relations said.
A recent report from Cisco predicts that global mobile data traffic, which hit 1.5 exabytes per month in 2013, will be 10 times as high by the end of 2018. Smartphones will drive the bulk of this traffic growth, but the Internet of Things will also play a role.
Mozilla Firefox for Android CVE-2014-1506 Directory Traversal Vulnerability
Mozilla Firefox for Android 'file' Protocol Information Disclosure Vulnerability
Mozilla Firefox for Android Profile Paths Leak Information Disclosure Vulnerability

Report: VA Needs to Improve InfoSec
The Department of Veterans Affairs has a list of long-standing information security issues that need to be addressed, including those related to the protection of veteran's health information, according to a new report issued by the Government ...

Posted by InfoSec News on Mar 27

Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.au.af.mil/au/ssq/digital/pdf/spring_2014/Libicki.pdf
: Strategic Studies Quarterly (SSQ)
: The Strategic Journal of the United States Air Force
: Volume 8, Issue 1 - Spring 2014
: By Martin C. Libicki
: Even assuming the cyber domain has yet to stop evolving, it is not clear
: a classic strategic treatment of cyber war is possible, or, if it were,
: it would...

Posted by InfoSec News on Mar 27


March 26, 2014

From U.S. 4th Fleet Public Affairs

U.S. 4th Fleet on March 21 concluded a weeklong cyber security inspection
by a team from U.S. Fleet Cyber Command, earning a passing score on its
first attempt.

The inspection was a comprehensive, graded evaluation of all cyber
security areas, including...

Posted by InfoSec News on Mar 27


By jerichoattrition
March 26, 2014

After John Cartwright abruptly announced the closure of the Full
Disclosure mail list, there was a lot of speculation as to why. I mailed
John Cartwright the day after and asked some general questions. In so many
words he indicated it was essentially the emotional wear and tear of
running the list. While he did not...

Posted by InfoSec News on Mar 27


By Ellen Messmer
Network World
March 26, 2014

Knock, knock! Secret Service here. "Is this your customer payment card

By all accounts, many of the massive data breaches in the news these days
are first revealed to the victims by law enforcement, the Secret Service
and Federal Bureau of Investigation (FBI). But how do the agencies figure

Posted by InfoSec News on Mar 27


By Donna Chisholm
March 18, 2014

From schoolboy dropout to world-famous hacker, Auckland-born Barnaby Jack
lived hard and died young. On the way, he changed the technological world.

The Jagermeister shot glasses are piling up along with the stories in the
outside bar of Galbraith's in Mt Eden Rd. It's a stormswept Sunday in...
Postfix Admin 'functions.inc.php' SQL Injection Vulnerability
Hypercube Multiple Remote Command Execution Vulnerabilities
China's Ministry of National Defense blasted the U.S. over recent allegations that it spied on Huawei Technologies, and said it plans to shore up the nation's Internet security in response.
Intel is now a direct seller of wearable devices with the acquisition this week of Basis, a company selling fitness trackers, but the chip maker is taking a cautious approach to selling more products directly.
Add date and time stamps, jump to next corner of a selection and more -- all with time-saving keyboard shortcuts from "Mr. Excel" Bill Jelen.
For people who frequently travel overseas, it sounds almost too good to be true: unlimited international data roaming and texting at no extra cost. But that's exactly what T-Mobile USA started offering its U.S. users earlier this year as part of its price battle with AT&T.
Power generated through solar power now costs the same as conventionally generated electricity in three European countries, according to a new report.
Creditors of failed Bitcoin exchange Mt. Gox are trying to force its CEO Mark Karpeles to go to the U.S. for questioning related to a fraud lawsuit.
As it heads toward an estimated US$250 million initial public offering, cloud storage and collaboration provider Box is thinking outside, well, itself.
Twitter users on mobile devices can now tag people in photos and upload multiple images to form a collage.
Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability
The global decline in sales of laptops and desktops is expected to continue in 2014 -- and Gartner envisions another decline of nearly 5% in 2015

Infosec seen as a grudge purchase
ITWeb Africa
Published on 26 March 2014. Infosec is seen as a grudge purchase, says Maiendra Moodley, divisional head GM for financial systems and processes at the State IT Agency (SITA). Moodley, who has trained and consulted ...
