InfoSec News

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.
 
ViewVC 'cvsdb.py' Remote Denial of Service Vulnerability
 
Marius Haas, who led Hewlett-Packard's networking business through the 3Com acquisition that made it a broader competitor to Cisco Systems, is leaving the company for investment firm Kohlberg Kravis Roberts.
 
JavaFX 2.0, an upgrade to the Java-based rich client platform that originated at Sun Microsystems, was made available in a beta form this week by the Java team at Oracle.
 
Lyris ListManager 'words' Parameter Cross Site Scripting Vulnerability
 
Viewpoint: Security implications of IPv6
 
RETIRED: IBM Lotus Notes Attachment Handling Multiple Buffer Overflow Vulnerabilities
 
Joomla! and Mambo Comp Restaurante Component 'id' Parameter SQL Injection Vulnerability
 
RETIRED:Joomla! 'com_restaurante' Component 'id' Parameter SQL Injection Vulnerability
 
Apache Archiva Multiple Cross Site Request Forgery Vulnerabilities
 
The nation's No. 1 defense contractor, Lockheed Martin, today would neither confirm nor deny a Reuters story saying the company had experienced a major data breach.
 
There's a lot of interest these days in the notion of "controlling complexity," particularly when it comes to networks.
 
This insidious malware is hard to root out, which is why it's making a lot of money for its distributors.
 
Two space shuttle Endeavour astronauts Friday finished the final spacewalk of the craft's final mission.
 
Microsoft today downplayed the threat posed by an unpatched vulnerability in all versions of Internet Explorer (IE) that an Italian researcher has shown can be exploited to hijack people's online identities.
 
Firms reassessing their virtualized infrastructure should apply the same security best practices they’ve been using to secure their physical systems.

 
One in every 20 Windows PCs whose users turned to Microsoft for cleanup help were infected with malware, Microsoft said this week.
 
Gibbs ponders how IT can provide great service come what may.
 
A U.S. senator has blocked a controversial bill that would enlist ISPs, search engines and other businesses in blocking access to alleged Websites infringing copyright.
 
Google's new Chromebook computers could prove costly to the company's business as users move away from the Web to a dependence on mobile apps.
 
[SECURITY] CVE-2011-1077: Apache Archiva Multiple XSS vulnerability
 
[SECURITY] CVE-2011-1026: Apache Archiva Multiple CSRF vulnerability
 

Google’s NFC service will be thoroughly vetted for vulnerabilities, access for cybercriminals. Cloning may be possible.

Google’s new near field communication (NFC) payment service, Google Wallet, will get a thorough review from security researchers, who have long been discussing the inherent weaknesses of NFC.

The Google Wallet service, announced this week, uses the PayPass credit or debit system from Mastercard. For now the new payment system only works with Google’s Nexus S smartphone, but Google reportedly will sell kits so other Android devices can support the technology. To accept payments, merchants must support Mastercard PayPass, a service which has gained acceptance under the Payment Card Industry Data Security Standard (PCI DSS). Supported devices must also run Google’s payment app to complete transactions.

Google has set up a FAQ on Google Wallet security and privacy for merchants considering supporting the service. Google said it has designed “multiple elements” at the hardware level into its service to help prevent snooping or tampering.

According to Google, credit card credentials are stored using hardware-based encryption. The app itself is sandboxed. Sandboxing isolates the app from other processes to make it more difficult for cybercriminals to leverage device or other application vulnerabilities to gain access to the sensitive data.

Jimmy Shah, a mobile security researcher at McAfee, wrote that up until now, researchers have focused on “ghost and leech attacks” as a threat to NFC technology.

“You’re more likely to be hit by a crook brushing by you with an RFID reader to steal or transmit your credentials to a fake RFID card,” Shah wrote.

The good news is that Google has introduced a third layer of protection, a PIN, to initiate a tap-and-pay transaction. Google Wallet data won’t be transmitted unless the user enters the PIN. Shah said this step prevents anyone from stealing usable NFC data with a reader.

Researchers will have to wait for Google Wallet to reach consumers before it can be fully vetted, he said. No doubt, Google has put it through various tests to ensure device configuration errors and other issues don’t expose it to attacks.

The Google Wallet app has not yet been widely released, so it’s difficult to properly identify possible weaknesses. Once it’s available on more phones, we’re bound to see more research from both the criminal element and legitimate security researchers.

Reverse engineering, cloning may be possible

The Google Wallet app will likely be reverse engineered by cybercriminals, Shah said. It’s a feat that is not too difficult today given the availability of free tools on the Internet. A possible hole, according to Shah, is its secure chip, which uses asymmetric encryption to authenticate access to the data. “This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app,” he said.

The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards.

It’s a safe bet that the PCI Council (and Mastercard) will be watching developments closely. The council said earlier this year that its new mobile payment task force would review NFC payment systems and other mobile payment technologies.

“We’re trying to dissect the mobile area now because there are just so many unknowns out there and so many different devices that don’t have any security we can see,” said the Council’s General Manager Bob Russo in an interview with SearchSecurity.com back in March.

SmartCard Alliance on NFC payment systems

The SmartCard Alliance, a non-profit organization backed by a number of technology companies pushing mobile payment systems, issued a video last month addressing NFC payment systems. The Alliance is supporting “chipless pin.” (Chipless is seen as cheaper, though the rest of the world is moving toward chip and PIN.) The video is an interview with payment systems consultant Steve Mott. He said everyone has a stake in providing services and technology to the “mobile ecosystem.” New NFC infrastructure could ultimately do away with the old mag stripe, physical card payment system.

“It’s clearly outlived its usefulness,” Mott said of current credit card payment systems in the interview.

“It’s too costly, it’s too fraud prone, it creates ungodly expenses like PCI compliance. We’ve spent enough in the United States on PCI compliance since 2004 to implement EMV chipless PIN three times over.”


 

Acquisition of Clearwell Systems Inc. bolsters Symantec’s eDiscovery capabilities in a crowded market for software that helps contain civil litigation costs.

Symantec Corp. has agreed to acquire privately held data archiving and backup vendor Clearwell Systems, Inc., in a $390 million deal that launches the security vendor into the eDiscovery market.

The agreement is subject to customary closing conditions, including regulatory approval, and is expected to close in September.

The market for electronic discovery software has been booming as businesses are required to tap into archived emails and other documents during the discovery process in civil litigation cases. Specialized software helps reduce the costs and risks associated with legal discovery.

Storage and database vendors have tapped into the market, too: EMC Corp. acquired Kazeon Systems Inc. in 2009 for $75 million, and it also sells RSA’s Archer platform for eDiscovery and compliance management. Gartner Inc. calculates the annual growth rate for eDiscovery at 14% and estimates that the market will reach $1.7 billion by 2014.

Brian W. Hill, an analyst with Forrester Research Inc. said Clearwell and Symantec have had a longstanding partnership across their archiving and eDiscovery offerings. Clearwell has been focused on processing, search and review to support eDiscovery, he wrote in the Forrester Research blog.

Clearwell offerings have some overlap so I anticipate a period of assessment and rationalization. The two vendors, however, have joint partners and some existing product integration and Symantec certainly recognizes the importance of the intersection of archiving and eDiscovery.

Symantec, which acquired Veritas in 2004, will add the eDiscovery capabilities as an offering for its customers. The company said it would integrate Clearwell’s capabilities into its Enterprise Vault archiving product.

“As information continues to grow at unprecedented rates, the biggest challenge for customers is to protect, manage and backup this information as well as have the ability to categorize and discover it efficiently,” said Deepak Mohan, senior vice president, Information Management Group, Symantec in a statement.

Symantec said the Clearwell platform can also be integrated and cross-sold along with its NetBackup, Data Loss Prevention and Data Insight software.

Some experts say the market is still immature and includes a myriad of small vendors. Forrester’s Hill said enterprises have had difficulties with the complexity of using different eDiscovery providers with different applications. Clearwell competed against Autonomy Corp., Recommind Inc. and ZyLAB North America LLC. In addition, Informatica, Oracle and SAP offer their own branded eDiscovery software suites.

According to Hill:

Given how long litigation and investigations often take, buyers want to make sure that their provider will be there when it counts. With about 200 employees, Clearwell is bigger than many of its counterparts, but Symantec will clearly be around for the long haul.



 
May 27, 2011: Mac owners hurt by Apple delay, Google offers new ways to pay
 
Vulnerability Advisory: User clicks on something that they shouldn't have (CVE-0)
Description: There exists a vulnerability in all versions of user. An attacker can execute arbitrary code on a system by sending a specifically crafted message to a vulnerable user.

Exploit: There are numerous exploits in the wild.

Remediation: Patches do not currently exist. For workarounds, see below.

Impact:

CVSS Base Score: 10

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:W/RC:C)
How the Exploit Works
An attacker crafts a message and delivers the attack to the victim via a service such as email or Instant Message. A vulnerable user will click on the link (directing the system to another attack) or the message contains the malicious payload which is executed when the user activates it.

This gives the defender four leverage points:
A. The incoming message
Depending on the service that is used to deliver the message, the defender may be able to employ spam filtering or anti-virus if the payload is included with the message.
B. On the system
Anti-virus on the system, process white-listing, and limited privileges could all help protect a vulnerable user from themselves.
C. The user
An alert and educated user (see below) may resist attacks that evade other protection mechanisms.
D. Outgoing requests
Web proxy filtering and anti-virus may succeed where all other methods have failed.
The Bad News
This is a typical defense-in-depth strategy. Although it's the current best practice, I see it fail constantly. However, this is no reason to abandon the strategy, because things would be much worse without it.
Vulnerability Management of Users
When there is an announced system vulnerability, it is common practice to deploy patches and workarounds to reduce the number of vulnerable systems in your environment. One should strive to similarly reduce the population of vulnerable users on your network.
Everyone is Vulnerable
The User Vulnerability Model
Remember that everyone is vulnerable, even you, dear reader. There will come a time when you haven't had your morning wake-up juice, or you are distracted, or one of your friends/family/clients gets compromised and they send you a message, or you become specifically targeted, then you will likely click on something that you shouldn't have. Users are either vulnerable to CVE-0 or resistant to CVE-0, but no user is 100% CVE-0 proof all of the time. Users may shift state from vulnerable to resistant and back over time. The ratio of vulnerable to resistant users is one (albeit difficult to measure) indicator of your environment's welfare.

As mentioned earlier, a user may change state from resistant to vulnerable if they are distracted, and alertness can change a user from a vulnerable state into a resistant state. New attack methods or schemes can shift a large population of users from resistant back to vulnerable. Timely communication out to the users can counter this shift, returning them to a resistant state.
New-hire/new-user training is key. As your user population increases, you want new users to start off resistant. This also means that your training must be flexible and updated to keep pace with new attacks. Training is not perfect, and there is no guarantee that the user will be receptive to it.
Realizing that users will make errors, that training will not be perfect, and that new techniques will emerge to further drive down the number of users resistant to CVE-0 can make one feel that defeat is inevitable. If you can train the majority of your users to be link-suspicious, they will be remarkably resilient. This, coupled with the other layers in your defenses, should keep the number of CVE-0 events that you have to respond to down to manageable levels. Manageable levels are what you want; chasing zero will cause other issues, as we'll see below.
A System Model of the Attack
To gain more insight into the problem, I propose the following model of the typical attack:

Criminals that are motivated financially to exploit CVE-0 style attacks are going to spend enough effort to achieve a certain level of vulnerable users to meet their profit goals.
Defenders attempt to drive the level of vulnerable users down as low as possible.
Users need to use systems and consume information resources.

These forces combine to form a dynamic, non-linear system that can express some surprising behaviors and respond unexpectedly to your attempts to control it.
Your security efforts may have unexpected results for the following reasons:

Non-linearity-- There isn't a linear relationship between the defenders' efforts and their impact on the level of vulnerable users. Doubling your rule set will not block twice as many attacks, and sometimes increasing effort leads to even fewer results.
Externalities-- There is more going on outside of this model that can have an impact on the level of vulnerable users.
Linked requirements-- A security manager may have a number of levers to pull to define their strategy, but due to interrelated systems and limited resources, cranking up one lever may have little to no effect, because that effort may starve another effort or a different lever is set too low.
Delays-- It takes a while for policy changes to be communicated out to the staff, or for increased law enforcement to reduce the number of cyber-criminals. It may take more time than expected to detect the results of a change in strategy.
Bounded rationality-- Every actor in the system is going to act in his or her own best interest based upon how they perceive the world. With incomplete and imperfect information they are going to make decisions that may not be in the best interest of the whole.
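The diary proposes the criminal/defender/user system as a stock-and-flow model in the Thinking in Systems sense but does not write it down. The following is an added illustration, not the diary's own model or code: two stocks (vulnerable and resistant users) with flows for delayed training, everyday distraction, periodic new scam schemes, and criminal escalation when the vulnerable ratio falls below their profit target. Every parameter value, the step ordering and the names (Params, simulate, Run) are assumptions chosen so that the delay and non-linearity points above show up in the numbers.

```python
"""Constructed stock-and-flow model of the CVE-0 user population (added
illustration; not the ISC diary's own model). All rates are assumed values."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    population: int = 1000
    initial_vulnerable_ratio: float = 0.5
    training_rate: float = 0.10      # share of vulnerable users converted when a push lands
    comms_delay: int = 3             # steps between a training push and staff hearing it
    distraction_rate: float = 0.02   # share of resistant users slipping back each step
    shock_period: int = 20           # a new scam scheme appears every N steps
    shock_fraction: float = 0.25     # share of resistant users fooled by a new scheme
    criminal_target: float = 0.30    # vulnerable ratio the criminals need for their profit goal
    criminal_boost: float = 0.05     # extra slip rate applied when the criminals escalate


@dataclass
class Run:
    ratios: list        # vulnerable ratio recorded after each step
    escalations: int    # number of steps on which the criminals escalated


def simulate(p: Params, steps: int, training_pushes) -> Run:
    """Advance the two stocks for `steps` steps; `training_pushes` lists the
    steps on which the defender launches a training/communication push."""
    pushes = set(training_pushes)
    vulnerable = p.population * p.initial_vulnerable_ratio
    resistant = p.population - vulnerable
    pending = deque()               # arrival steps of pushes still in transit
    ratios, escalations = [], 0
    for t in range(1, steps + 1):
        if t in pushes:
            pending.append(t + p.comms_delay)
        # 1. Delayed training lands: vulnerable -> resistant.
        while pending and pending[0] <= t:
            pending.popleft()
            moved = p.training_rate * vulnerable
            vulnerable -= moved
            resistant += moved
        # 2. Everyday distraction: resistant -> vulnerable.
        moved = p.distraction_rate * resistant
        resistant -= moved
        vulnerable += moved
        # 3. Criminal response: below their target they spend more effort,
        #    so the defender's extra push buys less (non-linearity).
        if vulnerable / p.population < p.criminal_target:
            escalations += 1
            moved = p.criminal_boost * resistant
            resistant -= moved
            vulnerable += moved
        # 4. A new scheme shifts a block of resistant users back at once.
        if t % p.shock_period == 0:
            moved = p.shock_fraction * resistant
            resistant -= moved
            vulnerable += moved
        ratios.append(vulnerable / p.population)
    return Run(ratios, escalations)


def final_ratio(p: Params, steps: int, training_pushes) -> float:
    """Vulnerable ratio at the end of a run (the indicator the diary mentions)."""
    return simulate(p, steps, training_pushes).ratios[-1]


if __name__ == "__main__":
    p = Params()
    for label, pushes in [("no training", []), ("one push", [1]), ("push every step", range(1, 61))]:
        run = simulate(p, 60, pushes)
        print(f"{label:16s} final vulnerable ratio {run.ratios[-1]:.2f}, "
              f"criminal escalations {run.escalations}")
```

Running it shows three of the diary's points in miniature: a push at step 1 changes nothing until the communication delay has elapsed; a second push yields a smaller reduction than the first; and pushing every step drives the ratio under the criminals' target, at which point they escalate and the marginal return on training shrinks further.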

This particular system of criminals, defenders, and users can express a number of vexing scenarios for the users and the defenders.
In our model there is a clear conflict between the goals of the criminals and the defense. The harder the defenders try to push down the vulnerability rate, the more effort and resources the criminals will leverage against them. New tools will be circumvented, and take-down efforts will be countered with bullet-proof hosting and fast-flux networks. The result is a never-ending arms race. The fix is not to push so hard. Instead, you must push smarter.
Don't let CVE-0 events get to the point where they become business as usual. It may be disheartening to realize that as more users come on-line, they'll breathe new life into old scams, or feel frustrated when delays allow criminals to operate with seeming impunity. New ground gained by the criminals should not redefine the new normal. This will result in a race to the bottom where these events are tolerated or ignored. CVE-0 events should not become proceduralized and outsourced to your managed security service provider. Each incident is an opportunity to improve the defender's strategy and position.
Users are caught in the middle between the defenders as they apply new rules, tools and policies to counter the criminals' change in message and tactics. Depending on how the defender reacts the users can end up as one of the following: allies, wards, or enemies.
If the defender deploys too many rules, or too restrictive policies, the users (in their bounded rationality) will organize solutions that circumvent these controls so that they can get their jobs done. In the worst cases, this can turn the users hostile to the defenders. When these solutions and workarounds are discovered, you have to resist the urge to clamp down harder, because this is a clear sign that your policy lever is already pushed too far, and now is not the time to push on it harder. It's time to rethink and redesign your strategy and try to leverage the creativity of the users to your benefit.
Another common result of this conflict between defenders and criminals is that the defenders assume more and more control from the users, so that eventually the users become wards of the defenders. This works for a while as the team deploys new tools and processes. Unfortunately these efforts only serve to mask the root cause of the problem (vulnerable users, in this case). As time goes on, the defenders' resources will dwindle, and when the layers of the defenses are circumvented, the users won't have any experience in dealing with the threat on their own and will likely fail. They essentially become addicted to the security tools and no longer make security decisions on their own.
Finally, a note on metrics. Another trouble point for the defense's efforts is how they are measured. If the security of the firm is measured by the size of security budgets, then security budgets will grow. If it's measured by the number of detections, then rule-sets will expand. The goals have to measure the real welfare of the system. Otherwise the system will head off in unwanted and unexpected directions.
Integrating Incident Response with Vulnerability Management
CVE-0-caused incidents should be handled like any other system compromise. While you can't reimage a user and move on, you can educate and inoculate them. The user's team and peers should also be educated at that time. The lessons learned from the incident should be captured, and any new-hire or ongoing training should integrate those results. When delivering education, remember that everyone is sometimes vulnerable to CVE-0.
Acknowledgement
I'd like to recognize the large influence that Donella H. Meadows' Thinking in Systems had on this analysis. I strongly recommend it as a source of new ways to look at the problems you currently face every day.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A federal jury convicted two people this week over a scheme to import and sell counterfeit Cisco-branded networking equipment.
 
ISC BIND 9 Large RRSIG RRsets Remote Denial of Service Vulnerability
 
Sony's PlayStation Network online gaming service will reopen for millions of gamers across Asia on Saturday, more than five weeks after it was taken offline following a cyber attack.
 
 
PayPal and parent eBay have filed a suit against Google and two former executives alleging that they have misappropriated their trade secrets in the area of mobile payments and point-of-sale strategies.
 
Google has dropped offline Gmail support in several operating systems until this summer, when an HTML5 upgrade is released.
 
Metropolitan Museum of Modern Art CIO Steve Peltzman and analyst Frank Gillett presented on near-term future tech at Forrester's IT Forum in Las Vegas, noting that 'we are entering a period of significant turmoil.'
 
The Kobo eReader Touch Edition offers e-reading at its simplest; a touch interface and reasonable price could make it a competitor.
 
dbus-glib 'access' Flag Local Denial Of Service Vulnerability
 
InfoSec News: InsecureID: No more secrets?: http://www.cringely.com/2011/05/insecureid-no-more-secrets/
By Robert X. Cringely I, Cringely May 25th, 2011
Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA? [...]
 
InfoSec News: Manal al-Sharif Imprisoned For 10 More Days For Driving in Saudi Arabia: http://www.care2.com/causes/womens-rights/blog/manal-al-sharif-imprisoned-for-10-more-days-for-driving-in-saudi-arabia/
By Kristina Chew Care2.com May 26, 2011
Manal al-Sharif, the Saudi woman who was arrested early Sunday morning for defying her country's ban on women driving and calling for a June 17th "mass drive" on Facebook, was supposed to be released from prison today. But authorities say that she will be held for ten more days, the Guardian reports. According to her lawyer, al-Sharif is being charged with driving "without a licence, provoking other women to do the same and provoking public opinion in Saudi Arabia":
It is disputed by lawyers whether it is illegal for women to drive under national law but it is socially and religiously unacceptable in many quarters.
"The investigator needs another 10 days to complete his investigation," said Al Sharif's lawyer, Adnan Al Salah. "He will decide whether Manal is innocent and has to be released or he will refer her to the prosecution unit, a government organisation and they might refer her to a special prosecutor to deal with the case. I feel the fair and right thing would have been to release her on bail."
Al-Sharif had also posted a video online of her driving and another video in which she described how women could participate in the June 17 protest.
...
Manal al-Sharif is, says the Saudi Women weblog, a woman whom Saudi Arabia should be proud of:
She is one of the first women in the world to be a Certified Ethical Hacker-EC-Council CISSP-(ISC)2 Certified ISO 27001 Implementer and Lead Auditor -BSI & ISO. She is an IT security consultant at the biggest oil company in Saudi, ARAMCO.
[...]
 
InfoSec News: Experts: Pressure SCADA developers on security as you would software vendors: http://www.csoonline.com/article/682990/experts-pressure-scada-developers-on-security-as-you-would-software-vendors
By George V. Hulme CSO May 26, 2011
The discovery of a number of what have been described as serious vulnerabilities within industrial control systems built by manufacturing [...]
 
InfoSec News: Senior Defense Official Caught Hedging on U.S. Involvement in Stuxnet: http://www.wired.com/threatlevel/2011/05/defense-department-stuxnet/
By Kim Zetter Threat Level Wired.com May 26, 2011
If you want to see a top Pentagon official squirm, tune into CNBC’s cyberwar documentary Thursday night, and watch Deputy Defense Secretary [...]
 
InfoSec News: China confirms deployment of online army: http://english.peopledaily.com.cn/90001/90776/90786/7392068.html
chinadaily.com.cn May 26, 2011
The development of China's "Online Blue Army" unit is for improving the defense capabilities of the People's Liberation Army (PLA), a Chinese Defense Ministry spokesman said on Wednesday, cited by Beijing News.
Launching the "Online Blue Army" is based on the PLA's needs, and enforcing the ability of Internet security protection is an important issue in its military training programs, Defense Ministry spokesman Geng Yansheng said.
Geng's comments came in response to questions during the ministry's news conference in Beijing asking if the "Online Blue Army" is China's Internet squad aimed at carrying out attacks on other countries' Internet systems.
The PLA Daily reported earlier the PLA's Guangzhou command had invested tens of millions of yuan in building the specialized Internet squad.
[...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2011-21: ========================================================================
The Secunia Weekly Advisory Summary 2011-05-19 - 2011-05-26
This week: 54 advisories [...]
 
InfoSec News: PSN Hack Dings Sony’s Bottom Line: http://mashable.com/2011/05/26/sony-playstation-network-170m/
By Todd Wasserman Mashable.com May 26, 2011
Sony expects the hacker attack on its PlayStation network to cost the company about $170 million.
The company says it expects a “significant” decline in operating profits [...]
 

Posted by InfoSec News on May 27

http://www.care2.com/causes/womens-rights/blog/manal-al-sharif-imprisoned-for-10-more-days-for-driving-in-saudi-arabia/

By Kristina Chew
Care2.com
May 26, 2011

Manal al-Sharif, the Saudi woman who was arrested early Sunday morning
for defying her country's ban on women driving and calling for a June
17th "mass drive" on Facebook, was supposed to be released from
prison today. But authorities say that she will be held...
 

Posted by InfoSec News on May 27

http://www.csoonline.com/article/682990/experts-pressure-scada-developers-on-security-as-you-would-software-vendors

By George V. Hulme
CSO
May 26, 2011

The discovery of a number of what have been described as serious
vulnerabilities within industrial control systems built by manufacturing
giant Siemens AG -- and the subsequent nixing of a presentation about
those very vulnerabilities -- has raised questions about how the nature
of...
 

Posted by InfoSec News on May 27

http://www.wired.com/threatlevel/2011/05/defense-department-stuxnet/

By Kim Zetter
Threat Level
Wired.com
May 26, 2011

If you want to see a top Pentagon official squirm, tune into CNBC’s
cyberwar documentary Thursday night, and watch Deputy Defense Secretary
William Lynn face an uncomfortably direct question about the Stuxnet
worm.

In “CodeWars: America’s Cyber Threat,” correspondent Melissa Lee asks
Lynn outright: “Was the U.S....
 

Posted by InfoSec News on May 27

http://english.peopledaily.com.cn/90001/90776/90786/7392068.html

chinadaily.com.cn
May 26, 2011

The development of China's "Online Blue Army" unit is for improving the
defense capabilities of the People's Liberation Army (PLA), a Chinese
Defense Ministry spokesman said on Wednesday, cited by Beijing News.

Launching the "Online Blue Army" is based on the PLA's needs, and
enforcing the ability of Internet...
 

Posted by InfoSec News on May 27

========================================================================

The Secunia Weekly Advisory Summary
2011-05-19 - 2011-05-26

This week: 54 advisories

========================================================================
Table of Contents:

1.....................................................Word From...
 

Posted by InfoSec News on May 27

http://mashable.com/2011/05/26/sony-playstation-network-170m/

By Todd Wasserman
Mashable.com
May 26, 2011

Sony expects the hacker attack on its PlayStation network to cost the
company about $170 million.

The company says it expects a “significant” decline in operating profits
for its networked products and services unit, which includes gaming,
over the coming fiscal year (April 1, 2011 to April 1, 2012).

The report comes as the company...
 

Posted by InfoSec News on May 27

http://www.cringely.com/2011/05/insecureid-no-more-secrets/

By Robert X. Cringely
I, Cringely
May 25th, 2011

Back in March I heard from an old friend whose job it is to protect his
company’s network from attack. “Any word on just what was compromised at
RSA?” he asked, referring to how the RSA Data Security division of EMC
had been hacked. “I suspect it was no more than a serial number, a seed,
and possibly the key generation time....
 
Internet Storm Center Infocon Status