CSO Online

Report: Infosec women make progress in governance, risk and compliance
CSO Online
Women account for just 10 percent of the information security workforce, a new report shows, but are making progress in governance, risk and compliance jobs. The absolute number of women in cybersecurity jobs has been growing, but they're not even ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Adobe today released a surprise patch for Shockwave [1]. The patch fixes one vulnerability,CVE-2015-7649 and Adobes Shockwave Player on Windows and OS X is affected. The vulnerability is used in targeted exploit and Adobe learned about it fromFortinets Fortiguard Labs. The latest version of Shockwave Player is now12.2.1.171 and it replaces version12.2.0.162.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Enlarge (credit: Yan Zhu)

Over the past decade, there's been a privacy arms race between unscrupulous website operators and browser makers. The former wield an ever-changing lineup of so-called zombie cookies that can't be easily deleted and attacks that sniff thousands of previously visited sites, while browser makers aim to prevent such privacy invasions by closing the design weaknesses that make them possible. Almost as soon as one hole is closed, hackers find a new one.

Over the weekend, a researcher demonstrated two unpatched weaknesses that Web masters can exploit to track millions of people who visit their sites. Taken together, the attacks allow websites to compile a list of previously visited domains, even when users have flushed their browsing history, and to tag visitors with a tracking cookie that will persist even after users have deleted all normal cookies. Ironically, the techniques abuse relatively new security features that are already built into Google Chrome and Mozilla Firefox and that may make their way into other mainstream browsers in the future.

The history-sniffing attack works against people who visit sites that use HTTP strict transport (HSTS). The specification allows websites to instruct browsers to connect only when an encrypted HTTPS connection is available and to reject any attempts to use an unsecured HTTP link. The measure, which is used by banks, cloud services, and other sensitive sites, is designed to prevent downgrade attacks, in which a hacker with the ability to tamper with traffic passing between an end user and server resets an HTTPS connection to use HTTP so the data isn't protected against snooping or modification.

Read 11 remaining paragraphs | Comments


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
WASHINGTON, DC ? As part of the U.S. Department of Commerces Skills for Business initiative, the National Institute of Standards and Technology (NIST) is funding the development of a visualization tool that will show the demand for and ...

(credit: Jerk Alert Productions)

Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act exemptions. Acting Librarian David Mao, in an order (PDF) released Tuesday, authorized the public to tinker with software in vehicles for "good faith security research" and for "lawful modification."

The decision comes in the wake of the Volkswagen scandal, in which the German automaker baked bogus code into its software that enabled the automaker's diesel vehicles to reduce pollutants below acceptable levels during emissions tests.

"I am glad they granted these exemptions," said Sherwin Siy, vice president for legal affairs for Public Knowledge in Washington, DC. "I am not glad it was necessary for them to do so in the first place."

Read 9 remaining paragraphs | Comments

[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability
[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability
[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability

This weekend, I worked on a pentest report that was already pending for a while. Im honest: Im lazzy to write reports (like many of us, no?).During a pentest, it is mandatory to keep evidences of all your findings. No only the tools you used and how you used them but as much details as possible (screenshots, logs, videos, papers,etc). Every day, we had a quick debriefing meeting with the customer to make the point about the new findings. The first feedback was often a Yes, but...:

Me: We were able to connect a USB stick and to drop unwanted tools to the laptop!
Customer: Yes, but it will be disabled soon, the deployment processis ongoing!

Me: We were able to find sensitive documents onan admins desktop!
Customer: Yes, but the admin forgot to delete it

Me: We were able to connect to remote servers using the same credentials!
Customer: Yes, but the operators are not supposed to connect on this network segment

I could write tons of examples like these! When youre engaged in a pentest, it is executed within a defined scope at a time t. If your targeted infrastructure is not ready yet, postpone the project. And if you think to beready, accept to be compromised!

When speaking to customers, I like to compare a pentest to a plane crash. If a plane crash result often in many dead people, planes can be considered as safe. Statistically, flying is less dangerous than driving to the airport with your car! Modern planes are very reliable: critical components are redundant, strong procedures and controls are in place. Planes are designed to fly under degraded mode. The cabincrew is also trained to handle such situations. Finally, planes maintenance are scheduled at regular interval.

How to explain that, from time to time, a plane crash occurs? Most of the time, post-crash investigations reveal that the crash is the result of a suite of small or negligible issues which, taken out of context, are not critical. But, a small incident might introduce a second one, then a third one, etc. If a suite of such small incidents occur, nasty things may happen up to... a crash! This is called the butterfly affect which describes how a small change in a deterministic nonlinear system can result in large differences in a later state (definition by Wikipedia).

Keep in mind that the same may occur during a pentest. A small issue in a configuration file associated to files left in a public directory, anunpatched system and a lack of security awarenessof the operatorsmight result in a complete compromisation of your infrastructure. Avoid Yes, but... comments and take appropriate action to solve the issues.

Xavier Mertens
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status