InfoSec News

The Micro Express NBL5125 is a basic almost-a-desktop-replacement notebook. This all-purpose laptop is an excellent performer with a nice, bright screen, but its speakers and keyboard leave something to be desired.
 
Wi-Fi that can sustain multi-gigabit data rates? That fantasy is edging closer to reality: This week an industry group published the latest spec for gigabit Wi-Fi, and plans a first round of early interoperability tests with prototype products in fall 2011.
 
The Asus B43J is an example of this company's push to expand its credibility among business users--on the bottom of this laptop, Asus even adds a clear plastic business card slot. The B43J is attractive, fairly powerful, and supports up to three external monitors. I hear that the more monitors you have, the more productive you are (or something like that), so Asus is clearly trying to show its dedication to productivity in the workplace.
 
If you're impressed with the current generation of LTE services, wait until you get a load of LTE Advanced.
 
Twitter co-founder Biz Stone is stepping away from his day-to-day duties at Twitter.
 
 
A newly patented Microsoft technology called Legal Intercept would allow the company to secretly intercept, monitor and record Skype calls. Privacy advocates are concerned.
 
An Oracle damages expert estimates that Google owes the company $2.6 billion for alleged Java patent violations, according to a court filing made Tuesday in U.S. District Court for the Northern District of California.
 
Ruby WEBrick UTF-7 Encoding Cross Site Scripting Vulnerability
 
Microsoft is pitching its hosted Office 365 as a less costly option for IT departments with flat budgets, assuming there's money in those budgets for a migration to the cloud.
 
Microsoft CEO Steve Ballmer on Tuesday played up ways Microsoft's new cloud office service could help small businesses.
 
The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of "layered security" and fraud monitoring to better protect against cybercrime.
 
Cybercriminals will find ways to bypass native security restrictions on smartphones and other devices, says security luminary Winn Schwartau.

 
Mobile malware has been minimal, but attackers are developing attacks that target smartphones to gain access to sensitive data, says security luminary Winn Schwartau.

 
Cisco released earlier today a bulletin regarding a vulnerability in the Cisco VPN client for Windows 7. The vulnerability is pretty simple: the client runs as a service, and all users logged in interactively have full access to the executable. A user could replace the executable, restart the system and have the replacement running under the LocalSystem account.
The fix is pretty simple: revoke the access rights for interactive users. This class of bug is easy to audit for on any Windows host: a service binary (or its directory) that is writable by non-administrators is a local privilege escalation, whatever product it belongs to.
The interesting part: NGS Secure Research found the vulnerability and released the details after Cisco released the patch [1]. The vulnerability is almost identical to one found in 2007 by the same company in the same product [2].
Very sad at times how some vendors don't learn. Lucky that at least companies like NGS appear to be doing some of the QA for them.
[1] http://www.securityfocus.com/archive/1/518638

[2] http://www.securityfocus.com/archive/1/476812
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Email addresses and names of subscribers to DefenseNews, a highly-regarded website that covers national and international military and defense news, were accessed by hackers and presumed stolen.
 
More than half a million Android phones are activated every day, according to Google's Andy Rubin, head of the Android platform. Rubin tweeted about the activations today.
 
Mac OS X 10.6.8 supports an SSD optimization algorithm called TRIM, which improves a drive's ability to remove old data and consolidate and organize remaining data.
 
After months of speculation, Google has launched Google+, a social network that aims to compete with Facebook.
 
Cisco VPN Client for Windows Multiple Local Privilege Escalation Vulnerabilities
 
Apple Mac OS X JPEG-encoded TIFF Images Integer Overflow Vulnerability
 
Apple Mac OS X Image RAW Multiple Buffer Overflow Vulnerabilities
 
Apple Mac OS X TIFF Image Handling Heap Buffer Overflow Vulnerability
 
Along with today's launch of Office 365, Microsoft also released the first service pack for its Office 2010 business productivity suite.
 
After a short delay, Acer has started shipping its AC700 laptop with Google's Chrome OS in the U.S., priced at $349.
 
Multiple vulnerabilities in Open-Realty
 
NGS00057 Technical Advisory: Apple Mac OS X ImageIO Integer Overflow
 
Ashampoo 3D CAD Professional 3 ActiveX control Insecure Method
 
XSS in FlatPress
 
The world's information is doubling every two years with a colossal 1.8 zettabytes expected to be created and replicated in 2011 alone, according to IDC's fifth annual Digital Universe study.
 
The six-person crew of the International Space Station was forced to take shelter in a 'lifeboat' when space debris came dangerously close to the orbiter.
 
Most Firefox 4 users updated to Firefox 5 in the first week, although the turnover speed was slower than when Chrome last shifted editions, Web usage data showed.
 
Linux Kernel ALSA 'hpioctl.c' Memory Corruption Vulnerability
 
 
We have covered DNSSEC before. But over the last few months, DNSSEC deployments have increased, and yesterday's DNS poisoning diary by Manuel shows that attacks against unsigned zones certainly happen.
I wanted to put together a couple of tips to avoid common errors:

Patch your DNS server. Make sure you are running a recent version that supports current signing algorithms. In particular, look for NSEC3 support.
Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
Does your registrar have a facility to upload DS records?
If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
Remember to regularly re-sign the zones. Signatures are typically valid for a month, and once they expire validating resolvers will treat your zone as bogus and stop resolving it.
Make sure your DNS server supports EDNS0 (should not be a problem).
Make sure your firewall isn't blocking UDP DNS replies larger than 512 bytes, and that it allows DNS over TCP for the fallback case; signed responses are considerably larger than unsigned ones.
Pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be better supported than other NSEC3 algorithms).
Test
Test
Test
Only deposit DS records with your parent zone after you have completed the prior three steps.
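
Two of the steps above (what a DS record actually contains, and catching signatures before they expire) are easy to get wrong by hand. The following is an added example, not code from the diary or from BIND; it works on a constructed zone fragment with made-up key material, computes the key tag and SHA-256 DS record for the KSK exactly as RFC 4034 specifies, flags RRSIGs that expire within a warning window, and reports keys whose algorithm cannot sign NSEC3. The names and the reference date are assumptions for the example.

```python
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample zone fragment in BIND presentation format (one record per
# line). The key material is made up and is not a real RSA key; the RRSIG
# signature fields are placeholders. Only the structure matters for the checks.
ZONE_FRAGMENT = """\
example.net.     3600 IN DNSKEY 257 3 7 AQPSKmynfzW4kyBv015MUG2DeIQ3 ; KSK (SEP bit set)
example.net.     3600 IN DNSKEY 256 3 7 AwEAAbsj6T1hJzq0VsCmWp4HlmQR ; ZSK
example.net.     3600 IN RRSIG  DNSKEY 7 2 3600 20110720000000 20110620000000 4711 example.net. c2lnMQ==
www.example.net. 3600 IN RRSIG  A      7 3 3600 20110703120000 20110603120000 4712 example.net. c2lnMg==
"""

# Reference "now" for the expiry check, so the example is reproducible.
REFERENCE_NOW = datetime(2011, 6, 28, tzinfo=timezone.utc)

# Algorithm numbers from the IANA DNSSEC registry; 7 is the one the diary recommends.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
NSEC3_CAPABLE = {7, 8, 10}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase, length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """The DS record (digest type 2 = SHA-256) that the parent zone publishes for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def parse_zone(text: str):
    """Minimal parser for the one-record-per-line format above; returns (dnskeys, rrsigs)."""
    dnskeys, rrsigs = [], []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # strip trailing comments
        if len(fields) < 5:
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "DNSKEY":
            flags, protocol, algorithm = (int(x) for x in fields[4:7])
            dnskeys.append((owner, flags, protocol, algorithm, "".join(fields[7:])))
        elif rtype == "RRSIG":
            # owner ttl IN RRSIG covered alg labels origttl expiration inception keytag signer sig
            expiration = datetime.strptime(fields[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            rrsigs.append((owner, fields[4], int(fields[5]), expiration))
    return dnskeys, rrsigs


def ksk_ds_records(text: str) -> list:
    """DS records for every key with the SEP bit (flag bit 0) set, i.e. the KSKs: what goes to the registrar."""
    dnskeys, _ = parse_zone(text)
    return [ds_record(o, f, p, a, k) for (o, f, p, a, k) in dnskeys if f & 0x0001]


def non_nsec3_keys(text: str) -> list:
    """Keys whose algorithm cannot sign NSEC3 chains (an RSASHA1/#5 key would show up here)."""
    dnskeys, _ = parse_zone(text)
    return [(o, a, ALGORITHMS.get(a, f"#{a}")) for (o, _f, _p, a, _k) in dnskeys if a not in NSEC3_CAPABLE]


def expiring_signatures(text: str, now: datetime = REFERENCE_NOW, warn_days: int = 14) -> list:
    """RRSIGs that expire within warn_days of now: re-sign before this list becomes non-empty."""
    _, rrsigs = parse_zone(text)
    limit = now + timedelta(days=warn_days)
    return [(o, covered, exp.strftime("%Y-%m-%d")) for (o, covered, _a, exp) in rrsigs if exp <= limit]


if __name__ == "__main__":
    for ds in ksk_ds_records(ZONE_FRAGMENT):
        print("DS to deposit with parent:", ds)
    for owner, covered, exp in expiring_signatures(ZONE_FRAGMENT):
        print(f"WARNING: RRSIG over {owner} {covered} expires {exp}; re-sign the zone")
    print("keys that cannot sign NSEC3:", non_nsec3_keys(ZONE_FRAGMENT))
```

Run against a real signed zone, the DS line can be compared byte for byte with what dnssec-dsfromkey prints before anything is uploaded to the registrar, and the expiry check belongs in whatever monitoring already watches certificate lifetimes.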

Anything I forgot? Please add a comment...
Couple URLs to use as a reference:
http://dnsviz.net/ - Really nice visualization tool.

http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings

http://www.dnssec.net - links to standards and tools

https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC

http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers

http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first.

http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Anonymous Sets Up School For Hackers Complete With SQL Injection Tutorials (ITProPortal)
Under the Anonymous banner of Operation InfoSec, the Hacking 101 offers information on hacking techniques including the 'SQL injection' method used by both Anonymous and LulzSec in a number of their high-profile hacking attacks. ...
Related: Anonymous launches hacking lessons at School4Lulz (THINQ.co.uk)
 

LulzSec download carried Trojan (msnbc.com)
"It turns out that the RAR file offered as a torrent download is infected with a backdoor of the 'RBOT' class of malware," wrote Kevin McAleavey on InfoSec Island, a website for IT and security professionals. "This type of malware was commonly used by ...
 
Microsoft CEO Steve Ballmer launched the much-awaited Office 365 on Tuesday after a beta program of about nine months, as the company responds to the rising popularity of cloud-based applications for collaboration and communication.
 
T-Mobile USA says the new MyTouch 4G Slide smartphone will go on sale in July, and it claims that the HTC device has the 'most advanced camera of any smartphone.'
 
Sony has followed Apple's example and included proprietary data transfer technology based on Intel's Light Peak interconnect in its latest Vaio Z Series laptop, which was announced earlier this week.
 
The U.S. Supreme Court has decided to hear a case involving the government's authority to conduct prolonged GPS tracking of suspects in criminal cases without first obtaining a court warrant.
 
Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
 
[slackware-security] pidgin (SSA:2011-178-01)
 
ZDI-11-227: Novell File Reporter Engine RECORD Tag Parsing Remote Code Execution Vulnerability
 
ZDI-11-226: Citrix EdgeSight Launcher Service Remote Code Execution Vulnerability
 

Website owners urged to invest in security information security (AsiaOne)
CMC Infosec sent its specialists to analyse the attacks and help organisations and businesses make the necessary repairs. It completed check-ups of main servers and software and showed them how to patch up possible mistakes. Experts said awareness of ...
 
Joomla 1.6.3 and Prior Multiple Vulnerabilities
 
rgboard 'bbs_code' Parameter SQL Injection Vulnerability
 
After talking about SQL injection, this is the second part of the mini-series to help you protect yourself from the simple persistent attacks we have seen in the last couple of months. A common MO employed in these attacks is to steal passwords from a database via SQL injection. Later, the attacker will try to use these passwords to break into other sites for which users may have chosen the same password. Of course, part of the problem is password reuse. But for now, we will focus on hashing passwords to make it harder for an attacker to retrieve a user's plain text password.
First of all: What is hashing? According to NIST, "A hash algorithm (alternatively, hash function) takes binary data, called the message, and produces a condensed representation, called the message digest. A cryptographic hash algorithm is a hash algorithm that is designed to achieve certain security properties." [1] A good cryptographic hash makes it hard to find two messages with the same hash, or to find a message for a given hash value. Common hashing algorithms are MD5 (old, and practical collisions have been demonstrated) and the Secure Hash Algorithm (SHA) family (SHA-1, SHA-256, ...). Another common but less popular algorithm is RIPEMD.
Storing a password as a hash makes it difficult to figure out the actual password a user chose. In order to verify the password, it is first hashed, then compared to the stored hash in the database.
A hash isn't foolproof. All hashes are vulnerable to brute forcing. If I can get the hash, I can try various passwords, hash them and check if they match. I may actually end up with a different password than the correct one: hashes do have collisions (the same hash for two different plain text values). General-purpose hashes like SHA-1 are designed to be fast, which works against you here; a good password hash is slow enough to calculate to make brute forcing expensive. Brute forcing can be sped up with databases of pre-calculated hash values, so-called rainbow tables. These reduce brute forcing to a simple database look-up, but require storage space. Rainbow tables are practical for strings up to about 10 characters in length (lower case alphanumeric). Of course, the size of a rainbow table grows fast as the length or the complexity of the plain text increases.
Probably the most important defense against rainbow tables is the idea of introducing a salt. First of all, a salt ensures that two users who happen to use the same password end up with different hashes. A salt can also be used to increase the length of the plain text beyond the point where rainbow tables are practical.
In order to use a salt, the salt value and the user's password are first concatenated, then the string is hashed.
Another trick to harden a hash is to apply the same algorithm multiple times. For example, if we take the SHA-1 algorithm and apply it 100 times, we slow down a brute force attempt by a factor of 100, while the delay in validating an individual login is hard to notice. Pick the count as high as your login latency budget allows; 100 rounds of a fast hash is only a modest hurdle for a dedicated cracking rig. Standardized constructions such as PBKDF2 (RFC 2898) do exactly this with a configurable iteration count and a per-user salt.
When selecting an algorithm to hash passwords, select carefully, as it is difficult to change the algorithm later: you no longer know what password a user picked, so you would have to ask users to change their passwords. The practical way around this is to store an algorithm identifier (and iteration count) alongside each hash and re-hash the password under the new scheme the next time the user logs in successfully.
Here is a proposal to create difficult-to-reverse hashes with salt:
- As salt, use a complex string that is different for each user. I like to use the username or e-mail address (of course, this means the user will have to enter their password whenever they change their e-mail address, but that is usually a good idea anyway). You could also create a random salt for each user and store it with the hash (similar to what the Unix /etc/shadow file does).
- First, hash the salt (e-mail address) and the password separately. This way, we end up with simple fixed-length strings and no longer have to worry about odd characters in either.
- Concatenate the two hashes, and hash them again.
So the complete formula to create our password hash would look like this (using SHA-1 as an example; you could also mix and match hashing algorithms):

sha1(sha1(password)+sha1(username))

You could also add a secret (sometimes called a pepper) in addition to the salt. If the secret is not stored in the database, it is not easily reachable via a SQL injection exploit (yes, you can use some of them to read files, but that requires sufficient privileges). The formula would now look like:

sha1(sha1(password)+sha1(username)+secret)
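
The formula above, implemented as an added example (not the ISC site's own login code): the diary's salt-and-secret scheme with the "apply it many times" hardening, a constant-time verifier, and, for comparison, the same idea done with PBKDF2 from Python's standard hashlib, storing the algorithm and iteration count next to the hash so the work factor can be raised later without asking users for a new password. The SECRET value and the iteration counts are assumptions for the example.

```python
import hashlib
import hmac
import os

# Server-side secret ("pepper"): lives in configuration, never in the database.
# Constructed value for this example; generate your own with os.urandom(32).
SECRET = b"example-pepper-not-stored-in-the-database"


def diary_formula(password: str, username: str, secret: bytes = SECRET) -> bytes:
    """One application of the diary's formula: sha1(sha1(password) + sha1(username) + secret).
    Hashing password and salt separately first yields fixed-length hex strings, so odd
    characters in either no longer matter."""
    h_pw = hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")
    h_user = hashlib.sha1(username.encode("utf-8")).hexdigest().encode("ascii")
    return hashlib.sha1(h_pw + h_user + secret).digest()


def diary_hash(password: str, username: str, secret: bytes = SECRET, rounds: int = 100) -> str:
    """The formula above, re-hashed (rounds - 1) more times: the 'apply it 100 times' hardening."""
    digest = diary_formula(password, username, secret)
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()


def verify_diary(stored_hex: str, password: str, username: str,
                 secret: bytes = SECRET, rounds: int = 100) -> bool:
    """Re-compute and compare in constant time; a plain == leaks timing information."""
    return hmac.compare_digest(diary_hash(password, username, secret, rounds), stored_hex)


# The same idea with a standardized construction (PBKDF2, RFC 2898): per-user random
# salt, configurable work factor, and the parameters stored next to the hash so the
# scheme can be upgraded later.
def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, min_iterations: int = 100_000) -> bool:
    """True if a record was written with a weaker work factor: re-hash it on the next successful login."""
    return int(stored.split("$")[1]) < min_iterations


if __name__ == "__main__":
    # Same password, two users: the username salt yields two different hashes.
    print(diary_hash("correct horse battery staple", "alice@example.com"))
    print(diary_hash("correct horse battery staple", "bob@example.com"))
    rec = pbkdf2_hash("correct horse battery staple")
    print(rec, verify_pbkdf2(rec, "correct horse battery staple"))
```

Note that with the username as salt, changing the username or e-mail address invalidates the stored hash (the diary says as much); the PBKDF2 record sidesteps that by carrying its own random salt.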

Introducing minimum password strength requirements may also help, but can also lead to annoyed users. The best defense against brute forcing a password hash is a long password using a diverse character set. Even if you do not require strong passwords, you should at least not restrict the length or the character set. Hashing the password as soon as it is received (for example as part of input validation) helps mitigate any risks due to odd characters a user may use. Passwords should never be echoed back to the user.
As a user, how do you know if your password is hashed? There isn't a bulletproof way to figure it out. But there are some indications that it is not hashed:
- The length or the characters you are allowed to use are limited. If the password is hashed, it doesn't matter how long the original password was.

- As part of password recovery, the site returns your old password (very bad... and proof that the password was not hashed).
For the paranoid, you may want to do the hashing on the client side (JavaScript). This way, the server never receives the plain text password. We do this here for the ISC website on our login form [2]. This implementation falls back to server-side hashed passwords if the user does not enable JavaScript. Note that the client-side hash then becomes the credential the server verifies, so the server must still salt and hash what it receives; otherwise a stolen database is directly usable for login.
If you want to read more about this, Heise.de recently published a nice article about password hashing [3]. This is of course also a topic we cover in our secure coding / defending web application classes like DEV522.
NIST is currently finalizing a competition to come up with a new hashing standard, which will be known as SHA-3. The winner should be announced in 2012. Until then, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 are suggested (NIST has already scheduled SHA-1 for phase-out, so prefer the SHA-2 members for new designs). I usually recommend sticking to these standards. As programming languages change, it is likely that they will keep supporting these standard algorithms. Other, less popular algorithms may on the other hand be dropped.
[1] http://csrc.nist.gov/groups/ST/hash/index.html

[2] https://isc.sans.org/login.html

[3] http://www.h-online.com/security/features/Storing-passwords-in-uncrackable-form-1255576.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Offshoring IT work to India, China, Eastern Europe, and even South America has been a staple of IT cost reduction. And by definition the Cloud means location independence. Generally speaking, they're practically made for each other.
 
MasterCard's main website was unavailable for Tuesday as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks.
 
Alcatel-Lucent is charting a course to the next generation of carrier routers with new silicon that is focused today on delivering services from the edge of a network but could also power a massive packet engine for the core.
 
Apple's iOS and Google's Android smartphone platforms are more secure than traditional desktop-based operating systems, but are still susceptible to many existing categories of attacks, according to a 23-page report from security software vendor Symantec.
 
With Office 365 now available in final form, here's what you need to know to decide if Office 365 or Google Apps (or neither) is right for your organization
 
Joomla! CMS Multiple Cross Site Scripting Vulnerabilities
 
Cellcrypt released a version of its voice encryption software for Apple's iPhone on Tuesday, adding to its portfolio of software to prevent eavesdropping on calls.
 
A French publishing company has filed suit against Google, alleging anti-competitive practices and claiming $420 million U.S. in damages.
 

Posted by InfoSec News on Jun 28

http://latimesblogs.latimes.com/technology/2011/06/hacker-group-claims-to-expose-identitites-of-lulzsec-members.html

By Salvador Rodriguez
Technology
Los Angeles Times
June 27, 2011

An Internet hacker group calling itself the A-Team has published a
document it claims reveals the identities of at least some members of
the recently retired hacker network LulzSec, including phone numbers,
addresses, Facebook URLs and even the identities of some...
 

Posted by InfoSec News on Jun 28

http://www.theaustralian.com.au/australian-it/insiders-suspected-in-victoria-web-host-hack/story-e6frgakx-1226083028299

By Chris Griffith
The Australian
June 28, 2011

The new owner of a web hosting company ruined by a devastating hacking
event over the Queen's Birthday weekend has not ruled out an inside job.

The 30-minute hacking episode that led to the downfall of
Victorian-based distribute.IT has been referred to the Australian...
 

Posted by InfoSec News on Jun 28

http://www.federalnewsradio.com/?nid=35&sid=2438535

By Jared Serbu
Reporter
Federal News Radio
June 27, 2011

Experts from outside government criticized the White House's legislative
proposal for cybersecurity Friday, saying the bill the administration
has proposed could make the nation's critical infrastructure less
secure.

The House Homeland Security Subcommittee on Cybersecurity invited
testimony from witnesses outside...
 

Posted by InfoSec News on Jun 28

http://www.computerworld.com/s/article/9217968/DHS_releases_software_security_scoring_system

By Jaikumar Vijayan
Computerworld
June 28, 2011

The Department of Homeland Security (DHS), along with the SANS Institute
and Mitre, released a scoring system on Monday designed to help
enterprises verify whether the software they are using meets reasonable
standards for secure coding.

The organizations released an updated list of the Top 25 most...
 

Posted by InfoSec News on Jun 28

http://www.kvoa.com/news/dps-response-to-recent-cyber-attack/

KVOA.com
June 27, 2011

ARIZONA - The Arizona Department of Public Safety released the following
statement Monday regarding the recent cyber attack on the department's
computer system.

DPS Statement:

The week of June 20, 2011, the Arizona Department of Public Safety
became aware that their email system had been compromised by a known
cyber terrorism group, known as LulzSec....
 
Google's personal health record service, Google Health, failed to take off because of poor marketing and a lack of functionality that consumers insist is required if they're to use the online medical records.
 
Geeks like to play outdoors too -- as long as they have the right equipment. These 10 high-tech toys are perfect for summer adventures.
 
On Monday, Microsoft's top IE executive joined a fellow exec at the software giant to criticize Mozilla for new Firefox support plans.
 
A 27-year-old man has been sentenced to 13 years in prison for managing a phishing operation in conjunction with Egyptian hackers that looted consumer bank accounts.
 
 
Yasser El kady survived Egypt's revolution to remain CEO of Egypt's IT development arm. He is now in the U.S. traveling city to city to meet with IT companies to assure them that Egypt remains a good place to do business.
 
The Department of Homeland Security, along with the SANS Institute and Mitre, released a scoring system on Monday designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding.
 
 
Citrix EdgeSight Remote Code Execution Vulnerability
 
Novell File Reporter Engine 'RECORD' Tag Remote Code Execution Vulnerability
 
The LulzSec hacking group sailed off into the sunset Saturday, leaving behind a treasure trove of stolen data along with what some antivirus programs identified as a nasty surprise for anyone who downloaded the Torrent file: a Trojan horse program.
 