
InfoSec News



Following up on the earlier post by fellow ISC handler Rob on the RSA Breach, here are a couple of practical things you can look for in the audit log of your RSA ACE (SecurID) server. In line with Rob's scenarios, an attacker who is in possession of the seed values of your SecurID tokens still has to guess the userid and PIN to get a successful login. With ample foresight :), the authors of the ACE/RSA software seem to have expected such a scenario, and have implemented audit log events that fit the case:
AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE will show up in the audit log whenever someone has a good token (or the seed values) and either fumbles or tries to guess the associated PIN. You'll get quite a few of these in normal use, simply because authorized users sometimes forget or mistype their PIN. If you see a lot of these against one single userid, chances are it will lock after n failed attempts and no harm is done. But if you see 1-2 of these per user, spread across several of your users, then you should take a closer look for sure: an attacker holding the seeds gets the tokencode right every time, so the PIN is the only thing left to guess, and keeping the guesses per user below the lockout threshold is exactly how he would avoid tripping it.
AUTH_PRINCIPAL_RESOLUTION / AUTH_ALIASES_NOT_FOUND will appear in the log if the userid that tries to log in does not exist. Again, you can expect a couple of these per day in normal operation; it is just a fact of life that users can't type their own names ... But if you get a lot of these, and especially if the username format is completely different from the userids in use, someone might be trying to guess your users from a phonebook or LinkedIn accounts. Take a closer look!
Irrespective of the recent RSA breach though, there is one audit log entry that you should keep a close eye on:
NEW_STATIC_PCODE_AUTH_SUCCESS shows up in the log whenever someone logs in with a static passcode. This means that the user has lost his token, or never had one, and that someone with ACE Admin privileges has assigned a static password instead. Yes, this is possible, and it basically turns two-factor authentication into two-password authentication, while everyone can still claim to the auditors that login goes via the SecurID server. There are legitimate emergencies for this kind of login, but it certainly is a dangerous option to have: if someone can smooth-talk your Helpdesk, they can get in without needing a token. Every one of these entries should map back to a Helpdesk ticket with a known requester and an expiry date on the static passcode.
Considering the latter, you probably shouldn't worry all that much about what was or wasn't stolen in the recent RSA heist. But if you're not doing so yet, you certainly should check your ACE server audit log.
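To make the three checks above concrete, here is a small triage script. It is an added example, not code from the ISC diary or from RSA: the log format it parses (one tab-separated event per line with timestamp, event name, userid and client address), the lockout threshold, the userid naming convention and the sample log lines are all assumptions, and the real Authentication Manager export will need its own parse_log(). It looks for PIN guessing spread thinly across many users from one source, users that have been hammered to lockout, unknown-user events whose names do not even look like local userids, and every static-passcode login.

```python
"""Triage of the three RSA ACE/SecurID audit-log events discussed above.

Added example, not part of the ISC diary. The log format is an
assumption: one event per line, tab-separated as
    <timestamp> <EVENT_NAME> <userid> <client-ip>
Real Authentication Manager exports look different; adapt parse_log().
"""
import re
from collections import defaultdict
from typing import List, Tuple

BAD_PIN = "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE"
NO_SUCH_USER = {"AUTH_PRINCIPAL_RESOLUTION", "AUTH_ALIASES_NOT_FOUND"}
STATIC_PCODE = "NEW_STATIC_PCODE_AUTH_SUCCESS"

# Assumed site policy (hypothetical values): a user locks after this many
# bad PINs, and legitimate userids look like "jsmith" or "jsmith2".
LOCKOUT_THRESHOLD = 5
USERID_FORMAT = re.compile(r"^[a-z]{2,12}\d{0,2}$")

Event = Tuple[str, str, str, str]   # (timestamp, event, userid, client_ip)

# Constructed sample log, not real data. 10.9.8.7 holds working tokencodes
# and spends two PIN guesses per user (under the lockout), hammers one user
# until lockout, and probes "first.last" names that are not valid userids.
# 192.0.2.x hosts are ordinary users fumbling, plus one static-passcode login.
SAMPLE_LOG = """\
2011-03-28T08:01:02\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tjsmith\t10.9.8.7
2011-03-28T08:01:40\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tjsmith\t10.9.8.7
2011-03-28T08:02:11\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tmmueller\t10.9.8.7
2011-03-28T08:02:55\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tmmueller\t10.9.8.7
2011-03-28T08:03:30\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tpchen\t10.9.8.7
2011-03-28T08:04:02\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tpchen\t10.9.8.7
2011-03-28T08:04:45\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tadoyle\t10.9.8.7
2011-03-28T08:05:20\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tadoyle\t10.9.8.7
2011-03-28T08:06:00\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tdlee\t10.9.8.7
2011-03-28T08:06:10\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tdlee\t10.9.8.7
2011-03-28T08:06:20\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tdlee\t10.9.8.7
2011-03-28T08:06:30\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tdlee\t10.9.8.7
2011-03-28T08:06:40\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tdlee\t10.9.8.7
2011-03-28T08:07:15\tAUTH_PRINCIPAL_RESOLUTION\tjohn.smith\t10.9.8.7
2011-03-28T08:07:40\tAUTH_PRINCIPAL_RESOLUTION\tmaria.mueller\t10.9.8.7
2011-03-28T08:08:05\tAUTH_ALIASES_NOT_FOUND\tpeter.chen\t10.9.8.7
2011-03-28T09:12:00\tAUTH_FAILED_BAD_PIN_GOOD_TOKENCODE\tbwong\t192.0.2.44
2011-03-28T09:12:20\tAUTH_SUCCESS\tbwong\t192.0.2.44
2011-03-28T09:30:00\tAUTH_ALIASES_NOT_FOUND\tjsmiht\t192.0.2.10
2011-03-28T10:02:00\tNEW_STATIC_PCODE_AUTH_SUCCESS\tkjones\t192.0.2.50
"""


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split("\t")
        events.append((ts, event, user, ip))
    return events


def bad_pin_counts(events):
    """(client_ip, userid) -> number of good-tokencode / bad-PIN failures."""
    counts = defaultdict(int)
    for _, event, user, ip in events:
        if event == BAD_PIN:
            counts[(ip, user)] += 1
    return counts


def find_spread_pin_guessing(events, min_users=3):
    """Sources that spent a sub-lockout number of PIN guesses on several
    different users: the pattern a seed holder would use to stay under
    the lockout threshold. Returns {client_ip: sorted userids}."""
    per_source = defaultdict(set)
    for (ip, user), n in bad_pin_counts(events).items():
        if 0 < n < LOCKOUT_THRESHOLD:
            per_source[ip].add(user)
    return {ip: sorted(users) for ip, users in per_source.items()
            if len(users) >= min_users}


def find_loud_pin_guessing(events):
    """Users that reached the lockout threshold (noisy, but worth a ticket)."""
    per_user = defaultdict(int)
    for (_, user), n in bad_pin_counts(events).items():
        per_user[user] += n
    return {u: n for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD}


def find_unknown_user_guessing(events):
    """Count of unknown-user events, plus the names that do not even
    look like local userids (phonebook / LinkedIn style guesses)."""
    unknown = [user for _, event, user, _ in events if event in NO_SUCH_USER]
    odd = sorted(u for u in unknown if not USERID_FORMAT.match(u))
    return len(unknown), odd


def find_static_passcode_logins(events):
    """Every static-passcode login is a policy exception: review each one."""
    return [(user, ip) for _, event, user, ip in events if event == STATIC_PCODE]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("spread PIN guessing by source:", find_spread_pin_guessing(ev))
    print("users at lockout:", find_loud_pin_guessing(ev))
    print("unknown users (total, odd-looking):", find_unknown_user_guessing(ev))
    print("static passcode logins:", find_static_passcode_logins(ev))
```

Grouping the bad-PIN failures by source address is what separates the low-and-slow case from ordinary fumbling: bwong's single mistake from a workstation never reaches the three-user threshold, while 10.9.8.7 touching four users with two guesses each does. An attacker spreading the guesses over many source addresses would defeat the per-source grouping, so the distinct-user count across all sources is worth watching as well.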
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The game of musical chairs continues at Twitter, where co-founder and former CEO Evan Williams will step down as product development leader, a role that will be taken over by Jack Dorsey, another co-founder who had distanced himself from the company's daily operations.
 
NASA has given up on the hope to build a 3D camera for the next robotic rover that the space agency will send to Mars.
 
Sprint Nextel has vowed to fight AT&T's proposed US$39 billion acquisition of T-Mobile USA, calling the deal a bid to create a new telecommunications duopoly.
 
There are several keys to effective fraud prevention, but some of the most important tools in the corporate toolbox are strong internal controls. Equally important, though, are the company's attitude towards fraud, internal controls and an ethical organizational culture. While ethical culture is driven by senior management's control environment ("tone at the top"), buy in from the company's Board of Directors and Audit Committee are also essential in promoting an ethical and transparent environment.
 
It has been quite a month for organizations mishandling bad situations. In all of these cases, delays in reporting the problem made it worse, and in one case the decision to not be forthcoming about the actual risk may cost a company most of its customers.
 
How JetBlue's CIO instills a culture of innovation throughout his IT organization
 
Attack enabled hackers to gain access to various databases containing account credentials associated with the website.

 
(Credit to fellow ISC handler Richard Porter for the idea given to someone who e-mailed in looking for ways to detect rogue APs)
Most organizations have policies that disallow wireless access points not controlled by the organization, which then requires finding such devices when they crop up. There are commercial devices that can be deployed to do this, and you could always have someone do a walkthrough with a laptop. However, there are some network tricks you can use to provide another quick-and-dirty detection method.
If a rogue AP is plugged into your network and routes (typically NATs) traffic between its wireless clients and your LAN, which is how consumer-grade APs behave out of the box, it decrements the TTL of every packet that traverses it by one. This makes it easy to detect the presence of those by using p0f/tcpdump/snort to look for packets that have TTL values lower than expected. This also works for unauthorized routers, virtual machines behind NAT, bad network stack configurations, etc. It has some gaps: it won't detect APs that aren't plugged into your network, an AP configured as a plain bridge forwards frames without touching the IP header and so won't show up, and a savvy individual could raise the TTL their host uses before sending packets out. But again, it is a dirty method of detection. The advantage of looking for bad TTLs is that you will also get advance detection of network problems (routing loops, unexpected paths) as well.
You can profile your network and find legitimate TTL values by running tcpdump -v and verifying the information against a network diagram: hosts start at an OS-specific initial value (64 for Linux, BSD and Mac OS X, 128 for Windows), and each router, NAT device, etc. will lower the TTL by 1, so a packet from a given segment should arrive at your sensor with the initial value minus the number of routed hops in between. Anything lower went through a hop that isn't on the diagram.
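Here is the check carried out in code. It is an added example, not part of the ISC diary: it reads the two-line-per-packet format that `tcpdump -v` prints for IPv4, the subnet-to-hop-count table stands in for the network diagram (hypothetical addressing), and the captured lines are constructed. Beyond the plain "one hop too many" test, it also flags a source address that shows TTLs from two different initial values at once, which is what several operating systems hiding behind one NATing AP look like.

```python
"""Flag hosts whose packets arrive with a lower TTL than the network
diagram predicts, i.e. that passed through an extra routing hop.

Added example, not code from the ISC diary. Input is the two-line
per-packet format that `tcpdump -v` prints for IPv4; the sample below
is constructed, and the subnet-to-hop-count table is an assumed
network diagram.
"""
import ipaddress
import re
from collections import defaultdict

# Initial TTLs the common stacks use: 64 (Linux, BSD, Mac OS X),
# 128 (Windows), 255 (some network gear, Solaris).
INITIAL_TTLS = (64, 128, 255)

# Assumed diagram: routed hops between each source subnet and the
# sensor that runs tcpdump (hypothetical addressing).
BASELINE_HOPS = {
    ipaddress.ip_network("10.1.5.0/24"): 0,    # sensor's own segment
    ipaddress.ip_network("10.1.20.0/24"): 1,   # user VLAN, one router away
    ipaddress.ip_network("10.1.30.0/24"): 2,   # branch, two routers away
}

HEADER_RE = re.compile(r"^\S+ IP \(tos \S+, ttl (\d+),")
ADDR_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > ")

# Constructed tcpdump -v excerpt. 10.1.20.77 is a consumer AP doing NAT:
# its Linux and Windows wireless clients both show up one TTL short.
SAMPLE = """\
08:15:01.000001 IP (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.1.20.15.51234 > 10.1.5.10.443: Flags [S], seq 1, win 29200, length 0
08:15:01.000002 IP (tos 0x0, ttl 127, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.20.22.49321 > 10.1.5.10.443: Flags [S], seq 1, win 8192, length 0
08:15:01.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto ICMP (1), length 84)
    10.1.5.30 > 10.1.5.10: ICMP echo request, id 7, seq 1, length 64
08:15:01.000004 IP (tos 0x0, ttl 62, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    10.1.20.77.40001 > 10.1.5.10.443: Flags [S], seq 1, win 29200, length 0
08:15:01.000005 IP (tos 0x0, ttl 126, id 5, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.20.77.40002 > 10.1.5.10.443: Flags [S], seq 1, win 8192, length 0
08:15:01.000006 IP (tos 0x0, ttl 126, id 6, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.30.8.3389 > 10.1.5.10.55000: Flags [S.], seq 1, ack 2, win 8192, length 0
"""


def parse_tcpdump_v(text):
    """Return [(src_ip, ttl)] from tcpdump -v output: a header line
    carrying the TTL, followed by the indented address line."""
    ttl = None
    out = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ttl = int(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m and ttl is not None:
            out.append((ipaddress.ip_address(m.group(1)), ttl))
            ttl = None
    return out


def guess_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    return next(t for t in INITIAL_TTLS if ttl <= t)


def expected_hops(src):
    for net, hops in BASELINE_HOPS.items():
        if src in net:
            return hops
    return None


def extra_hops(src, ttl):
    """Hops beyond what the diagram allows: 0 means as expected,
    None means the source subnet is not in the baseline table."""
    src = ipaddress.ip_address(src)
    hops = expected_hops(src)
    if hops is None:
        return None
    return (guess_initial_ttl(ttl) - hops) - ttl


def find_suspects(text):
    """{src_ip: sorted TTLs seen} for sources that took an extra hop."""
    suspects = defaultdict(set)
    for src, ttl in parse_tcpdump_v(text):
        extra = extra_hops(src, ttl)
        if extra is not None and extra > 0:
            suspects[str(src)].add(ttl)
    return {ip: sorted(ttls) for ip, ttls in suspects.items()}


def mixed_ttl_families(text):
    """Sources seen with TTLs that imply different initial values: the
    signature of several operating systems behind one NAT address."""
    families = defaultdict(set)
    for src, ttl in parse_tcpdump_v(text):
        families[str(src)].add(guess_initial_ttl(ttl))
    return sorted(ip for ip, fams in families.items() if len(fams) > 1)


if __name__ == "__main__":
    print("excess-hop sources:", find_suspects(SAMPLE))
    print("mixed OS behind one address:", mixed_ttl_families(SAMPLE))
```

Feed it a real capture with `tcpdump -v -n -i eth0 > capture.txt` and pass the file contents to find_suspects(). The initial-TTL guess is the weak spot: a host that starts at 64 and is ten hops too far away still reads as "64 minus a few", so the per-subnet hop table has to be right, and a source that turns up in neither the table nor the suspects list should be added to the diagram rather than ignored.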
--

John Bambenek

Bambenek Consulting

bambenek at gmail /dot/ com
 
Undisclosed federal authorities are seeking the work laptop of an Infosys worker who sued the firm after it allegedly asked him to help get temporary B-1 visas for some workers.
 
Although Apple today announced that its Worldwide Developers Conference (WWDC) will begin June 6, analysts are starting to question whether the company will introduce its next iPhone at the event.
 
Kaminario has released a new version of its KS DRAM Storage Appliance that starts at $50,000, offers 150,000 IOPS and 1.6GB/sec throughput.
 
Billionaire investor Warren Buffett warned others to be wary of sinking their money into overinflated social networking companies.
 
Google is said to be working with MasterCard and Citigroup to deploy NFC technology inside of Android phones to allow mobile payments. Apple is expected to deliver NFC on its next iPhone, which could create critical mass for mobile payments. Will you ditch your wallet and use your smartphone for payments?
 
Java founder James Gosling has taken a job with Google, he revealed in a blog post.
 
A former owner of an Illinois tech firm pleads guilty to conspiracy related to E-Rate fraud.
 
Organizations are failing to protect corporate trade secrets, despite cybercriminals finding a corporations' proprietary information growing in value.

 
As storage grows more complex, tech support becomes utterly indispensable -- so it pays to learn how to get the info you need.
 
They're working on a Web-based service and want to build in the authentication capability. But why not just use Active Directory?
 
Google, MasterCard and Citigroup are reportedly working together on Near-Field Communication technology inside Android phones to allow quick, contact-less payments at 150,000 NFC-ready terminals in the U.S.
 
Mozilla's Firefox 4's browser usage share grew over two-and-a-half times in the six days since its March 22 launch, a Web analytics company said today.
 
ZDI-11-113: Zend Server Java Bridge Design Flaw Remote Code Execution Vulnerability
 
American Express now allows users to make online payments on iOS- and Android-based devices.
 
EBay has agreed to acquire for about US$2.4 billion GSI Commerce, whose suite of e-commerce and digital marketing tools and services are expected to boost eBay's online marketplace and PayPal e-payment businesses.
 
Paul Baran, whose Cold War era invention of packet-switching technology helped to lay the foundation for the Internet, has died at the age of 84.
 
Intel today released the next generation of its consumer-class solid-state drive, replacing the retail market's best-selling X25-M line and likely heralding the end of an era for SLC-based enterprise-class NAND flash drives.
 
[AntiSnatchOr] OpenCMS <= 7.5.3 multiple vulnerabilities
 
[ MDVSA-2011:054 ] java-1.6.0-openjdk
 
 
[security bulletin] HPSBMA02649 SSRT100430 rev.1 - HP Diagnostics, Remote Cross Site Scripting (XSS)
 
Wordpress plugin BackWPup Remote and Local Code Execution Vulnerability - SOS-11-003
 
TSSA-2011-01 xpdf : multiple vulnerabilities allow remote code execution
 
[SECURITY] [DSA 2204-1] imp4 security update
 
Yahoo is planning to release some technologies to the open source community
 
Oracle's MySQL.com customer website was compromised over the weekend by a pair of hackers who publicly posted usernames, and in some cases passwords, of the site's users.
 
Horde IMP Webmail 'fetchmailprefs.php' HTML Injection Vulnerability
 
Debian/Ubuntu Linux 'shadow' Package Local Security Bypass Vulnerability
 
Oracle Java SE and Java for Business CVE-2010-4472 Remote Java Runtime Environment Vulnerability
 
Japanese DRAM maker Elpida Memory on Monday said its factories are operating "at close to normal levels" two weeks after the 9.0-magnitude earthquake in Japan, and that it has "sufficient parts and materials to continue supplying our customers as usual until the end of July."
 
InfoSec News: (Slightly Off-Topic) The Greatest Pre-Launch Start-Up Pitch Ever?: This is slightly off-topic for InfoSec News, but I've started paying attention to the venture capital security space for possible inclusion in the next version of ISN.
BUT... if you're an angel or venture capitalist and would like to hear a couple of interesting security and networking ideas, please drop me a line at wk (at) infosecnews [Dot] org and I'll be happy to put you in touch with those parties.
So I've watched this YouTube video below about three times, and I was convinced this was one of the best social engineering stunts ever caught on video, until I started 'lightly' researching 'Rachel Sequoia' and found the article below. Now I'm not so sure; I think she's serious.
http://www.youtube.com/watch?v=wyrFWbGiGOc
Enjoy!
William Knowles @ InfoSecNews.org
-==-
http://networkeffect.allthingsd.com/20110325/viral-video-the-greatest-pre-launch-start-up-pitch-ever/
By Liz Gannes NetworkEffect AllThingsD March 25, 2011
It’s start-up demo season in Silicon Valley (not that pitching start-ups ever goes out of season in California). And here is a video of the Silicon Valley start-up pitch in its most ultimate form. I have watched this at least four times tonight.
Let’s not give away too much of the big idea, but every good pitch needs…Stories of personal relevance! Mumbo-jumbo about a big market! A plan to spend and make money! Boasts of differentiated technology! A check-in app!
“Share the Air” lacks none of these.
How real is this? Well, presenter Rachel Sequoia apparently did participate in an investor pitch session at the one (and only?) meeting of the Venture Capital Fundraising Club of Silicon Valley in February.
[...]
 
InfoSec News: Medical identity theft a rising and significant threat: http://www.csoonline.com/article/678229/medical-identity-theft-a-rising-and-significant-threat
By George V. Hulme CSO March 25, 2011
When most people think of identity theft, it's credit card transaction fraud or perhaps a criminal taking out a car loan or a mortgage in someone else's name. [...]
 
InfoSec News: Computer files lost at Maryville: http://www.chicagobreakingnews.com/news/local/chibrknews-computer-files-lost-at-maryville-20110325,0,783981.story
Chicago Breaking News Staff report March 25, 2011
A Des Plaines-based social service agency that serves abused children announced today that computer files containing personal and medical information on almost 4,000 children who lived at agency facilities dating back to 1992 are missing.
Maryville Academy, which last year worked with about 1,600 children in residential, shelter and hospital programs, lost three files with information on about 3,900 people, the agency said in an email this afternoon. The files were either stolen or misplaced.
The files were in a locked storage room in Maryville’s facility in Des Plaines. The agency is investigating how they may have disappeared, Sister Catherine F. Ryan, Maryville’s executive director, said in the statement.
Data in the files may include birth dates, relatives’ names, Social Security numbers, medical treatment and other information.
[...]
 
InfoSec News: Russian Security Team to Upgrade SCADA Exploit Tool: http://www.pcworld.com/businesscenter/article/223317/russian_security_team_to_upgrade_scada_exploit_tool.html
By Jeremy Kirk IDG News March 25, 2011
A Russian security company plans to release an upgraded exploit pack for industrial control software that incorporates a raft of new [...]
 
InfoSec News: Bank Of America Accounts Hacked: http://www.clickondetroit.com/news/27328557/detail.html
WDIV Detroit March 26, 2011
ROYAL OAK, Mich. -- Thousands of Bank of America customers' account information could be in jeopardy after a major security breach.
Christy Clark went to a Royal Oak drug store Friday, but when her debit [...]
 
InfoSec News: Solo Iranian hacker takes credit for Comodo certificate attack: http://www.computerworld.com/s/article/9215245/Solo_Iranian_hacker_takes_credit_for_Comodo_certificate_attack
By Gregg Keizer Computerworld March 27, 2011
A solo Iranian hacker on Saturday claimed responsibility for stealing multiple SSL certificates belonging to some of the Web's biggest sites, [...]
 
InfoSec News: Saskatchewan privacy commissioner dumpster dives to recover medical files: http://www.winnipegfreepress.com/arts-and-life/life/health/saskatchewan-privacy-commissioner-wades-through--dumpster-to-recover-files-118588064.html
By Jennifer Graham The Canadian Press 03/24/2011
REGINA - Dumpster diving isn't something Saskatchewan's privacy [...]
 
Apple received good and bad news from the U.S. International Trade Commission on Friday.
 
Developing a résumé for a CIO position requires a different approach than for midlevel IT roles. Here are three key areas you need to focus on.
 

Posted by InfoSec News on Mar 28

http://www.clickondetroit.com/news/27328557/detail.html

WDIV Detroit
March 26, 2011

ROYAL OAK, Mich. -- Thousands of Bank of America customers' account
information could be in jeopardy after a major security breach.

Christy Clark went to a Royal Oak drug store Friday, but when her debit
card was declined, she knew something was wrong. “I was very
embarrassed,” Clark said.

She went straight to the Bank of America branch near 12 Mile...
 

Posted by InfoSec News on Mar 28

http://www.computerworld.com/s/article/9215245/Solo_Iranian_hacker_takes_credit_for_Comodo_certificate_attack

By Gregg Keizer
Computerworld
March 27, 2011

A solo Iranian hacker on Saturday claimed responsibility for stealing
multiple SSL certificates belonging to some of the Web's biggest sites,
including Google, Microsoft, Skype and Yahoo.

Early reaction from security experts was mixed, with some believing the
hacker's claim, while others...
 

Posted by InfoSec News on Mar 28

http://www.winnipegfreepress.com/arts-and-life/life/health/saskatchewan-privacy-commissioner-wades-through--dumpster-to-recover-files-118588064.html

By Jennifer Graham
The Canadian Press
03/24/2011

REGINA - Dumpster diving isn't something Saskatchewan's privacy
commissioner makes a habit of, but this time Gary Dickson says he was
left with little choice.

Dickson and two assistants had to wade through a massive recycling
dumpster this week...
 

Posted by InfoSec News on Mar 28

http://www.csoonline.com/article/678229/medical-identity-theft-a-rising-and-significant-threat

By George V. Hulme
CSO
March 25, 2011

When most people think of identity theft, it's credit card transaction
fraud or perhaps a criminal taking out a car loan or a mortgage in
someone else's name. What doesn't always come to mind is someone
stealing identity and medical credentials and then using those to obtain
needed medical care, or selling...
 

Posted by InfoSec News on Mar 28

http://www.chicagobreakingnews.com/news/local/chibrknews-computer-files-lost-at-maryville-20110325,0,783981.story

Chicago Breaking News
Staff report
March 25, 2011

A Des Plaines-based social service agency that serves abused children
announced today that computer files containing personal and medical
information on almost 4,000 children who lived at agency facilities
dating back to 1992 are missing.

Maryville Academy, which last year worked...
 

Posted by InfoSec News on Mar 28

http://www.pcworld.com/businesscenter/article/223317/russian_security_team_to_upgrade_scada_exploit_tool.html

By Jeremy Kirk
IDG News
March 25, 2011

A Russian security company plans to release an upgraded exploit pack for
industrial control software that incorporates a raft of new
vulnerabilities released by an Italian security researcher.

The three-person company, called Gleg, is based in Moscow and
specializes in vulnerability research....
 

Posted by InfoSec News on Mar 28

This is slightly off-topic for InfoSec News, but I've started paying
attention to the venture capital security space for possible inclusion
in the next version of ISN.

BUT... if you're an angel or venture capitalist and would like to hear a
couple of interesting security and networking ideas, please drop me a
line at wk (at) infosecnews [Dot] org and I'll be happy to put you in
touch with those parties.

So I've watched this YouTube video...
 
