InfoSec News

The most 10 outstanding ICT events in 2011
VietNamNet Bridge
According to CMC Infosec, a security company, during that time, at least 300 big websites with the domain name of “.org.vn” and “.gov.vn” were hacked. VietNamNet online newspaper was the aiming point of a lot of attacks which led to the complete ...

Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, describing a flaw that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available in the associated whitepaper. In reality, it acts as a kind of backdoor for Wi-Fi access points and routers.
The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.
It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected because WPS presents serious weaknesses that allow an attacker to determine whether half of the PIN is correct (do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the number of attempts required to brute force the entire PIN from 100 million (10^8) to 11,000 (10^4 + 10^3). The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporary) lock out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.
The researcher used a Python (Scapy-based) tool that has not been released yet, although other tools that allow testing for the vulnerability have been made public, such as Reaver. The current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality a 7 digit PIN, 4+3+1 digits).
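An added example, not code from the diary or from the researcher's tool: an offline model of the split PIN check described above, used to compare worst-case exhaustion time with and without a temporary lockout. `ToyRegistrar`, the lockout parameters and the 2 seconds per attempt are assumptions chosen for illustration.

```python
# Added example: offline model of WPS PIN checking (no Wi-Fi or network code).
# ToyRegistrar, the lockout parameters and 2 s per attempt are assumptions.

class ToyRegistrar:
    """Confirms the first 4 digits and the next 3 separately (the design flaw)."""

    def __init__(self, half1, half2, lock_after=None, lock_secs=0, secs_per_try=2):
        self.half1, self.half2 = half1, half2
        self.lock_after, self.lock_secs = lock_after, lock_secs
        self.secs_per_try = secs_per_try
        self.clock = 0       # virtual seconds elapsed
        self.attempts = 0
        self.failures = 0    # failures since the last lockout

    def check(self, g1, g2):
        """Return 'half1' or 'half2' naming the part that failed, or 'ok'."""
        if self.lock_after and self.failures >= self.lock_after:
            self.clock += self.lock_secs   # temporary lockout must be waited out
            self.failures = 0
        self.attempts += 1
        self.clock += self.secs_per_try
        if g1 == self.half1 and g2 == self.half2:
            return "ok"
        self.failures += 1
        return "half1" if g1 != self.half1 else "half2"


def split_worst_case(lock_after=None, lock_secs=0):
    """(attempts, hours) to exhaust both halves when the PIN is the last candidate."""
    reg = ToyRegistrar(9999, 999, lock_after, lock_secs)
    for g1 in range(10**4):                 # phase 1: up to 10^4 guesses
        if reg.check(g1, 0) != "half1":
            break
    for g2 in range(10**3):                 # phase 2: up to 10^3 guesses
        if reg.check(g1, g2) == "ok":
            break
    return reg.attempts, reg.clock / 3600


def monolithic_worst_case_hours(secs_per_try=2):
    """Hours for 10^8 guesses if the PIN were only confirmed as a whole."""
    return 10**8 * secs_per_try / 3600


if __name__ == "__main__":
    print("no lockout:        ", split_worst_case())
    print("3 failures -> 60 s:", split_worst_case(3, 60))
    print("monolithic (hours):", round(monolithic_worst_case_hours()))
```

With these assumed numbers the split check is exhausted in about 6 hours, and a 60-second lockout after every three failures stretches that to about 67 hours. A PIN confirmed only as a whole would need roughly 55,556 hours at the same rate, so a lockout slows the search but does not restore the original search space.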
Lots of Wi-Fi devices available in the market implement WPS. A significant number seem to implement the PIN authentication option (the vulnerable mechanism, called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec to become WPS certified (by the Wi-Fi Alliance), and a very relevant number still seem to have WPS enabled by default. Based on that, and the experience we had with similar Wi-Fi vulnerabilities over the last decade, it might take time for the Wi-Fi industry to fix the design flaw and release a new WPS version, it will take more time for (all) vendors to release a new firmware version that fixes or mitigates the vulnerability, and it will take even more time for end users and companies to deploy a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).

To sum up, millions of devices worldwide might be affected and it will take months (or years - think of WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:
Disable WPS!!
This diary extends the Wi-Fi security posture of previous ISC diaries, where we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available in mid-January 2012).

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Top Three Trending Info-sec Issues for 2012 and Beyond
Windows IT Pro (blog)
or a Infosec wish list for the new year. But this year I wanted to focus on a few of the issues I see as taking up more and more of your Infosec time in the coming years, if they haven't already been. These are emerging issues that have impact all ...

HP Database Archiving Software Remote Arbitrary Code Execution Vulnerability
Microsoft .NET Framework CVE-2011-3416 ASP.NET Forms Security Bypass Vulnerability
Microsoft .NET Framework ASP.NET Forms CVE-2011-3417 Security Bypass Vulnerability
Microsoft ASP.NET Hash Collision Denial Of Service Vulnerability
Microsoft .NET Framework CVE-2011-3415 Forms Authentication URI Spoofing Vulnerability
Microsoft .NET Framework ASP.NET Forms Security Bypass Vulnerability
We have been tracking this issue. Microsoft has an excellent write up on this. Some of my clients and my own company received alerts directly from Microsoft. If you are a heavy ASP.Net user, please look into these issues and take proper steps to work around and patch.

MSFT is listing a WebCast on the OOB Patch [1]
Also a couple of great write ups and release. [2]
[1] https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032502798
[2] http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Richard Porter
--- ISC Handler on Duty
HP Managed Printing Administration Multiple Remote Security Vulnerabilities
Apache Tomcat Hash Collision Denial Of Service Vulnerability
Jetty Hash Collision Denial Of Service Vulnerability
Ruby Hash Collision Denial Of Service Vulnerability
Rack Hash Collision Denial Of Service Vulnerability
Rubinius Hash Collision Denial Of Service Vulnerability
Plone Hash Collision Denial Of Service Vulnerability
Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13
Winn Guestbook v2.4.8c Stored XSS
Hackers armed with a single machine and a minimal broadband connection can cripple Web servers, researchers said Wednesday. Microsoft today shipped an emergency update to fix the flaw.
Verizon on Thursday said its third 4G network problem this month was resolved overnight.
Oracle GlassFish Server Hash Collision Denial Of Service Vulnerability
PHP Web Form Hash Collision Denial Of Service Vulnerability
Re: Wordpress flash-album-gallery plugin Cross-Site Scripting Vulnerabilities
[oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision
[ MDVSA-2011:196 ] ipmitool
[security bulletin] HPSBPI02728 SSRT100692 rev.2 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
[security bulletin] HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execution of Arbitrary Code and Other Vulnerabilities
A critical update affects all versions of Microsoft .NET Framework and other programming languages. The vulnerability could allow denial-of-service attacks.
[ MDVSA-2011:195 ] krb5-appl
Jonah Langlieb asked how to send Google Calendar notifications to any cell phone.
I was fairly positive in my review of the 2010 version of Apple's smallest server, and fortunately, I can say that it's very easy to be happy with the 2011 Mac mini with Lion Server.
We're living in an exciting time in technology: From consumer products such as phones and tablets to the way your home computer accesses the Internet, everything is changing, and mostly for the better. We predict that next year the following ten developments will change the way you interact with the digital world.
Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.NET platform just hours later.
The new year will see one more regional Internet registry run out of IPv4 addresses, but 2012 will be more about prepping for the inevitable shift to IPv6 than an Internet doomsday.
2011 was a consequential year for Apple in good ways -- the iPad 2 and Siri -- and bad -- the loss of Steve Jobs. With the year pretty much in the rear-view mirror, columnist Ryan Faas looks at what's coming for 2012.

Posted by InfoSec News on Dec 28


By Lee Kaelin
December 28, 2011

Stratfor, a global intelligence firm based in Austin, Texas recently
became the latest victim of the online hacker collective Anonymous after
their servers were breached over the Christmas weekend and information
was stolen. Up until now the website of the security think tank remains
offline, with...

Posted by InfoSec News on Dec 28


Yonhap News

SEOUL, Dec. 28 (Yonhap) -- The military has lowered the level of its
cyber warfare readiness system to normal, about a week after raising it
a notch in the aftermath of North Korean leader Kim Jong-il's death, an
official said Wednesday.

The Joint Chiefs of Staff (JCS) official said the information operations

Posted by InfoSec News on Dec 28


By Adam Segal
Council on Foreign Relations
December 27, 2011

Chinese analysts and officials like to point out that it was the United
States that first set up Cyber Command and thus, in their view,
militarized cyberspace. Yet Chinese military thinkers are clearly
thinking about what type of organizations and institutions they will
need to conduct offensive cyber...

Posted by InfoSec News on Dec 28


By Fahmida Y. Rashid

Securely sanitizing hard disk drives and other IT equipment is critical
when retiring old and obsolete equipment to prevent leaking sensitive

A new computer, mobile device or other IT equipment generally requires
some effort setting up and migrating data. Enterprises also need...

Posted by InfoSec News on Dec 28


BorneoPost Online
December 29, 2011

KUALA LUMPUR: Malaysia needs to produce its own cyber information
security software as depending on foreign software may risk information
leaks and intelligence breaches, said a software expert here yesterday.

Universiti Putra Malaysia (UPM) Computer Science and Information
Technology Faculty dean Prof Dr Ramlan...