Information Security News
I mentioned this vulnerability earlier this week in a podcast, but believe it deserves a bit more attention, in particular as exploits are now public and a Metasploit module appears to be in the works.
Dana Taylor (NI @root) released details about the vulnerabilities first in her blog [1]. The post included quite a bit of detail about the respective vulnerabilities. Extended support for Oracle 10g ended July 2013 and a patch is not expected.
If for some reason you are still running Oracle 10g or earlier, please check on possible workarounds or upgrade to 11g.
The vulnerabilities were assigned the following CVE numbers:
CVE-2012-3153 - PARSEQUERY keymap vulnerability
Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1
CVE-2012-3152 - URLPARAMETER code execution
Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.
[1] http://netinfiltration.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Widely used management software running on Target's internal network may have given an important leg up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.
As journalist Brian Krebs reported two weeks ago, malware that infected Target's point-of-sale terminals used the account name "Best1_user" and the password "BackupU$r" to log in to a control server inside the Target network. The malware used the privileged insider access to temporarily stash payment card data siphoned out of the terminals used in checkout lines so it could then periodically be downloaded to a different service for permanent storage. In Wednesday's post, Krebs filled in some intriguing new details that suggest a poorly secured feature inside a widely used server management program may have played a role. Krebs explained:
That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas based BMC Software — includes administrator-level user account called “Best1_user.”
This knowledge base article (PDF) published by BMC explains the Best1_user account is used by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”
“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt.
Krebs went on to quote a part of the BMC article that said:
DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server adds a digital signature to each e-mail authenticating the source. This isn't as good as signing the entire e-mail, but it is a useful tool to at least validate the domain used in the "From" header.
The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For example, you may have different keys, and the wrong key was used, which is one of the trickier issues to debug.
Let's start with the basics: first make sure the e-mail you send is actually signed. Look for the "DKIM-Signature" header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;
s=default; t=1391023518;
bh=wu4x1KKZCyCgkXxuZDq++7322im11hlsCET+KxQ9+48=;
h=To:Subject:Date:From;
b=wVZQsIvZQe0i2YuhFNeUrpfet0wa7cIcwZ8LR9izWuF1E1NDQmpKUImCHO/RlPgYJ
wruW1IunQWRXtd4MQMuUZNsU1rGFzsYXoC4T6rVjHonQtQgoFSoEfo90KtZTC2riev
There are a couple of important pieces to look for: the signing domain ("d=dshield.org") and the selector ("s=default").
Using these two values, we can retrieve the public key from DNS (the TXT record at default._domainkey.dshield.org):
"v=DKIM1\; k=rsa\; p=MIGfMA0G...AQAB"
At this point we know which key was used to sign the headers, and we have the public key to verify it. You probably already spotted the algorithm used to sign the header: "a=rsa-sha256".
DKIM only signs specific headers. In our case, we signed the To, Subject, Date and From headers, as listed in the "h=..." field above.
For the sample e-mail above, these headers are:
Subject: Testing DKIM
Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)
From: [email protected] (Johannes Ullrich)
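To make the manual check above repeatable, here is an added example (not part of the diary) that parses the DKIM-Signature tags, derives the DNS name of the public key, canonicalizes the body per RFC 6376 and compares its hash with "bh=", and assembles the exact data the "b=" signature covers. The sample message, its "To"/"From" addresses and the "b=PLACEHOLDER" value are constructed; the final RSA verification against the DNS key is the one step left out, since it needs the fetched key.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):  # 'v=1; a=rsa-sha256; ...' -> {tag: value}, folding whitespace dropped
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            tag, value = item.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags):  # the public key is the TXT record at <selector>._domainkey.<domain>
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, mode):  # RFC 6376 'simple' or 'relaxed' body canonicalization (CRLF input)
    lines = body.split("\r\n")
    if mode == "relaxed":  # collapse whitespace runs and strip trailing whitespace on every line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":  # both modes ignore empty lines at the end of the body
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def canonicalize_header(name, value, mode):  # 'relaxed' lowercases the name, unfolds, collapses whitespace
    if mode == "relaxed":
        value = re.sub(r"[ \t]+", " ", re.sub(r"[ \t]*\r\n[ \t]*", " ", value)).strip()
        name = name.lower()
    return f"{name}:{value}\r\n"

def body_hash_ok(headers, body):  # recompute bh=; a mismatch means the body changed after signing
    tags = parse_dkim_tags(headers["DKIM-Signature"])
    body_mode = (tags.get("c", "simple").split("/") + ["simple"])[1]  # "c=relaxed" alone means relaxed/simple
    digest = hashlib.sha256(canonicalize_body(body, body_mode).encode()).digest()  # a=rsa-sha256
    return base64.b64encode(digest).decode() == tags["bh"]

def signed_data(headers):  # what b= covers: h= headers in order, then DKIM-Signature with b= emptied, no final CRLF
    tags = parse_dkim_tags(headers["DKIM-Signature"])
    header_mode = tags.get("c", "simple").split("/")[0]
    by_name = {k.lower(): (k, v) for k, v in headers.items()}
    data = "".join(canonicalize_header(*by_name[n.lower()], header_mode) for n in tags["h"].split(":"))
    unsigned = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", headers["DKIM-Signature"])
    return data + canonicalize_header("DKIM-Signature", unsigned, header_mode).rstrip("\r\n")

# Constructed sample, not the diary's real mail: bh= is filled in here, b= is a placeholder (a real
# value would need the dshield.org private key); the d=/s= values are the ones shown in the diary.
SAMPLE_BODY = "Testing   DKIM\r\n\r\n\r\n"
SAMPLE_HEADERS = {"To": "handlers@example.org", "Subject": "Testing DKIM",
                  "Date": "Wed, 29 Jan 2014 19:25:18 +0000 (UTC)", "From": "sender@example.org"}
_bh = base64.b64encode(hashlib.sha256(canonicalize_body(SAMPLE_BODY, "simple").encode()).digest()).decode()
SAMPLE_HEADERS["DKIM-Signature"] = ("v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org; s=default;\r\n\t"
                                    f"bh={_bh}; h=To:Subject:Date:From;\r\n\tb=PLACEHOLDER")
```

Feeding signed_data() and the DNS key into an RSA-SHA256 verify is the last step; if the body hash already fails, the signature check is pointless because the message was modified (or the wrong canonicalization was used) after signing.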
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
The official Angry Birds website was briefly defaced on Tuesday by people protesting reports government spy agencies abuse it and other "leaky" mobile apps to mine the personal details of smartphone users.
For a brief span of time on Tuesday some visitors saw an image of the iconic bird and pig, but with some notable modifications. The image carried the caption "Spying Birds," and the bird had an NSA logo emblazoned on its forehead. The image was captured here on the Zone-H website.
Angry Birds developer Rovio has confirmed its website was briefly hijacked, most likely by hackers who managed to tamper with domain name system settings that ultimately control what server receives requests for a particular domain name. Differences in which servers cached the malicious domain name entries and the amount of time those malicious entries were allowed to persist mean that the spoofed page was visible to only some of the people who were trying to visit the site on Tuesday. The site was not available at the time this post was being prepared for publication.
by Ars Staff
This article originally appeared on Medium.com: How I Lost My $50,000 Twitter Username
I had a rare Twitter username, @N. Yep, just one letter. I've been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my e-mail inbox. As of today, I no longer control @N. I was extorted into giving it up.
While eating lunch on January 20, 2014, I received a text message from PayPal for a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.
Posted by InfoSec News on Jan 29
http://www.forbes.com/sites/tamlinmagee/2014/01/27/trustwave-demonstrates-malware-that-logs-touchscreen-swipes-to-record-your-pin/
http://theweek.com/article/index/255510/forget-hackers-squirrels-are-a-bigger-threat-to-americas-power-grid
http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/
http://www.latimes.com/nation/la-na-nsa-chief-20140128,0,7074152.story
http://the-japan-news.com/news/article/0000977366