Hackin9

Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash. This past week weve had a bunch more, less public but still neat bugs.

First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) - http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.

Who knew? Coders who wrote stuff in C back in the day didnt always write code that knew how much was too much of a good thing. Now that were all looking at problems with bounds checking on input data, expect to see at least a couple more of these!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The latest version of the Android operating system, Lollipop, adds encryption by default, along with a variety of easy-to-use ways to lock and unlock the phone and a more secure foundation to help protect devices against current threats.

In a blog post published on Tuesday, Google described the features, which will begin shipping with the Lollipop operating system in new Android devices in the coming weeks. While some of the capabilities, such as encryption, are already included in the current Android OS, the new version will turn them on by default.

Many of the security features were born of Android’s open-source foundations and the fact that other researchers and companies can create and test new security features for the operating system, Adrian Ludwig, lead security engineer for Android at Google, said during a briefing on the security features.

Read 11 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I think that I will start this Diary with the following statement:

If you use an open source CMS, and you do not update it frequently, there is a very high chance that your website if not only compromised but also part of a botnet.

You probably already saw several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, and also full of vulnerabilities and requires frequent updates.

The third one in this list is Drupal. We mentioned last week, on our podcast about a criticalvulnerability fixed by the developers, and today they released a Public Announcement in regards to that vulnerability. And it is scary (yes, Halloween pun intended...).

The PSAmentions that within hours of the Patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in the Drupal implementations.

As our reader Gebhard noted, there is a very interesting quote in the PSA:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement

This means, that by now, evenif you updated your server, there is very high chance that your server is now part of a botnet...so, if you have a website with Drupal, I would highly recommendthe Recovery section of the PSA document.

---

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apache OpenOffice Calc CVE-2014-3524 Command Injection Vulnerability
 

What IBM can learn from its own cybersecurity business
Network World
If you asked an IBMer about infosec a few years ago, they would point you toward Tivoli identity management or mainframe tools like RACF. Even more recently, IBM acquired network security leader ISS and then buried it within its services group ...

 

A CIO's Interop Takeaways
InformationWeek
Straight, the senior vice president and chief privacy officer of UnitedLex, offered guidelines for developing an infosec strategy that focuses on assessing insider risk. He also shared steps organizations can take to turn this potential liability into ...

 
SEC Consult SA-20141029-1 :: Persistent cross site scripting in Confluence RefinedWiki Original Theme
 
CVE-2014-8399 SQL Injection in NuevoLabs flash player for clipshare
 
SEC Consult SA-20141029-0 :: Multiple critical vulnerabilities in Vizensoft Admin Panel
 
Multiple vulnerabilities in EspoCRM
 
[ MDVSA-2014:212 ] wget
 
[ MDVSA-2014:211 ] wpa_supplicant
 

The unclassified network of the Executive Office of the President—the administrative network of the White House—was breached by attackers thought to be working for the Russian government, according to multiple reports. The Washington Post reported that an investigation is ongoing, and White House officials are not saying what data, if any, was stolen from the computers on the network. “We are still assessing the activity of concern,” an unnamed White House official told the Post.

According to the Post’s anonymous sources, the breach was discovered in early October after a friendly foreign government alerted US officials. The network’s virtual private network access was shut down, and some staff members were told to change passwords. "We took immediate measures to evaluate and mitigate the activity,” the Post’s source at the White House said. “Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.”

This isn’t the first time attackers, apparently sponsored by a foreign state, have targeted the White House’s network. In 2008 and 2012, Chinese hackers penetrated the White House’s network. On the first occasion, the attackers gained access to the White House’s e-mail server; in 2012, a phishing attack against White House staffers gave attackers access to the network, though officials said no sensitive data was exposed.

Read 1 remaining paragraphs | Comments

 

Posted by InfoSec News on Oct 29

http://www.washingtonpost.com/world/national-security/hackers-breach-some-white-house-computers/2014/10/28/2ddf2fa0-5ef7-11e4-91f7-5d89b5e8c251_story.html

By Ellen Nakashima
The Washington Post
October 28, 2014

Hackers thought to be working for the Russian government breached the
unclassified White House computer networks in recent weeks, sources said,
resulting in temporary disruptions to some services while cybersecurity
teams worked to...
 
LinuxSecurity.com: Updated wget package fixes security vulnerability: Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877). [More...]
 
LinuxSecurity.com: Updated wpa_supplicant packages fix security vulnerability: A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system() call resulting in arbitrary [More...]
 
LinuxSecurity.com: Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in Pidgin.
 
Linux Kernel KVM CVE-2014-3645 Denial of Service Vulnerability
 

Posted by InfoSec News on Oct 29

http://www.washingtontimes.com/news/2014/oct/28/army-fitness-standards-for-fat-cyber-warriors-may-/

By Douglas Ernst
The Washington Times
October 28, 2014

There U.S. Army’s recruitment pool keeps getting bigger — around the
waistline — a reality that is forcing its top brass to consider relaxing
fitness standards for future “cyber warriors.”

Maj. Gen. Allen Batschelet, commanding general for the U.S. Army
Recruiting Command at...
 

Posted by InfoSec News on Oct 29

http://english.chosun.com/site/data/html_dir/2014/10/29/2014102901755.html?

By chosun.com
Oct. 29, 2014

Some 20,000 smartphones in South Korea are infected with malicious apps as
a result of a recent North Korean hacking campaign.

National Intelligence Service data revealed on Tuesday say the apps were
posted by North Korean hackers on South Korean websites from May 19 to
Sept. 16 this year.

The NIS claims it has taken steps to delete the...
 

Posted by InfoSec News on Oct 29

The International Conference on Cyber-Crime Investigation and
Cyber Security (ICCICS2014)

November 17-19, 2014
Asia Pacific University of Technology and Innovation (APU), Kuala Lumpur,
Malaysia

http://sdiwc.net/conferences/2014/iccics2014/

iccics2014 () sdiwc net

All registered papers will be included in the publisher's Digital Library.
==============================================================
The conference aims to enable...
 

Posted by InfoSec News on Oct 29

http://arstechnica.com/security/2014/10/research-links-massive-cyber-spying-ring-to-russia/

By Robert Lemos
Ars Technica
Oct 28, 2014

A professional espionage group has targeted a variety of Eastern European
governments and security organizations with attacks aimed at stealing
political and state secrets, security firm FireEye stated in a report
released on Tuesday.

The group, dubbed APT28 by the company, has targeted high level officials...
 

Posted by InfoSec News on Oct 29

http://www.theregister.co.uk/2014/10/29/blackenergy_crimeware_pwning_us_control_systems_cert_warns/

By Darren Pauli
The Register
29 Oct 2014

Industrial control systems in the United States have been compromised by
the BlackEnergy malware toolkit for at least three years in a campaign the
US Computer Emergency Response Team has dubbed "ongoing" and
sophisticated.

Attackers had compromised unnamed industrial control system operators...
 
python-oauth2 Signed URL Nonce Verification Security Bypass Vulnerability
 
python-oauth2 CVE-2013-4347 Multiple Predictable Random Number Generator Weaknesses
 
Multiple Sensys Networks Products CVE-2014-2378 Security Bypass Vulnerability
 
Multiple Sensys Networks Products CVE-2014-2379 Man in the Middle Vulnerability
 

Posted by InfoSec News on Oct 29

http://www.csoonline.com/article/2838369/data-protection/incoming-pci-council-head-ready-to-take-on-the-hackers.html

By Taylor Armerding
CSO
Oct 27, 2014

Stephen W. Orfei is the incoming general manager of the PCI Security
Standards Council. He succeeds the council’s first general manager, Bob
Russo, who will retire at the end of 2014.

Orfei has decades of experience in payment technology, including 13 years
in telecom with MCI...
 
Linux Kernel KVM CVE-2014-3611 Denial of Service Vulnerability
 
Linux Kernel KVM CVE-2014-8369 Denial of Service Vulnerability
 
Linux Kernel KVM CVE-2014-3646 Local Denial of Service Vulnerability
 
Linux Kernel KVM CVE-2014-3690 Local Denial of Service Vulnerability
 
Internet Storm Center Infocon Status