Information Security News
Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash. This past week weve had a bunch more, less public but still neat bugs.
First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) - http://cxsecurity.com/issue/WLB-2014100174
These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.
Who knew? Coders who wrote stuff in C back in the day didnt always write code that knew how much was too much of a good thing. Now that were all looking at problems with bounds checking on input data, expect to see at least a couple more of these!
by Robert Lemos
The latest version of the Android operating system, Lollipop, adds encryption by default, along with a variety of easy-to-use ways to lock and unlock the phone and a more secure foundation to help protect devices against current threats.
In a blog post published on Tuesday, Google described the features, which will begin shipping with the Lollipop operating system in new Android devices in the coming weeks. While some of the capabilities, such as encryption, are already included in the current Android OS, the new version will turn them on by default.
Many of the security features were born of Android’s open-source foundations and the fact that other researchers and companies can create and test new security features for the operating system, Adrian Ludwig, lead security engineer for Android at Google, said during a briefing on the security features.
I think that I will start this Diary with the following statement:
If you use an open source CMS, and you do not update it frequently, there is a very high chance that your website if not only compromised but also part of a botnet.
You probably already saw several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, and also full of vulnerabilities and requires frequent updates.
The third one in this list is Drupal. We mentioned last week, on our podcast about a criticalvulnerability fixed by the developers, and today they released a Public Announcement in regards to that vulnerability. And it is scary (yes, Halloween pun intended...).
The PSAmentions that within hours of the Patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in the Drupal implementations.
As our reader Gebhard noted, there is a very interesting quote in the PSA:
You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement
This means, that by now, evenif you updated your server, there is very high chance that your server is now part of a botnet...so, if you have a website with Drupal, I would highly recommendthe Recovery section of the PSA document.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
What IBM can learn from its own cybersecurity business
If you asked an IBMer about infosec a few years ago, they would point you toward Tivoli identity management or mainframe tools like RACF. Even more recently, IBM acquired network security leader ISS and then buried it within its services group ...
A CIO's Interop Takeaways
Straight, the senior vice president and chief privacy officer of UnitedLex, offered guidelines for developing an infosec strategy that focuses on assessing insider risk. He also shared steps organizations can take to turn this potential liability into ...
by Sean Gallagher
The unclassified network of the Executive Office of the President—the administrative network of the White House—was breached by attackers thought to be working for the Russian government, according to multiple reports. The Washington Post reported that an investigation is ongoing, and White House officials are not saying what data, if any, was stolen from the computers on the network. “We are still assessing the activity of concern,” an unnamed White House official told the Post.
According to the Post’s anonymous sources, the breach was discovered in early October after a friendly foreign government alerted US officials. The network’s virtual private network access was shut down, and some staff members were told to change passwords. "We took immediate measures to evaluate and mitigate the activity,” the Post’s source at the White House said. “Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.”
This isn’t the first time attackers, apparently sponsored by a foreign state, have targeted the White House’s network. In 2008 and 2012, Chinese hackers penetrated the White House’s network. On the first occasion, the attackers gained access to the White House’s e-mail server; in 2012, a phishing attack against White House staffers gave attackers access to the network, though officials said no sensitive data was exposed.
Posted by InfoSec News on Oct 29http://www.washingtonpost.com/world/national-security/hackers-breach-some-white-house-computers/2014/10/28/2ddf2fa0-5ef7-11e4-91f7-5d89b5e8c251_story.html
Posted by InfoSec News on Oct 29http://www.washingtontimes.com/news/2014/oct/28/army-fitness-standards-for-fat-cyber-warriors-may-/
Posted by InfoSec News on Oct 29http://english.chosun.com/site/data/html_dir/2014/10/29/2014102901755.html?
Posted by InfoSec News on Oct 29The International Conference on Cyber-Crime Investigation and
Posted by InfoSec News on Oct 29http://arstechnica.com/security/2014/10/research-links-massive-cyber-spying-ring-to-russia/
Posted by InfoSec News on Oct 29http://www.theregister.co.uk/2014/10/29/blackenergy_crimeware_pwning_us_control_systems_cert_warns/
Posted by InfoSec News on Oct 29http://www.csoonline.com/article/2838369/data-protection/incoming-pci-council-head-ready-to-take-on-the-hackers.html