InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A posting to pastebin by a group that calls itself Cyber Warrior Team from Iran claims to have breached a NASA website via a man in the middle attack. The announcement is a bit hard to read due to the broken English, but here is how I parse the post and the associated screenshot:
The Cyber Warrior Team used a tool to scan NASA websites for SSL misconfigurations. They came across a site that used an invalid, likely self-signed or expired, certificate. Users visiting this web site would be used to seeing a certificate warning, which made it a lot easier to launch a man in the middle attack. In addition, the login form on the index page isn't using SSL, making it possible to intercept and modify it unnoticed.
Once the attackers set up the man in the middle attack, they were able to collect usernames and passwords.
Based on this interpretation, the lesson should be to stop using self-signed or invalid certificates for obscure internal web sites. I have frequently seen the argument that for an internal web site it is not important, or too expensive or too complex, to set up a valid certificate. SSL isn't doing much for you if the certificate is not valid. The encryption provided by SSL only works if the authentication works as well. Otherwise, you never know if the key you negotiated was negotiated with the right party.
And of course, the login form on the index page should be delivered via SSL as well. Even if the form is submitted via SSL, it is subject to tampering if it is delivered via http instead of https.
Good old OWASP Top 10-style lessons, but sadly, we still need to repeat them again and again. For a nice test to see if SSL is configured right on your site, see ssllabs.com.
Also, in more complex environments, you need to make sure that all of your SSL certificates are in sync. We recently updated SSL certificates and forgot to update the one used by our IPv6 web server. (Thanks Kees for pointing that out to us.)
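The "login form delivered over http" problem above is easy to check for mechanically. The following is an added example, not code from the ISC or from the diary: it parses a page's HTML and reports, for every form containing a password field, whether the page was delivered over https and whether the form submits over https; the page URL and HTML are constructed samples (www.example.org), not the NASA site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one [action, has_password] entry per form
        self._current = None   # the form whose inputs we are reading

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per login form: is the page delivered over https,
    and does the form submit over https? Both must hold for the form to be
    safe from in-path tampering. page_url is where the HTML was fetched
    from; relative actions are resolved against it as a browser would."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue           # no password field: not a login form
        target = urljoin(page_url, action)
        submit_https = urlsplit(target).scheme == "https"
        findings.append({
            "action": target,
            "delivered_over_https": page_https,
            "submits_over_https": submit_https,
            "safe": page_https and submit_https,
        })
    return findings


# Constructed sample page matching the scenario in the diary: an index page
# served over plain http whose login form posts to an https endpoint.
SAMPLE_HTML = """<html><body>
<form action="https://www.example.org/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_login_forms("http://www.example.org/", SAMPLE_HTML):
        print(finding)
```

Run against a page fetched over http, the sample form is reported as not safe even though it submits over https, which is exactly the tampering case described above.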
[1] http://pastebin.com/MFPMGZ4Z
[2] https://www.ssllabs.com

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

With several big data initiatives announced Wednesday at the Massachusetts Institute of Technology, Governor Deval Patrick said he wants to make the state a hub for big data research.
Multiple DeltaV Products Multiple Remote Vulnerabilities
Windows 8 and ultrabooks are expected to take center stage at the Computex trade show in Taipei next week, as industry giants Microsoft and Intel try to develop products that can compete better against Apple's iPad.
Asus' highly anticipated Transformer Pad Infinity TF700T tablet, a challenger to Apple's new iPad, will become available in late June or early July, a company spokeswoman said on Wednesday.
Consumer Watchdog, a privacy group, wants the California Assembly to keep Google's self-driving cars off the road until privacy protection for the cars' users is in place.
Verizon Communications is putting the pedal to the metal on its FiOS service with a new 300Mbps option next month, offering a majority of its customers a wild Internet ride, though it hasn't said how much that ride will cost.
The Recording Industry Association of America Wednesday accused Google of not doing enough to stop Internet users from accessing Websites that carry pirated music and other copyrighted content.
Flame, a package of components commonly available in most banking Trojans and remote access toolkits, is detectable by current antivirus, experts say.

Cisco Security Advisory: Cisco IOS XR Software Route Processor Denial of Service Vulnerability
FreeBSD Security Advisory FreeBSD-SA-12:02.crypt
Nailing down a timeline for the development of Flame, the super-cyber spying malware recently found infecting PCs in Iran and other Middle Eastern nations, will be critical to connecting it to Stuxnet and Duqu, experts said.
When I first looked at Codosaurus about five months ago, I though the iPad and iPhone code editor was functional, though it seemed like an unfinished product. An update arrived in the App Store earlier this month--the first in nearly year--so I downloaded version 1.3 eager to give Codosaurus another try. It appears that this new version has taken some baby steps forward and, unfortunately, one huge step backward.
Worldwide server shipments grew at a slower-than-expected clip during the first quarter of 2012, but Cisco, which has a small market share, beat market trends as top server makers struggled with slow demand and weak economic conditions, research firm Gartner said on Wednesday.
Global Internet Protocol traffic will reach an annual rate of 1.3 zettabytes in 2016 as more people connect more devices and download more video over the Internet, Cisco Systems predicted Wednesday.
FreeBSD Security Advisory FreeBSD-SA-12:01.openssl
2 Buffer Overflows in Wireless Manager Sony VAIO
Re: Progress Webspeed exploit for all releases
Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities
Microsoft has released a government-specific edition of its Office 365 cloud-based email and collaboration suite that offers U.S. public-sector customers a cordoned-off data center infrastructure just for them.
Even if the next iPhone has a mobile wallet app and a Near Field Communication chip inside, don't expect contactless payments to suddenly explode in the U.S.
Lenovo on Wednesday finally shipped the IdeaTab S2109 tablet after months of teasers, calling the $349 tablet one of the lightest in the market with a 9.7-inch screen.
[ MDVSA-2012:085 ] tomcat5
Mapserver for Windows (MS4W) Remote Code Execution
Microsoft .NET Framework Serialization CVE-2012-0161 Remote Code Execution Vulnerability
Microsoft .NET Framework Input Serialization CVE-2012-0160 Remote Code Execution Vulnerability
It's always great to hear from our readers, we just got this note in from Tom on a phish that he recently encountered:

One of my followers on Twitter (whose account was likely hacked or fell victim to this scam) sent me the following DM:

hilarious pic! bit.ly/KIbUqq

That bit.ly URL redirects to:


That site is clearly impersonating the Twitter.com site, and attempts to trick users into typing in their username and password. As of this writing (May 30, 2012 12:18pm EDT), the site is still available.

The whois record shows it as registered to XIN NET TECHNOLOGY CORPORATION in Shanghai, China. The whois record also has an HTML script tag in it, which may be an attempt to XSS users using web-based WHOIS services (though I did not try loading the JS file to find out).

While I've certainly seen reply spam on Twitter, I don't recall ever seeing this type of DM spam leading to phishing before. I thought that you guys might find it interesting!

I sent a message using Twitter's online support form, and I also submitted the URL to Google's SafeBrowsing list.

This was just too good an example to pass up writing about. Things to watch out for:

Any link you're asked to click on, in any context, is a risk - READ THE UNDERLYING LINK to verify that you're going where you think you are.
If it's a shortened link (bit.ly or whatever), check it with a sacrificial VM or from a sandboxed browser that you trust is actually partitioned and safe.
Before you click the link - READ THE LINK AGAIN - the vv instead of a w character in twitter is a nice touch, easy to miss.
Finally, before clicking the link, DON'T CLICK THE LINK. Cut and paste it into your browser rather than clicking it directly.
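
The "vv instead of w" trick in the second pointer can be caught in code. The following is an added example, not part of the diary or Tom's note: it folds a short, illustrative list of confusable character sequences and then checks whether a hostname turns into a protected domain (constructed list: twitter.com), or merely embeds it as a leading subdomain; the sample URLs are constructed and are not the address from the reported phish.

```python
from urllib.parse import urlsplit

# Visually confusable ASCII sequences and the character each one imitates.
# Illustrative, not exhaustive; "vv" for "w" is the trick seen above.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def fold_confusables(label):
    """Replace each confusable sequence with the character it mimics."""
    folded = label.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def classify_host(url, protected):
    """Return (verdict, protected_domain) for the hostname in `url`.

    verdict is "legitimate" (the domain or a real subdomain of it),
    "embedded" (the protected name appears only as a leading part of a
    host registered elsewhere, e.g. twitter.com.example.net),
    "confusable" (the host reads as the protected domain once confusable
    sequences are folded, e.g. tvvitter.com) or "unrelated".
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    for domain in (d.lower() for d in protected):
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain
    for domain in (d.lower() for d in protected):
        if host.startswith(domain + ".") or ("." + domain + ".") in host:
            return "embedded", domain
        folded = fold_confusables(host)
        if folded == domain or folded.endswith("." + domain):
            return "confusable", domain
    return "unrelated", None


PROTECTED = ["twitter.com"]

if __name__ == "__main__":
    # Constructed sample URLs; none is the address from the reported phish.
    for u in ["https://twitter.com/home", "http://tvvitter.com/login",
              "http://twitter.com.example.net/", "http://example.org/"]:
        print(u, classify_host(u, PROTECTED))
```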

If you've got any other pointers, or if I've missed anything, please use our comment form to ... well ... comment!


Rob VandenBrink

Metafore
Following through on promises to shuffle the ranks of upper management, Hewlett-Packard has hired George Kadifa to head the company's software division and has promoted Bill Veghte, who formerly led the division, to the role of chief operating officer.
The U.S. government has launched a coordinated effort with several trade groups and private companies to combat botnets and educate affected computer users, the White House announced Wednesday.
Google today unveiled a tool that promises to make it easier for people on the run to find the perfect restaurant.
Nearly a fifth of Windows PCs in the U.S. lack any active security protection, an antivirus vendor said today, citing numbers from a year-long project.
Rogue copies of Green Simurgh, an Internet proxy software application used in Iran and Syria, have been found to contain malware that records users' activities and keystrokes.
There's an interesting trend that I've been noticing in datacenters over the last few years. The pendulum has swung towards infrastructure that is getting too expensive to replicate in a test environment.

In years past, there may have been a chassis switch and a number of routers. Essentially these would run the same operating system with very similar features that smaller, less expensive units from the same vendor might run. The servers would run Windows, Linux or some other OS, running on physical or virtual platforms. Even with virtualization, this was all easy to set up in a lab.

These days though, on the server side we're now seeing more 10Gbps networking, FCoE (Fiber Channel over Ethernet), and more blade type servers. These all run into larger dollars - not insurmountable for a business, as often last year's blade chassis can be used for testing and staging. However, all of this is generally out of the reach of someone who's putting their own lab together.

On the networking side things are much more skewed. In many organizations today's core networks are nothing like last year's network. We're seeing way more 10Gbps switches, both in the core and at top of rack in datacenters. In most cases, these switches run completely different operating systems than we've seen in the past (though the CLI often looks similar).

As mentioned previously , Fiber Channel over Ethernet is being seen more often - as the name implies, FCoE shares more with Fiber Channel than with Ethernet. Routers are still doing the core routing services on the same OS that we've seen in the past, but we're also seeing lots more private MPLS implementations than before.

Storage as always is a one-off in the datacenter. Almost nobody has a spare enterprise SAN to play with, though it's becoming more common to have Fiber Channel switches in a corporate lab. Not to mention the proliferation of Load Balancers, Web Application Firewalls and other specialized one-off infrastructure gear that are becoming much more common these days than in the past.

So why is this on the ISC page today? Because in combination, this adds up to a few negative things:

Especially on the networking and storage side, the costs involved mean that it's becoming very difficult to truly test changes to the production environment before implementation. So changes are planned based on the product documentation, and perhaps input from the vendor technical support group. In years past, the change would have been tested in advance and likely would have gone live the first time. What we're seeing more frequently now is testing during the change window, and often it will take several change windows to get it right.
From a security point of view, this means that organizations are becoming much more likely to NOT keep their most critical infrastructure up to date. From a Manager's point of view, change equals risk. And any changes to the core components now can affect EVERYTHING - from traditional server and workstation apps to storage to voice systems.
At the other end of the spectrum, while you can still cruise eBay and put together a killer lab for yourself, it's just not possible to put some of these more expensive but common datacenter components into a personal lab.

What really comes out of this is that without a test environment, it becomes incredibly difficult to become a true expert in these new technologies. As we make our infrastructure too big to fail, it effectively becomes too big to learn. To become an expert you either need to work for the vendor, or you need to be a consultant with large clients and a good lab. This makes any troubleshooting more difficult (making managers even more change-averse).

What do you think? Have I missed any important points, or am I off base? Please use our comment form for feedback!

Rob VandenBrink

Metafore

ed cloud providers for several months now has been the assumption among cloud customers and service providers outside the U.S. - especially in Europe - that the Patriot Act gives the U.S. more access to cloud data than other governments. The idea, then, is that it’s safer to store your data with a cloud provider in a location free from such governmental access. A recent study debunked this Patriot Act cloud notion by showing that, in fact, other governments have just as much access as the U.S. for national security or law enforcement reasons.

The study, published by the global law firm Hogan Lovells (.pdf), looked at the laws of ten countries, including the U.S., France, Germany, Canada and Japan, and found each one vested authority in the government to require a cloud service provider to disclose customer data. The study showed that even countries with strict privacy laws have anti-terrorism laws that allow for expedited government access to cloud data.

“On the fundamental question of governmental access to data in the cloud, we conclude …that it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities,” wrote Christopher Wolf, co-director of Hogan Lovells’ privacy and information practice, and Winston Maxwell, a partner in the firm’s Paris office.

In a blog post, Dave Asprey, vice president of cloud security at Trend Micro, said the research “proves a bigger point; that your data will be disclosed with or without your permission, and with or without your knowledge, if you’re in one of the 10 countries covered.”

The only solution to this problem, he added, is encryption. But how encryption keys are handled is critical; encryption keys need to be on a policy-based management server at another cloud provider or under your own control, Asprey wrote. Now, Trend Micro has a vested interest here since it provides encryption key management, but it’s a point worth noting for organizations concerned about protecting cloud data not just from governments, but from cybercriminals.

For another examination of the Patriot Act’s impact on cloud computing, check out the article by SearchCloudSecurity.com contributor Francoise Gilbert. She looks at the rules for the federal government to access data and how they undercut concerns about the Patriot Act and cloud providers based in the U.S.

The discussion about labs got me thinking about what we all have in our personal labs. The "What's in your lab?" question is a standard one that I ask in interviews; it says a lot about a person's interests and commitment to those interests.

I just revamped my lab (thanks to my local cheap off-lease servers company and eBay). Previously I was able to downsize and host my entire lab on my laptop with a farm of virtual machines and a fleet of external USB drives, but as I ramp up my requirements for permanent servers (an MS Project server, an SCP server, a web honeypot and an army of permanent, CPU and memory hungry pentest VMs), I had to put some permanent hosts back in.

So to host all this, I put in 3 ESX servers with 20 cores altogether (thanks eBay!). I picked up a 4 gig fiber channel switch and 4 HBAs for a song, also on eBay. I had an older Xeon server with lots of drive bays, so I filled it up with 1TB SATA drives and a SATA RAID controller - with a fiber channel HBA and Openfiler, I've now got a decent Fiber Channel SAN (with iSCSI and NFS thrown in for good measure). Add a decent switch and firewall for VLAN support and network segmentation, and this starts to look a whole lot like something useful! The goal was that after it's all bolted together, I can do almost anything in the lab without physically being there.

I still keep lots of my lab on the laptop VM farm - for instance my Dynamips servers for WAN simulation are all still local, as are a few Linux VMs that I use for coding in one language or another.

Enough about my lab - what's in your lab? Have you found a neat, cheap way of filling a lab need you think others might benefit from? Do you host your lab on a laptop for convenience, or do you have a rack in your basement (or at work)? Please use our comment form and let us know!


Rob VandenBrink

Metafore
[SECURITY] [DSA 2480-2] request-tracker3.8 regression update
The National Cybersecurity Center of Excellence (NCCoE) will host a kickoff workshop on Tuesday, June 26, 2012. The workshop's goal is to introduce the center, which will bring together experts from industry, government and academia ...
For a clear view of cloud computing, the National Institute of Standards and Technology (NIST) has issued a new publication that explains cloud systems in plain language. The final version of Cloud Computing Synopsis and Recommendations ...
The head of TED, the organizer of conferences around brainy presentations on a wide variety of subjects, says online video will continue to play a central role for the group and he has high hopes for its new education platform.
A Chinese edition of Windows 8, reportedly the same build that Microsoft will launch in the next week as the Release Preview, has leaked to file-sharing sites.
10gen, one of the leading vendors of NoSQL database technologies, has secured $42 million in fresh funding from New Enterprise Associates and existing investors such as Sequoia Partners and Flybridge Capital.
Get started by focusing on the device(s) and the data plan, security issues and general policies.
WikiLeaks founder Julian Assange may be extradited to Sweden for questioning about allegations of sexual offenses, the U.K. Supreme Court ruled on Wednesday, upholding a lower court ruling and dismissing Assange's appeal.
A court in New Zealand has granted Kim Dotcom, founder of the Megaupload file-sharing site, access to documents which contain evidence against him, and are held by prosecuting authorities both in New Zealand and the U.S.