InfoSec News

Ann Livermore, a member of Hewlett-Packard's board of directors and a longtime head of the company's enterprise business, will be the first witness called when a court in San Jose, California, hears HP's lawsuit against Oracle for ending future development on the Itanium platform.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft said on Thursday that it would kick off a Windows 8 upgrade program on Saturday, June 2, giving buyers of new Windows 7 PCs the chance to grab a copy of the not-yet-released operating system for $15.
A U.S. judge has ruled that the Java application programming interfaces used in Android are not protected by copyright, marking a defeat for Oracle in its high-stakes lawsuit against Google.
The next version of Oracle's database will be released in either December or January, CEO Larry Ellison said Wednesday during an onstage interview at the AllThingsD conference.
Tinba is among the smallest data-stealing banking Trojans discovered in the wild, according to Danish security firm CSIS Security Group.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Salesforce.com's Desk.com service is about to add multilingual support to the cloud-based help-desk software, the company said Thursday.
As expected, Microsoft today shipped Windows 8 Release Preview, the final sneak peek the company will offer the general public before the operating system goes on sale later this year.
The success of the SpaceX mission to supply the International Space Station is bolstering the fledgling commercial space industry.
Speaking at the All Things D conference on Tuesday night, Apple CEO Tim Cook essentially sent Facebook a friend request. "I think the [Apple-Facebook] relationship is very solid," Cook said. "We have great respect for them. I think we can do more with them."
A meeting of the United Nations International Telecommunication Union (ITU) in December could lead to broad new regulations of the Internet, including per-click taxes, if U.S. and other delegations don't work hard to oppose proposals, U.S. officials and Internet governance experts told lawmakers Thursday.
Dell on Thursday announced Latitude business laptops with latest Intel Core processors that can provide around 33 hours of battery life, but only when combined with attached battery packs.
Name: Harry Sverdlove
Officials at the University of Nebraska in Lincoln have identified an undergraduate student they say is responsible for an intrusion into a university database containing personal data on more than 650,000 students, parents and employees.
Apple CEO Tim Cook this week again slammed rival Microsoft's Windows 8 and its promise to be an operating system for all devices, whether tablets, desktops, laptops or hybrids that combine elements of all.
Type on PDF and its more expensive counterpart, Type on PDF Pro, are powerful apps that provide a number of sophisticated tools for both using and creating Acrobat files. Both enable you to simply fill in or annotate already-existing PDF documents. But what sets Type on PDF apart from similar apps is the inclusion of a simple programming language that enables you to create custom PDF templates which can restrict the types of information that are put into form fields and also perform simple calculations.
AT&T turned on 4G LTE wireless service to Cleveland on Thursday, marking the 39th market in the U.S. to get the service.
With the introduction of three new reference designs, Freescale Semiconductor wants to cut the cost of wireless charging and offer the technology for tablets and power tools, the company said on Thursday.
Brendan Eich says forthcoming ECMAScript 6 is sufficient and Native Client lacks necessary vendor support
SkyDrive for Windows now allows users to access the Photos app in Windows 8 so they can fetch photos stored on their other PCs that have SkyDrive installed.
Sprint will start selling the HTC Evo 4G LTE smartphone for $199.99 and a two-year contract on Saturday, 15 days after originally promised.
A watchdog group has slammed Apple and its supplier Foxconn for failing to take corrective action on the plight of factory workers in China, saying the companies continue to abuse employees while providing poor working conditions.
Linux Kernel 'sock_alloc_send_pskb()' Function Heap Buffer Overflow Vulnerability
[SECURITY] [DSA 2483-1] strongswan security update
Cricket Communications will offer the first pre-paid iPhone in the U.S. starting June 22, the company announced Thursday.
OpenSSL 1.0.1 Buffer Overflow Vulnerability
[security bulletin] HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code
[ MDVSA-2012:086 ] acpid
We have gotten a number of submissions asking about Flame, the malware that was spotted targeting systems in a number of arab countries. According to existing write-ups, the malware is about 20 MB in size, and consists of a number of binary modules that are held together by a duct tape script written in LUA. A good part of the size of the malware is associated with its LUA interpreter.
If you ever find something like that using perl instead of LUA... maybe I did it. I love to tie together various existing binaries using perl duct tape. However, I am not writing malware... and any serious commercial malware writing company would have probably fired me after seeing this approach. Using LUA would probably not fair much better. Real malware is typically plugged together from various modules, but compiled into one compact binary. Pulling up a random Spyeye description shows that it is only 70kBytes large, and retails for $500. Whatever government contractor put together Flame probably charged a lot more then that. Like with most IT needs: If you run some government malware supply department, think going COTS.
Of course, Flame is different because it appears to be government sponsored. Get over it. Did you know governments hire spies? People who get paid big bucks (I hope) to do what can generally be described as evil and illegal stuff. They actually do that for pretty much as long as governments exist, and McAfee may even have a signature for it.
We are getting a lot of requests for hints on how to detect that your are infected with Flame. Short answer: If you got enough free time on your hand to look for Flame, you are doing something right. Take a vacation. More likely then not, your time is better spent looking for malware in general. In the end, it doesn't matter that much why someone is infecting you with the malware d'jour. The Important part is how they got in. They pretty much all use the same pool of vulnerabilities, and similar exfiltration techniques. Flame is actually pretty lame when it comes to exfiltrating data as it uses odd user-agent strings. Instead of looking for Flame: Setup a system to whitelist user-agents. That way, you may find some malware that actually matters, and if you happen to be infected with Flame, you will see that too.
But you say: Hey! I can't whitelist user-agents! Sorry: you already lost. On a good note: scrap that backup system. All your important data is already safely backed up in various government vaults. (recovery is a pain though... )
Sorry for the rant. But had to get it out of the system. Oh... and in case you are still worried... the Iranian CERT got a Flame removal tool [2]. Just apply that. I am sure it is all safe and such.


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Those who continue to deem the cloud "rogue IT" fail to see the forest for the trees, CIO.com's Bernard Golden writes. Institutions dead set in their ways should prepare to see smaller, more innovative firms embrace the cloud and race past them.
The first commercial spacecraft to lift off from the U.S. arrived home today from a mission to deliver supplies to the International Space Station.
Freedom of choice when it comes to technology decisions has traditionally ended at the doors of the enterprise, where IT tells you what hardware and software you can use. But BYOD and consumerization of IT may be the new Glasnost.
[security bulletin] HPSBUX02784 SSRT100871 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
The first commercial spacecraft to lift off from the U.S. is on its way home from a mission to deliver supplies to the International Space Station.
The owner of GameReplays.org has invited ethical hackers to probe the website for vulnerabilities after a recent compromise that resulted in 10,000 member accounts being exposed.
The European Commission wants to improve its free and open-source software repository system using an enhanced metadata specification meant to help E.U. countries exchange more information about their free and open-source software projects.
things you can do with downloads

US companies, government not likely burned by Flame
CSO Magazine
In a blog post for Infosec Island, he wrote: "When you look at the code snippets, which Kaspersky published, in addition to the various use of the word "flame" in the code, there are also variables called 'gator' and 'frog' in there.

and more »
We live in an exciting new world of Web development languages. But pitches selling the productivity benefits of one language over another miss the point
More and more users are making smartphones and tablets their primary devices. If your website isn't adaptive, chances are users aren't seeing your company the way you want.
Looking to become an Excel power user? Excel has a number of features that will make it easier for you and your colleagues to enter data into your spreadsheets. If you're developing a spreadsheet that you'll use over and over again, inserting a spin button or scrollbar will allow you to choose from a predefined range of values using your mouse, instead of typing numbers in with the keyboard. Or, if you wish to limit a spreadsheet user to selecting from a few preset choices, a set of option buttons will do.
The Intel-based San Diego smartphone, previously known as Santa Clara, will go on sale in the U.K. on June 6 via Orange, the operator said on Thursday.
One of my interest recently has been what I call [email protected] I use this term to refer to all the Internet connected devices we surround ourself with. Some may also call it the Internet of devices. In particular for home use, these devices are built to be cheap and simple, which hardly ever includes secure. Today, I want to focus on a particular set of gadgets: Healthcare sensors.
Like [email protected] in general, this part of the market exploded over the last year. Internet connected scales, blood pressure monitors, glucose measurement devices, thermometers and activity monitors can all be purchased for not too much money.I personally consider them gadgets, but they certainly have some serious health care uses.
I will not mention any manufacturer names here, and anonymized some of the dumps. The selection of devices I have access to is limited and random. I do not want to create the appearance that these devices are worse then their competitors. Given the consistent security failures I do consider them pretty much all equivalent. Vendors have been notified.
There are two areas that appear to be particularly noteworthy:
- Failure to use SSL: Many of the devices I looked at did not use SSL to transmit data to the server. In some cases, the web site used to retrieve the data had an SSL option, but it was outright difficult to use it. (OWASP Top 10: Insufficent Transport Layer Protection)
- Authentication Flaws: The device does use weak authentication methods, like a serial number. (OWASP Top 10: Broken Authentication and Session Management)
First of all, there are typically two HTTP connections involved: The first connection is used by the device to report the data to the server, in some cases, the device may retrieve settings from the server. The second HTTP connection is from the users browser to the manufacturers website. This connection is used to review the data. The data submission uses typically a web service. The web sites themselves tend to be Ajax/Web 2.0 heavy with the associated use of web services.
The device is typically configured by connecting it via USB to a PC or to a Smartphone. The smart phone or desktop software would provide a useable interface to configure passwords, a problem that is common for example among bluetooth headsets which don't have this option. Most of the time, the data is not sent from the device itself, but from a smartphone or desktop application. The device uploads data to the PC, then the PC submits the data to the web service. This should provide access to the SSL libraries that are available on the PC. In a few cases, the device sends data directly via WiFi. In the examples I have seen, these devices still use a USB connection to configure the device from a PC.
Example 1: Step Counter / Activity Monitor
The first example is an activity monitor. Essentially a fancy step counter. The device clips on your belt, and sends data to a base station via an unspecified wireless protocol. The base station also doubles as a charger. The user has no direct control over when the device uploads data, but it happens frequently as long as the device is in range of the base station. Here is a sample POST:

POST /device/tracker/uploadData HTTP/1.1
Host: client.xxx.com:80
Content-Length: 163
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=1A2E693AD5B28F4F153EE9D23B9237C8
Connection: keep-alive

beaconType=standardclientMode=standardclientId=870B2195-xxxx-4F90-xxxx-67CxxxC8xxxxclientVersion=1.2os=Mac OS X 10.7.4 (Intel%2080486%10)
The session ID appears to be inconsequential, and the only identifier is the client ID. Part of the request was obfuscated with xxx to hide the identity of the manufacturer. The response to this request:

?xml version=1.0 ?
xxxClient version=1.0
response host=client.xxx.com
port=80 secure=false/response
device type=tracker pingInterval=4000 action=command
remoteOps errorHandler=executeTillError responder=respondNoError
remoteOp encrypted=false
It is interesting how some of the references in this response suggest that there may be an https option. For example in line 5: port=80 and secure=false may indicate an HTTPS option.
Example 2: Blood Pressure Sensor

The blood pressure sensor connects to a smart phone, and the smart phone will then collect the data and communicate with a web service. The authentication looks reasonable in this case. First, the smart phone app sends an authentication request to the web service:

GET /cgi-bin/[email protected]=xxxxx
duration=60apiver=6appname=wiscaleapppfm=iosappliver=307 HTTP/1.1
The hash appears to be derived from the user provided password and a nonce that was sent in response to a prior request. I wasn't able to directly work out how the hash is calculated (which is a good sign) and assume it is a Digest like algorithm. Based on the format of the hash, MD5 is used as a hashing algorithm, which isn't great, but I will let it pass in this case.
All this still happens in clear text, and nothing but the password is encrypted. The server will return a session ID, that is used for authentication going forward. The blood pressure data itself is transmitted in the clear, using proprietary units, but I assume once you have a range of samples, it is easy to derive them:

action=storesessionid=xxxx-4fc6c74e-0affade3data=* TIME unixtime 1338427213
* ID mac,hard,soft,model
02-00-00-00-xx-01,0003000B,17,Blood Pressure Monitor BP
* ACCOUNT account,userid
[email protected],325xxx
* BATTERY vp,vps,rint,battery %25
* RESULT cause,sys,dia,bpm
* PULSE pressure,energy,centroid,timestamp,amplitude

(some values are again replaced with x-)
In my case, the device sent a total of 12 historic values, in addition to the last measured value. So far, I only had taken 12 measurements with the device.
Associated web sites
The manufacturers of both devices offer web sites to review the data. Both use SSL to authenticate, but later bounce you to an HTTP site, adding the possibility of a firesheep style session hijack attack. For the blood pressure website, you may manually enter https and it will stick. The activity monitor has an HTTPS website, but all links will point you back to HTTP. A third device, a scale, which I am not discussing in more detail here as it is very much like the blood pressure monitor, suffers from the same problems.
A quick summary of the results:

Device Authentication
Data Encryption
Website Auth SSL
Website Data SSL

Blood Pressure Sensor
encrypted password
login only
only if user forced

Activity Monitor
device serial number
login only
hard for user to force

I have no idea if HIPAA or other regulation would apply to data and devices like this. Like I said, these are gadgets you would find in a home, not in a doctor's office. I also tested a scale that was very much like the blood pressure monitor. It used decent authentication but no SSL. If you have any devices like this, let me know if you know how they authenticate and/or encrypt.
So how bad is this? I doubt anybody will be seriously harmed by any of these flaws. This is not like the wireless insulin pumps or infusion drips that have been demonstrated to be weak in the past. However, it does show a general disrespect for the privacy of the user's data, and an unwillingness to fix pretty easy to fix problems.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

After working hard to create sound security policies, it’s easy for enterprise information security managers to be dismayed when users ignore the rules and knowingly bypass security controls. When those rule-breakers are executives, it feels like salt on the wound. After all, who should understand the importance of protecting an organization’s assets better than its top executives? Yet, a survey at Infosecurity Europe revealed that, in 43% of organizations, senior managers and even the board of directors do not follow their organizations’ security policies and procedures.

The survey was conducted last month by security consulting firm Cryptzone Group. They asked 300 IT professionals who within their organizations is least likely to follow security policies and procedures. According to the Cryptzone report, Perceptions of security awareness (.pdf), 20% said senior managers are least likely to follow the rules, and 23% pointed their finger directly at the CEO or CTO.

The Cryptzone report didn’t dig into the reasons behind these perturbing findings, but I’d venture there are five primary reasons why executives disobey corporate security policies. (You’ll either laugh or cry about the last one.)

1. They are discreetly excused from taking security training programs;
2. They do not agree wholeheartedly with the security policy;
3. They believe the risks they are taking aren’t all that bad;
4. They are in a hurry;
5. They think IT will take care of things if something (like a data breach) occurs.

The antidote for all these reasons can, of course, be found in corporate security training. But because senior managers probably can’t or won’t take time out of their workdays to attend more training (see reason #4), security pros will have to keep finding creative ways to get the message out. Multimedia playing in the office kitchen, occasional text reminders sent to managers’ phones, and other friendly methods of interjecting bits of the security policy into managers’ minds must be a never-ending process in every organization.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Help Net Security

Securing the Cloud
Help Net Security
He is a published InfoSec and cyber security researcher as well as an expert in intrusion/anomaly detection. "Securing the Cloud" is a book aimed at anyone who is considering using, building or securing a cloud implementation, but can also come in hand ...

and more »
QR codes are being used for more than just advertisements in Marin County, Calif. There, paramedics hope the stickers could help save lives in emergency situations.
CGI Group, a Canadian IT services and business process services company, has agreed to acquire its larger European competitor Logica for APS1.7 billion (US$2.65 billion) in cash, in a bid to expand its European presence, the companies said Thursday.
Microsoft will ship Windows 8 Release Preview today, several days earlier than expected, according to a blog briefly posted by the company.
Megaupload cannot be brought within the jurisdiction of a federal court in Virginia for criminal proceedings without its consent, as federal rules do not contemplate service of a criminal summons on a wholly foreign corporation without an agent or offices in the U.S., its lawyers said in a filing on Wednesday.
Since taking over HP last year, CEO Meg Whitman has continued to help Republican presidential candidate Mitt Romney. That stance may carry risks ranging from public perception of the company to closer scrutiny by the government.
Maine's health information exchange has announced a pilot image archive that will eventually allow all of its healthcare provider facilities to share patient radiology images regardless of where the patient is being treated.

NetClarity Receives Expansion Capital from Rose Park Advisors Disruptive ...
Albany Times Union
NetClarity, Inc., the leading provider of Next Generation Network Access Control (NAC) technology in the marketplace, on the heels of receiving the “Most Innovative New Security Product for 2012” award from InfoSec Products Guide, today announces ...

and more »
PHP Volunteer Management Arbitrary File Upload and HTML Injection Vulnerabilities
A fresh crop of ultrabooks sporting Intel's latest "Ivy Bridge" Core processors will start to go on sale next month, including 30 models with touchscreens, Intel said Thursday.
Internet Storm Center Infocon Status