Security Weekly News 18 February 2011 – Full list

Category Index

Hacking Incidents / Cybercrime

If you’re thinking of robbing a Las Vegas casino, and you’re not George Clooney, I have a word of advice: give up now. As Anthony Carleo recently found out, even if you leave the casino in one piece, the chips you stole are going to be worthless long before you make your get away. The 29 year old suspect is accused of robbing the Bellagio on December 14th of 2010, stealing chips whose face value totaled around $1.5 million dollars. Their real value, however, was zero. Thanks to RFID tags embedded inside them, the chips with denominations of $100 to $25,000 could be immediately deactivated rendering them unredeemable for cash value. Watch CCTV footage from the December 14th robbery in the video clip below, followed by the recent press conference from the Las Vegas Police concerning Carleo’s arrest. Stealing worthless chips and then getting caught trying to sell them to undercover officers? Danny Ocean this guy is not.
Prisoners at New York’s Rikers Island jail have been caught buying up iPads and Macs in an elaborate cyber-crime arrangement that saw them forging credit cards-your credit cards, people!-to buy $1m of Apple products.
This hip young thing with a taste for Apple kit? 28-year-old Shaheed Bilal, who tasked his three younger brothers, girlfriend and 22 other friends and family-members in the outside world with purchasing the gadgets, to sell on at discounted rates.
Last week, a Facebook dataset was released by a group of researchers (Amanda L. Traud, Peter J. Mucha, Mason A. Porter) in connection with their paper studying the role of user attributes – gender, class year, major, high school, and residence – on social network formations at various colleges and universities. The dataset – referred to by the researchers as the “Facebook 100? – consists of the complete set of users from the Facebook networks at 100 American schools, and all of the in-network “friendship” links between those users as they existed at a single moment of time in September 2005.
Police are investigating the discovery of snooping devices attached to public computers in two Cheshire libraries.
Staff found the keyloggers, USB devices which record keyboard activity, in the back of two PCs at Wilmslow Library and one at Handforth Library.
Late this week, I heard from several anti-spam activists who alerted me to a nice reminder that spammers don’t always win: Spammers have been promoting their rogue pharmacy sites via images uploaded to free image hosting service imageshack.com. In response, the company appears to have simply replaced those images with the following subtle warning:
The BBC has confirmed that BBC Radio’s 6Music and 1Xtra sites were hacked to serve malware. In a statement to The H, a BBC spokesperson said, ‘We can confirm that the 1xtra and 6Music websites were hacked yesterday. The issue was quickly dealt with, and the sites are now back to normal. We’re currently investigating what happened’.
Having a Ball with ATM Skimmers  [krebsonsecurity.com]
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users.
But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
In a current report, anti-botnet specialists at Damballa write that the number of bot-infected PCs worldwide increased sevenfold within a year, although no absolute figures are mentioned. The researchers consider that the expansive growth in 2010 was caused by the increasing availability of ‘exploit packs’ and trojan toolkits. Such tools enable criminals without programming skills to assemble their attack weapons and malware with a few simple mouse clicks. Toolkit prices range between $100 and $1,000.
Simply browsing the sites would be enough to cause infection, Websense says
Two websites operated by the BBC have been infected by iFrame attacks and could be serving up malware, according to researchers
The BBC-6 Music site and areas of the BBC 1Xtra radio station site are affected, according to a blog by researchers at Websense.
The injected iFrame occurs at the foot of the BBC 6 Music Web page, and loads code from a site in the .co.cc top-level domain, Websense says. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site.

Unpatched Vulnerabilities

Rated as Critical
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service or take complete control of a vulnerable system. This issue is caused by a heap overflow error in the ‘BowserWriteErrorLogEntry()’ function within the Windows NT SMB Minirdr ‘mrxsmb.sys’ driver when processing malformed Browser Election requests, which could be exploited by remote unauthenticated attackers to crash an affected system or potentially execute arbitrary code with elevated privileges.
VUPEN has confirmed this vulnerability on Windows Server 2003 SP2 and Microsoft Windows XP SP3.

Software Updates

Microsoft has announced that the first service pack for Windows 7 and Server 2008 R2 is available to download for MSDN and TechNet subscribers. This is offered in three versions, one for 32- and two for 64-bit Windows (x64 and Itanium). All three will update both Windows 7 and Server 2008 R2, because both operating systems are based on the same kernel. The sizes of the packages are 550 MB (x86), 925 MB (x64) and 525 MB (Itanium).
Oracle released the February 2011 Critical Patch Update for Java SE and Java for Business today. As discussed in a previous blog entry, Oracle currently maintains a separate Critical Patch Update schedule for Java SE and Java for Business because of commitments made prior to the Oracle acquisition in regards to the timing for the publication of Java fixes.
Today’s Java Critical Patch Update includes fixes for 21 vulnerabilities. The most severe CVSS Base Score for vulnerabilities fixed in this CPU is 10.0, and this Base Score affects 8 vulnerabilities.
Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues
Most versions of Java and some versions of PHP enter an infinite loop trying to turn the string ‘??2.2250738585072012e-308’? into a double precision floating point value. (Remember scientific notation? Floats and doubles are good for representing really big and really small numbers. Very important for getting the physicists to shell out for supercomputers.) Here are the details on the bugs.
This is a recipe for a quick and easy denial of service attack. If you have a Java application that does something as simple as this:
Double.parseDouble(request.getParameter(‘d’));
attackers can wedge a thread every time they make an HTTP request. Now Anonymous doesn’t need a botnet army to take your app offline. A laptop with an AOL dialup connection should be plenty.
The Management Center for Cisco Security Agent is affected by a
vulnerability that may allow an unauthenticated attacker to perform
remote code execution on the affected device.
Cisco has released free software updates that address this
vulnerability.
A workaround is available to mitigate this vulnerability.
Windows only: Sumatra PDF has always focused on being the faster, lighter, and less system-burdening alternative to Adobe and other PDF solutions, and its latest 1.3 update continues down that path. Images are rendered faster, in particular, and less memory is used.

Business Case for Security

The Spy Next Door: Stealing your life for £44  [blog.itsecurityexpert.co.uk]
How easy can it be to steal your life? For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account? Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
Cyber crime costs the UK economy £27bn a year, the government has said.
The figures, published for the first time, are a mid-range estimate and the real cost could be much higher.
They are made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens.
Security minister Baroness Neville-Jones said the government was determined to work with industry to tackle cyber crime.
At the moment, cyber criminals are ‘fearless because they do not think they will be caught’, she said in a briefing in central London.
Companies are failing to enforce personal data security laws  [www.thepost.ie]
Up to 60 per cent of Irish companies have suffered a data breach and only a third have proper data breach policies, according to a survey to be published by the Irish Computer Society.
The Data Protection Attitudes and Practices Survey 2011, also reveals that more than one in seven people have suffered a personal data breach over the past 12 months.
And almost half of IT staff are unaware that data breaches must be reported by law. Consequently, two thirds of Irish IT workers say that they are not confident that a data breach involving their own personal information would be reported to them.
The FREE ISO27k Toolkit  [www.iso27001security.com]
The FREE ISO27k Toolkit consists of a collection of ISMS-related materials contributed by members of the ISO27k Forum, either individually or through collaborative working groups organized on the Forum. We are very grateful for their generosity in allowing us to share them with you.
The toolkit is an incomplete work-in-progress: further contributions are most welcome, whether to fill-in gaps or provide additional examples of the items listed below.
Align your PCI-DSS v1.2 compliance activities with your ISO27k ISMS, for mutual benefit
A new ‘State of Application Security Survey’ conducted by the Ponemon Institute and commissioned by Barracuda Networks and Cenzic on respondents’ perceptions and experiences protecting Web applications has some disappointing results. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.
According to 74 per cent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment. And while website attacks are the biggest concern for companies, 88 per cent spend more on coffee than securing Web applications
Two of the top five most frequently observed flaws were patched more than five years ago, M86 study says
he availability of a patch for a security flaw doesn’t always solve the problem, according to a new study published today.
According to the new Security Labs Report from M86 Security, the top six most frequently observed vulnerabilities on the Web were all discovered at least four years ago, and have all been patched for at least two years.
Most of the top 15 flaws detected by M86 Security were on Windows or Adobe applications, and most have been around for some time — MS Office Web Components active script execution, for example, has been known since 2002, yet it is still No. 2 on the most frequently detected list.
Who’s got your back? Not your antivirus program, says study  [english.themarker.com]
The study found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet.
If you think your antivirus software is protecting your computer, think again. Only 17% of all of the viruses on the web are detected by antivirus providers, according to research carried out by the Israeli firm Security Art, which examined the effectiveness of 42 antivirus programs, including programs sold by McAfee, Kaspersky, AVG and Aladdin as well as Symantec’s Norton antivirus program.
The study also found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet. Among the antivirus programs tested, the one with the best record was Mcafee with Artemis/GW, with a 17% success rate, followed by Microsoft with 16% and Sophos with 13%. Lower rates were registered for Norton, at 12%. Other products, from Trend Micro, Aladdin eSafe, Fortinet, and the most common, full version of McAfee, registered success rates of less than 10% in detecting the viruses.
A security researcher who analyzed data from two recently leaked databases concluded that the rate of password reuse is higher than previously believed.
Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, analyzed user passwords stolen from Gawker and rootkit.com.
The Gawker user database was leaked by hackers in the first half of December, while the rootkit.com one made its way onto the Internet just recently, after Anonymous hacked HBGary.
The Gawker leak was much bigger, exposing some 1.3 million logins and password hashes, compared to the 81,000 stolen from rootkit.com.
When intersecting the two databases, Bonneau found a number of 522 email addresses registered at both sites. Of those, about 456 were determined to be valid pairs.
The Home Office has pledged to spend £63m on the fight against cyber crime.
The move follows David Cameron’s announcement in October that Britain is to spend £650m on a new cyber security programme, as part of sweeping reforms to the UK’s defence capabilities.

Web Technologies

Java is out of date on more than 40 percent of machines
Wolfgang Kandeck, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company’s BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.
BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plugins include Flash and Reader (Adobe), Java (Oracle) and Silverlight (Microsoft) and Windows Media Player (Microsoft).
Ever wonder about that mysterious Content-Type tag? You know, the one you’re supposed to put in HTML and you never quite know what it should be?
Did you ever get an email from your friends in Bulgaria with the subject line ‘???? ?????? ??? ????’?
I’ve been dismayed to discover just how many software developers aren’t really completely up to speed on the mysterious world of character sets, encodings, Unicode, all that stuff. A couple of years ago, a beta tester for FogBUGZ was wondering whether it could handle incoming email in Japanese. Japanese? They have email in Japanese? I had no idea. When I looked closely at the commercial ActiveX control we were using to parse MIME email messages, we discovered it was doing exactly the wrong thing with character sets, so we actually had to write heroic code to undo the wrong conversion it had done and redo it correctly. When I looked into another commercial library, it, too, had a completely broken character code implementation. I corresponded with the developer of that package and he sort of thought they ‘couldn’t do anything about it.’ Like many programmers, he just wished it would all blow over somehow.
Some less obvious benefits of HSTS  [scarybeastsecurity.blogspot.com]
HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections.
Hopefully it’s about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.
The stated benefits of HSTS include:
* Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.
* Zero tolerance for certification problems. The user is not permitted to ‘click through’ anything such as a self-signed cert.
 [blog.ivanristic.com]
IronBee, a new Apache-licensed web application firewall
It is my great pleasure to announce the launch of IronBee, a brand new open source web application firewall. It’s a project whose main goal is build a universal application security sensor through focus on community-building first , code second. To that end, not only is the project open source, but it uses the Apache 2 license and does not require copyright assignments from contributors. How’s that for a conversation starter?
Spot the Vuln – Radical  [blogs.sans.org]
When you are right, you cannot be too radical; When you are wrong, you cannot be too conservative.
– Martin Luther King, Jr.
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC).
Yet another operation permitted across domains with no specific security checks is the ability to seamlessly merge