Security Weekly News Catchup 11 February 2011

Category Index

Hacking Incidents / Cybercrime / Data Leakage

 
Feds arrest 27 in credit card forgery scam that compromised hundreds of bank accounts
Manhattan District Attorney Cyrus R. Vance, Jr., this week announced indictments of 27 individuals in connection with ‘S3,’ a credit card forgery and identity theft ring based in Brooklyn that compromised hundreds of bank accounts and fraudulently purchased Apple products from stores around the country to resell for profit.
According to documents filed in court and statements made on the record in court, beginning in June 2008 the defendants, who called themselves ‘S3,’ obtained personal identifying information, such as the names and credit card account numbers, of identity theft victims.
 
Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.
The exchange’s trading platform, the part of the system that executes trades, wasn’t compromised, these people said. However, it couldn’t be determined which other parts of Nasdaq’s computer network were accessed.
Investigators are considering a range of possible motives, including unlawful financial gain, theft of trade secrets and a national-security threat designed to damage the exchange.
 
The title of strangest WTF story of my morning is Plentyoffish CEO Markus Frind recounting how his online dating site got hacked, he and his wife were harassed and someone clumsily attempted to extort his company in the aftermath of the events. If that is in fact what happened …
First up, Frind points out that the site was indeed hacked last week in a “well planned and sophisticated attack”.
 
The source code of an older version of ‘Kaspersky Internet Security’ has been circulated on the internet. The code was created in late 2007 and was probably stolen in early 2008. Names contained in the sources indicate that the stolen code was probably a beta version of the 2008 software package; the current release is Kaspersky Internet Security 2011.
 
Sourceforge.net attack  [sourceforge.net]
Yesterday our vigilant operations guys detected a targeted attack against some of our developer infrastructure. The attack resulted in an exploit of several SourceForge.net servers, and we have proactively shut down a handful of developer centric services to safeguard data and protect the majority of our services.
Our immediate priorities are to prevent further exposure and ensure data integrity. We’ve had all hands on deck working on identifying the exploit vector or vectors, eliminating them, and are now focusing on verifying data integrity and restoring the impacted services.
 
The ‘traffic’ probably stands for the number of records within the DB tables. The ‘goods’ in this case are probably the needed information for the ‘Level of Control.’ For ‘full site admin’ – probably the credentials and the URL of site administrator interface.
The hacker is also selling personally identifiable information (PII) from hacked sites, for $20 per 1K records:
 
The Carberp Trojan construction kit, which first emerged in the autumn, appears to be undergoing rapid development, according to reports from sources that include security services provider Seculert. F-Secure analyst Toni Koivunen is already calling it the rising star of the banking trojan world.
 
Hull and East Yorkshire Hospitals NHS Trust has apologised after patient data was stolen from a doctor’s home.
The data, which included 1,000 patients’ names, dates of birth and hospital treatment, was on a laptop that had been taken home, contravening policy, and was stolen from the doctor’s home in November.
Talking to BBC News, Dr David Hepburn, medical director for Hull and East Yorkshire NHS Trust, said steps had been taken to prevent patient details being downloaded from computers but it was more difficult to control information being sent by email.
 
Registry not available  [en.emissionshandelsregister.at]
Umweltbundesamt GmbH as registry and ECRA GmbH as registry service provider inform that for security reasons all access to the Austrian emissions trading registry has been locked because of a hacker attack on 10 January 2011. The Austrian registry can therefore not be reached until further notice.
 
According to media reports, last August the London Stock Exchange was the victim of a cyber-attack which resulted in a collapse in the share prices of at least five companies. On the 24th of August, the value of BT’s shares fell by nearly £1 billion. The London Stock Exchange (LSE) responded by suspending trading.

Unpatched Vulnerabilities

 
Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011. The vulnerability exists in all supported versions of MS Windows except for Windows Server 2008 with Server Core. Other installed applications (Adobe Reader, etc.) may be leveraged locally via Internet Explorer (including Outlook, etc.).
There appears to be a myriad of ways it can be leveraged and a lot of thought and creativity is being poured into that. So now would be a good time to: test and consider the registry workaround (see advisory); to review group policies for zone settings for Internet Explorer; and to review detection options for email gateways and proxies/NIDS/etc.
 
A security vulnerability in the Android browser which could be exploited to steal data, and was disclosed back in November 2010, is still exploitable in the latest version of the smartphone operating system (version 2.3, ‘Gingerbread’). Security researcher Xuxian Jiang of the University of North Carolina reports that it is possible to bypass the patch which was supposed to fix the vulnerability.
 
At the IT-Defense 2011 security conference, organised by services company cirosec, Mac security experts Dino Dai Zovi and Charlie Miller demonstrated a further zero-day exploit for the 64-bit version of Safari 5. Miller’s demonstration involved taking control of the Safari process on a fully patched MacBook by calling a simple URL. The two specialists are not keen to reveal too many details, as they may be able to profit by using the exploit at the Pwn2Own contest in early March.

Software Updates

 
 
Microsoft has released to manufacturing (RTM) Service Pack 1 (SP1) for Windows Server 2008 R2 and for Windows 7. According to the release announcement, SP1 will be provided to volume licensees, MSDN and TechNet subscribers on 16 February; from 22 February all other customers will receive the update via the Windows Update service. It will also be available from the Windows Download Center.
 
1. Vulnerability
Legacy certificates generated by OpenSSH might contain data
from the stack thus leaking confidential information.
2. Affected configurations
OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy
certificates. These must be specifically requested using the
‘-t’ option on the ssh-keygen CA command-line.
3. Mitigation
Avoid generating legacy certificates using OpenSSH 5.6 or 5.7.
If legacy certificates have been issued with a vulnerable
OpenSSH version, consider rotating any CA key used.
 
The phpMyAdmin developers have announced the release of version 3.3.9.1 and 2.11.11.2 of their database administration tool, security updates that fix a path disclosure vulnerability. According to the developers, when the README, ChangeLog or LICENSE files are removed from their original location, the scripts used to display these files can show their full path, possibly leading to further attacks.
 
Critical vulnerabilities have been identified in Adobe Reader X (10.0) for Windows and Macintosh; Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations.
 
The Ruby on Rails developers have released version 2.3.11 and 3.0.4 of Ruby on Rails which are maintenance and security updates that address four security vulnerabilities in the open source web framework. According to the developers, the latest updates address a cross-site scripting (XSS) vulnerability in the mail_to helper when used with the :encode => :javascript option, as well as a cross-site request forgery (CSRF) vulnerability that could allow an attacker to circumvent built-in protections. All versions up to and including 2.3.10 and 3.0.3 are said to be affected.
 
Less than one week after Chrome 9 was released into the browser’s stable branch, Google has released version 9.0.597.94 of Chrome for Windows, Mac OS X and Linux, a maintenance and security update. The security update addresses a total of five vulnerabilities in the WebKit-based browser, three of which are rated as ‘High’ priority.
 
OpenOffice Security Fixes  [www.openoffice.org]
OpenOffice.org has released several security bulletins affecting various components of OpenOffice. Some of these security issues may allow a remote unprivileged user to execute arbitrary code.
 
Tandberg C Series Endpoints and E/EX Personal Video units that are running software versions prior to TC4.0.0 ship with a root administrator account that is enabled by default with no password. An attacker could use this account in order to modify the application configuration or operating system settings.
Resolving this default password issue does not require a software upgrade and can be changed or disabled by a configuration command for all affected customers. The workaround detailed in this document demonstrates how to disable the root account or change the password.
 
Posted February 7, 2011 by Andrew Nacin. Filed under Releases, Security, Testing.
WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.
This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.
 
ClamAV 0.97 has been released!  [blog.clamav.net]
Since the release of ClamAV 0.97rc, there have been several bug fixes:
* libclamav/vba_extract.c: fix error path double free (bb#2486)
* libclamav/phishcheck.c: fix some missed safebrowsing URLs (bb #2514)
* libclamav/matcher-bm.c: fix error message (bb#2513)
* libclamav/matcher-hash.c: stop leaking virusnames (nopool mode)
 
Snort 2.9.0.4 is currently slated for release on Thursday. It brings about several improvements to the Snort code and documentation (thanks to those members of the Snort Community who submitted bugs for both the code and documentation!), as well as the inclusion of SaaC (Snort as a Collector) code for Razorback.
 
This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting ‘2.2250738585072012e-308’ to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (i.e. it may be exploited over a network without the need for a username and password). Successful exploitation of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete denial of service) of the Java Runtime Environment. Java-based application and web servers are especially at risk from this vulnerability.
 
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26.
 
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions update to Adobe Shockwave Player 11.5.9.620 using the instructions provided below.
 
Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to cross-site scripting, session fixation, CRLF injection and information disclosure. Adobe recommends users update their product installation using the instructions provided below.
 
Updated versions of the Cisco Nexus 1000V virtual switch address a denial of service in VMware ESX/ESXi.
 
Chrome 9.0.597.84 on Mac OS X. Previously only available in the Beta channel, Google has released version 9 of the Chrome web browser into the stable channel. This major update to the WebKit-based browser now brings the Chrome Web Store to all users in the United States and features the addition of support for WebGL.
 
The PostgreSQL developers have released security updates for the database system, with new versions, 9.0.3, 8.4.7, 8.3.14 and 8.2.20 released for the 9.0, 8.4, 8.3 and 8.2 active branches. The update includes a fix to prevent a buffer overrun in the contrib intarray module’s input function which could allow a return address to be overwritten by malicious code. As the affected module is an optional install, the only users affected are those that have installed the intarray module; this contains useful functions for manipulation of one dimensional arrays of integers.
 
The Internet Systems Consortium (ISC) has released an update to address a denial of service (DoS) vulnerability for the DHCPv6 server. According to the ISC report, when the DHCPv6 server processes a message for an address that was previously declined it can trigger an assert failure resulting in the server crashing. This can be remotely exploited to disrupt the allocation of IPv6 addresses. This issue only affects DHCPv6 servers – DHCPv4 servers are unaffected.
According to the ISC, versions 4.0.x to 4.2.x of the DHCPv6 server are affected. Upgrading to 4.1.2-P1, 4.1-ESV-R1 or 4.2.1b1 solves the problem.
 
A bug in the way path names are evaluated means that it is possible to view the content of arbitrary files on a Majordomo mailing list system using the help command. The vulnerability can be exploited via both the web and email interfaces in Majordomo2. According to a security advisory, simply sending an email with the content help ../../../../../../../../../../../../../etc/passwd to the Majordomo account is sufficient to receive a response containing the content of the /etc/passwd file. The bug is fixed in snapshot versions majordomo-20110125 (direct download) and later.
 
The VideoLAN project has issued version 1.1.7 of its VLC Media Player, a free open source cross-platform multimedia player for various audio and video formats. This eighth release of the 1.1.x branch of VLC is a maintenance and security update that addresses a critical vulnerability that was reported earlier this week.
 
The new version of the Opera web browser closes the critical hole that was reported earlier this week; this vulnerability allows attackers to gain control of a computer. The problem was caused by a flaw in the code for processing HTML documents which contain select elements with a large number of child elements. In combination with further tricks, this flaw allows arbitrary code to be injected and executed.
 
The Apache CouchDB Project developers have issued version 1.0.2 of their NoSQL document-oriented database, a maintenance and security update. According to security specialist Secunia, the update addresses several cross-site scripting (XSS) vulnerabilities that could be exploited by an attacker, possibly leading to the execution of arbitrary HTML and script code in a user’s browser session. The issue is caused by certain unspecified input not being properly sanitised before being returned to the user. Versions 0.8.0 to 1.0.1 are reportedly affected. All users are encouraged to upgrade to the latest release.
 
The sendmail mechanism of the Ruby mail gem has been found to be vulnerable to crafted email addresses which can inject arbitrary commands into the underlying system. Any application that implements sendmail-based delivery, and which uses the Ruby mail gem 2.2.14 or earlier, is vulnerable. The issue will also affect Ruby on Rails 3.0.x applications which use the sendmail delivery mechanism.
Version 2.2.15 of the mail gem has been released in order to fix the problem.
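To illustrate the class of bug described above, here is an added example (not the mail gem’s own code) that contrasts a delivery routine which interpolates addresses into a shell command string with a hardened one that validates every address and spawns sendmail without a shell. The sendmail path and the address pattern are assumptions.

```ruby
# Constructed example: why an unvalidated address is dangerous when delivery
# shells out to sendmail, and a hardened version that never goes through a
# shell. This is illustrative code, not the mail gem's implementation.

SENDMAIL = '/usr/sbin/sendmail'  # assumed path of the sendmail binary

# Conservative address pattern: local part and domain are restricted to
# characters that a shell never interprets and that cannot start an option.
SAFE_ADDRESS = /\A[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}\z/

# Naive: builds one command string that /bin/sh will parse, so any shell
# metacharacter inside an address becomes part of the command line.
# Returns the string a backtick or popen-with-string call would execute.
def naive_sendmail_command(from, to)
  "#{SENDMAIL} -i -f #{from} -- #{Array(to).join(' ')}"
end

# Hardened: rejects any address outside the safe pattern and returns an
# argv array, so the process is spawned without a shell and each address
# is a single literal argument (the '--' also stops option parsing).
def safe_sendmail_argv(from, to)
  recipients = Array(to)
  ([from] + recipients).each do |addr|
    unless SAFE_ADDRESS.match?(addr)
      raise ArgumentError, "unsafe address rejected: #{addr.inspect}"
    end
  end
  [SENDMAIL, '-i', '-f', from, '--', *recipients]
end

# Delivery helper using the argv form; IO.popen with an array never
# invokes a shell. Not executed in this example.
def deliver(from, to, body)
  IO.popen(safe_sendmail_argv(from, to), 'w') { |io| io.write(body) }
end
```

With a constructed address such as "user@example.com; id", the naive command string contains the injected text verbatim, while the hardened version raises before anything is spawned.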
 
The Exim developers have released version 4.74 of their message transfer agent (MTA), a maintenance and security update that addresses a privilege escalation vulnerability. The problem, which could allow attackers to gain root privileges, is caused by an error in the ‘open_log()’ function that does not check a return value before creating log files. This could allow an attacker with ‘run-time’ user privileges to append malicious content to arbitrary files with root privileges. Versions up to and including Exim 4.73 are reportedly affected. All users are encouraged to upgrade to the latest release.
 
Security update for RealPlayer  [www.h-online.com]
RealNetworks has released an update for RealPlayer that eliminates a security vulnerability related to the parsing of AVI files. According to a security bulletin on the Zero Day Initiative web site, a buffer overflow occurs in vidplin.dll. Prepared file headers can be used to inject and execute code.

Business Case for Security

 
INSIDER THREAT TESTING  [www.room362.com]
This day and age everyone is worried about the insider threat. Internal Penetration Testing doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers. External Penetration Tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume. Mostly because they are scared to find out, it’s happened to them before, or one of a million different justifications. I’ve got a webinar coming up to describe exactly this type of testing, but I thought I’d go into it a bit here.
 
The European statistics agency Eurostat, based in Luxembourg, announced on Monday that in the last year nearly one in three internet users in European Union countries has experienced a problem with malware. According to the Eurostat report, 31% of computer users had a malware infection in 2010, which led to a loss of data or time. Any financial losses were not quantified. In compiling the survey, Eurostat used data mostly for the second quarter of 2010 from people in the 27 EU member states in the age range of 16 to 74.
 
Six months ago, the Zero Day Initiative (ZDI) announced that it would no longer tolerate vendors taking a long time to fix security flaws in their products and would release information on vulnerabilities after a maximum of 180 days. They’ve now lived up to their promise and released information on 22 long-running security problems.
 
Cost of a Data Breach  [www.encryptionreports.com]
This Ponemon Institute annual survey documents the high costs that result when companies lose customer data.
 
My last post outlined 3 things that virtually guaranteed the swift and untimely demise of any software security assurance program. One of you loyal readers (actually, it was eventually more than just one) then pointed out that simply pointing out what was wrong just wasn’t my way of doing things – so I had to write a follow up post that outlined the things that I felt that a solid SSA program needed.
Luckily, I just so happen to have a Top 4 handy. Why top 4, you ask? Because there really are 4 components that make up a successful software security assurance program. More importantly, there are 4 things that I have personally witnessed and implemented that have contributed greatly to the success of many programs, and so without further ado here is my list of 4 Components of a Successful Software Security Assurance Program.
 
Attackers exploited more new vulnerabilities in January than usual, writing exploits for half of ‘critical’ vulnerabilities
The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited, a new report says.
Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet’s newly released January 2011 Threat Landscape report. Close to half of ‘critical’ vulnerabilities were exploited by attackers, the report found.

Web Technologies

 
Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious. The following list comes from empirical data after seeing the architecture of many enterprise applications and the downstream effects of security.
1. Session Replication
Load balancing is a must-have for applications with a large user base. While serving static content in this way is relatively easy, challenges start to arise when your application maintains state information across multiple requests. There are many ways to tackle session replication; here are some of the most common:
 
Spot the Vuln – Light  [blogs.sans.org]
 
 
 
 
Web Browsers and Opt-In Security  [jeremiahgrossman.blogspot.com]
The last decade has taught us much about computer and information security. We’ve learned the importance of Secure-By-Default because people rarely harden their “security” settings as standard practice. We’re also painfully aware that security is often a trade-off between functionality and usability, which requires a balance be made. Ideally this balance is decided between what level of security a product claims and the customer’s expectations. Operating systems and Web servers have taken a strong supporting stance with regards to Secure-By-Default. Web browsers, well, I think there is much room for improvement.
 
Modern browsers are incredibly complex beasts, pushed well beyond their intended limits – and in that capacity, broken in more ways than we can imagine. We are only beginning to scratch the surface of all the design problems ahead of us – say, new and unexpected classes of UI vulnerabilities – but even within the bounds of what we understand and know how to fix, some fascinating and very human discourse patterns emerge… and will ultimately shape the future of the web.
The dominant theme of some of the security-relevant debates we are having today is that of aesthetics – an argument most prominently embodied by the controversy around Mozilla’s Content Security Policy, an ambitious (and now scaled back) vision for controlling the interactions between all content on the web.
 
HTTP statuses graph  [www.aisee.com]

Network Security

 
When a call starts off with ‘I think we’ve had an incident’ or ‘something isn’t right’, actual proof that an event or incident has really occurred is a must*. If it’s some odd happening on Windows, then it’s time to look at the Windows event logs. Windows has three standard event logs: application, system and security. The one most security folks need to keep an eye on is the security event log.
Some questions to ask or ponder about your Windows security logs:
Do you review or monitor them?
How big are the log files?
What happens when the log files are full?
Do you know if security audit policies are in place?
Do you have different audit policies for certain systems?
Are all your machines using the same time reference?
Can you recognize the event IDs that could mean trouble?
 
Today, IANA announced that it had handed out two more /8 IPv4 assignments to APNIC. As a result, IANA is down to 5 /8s, triggering its special policy to hand out one address to each regional registrar (RIR). The 5 RIRs are AFRINIC (Africa), APNIC (Asia Pacific), ARIN (North America), LACNIC (Latin America) and RIPE (Europe). [1]
IANA hands IP address space to the RIRs in chunks of /8s, who then pass it on to ISPs, who then pass it on to end users. Some large end users may approach their RIR directly, and some ‘legacy assignments’ are managed by IANA directly.
But in the end, what does this all mean?
 
The European Network and Information Security Agency (ENISA) has issued a new guide on good practice, practical information and guidelines for the management of network and information security incidents by CERTs.
Recent reports of increased cyber attacks have made the need for and use of the Agency report on how to fight cyber attacks even more topical and current.
 
Recently I saw an email at Full Disclosure (here & here?), which provides a typical File Descriptor exhaustion bug and I decided to use it as a demonstration bug for this post. There are situations in which a File Descriptor exhaustion issue can help when trying to take advantage of certain conditions (in many cases local). In most of these cases exploitation will involve some kind of race condition.
The example described below aims at disabling a Linux security countermeasure, and possibly that of other OSs which implement the same type of protection in a similar way. Note that below I am demonstrating this issue in older kernel/libc versions, due to changes in the way that this protection is implemented in newer versions which protect against this.
 
 
move over tsgrinder/tscrack hello ncrack!  [carnal0wnage.attackresearch.com]
Wed, 02/09/2011 – 17:53 by cg
So thanks to mubix for telling me that ncrack now supports RDP. Very cool stuff.
user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10

Mobile Security

 
Google’s revamp of its Android Market allows Android users to initiate the download and installation of apps from their PCs. To do this, users merely have to enter the Google mail account which links the Android smartphone to Android Market.
This is certainly practical, but unfortunately the smartphone itself does not then ask the user to confirm that they want to install the app. This means that an attacker with access to Google mail details, perhaps stolen by a trojan, could remotely install an app placed on Android Market onto a user’s device. This would allow infection of the PC to lead to infection of the smartphone. Banking trojans such as ZeuS already do this, but in a somewhat different manner.
 
A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.
Once installed, Soundminer sits in the background and waits for a call to be placed, hence the access to the ‘Phone calls’ category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number.
 
Lost iPhone = lost passwords  [www.h-online.com]
Fraunhofer researchers Jens Heider and Matthias Boll have succeeded in reading saved passwords from an iPhone despite it being locked with a passcode. This means that a lost or stolen iPhone continues to represent a serious security problem even with the latest iPhone version.
 
Angelos Stavrou who teaches computer science at George Mason University near Washington DC and his student Zhaohui Wang have rewritten the Android operating system’s USB driver so that any connected device can be controlled without authentication and in some cases without alerting the host user.
The attacker is able to type commands and manipulate the mouse pointer as if he were in control of the primary mouse and keyboard.
If you’ve ever allowed someone to charge their phone using your PC’s USB port you’ll be aware of the implications here, but we would be more worried about what would happen if you added a wireless USB dongle into the mix.
How many of us regularly check exactly what is hanging out of the back of our boxes? We know in our case that temporary USB connections are made using either the front panel ports or a desk-dwelling hub. It could feasibly be months before something going bang or a dropped bacon sandwich would force us to assume the position and go crawling around in the dust-ridden zone of spidery doom under our desks.
 
The new generation of mobile phone technology makes it possible to communicate directly from one telephone to another without having to rely on base stations. A dissertation at Linköping University presents a program that runs on telephones and can deliver messages even when the infrastructure for telecommunication has been knocked out.
Natural disasters in recent years have shown how vulnerable our society is to unforeseen and disruptive events. At the same time we have seen that there is a strong will to help people in crisis areas. But for rescue operations to work, telecommunications need to be up and running.
Mobile telephone base stations and satellite telephones are of major importance, but they have their limitations in terms of cost, construction time, and access on a large scale. Mikael Asplund, a doctoral candidate in computer science, is now presenting, among other things, a complement to existing communication channels in a crisis.

Wireless Security

 
Huawei models HG520b, HG520c and HG530
Huawei HG520 and HG530 routers are vulnerable to weak cipher attacks. It is possible to generate the default WEP/WPA key of Huawei HG520 routers. The purpose of this document is to explain the process of developing a key generator for these devices.
Huawei router models HG520b and HG520c contain a key generator command (mac2wepkey) in their TELNET interface. They also contain a command to change the MAC address (fakemac).

Cryptography / Encryption

 
Another English post? Yes, because this is related to the first Security By Default Wargame that took place a few days ago. Congratulations to Int3pids!
Nowadays, I think most security-related people know the importance of random numbers in cryptography. We need to generate IVs, session keys, challenges, tokens, etc. that make our crypto systems secure; if the PRNG is predictable the whole system is shattered (right Sony? btw, remember the “Crypto Tales” talk? check slide 29 xD)

Privacy and Censorship

 
The Facebook social networking site now offers secure data transmissions via SSL, not only during log-in, but also for all its other pages. This means that even cookies are now transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using such tools as Firesheep.
 
Every time you post a photo online from your smartphone, you’re potentially identifying exactly where you were when you shot the picture. Digital images are encoded with geotags that record the coordinates, which can be easily uncovered by anyone with the software and know-how.
Fox News speaks to a security expert behind the ominously named site icanstalku, which decodes images at random to give Twitter shutterbugs a reality check.
 
DUBAI, United Arab Emirates — Iran’s top police chief envisions a new beat for his forces: patrolling cyberspace.
‘There is no time to wait,’ Gen. Ismail Ahmadi Moghaddam said last week at the opening of a new police headquarters in the Shiite seminary city of Qom. ‘We will have cyber police all over Iran.’
 
A group of companies sent a letter to Attorney General Eric Holder and ICE boss John Morton today (with cc’s to VP Joe Biden, Homeland Security boss Janet Napolitano, IP Czar Victoria Espinel, Rep. Lamar Smith, Rep. John Conyers, Senator Patrick Leahy and Senator Charles Grassley), supporting the continued seizure of domain names they don’t like, as well as the new COICA censorship bill, despite the serious Constitutional questions raised about how such seizures violate due process and free speech principles. While many reporting on this letter refused to actually post a copy of the full letter, kudos to Greg Sandoval over at News.com for doing so (full text also included after the jump on this post).
The companies try to present a united front that censoring the internet is a good thing. It includes the usual suspects of Viacom and NBC Universal on the content side and Louis Vuitton and Tiffany on the counterfeiting side, but there are a few other interesting names.
 
Man fought the law and the law man won
A Seattle man has been acquitted of all charges brought against him when he refused to show ID to TSA officials and videotaped the incident at an airport security checkpoint.
Prosecutors’ case against Phil Mocek was so weak that he was found not guilty without testifying or calling a single witness, the Papers, Please! blog reported. The Daily Conservative said Friday’s acquittal was the first time anyone has “successfully challenged the TSA’s assumed authority to question and detain travelers.”
 
A couple of days ago one of our readers, Thomas, wrote about weird DNS requests that he was seeing coming from his machine. After spending some time on it, he found out that Chrome was sending those requests, which he could not explain, every time it started.
Since I spent some time on this a (long) time ago, I decided to pay more attention to Chrome’s DNS requests (besides that, this diary might help someone who stumbles upon the same thing in the future).

Social Engineering

 
At my godson’s request, I continue with another Social Engineering anecdote, but this time at a bank.
During a penetration test for a client, specifically a Bank, we were asked to carry out various Social Engineering tests. One of them consisted of physically entering the headquarters building and trying to reach the Manager’s offices.

General

 
Kevin Butler: Sony’s fictional character created for one of its advertising campaigns. Source: Sony Computer Entertainment
Kevin Butler, a fictional character created for a Sony Computer Entertainment America advertising campaign and played by actor Jerry Lambert in the company’s commercials, has the gift of the gab and is always up for a quick joke. However, when Twitter user exiva sent him the cryptic message ‘46 DC [string shortened] B2 C2 Come at me, @TheKevinButler’, he obviously didn’t realise that the string of hexadecimal codes was, in fact, the PlayStation 3 ‘HMAC Dongle Master Key’ which hackers have long used to jailbreak PS3 devices.
 
Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.
The most common of these off-ATM skimmers can be found near cash machines that are located in the antechamber of a bank or building lobby, where access is controlled by a key card lock that is activated when the customer swipes his or her ATM card. In these scams, the thieves remove the card swipe device attached to the outside door, add a skimmer, and then reattach the device to the door. The attackers then place a hidden camera just above or beside the ATM, so that the camera is angled to record unsuspecting customers entering their PINs.
 
Linux vulnerable to USB worms  [www.h-online.com]
At the ShmooCon hacker conference, security expert Jon Larimer from IBM’s X-Force team demonstrated that Linux is far from immune to attacks via USB storage devices. During his presentation, the expert obtained access to a locked Linux system using a specially crafted USB flash drive, taking advantage of a mechanism that allows many desktop distributions to automatically recognise and mount newly connected USB storage devices and display their contents, in this case in the Nautilus file explorer. The desktop will do this even if the screensaver is already active.
 
There’s hardly a more prominent financial product in America today than the almighty credit card. Nearly everybody has at least one – almost 80% of consumers in 2008, according to the Federal Reserve Bank of Boston – and many use it on a daily basis. Without a doubt, there are also those consumers who know their credit card numbers by heart (makes online shopping and booking travel so much easier, if anything). But how many of you know what those numbers really mean? Contrary to what you may think, they aren’t random. Those 16 digits are there for a reason and, knowing a few simple rules, you could actually learn a lot about a credit card just from its number. This infographic shows you how to crack that code.
 
Security specialist Sami Koivu has released details of a security vulnerability in Java which he reported to Sun in 2008. Tests by heise Security confirm that it remains unpatched.
The vulnerability concerns the JFileChooser dialog, which can be used by Java applets to rename files without user interaction. A slightly modified version of the demo applet running under the current version 1.6.0_23 of Java is able to move a link from the desktop to another folder. With a little refinement, this modification of the local file system (something which unsigned applets are not supposed to be able to do) could be used to far more iniquitous ends.

Tools

 
Metasploit Framework 3.5.2 Released!  [blog.metasploit.com]
On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework. The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory. Today we are releasing version 3.5.2 to fix this vulnerability.
 
rdp2tcp  [rdp2tcp.sourceforge.net]
rdp2tcp is a tunneling tool on top of the Remote Desktop Protocol (RDP). It uses RDP virtual channel capabilities to multiplex several port forwardings over an already established rdesktop session.
Available features:
* tcp port forwarding
* reverse tcp port forwarding
* process stdin/out forwarding
* SOCKS5 minimal support
The code is split into 2 parts:
* the client running on the rdesktop client side
* the server running on the Terminal Server side
 
Volatility is a popular open source framework for performing memory forensics. The current production version of Volatility is 1.3. The Volatility development team is putting finishing touches on version 1.4, which is currently in the Release Candidate 1 status. While there may still be some bugs to be ironed out, Volatility 1.4 RC1 is sufficiently stable for general exploration and experimentation.
 
Welcome to Debug Analyzer.NET !  [www.debuganalyzer.net]
Having a job where you need to deal with memory dumps for customer issues, it’s always good to have some cool tools to ease your job. When you start analysing the same kind of issues, this thought arises: ‘why not automate’ the analysis.
Two years ago I started working on Debug Analyzer.NET since I was unable to find a debug automation tool suitable for my requirements.
Unlike a typical developer, I put a lot of effort into thinking how the experience should be and how it could cater to everyone with different levels of debugging knowledge.
It boiled down to usefulness and ease of writing analysis without learning an entirely new way of programming, by using the world’s best developer framework, ‘.NET’.
 
Educational Malware (Spanish)  [www.elladodelmal.com]
 
PREfast for Drivers  [www.microsoft.com]
PREfast for Drivers (PFD), an extension of PREfast, is a compile-time static verification tool that detects errors missed by the compiler and by conventional runtime testing. It detects common coding errors in C and C++ programs, and is designed to detect errors in kernel-mode driver code. You can run PFD very early in the development cycle, as soon as the code compiles correctly. PFD is integrated into the Windows 7 build environments in the Windows Driver Kit (WDK) as well as into Windows Automated Code Review (known as OACR). PFD supports a large vocabulary of annotations beyond those supported for generic PREfast, including annotations for IRQLs, resource-object leaks, memory leaks, and stricter type checking.
 
Nmap 5.50 released  [nmap.org]

Funny

 
Most users have at least wished for bad things to happen to their machines, Avira study says
 
A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and — during the routine background check — someone investigated why his wife was on the no-fly list.
 
Found a way to speed up waking up/coffee consumption…  [yfrog.com]
 
eff the world  [boxerhockey.fireball20xl.com]
 
Life in the trenches  [yfrog.com]
 
Toolbar hell  [webmaster-bibel.de]
 
Patching a patch (Spanish)  [www.elladodelmal.com]
When Apple released the Mac OS X Snow Leopard 10.6.5 update in November, it made a lot of friends. After users complained about assorted problems, the most worrying was that Mac OS X machines whose entire hard disk was encrypted with Symantec PGP were left unable to boot. Many dismissed the update as garbage, and Apple had to, without saying a word, re-publish a patched 10.6.5 update.
 
Puppy Tweets  [puppytweet.com]
Puppy Tweets™ is the electronic dog tag that sends messages to your home computer, then Tweets to you! Puppy Tweets™ is a tag with a sound and motion sensor that you attach to your pet’s dog collar and connect its USB receiver to your computer.
 
A New Zealand woman was temporarily partially paralyzed by a hickey on her neck from her amorous partner, AFP reported Friday.
The 44-year-old woman went to the emergency department of Middlemore Hospital in Auckland last year after experiencing loss of movement in her left arm while watching television, doctors reported in the New Zealand Medical Journal.