Security Weekly News 1 April 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

Comodo has confirmed that two other resellers have been compromised since the ‘Comodogate’ attacks which saw an attacker generate forged certificates for login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org. According to Comodo’s CTO, Robin Alden, no further certificates were issued as a result of these compromises at the two RAs (Registration Authorities). The disclosure will do little to reduce the worry that other forged certificates could be in circulation.
This trojan is supposedly from the German police and it wants money
Source: AV-Test Security firm AV-Test has warned of a new trojan that targets Windows PCs (XP, Vista, Windows 7) and displays a notice allegedly sent by the German Federal Criminal Police Office about illegal PC content. The notice says that the computer has been locked down because of this illegal content and will only be unlocked once the user has paid €100 through an anonymous payment service, and that otherwise the user’s hard disk will be erased. This is, of course, a scam.
LizaMoon mass injection hits over 226,000 URLs (was 28,000)  [community.websense.com]
Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.
The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:
MySQL.com Database Compromised By Blind SQL Injection  [techie-buzz.com]
An email was sent out earlier today on the Full-Disclosure mailing list, detailing the compromise of numerous MySQL websites along with portions of their database containing usernames and passwords.
MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability for the attack, completed using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by ‘TinKode’ and ‘Ne0h’ of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by ‘Jackh4x0r’.
The stolen database contain both member and employee email addresses and credentials, as well as tables with customer and partner information and internal network details. Hashes from the database have been posted, with some having been already cracked.
A submission to XSSed.com also details an XSS (Cross Site Scripting) vulnerability affecting MySQL.com that may have provided a secondary entry point for compromising visitors or employees with the organization since early January of 2011.
Hackers steal usernames and passwords from Oracle customer site
If you’re a TripAdvisor member, check your in-box.
Here’s a message from the CEO that landed in mine:
‘To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.
How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.
The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.
The very existence of the c:WindowsSL directory is enough to trigger and alarm
Source: AV-Test On Wednesday, the US news site NetworkWorld posted a dramatic story that Samsung was supposedly installing keyloggers on laptops it sold. The story turns out to be a false alarm from the VIPRE anti-virus software.

Software Updates

A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store.
This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password.
Cisco Network Admission Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network.
Cisco has released free software updates that address this vulnerability
VMware vmrun is a utility that is used to perform various tasks on
virtual machines. The vmrun utility runs on any platform with VIX
libraries installed. It is installed in VMware Workstation by
default.
In non-standard filesystem configurations, an attacker with the
ability to place files into a predefined library path, could take
execution control of vmrun.
Nowadays, administrators have to keep an eye on more than just the security of servers and desktop computers. Even mostly inconspicuous peripheral devices such as network printers can present security issues if they contain vulnerabilities.
Security specialist Secunia reports that a hole in Google’s Picasa image management and editing software that allows attackers to compromise Windows computers. According to Secunia’s advisory, the vulnerability (CVE-2011-0458), rated as ‘highly critical’. It involves what is called ‘DLL hijacking’ or ‘binary planting’. An application is vulnerable to the attack when it loads libraries in an insecure manner. This, in turn, may allow an attacker to execute arbitrary code. For a remote attack to be successful, a victim must first be tricked into opening a specially crafted file on a remote WebDAV or SMB share via the built-in ‘Locate on Disk’ function.
Google has released version 10.0.648.204 of its Chrome web browser, a maintenance and security update to the Chrome 10 stable branch. The update addresses a total of six vulnerabilities in the WebKit-based browser that can be ‘exploited by malicious people to compromise a system’ and rates all of them with a ‘High’ priority. Secunia, for example, rates the vulnerabilities as highly critical.
In a post on the project’s security announce mailing list, Ubuntu Release Manager Kate Stewart has reminded users that Ubuntu 9.10, code named Karmic Koala, will reach its end of life at the end of April. As such, after Friday 29 April 2011, no new updates, including security updates and critical fixes, will be available.

Business Case for Security

Hacks so far… WHID Stats  [yfrog.com]
Log management, compliance reporting, real-time monitoring, forensic investigation, and incident response still not coordinated, according to SenSage study
Many enterprises think their security processes are failing to meet their potential due to a lack of coordination, benchmarking, and proactive improvement among the various ‘silos’ of functionality, according to a new survey published yesterday.
The survey, conducted by SIEM vendor SenSage at the 2011 RSA Conference in San Francisco, polled more than 375 show attendees on the effectiveness of five critical security processes: log management, compliance reporting, real-time monitoring, forensic investigation, and incident response

Network Security

Though I didn’t realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
Most organizations have policies to disallow wireless access points not controlled by the organization which then requires trying to find such devices when they crop up. There are commercial devices that can be deployed to do this and you could always have someone do a walkthrough with a laptop. However, there are some network tricks you can use to provide another ‘dirty’ detection method.
If rogue APs are plugged into your network, they will decrease the TTL value in all packets by one that traverse through the access point. This can make it easy to detect the presence of those by using p0f/tcpdump/snort to look for packets that have TTL values that are lower than expected. This also works for unauthorized routers, virtual images, bad network stack configurations, etc. It won’t detect APs that aren’t plugged into your network and has some gaps (for instance, a savvy individual could modify the TTL they use before sending packets out), but again it is a ‘dirty’ method of detection. The advantage of looking for bad ‘TTLs’ is that you will also have advance detection of network problems as well.
The Changing Wireless Attack Landscape  [www.willhackforsushi.com]
I’m en-route to the SANS Orlando 2011 conference, getting ready to teach SEC617 Ethical Hacking Wireless. I’m really excited about some new material and a changing focus on the SEC617 course.
Over the past couple of years we’ve seen a definite change in wireless hacking techniques and tools. While we are still seeing attacks against weak deployments of WPA/WPA2 and EAP-based authentication protocols, more and more wireless attacks are targeting ‘other’ wireless protocols.
Years ago, while working as a Network Engineer, I did a bit of sniffing of our wireless access points. I noticed that some access point, mainly Cisco, broadcast the Access Point’s name. I also noticed that the same access point will use a slightly different MAC Address (BSSID) for each SSID (ESSID). Typically the last nibble (half byte), or two, changes. I thought that was interesting, and moved on.
Changing Passwords  [www.schneier.com]
How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy: people who finally memorized their current password and are realizing they’ll have to write down their new password. How could that possibly be more secure, they want to know.
The answer depends on what the password is used for.
Adobe Flash CVE-2011-0609  [blog.metasploit.com]
Recently, I spent about a week and a half working on the latest 0-day Flash vulnerability. I released a working exploit on March 22nd 2011. The original exploit was just an attempt to get something working out the door for all of our users. The first attempt left a lot to be desired. To understand the crux of this vulnerability and what needed to be done to improve the first attempt at exploiting it I had to dig in deep into ActionScript.

Web Technologies

Abraham’s note: Do you ever use $_SERVER[‘PHP_SELF’]?
Content Security Policies are designed to prevent cross-site scripting and other attack types. Firefox 4 is the first browser to support this new concept.
Cross-site scripting (XSS) has become the plague of the internet, and even the banks haven’t managed fully to tackle this problem on their web sites. However, XSS attacks on browsers could soon be a thing of the past, at least for Firefox users: the Mozilla Foundation’s latest version 4 of Firefox supports the concept of Content Security Policy (CSP). This allows web administrators to tell browsers which domains to accept as trusted sources of JavaScript code by sending the special X-Content-Security-Policy HTTP header.
When CSP is enabled, JavaScript code embedded in HTML documents is no longer executed by default. Whether the code was already included in the original HTML document or injected during an attack will make no difference – the code will simply be ignored by the browser. CSP will consequently also thwart typical XSS attacks that use specially crafted URLs containing embedded JavaScript.
(Mostly) good password resets  [www.skullsecurity.org]
This is part 3 to my 2-part series on password reset attacks (Part 1 / Part 2). Overall, I got awesome feedback on the first two parts, but I got the same question over and over: what’s the RIGHT way to do this?
So, here’s the thing. I like to break stuff, but I generally leave the fixing to somebody else. It’s just safer that way, since I’m not really a developer or anything like that. Instead, I’m going to continue the trend of looking at others’ implementations by looking at three major opensource projects – WordPress, SMF, and MediaWiki. Then, since all of these rely on PHP’s random number implementation to some extent, I’ll take a brief look at PHP.
Mythbusting: Static Analysis Software Testing – 100% Code Coverage  [blog.whitehatsec.com]
Many Web security professionals believe that because Static Analysis Software Testing (SAST) has access to the source code and / or the binary of an application, it can deliver “100% code coverage.” Proponents of this assertion also claim that SAST therefore offers a more comprehensive vulnerability analysis than Dynamic Analysis Software Testing (DAST). This belief is a myth.
Arbitrarily declaring that one form of testing is superior to another is like saying that a household thermostat is better at measuring heat than a meat thermometer. Sure, both devices do measure heat, but that’s where the similarity ends. Source code access absolutely has its benefits, but just like comparing the functions of a room temperature gauge and a meat temperature thermometer, there are many other important distinctions between SAST and DAST that must be considered.
client side filtering
Spot the Vuln – Proportion  [software-security.sans.org]
creepy  [ilektrojohn.github.com]
A geolocation information aggregator.
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
Introducing Gmail Motion  [gmailblog.blogspot.com]
In 1874 the QWERTY keyboard was invented. In 1963, the world was introduced to the mouse. Some 50 years later, we’ve seen the advent of microprocessors, high resolution webcams, and spatial tracking technology. But all the while we’ve continued to use outdated technology to interact with devices. Why?
This is a question that we’ve been thinking about a lot at Google, and we’re excited to introduce our first attempts at next generation human computer interaction: Gmail Motion. Gmail Motion allows you to control Gmail – composing and replying to messages – using your body

Privacy

Abstract: Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows in practice to trace a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from “secure” browsers.
Microsoft has restored the continuous SSL encryption capability to Hotmail users around the world after users in countries such as Bahrain, Iran, Syria and Uzbekistan found themselves unable to use the option. Microsoft said that ‘we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world’ and apologised for the inconvenience in a Solution Center entry.
creepy  [ilektrojohn.github.com]
A geolocation information aggregator.
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

General

According to a report published on 28 March by NASA’s Office of Audits, a key NASA network is vulnerable to internet-based cyber attacks. Specifically, the report found that six servers on the agency-wide mission network ‘that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable.’
Researchers at Rice University have discovered an interesting property of a new synthetic material they’ve developed – repeated stress applied to this new polymer-based nanocomposite makes it stiffer.
Most of the time I cover technical topics. I regularly give classes and presentations on ‘how this protocol works’ or ‘how do I hack X?’, those sorts of things. This time, I want to delve into a little psychology/sociology. Normally I like to stick to technology because the answers are easier to test and less subjective. When people are being measured things become a lot more muddy and less definitive. When I think of the social sciences I think of the Ernest Rutherford quote:
“All science is either physics or stamp collecting.”
There are a lot of people we have to thank for our current Information Age, not least Paul Baran, one of the founding fathers of Arpanet, the precursor to the Internet as we know it. While working at RAND in the 1960s, Baran created a system for information exchange called “packet switching” that was able to send “message blocks” from node to node in an electronic network. The packets could route around damage, a primary requirement for maintenance of data transmission during catastrophic failures (read “nuclear explosions”) on the physical network.

Funny

How to fill your census  [1.bp.blogspot.com]
How Peer Review Doesn’t Work  [www.schneier.com]
In this amusing story of a terrorist plotter using pencil-and-paper cryptography instead of actually secure cryptography, there’s this great paragraph: