Security Weekly News 22 April 2011 – Catchup – Full List

Category Index

Hacking Incidents / Cybercrime

 
[4/22/11 UPDATE: Russian media this morning are reporting that Ivan Kaspersky has been freed after his captors’ ransom demands were met. No official word from Kaspersky Lab yet on this latest development.]
The 20-year-old son of Kaspersky Lab founder Eugene Kaspersky reportedly has gone missing in what may be a kidnapping plot, according to published reports in Europe today.
Russian news outlet Lifenews.ru reported that Ivan Kaspersky had been abducted on April 19, and that his kidnapper’s were demanding $4.09 million in ransom. The kidnappers contacted his father Eugene Kaspersky by phone, the report said, demanding the money.
 
Online statement separates HBGary from HBGary Federal, says some email content was taken out of context
HBGary, the security firm that was attacked by the hacker group Anonymous earlier this year, last week issued a new statement that attempts to clarify some of the reports and comments made about it by Anonymous and the press.
The statement says in part:
‘First, HBGary, Inc. and HBGary Federal are two distinct companies with completely different management, employees and missions. As is evident from the released emails, while members of HBGary Inc. served on the Board of Directors for HBGary Federal, the Board was not involved in the day to day activities of the Company but rather only in the overarching financial direction of the business, especially since much of the work of HBGary Federal is classified.
 
(WordPress) Security Incident  [en.blog.wordpress.com]
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
 
WordPress Reports Multiserver Breach  [www.darkreading.com]
‘We presume our source code was exposed and copied,’ popular blog host says
WordPress, the popular blog-hosting site, is reporting a breach of several of its servers.
Automattic, the company that drives WordPress, as well as Akismet, ‘had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,’ said WordPress in a blog.
 
The German software company Ashampoo, publishers of CAD, office, utility and security software for Windows has been the victim of an attack on its servers and, as a consequence, has issued a warning to its customers. The warning explains that the attackers gained access to one of the company’s servers, and were able to steal an unspecified number of customer names and associated email addresses. The company insists, however, that no credit card or banking information was compromised.
 
Unencrypted data was placed on an Internet-facing server, state comptroller says
The Texas Comptroller’s office Wednesday will begin sending notification letters to some 3.5 million employees and teachers whose personal information was inadvertently disclosed on an agency server that was accessible to the public.
The unencrypted data was placed in public-facing servers in violation of state policy, according to officials.
 
US security firm Barracuda Networks reports that, last Saturday (9 April), criminals hacked into its company website and stole customer and staff data. To prove that they were successful, the intruders have made available parts of the stolen database. Barracuda specialises in server and web application security and claims to be the ‘worldwide leader in email and web security appliances’.

Software Updates

 
 
Oracle has released 73 security patches on its April patch day, closing many holes in Solaris, eponymous database server, WebLogic application server, Fusion middleware and other products. Among the most critical of the holes closed, scoring 10.0 on the CVS scoring system, are one in Sun GlassFish Enterprise Server and Sun Java System Application Server and one in Oracle jRockit.
 
Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. These vulnerabilities, including CVE-2011-0611, as referenced in Security Advisory APSA11-02, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
 
Security Update 2011-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.
 
Microsoft has issued a security patch for Silverlight KB2526954. It fixes six issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft update running, it is ready to install. This is rated as important and will auto install.
 
Addresses an issue where iTunes may become unresponsive when syncing an iPad.
Resolves an issue which may cause syncing photos with iPhone, iPad, or iPod touch to take longer than necessary.
Fixes a problem where video previews on the iTunes Store may skip while playing.
Addresses other issues that improve stability and performance
 
The iOS 4.3.2 software update for the iPhone, iPad and iPod Touch has been released and among its security updates is the addition to a blacklist of the fraudulent SSL certificates which were issued after an attacker compromised the Comodo SSL Certification Authority. A the end of March, browser makers began blocking the fake certificates for the login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org domains
 
The latest update to Skype for Android addresses a security vulnerability in the app that could have allowed a malicious third-party application to access locally stored files. According to a post on the Skype Security blog by Chief Information Security Officer Adrian Asher, these files include cached profile information and instant messages.
 
Google has published version 10.0.648.205 of Chrome, a security update for the Windows, Mac OS X and Linux version, as well as Chrome Frame for Internet Explorer. According to Google, the update addresses three vulnerabilities related to support for GPU acceleration. They are all considered critical; Google says they allow an attack to break out of the sandbox and gain access to the operating system. One of the GPU vulnerabilities, however, only affects the Windows version of Chrome
 
The VideoLAN project has released version 1.1.9 of its VLC media player, the free open source cross-platform multimedia player for various audio and video formats. According to the developers, the tenth release of the 1.1.x branch of VLC is a maintenance and security update that addresses several issues found in the previous update from the end of March.
 
Qubes Beta 1 has been released!  [theinvisiblethings.blogspot.com]
I’m very proud to announce that we have just released Qubes Beta 1! Some new features that have come into this release include:
Installer (finally!),
Improved template sharing mechanism: service VMs can now be based on a common template, and you can now easily create many net- and proxy- VMs; template upgrades now don’t require shutting down all the VMs;
Standalone VMs, convenient for development, as well as for installing the least trusted software,
 
Armitage 04.10.11 Released  [www.liquidmatrix.org]
 
Wireshark 1.4.6 released  [www.wireshark.org]
 

Business Case for Security

 
Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the ‘Verizon 2011 Data Breach Investigations Report.’ These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.
The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.
According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.
 
IT Temptation To Snoop Too Great  [www.darkreading.com]
Separate reports from Cyber-Ark, BeyondTrust show the pitfalls of privileged user access
The users with the organization’s highest and most powerful privileges are also the most likely to use their access to snoop around the network for confidential information.
A new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have snooped, and 44 percent of those in Europe, the Middle East, and Africa have done so, too. Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.
 
Eighty percent of critical infrastructure operators say they have experienced a large-scale attack
Eighty percent of organizations that operate smart grid or other critical infrastructure components have experienced a large-scale denial of service (DDoS) attack, and a quarter of them have been victims of extortion through network attacks, according to a study published today.
According to In the Dark: Crucial Industries Confront Cyberattacks, a report issued by McAfee and the Center for Strategic and International Studies (CSIS), many critical infrastructure organizations remain unprepared to stop the next attack.

Web Technologies

 
About a couple of weeks ago we talked about the new Firefox 4 security features. Today is Google’s Chrome turn, due to the recently added and short term upcoming security features:
 
A couple of bugs affecting WordPress core here. On line 73, we see that $_SERVER[‘REQUEST_URI’] is passed to add_query_arg(). From the provided code sample, it’s difficult to see that this results in XSS. The developers addressed this by encoding the return value from add_query_arg().
 
This week’s patch is a good one. The code sample was basically a library that only contained functions. While there isn’t a blatant vulnerability in the library, there is a startling function called ‘PrepDataForScript’. Looking at PrepDataForScript, it’s obvious this function is meant to provide some sanitization. Unfortunately, the routine isn’t very robust. When you see things like the code snippet below, you know the developer is headed in the wrong direction:
 
Spot the Vuln Charming – SQL Injection  [software-security.sans.org]
This patch was full of interesting tidbits. First, the change log for this patch is as follows:
**1.9.1**
+ fix a flaw allowing a remote cross-site scripting attack
Keep the change list description in mind as we go over the patch submitted by the developers. The submitted patch is pretty simple. There is an additional qualifier set for an if statement that checks to see if $_GET[‘where$i’] is contained within array $f. It’s difficult to determine whether this is true but it doesn’t really matter. The second change is an addslashes to $_GET[‘what$i’] before using the tainted query string parameter to build a dynamic SQL statement. This is to prevent an obvious SQL injection bug in the LIKE operator of the SQL statement.
 
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they’ve created vulnerable code test cases for much of MITRE’s CWE project in Java and c/c++

Network Security

 
Cooking the Cuckoo’s Egg  [taosecurity.blogspot.com]
February I spoke at the DoJ Cybersecurity Conference. My abstract for the talk was the following:
In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo’s Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo’s Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it’s 1990, 2000, 2010, or beyond
 
Though I didn’t realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
 
IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are build to be lightweight rather then secure. The assumption is that physical access to the network is restricted, and with that physical access controls can be used to mitigate most Layer 2 risks.
 
Problem
An older Symantec root certificate, SymRoot1, will expire on April 30, 2011. With an expired certificate, older LiveUpdate clients would no longer authenticate, download, or install content such as AntiVirus definitions or product updates.
Solution
To allow customers additional time to plan migrations, Symantec has introduced a workaround that allows LiveUpdate to continue to successfully authenticate valid content from Symantec through July 4, 2012.
 
MSFU Updates – April 2011  [www.offensive-security.com]
This past month has seen more additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section. Also, with the Metasploit team moving away from meterpreter scripts in favor of post-exploitation modules, we have been updating the relevant sections of MSFU.
 
Microsoft has released its free Microsoft Safety Scanner (MSS). This scans for and removes malware from Windows systems without requiring prior installation. According to AV-Test’s Andreas Marx, the on-demand anti-virus scanner appears to be based on the Malicious Software Removal Tool (MSRT), but with the addition of a complete signature database. MSRT used a mini database of widely distributed threats and is distributed monthly via the automatic update function.

Database Security

 
David has released four new papers on Oracle security topics a few days ago. Two of the papers seem to be from his ill fated book on Oracle Forensics as they are labelled ‘chapter 3 – How attackers break in’ and ‘chapter 4 – Preventing break ins’ respectively but one is perhaps too short for a book.
The other two papers are on ‘Oracle data blocks’ and ‘a forensic analysis of PL/SQL injection attacks in Oracle’.

Mobile Security

 
iPhone Tracker  [petewarden.github.com]
This open-source application maps the information that your iPhone is recording about your movements. It doesn’t record anything itself, it only displays files that are already hidden on your computer.
 
BackTrack 5 on a Motorola Xoom  [www.offensive-security.com]
In the past few days we have been toying with some Motorola hardware, and have managed to get a basic build of BackTrack 5 (+ toolchain) on a Motorola Xoom. The possibilities look exciting as we are slowly building several experimental arm packages. Our team does not have much experience with the Android OS nor ARM hardware, but so far – so good. We will not promise an ARM release on May 10th, as this new “experiment” was not planned in any way – but we’ll do our best.
 
Exploitable Mobile App Challenge- Now Open!!  [blog.nvisiumsecurity.com]
Today, we are opening up the submissions portal for the Exploitable Mobile App Challenge. The submission period kicks off today (April 12, 2011) and will run through May 20, 2011. We want you to show us your mobile application development and security skills by writing highly hackable, completely insecure applications. Why on Earth would we do this? We want to raise the bar for awareness of mobile risks while having a little bit of fun in the process. As mobile platforms become increasingly complex and increasingly important in society, we are only going to see a greater number of attacks and vulnerabilities hitting the news. This is truly the golden age for mobile application security!

Privacy

 
I didn’t know about this:
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

General

 
In Japan, lots of people — especially older people — keep their life savings in cash in their homes. (The country’s banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out to sea. Then, when it washes up onto the beach, the police collect it:
 
Qubes Beta 1 has been released!  [theinvisiblethings.blogspot.com]
I’m very proud to announce that we have just released Qubes Beta 1! Some new features that have come into this release include:
Installer (finally!),
Improved template sharing mechanism: service VMs can now be based on a common template, and you can now easily create many net- and proxy- VMs; template upgrades now don’t require shutting down all the VMs;
Standalone VMs, convenient for development, as well as for installing the least trusted software,
 
Vein scanner, shrunk  [www.h-online.com]
The size of a 500 yen coin: Fujitsu’s vein scanner.
Source: Fujitsu A new photographic optical system has allowed Fujitsu to build a palm vein scanner that’s only about the size of a coin. According to the company, the palm vein structure is much harder to replicate than finger prints and offers a higher number of reference points to provide secure user authentication.
 
In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprising millions of private computers, and deliver a command to those computers to disable the malicious software.
The request, filed Tuesday under seal in the U.S. District Court in Connecticut, sought a temporary restraining order to allow the nonprofit Internet Systems Consortium, or ISC, to swap out command-and-control servers that were communicating with machines infected with Coreflood – malicious software used by computer criminals to loot victims’ bank accounts.
 
Toshiba’s self-encrypting drives are designed to securely delete their data when they are a connected to an unknown computer.
Source: Toshiba Toshiba has extended its range of 2.5-inch drives with hardware data encryption – also called Self-Encrypting Drives (‘SEDs’) – to include models with an automatic deletion feature (‘wipe’). Developed to comply with the Trusted Computing Group’s (TCG) Opal specification, Toshiba’s series MKxx61GSYD drives encrypt all written data via AES-256 without causing performance loss. They can be associated with the hardware of a specific computer via a Trusted Platform Module (TPM). If an unauthorised person attempts to access the drive, the integrated firmware will automatically delete the cryptographic key.