Security Weekly News 8 April 2011 – Full List

Hacking Incidents / Cybercrime

RSA SecurID breach began with spear phishing attack
The assault against RSA, the security division of EMC Corp., began with two waves of spear phishing attacks using an attached Microsoft Excel file, which targeted an Adobe Flash zero-day flaw.
The phishing attacks took place over a two-day period and targeted two small groups of low-profile employees. Attackers were successful in getting at least one employee to retrieve the message from their junk mail folder and open the Excel file titled ‘2011 Recruitment plan.xls.’
Electronic Frontier Foundation research digs up 37,244 ‘unqualified’ names that were given digital certificates
In yet another example of a flawed SSL website certificate registration process, researchers at the Electronic Frontier Foundation (EFF) found tens of thousands of unqualified website names that had been registered by certificate authorities.
The EFF, via its SSL Observatory project, which studies all of the certificates used to secure all HTTPS websites, discovered some 37,244 ‘unqualified’ names that had been given digital certificates, including ‘localhost’ (2,201 certificates), ‘exchange’ (806), ‘exchange’ in the name (2,383), and ‘01srvech’ (5,657).
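The kind of check the EFF study describes, written here as an added example rather than the Observatory's own code: classify each subject or SAN name from a certificate inventory as qualified, unqualified (single labels such as ‘localhost’ or ‘exchange’, private IP literals, non-public suffixes) or syntactically invalid, then tally the unqualified names per name and per issuer. The sample names, the issuer labels and the short non-public suffix list are constructed for the example; a real audit would feed in names extracted from certificates and use the public suffix list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of (issuer, name) pairs standing in for names pulled from a
# certificate inventory. These are not real certificates or real CAs.
SAMPLE_CERT_NAMES = [
    ("Example CA 1", "www.example.com"),
    ("Example CA 1", "localhost"),
    ("Example CA 2", "exchange"),
    ("Example CA 2", "exchange.corp"),
    ("Example CA 2", "mail.example.net"),
    ("Example CA 3", "01srvech"),
    ("Example CA 3", "192.168.1.10"),
    ("Example CA 1", "intranet.local"),
]

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumption: a short list of suffixes that do not resolve on the public
# Internet. A production audit would consult the public suffix list instead.
NON_PUBLIC_SUFFIXES = ("local", "lan", "internal", "corp", "localdomain")


def classify_name(name: str) -> str:
    """Return "invalid", "unqualified" or "qualified" for one certificate name.

    Unqualified means the name cannot identify a host on the public Internet:
    a single label, a loopback/private/link-local IP literal, or a name whose
    rightmost label is a non-public suffix.
    """
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):          # wildcard: judge the base name
        name = name[2:]
    if not name:
        return "invalid"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        internal = addr.is_private or addr.is_loopback or addr.is_link_local
        return "unqualified" if internal else "qualified"
    labels = name.split(".")
    if not all(HOSTNAME_LABEL.match(lbl) for lbl in labels):
        return "invalid"
    if len(labels) == 1 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "unqualified"
    return "qualified"


def audit(cert_names):
    """Tally unqualified names overall, per name and per issuing CA."""
    by_name, by_issuer, total = Counter(), Counter(), 0
    for issuer, name in cert_names:
        if classify_name(name) == "unqualified":
            total += 1
            by_name[name.lower()] += 1
            by_issuer[issuer] += 1
    return {"unqualified_total": total, "by_name": by_name, "by_issuer": by_issuer}


if __name__ == "__main__":
    report = audit(SAMPLE_CERT_NAMES)
    print("unqualified names issued:", report["unqualified_total"])
    for issuer, count in report["by_issuer"].most_common():
        print(f"  {issuer}: {count}")
```

Running it over the constructed list reports six unqualified names, two per issuer; on a real inventory the per-issuer counts are what a relying party or auditor would use to ask a CA why it vouches for names nobody on the Internet can resolve.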
Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.
Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result

Unpatched Vulnerabilities

A new exploit for IE9 bypasses all security measures in even the latest fully patched version of Windows 7, according to the French security company Vupen.
The exploit uses an unpatched zero-day vulnerability in Internet Explorer 9 and bypasses all the extra security measures of Windows 7. The latest version of Microsoft’s operating system, fully up-to-date with Service Pack 1 (SP1), is vulnerable. The security hole was reported by the French security company Vupen, which previously discovered an IE8 vulnerability in December of last year. (MS11)

Software updates

Microsoft has big plans for everybody for next Tuesday, and I hope you haven’t made any dinner plans because you will be busy patching (or working with your old friends like WSUS to get the patches tested and released).
A total of 17 bulletins are going to be released according to Microsoft’s pre-release. 8 bulletins are rated critical and 9 are rated important. It pretty much affects the usual suspects (Windows, Internet Explorer and Office) as well as some less regular guest stars like Microsoft’s developer tools.
The critical patches apply pretty much to all versions of Windows (XP, Vista, Windows 7 and 2008) with one or two exceptions.
The Internet Systems Consortium’s (ISC) open source DHCP client (dhclient) allows DHCP servers to inject commands which could allow an attacker to obtain root privileges. The problem is caused by incorrect filtering of metadata in server response fields. By using crafted host names, and depending on the operating system and what further processing is performed by dhclient-script, it can allow commands to be passed to the shell and executed. A successful attack does, however, require there to be an unauthorised or compromised DHCP server on the local network.
Some security hardening to media uploads
Performance improvements
Fixes for IIS6 support
Fixes for taxonomy and PATHINFO (/index.php/) permalinks
Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues
Version 3.0.6 of Ruby on Rails has been released. According to the developers, the maintenance and security update to the open source web framework addresses a vulnerability in the auto_link functionality.
A hole in the IPComp protocol implementation of certain operating systems can be exploited to compromise a server. IPComp is used for compressing individual IP datagrams mainly in conjunction with IPSec and other VPN technologies. According to Tavis Ormandy, certain embedded datagrams can cause a recursion after they have been unpacked, which results in a kernel stack overflow.
Software and services firm Novell has warned of a security vulnerability (CVE-2011-0994) in its File Reporter product. According to a security advisory from the Zero Day Initiative (ZDI), Novell File Reporter is susceptible to a stack-based buffer overflow issue. This is caused by a boundary error in the File Reporter Agent (NFRAgent.exe) when handling the contents of a certain XML tag. This could, for example, be exploited by a malicious user to compromise a victim’s system, possibly leading to the execution of arbitrary code with system privileges.

Business Case for Security

I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches – here’s a copy of the handout I provided:
Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMC compromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come
Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn’t seem likely to improve anytime soon, according to a study published today.
According to the ‘State of IT Security: Study of Utilities & Energy Companies’ report — which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs — more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
Unique malware and variants galore, and more than 40 percent more mobile vulnerabilities than a year ago
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google’s revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.
The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs — the most ever in a year — that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.
In nearly 80 percent of cases, banks did not detect fraud before funds were transferred
Business banking fraud — particularly in small and midsize companies — is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The ‘2011 Business Banking Trust Study,’ a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year’s numbers suggest that the banking fraud situation has not improved since 2010.

Web Technologies

Add XSSF to Metasploit Framework on Ubuntu
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and keep a connection open by means of a JavaScript refresh loop in order to allow future browser-based attacks. After injection of the generic attack (the “loop” resource generated by XSSF), each victim will ask the attack server (every “x” seconds) if new commands are available:
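The polling loop described above is also what gives a defender something to look for: a browser that fetches the same resource at a fixed interval for minutes on end stands out in proxy logs. The following added example, not part of the original post or of XSSF, groups proxy log entries by client and URL (query string stripped), computes the gaps between requests, and flags groups whose gaps are numerous and nearly constant. The log format (ISO timestamp, client, method, URL) and the sample lines are constructed for the example; the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp client method url). Not real traffic.
# 10.0.0.5 fetches /loop every 5 s; 10.0.0.9 browses the same site irregularly.
SAMPLE_PROXY_LOG = """\
2011-04-08T10:00:00 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:01 10.0.0.9 GET http://news.test/
2011-04-08T10:00:03 10.0.0.9 GET http://news.test/
2011-04-08T10:00:05 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:10 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:15 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:20 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:25 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:30 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:35 10.0.0.5 GET http://example.test/loop?id=1
2011-04-08T10:00:40 10.0.0.9 GET http://news.test/
2011-04-08T10:01:02 10.0.0.9 GET http://news.test/
2011-04-08T10:03:10 10.0.0.9 GET http://news.test/
2011-04-08T10:03:11 10.0.0.9 GET http://news.test/
"""


def parse_log(text: str):
    """Parse 'timestamp client method url' lines into tuples; drop the query string."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        events.append((datetime.fromisoformat(ts), client, method, url.split("?", 1)[0]))
    return events


def find_beacons(events, min_requests: int = 6, max_cv: float = 0.2):
    """Flag (client, url) pairs polled at a near-constant interval.

    A group is reported when it has at least min_requests hits and the
    coefficient of variation (stddev / mean) of the inter-request gaps is at
    most max_cv. Both thresholds are assumed starting points.
    """
    by_key = defaultdict(list)
    for ts, client, _method, url in events:
        by_key[(client, url)].append(ts)

    findings = []
    for (client, url), stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "requests": len(stamps),
                "period_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{hit['client']} -> {hit['url']} every {hit['period_s']}s "
              f"({hit['requests']} requests, cv={hit['cv']})")
```

Legitimate pages also poll (mail clients, dashboards), so the output is a triage list rather than an alert: the useful follow-up is whether the polled URL belongs to a site the user should be on and whether the same resource shows up from several clients at once.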
Clickjacking Defense
Stanford Web Security Research recently published a paper on clickjacking defense:
The Stanford defense is lacking because Internet Explorer requires the full body to be loaded before the script will execute properly. That means that you need the