Security Weekly News 8 April 2011 – Summary

Thanks to Shaun for contributing to this security news bulletin!

Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
“Making connections is always easier when there’s alcohol involved” – Adam B. 😉
“Pretty much anyone can be breached at any time” – Jon Oltsik
“Wonder if my Safari exploit still works… ..Hmmm yeah it does I should report that I suppose” – Gareth Heyes

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Funny
Highlighted news items of the week (No categories):
Not patched: IE9 exploit puts Windows 7 SP1 at risk
Updated/Patched: Dark Black Tuesday Coming Up: 17 Microsoft Bulletins (Fri, Apr 8th); DHCP client allows shell command injection; WordPress 3.1.1 is now available (this maintenance and security release fixes almost thirty issues in 3.1); Ruby on Rails update addresses security vulnerability; NetBSD and FreeBSD patch hole in IPComp implementation; Novell patches File Reporter vulnerability
How to deal with your RSA tokens from now?

I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches – here’s a copy of the handout I provided:
Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMC compromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come
Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn’t seem likely to improve anytime soon, according to a study published today.
According to the ‘State of IT Security: Study of Utilities & Energy Companies’ report — which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs — more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
Unique malware and variants galore, and more than 40 percent more mobile vulnerabilities than a year ago
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google’s revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.
The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs — the most ever in a year — that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.
In nearly 80 percent of cases, banks did not detect fraud before funds were transferred
Business banking fraud — particularly in small and midsize companies — is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The ‘2011 Business Banking Trust Study,’ a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year’s numbers suggest that the banking fraud situation has not improved since 2010.

Cloud Security highlights of the week

Epsilon breach reignites cloud security fears
The March 30 data breach at the email marketing company Epsilon left millions of customers of such notable companies as Best Buy, Ethan Allen, Walgreens, Target and a host of banks vulnerable to a potential onslaught of spam and phishing attacks. The breach of Epsilon’s servers has left some important questions unanswered, and it spotlights some common concerns about the security of cloud-based services.

Secure Network Administration highlights of the week

This is probably the most practical and applicable IPv6 talk I’ve ever seen. Amazing job.
This talk will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the Internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the Internet host providing the service, the anonymity set of the person or group that administrates the service can be greatly reduced. The core aim of this paper will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators and developers may make that could expose a service provider’s identity or reduce the anonymity set they are part of. We will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.
Windows machines compromised by default configuration flaw in IPv6
As anyone who has watched the reimagined Battlestar Galactica will tell you, Sixes are trouble. They are undoubtedly alluring, but all the while they are working covertly, following The Plan, right under the noses of their targets. Nobody realizes the true nature of the threat until it’s too late.
The Internet also has its own Six, IPv6 (formerly IPng – IP Next Generation). Modern operating systems ship with it by default, but adoption has been slow for many reasons. Despite the passing of the IPocalypse, it lies largely dormant within today’s networks, waiting for the chance to rise up and usurp its IPv4 predecessor.
This article describes a proof of concept of an interesting application of IPv6. I’m going to show you how to impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.
As the day progresses more and more Epsilon clients are notifying their customers that their details have been compromised, and I got to thinking about what information is readily given to third parties for many different purposes. The outsourcing of certain specialist tasks is nothing new. What I’ve found in the past though is that information is often handed over without really thinking through any of the consequences should the information be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. As per usual feel free to add your own experiences and suggestions.
You might be used to working with IPv4 on Linux, but like it or not IPv6 is on its way in. Roll up your sleeves, spit on your palms, and get ready to go to work because this is your crash course in actually using IPv6. It hardly hurts at all. Linux has supported it since the 2.1 kernel, so you shouldn’t have to install anything. Make sure you have the ping6, ip, and ifconfig commands.
Let’s get my favorite nitpick out of the way right now – we do not have IPs, we have IP addresses. IP stands for Internet Protocol. As my wise grandmother used to say, sloppy speech equals sloppy habits, which equals a trip to hell in a handbasket.

Secure Development highlights of the week

Add XSSF to Metasploit Framework on Ubuntu
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an existing connection with JavaScript loop refreshing in order to allow future browser-based attacks. After injection of the generic attack (resource “loop” generated by XSSF), each victim will ask the attack server (every “x” seconds) if new commands are available:
Clickjacking Defense
Stanford Web Security Research recently published a paper on clickjacking defense:
The Stanford defense is lacking because Internet Explorer requires the full body to be loaded before the script will execute properly. That means that you need the