Security Weekly News 22 June 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

 
Infamous hacking group LulzSec is claiming to have obtained the entire 2011 UK Census records, which amounts to the personal details of every UK citizen, according to a document posted to Pastebin.
The group has yet to confirm the authenticity of the document via its official Twitter account, but if true it could be the biggest data breach to date for the collective, which has managed to break the security systems of Sony, Nintendo and others in recent weeks.
 
New Scotland Yard has confirmed that it has arrested a 19-year old suspected hacker in Essex, UK, in connection with a series of hacks and denial-of-service attacks against a number of organisations.
It is being widely speculated that the arrest is in connection with the high-profile attacks by the LulzSec hacking group, which has claimed amongst its victims Sony, the CIA, the FBI, and the Serious Organised Crime Agency (SOCA).
 
Counterfeit certificates sought for high-profile sites
Yet another web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites.
Israel-based StartCom, which operates StartSSL suffered a security breach that occurred last Wednesday, the company said in a tersely worded advisory. The certificate authority, which is trusted by the Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox browsers to vouch for the authenticity of sensitive websites, has suspended issuance of digital certificates and related services until further notice.
 
Japanese authorities have had enough of spam emails and viruses, and decided that there’s only one way to deal with them: Jail time.
Admittedly, that’s not the only option for those falling foul of the criminalization of computer viruses, nor for the sending of pornographic spam emails; prison can be avoided if you can afford fines of anywhere up to 500,000 yen (around $6,200).
A bill was passed earlier today by the Japanese House of Councillors that makes creation or distribution of a computer virus without reasonable cause punishable by up to three years in prison, and acquisition or storage of a virus punishable by up to two years.
 
Mt. Gox loses database; exchanges close after 500,000 coins are missing or stolen
The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency’s largest exchange — Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action. In all, approximately $8.75M USD worth of Bitcoins appear to have — at least temporarily — been stolen in the intrusion.
 
The Obama administration has been lobbying congress to increase sentences for those who break into government computer networks, or potentially endanger the country’s national security.
The request includes doubling the maximum prison sentence to 20 years behind bars, according to Reuters.
Talks on changes to the cybersecurity bill have being going on for over a year.
Recent high-profile attacks, including attacks on the CIA, the International Monetary Fund and military contractors serve to underpin the government’s concern that its cyber laws may need updating to combat today’s threat.
 
Sega is the latest games company to be hacked after attacks on Sony, Nintendo and others
Sega has confirmed that the personal data of 1.29 million of its customers was stolen in an attack on its systems.
It comes after the computer games firm said on Friday that e-mail addresses and dates of birth stored on the Sega Pass database were accessed by hackers.
However, Sega continues to say that payment information, such as credit card numbers, remained safe.
 
ATM Scammers’ New Tactic: Glue*  [www.homesecuritysource.com]
You can almost hear the scammers’ “Eureka!” moment in their evil dungeon lair: “We don’t need no stinking $5000 high-tech remote access Russian-built skimmer – we just need Elmer’s!” And then a crime is committed and history is made.
The San Francisco Examiner reported, “thieves glued down the ‘enter,’ ‘cancel’ and ‘clear’ buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account.
 
Data Protection Commission ‘not surprised’ at extent of internet scam
Citi reveals full extent of cyber attack – 360,000 customers hit
The Data Protection Commissions plans to bring prosecutions against individuals found to be involved in the current spate of internet scams where ordinary individuals are being phoned up by fake computer engineers and are conned into giving up their credit card numbers.
It said it is not surprised at the extent of an internet scam that has resulted in one in four Irish people receiving a phone call from scammers claiming to be computer engineers who trick them into downloading malware or giving up their credit card numbers.
 
The man was convicted of six counts of computer sabotage
A Düsseldorf court convicts a man of extortion and computer sabotage against online betting sites. Such denial of service attacks have become more high-profile in recent months.
In a legal decision published online this week, a state court in Düsseldorf found that a denial of service attack against a website can be prosecuted under current German law.
The case, which was decided in late March 2011, revolved around a man living in the Frankfurt area, who was convicted on six counts of ‘computer sabotage’ and three counts of extortion. Computer sabotage is already part of the German criminal code, which has now been found to include distributed denial of service, or DDOS, attacks.
The defendant, who was not named in the legal decision, was convicted of having successfully blackmailed three online German betting sites and attempting to blackmail three others by threatening them with crippling DDOS attacks that would make their sites unusable.
 
A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week – if adopted by a U.S. district court in Maine – will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.
 
In a sure sign that the virtual currency Bitcoin has hit the mainstream, a new Trojan horse program discovered in the wild Thursday seeks out and steals victims’ Bitcoin wallets, the same way other malware goes for their banking passwords or credit card numbers.
The malware, Infostealer.Coinbit, is fairly simple: It targets Windows machines and zeros in on the standard file location for a Bitcoin wallet. It then e-mails the wallet – a data file containing private crypto keys – to the attacker by way of a server in Poland, according to Symantec, which was first to alert on the attack.
 
Criminals are using a critical vulnerability in Flash to distribute malicious code on a large scale; the vulnerability was fixed by Adobe last week on its patch day. The security experts at Websense report that criminals have infected numerous web sites with contaminated Flash files that are used to inject malware onto a system.

Unpatched Vulnerabilities

 
Firebug Firefox Extension Cross Context Scripting Vulnerability  [www.80vul.com]
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
80vul.com discovered firebug that a famous firefox extension is vulnerable to Cross Context Scripting, and this vul can execute evil codz in the chrome privileged Firefox zone.so successful exploitation allows execution of arbitrary code in user’s system.
 
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a ‘file path injection vulnerability.’

Software Updates

 
Firefox 5 is here  [hacks.mozilla.org]
Today, three months after the release of Firefox 4, we release Firefox 5, thanks to our new development cycle. Developers will be able to create richer animations using CSS3 Animations. This release comes with various improvements, performance optimization and bug fixes.
 
Mozilla released Firefox 3.6.18 for Windows, Mac and Linux fixing several security and stability issues [1]. Mozilla Thunderbird released version 3.1.11 fixing vulnerabilities reported in version 3.1.10 [2].
Mozilla released Firefox 5.0 for Windows, Mac and Linux and it is the ‘First Web Browser to Support Do Not Track on Multiple Platforms.[3]’ This version includes more than 1,000 improvements and performance enhancements. It is available for download here.
 
The SpiderLabs team at Trustwave published a new advisory today, which details an issue identified in the IBM Web Application Firewall (WAF). The IBM Web Application Firewall capabilities, inside IBM IPS products, complement IBM Security’s portfolio of web application security offerings to deliver end-to-end Web application security solutions. The issue in question was discovered while a penetration test was being performed for a Trustwave client.
The bypass was discovered by Wendel Guglielmetti Henrique, who is a member of the SpiderLabs Network Penetration Testing team. Wendel discovered a method which allowed him to bypass the IBM WAF and perform a SQL injection attack on a vulnerble web server. IBM was very responsive in creating a fix to this issue, and has released a correction in the June ‘Super Tuesday’ patch release.
 
These issues are in the Adobe Flash Player and affect systems that support Adobe Flash. Adobe recommends that affected users update their installations of Adobe Flash Player. Read the following Adobe security bulletins for further information on the issues:
Adobe Security Bulletin APSB11-12, Security update available for Adobe Flash Player
Adobe Security Bulletin APSB11-18, Security update available for Adobe Flash Player
These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores that range from 4.3 to 6.8 (medium severity). See the References section below for the CVSS scores of each issue, listed by CVE® issue identifier
 
Authentication bypass vulnerability in SAP NetWeaver J2EE engine can be exploited for multiple vectors such as Denial of service attack, Possible smb-relay attacks.
SAP NetWeaver J2EE Engine – Authentication bypass DSECRG-11-026 (Internal DSECRG-00182)
Application: SAP NetWeaver J2EE
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Authentication Bypass
Exploits: YES
Reported: 20.08.2010
Vendor response: 23.08.2010
Date of Public Advisory: 17.06.2011
CVSS: 9.0
 
Several cross-site scripting and information disclosure issues have
been fixed in Moodle, a course management system for online learning:
* MSA-11-0002 Cross-site request forgery vulnerability in RSS block
* MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete
* MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information
* MSA-11-0011 Multiple cross-site scripting problems in media filter
* MSA-11-0015 Cross Site Scripting through URL encoding
* MSA-11-0013 Group/Quiz permissions issue
 
Every day modern web applications are becoming increasingly sophisticated, and as their complexity grows so does their attack surface. Previously we introduced open source tools such as Skipfish and Ratproxy to assist developers in understanding and securing these applications.
As existing tools focus mostly on testing server-side code, today we are happy to introduce DOM Snitch – an experimental* Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code
 
Metasploit Framework 3.7.2 Released!  [community.rapid7.com]
It’s that time again! The Metasploit team is proud to announce the immediate release of the latest version of the Metasploit Framework, 3.7.2
 
Mona 1.0 released!  [www.corelan.be]
What is mona ?
For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr. Named after my daughter (I’m sure she’s too young to realize or even care at this point), this Immunity Debugger PyCommands introduces a lot of improvements and new features compared to pvefindaddr, including :
 
Ever since a late-night conversation with Felix ‘FX’ Lindner, Brad Arkin and myself at Black Hat last summer, members of the ASSET and Adobe Flash engineering teams have been assisting researchers from Recurity Labs, the German security research and consultancy company, in their development of Blitzableiter (“Lightning Rod”). This mitigation technology filters malicious Flash (.SWF) files before they can carry out an attack against a vulnerability in the Adobe Flash Player.
Today, Recurity officially launched Blitzableiter v1.0 at the FIRST conference in Vienna (June 12-17, 2011). The Blitzableiter beta has already been used by several companies, including a large social networking site in Europe.
 
BSQLBF v 2.7  [www.notsosecure.com]
An updated version is now available for download. This supports “-nomatch” switch. The -nomatch switch is exactly opposite of the -match switch, ie, it will look for the supplied unique keyword which only appears in the false page and NOT in true page. Remember, the “-match” looks for a unique string which only appears in true and do not appear in false cases.

Business Case for Security

 
Importance of Log Files  [bhconsulting.ie]
The Sunday Times carries a story about the Fine Gael security breach back in January of this year. The paper states that the company, Election Mall, who were hosting the Fine Gael website at the time of the attack were not able/or would not provide the log files to An Garda Siochana and the Data Protection Commissioner so they could investigate the breach. I am quoted in the piece on why log files are a critical element for your overall security infrastructure.
Log files, when properly configured, can provide invaluable information in the detection and/or investigation of a security breach. Despite this we still find many organisations do not look after their log files properly. Election Mall found this to their cost as Fine Gael has now reportedly cut all ties with that company.
Here is a presentation that I gave a number of years ago on the importance of maintaining and managing your log files. Many of the points in the presentation are still relevant today;
 
In the din of all the hue and hacks, the Hyundai breach did not get as much attention as others, but the lessons this company’s CEO drew from the experience are quite refreshing. This made me jump up out of my chair and applaud (virtually) – I would suggest forwarding this to any execs you interact with
His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does.
 
To help enterprises analyze the effectiveness of their data security measures and determine whether they need to be strengthened, Verizon is offering a new evidence-based risk management service that takes the guesswork out of security decision making while putting to work the insight gained from Verizon’s Data Breach Investigations Report (DBIR) series.
The offering, Incident Analytics Service (IAS), enables customers to describe, track, analyze and benchmark data breach incident metrics via a Web application that provides access to data from Verizon’s extensive historical and ongoing incident analysis research, one of the largest information risk repositories in the world.
 
All businesses in the UK that store data on customers will soon have to disclose any breaches, as the European Commission looks to widen the scope of recent changes to data protection laws.
Speaking at the British Bankers’ Association (BBA) Data Protection and Privacy Conference in London on Monday, European Union justice commissioner Viviane Reding said the move would ensure all businesses took data protection seriously.
 
APT in a Nutshell  [blog.7elements.co.uk]
Recently I had the chance to present at Owasp AppSec EU (http://www.appseceu.org/) on the topic of APT (Advanced Persistent Threat). The talk went down well and as such here is a follow up based on my slides
 
Should I Change My Password?  [shouldichangemypassword.com]
LulzSec and other groups have been hacking an assortment of prominent organisations. For good or for bad, they have also been publishing their databases, which typically include emails and passwords. Given that most people re-use their passwords, this site allows the average person to check if their password(s) may have been compromised and need to be changed.
Note that no passwords are stored in this database.
 
I’m not talking about 100% perfect, bug-free code. For all practical purposes, that’s impossible. I’m also not talking about doing what Microsoft does, or did, either. They’ve invested who knows how many hundreds of millions and the better part of a decade hiring every available expert, instituting a month long new code moratorium, and constantly improving their program. A program perhaps only for a mega corporation with billions in cash.
I’m talking about developing software just secure enough for say online banking, shopping, social networking, office collaboration, and other common Web-based applications that process sensitive data. Software secure enough to successfully fend off attackers who might spend several days giving you a free pen-test for their own personal entertainment or monetary gain. Do we know how to make software at least that secure? Really truly?
Think about how you’d answer if someone asked you how.
 
Attacks on large organizations (RSA[1][2], Google & Others [3], DuPont[4], Lockheed Martin[5]) have given us a glimpse into the underbelly of targeted attacks.
To be clear, every mom and pop shop should not live in fear of a targeted attack/industrial espionage threat but a lot of companies do face this threat. If you make something that would be cheaper to steal than reverse engineer or if beating your competitor to market means a profit for this year or not you’re in the zone for some entity to decide to come after you and take it.
Recently at BlackHat DC and Shmoocon, Sean Coyne and Ryan Kazanciyan from Mandiant gave a great talk titled “The Getaway” [6][7] and it covered some of the methodologies and tools that Mandiant felt was common enough to talk about in public. McAfee also released their “Night Dragon” paper [8] which discusses “APT” style attacks and techniques.
 
Although HIPAA has been around for almost 15 years, organizations subject to it have done the bare minimum. Enforcement of HIPAA has been steadily increasing, finally reaching a level where organizations must begin paying serious attention to it. Now HIPAA/HITECH has emerged as a major force on the security scene for healthcare providers, insurance companies and their business partners. Because many organizations have not taken the regulation seriously, they’re looking for quick ways to get starting with or improve their HIPAA compliance program to protect patient data.
 
Logging vs. Privacy, Data Protection Laws & Codetermination Regulations  [www.dissectingthehack.com]
Are you keeping track of how many organizations have been breached and their data stolen this week?
I stopped counting.
But it is very interesting to see how different organizations react to data breaches. Those who obviously don’t have proper incident handling & response procedures mostly are hit much harder, detect the breach much later and in addition to that get very bad public reputation for it after the breach becomes public.
Those organizations who detect breaches or ongoing attacks early and respond to them appropriately are able to mitigate the impact of that attack.
Those who are able to tell what exactly happened, how it happened, when it happend and how they were able to stop it, earn credibility and good reputation
 
DEFENCE companies such as Lockheed Martin have seen some of their cyber-defences penetrated. Sony, Google, Citigroup and other firms have had sensitive customer data swiped by high-tech intruders. The IMF has been the victim of a digital attack, as has the website of America’s Senate. And a hackers’ collective, called Anonymous, has threatened to launch an online assault on the computer systems of America’s Federal Reserve unless its chairman, Ben Bernanke, agrees to step down.
These and other events-such as the attack on the public website of the CIA, which was disrupted briefly on June 15th-have led to speculation that there has been a big increase in the threat posed by hackers in recent months. They have also reinforced a belief in some quarters that America is already engaged in a cyber war of sorts, most notably with China. Yet such claims are controversial.

Web Technologies

 
News about intrusions into the servers of online stores, games vendors and other internet services can now be read on an almost daily basis. Often, the intruders obtain customers’ login data including their passwords. As many people use the same password in multiple places, criminals can use the passwords to obtain unauthorised access to further services.
 
WordPress is currently investigating a series of ‘[…] suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.’ [1]
 
Please note that this article expects some prior knowledge of blind SQL injections.
Edit: If you want to read about this in Russisn, its been published here in 2009.
Usually a syntax error in a blind SQL injection will have some sort of visible effect in the output of a web application. So what if we could conditionally generate such an error instead of relying on conditionally delaying and timing a request using functions such as BENCHMARK or SLEEP?
There is no documented way of causing MySQL to throw an error based on a condition in a query. However, in both MySQL 4 and 5, there exists an operator named REGEXP (and it’s synonym RLIKE). This operator is used for pattern matching using regular expressions.
 
Free Security Threat Guides  [maltainfosec.org]
Once again, in line with maltainfosec’s aim of disseminating useful information on common web vulnerability threats, Veracode have published a number of free easy-to-understand security threat guides proving useful for audiences ranging from IT executives to consumer-level cell phone users.
Each guide consists of key concepts, impacts and videos giving an explanation of the threat itself. You can grab free these guides through the following links
 
Vulnerabilities in a Flash  [blog.whitehatsec.com]
Flash Player-related vulnerabilities currently account for approximately 14% of all Web application vulnerabilities discovered by WhiteHat Security. This statistic is surprisingly high considering that HTTP Archive reports 47% of Web applications are currently using Flash technology.
Flash Media Player is an effective method for delivering stylish vector graphics across multiple platforms to enrich a Web user’s experience. When properly designed, Flash makes a website visit interactive and fun. Unfortunately, Flash can also introduce vulnerabilities to an otherwise safe application. Many Flash developers are primarily designers who may have some programming experience, but little – if any – knowledge about Web security.
 
Web Application Security is an important part of developing applications. As developers, I think we often forget this, or simply ignore it. In my career, I’ve learned a lot about web application security. However, I only recently learned and became familiar with the rapidly growing ‘appsec’ industry.
I found a disconnect between what appsec consultants were selling and what I was developing. It seemed like appsec consultants were selling me fear, mostly because I thought my apps were secure. So I set out on a mission to learn more about web application security and penetration testing to see if my apps really were secure. This article is part of that mission, as are the previous articles I’ve written in this series.
 
Deobfuscating Javascript can be tricky so why not make the job easier by using a tool? There’s several tools that can help you deobfuscate Javascript. Before I get to those tools, I wanted to show you how to deobfuscate them manually. I’ve been getting a lot of requests from folks who want to learn how to deobfuscate malscripts so this article is for you.
Let’s have a look at the malicious scripts. These scripts were found in the wild and randomly selected based on its difficulty. I’ve uploaded these scripts to Pastebin.com so you can play along (warning, these are real malicious scripts so take the necessary precautions!).
 
Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported – together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future 🙂
 
Some interesting articles have surfaced lately regarding the Apple vs. Facebook on-going war over ‘apps’. There are two specifically – this one, and this one – that I’d like to reference here in this post. While some analyses of the super-secret Project Spartan that FaceBook is supposedly working on center around the Apple vs. FaceBook apps war brewing – I think the focus is something else entirely. I think the focus, from a technology perspective, is HTMLv5.
 
Mosaic of attacks from image upload  [ax330d.blogspot.com]
While auditing web-applications, I often stumble upon image upload functionality. One could think that today safe upload and processing of images is quite usual thing. However, still not all checks seems to be enough, thus leaving for attackers possibility to intrude. Recently I had to deal with some interesting case – not new, but some limitations with image upload capabilities made me to apply some tricks.
The most significant limitation was image resize. Even if the image met requirements of width and height, it was forcefully processed through PHP-functions, thus heavily changing order and bytes themselves in image
 
Hack in Paris 2011 Wrap-Up  [blog.rootshell.be]
Mario started with a presentation of SVG (or “Scalable Vector Graphic”) files. Basically, they are XML files with a lot of features. The most interesting are: they can contain links, scripting & events and inclusion of arbitrary objects. Enough to become scared! They may contain an applet, a Flash file or a PDF and are deployed using an , or tag, directly accessed or via CSS. Imagine a malicious beautiful SVG file, you download it and double-click on it. This file has full access to your files/directories!
Mario performed several demos and showed how the different browsers handled malicious SVG files. The most awesome demo was an SVG file within an tag. It contained a malicious PDF which started Skype and dial out a number. Brilliant!
 
XSS attack on CIA Website  [www.thehackernews.com]
 
Google hardens Chrome 13 and 14  [www.h-online.com]
Google is experimenting with blocking sites that mix HTTP and HTTPS scripts and with supporting DNSSEC validation of HTTPS sites in the ‘canary’ and development builds of Chrome and Chromium 14. Google has also detailed the enhancements to security in Chrome 13 which recently entered the beta channel.
Chrome 13 is already introducing a number of new experimental security features. It blocks HTTP authentication for resources within a page where the resources are from a different domain. It also adds a first implementation of Mozilla’s Content Security Policy to help mitigate cross site scripting, click jacking and packet sniffing attacks.
 
In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox.
Context has been researching the new 3D graphics technology, WebGL, which allows web pages to draw fast 3D graphics in a similar manner to computer games. This exciting technology has the capability to deliver a much richer experience to web users.
However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities.
 
Mozilla’s VP of Technical Strategy, Mike Shaver has rejected Microsoft’s criticism of WebGL in which it said it would not implement the 3D graphics standard because of security issues in the design. Shaver says that ‘there is no question that the web needs 3D capabilities’ to enable developers to create ‘advanced visualisations, games or new user interfaces’ and points at Molehill (Adobe’s 3D for Flash) and Microsoft’s Silverlight 3D which are offering just those capabilities.
 
Agnitio 2.0
I had originally planned to release v2.0 of Agnitio at Hack in Paris but I have been a victim of scope creep and real life getting in the way of my development time! I did show off some of the new features in v2.0 during my talk and rather than showing some images and lots of text I’ve uploaded a short video below.
 
Issue 10: Hijacking en “redes inseguras”
Tras el análisis en el issue 9 de lo que es una “red insegura” o no en un entorno como el de Tuenti, hay que hablar del clásico del robo de la sesión o hijacking de una cuenta en Tuenti. Para que sea entendible por todos, baste decir que cuando un usuario se autentica contra una aplicación web, esta genera un conjunto de variables en el servidor que le identifican de forma única, y que se entregan al usuario en forma de cookie. Esa cookie se convierte en un token que le permite entrar en todas las partes de su cuenta, y debe ser enviada en cada petición.

Network Security

 
Stealing Passwords from mRemote  [cosine-security.blogspot.com]
If you don’t know mRemote is a tabbed remote connection manager for Windows. It can store and manage a number of different connections, chief among them RDP,VNC, and SSH. It is a popular tool among IT Support people who have to remote into a lot of machines.
When you save connections in mRemote it outputs all of that data into an XML report in your local AppData folder. The passwords are saved in an encrypted format, however this is trivial to circumvent. The passwords are encrypted with AES-128-CBC Rijndael Encryption, and then the IV is pre-pended to the encoded passwords and the whole thing is base64 encoded for output into the XML. The encryption key that is used is the md5 hash of the string ‘mR3m’. So to decrypt these passwords we follow a simple process
 
Backtrack 5 VPS  [www.hackingmachines.com]
HackingMachines provides hosting services for penetration testers and security professionals. We do it because we are pentesters ourselves and there is no similar product on the Internet. From experience we know what a good pentesting VPS should be and we can communicate with our customers on the same level.
Furthermore we will try to stand out and deliver something special. When purchasing a VPS, you can choose to base it on BackTrack5, an excellent penetration testing distribution. We publish various tips and tricks in our wiki, to let you make the most our of your VPS. If you have some input, don’t hesitate to contact us.
 
When writing the SET interactive shell for the Social-Engineer Toolkit, I had to ponder what the best route in creating a flexible reverse shell. This backdoor had to be a familiar programming language (to me) and be modular for me to add new things onto it. Python being my strongest language posed some significant challenges as it was not a compiled language. Fortunately there is a way to compile python into a binary by wrapping the interpreter and necessary modules into an executable. As you can imagine this can be somewhat large.
 
Hack in Paris 2011 Wrap-Up  [blog.rootshell.be]
Hopefully, the next part of the presentation was more interesting. Nice tools were presented like OVAL (“Open Vulnerability Assessment Language”). Based on a huge XML configuration file, this tools analyzes your host. It builds a list of installed software and associated vulnerabilities if they are. You could roughly compare it to the Secunia PSI. The most important fact given during the presentation: 95% of attacks are using known vulnerabilities. That’s why patching your systems and applications is so important!
 
Information security of RSA SecurID devices has been weakened because of a data break-in. Users should change token PIN codes and organisations should watch out for possible break-in attempts. SecurID devices should be exchanged for new ones as soon as possible.
Security company RSA will exchange SecurID password-generating tokens for new ones because of a data break-in last March. The attackers managed to steal information that affects the information security of systems secured with SecurID products. This information has been used in break-in attempts against the data systems of the defence company Lockheed Martin.
 
VRT IP, DNS and URL lists
This is a collection of IP, DNS and URL information gathered from our Malware data feeds.

Cloud Security

 
With the recent announcement of iCloud, Apple joins Google, Amazon and Microsoft in their aggressive push into cloud computing, in a race to reel customers into their media ecosystems.
The general idea of the “cloud” is to store your media on the internet so you can access it from any device anywhere, as opposed to leaving it on a hard drive. Now with cloud services, we can juggle around our data between multiple gadgets.
Have music on your PC that you want to listen to on your smartphone? Boom, stream it from the cloud. Want to access a document on another computer? Bam, grab it from your web-connected “cloud” drive. Ideally, with cloud services you can access other types of media, such as photos, e-books and videos, across multiple devices, too.
 
Amazon published a tutorial about best practices in creating public AMIs for use on EC2 last week:
How To Share and Use Public AMIs in A Secure Manner
Though the general principles put forth in the tutorial are good, some of the specifics are flawed in how to accomplish those principles. (Comments here relate to the article update from June 7, 2011 3:45 AM GMT.)
The primary message of the article is that you should not publish private information on a public AMI. Excellent advice!
Unfortunately, the article seems to recommend or at least to assume that you are building the public AMI by taking a snapshot of a running instance. Though this method seems an easy way to build an AMI and is fine for private AMIs, it is is a dangerous approach for public AMIs because of how difficult it is to identify private information and to clear that private information from a running system in such a way that it does not leak into the public AMI.
 
Amazon customers often have poor security practices, inadvertently publishing security keys and passwords
Researchers in Germany have found abundant security problems within Amazon’s cloud-computing services due to its customers either ignoring or forgetting published security tips.
Amazon offers computing power and storage using its infrastructure via its Web Services division. The flexible platform allows people to quickly roll out services and upgrade or downgrade according to their needs.
Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt, said on Monday that Amazon’s Web Services is so easy to use that a lot of people create virtual machines without following the security guidelines.
 
With the news that Dropbox managed to leave every single user account wide open for four hours, it’s time to review encryption options.
We are fans of Dropbox here at Securosis. We haven’t found any other tools that so effectively enable us to access our data on all our systems. I personally use two primary computers, plus an iPad and iPhone, and with my travel I really need seamless synchronization of all that content. I always knew the Dropbox folks could access my data (easy to figure out with a cursory check of their web interface code in the browser), so we have always made sure to encrypt sensitive stuff. Our really sensitive content is on a secure internal server, and Dropbox is primarily for working documents and projects – none of which are highly sensitive.
 
While companies are adopting cloud computing at an ever faster rate, company executives are wondering whether it’s been too fast for comfort, according to research.
Some 60 per cent of leaders surveyed by Avanade are worried about the level of “cloud sprawl” (unauthorised software) within their organisations, a problem that’s been compounded by a rate of cloud adoption of 25 per cent over the past two years.

Crytography

 
I’ve written some cautionary articles on using cryptographic hashes to create content-based addresses (compare-by-hash). This page brings together everything I’ve written and keeps an updated table of the status of popular cryptographic hash functions.
Quick summary of my take on compare-by-hash: If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years. For example, BitTorrent falls into this category, but rsync doesn’t. Keep in mind that new, more secure hashes are likely to have larger outputs (e.g., 256 bits for SHA-2 vs. 160 bits for SHA-1) and be more computationally expensive.
 
Grab Bag 400  [cryptocrap.blogspot.com]
I just love crypto contests, so I was counting down the days for most of the year until Defcon CTF 2011 Quals, priming my crypto tool chest… and then they had no crypto category this year. However, there was one crypto problem in the ‘Grab Bag’ category, but it defied all of my cryptanalysis as well as that of my friend Israel Torres, and he makes his own crypto challenges.
After the contest part of the answer was revealed, but not the complete solution. I began working on it and after putting in 10-15 hours on it over a week hit a roadblock and contacted some help. We then worked on it together for another week or 2 to finally come to this: how to solve the problem. (I think.)

Privacy

 
A survey finds more people (47 percent of the entire adult population) are using social networking sites.
National survey findings show that use of social networking sites is growing and that those who use these sites, especially Facebook users, have higher measures of social well-being.
In a national phone survey of 2,255 American adults last fall, the Pew Research Center’s Internet & American Life Project found that controlling for other factors, a Facebook user who uses the site multiple times per day is 43 percent more likely than other Internet users and more than three times as likely as non-Internet users to feel that most people can be trusted.
 
Cookie laws  [www.out-law.com]
This guide is based on UK law. It was last updated in June 2011.
Cookies are small text files that most websites use to recognise their visitors. A European law of 2002 required that these visitors be given certain information about cookies. From 26 May 2011 the law changed meaning that in addition to the provision of certain information visitors must give their consent to the placing of cookies.
This guide explains the new UK regime and outlines the current advice on how to achieve compliance. The law comprises of the Privacy and Electronic Communications Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (‘UK Regulations’).
 
Data retention beyond six months delivers no safety or security gains. It is just a gross imposition on privacy
GETTING RID of data retention – the mandatory storage of every citizen’s telephony and internet usage information – will have absolutely no effect on the successful prosecution of criminal cases.
 
The executive chairman of Google has warned governments against facial recognition technology – saying it is ‘too creepy’ even for the search engine.
Eric Schmidt said that the technology has advanced rapidly in recent years and that it could be rolled out across the internet.
But the controversial technique has angered privacy campaigners who claim that it would be a further erosion of privacy and civil liberties.
Now Schmidt has dispelled any suggestions that internet giant Google would be the first company to employ the system.

Security FAIL

 
Online storage service Dropbox accidentally turned off password authentication for its 25 million users for four hours on Monday — although ‘much less than 1%’ of those accounts were accessed during the period, the company said. It is still investigating whether any of those accounts were improperly accessed.

General

 
EADS adds cyber protection to its aircraft business
Europe’s largest aerospace and defense contractor, EADS, plans to wage war on cyber crime. The group is set to launch a new Internet security unit within its Cassidian security subsidiary.
The European Aeronautic Defence and Space company aims to enter the potentially lucrative, high-growth market for cyber security services, in a move to grow beyond its core aircraft and aerospace manufacturing business.
In an interview with Financial Times Deutschland, Stefan Zoller, CEO of EADS security subsidiary Cassidian, said the company plans to invest a couple hundred million euros to launch a new cyber security unit.
 
‘Paper or plastic?’ That question isn’t asked frequently at grocery stores anymore, but it may be poised for a comeback – at Canadian banks.
The Bank of Canada will start issuing high-tech currency made of polymers instead of the traditional cotton paper and featuring transparent windows (one shaped like a maple leaf) to frustrate counterfeiters.
Security and verification features include raised ink in the numerals and the featured portrait, color-shifting images embedded in the large window, and a number hidden in the maple-leaf window.
 
Some time ago I had a crazy/funny idea for a local privilege escalation: run a privilege granting operation in an infinite loop and wait for a random bit flip in CPU/RAM that would make a ‘can this user do this’ check return ‘true’ instead of ‘false’. Is this theoretically possible? Yes. And practically? Almost impossible, due to the unlikeliness of a bit flip and even more, the unlikeliness of a bit flip in the just right place. Nevertheless, I thought this idea was quite interesting and decided to dig into the topic. This post will summarize what I’ve found out and mention a few papers/posts might be worth reading.
As a start note: most of the data I found is kinda outdated (year 2003, etc), so links to newer data are most welcomed!
Is a random bit flip possible?
Yes. Actually more possible then I’ve expected and that’s why ECC RAM (ECC being Error-Correction Code) dices are so widely used in servers.

Outrageous

 
Verone chose prison over pain.
James Richard Verone of North Carolina spent his whole life playing by the rules and staying out of trouble. Having worked as a delivery man for Coca Cola for 17 years, Verone was known as a hard worker and honest man.

Funny / Hilarious

 
 
The Cloud  [www.dilbert.com]
 
 
 
 
 
German Lesson for Beginners  [www.youtube.com]
 
French Lesson for Beginners  [www.youtube.com]
 
The Frontier  [abstrusegoose.com]
 
 

Free Consultation

sales@7asecurity.com [ PGP ]

Ireland: Global Headquarters7ASecurity Ltd.
50 Richmond Street South,
Dublin 2, D02 FK02, Ireland, EU
EU-VAT No: IE-4242720BH,
Reg. No. 754736

Poland Office7ASecurity sp. z o.o.
Kujawska 12,
85-031 Bromberg (Bydgoszcz), Poland, EU
EU-Vat No: PL-9532764607,
Reg. No. 382862866

---A---
Follow Us
Free-4-You