Your daily source of Pwnage, Policy and Politics.

ISD Episode 25

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business. Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Vulnerabilities of Interest:

  1. JBoss Enterprise Application Platform is prone to multiple cross-site scripting vulnerabilities and a local information-disclosure vulnerability. JBoss is a free, open-source, cross-platform Java EE application server. An attacker can exploit these issues to gain access to sensitive information, or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may let the attacker steal cookie-based authentication credentials and launch other attacks. Readily available tools can exploit these issues; to exploit the cross-site scripting vulnerabilities the attacker must entice a victim into following a malicious URL.
  2. Adobe Flash Player ActiveX Control Information Disclosure Vulnerability – The Adobe Flash Player ActiveX control is prone to an information-disclosure vulnerability. Attackers can exploit this issue, by tricking an unsuspecting victim into viewing a malicious webpage, to obtain potentially sensitive information that may lead to further attacks.
  3. Achievo Document Types Section Arbitrary File Upload Vulnerability – Achievo is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.  An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Versions prior to Achievo 1.4.3 are vulnerable.  An attacker can use readily available tools to exploit this vulnerability.
  4. Achievo Scheduler Category HTML Injection Vulnerability – Achievo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Versions prior to Achievo 1.4.3 are vulnerable. Attackers can use a browser to exploit this issue.
  5. VLC Media Player is prone to a remote heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application; failed exploit attempts result in a denial-of-service condition.
    VLC Media Player 1.0.3 is vulnerable; other versions may also be affected. The vendor disputes this issue because they cannot reproduce it with the exploit provided. A proof of concept is available: it was reported to work on OS X 10.6.2 (v1.0.3) and Ubuntu 9 [2.6.28-15-generic] (v0.9.9a), but the PoC did not appear to work on Windows.
  6. Sun Solaris AnswerBook2, Sun's online documentation system, is reported prone to multiple cross-site scripting vulnerabilities. AnswerBook2 uses a web-browser interface that lets you view and print a variety of Solaris information, including SGML-based AnswerBook collections, Display PostScript AnswerBook collections, and man pages. These issues arise from insufficient sanitization of user-supplied data and allow execution of arbitrary HTML and script code in a user's browser. The Search function of the application is reported to be affected, and the AnswerBook2 admin interface is prone to cross-site scripting attacks as well. These issues can lead to theft of cookie-based credentials and other attacks. AnswerBook2 1.4.4 and prior versions are affected. An exploit is not required; proof-of-concept URLs are available. For the cross-site scripting issue in the AnswerBook2 search function: http://www.example.com/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+. For the admin interface 'View Log Files' function: http://www.example.com/ab2/@Ab2Admin?command=view_access.
News Items of Interest:
News item 1: http://www.linuxinsider.com/story/Is-Ethical-Malware-an-Oxymoron-or-a-Best-Practice-68824.html <Rick>
Linux Insider has an interesting article on whether malware can be ethical and whether calling it such would be an oxymoron. The article poses the question "Do circumstances EVER warrant the use of malware?". Apparently this question has been bandied about the blogosphere this week, after a well-meaning developer wondered whether it would be ethical to expose vulnerabilities that others might then exploit. My opinion is that there would be circumstances where malware use is warranted, and not just to expose a vulnerability.

News item 2: http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222000888&cid=RSSfeed <Rick>
DarkReading has an article on Gold Lock, an Israeli mobile security firm that previously offered $100,000 in gold to anyone who could hack its voice encryption technology and has now upped the ante to $250,000. Gold Lock posted a sample of an encrypted voice conversation on its website and is offering the golden reward to any hacker who can crack it and send the company a transcript of the call.

Gold Lock, which sells military-grade mobile devices and data and voice encryption tools, says the voice call file has been downloaded more than 1,000 times in the Gold Lock Hacker Challenge contest. But that’s nowhere near the number the vendor had expected, so it decided to make the contest more attractive with a bigger bounty.

Now I gotta tell you that 250K in gold is enough to get most hackers out of bed, unlike that measly 10K that a company was offering a while ago.

News item 3: http://www.theregister.co.uk/2009/12/07/phishing_hit_rate/ <Rick>
The Register has a story on a 1-in-200 success rate for phishing attacks. Stats culled from Trusteer's anti-phishing browser plug-in, which banks offer to their clients as a transaction security add-on, show that 0.47 per cent of a bank's customers fall victim to phishing attacks each year. The figure comes from the number of users who visited and attempted to enter data on a known phishing site but escaped because they were using Trusteer's Rapport browser security plug-in.

Nearly half (45 per cent) of bank customers who are redirected to a phishing site attempt to hand over their login credentials.

The overall response rate to phishing scams translates to between $2.4m-$9.4m in annual fraud losses (per one million online banking clients), according to Trusteer.

Trusteer’s report (PDF).

News item 4: http://voices.washingtonpost.com/securityfix/2009/12/jmtest.html <Rick>

What’s in your wallet? Apparently, an electronics testing firm in Louisiana wants to lighten what is in Capital One’s wallet. It alleges that the bank was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. JM Test Systems lost more than $97,000 in two separate unauthorized bank transfers a week apart back in February.

According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. This is yet another example of customers challenging whether banks are doing enough to help prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company’s online banking credentials.

News item 5: http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf <Rick>
Data compiled by Verizon in an addendum to its Data Breach Investigations Report shows that the vast majority of reported and investigated data breaches are the result of external incidents, not insider threats.

“Incidents that result in data compromise and that prompt disclosure or outside investigation are most likely to be perpetrated by external threat agents,” the report says.  This flies in the face of conventionally held beliefs that the majority of data compromises come from internal attacks.
What the report does show is that the data compiled by Verizon match up very closely with slightly normalized data from the DataLoss Database (DataLossDB). To make the DataLossDB figures comparable with the incidents Verizon investigates, the Verizon researchers removed DataLossDB incidents that were the result of “lost assets, improper disposal and postal mail errors.”

The result is that Verizon’s data show that 73 percent of incidents are the result of external sources, while the filtered DataLossDB data show that 79 percent of incidents came from external sources. That’s a remarkably similar result.

Have we had it wrong all along?

Tech Segment: http://www.kismetwireless.net
Kismet 2009-11-R1 was recently released. Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11a, 802.11b, and 802.11g traffic.
Kismet identifies networks by passively collecting packets: it detects standard named (beaconing) networks, detects and, given time, decloaks hidden networks, and infers the presence of non-beaconing networks from their data traffic.
This release is a major change in how Kismet works and is configured. While some things are similar, most, such as the client, configuring sources and channels, and so on, are very different.

So the question is, should you upgrade? The simple answer is no, not in place: to take advantage of the new features you really need to replace your existing installation, configuration included, with this newer version rather than layer it on top of the old one.

Some of the changes you will notice are that capture sources are defined differently. All UI configuration is now handled inside the Kismet client and stored in the user's home directory in ~/.kismet/kismet_ui.conf. There are new filtering and alerting options, not to mention a completely new UI. Most significantly, it uses less CPU, even with a high number of networks.

This release breaks almost everything from previous releases, but it adds some significant feature enhancements.


  1. Download Kismet from http://www.kismetwireless.net/download.shtml
  2. Run “./configure”. Pay attention to the output! If Kismet cannot find all the headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.
  3. Compile Kismet with “make”.
  4. Install Kismet with either “make install” or “make suidinstall”.
  5. If you have installed Kismet as suid-root, add your user to the “kismet” group.
  6. Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended, as it is less secure than privsep mode, where packet processing is segregated from admin rights.
  7. When prompted to start the Kismet server, choose “Yes”
  8. When prompted to add a capture interface, add your wireless interface.
  9. Logs will be stored in the directory you started Kismet from, unless changed via the “logprefix” config file option or the “--log-prefix” startup option.
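The steps above, wrapped into a small POSIX shell script. This is an added example, not code from the Kismet project or from the show notes. It assumes the 2009-11-R1 "newcore" configuration syntax (ncsource=<interface>:name=<label> and logprefix=), that "make suidinstall" puts the setuid capture helper kismet_capture under $KISMET_PREFIX/bin with mode 4550, owner root, group kismet, that the "kismet" group is created before installing, and that sudo and getent are available (Linux). Interface names are validated before they reach a config file or a command line, and the "check" action refuses to suggest running as root when the privsep install is merely misconfigured.

```shell
#!/bin/sh
# Added example (not from the Kismet project or the show notes): the install
# and first-run steps as re-runnable functions, plus the checks a privsep
# (suid) install should pass before you type "kismet".
# Assumptions: Kismet 2009-11-R1 newcore config syntax (ncsource=, logprefix=),
# "make suidinstall" placing a setuid-root, group "kismet", mode 4550
# kismet_capture under $KISMET_PREFIX/bin, sudo/getent present (Linux).
set -u

KISMET_PREFIX=${KISMET_PREFIX:-/usr/local}
KISMET_CONF=${KISMET_CONF:-$KISMET_PREFIX/etc/kismet.conf}

# Steps 2-4: configure, build, privsep install. configure's output is kept
# in configure.log so missing -dev/-devel packages can be spotted afterwards.
build_and_suidinstall() {
    srcdir=$1
    getent group kismet >/dev/null 2>&1 || sudo groupadd kismet
    ( cd "$srcdir" &&
      ./configure > configure.log 2>&1 &&
      make &&
      sudo make suidinstall )
}

# Reject interface names that could smuggle shell metacharacters or the
# ':' field separator into a config line or a command (e.g. "wlan0; id").
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 8 as a config line instead of the client prompt:
# newcore syntax is ncsource=<interface>:name=<label>.
source_line() {
    valid_iface "$1" || { echo "bad interface name: '$1'" >&2; return 1; }
    printf 'ncsource=%s:name=%s\n' "$1" "${2:-$1}"
}

# Steps 8 and 9 together: append the capture source and the log directory
# (same effect as --log-prefix) to a kismet.conf.
write_config() {
    conf=$1 iface=$2 logdir=$3
    line=$(source_line "$iface") || return 1
    {
        printf '%s\n' "$line"
        printf 'logprefix=%s\n' "$logdir"
    } >> "$conf"
}

# Steps 5/6 check: a privsep install means kismet_capture is setuid root,
# group "kismet", and not runnable by anyone else (mode 4550 or 4750), and
# the user running "kismet" is in that group. ls -l is used so this works
# without GNU stat.
capture_mode_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -r?sr-x---) return 0 ;;
        *) return 1 ;;
    esac
}

capture_owner_ok() {
    set -- $(ls -ld -- "$1" 2>/dev/null)   # fields: perms links owner group ...
    [ "${3:-}" = root ] && [ "${4:-}" = kismet ]
}

in_kismet_group() { id -nG | tr ' ' '\n' | grep -qx kismet; }

precheck() {
    bin=$KISMET_PREFIX/bin/kismet_capture
    if ! capture_mode_ok "$bin"; then
        echo "no setuid kismet_capture at $bin: reinstall with 'make suidinstall'" >&2
        return 1
    fi
    if ! capture_owner_ok "$bin"; then
        echo "$bin is not root:kismet, so privsep would not take effect" >&2
        return 1
    fi
    if ! in_kismet_group; then
        echo "you are not in group kismet (step 5): add yourself and log in again" >&2
        return 1
    fi
    echo "privsep install looks right; run: kismet"
}

# Usage: setup.sh build <srcdir> | config <iface> [logdir] | check
case "${1:-}" in
    build)  build_and_suidinstall "${2:?source directory}" ;;
    config) write_config "$KISMET_CONF" "${2:?interface}" "${3:-/var/log/kismet}" ;;
    check)  precheck ;;
esac
```

The mode check deliberately treats a world-executable kismet_capture as a failure: a setuid-root binary that any local user can run widens the attack surface far beyond the "kismet" group that the suid install is meant to limit it to.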