Merry Christmas to all. We will be taking a few days off to enjoy the Christmas Holiday. We will be back on the 28th with Episode 35.
ISD Episode 34 – Going Solo
Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.
Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.
Community SANS Atlanta 2010 Spring Schedule has been posted. There are 5 classes currently being offered. Leading off with Scott Moulton’s SEC606.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Go online to register by emailing sales@sans.org or call (301) 654-SANS(7267).
Vulnerabilities of Interest:
- IBM Tivoli Storage Manager is prone to multiple vulnerabilities, including multiple buffer-overflow issues and multiple unauthorized-access issues. Exploiting these issues could cause a denial-of-service condition or code execution, and could give an attacker the ability to read, copy, edit, or delete files on a victim’s computer. Core Security has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild. A Metasploit exploit module is available.
- PHP is subject to an ‘open_basedir’ restriction-bypass vulnerability because of a design error. This vulnerability could be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. In such cases, ‘open_basedir’ restrictions are expected to isolate users from each other. PHP 5.2.11 and 5.3.0 are vulnerable; other versions may also be affected. Attackers may exploit these issues by crafting and executing standard PHP code. Exploits are available in the wild.
- HP Operations Manager is subject to a remote unauthorized-access vulnerability that could allow uploading and execution of code with SYSTEM-level permissions. Operations Manager 8.1 for Windows is vulnerable; other versions may also be vulnerable. Attackers can use readily available tools to exploit this issue. Core Security has a working commercial exploit for its CORE IMPACT product. Additionally, a working commercial exploit is available through VUPEN Security – Exploit and PoCs Service.
- The JEEMA Article Collection component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application or to access or modify data in the underlying database. URL example: http://www.example.com/index.php?view=longview&catid=null/**/union/**/select/**/concat(username,0x3a,password),2/**/from/**/jos_users&Itemid=107&option=com_jeemaarticlecollection
- Simple PHP Blog is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. This can be leveraged to obtain potentially sensitive information or to execute local scripts in the context of the webserver process. Additionally, this may allow a compromise of the application and the underlying computer; other attacks are also possible. Simple PHP Blog 0.5.1 is vulnerable; other versions may also be affected. Exploit code is available in the wild.
News item 1: http://online.wsj.com/article/SB126102247889095011.html?mod=googlenews_wsj
The Wall Street Journal is reporting the insurgents in Iraq have been able to use $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones. U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s.
News item 2: http://blogs.computerworld.com/15234/google_ceo_if_you_want_privacy_do_you_have_something_to_hide
Apparently, Google CEO Eric Schmidt said, while appearing on CNBC: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” He seemed to suggest that folks seeking privacy might not want to look to the Internet to find it.
EFF’s Richard Esguerra reminds us why we should care:
Schmidt’s statement makes it seem as if Google … is not even concerned enough to understand basic lessons about privacy and why it’s important. … Schmidt’s statement is painfully similar to the tired adage of pro-surveillance advocates that incorrectly presume that privacy’s only function is to obscure lawbreaking: “If you’ve done nothing wrong, you’ve got nothing to worry about.”
…
News item 3: http://news.cnet.com/8301-13506_3-10416383-17.html?part=rss&subj=news&tag=2547-1_3-0-20
Career site Glassdoor.com has announced the employees’ choice awards for the top 50 best places to work. No tech companies made the top five, but according to Glassdoor, Southwest Airlines, General Mills, Slalom Consulting, Bain & Co., and McKinsey & Co. were the best places to work this year. Only General Mills and Bain & Co. were in the top five last year.
On the tech side, it was enterprise-solution provider Juniper Networks that led the way for the industry, placing 10th in the list with a 3.9 (out of 5) company rating from employees. Google placed 14th with a 3.9 rating, followed by NetApp, which also received a 3.9 rating. Last year, Google was ranked seventh on the list. NetApp was ranked 10th.
Some other tech notables from the list: Apple placed 22nd with a 3.8 company rating, which is a little lower than last year’s 19th place. Online career site CareerBuilder took the 26th spot with a 3.7 rating. The site experienced a steep decline, dropping eight spots from its 2008 ranking of 18th.
Companies that have offices in Atlanta:
News item 4: http://www.heraldtribune.com/article/20091223/ARTICLE/912231066?Title=U-S-faces-shortage-of-cyber-defenders
Apparently, the federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policy-makers, at a time when network attacks are rising in frequency and sophistication.
Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality.
The Examiner is reporting that less than 24 hours after her sudden death, hackers and spammers had already begun using her name in poisoned search results and spam messages. They used SEO techniques to move their malicious links to the top of the search results for her name and for keywords related to her and her death. When clicked, the links led to sites that attempted to download fake anti-virus software onto the visitor’s computer.
News item 6: http://www.networkworld.com/community/node/49237
Network World has an article on the Obama appointment of Howard Schmidt to become the nation’s first Cybersecurity Coordinator. Schmidt will report to the National Security Council (NSC) and the National Economic Council (NEC).
The article asks whether Schmidt is the right person for this job. They state that Schmidt has experience at US-CERT, DHS, the U.S. Air Force, the White House, Microsoft, and eBay. He is also a well-respected father figure in the security industry. The article goes on to state that Schmidt must begin to address several major challenges, such as:
1. Sophisticated adversaries. On the day that Schmidt was announced, the major security story centered on a multi-million dollar cybersecurity attack on Citigroup last summer. Citigroup is no security lightweight, so if its systems can be compromised there are a lot of sitting ducks out there. Cyberwar is a real threat in the next decade.
2. A cybersecurity hot potato. As of this writing, there are a number of cybersecurity bills in committee and a lot of rhetoric on the Hill. Meanwhile, DHS, DOD, and NSA have complementary and competitive cybersecurity roles that need to be ironed out. There has also been massive spending on cybersecurity — some useful and some wasteful. We desperately need a non-elected leader to separate cybersecurity needs from politics and pork.
3. A real lack of knowledge. Cybersecurity knowledge is in short supply. Business guys know they need to do something but are unsure what to do. Technologists often look at security in myopic terms related to IT. Consumers haven’t a clue. We need a federally-driven education program that spans public awareness campaigns all the way through scholarships and continuing education.
DC404 Meeting report:
While at the DC404 meeting on Saturday, we were privileged to have Nick Owen, CEO of WiKID Systems, discuss his company’s product. Nick began by giving us an overview of how WiKID works. A user selects the domain they wish to use and enters their PIN into the WiKID two-factor client. The PIN is encrypted with the WiKID server’s public key, assuring that only that server can decrypt it with its private key. If the server can decrypt the PIN, the PIN is correct, and the account is active, it generates a one-time passcode (OTP) and encrypts it with the client’s public key. The user then enters their username and the OTP into whatever service they are using (a VPN, for example), which forwards them to the WiKID server for validation.
He then touched on the operating systems WiKID supports, which include Windows, Mac, Linux, J2ME, PocketPC/SmartPhone/Windows Mobile and BlackBerry. Finally, he discussed the network clients that WiKID supports, such as RADIUS, LDAP, and SSL via both a Java bean and a COM object. He also indicated that they have plug-ins for Juniper (formerly Funk) Steel Belted Radius and the Citrix Web Interface.
Overall, WiKID looked interesting and is probably something that we should look into.
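The PIN-then-OTP flow Nick described, modelled as an added illustration written for these notes (it is not WiKID’s code). It covers the server-side decisions in the flow: the PIN must be correct and the account active before an OTP is issued, and the relying service then gets a yes/no on the username and OTP. Assumptions not in the notes: PINs are stored as salted PBKDF2 hashes, OTPs are 8 decimal digits valid for 60 seconds, and an OTP is consumed by its first validation attempt. The public-key encryption that WiKID wraps around the PIN and the OTP on the wire is left out of the model.

```python
"""Model of the PIN-then-OTP exchange described in the DC404 report.

Added illustration for these show notes, not WiKID's own code. Standard
library only. Assumed details: salted PBKDF2 PIN storage, 8-digit OTPs
valid for 60 seconds, OTP consumed on first validation attempt. The
public-key encryption of the PIN and OTP in transit is not modelled.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 8           # assumed OTP length
OTP_TTL_SECONDS = 60     # assumed OTP lifetime


class Account:
    """A registered client: username, salted PIN hash and active flag."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, username, pin, active=True):
        self.username = username
        self.active = active
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(pin, self.salt)

    @classmethod
    def _hash_pin(cls, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.PBKDF2_ROUNDS)

    def pin_matches(self, pin):
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        return hmac.compare_digest(self._hash_pin(pin, self.salt), self.pin_hash)


class TwoFactorServer:
    """The WiKID-style server: issues OTPs to clients and validates them for services."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.pending = {}        # username -> (otp, expiry timestamp)
        self.clock = clock       # injectable so expiry can be tested deterministically

    def add_account(self, account):
        self.accounts[account.username] = account

    def request_otp(self, username, pin):
        """Step 1 (client -> server): the decrypted PIN arrives; issue an OTP only if
        the PIN is correct and the account is active. Returns None on any failure."""
        acct = self.accounts.get(username)
        if acct is None or not acct.active or not acct.pin_matches(pin):
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[username] = (otp, self.clock() + OTP_TTL_SECONDS)
        return otp

    def validate(self, username, otp):
        """Step 2 (service -> server): a VPN or other service forwards username + OTP.
        The pending OTP is removed before it is checked, so it is single use: a wrong
        or expired attempt also burns it and the user must request a fresh one."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(expected, otp)


if __name__ == "__main__":
    server = TwoFactorServer()
    server.add_account(Account("alice", "1234"))
    otp = server.request_otp("alice", "1234")                        # client step
    print("service validates OTP:", server.validate("alice", otp))   # True
    print("replay of same OTP:", server.validate("alice", otp))      # False
```

The clock is injected so that expiry can be exercised without waiting; in a real deployment the server would also rate-limit PIN attempts per account, which this model leaves out.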
ISD Episode 33 – Interview with Kevin Johnson
Tonight we are joined by a very special guest, Kevin Johnson from InGuardians. Kevin, who is also affectionately known as the “Hacker Princess”, gives us some insight into what it’s like to work at InGuardians with such luminaries as Ed Skoudis and Mike Poor. We also get some information on his Social Network Security research and Samurai WTF.
ISD Episode 32
Tonight we are joined by a very special guest, Rob Lee, Director at MANDIANT (http://www.mandiant.com/) as well as the Curriculum Lead for Digital Forensic Training at the SANS Institute (http://forensics.sans.org/).
ISD Episode 31
DC404 meeting is this Saturday, December 19th @ 2PM at the Vortex Midtown. Nick Owen will be presenting on “WiKID Two-factor Auth and Securing Network Access with Open Source Solutions”. For more information and directions go to dc404.kaos.to or simply google DC404.
Vulnerabilities of Interest:
- Mozilla Firefox and SeaMonkey are affected by a spoofing vulnerability. An attacker could exploit this issue to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the webpage. To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document.
- Xpdf is prone to multiple integer-overflow vulnerabilities. Exploiting these issues may allow remote attackers to execute arbitrary code in the context of an affected application or cause denial-of-service conditions. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service. A separate proof of concept is publicly available and known to be circulating in the wild.
- Winamp is prone to multiple integer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. These issues affect versions *prior to* Winamp 5.57. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service.
- Zen Cart is prone to a security vulnerability that may allow attackers to obtain sensitive information or delete the application’s database. An attacker can exploit this issue to view files in the context of the webserver process and delete the application’s database. Successful exploits may lead to further attacks. An attacker can exploit this issue via a browser.
- WHMCS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following is an example URL: http://www.example.com/weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user
- WP-Forum WordPress plugin is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to WP-Forum 2.4 are vulnerable. Attackers can use a browser to exploit these issues. The following URL strings are available:
http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1
Exploit code is available in the wild.
- OSSIM is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands because the application fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected application and possibly the computer. These issues affect OSSIM 2.1.5; other versions may be affected as well. The following URL strings are available:
http://www.example.com/ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing
http://www.example.com/ossim/sem/storage_graphs.php?uniqueid=;ls%20%3E%20/tmp/listing;
http://www.example.com/ossim/sem/storage_graphs2.php?uniqueid=;ls%20%3E%20/tmp/listing;
http://www.example.com/ossim/sem/storage_graphs3.php?uniqueid=;ls%20%3E%20/tmp/listing;
http://www.example.com/ossim/sem/storage_graphs4.php?uniqueid=;ls%20%3E%20/tmp/listing;
- Quick Heal AntiVirus is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, resulting in a complete compromise of the affected computer. Quick Heal AntiVirus 2010 is vulnerable; other versions may also be affected. An attacker can use readily available command-line utilities to exploit this issue.
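The injection reports above (the JEEMA component for Joomla! in the Episode 34 notes, and WHMCS, WP-Forum and OSSIM here) all come down to query parameters reaching a SQL query or a shell unsanitized. As an added, defender-side example written for these notes (not code from any of those projects or from the show), the scanner below reads Apache-style access-log lines, decodes each query parameter (twice, to catch double encoding) and flags SQL-injection and command-injection indicators; it goes one step beyond the page by also flagging the path-traversal strings typical of local file-include attempts like the Simple PHP Blog issue. The log lines, addresses, timestamps and indicator patterns are constructed for the example; the request paths mirror the example URLs quoted in the reports.

```python
"""Access-log scanner for the injection indicators discussed in these notes.

Added example, constructed for the show notes; not code from the affected
projects or from the show. Standard library only. The patterns below are
illustrative, not a vendor's signature set, and will produce some false
positives on legitimate values that contain ';' or 'and 1=1'.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator patterns, each checked against a fully decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),          # union-based extraction
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),     # boolean tautology probes
    re.compile(r"/\*.*\*/"),                              # inline comments used as spacing
    re.compile(r"\bconcat\s*\(", re.I),
]
CMDI_PATTERNS = [
    re.compile(r"[;|`]\s*\w"),    # command separator followed by another command
    re.compile(r"\$\("),          # $(...) substitution
]
LFI_PATTERNS = [re.compile(r"(\.\./)+|(\.\.\\)+")]   # directory traversal

# Apache-style access log: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (RFC 5737 test addresses); paths mirror the URLs quoted above.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2009:14:02:11 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [18/Dec/2009:14:02:15 -0500] "GET /index.php?view=longview&catid=null/**/union/**/select/**/concat(username,0x3a,password),2/**/from/**/jos_users&Itemid=107&option=com_jeemaarticlecollection HTTP/1.1" 200 813
198.51.100.22 - - [18/Dec/2009:14:05:40 -0500] "GET /weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user HTTP/1.1" 200 2201
198.51.100.22 - - [18/Dec/2009:14:06:02 -0500] "GET /blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1 HTTP/1.1" 200 4410
192.0.2.9 - - [18/Dec/2009:14:09:30 -0500] "GET /ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing HTTP/1.1" 200 301
192.0.2.9 - - [18/Dec/2009:14:10:01 -0500] "GET /blog/?page_id=3 HTTP/1.1" 200 4410
"""


def classify_value(value):
    """Return the indicator classes matched by one decoded parameter value."""
    kinds = []
    if any(p.search(value) for p in SQLI_PATTERNS):
        kinds.append("sqli")
    if any(p.search(value) for p in CMDI_PATTERNS):
        kinds.append("cmdi")
    if any(p.search(value) for p in LFI_PATTERNS):
        kinds.append("lfi")
    return kinds


def inspect_request(path):
    """Split the query string by hand (so ';' inside a value is never treated as a
    separator), decode each value, and return [(name, decoded_value, kinds)] for
    every parameter that matches an indicator."""
    findings = []
    for pair in urlsplit(path).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if "%" in value:                  # second pass catches %25-style double encoding
            value = unquote_plus(value)
        kinds = classify_value(value)
        if kinds:
            findings.append((name, value, kinds))
    return findings


def scan_log(text):
    """Run inspect_request over every parseable log line; return one alert per hit."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, kinds in inspect_request(m.group("path")):
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "path": m.group("path"), "param": name,
                           "value": value, "kinds": kinds})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["param"], alert["kinds"], repr(alert["value"]))
```

Splitting on `&` by hand rather than with `parse_qsl` matters for the OSSIM lines: older Python versions treat `;` as a parameter separator, which would split `1;ls > /tmp/listing` in two and hide the indicator.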
News item 1: http://www.neowin.net/news/main/09/12/16/us-and-russia-hold-secret-talks-on-fighting-cyber-crime?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+neowin-main+(Neowin.net+Main+News)
An update to the news item we had on the U.S. joining the UN talks on cybersecurity: the U.S. has apparently been in secret talks with Russia. This may be directly related to the Albert Gonzalez attacks involving Russian citizens.
News item 2: http://www.csoonline.com/article/511269/Hackers_Take_Twitter_Offline_Again?source=rss_news
Twitter went offline for a while Friday after hackers calling themselves the Iranian Cyber Army apparently managed to change DNS records, redirecting traffic to another Web page. Whether Iranian hackers were actually responsible for the attack wasn’t immediately clear. However, Twitter and other Internet sites have been used by Iranian opposition groups and protestors to share details of anti-government protests in that country.
Twitter blamed the outage on changes made to the company’s DNS (Domain Name System) records, which match the company’s domain name with the IP addresses of its servers.
“Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon,” Twitter said on its Twitter Status page.

News item 3: http://government.zdnet.com/?p=6507
According to Doug Hanchard at ZDNet, regulators such as the CRTC, Ofcom and the FCC should be concerned with the opening up of wireless phone operating systems. The article goes on to explain that there should be a set of standards and verification tools that regulators use to verify software code on a phone, and that it must be LOCKED DOWN prior to release. Because a wireless phone has access to both communications platforms – the public switched telephone network (PSTN) and the Internet – the danger is significant, and no software application should be released without vetting its ability to withstand attacks to and from the user’s device. There is a genuine threat to the national security of every country’s phone network. There should be penalties for software applications that create vulnerabilities impacting the telephone network.
News item 4: http://www.theregister.co.uk/2009/11/11/hooksafe_rootkit_protection/
Researchers at North Carolina State University and a researcher from Microsoft released a hypervisor-based system called “HookSafe” (http://www.sigsac.org/ccs/CCS2009/techprogram.shtml, Session 17). HookSafe relocates kernel hooks in a guest OS to a page-aligned memory space. HookSafe successfully prevented nine “real-world” rootkits targeting an Ubuntu 8.04 guest with only a 6% reduction in performance benchmarks. In the test, HookSafe achieved this protection by relocating 5,881 kernel hooks across 41 physical pages, some of them in the dynamic kernel heap. Their paper: http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf
Notes: By leveraging hardware-based virtualization support to intercept and validate write attempts to hardware registers, HookSafe has hardware register protection capabilities, which in turn subverts attempts to overwrite HookSafe’s protected memory. The paper assumes that the system is trusted at boot, that a trustworthy hypervisor can subsequently be securely loaded, and that the runtime integrity of the hypervisor is maintained. So while HookSafe can potentially resolve and protect the kernel hooks that it relocates, it doesn’t address VMBRs (Virtual Machine Based Rootkits) or SMBRs (System Management Mode Based Rootkits). Check out the Press and Resources sections over at http://invisiblethingslab.com for more information on VMBRs and SMBRs. BlackHat paper from ’08 on SMM rootkits: http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf. For information on VMBRs, you might want to check out SubVirt (remember the “Blue Pill” discussions?).
News item 5: http://blog.seattlepi.com/microsoft/archives/188706.asp
Anti-COFEE tool DECAF revealed as spoof. Two developers said they created a tool, called DECAF, that compromises Microsoft’s COFEE computer-forensics tool by killing its processes, disabling a computer’s connection ports and even conjuring up fake MAC addresses.
It’s fake.
The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools.