ISD Podcast Episode 71 for February 19, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you with a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191
Data Recovery Class April 12th to the 16th in Washington DC. Go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.
The next dc404 meeting is THIS Saturday, February 20th, at 2pm at the Vortex Midtown. This month’s topic is “Social Engineering,” and Beau W. will be presenting. We hope to see a big group on Saturday!
March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)
April 15 – 21, 2010 SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)
May 17 – 21, 2010 SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth (http://www.sans.org/atlanta-critical-controls-2010-cs)
Vulnerabilities of Interest:
- SystemTap is subject to multiple local memory-corruption vulnerabilities. A local attacker may exploit these issues to execute arbitrary code with superuser privileges; failed exploit attempts will result in a denial of service. SystemTap 1.1 is vulnerable; other versions may also be affected. Proof-of-concept trigger:
#!/bin/bash
# Loops forever, each pass running /bin/echo with a very large argument
# list: every file two levels under the kernel include tree plus every
# word of /proc/slabinfo. The command substitution around cat is an
# assumption; the listing as published lost its backticks.
while [ "0" = "0" ] ; do
    HOME=1
    /bin/echo /usr/src/kernels/2.6.18-128.el5-PAE-i686/include/*/* $(cat /proc/slabinfo)
done

- New-CMS is subject to multiple local file-include vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view and execute a crafted ‘cmd.php’ script within the context of the webserver process. Information harvested may aid in further attacks. The attacker may leverage the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. New-CMS 1.08 is vulnerable; other versions may also be affected. Example URLs:
http://www.sample.com/pdf.php?lng=cmd.php
http://www.sample.com/newcms/struttura/manager.php?lng=cmd.php
http://www.sample.com/newcms/struttura/editor/quote.php?lng=cmd.php
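The New-CMS item above describes the classic local-file-include pattern: a request parameter (here 'lng') is turned into the path of a file that the script then includes. The following is an added example, not New-CMS code; the directory layout, the allow-list and the two resolver functions are constructed stand-ins for that pattern. It runs the advisory's own URLs (plus one constructed traversal variant) through a naive resolver and a hardened one.

```python
"""Local file include (LFI) via a language parameter: the bug and the fix.

Added example, not New-CMS code. The advisory says only that an 'lng'
request parameter reaches an include without sanitisation; LANG_DIR,
ALLOWED_LANGS and the resolvers below are constructed stand-ins.
"""
import posixpath
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Constructed layout: language files the application legitimately includes.
LANG_DIR = PurePosixPath("/var/www/newcms/lang")
ALLOWED_LANGS = frozenset({"en", "it", "de"})

# The three URLs from the advisory plus a traversal variant (constructed).
SAMPLE_URLS = [
    "http://www.sample.com/pdf.php?lng=cmd.php",
    "http://www.sample.com/newcms/struttura/manager.php?lng=cmd.php",
    "http://www.sample.com/newcms/struttura/editor/quote.php?lng=cmd.php",
    "http://www.sample.com/pdf.php?lng=../../../../etc/passwd",
]


def lng_from_url(url: str) -> str:
    """Return the raw 'lng' query parameter ('' when absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("lng", [""])[0]


def vulnerable_resolve(lng: str) -> str:
    """The bug: the parameter is concatenated into the path as-is.

    In PHP terms, include($lang_dir . '/' . $_GET['lng']). Anything the web
    server process can read is reachable: an attacker-uploaded cmd.php by
    name, /etc/passwd via '../' sequences.
    """
    return str(LANG_DIR / lng)


def contained(path: str) -> bool:
    """True if the canonical form of path lies strictly inside LANG_DIR.

    posixpath.normpath collapses '.' and '..' lexically, so the check needs
    no filesystem access. It does not resolve symlinks, so keep LANG_DIR
    free of them.
    """
    canonical = PurePosixPath(posixpath.normpath(path))
    return LANG_DIR in canonical.parents


def hardened_resolve(lng: str) -> str:
    """Allow-list the value, derive the file name, then re-check containment.

    The allow-list alone is enough today; the containment check is the
    defence that survives a later mistake such as an allow-list entry that
    itself contains a path separator. Raises ValueError on rejection.
    """
    if lng not in ALLOWED_LANGS:
        raise ValueError(f"language not allowed: {lng!r}")
    candidate = str(LANG_DIR / f"{lng}.php")
    if not contained(candidate):
        raise ValueError(f"path escapes {LANG_DIR}: {candidate}")
    return posixpath.normpath(candidate)


def triage(urls):
    """Per URL: (lng value, what the naive resolver includes, hardened verdict)."""
    rows = []
    for url in urls:
        lng = lng_from_url(url)
        try:
            verdict = hardened_resolve(lng)
        except ValueError as err:
            verdict = f"BLOCKED: {err}"
        rows.append((lng, vulnerable_resolve(lng), verdict))
    return rows


if __name__ == "__main__":
    for lng, naive, verdict in triage(SAMPLE_URLS):
        print(f"lng={lng!r}\n  naive    -> {naive}\n  hardened -> {verdict}")
```

Note that all four sample requests are rejected by the hardened resolver, including the bare 'cmd.php' from the advisory: the attacker does not need '../' when the include directory is also somewhere they can upload to, which is why an allow-list on the value beats any amount of traversal-string filtering.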
- OCS Inventory NG is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The issues affect versions 1.02.3, 1.3.0 and 1.3.1; other versions may also be affected. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.
- PortWise SSL VPN is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PortWise SSL VPN 4.6 is vulnerable; other versions may also be affected. Exploit code is available: https://www.sample.com/wa/auth?&authmech=Assess&reloadFrame=%22;%3Cscript%3Eblah%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
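Both the OCS Inventory NG and PortWise items come down to the same defect: a request parameter echoed back into the page unencoded. The following is an added example, not PortWise or OCS Inventory NG code. It decodes the published PortWise URL, renders it through a constructed page template in which 'reloadFrame' lands inside an inline script (the context the leading %22; in the URL is built to break out of), and shows the encoding that closes the hole. The template, the benign URL and the log-triage helper are assumptions.

```python
"""Reflected XSS: what the published URL does, and the server-side fix.

Added example, not PortWise or OCS Inventory NG code. The advisories say
only that user input is echoed back unsanitised; the page template below
is a constructed stand-in in which the 'reloadFrame' parameter lands
inside an inline <script> element.
"""
import json
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# The exploit URL from the advisory, verbatim.
EXPLOIT_URL = (
    "https://www.sample.com/wa/auth?&authmech=Assess&reloadFrame="
    "%22;%3Cscript%3Eblah%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)
# A benign request to the same endpoint (constructed).
BENIGN_URL = "https://www.sample.com/wa/auth?authmech=Assess&reloadFrame=main"

SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def query_param(url: str, name: str) -> str:
    """Decoded value of one query parameter ('' when absent).

    Split on '&' only: the payload contains ';', which older parse_qs
    versions also treated as a separator.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""


def render_vulnerable(reload_frame: str) -> str:
    """The bug: raw value dropped into a JavaScript string literal."""
    return f'<script>var reloadFrame = "{reload_frame}";</script>'


def js_string_literal(value: str) -> str:
    """Encode value for use inside an inline <script>.

    json.dumps escapes quotes, backslashes and control characters; that is
    enough for a pure JavaScript context but not for a script embedded in
    HTML, where a literal </script> in the data ends the element before
    JavaScript ever sees it. '<', '>' and '&' are therefore emitted as
    \\uXXXX escapes, which the JavaScript engine decodes and the HTML
    parser leaves alone.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(reload_frame: str) -> str:
    """The fix: the value is a JavaScript string and nothing else."""
    return f"<script>var reloadFrame = {js_string_literal(reload_frame)};</script>"


def script_elements(html: str) -> int:
    """Number of <script> elements the browser's HTML parser would open."""
    return len(SCRIPT_OPEN.findall(html))


def looks_like_xss_probe(url: str) -> bool:
    """Coarse log-hunting filter: the decoded query contains an HTML tag
    opener or a JavaScript handler. Expect false positives; this is for
    triage of access logs, not for blocking."""
    q = unquote(urlsplit(url).query).lower()
    return any(m in q for m in ("<script", "javascript:", "onerror=", "onload="))


if __name__ == "__main__":
    payload = query_param(EXPLOIT_URL, "reloadFrame")
    print("decoded payload:", payload)
    print("vulnerable page opens", script_elements(render_vulnerable(payload)), "script elements")
    print("hardened page opens  ", script_elements(render_hardened(payload)), "script element")
    print(render_hardened(payload))
```

The count of script elements is the point: the vulnerable rendering hands the browser three, two of them the attacker's, while the hardened rendering hands it one and keeps the attacker's text as inert string data. Plain HTML entity encoding would not be the right fix here, because inside a <script> element the HTML parser does not decode entities.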
News Items of Interest:
News item 1: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222900539
The Department of Defense has signaled its intention to develop new policies requiring its vendors to meet increased standards for cybersecurity for unclassified military information residing on or being carried over private sector systems and networks.
In a memo issued in late January, Department of Defense chief information officer Cheryl Roby laid out a number of leadership responsibilities and strategic guidance on the development of stronger cybersecurity plans.
“It is DoD policy to establish a comprehensive approach for protecting unclassified DoD information transiting or residing on unclassified [Defense industrial base] systems and networks and create a timely, coordinated, and effective partnership with the [Defense industrial base]”
News item 2: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/
An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.
Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by the firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.
The following Monday, Feb. 8, United Shortline received a call from the Tinker Federal Credit Union at Tinker Air Force Base in Oklahoma, inquiring about a suspicious funds transfer one of its customers had received for slightly less than $10,000.
After that call, United Shortline President Louis M. Schillinger said the firm found 14 other such unauthorized transfers had been made from the company’s account to individuals across the United States who had no prior business with Shortline.
News item 3:
The Pwn2Own contest next month will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.
The prizes are 50% more than the top awards given last year at Pwn2Own, which will kick off March 24 at the CanSecWest security conference in Vancouver, British Columbia. Altogether, $100,000 could be handed out by 3Com TippingPoint, the contest sponsor.
Pwn2Own will again offer a dual-track challenge with both browser and mobile OS targets, said Aaron Portnoy, a TippingPoint security research team lead, on a company blog that announced details of this year’s contest.
Now in its fourth year, Pwn2Own has repeatedly made headlines for hacks of Apple’s Mac OS X and Microsoft’s Internet Explorer. In 2009, for example, researcher Charlie Miller broke into a Mac in less than five seconds to win $5,000.
News item 4: http://news.techworld.com/security/3213110/billboard-porn-hacker-busted/
When a Russian hacker last month broke into a giant video advertising billboard located in Moscow to run a pornographic film on it, it caused chaos in city traffic. But Russian news sources report police in the southern city of Novorossiisk have arrested the suspected billboard hacker.
Though not identifying him by name, a statement from the Interior Ministry’s high-tech crime unit says the suspected billboard hacker is a 41-year-old unemployed man who police believe used the IP address of an organisation based in Chechnya to breach a Moscow server in order to upload his pornographic video, according to The Moscow Times.
News item 5: http://www.eweek.com/c/a/Security/Researcher-Uncovers-eBay-Security-Vulnerabilities-684970/
eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay’s online auction site, which eBay has fixed.
eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user’s password and get access to that user’s account.
News item 6: http://www.msnbc.msn.com/id/35456838/ns/technology_and_science-security/
A computer botnet is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network Web sites, according to Internet security firm NetWitness. The “Kneber botnet,” as it’s known, gathers login credentials to online financial systems, social networking sites and e-mail systems from infested computers and reports the information back to hackers.
News item 7:
A suburban Philadelphia school district remotely activates the cameras in school-provided laptops to spy on students in their homes, a lawsuit filed in federal court Tuesday alleged.
According to the lawsuit filed by a high school student and his parents, the school has spied on students and families by “indiscriminate use of and ability to remotely activate the webcams incorporated into each laptop issued to students by the School District.”
Approximately 1,800 students at the district’s two high schools have been given laptops as part of a state- and federally-funded “one-to-one” student-to-laptop initiative.
News item 8: http://www.computerworld.com/s/article/9159258/Chinese_school_linked_to_Google_attacks_also_linked_to_01_attacks_on_White_House_site
One of two Chinese academic institutions identified in a New York Times report Thursday as the apparent source of the recent attacks against Google, has also been linked to a hacker who may have been involved with the takedown of whitehouse.gov in 2001.
The Times yesterday reported that the recent cyberattacks against Google and more than 30 other organizations appeared to have originated from computers at two schools in China. One of the schools was identified as the Shanghai Jiaotong University; the other, as the Lanxiang Vocational School, an academic institution in China’s Shandong Province with apparent ties to the country’s military.
News item 9: http://www.theregister.co.uk/2010/02/18/firefox_zero_day_report/
A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser.
The exploit – which allows attackers to remotely execute malicious code on end user PCs – triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.
News item 10: http://www.wired.com/dangerroom/2010/02/hackers-troops-rejoice-pentagon-lifts-thumb-drive-ban/
U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs and other “removable flash media” on military networks.
The repeal, first reported by InsideDefense.com, may be good news for troops, who depend on the drives to move data in bandwidth-starved locations. But it may be good news for hackers, too. The original network security concerns which prompted the ban haven’t really been addressed, one Strategic Command cyber defense specialist tells Danger Room: “Not much changed. StratCom simply does not have the support to enforce such a ban indefinitely.”
StratCom prohibited the drives’ use back in November 2008 after the Agent.btz virus began working its way through military networks. A variation of the “SillyFDC” worm, Agent.btz spreads by copying itself from thumb drive to computer and back again. Once on a PC, “it automatically downloads code from another location. And that code could be pretty much anything,” iDefense computer security expert Ryan Olson said at the time.
News item 11: http://www.eweek.com/c/a/Security/Google-Patches-Buzz-Security-Vulnerability-471810/
Google has fixed a cross-site scripting bug that allowed attackers to take control of Google Buzz accounts. The bug affects the mobile version of Buzz and was reported Feb. 16 by SecTheory CEO Robert Hansen. Google patched the vulnerability the same day. According to Hansen, news of the flaw was passed along to him by a hacker with the moniker of TrainReq.
“There [are] four things of note here,” Hansen blogged. “Firstly, it’s on Google’s domain, not some other domain like Google Gadgets or something. So, yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS [Secure Sockets Layer/Transport Layer Security] (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz—as if anyone is using that product (or at least you shouldn’t be). And lastly, isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised?”
News item 12: http://www.scientificamerican.com/article.cfm?id=flattery-will-get-you-far&sc=MND_20100216
Research by Elaine Chan and Jaideep Sengupta at the Hong Kong University of Science and Technology, first reported in the Journal of Marketing Research, showed that while most people can spot obvious flattery and attempts to influence them, on a subconscious level it actually works!
The study showed that while participants’ explicit attitudes rejected marketing come-ons, their implicit attitudes were more positive and could be used to predict future behavior. This susceptibility to flattery may stem from the basic human need to feel good about oneself, related to what is called illusory superiority or the above-average effect.
In testing whether the motive to self-enhance was related to insincere flattery, the researchers showed that, in the words of Scientific American, “those of us who could use a little pick-me-up to begin with are particularly vulnerable to the message behind a smooth sales pitch”.
So how does this relate to information security, and why is it important? It all goes back to social engineering: the ability to market to, or convince, other people to do what you want them to. Knowledge of these behavioral responses can be applied to social engineering as part of penetration testing and taught as part of security awareness training. Conversely, expect to see it used in phishing attempts.