ISDPodcast Episode 232 for October 12, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
Phreaknic:
http://www.phreaknic.info
When: Oct 15-17 2010
Where: Nashville, TN
Hack3rCon:
http://www.hack3rcon.org
When: Oct 23-24 2010
Where: Charleston, WV
Stories of Interest:
News: https://blogs.technet.com/b/msrc/archive/2010/10/11/october-2010-security-bulletin-release.aspx
In today’s mammoth Patch Tuesday release, Microsoft delivers 16 security bulletins that address 49 vulnerabilities affecting Windows, Internet Explorer, Microsoft Office, and the .NET Framework. One of them is related to the Stuxnet flaw: it actually addresses two of the four unpatched holes being used by Stuxnet to spread to Windows-based machines. The malware ultimately targets systems running Siemens software used in critical infrastructure operations.
- MS10-071 (Critical) Cumulative Security Update for Internet Explorer. Note: Internet Explorer 8 is affected by only one of the RCEs listed, and the IE 9 beta is not affected.
- MS10-076 (Critical) Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution.
- MS10-077 (Critical) Vulnerability in .NET Framework Could Allow Remote Code Execution. Note: this affects .NET Framework 4.0.
- MS10-075 (Critical) Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution.
The first bulletin to be deployed should be the MS10-071, a hole in IE 6, 7, and 8 that could allow an attacker to take control of a computer if a user browses to a malicious Web page. Second on the list should be MS10-076, which affects Windows XP, Vista, Windows 7, and Windows Server 2003 and 2008.
Next up is MS10-077, which affects the same operating system versions as MS10-076. The most likely attack vectors are a victim running 64-bit Windows browsing to a malicious Web page, or an attacker who is already allowed to run ASP.NET code on a 64-bit IIS (Internet Information Services) server using that access to run arbitrary code.
And finally there is MS10-075, which is rated “critical” for Windows 7 but only “important” for Vista. It fixes a hole in the Microsoft Windows Media Player Network Sharing Service that could allow an attacker to compromise a system by sending a malicious RTSP (real-time streaming protocol) packet to an affected system.
BTW, the previous record for vulnerabilities fixed was 34, set in October 2009 and matched again in June and August of 2010.
News: http://www.infosecurity-magazine.com/view/13135/smes-data-exposed-to-partners-and-fraudsters/
A survey of 1200 UK SMEs, carried out by online back-up supplier Mozy, revealed that 80% had never checked if the companies they work with secure their data. A significant 56% carry out no checks at all, according to the survey.
Information passed on to partners, such as IT service providers, might include financial information and customer databases, for example.
Mozy said 60% of SMEs that suffer major losses and do not have back-up could go under within 48 hours.
News: http://www.nytimes.com/2010/10/06/business/global/06bank.html
When a French court sentenced Jerome Kerviel, the former Societe Generale trader, to three years in prison and ordered him to repay €4.9 billion in restitution to the bank, the collective gasp from the courtroom clearly signaled that the question of who bears responsibility for banks’ aggressive risk-taking in the build-up to the global financial crisis is far from resolved.
The verdict, legal experts said, has once again laid bare the deep distrust among the French public of its elites and its financial institutions — a suspicion that has only strengthened in the years since the U.S. subprime mortgage crisis brought about the multibillion-dollar bailouts of many of the world’s leading financial lights.
“It really does hold him solely responsible, which is probably the most debatable part of the decision,” said Christopher Mesnooh, an international lawyer with Field Fisher Waterhouse in Paris. “The message from the court is that Societe Generale — a leading jewel of the French banking sector — did not act irresponsibly, but was the victim of a rogue trader.”
Mr. Kerviel, 33, whose €50 billion, or $69 billion at current exchange rates, in rogue dealings almost brought about the French bank’s demise, was convicted on all counts of breach of trust, forgery and unauthorized use of computer systems. The court sentenced him to five years, with two suspended, and barred him for life from working in financial services.
Tool: http://code.google.com/p/inspathx/
A tool that uses a local source tree to make requests to a target URL and searches the responses for path-inclusion error messages. Full path disclosure has long been a common problem in PHP web applications, one we keep seeing year after year; the hope is that with this tool such flaws no longer slip through.
- First, download the archived source of the open-source application you want to test.
- Second, extract it.
- Third, feed its path to inspathx.
inspathx accepts the following arguments:
- -d or --dir: the source directory (of the application)
- -u or --url: the target base URL (like http://victim.com)
- -t or --threads: the number of threads to run concurrently (default is 10)
You can download inspathx via SVN here:
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only
http://www.owasp.org/index.php/Full_Path_Disclosure
http://projects.webappsec.org/Information-Leakage
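As an added example (not part of inspathx or these show notes), here is the defender’s side of the same problem: a small detector for the PHP error lines inspathx hunts for, meant to be run over your own application’s responses or captured bodies so leaking pages can be found and fixed before someone else finds them. The sample responses are constructed, and the php.ini directives named in the comments (display_errors, log_errors) are real PHP settings.

```python
import re

# PHP's default error output ends in " in <path> on line <N>"; that tail is what turns
# an ordinary notice into a full path disclosure. With html_errors=On the pieces are
# wrapped in <b> tags, so those are optional here. Unix and Windows paths both match.
_PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:\s*"
    r"(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)\S+?)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)(?:</b>)?"
)

def find_path_disclosures(body: str) -> list[dict]:
    """Return one record per PHP error in an HTTP response body that leaks an absolute path."""
    return [
        {"level": m["level"], "message": m["msg"], "path": m["path"], "line": int(m["line"])}
        for m in _PHP_ERROR_RE.finditer(body)
    ]

def leaked_directories(records: list[dict]) -> set[str]:
    """Distinct directories exposed by the records, i.e. the install layout the page gives away."""
    return {re.sub(r"[\\/][^\\/]+$", "", r["path"]) for r in records}

# Constructed sample responses (not captured from any real site).
# 1. display_errors=On with html_errors=On, as shipped in php.ini-development.
HTML_ERRORS_BODY = (
    "<br />\n<b>Warning</b>:  include(config/db.php): failed to open stream: "
    "No such file or directory in <b>/var/www/html/app/index.php</b> on line <b>12</b><br />\n"
    "<br />\n<b>Warning</b>:  include(): Failed opening 'config/db.php' for inclusion "
    "(include_path='.:/usr/share/php') in <b>/var/www/html/app/index.php</b> on line <b>12</b><br />\n"
    "<html><body>Welcome</body></html>\n"
)
# 2. Plain-text variant (html_errors=Off) from a Windows/IIS host.
PLAIN_ERROR_BODY = (
    "Fatal error: require_once(): Failed opening required 'lib/auth.php' "
    "in C:\\inetpub\\wwwroot\\shop\\init.php on line 3\n"
)
# 3. Hardened server: display_errors=Off and log_errors=On in php.ini, so the visitor
#    gets a generic error page and the path goes only to the server-side error log.
CLEAN_BODY = "<html><body><h1>Something went wrong</h1><p>Reference id: req-0001</p></body></html>\n"

if __name__ == "__main__":
    for name, body in (("html_errors", HTML_ERRORS_BODY), ("plain", PLAIN_ERROR_BODY), ("hardened", CLEAN_BODY)):
        found = find_path_disclosures(body)
        print(f"{name}: {len(found)} disclosure(s), directories {sorted(leaked_directories(found))}")
```

A substring check such as looking for "/var/www" misses Windows hosts and non-default roots; anchoring on the PHP message structure catches the leak wherever the application happens to be installed.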
News: http://www.csoonline.com/article/624180/oracle-database-admins-acknowledge-security-gaps?source=rss_data_protection
Keith: This one just plain baffles me…
Database security is rife with pitfalls, according to 430 Oracle database administrators surveyed by the Independent Oracle Users Group.
According to the results of the survey released last month, fewer than 30% encrypt personally identifiable information in all their databases, while about 75% acknowledge their organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in their databases.