InfoSec Podcast Episode 39 for January 5, 2010. This podcast is our contribution back to the community, in which we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you with a few laughs and a little knowledge.
Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.
Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.
Community SANS Atlanta 2010 Spring Schedule has been posted.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Register online at http://www.sans.org/atlanta-cs-events-2010/?utm_source=web-sans&utm_medium=banner&utm_content=Featured_Community_SANS_atlanta-2010-cs_events&utm_campaign=Community_SANS_Atlanta_2010&ref=52093
or call (301) 654-SANS(7267).
Vulnerabilities of Interest:
- Kayako eSupport is subject to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. eSupport 3.04.10 is vulnerable; other versions may also be affected. Attackers can use a browser to exploit this issue.
- NetworkManager is subject to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to obtain sensitive information or entice a user to connect to a network without certificate verification. NetworkManager 0.7.2 is vulnerable; other versions may also be affected. Attackers can use readily available tools to exploit these issues.
- The ‘httpdx’ application is subject to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view the source code of files in the context of the server process. This may aid in further attacks. This issue affects httpdx 1.5; other versions may be vulnerable as well. Example URL: http://www.example.com/file.php%20
- BLOG:CMS is subject to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to control how the site is rendered to the user. Versions prior to BLOG:CMS 4.2.1e are vulnerable. An attacker can exploit this issue through a browser.
- The BF Survey Pro component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL: http://www.example.com/index.php?option=com_bfsurvey&controller=../../../../../../../../../../etc/passwd%00
- LXR Cross Referencer is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. LXR Cross Referencer 0.9.5 and 0.9.6 are affected; other versions may also be vulnerable. Example URL: http://www.example.com/lxr/ident?i=<script>alert('XSS')</script>
- BigAnt IM Server is subject to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute code with the privileges of the user running the server. Failed exploit attempts will result in a denial-of-service condition. BigAnt IM Server 2.52 is vulnerable; other versions may also be affected.
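As an added defensive example (not from the podcast or from any of the vendors listed above), a small Python scanner that flags the three request shapes shown in the example URLs: the null-byte path traversal, the trailing-space source disclosure, and a script tag in a query parameter. The log lines are constructed for the example; the function and label names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, modelled on the example URLs above.
SAMPLE_REQUESTS = [
    "GET /index.php?option=com_bfsurvey&controller=../../../../../../../../../../etc/passwd%00 HTTP/1.1",
    "GET /file.php%20 HTTP/1.1",
    "GET /lxr/ident?i=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1",
    "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1",
]

TRAVERSAL = re.compile(r"\.\.[/\\]")              # ../ or ..\ segments
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
TRAILING_WS_EXT = re.compile(r"\.\w+\s+$")        # ".php " style extension bypass


def classify_request(request_line):
    """Return the list of finding labels for one access-log request line.

    The request target is percent-decoded twice so that double-encoded
    payloads (e.g. %252e%252e%252f) are caught by the same patterns.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    decoded = unquote(unquote(parts[1]))
    # Split path from query by hand; a stdlib URL parser might normalise
    # away the very bytes (NUL, trailing space) we want to see.
    path, _, _query = decoded.partition("?")

    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")
    if TRAVERSAL.search(decoded):
        findings.append("path-traversal")
    if TRAILING_WS_EXT.search(path):
        findings.append("trailing-whitespace-ext")
    if SCRIPT_TAG.search(decoded):
        findings.append("script-injection")
    return findings


def scan_requests(lines):
    """Return (line, findings) for every line that triggered at least one label."""
    return [(line, f) for line in lines if (f := classify_request(line))]


if __name__ == "__main__":
    for line, findings in scan_requests(SAMPLE_REQUESTS):
        print(", ".join(findings), "<-", line)
```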
News item 1: http://www.eweek.com/c/a/Security/Researcher-Uncovers-Twitter-Google-Calendar-Security-Vulnerabilities-530764/?kc=rss
eWeek has an article about a security researcher who has uncovered vulnerabilities in Twitter and Google Calendar. In a proof of concept, researcher Nir Goldshlager demonstrated cross-site scripting (XSS) vulnerabilities in Google Calendar and Twitter that he said could be used to steal cookies and session IDs. He also uncovered an HTML-injection issue affecting Google Calendar that he said could be used to redirect a victim to an attack site any time the user viewed his or her Google Calendar agenda events.
News item 2: http://www.msnbc.msn.com/id/34611083/ns/technology_and_science-tech_and_gadgets/
Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000.
News item 3: http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20091230/FREE/912309990/1035/TECHNOLOGY
Users of the trade-it-yourself trading site collective2.com received an “urgent” e-mail notifying them that the company’s computer database had been breached by a hacker and that all users should log in to change their passwords immediately. Information accessed by the hacker included names, e-mail addresses, passwords and credit card information.
News item 4: http://www.infoworld.com/d/applications/googles-chrome-grabs-no-3-browser-spot-safari-941?source=rss_infoworld_news
InfoWorld is reporting that Google Chrome grabbed the number three spot in the browser wars from Safari. Google’s Chrome overtook Apple’s Safari to become the world’s third-most popular browser just 16 months after its debut, a Web metrics company said Friday. Internet Explorer (IE), meanwhile, lost almost a full percentage point in December, the latest slip in a decline that accelerated during the second half of 2009.
News item 5: http://www.computerweekly.com/Articles/2010/01/05/239811/Hackers-yet-to-succeed-in-250000-encryption-challenge.htm
Hackers have yet to claim the $250,000 prize offered by Israel-based data encryption firm Gold Lock to anyone who can defeat its technology.
News item 6: http://news.cnet.com/8301-17852_3-10424780-71.html?part=rss&subj=news&tag=2547-1_3-0-20
According to CNET, the No. 1 illegal download in 2009 was the “Kama Sutra.” The Indian manual for so many things sexual managed to beat out another manual of fundamental interest to a pirate’s survival on the tossing tempests of this world: “Adobe Photoshop Secrets.”
At No. 3, we have “The Complete Idiot’s Guide to Amazing Sex.” Followed, with geometric nerdy symmetry, by “The Lost Notebooks of Leonardo da Vinci.” Then, perhaps suggesting an interest in a post baby-making period, we have “Solar House–A Guide for the Solar Designer.”
News item 7: http://news.bbc.co.uk/2/hi/technology/8441080.stm
The BBC is reporting that Facebook has blocked a website from accessing people’s profiles in order to delete their online presence. The site, Web 2.0 Suicide Machine, offers to remove users from Facebook, Twitter, LinkedIn and Myspace. It does not delete their accounts but changes the passwords and removes “friend” connections. Facebook says that by collecting login credentials, the site violates its Statement of Rights and Responsibilities (SRR).
Seppukoo.com, which offers to remove people from Facebook, received a letter from the social network site's lawyers in December 2009. Once they have deleted their friends, Seppukoo clients can choose an image to remain in place of their profile picture as a "memorial". The site is run by a group called Les Liens Invisibles and describes itself as an artistic project. The name Seppukoo is taken from a Japanese ritual form of suicide known as Seppuku.