InfoSec Daily Podcast Episode 665 for May 10, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, and Karthik Rangarajan.
Announcements
GraniteSec (formerly The New England InfoSec Tweetup)
When: May 19, 2012
Where: Veasey Memorial Park, Groveland, MA
http://granitesec.org
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center – Huntington, West Virginia
http://www.appyide.org/
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Hack3rCon^3
When: October 19-21, 2012
Where: Charleston, WV
http://hack3rcon.org/
Skydogcon
When: October 26-28
Where: Hotel Preston in Nashville, TN
http://www.skydogcon.com
Stories
Source: http://www.zdnet.com/blog/security/apple-releases-os-x-lion-1074-fixes-filevault-password-bug/12046
Apple today released the OS X Lion v10.7.4 update, which among other things fixes the FileVault password bug. I broke the news about this security vulnerability over the weekend (see Apple security blunder exposes Lion login passwords in clear text). Here’s the introduction:
An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
Here are the details of Apple’s fix:
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system may obtain account information
Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.
The issue was noted by an Apple user almost three months ago on the Apple Support Communities forum, but nobody got back to him. When security researcher David Emery discovered it as well and posted his findings to the Cryptome mailing list, and then I wrote my report for ZDNet, the story blew up. Apple never got back to my request for comment. Still, the important thing is that the issue has been fixed. In my conclusion, I also wrote this:
Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.
So, patching is not enough. Make sure to change your passwords as well.
The FileVault bug aside, here’s the OS X 10.7.4 changelog:
-
Resolve an issue in which the “Reopen windows when logging back in” setting is always enabled.
-
Improve compatibility with certain British third-party USB keyboards.
-
Addresses permission issues that may be caused if you use the Get Info inspector function “Apply to enclosed items…” on your home directory. For more information, see TS4040.
-
Improve Internet sharing of PPPoE connections.
-
Improve using a proxy auto-configuration (PAC) file.
-
Address an issue that may prevent files from being saved to an SMB server.
-
Improve printing to an SMB print queue.
-
Improve performance when connecting to a WebDAV server.
-
Enable automatic login for NIS accounts.
-
Include RAW image compatibility for additional digital cameras.
-
Improve the reliability of binding and logging into Active Directory accounts.
-
The OS X Lion v10.7.4 Update includes Safari 5.1.6, which contains stability improvements.
…
In the mid-1990s, the emergence of Word macro viruses – capable of infecting both Windows PCs and Apple Macs via Word documents – it was common practice to recommend users avoid sharing .DOC files and use Rich Text Format (.RTF) files instead.
The reasoning was that Rich Text Format didn't support the macro language that Microsoft had embedded inside .DOC files, and so it was a much safer way to share information in the office.
The latest batch of security bulletins issued by Microsoft, however, underline the importance of not thinking that any security advice should be written permanently in stone.
Microsoft has warned Windows and Mac users that they could be at risk from boobytrapped RTF files if they leave their copies of Microsoft Office unpatched:
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In shorthand that means a malicious attacker could send you a poisoned RTF file, and the simple act of you opening it in MS Word on a Windows or Mac computer could allow them to run malicious code. Potentially, for instance, they could open a backdoor that could allow them to gain remote access to your files or install further malware.
…
University officials at UNC Charlotte say they now know exactly what was exposed during an Internet breach earlier this year.
School officials alerted students and staff in mid-February that online security breach hit the Charlotte-based college campus. They discovered the breach in January but told WBTV they waited to inform students until they knew more.
An investigation into the incident shows that financial account numbers and approximately 350,000 social security numbers were included among the exposed data.
The exposure has been remediated, officials say, and the University is acting to alert people who may have been affected by this exposure. University staff discovered the exposure.
"I think that's really scary. It makes me feel unsafe to think my information could be out there and that somebody could take my credit and do what they want to with my social security," said student Jennifer Affinito.
Due to a system misconfiguration and incorrect access settings, a large amount of electronic data hosted by the University was accessible from the Internet.
There were two exposure issues, one affecting general university systems over a period of approximately three months, and another affecting the University's College of Engineering systems over a period exceeding a decade.
The University has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime.
The exposed data involved people connected to the University, and included names, addresses, social security numbers, and/or financial account information provided in association with transactions with the University.
"We're still investigating as to how it came to be," said Stephen Ward, a spokesman with UNCC.
The University involved state and federal regulatory and law enforcement agencies to assist in determining how to proceed, and acted upon their advice. The University continues to monitor the situation carefully and has increased its internal review procedures to watch for any unusual activity.
The university created a website where it will post information and have setup a phone hotline at 855-205-6937 (toll-free).
…
Source: http://threatpost.com.mx/en_us/blogs/dutch-government-asks-87-reimburse-diginotar-debacle-050912
The Dutch government has asked DigiNotar, the Dutch certificate authority that was broken into last summer, for €8.7 million ($11M USD) to recoup money it spent buying new certificates, according to several Dutch news reports. The Dutch interior ministry asked for €1 million in January, yet the number “has now risen to €8.7 million,” according to the company’s curator Rocco Mulder in an interview with Dutch news site nu.nl.
Mulder stressed however that there’s very little of the company left to seize after it was forced to declare bankruptcy late last fall. Diginotar ceased operations, suspended its certificate business and since then, has been managed by a court-appointed trustee and bankruptcy judge.
Mulder argues that it was the decision of the Independent Post and Telecommunications Authority of the Netherlands (OPTA) that led to the downfall of Diginotar. Mulder claims OPTA acted too fast in suspending the company’s certificates and was heavily swayed by Fox-IT, a consultancy whose audit report on Diginotar detailed the attack and its effects.
Diginotar first made headlines in August after it had falsely issued an SSL certificate for Google to a third party. Additional forged certificates for Mozilla, Yahoo, WordPress and the Tor Project later surfaced, making it clear the authority had been breached earlier that summer.
Diginotar’s parent company, VASCO Data Security International, eventually admitted its CA infrastructure had been compromised that July and the company halted issuing SSL certificates soon after.
…
Source: http://www.esecurityplanet.com/hackers/teen-teamp0ison-hacker-arrested-in-uk.html
Police have arrested a 17-year-old suspected spokesman for Team Poison, a hacking group that has claimed responsibility for a series of high-profile cyber-attacks.
The boy was arrested on Wednesday in Newcastle in connection with alleged computer misuse offences, London's Metropolitan Police said.
"The suspect, who is believed to use the online 'nic' (nickname) 'MLT', is allegedly a member of and spokesperson for TeaMp0isoN ('TeamPoison')," Scotland Yard said in a statement.
"He has been taken to a local police station for interview. Computer equipment has been seized and is undergoing a detailed forensic examination."
Team Poison, believed to be behind cyber-attacks on Facebook founder Mark Zuckerberg and the Facebook page of outgoing French President Nicolas Sarkozy, "has claimed responsibility for more than 1,400 offences", the statement added.
These offences include "denial of service and network intrusions where personal and private information has been illegally extracted from victims in the UK and around the world," police said.
Scotland Yard itself came under attack from Team Poison last month, when the group uploaded a four-minute recording of conversations between staff manning Britain's confidential anti-terrorist hotline to YouTube.
Police admitted the recordings were genuine, but insisted they were not obtained through hacking and that their internal communication systems were secure.
…
[end]
