ISDPodcast Episode 188 for August 9, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Karthik Rangarajan. In this episode we will discuss ZDI, Google Accounts & VxWorks.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes to reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com Use the Discount Code: isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69), until Sept. 1st. This discount will expire on that date.
DerbyCon 2011
- Louisville, KY September 29th – October 2nd – Details coming soon (http://www.derbycon.com)
Conference:
- We are currently working on a one-day Security Conference where the proceeds will go towards Matthew’s wife and children. We are narrowing down the dates, but certainly welcome any volunteers, donations, swag, etc. As this continues to develop we will certainly keep you informed.
- We also have donate buttons on the isdpodcast website if you would like to make a donation to the Matthew Shoemaker Memorial Fund. Anything you can spare would certainly be appreciated.
Stories of Interest:
News Item 1: http://www.zdnet.com/blog/security/new-vulnerability-disclosure-deadline-puts-pressure-on-tardy-software-vendors/7044
[Notes: Rick - What a concept! This is actually something that has been a long time in coming. The notion that vendors can have an unlimited or undefined time to resolve identified vulnerabilities is rather perplexing when one considers that almost all regulatory requirements mandate resolution within a time frame. Defining that time frame only makes sense.
Keith - US-CERT - 45 day deadline from reporting to CERT by third party till notification is released to the general public, I still prefer their timeline =)]
TippingPoint’s Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors. TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.
According to Aaron Portnoy there are about 31 outstanding issues that are more than a year old. According to ZDI’s public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding. Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors. There are about 90 vulnerabilities in TippingPoint’s queue that are more than six months old.
ZDI won’t be releasing full technical details of the flaws or proof-of-concept/exploit code. Once the deadline expires, ZDI plans to publish a limited advisory with details about the vulnerability and affected software to help the defensive/security community come up with applicable mitigations.
News Item 2: http://news.cnet.com/8301-27076_3-20012551-248.html?part=rss&subj=news&tag=2547-1_3-0-20
[Notes: Rick - This is finally available on all of my Google accounts.]
As posted on the Google Operating System blog, Google is in the process of rolling out a new feature that lets users cycle through up to three of their registered Google accounts without having to re-identify their credentials. Even better, they’ll be able to switch from one to another with a simple drop down menu.
The feature requires opting in from a user’s Google account management page. Once enabled, it provides quick account switching in Gmail, Calendar, Reader, Code, and Google’s Sites products through a drop-down menu that sits in the top right-hand corner of compatible Google sites. This lets users keep multiple instances of something like Gmail open without the older page reverting to the more recently signed-in account. Two notable Google services that don’t yet work with the feature are Google Docs and Wave. Users trying out the feature also have to give up the offline features in Gmail and Calendar.
News Item 3: http://www.eweek.com/c/a/Security/VxWorks-Vulnerabilities-Impact-Numerous-Vendors-517048
[Notes: Rick - Having used VxWorks in the past beyond those old Cisco AP 350's, this is really something huge. I find it strange that Wind River didn't respond until CERT got involved.]
Two critical security bugs have been uncovered in the VxWorks operating system powering products from Apple, Nokia and numerous other vendors.
VxWorks is developed by Wind River Systems, now owned by Intel. Designed for use in embedded systems, VxWorks is a real-time operating system used to power a wide range of devices, including printers, fibre-channel switches and other products. A list of affected vendors that have issued updates can be found in CERT advisories here and here.
The first vulnerability is found in the VxWorks debug service (WDB Agent). This service runs over UDP port 17185 and allows complete access to the device, including the ability to manipulate memory, steal data, and ultimately hijack the entire operating system. This service was inadvertently left exposed by over 100 different vendors and affects at least 250,000 devices sitting on the internet today. You might want to throw up some ACLs for UDP 17185 until you have a chance to assess each of your networks and verify that none of your devices suffer from this issue.
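One way to build the list of devices to assess from flow records you already collect, as an added example that is not part of the original show notes. The CSV column order, the internal address ranges and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

WDB_PORT = 17185  # UDP port of the VxWorks WDB agent, as given above
# Assumption: the address ranges treated as "our network" in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Triage labels, most serious first.
SEVERITY = ["answering-external", "answering-internal",
            "probed-external", "probed-internal"]

# Constructed sample flow export: time,proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
2010-08-09T01:00:00Z,udp,198.51.100.7,40112,10.1.4.20,17185,64
2010-08-09T01:00:00Z,udp,10.1.4.20,17185,198.51.100.7,40112,412
2010-08-09T01:02:10Z,udp,10.1.9.5,53311,10.1.4.33,17185,64
2010-08-09T01:03:00Z,tcp,203.0.113.9,51000,10.1.4.20,17185,60
2010-08-09T01:04:30Z,udp,203.0.113.9,33000,192.168.7.2,17185,64
2010-08-09T01:05:00Z,udp,10.1.9.5,17185,10.1.9.1,53,80
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_wdb(flow_text):
    """Map each internal device that received UDP/17185 traffic to a triage label."""
    rows = [r for r in csv.reader(io.StringIO(flow_text)) if r and r[1].lower() == "udp"]
    # Pass 1: datagrams addressed to UDP 17185 on an internal device.
    requests = {(src, int(sport), dst) for _, _, src, sport, dst, dport, _ in rows
                if int(dport) == WDB_PORT and is_internal(dst)}
    # Pass 2: a reply only counts if it mirrors a request, so a client that
    # merely picked 17185 as its source port is not reported.
    replies = {(dst, int(dport), src) for _, _, src, sport, dst, dport, _ in rows
               if int(sport) == WDB_PORT} & requests
    report = {}
    for peer, port, device in sorted(requests):
        answered = (peer, port, device) in replies
        external = not is_internal(peer)
        label = (("answering-" if answered else "probed-")
                 + ("external" if external else "internal"))
        # Keep the most serious label seen for the device.
        report[device] = min(report.get(device, label), label, key=SEVERITY.index)
    return report

if __name__ == "__main__":
    for device, label in audit_wdb(SAMPLE_FLOWS).items():
        print(device, label)
```

A device labelled "answering-external" replied on the debug port to an address outside the listed ranges, so it goes to the top of the assessment list and in front of the ACL.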
The second vulnerability is due to a weak password hashing implementation in the VxWorks operating system. Any device that uses the built-in authentication library to handle Telnet and FTP authentication can be compromised. The flaw occurs because there are only 210,000 possible hash outputs for all possible passwords. An attacker with a known username and access to a service such as Telnet or FTP that uses the standard authentication API can brute-force the password in a relatively short period of time. Like the debug service flaw, the core problem exists in the VxWorks software itself.






