Your daily source of Pwnage, Policy and Politics.


Episode 40


InfoSec Podcast Episode 40 for January 6, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to http://www.sans.org/atlanta-cs-events-2010/?utm_source=web-sans&utm_medium=banner&utm_content=Featured_Community_SANS_atlanta-2010-cs_events&utm_campaign=Community_SANS_Atlanta_2010&ref=52093 or call (301) 654-SANS(7267).

Vulnerabilities of Interest:

  1. Novell NetWare CIFS and AFP are subject to a remote memory-consumption denial-of-service vulnerability. The CIFS and AFP services exhaust memory when they receive large numbers of malformed, arbitrary requests. Sending crafted requests to these services consumes all available memory, causes multiple abends and finally crashes the whole server; this can take anywhere from a couple of minutes to hours, depending on the memory available on the server. CIFS.nlm Semantic Agent (Build 163 MP)
     Version 3.27 and AFPTCP.nlm Build 163 SP Version 3.27 are affected. PoC code is available.
  2. Multiple vulnerabilities were found in PHP, the worst of which leads to the remote execution of arbitrary code. All PHP users should upgrade to the latest version. Because PHP is
     statically linked against a vulnerable version of the c-client library when the imap or kolab USE flag is enabled, users should upgrade net-libs/c-client beforehand.
  3. LineWeb is prone to multiple remote vulnerabilities, including multiple local file-include vulnerabilities, a SQL-injection vulnerability, and a security-bypass vulnerability. An attacker can exploit these issues to execute arbitrary local files within the context of the webserver process, obtain sensitive information, compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. LineWeb 1.0.5 is vulnerable; other versions may also be affected. Example URLs:
     http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=index.php?op=../../../../../../../etc/passwd%00
     http://www.example.com/Lineage ACM/lineweb_1.0.5/index.php?op=index.php?op=../../../../../../../etc/passwd%00
     http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27

News Items of Interest:

News item 1: http://www.net-security.org/secworld.php?id=8670
The Denim Group has announced its guidance on the top application security trends for 2010.

1. Web mashup applications will result in new attack vectors
Web applications integrating data and functionality from multiple systems are becoming increasingly more common. Unfortunately, threat models for these “mashup” applications are rarely performed, and when they are, they are rarely understood. The accelerated pace of change for software security is moving much faster than the security practitioners’ ability to provide meaningful guidance to application development teams.

2. New data breaches will force organizations to focus on internal applications as well as external
Most organizations incorrectly assume they only need to worry about external security, but publicly revealed data breaches of internal applications have shown that an internal network is no longer a safe haven. In 2009, known breaches caused by malicious insiders resulted in the compromise of over 1.5 million records, according to DataLossDB.org. What is not known is the extent of incidents that were concealed or went unreported.

3. Adoption of HTML 5 and other new technologies will cause developers to inadvertently build vulnerable applications
HTML 5 has a variety of new capabilities that can erode previously established security controls. While developers are building more ambitious applications using these new capabilities, many development teams will not consider the security risks of exposing HTML 5-based web applications until after their deployment.

4. Resurgence of risk management
Many organizations have postponed spending on software security during the recession at a potentially huge cost.  As the economy improves, organizations will refocus on risk management rather than merely meeting compliance requirements.

5. Organizations will finally start asking, “How are we going to fix these vulnerabilities?”
Security teams will shift their focus from finding vulnerabilities to working with development teams and actually fixing them. Forward-thinking organizations will treat application vulnerabilities as software defects and will leverage existing software development and maintenance practices within the organization in order to resolve security vulnerabilities.

6. Security and development teams will have increasing interactions
Increasing dialogue between security and application development teams will lead to improved decision-making, which incorporates risk management and understanding of the overall value of the enterprise.

7. Organizations will move beyond scan-only approaches to application security
Initial approaches to application security were often solely focused on automated scans of applications or code to identify technical vulnerabilities. However, targeted attackers are shifting their focus to business logic attacks on applications, and leading organizations will start to incorporate more manual testing and code reviews in order to respond to these new realities.

8. The application security market will continue consolidating
Further consolidation of product vendors will provide product suites with a more comprehensive range of capabilities and consistent approach. Global system integrators will identify software security as a gap in their services and will try to solve the problem through acquisition.

9. Organizations deploying web application firewalls will increasingly use them for virtual patching
Virtual patching involves creating targeted rules for a web application firewall based on specific known vulnerabilities. Organizations will increase their use of this practice to provide interim protection while code-level fixes are implemented.

10. Application security metrics will provide a foundation for decision-making
As enterprises increase the sophistication of their application security programs, standard metrics will evolve for costs for finding and resolving vulnerabilities as well as time frames required to fix vulnerabilities. Forward-looking firms in more mature industries will begin sharing anonymized data to support benchmarking efforts.

News item 2: http://isc.sans.org/diary.html?storyid=7867
SANS is reporting a new attack against the previously reported Adobe doc.media.newPlayer vulnerability. The exploit is similar to most other exploits: it uses heap spraying in order to redirect execution to shellcode. The NOP sled in this case consists of SBB AL,0x1C and SBB AL,0x0C instructions, which do nothing useful (SBB is Subtract with Borrow from the register AL, so the sled keeps subtracting values from AL until execution reaches the shellcode).
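Added here as a detection-oriented illustration (not code from the ISC diary or from the podcast): a scanner that measures the longest run of instructions that are either a one-byte NOP or SBB AL,imm8, the sled pattern the diary describes. The opcode 0x1C for SBB AL,imm8 is standard x86; the sample buffer and the threshold of 32 instructions are constructed assumptions. Any other x86 sequence that leaves execution intact can serve as a sled, so this catches only the reported variant; general-purpose tooling disassembles or emulates the sprayed data instead.

```python
"""Heuristic scanner for NOP / SBB AL,imm8 sleds in a byte buffer (added example)."""

SBB_AL_IMM8 = 0x1C   # x86 opcode: SBB AL, imm8 (two bytes: 1C ib)
NOP = 0x90           # classic one-byte NOP

# Constructed sample: 10 bytes of padding, then 50 copies of the four-byte
# pattern "SBB AL,0x1C ; SBB AL,0x0C" (100 instructions), then an INT3 byte
# and some unrelated bytes standing in for whatever follows the sled.
SAMPLE = b"\x00" * 10 + b"\x1c\x1c\x1c\x0c" * 50 + b"\xcc" + b"\x41" * 20


def longest_sled(buf):
    """Return (offset, instruction_count) of the longest run of NOP or
    SBB AL,imm8 instructions. Decoding is linear from every start offset
    because a 0x1C consumes its immediate byte, so alignment matters."""
    best_offset, best_count = 0, 0
    for start in range(len(buf)):
        j, count = start, 0
        while j < len(buf):
            if buf[j] == NOP:
                j += 1
            elif buf[j] == SBB_AL_IMM8 and j + 1 < len(buf):
                j += 2
            else:
                break
            count += 1
        if count > best_count:
            best_offset, best_count = start, count
    return best_offset, best_count


def looks_like_sled(buf, min_instructions=32):
    """Flag a buffer when its longest sled run reaches the threshold."""
    return longest_sled(buf)[1] >= min_instructions


if __name__ == "__main__":
    offset, count = longest_sled(SAMPLE)
    print(f"longest sled: {count} instructions at offset {offset}; "
          f"suspicious={looks_like_sled(SAMPLE)}")
```

The quadratic scan is deliberate: starting from every offset avoids missing a run that only decodes cleanly from a later alignment, which is acceptable for the small slabs one inspects in a PDF or heap-spray sample.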

News item 3: http://www.csoonline.com/article/512613/Secure_USB_Drives_Not_So_Secure?source=rss_news
So did you hear about the “secure” USB drives not being so secure?

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.

When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has jumped in with a similar warning, probably because their drives utilize the same code from SanDisk. Kingston’s alert informs customers that “a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained” on the drives. The company has issued a recall on the devices and urged customers to return them. A warning has also been issued by USB vendor Verbatim.

News item 4: http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) server whereby all types of SEP definition content [AV/AS, IPS] with a date greater than December 31, 2009 11:59pm are considered to be “out of date”.

Customers running SEP are still protected, and we are continuing to release updated definitions as normal.  However, for the time being, SEP definitions will display a date of December 31, 2009, with increasing revision numbers.

Symantec is working on a solution and will update customers when a solution becomes available.

Impacted Products:

  • Symantec Endpoint Protection v11.x Product Line
  • Symantec Endpoint Protection Small Business Edition v12.x Product Line

For those customers also running NAC who have Host Integrity configured to check their clients definitions, this issue will cause the HI check to fail.  The following options are available to you:

  • To more accurately, for now, report on SEP clients that are genuinely behind on AV/AS defs, statically set the min allowed def date to be 30/12, so anything older than this fails HI.
  • Disable the HI check on definition date
  • For the specific AV/AS definition date check, you could temporarily check the box to “allow HI to pass even if it fails”, so you can still log and report centrally on HI results

News item 5: http://spamassassin.apache.org/

Versions of the FH_DATE_PAST_20XX rule released with Apache SpamAssassin 3.2.0 through 3.2.5 will trigger on most mail with a Date header that includes the year 2010 or later. The rule adds a score of up to 3.6 towards the spam classification of all such email. You should take corrective action immediately; there are two easy ways to correct the problem. Review your SpamAssassin rules: the FH_DATE_PAST_20XX rule marks 2010 mail as spam with approximately 3.6 points, and the following workarounds are possible.

1. In the file /usr/share/spamassassin/72_active.cf, replace:

header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]

with:

header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]

2. Or set the score of this rule to 0 in /usr/share/spamassassin/50_scores.cf by replacing:

score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2

with:

score FH_DATE_PAST_20XX 0
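To show exactly why the rule fires on 2010 mail and what each of the two workarounds changes, here is an added, minimal evaluator for SpamAssassin `header` and `score` lines. It is not SpamAssassin's own code: it handles only the `header NAME Header =~ /regex/` form with an optional `[if-unset: X]`, plus `score` lines, and the Date headers it is run over are constructed samples.

```python
"""Minimal evaluator for SpamAssassin 'header' and 'score' rule lines (added example)."""
import re

HEADER_RE = re.compile(
    r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*(?:\[if-unset:\s*(.*?)\])?\s*$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")

# The rule as shipped, the regex fix, and the score-zero fix (same lines as the advisory).
ORIGINAL = """
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2
"""
FIXED_REGEX = ORIGINAL.replace("/20[1-9][0-9]/", "/20[2-9][0-9]/")
ZERO_SCORE = """
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
score FH_DATE_PAST_20XX 0
"""


def parse_rules(cf_text):
    """Return ({name: (header, compiled_regex, if_unset)}, {name: [4 scores]})."""
    rules, scores = {}, {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            name, header, pattern, flags, unset = m.groups()
            rules[name] = (header, re.compile(pattern, re.I if "i" in flags else 0), unset)
            continue
        m = SCORE_RE.match(line)
        if m:
            values = [float(v) for v in m.group(2).split()]
            # one value applies to all four score sets; four values map to sets 0-3
            scores[m.group(1)] = values * 4 if len(values) == 1 else values
    return rules, scores


def score_message(headers, rules, scores, score_set=3):
    """score_set follows SpamAssassin's convention: 0 = no network tests and
    no Bayes, 1 = network tests, 2 = Bayes, 3 = both. A rule with no score
    line counts 1.0; a score of 0 disables the rule."""
    total, hits = 0.0, []
    for name, (header, pattern, unset) in rules.items():
        value = headers.get(header, unset if unset is not None else "")
        if pattern.search(value):
            points = scores.get(name, [1.0] * 4)[score_set]
            if points == 0:
                continue
            total += points
            hits.append((name, points))
    return round(total, 3), hits


# Constructed Date headers: one from 2010 (hits the shipped rule) and one from 2009.
MAIL_2010 = {"Date": "Wed, 06 Jan 2010 09:00:00 -0500"}
MAIL_2009 = {"Date": "Thu, 31 Dec 2009 09:00:00 -0500"}

if __name__ == "__main__":
    for label, cf in (("shipped", ORIGINAL), ("regex fix", FIXED_REGEX), ("score 0", ZERO_SCORE)):
        print(label, score_message(MAIL_2010, *parse_rules(cf)))
```

The four-value score line is why the advisory says "up to 3.6": the highest of the four sets is 3.554. Whichever workaround you pick, putting `score FH_DATE_PAST_20XX 0` in local.cf rather than editing the files under /usr/share/spamassassin means the override survives a rule update or package upgrade that rewrites those files.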

News item 6:  http://www.wired.com/gadgetlab/2010/01/windows-mobile-bug-dates-messages-from-2016/

It appears that Symantec is not the only company experiencing issues with the year 2010. Microsoft is also reporting Y2.10k issues with Windows Mobile versions 6.1 and 6.5. Text messages received on those devices are being erroneously dated as 2016.

Windows Mobile users are facing an unexpected New Year’s surprise. A software bug has struck smartphones running the Microsoft operating system so all messages received starting January 1 are dated 2016. Phones running versions 6.1 or 6.5 of Windows Mobile are reportedly affected. Microsoft and the handset makers haven’t responded yet with a fix for the bug. We are still waiting for a comment from the company.

News item 7: http://www.theregister.co.uk/2010/01/04/bank_queensland/
Bank of Queensland in Australia has been declining debit cards because its point-of-sale machines believe it is 2016 and thus past the cards' expiration dates. The bank has provided a code for merchants to punch into their point-of-sale machines, which tells the system to ignore the date. Others are using old hand-operated carbon-paper machines to record transactions. Bank of Queensland today said it is still investigating the cause of the problems with its EFTPOS system. Other Australian banks that use the same processing network have not been affected.

News item 8: http://projects.webappsec.org/Threat-Classification
The Web Application Security Consortium (WASC) is pleased to announce the long-awaited release of the WASC Threat Classification v2.0. The Threat Classification is an effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users. This document's primary purpose is to serve as a reference guide for common attacks and weaknesses.

Main goals
- Refine document scope, terminology, and purpose
- Update existing sections when applicable
- Add missing attacks and weaknesses
- Creation of a firm, scalable base foundation allowing for the introduction of data views allowing for various forms of data representation
- Addition of attack and weakness reference identifiers (WASC-<xx>)
- Publication of two data views

WASC Threat Classification v2.0 Online
http://projects.webappsec.org/Threat-Classification

News item 9:
Intel just released updated drivers for their Ethernet network adapters (http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=17906&ProdId=3025&lang=eng and http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=18518&ProdId=3025&lang=eng). Unfortunately, ALL these driver packages contain an outdated and unsupported “Microsoft Visual C++ 2008 Runtime”, repackaged as VC90_CRT_{x86,ia64,x64}.msi in violation of Microsoft's redistribution rules, which installs VULNERABLE runtime DLLs (http://support.microsoft.com/kb/973551, http://support.microsoft.com/kb/973552 and http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx).

News item 10: http://news.cnet.com/8301-27080_3-10424759-245.html
Elinor Mills over at CNET has a good article on “Using your smartphone safely”. She has the article posted in an FAQ format, and it has some interesting notes.
What’s the biggest security threat to my mobile phone?
Losing it.
Can mobile phones get viruses?
Yes. Mobile viruses, worms and Trojans have been around for years.
What are other types of attacks?
Just like with computer users, smartphone users are vulnerable to e-mail and Web-based attacks like phishing and other social-engineering efforts.
Is it safe to use Wi-Fi and Bluetooth?
Yes and no. If you are doing something sensitive on your phone, like checking a bank account or making a payment, don’t use the free Wi-Fi at a coffee shop or other access point. Use your password-protected Wi-Fi at home or the cellular networks.

Which is safer: the iPhone or Android?
Apple vets all the apps that are used on the iPhone, and that tight regulation of the Apps store has kept users safe from malicious apps so far. Nothing is foolproof, however. Once apps are approved they can do any number of things. For instance, Apple removed free games in November developed by Storm8 that were found to be collecting users’ phone numbers.

From an architecture standpoint, Android offers more granular access control. But the open-source nature of the Android platform means apps aren’t as controlled as they are on the iPhone and holes can be introduced by any number of parties.
Are standard mobile phones safe?
Obviously regular mobile phones don't pose the Web-based threats that smartphones do. But they are still used to store sensitive information that can be accessed by gaining access to the device. For instance, the inbox and outbox for text messages can contain information that can be used for identity fraud.

Technical Segment:
DeepToad is a tool for computing fuzzy hashes of files. DeepToad can generate signatures, cluster files and/or directories, and compare them. It is supposedly inspired by the tool ssdeep and, in fact, both projects are very similar. The complete project is written in pure Python and is distributed under the LGPL license.

Links:
Project’s Web Page http://code.google.com/p/deeptoad/
Download Web Page http://code.google.com/p/deeptoad/downloads/list
Wiki http://code.google.com/p/deeptoad/w/list

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.