Your daily source of Pwnage, Policy and Politics.


Episode 463 – Kernel.org, SW Galaxies, Ex-Anon, Apache Squash, Facebook Bounty & TouchPad Resurrection

InfoSec Daily Podcast Episode 463 for August 31, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, Boris Sverdlik, Geordy Rostad, Matthew Romanek, and Varun Sharma.

Announcements:

OWASP NY/NJ
When: Sept 8, 2011
Where: New York City, NY
https://www.owasp.org/index.php/NYNJMetro#tab=SEPTEMBER_MEETINGS

Nashville Infosec
When: Sept 15, 2011
Where: Nashville, TN
http://www.technologycouncil.com/connect/infosec-2011/

Wim Remes ISC2 Official Petition
When: Deadline September 19, 2011
What:  CISSP’s can send their e-mail address registered with NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to wim@remes-it.be.
http://blog.remes-it.be/petition.html

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

Louisville Infosec
When: September 29th
Where: Louisville, KY
http://louisvilleinfosec.com/
If you registered for DerbyCon and want to attend Louisville Infosec the day before, email chair (at) LouisvilleInfoSec.com for a $50-off discount code.

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
CFP Open Now!

Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info

2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://pastebin.com/BKcmMd47

As you can guess from the subject line, I've not had what many would consider a "good" day. Earlier today I discovered a trojan existing on HPA's personal colo machine, as well as hera. Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential precursors on demeter2, zeus1 and zeus2, that have been hit by this.

As it stands right now, HPA is working on cleaning his box, and I'm working on hera (odin1 and zeus1 are out of rotation still for other reasons), mainly so that if one of us finds something of interest, we can deal with it and compare notes on the other box.

Points of interest:

- Break-in seems to have initially occurred no later than August 12th.

- Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live. These have been uninstalled and removed, all processes were killed and known good copies were reinstalled. That said, all users may wish to consider taking this opportunity to change their passwords and update ssh keys (particularly if you had an ssh private key on hera). This seems to have occurred on or around August 19th.

- A trojan startup file was added to rc3.d.

- User interactions were logged, as well as some exploit code. We have retained this for now.

- Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; these have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If you see this, and you don't have Xnest installed, please investigate.

- It *appears* that 3.1-rc2 might have blocked the exploit injector; we don't know if this is intentional or a side effect of another bugfix or change.

- System is being verified from backups, signatures, etc. As of right now things look correct; however, we may take the system down soon to do a full reinstall and for more invasive checking.

- As a precaution a number of packages have been removed from the system. If something was removed that you were using, please let us know so we can put it back.

- At this time we do not know the vector that was used to get into the systems, but the attackers had gained root access level privileges.

That's what we know right now, some of the recent instabilities may have been caused by these intrusions, and we are looking into everything.

If you are on the box, keep an eye out, and if you see something please let us know immediately.

Beyond that, verify your git trees and make sure things are correct.
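The message above says the modified openssh packages were replaced with known-good copies and that the system is being verified from backups and signatures. As an added example (not part of the kernel.org message and not its tooling), the Python below builds a SHA-256 manifest of a directory tree while it is known-good and later diffs the live tree against it, reporting files that changed, disappeared or appeared; the directory layout, file names and contents in demo() are constructed to mirror the report (a replaced sshd binary, a new entry under rc3.d, a removed package file) and are not the real artefacts.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file read in chunks, so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, slash-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, baseline):
    """Compare the live tree against a baseline manifest taken while the host was known-good.

    Returns sorted lists of files whose content changed, files that disappeared, and
    files that appeared (a new rc3.d startup entry shows up in "added").
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario in a temporary directory: baseline a small mock tree, then
    tamper with it the way the report describes and return what verify_manifest finds."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    _write(root, "usr/sbin/sshd", b"known-good sshd build\n")
    _write(root, "usr/bin/ssh", b"known-good ssh client\n")
    _write(root, "etc/rc3.d/S99local", b"#!/bin/sh\n# local startup\n")
    baseline = build_manifest(root)

    # Tampering modelled on the report (constructed, not the real artefacts):
    _write(root, "usr/sbin/sshd", b"modified sshd build\n")                 # replaced ssh daemon
    _write(root, "etc/rc3.d/S98unknown", b"#!/bin/sh\n# unexpected entry\n")  # added startup file
    os.remove(os.path.join(root, "usr", "bin", "ssh"))                      # package removed
    return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only means something if it is kept where a root-level intruder cannot rewrite it: store it off-box or sign it, which is the role the message's "backups, signatures" play; a distribution's package verification (rpm -V style) serves the same purpose for packaged files. Hashing files on disk also does not reveal a process whose code was altered only in memory, so the check complements, rather than replaces, looking at what is actually running.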

Source:  http://venturebeat.com/2011/08/30/hackers-steal-21000-mostly-weak-user-passwords-from-star-wars-game-fan-site/

A Star Wars Galaxies fan site got hacked today and thieves stole 21,000 email addresses and 23,000 passwords. And judging from an analysis of the passwords, most of them were weak.

The site SWGalaxies.net is a Star Wars Galaxies online game fan site owned by LFNetwork, an independently owned network of LucasArts fan sites. Hackers from the group ObSec, a small hacking collective with apparent sympathies for the LulzSec and AntiSec hacktivist groups, broke into the site’s security and posted the addresses and passwords on the web. The threat from this kind of smaller breach is that it can lead to further identity theft that could be devastating for individuals.

Jeff Moeller, editor of LFNetwork, said that the site that got hacked is not actively maintained anymore.

Identity Finder took a look at the post and found there were a lot of weak passwords, which would have been easy to crack because they are short, contain dictionary words, or don’t contain special characters, numbers, or alternating punctuation.
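The analysis described above judged passwords weak when they were short, were dictionary words, or lacked digits and special characters. As an added example (not Identity Finder's method or any code from the article), the Python below turns those criteria into a classifier and tallies a password set; the wordlist, the sample passwords and the eight-character minimum are all constructed assumptions, not data from the breach.

```python
import re
from collections import Counter

# Constructed miniature wordlist; a real audit would load a full dictionary/wordlist.
DICTIONARY = {"password", "star", "wars", "galaxy", "jedi", "force", "letmein", "welcome", "qwerty"}

# Constructed sample passwords in the style the article describes (not the leaked data).
SAMPLE_PASSWORDS = ["password", "jedi123", "StarWars!", "abc", "x7!Qz9#mLp2",
                    "galaxy", "Tr0ub4dor&3", "force2011"]

MIN_LENGTH = 8  # assumed policy minimum, not a value from the article


def weakness_reasons(password, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Return the list of weaknesses the article names that apply to one password."""
    reasons = []
    if len(password) < min_length:
        reasons.append("short")
    # strip leading/trailing digits and punctuation so "jedi123" still counts as "jedi"
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    if core in dictionary:
        reasons.append("dictionary-word")
    if not re.search(r"\d", password):
        reasons.append("no-digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no-special")
    return reasons


def audit(passwords, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Summarise a password set: total, how many have at least one weakness, per-reason counts."""
    reasons = Counter()
    weak = 0
    for pw in passwords:
        found = weakness_reasons(pw, dictionary, min_length)
        if found:
            weak += 1
        reasons.update(found)
    return {"total": len(passwords), "weak": weak, "reasons": reasons}


if __name__ == "__main__":
    summary = audit(SAMPLE_PASSWORDS)
    print(f"{summary['weak']} of {summary['total']} weak; reasons: {dict(summary['reasons'])}")
```

The dictionary check only catches a single base word with leading or trailing digits and punctuation stripped; real crackers also try concatenations, leetspeak substitutions and common suffix rules, so a password that passes this audit is not necessarily strong, while one that fails it is certainly weak.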

Source:  http://www.cso.com.au/article/399150/ex-anon_good_liars_undermine_information_security

Self-exiled, gun-loving ex-Anon, who goes by the name SparkyBlaze on Twitter, claims that skilled liars are the number one concern for information security.

“We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing?” SparkyBlaze told networking giant Cisco on Wednesday.

“It all comes down to lies, everyone does it and some people get good at it.”

The self-described hacker recently severed ties with Anonymous over its supporters’ practice of killing “innocent peoples” anonymity when they leaked San Francisco transport user details, supposedly in support of the transport system's users.

“AntiSec Has Released Gig After Gig Of Innocent Peoples Information. For What? What Did They Do? Does Anon Have The Right To Remove The Anonymity Of Innocent People? They Are Always Talking About Peoples Right To Remain Anonymous So Why Are They Removing That Right?”, SparkyBlaze declared in a post on PasteBin this month.

Source:  http://www.theregister.co.uk/2011/08/30/apache_dos_vuln_patched/

Maintainers of the open-source Apache webserver have fixed a severe weakness that attackers are exploiting to crash websites.

Flaws in Apache's HTTP daemon made it easy to crash servers using publicly available software released last week. The bugs in the way the HTTPD processed multiple web requests that involved overlapping byte ranges allowed attackers to overwhelm servers by sending them a modest amount of traffic.

An advisory on Apache's website said the bug, formally known as CVE-2011-3192, has been fixed in version 2.2.20.

“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. "Active use" of the attack tool has been observed.

One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007, and possibly involves all webservers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the underlying protocol responsible for the problem, Apache said.

Versions 1.3.x and 2.0.x through 2.0.64 contain the denial-of-service vulnerabilities. They can be triggered by a single web request that contains overlapping byte ranges for a specific page.
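The condition the story describes is a single request whose Range header lists many overlapping byte ranges. As an added example that is neither Apache's code nor its official mitigation, the Python below parses a Range header value into absolute byte ranges and classifies it as ok, too-many, overlapping or malformed, the checks a reverse proxy or WAF rule would apply before a request reaches httpd; the sample header values are constructed, and the limit of five ranges is an assumed policy threshold rather than anything the advisory states.

```python
import re

# Constructed sample Range header values used to exercise the checker (not captured traffic).
SAMPLE_HEADERS = {
    "plain":       "bytes=0-499",
    "resume":      "bytes=500-",
    "suffix":      "bytes=-100",
    "overlapping": "bytes=0-100,50-150,200-300",
    "too-many":    "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9",
    "malformed":   "bytes=abc-def",
}

# one byte-range-spec: "first-last", "first-" or "-suffix_length"
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, content_length):
    """Turn a Range header value into a list of inclusive (start, end) pairs.

    Returns None when the value is syntactically invalid (a server should then ignore
    the header and answer 200 with the full body). Ranges that start past the end of
    the resource are unsatisfiable and are dropped.
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # suffix range: the final N bytes of the resource
            n = int(last)
            if n == 0:
                return None
            ranges.append((max(0, content_length - n), content_length - 1))
            continue
        start = int(first)
        end = int(last) if last else content_length - 1
        if last and end < start:
            return None            # last-byte-pos before first-byte-pos is invalid
        if start >= content_length:
            continue               # unsatisfiable, skip this spec
        ranges.append((start, min(end, content_length - 1)))
    return ranges


def has_overlap(ranges):
    """True if any two ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (cur_start, _) in zip(ordered, ordered[1:]):
        if cur_start <= prev_end:
            return True
    return False


def check_range_header(header_value, content_length, max_ranges=5):
    """Classify a Range header: "no-range", "ok", "too-many", "overlapping" or "malformed".

    max_ranges is an assumed policy limit. The count check runs on the raw header
    before parsing so a flood of specs is rejected without per-spec work.
    """
    if not header_value:
        return "no-range"
    if not header_value.lower().startswith("bytes="):
        return "malformed"
    if header_value.count(",") + 1 > max_ranges:
        return "too-many"
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return "malformed"
    if has_overlap(ranges):
        return "overlapping"
    return "ok"


def audit_samples(content_length=1000):
    """Run the checker over the constructed samples; returns {label: verdict}."""
    return {label: check_range_header(value, content_length)
            for label, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, verdict in audit_samples().items():
        print(f"{label:12s} -> {verdict}")
```

A request classified as too-many or overlapping is one no legitimate download resumer or media player produces, so dropping the Range header (and serving the whole resource) or answering 416 costs nothing for real clients; malformed headers are ignored per the HTTP specification rather than rejected outright.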

Source:  http://threatpost.com/en_us/blogs/facebook-bug-bounties-one-month-later-083011

Just a month into its cash-for-bugs program, social networking giant Facebook doled out some $40,000 in bounties to researchers from 16 countries, according to a company statement.

Joe Sullivan, Facebook’s Chief Security Officer, authored a column on Facebook’s security page yesterday heralding the success of the new program as an overall security improvement on the world’s largest social network. The bounties include $7,000 to one researcher who disclosed six separate bugs.

Facebook followed the lead of companies like Google, Mozilla and a gaggle of vulnerability detection firms in July: offering cold hard cash for the details of security holes in its Web based social networking service. The company is paying $500 as the minimum bug bounty, with more money coming to more valuable (read: exploitable) vulnerabilities. The company paid out $5,000 to one researcher for a particularly good report. These are drops in the bucket to a company whose eventual IPO, if rumors prove true, may exceed $100 billion.

Source:  http://www.theaustralian.com.au/australian-it/exec-tech/the-hp-touchpad-is-back-for-now/story-e6frgazf-1226126401633

In what seems a resurrection of biblical proportions, Hewlett-Packard will resume manufacturing its TouchPad just 11 days after the tablet was killed off in the market.

The company’s decision follows an unprecedented demand for the TouchPad, which in Australia was axed just four days after its launch due to poor sales in the US.

TouchPads were sold out at Harvey Norman around Australia within an hour of the start of a TouchPad fire sale. Prices were slashed to $98 from $498 for the 16 Gigabyte model, and to $148 for the 32GB version.

As one commentator quipped: “The TouchPad sold like a dead tablet strapped to a rocket.”

The sentiment extended to eBay, where buyers willingly were bidding more than $300 per unit in auctions that began well after the fire sale ended, in full knowledge of the retail price cuts.

In the week following the TouchPad’s demise, a flurry of new apps found their way into HP’s app shop, further adding to a view that, despite its hardware limitations, the tablet was killed off too quickly.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
