DC404 meeting is this Saturday, December 19th @ 2PM at the Vortex Midtown. Nick Owen will be presenting on “WiKiD Two-factor Auth and Securing Network Access with Open Source Solutions”. For more information and direction go to dc404.kaos.to or simply google DC404.
Vulnerabilities of Interest:
- The Sections module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. In order to exploit this issue, an attacker must have a role with the 'administer sections' permission. Sections versions prior to 5.x-1.3 and 6.x-1.3 are vulnerable. Attackers can use a browser to exploit this issue. Example input: <script>alert('xss');</script>
- Mozilla Firefox and SeaMonkey are affected by a spoofing vulnerability. An attacker could exploit this issue to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the webpage. To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document.
- Ez Cart is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI. Example URL: http://www.example.com/index.php?action=showcat&cid=1&sid=[XSS]
- ZABBIX is prone to a denial-of-service vulnerability and an SQL-injection vulnerability. ZABBIX is an open source network monitoring solution. Successful exploits may allow remote attackers to crash the affected application, exploit latent vulnerabilities in the underlying database, access or modify data, or compromise the application. Versions prior to ZABBIX 1.6.6 are vulnerable.
- Multiple Kaspersky products are prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges and completely compromise the affected computer. Failed exploit attempts will result in a denial-of-service condition.
- Cacti is prone to multiple cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Cacti 0.8.7e is vulnerable; other versions may be affected as well. Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a malicious URL. Code is available in the wild.
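Three of the items above (Sections, Ez Cart, Cacti) are the same bug class: a parameter is written into generated HTML without encoding. The example below is added here for illustration and is not code from any of those projects or advisories. It shows the vulnerable pattern beside the encoded form, pulls a query parameter the way a PHP script reads $_GET, and runs a simple script-marker check over two constructed access-log lines so the reflected attempt can be spotted during log review. The sample input, log lines and function names are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample input of the kind quoted in the Sections advisory.
SAMPLE_INPUT = "<script>alert('xss');</script>"

# Constructed access-log lines (Apache combined-log style); the second one
# carries the Ez Cart-style sid parameter with a URL-encoded script tag.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/2009:14:02:11 -0500] '
    '"GET /index.php?action=showcat&cid=1&sid=shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Dec/2009:14:02:30 -0500] '
    '"GET /index.php?action=showcat&cid=1&sid=%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 540',
]


def render_unsafe(section_name):
    """Vulnerable pattern: user-controlled text pasted straight into generated HTML."""
    return "<h1>Section: " + section_name + "</h1>"


def render_safe(section_name):
    """Hardened pattern: HTML-encode the value before it lands in element content.

    quote=True also encodes ' and ", so the same helper is safe inside attribute values.
    """
    return "<h1>Section: " + html.escape(section_name, quote=True) + "</h1>"


def param_from_url(url, name):
    """Return one decoded query parameter, mirroring what a PHP script sees in $_GET."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


# Markers that indicate a decoded parameter value is trying to execute, not just display.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def looks_like_script_injection(value):
    """Detection helper: does a decoded parameter value carry executable markup?"""
    lowered = value.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def flag_requests(access_log_lines):
    """Return the request URIs whose decoded query string carries a script marker."""
    flagged = []
    for line in access_log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue                       # not a combined-log line; skip it
        request = parts[1].split(" ")      # e.g. ['GET', '/index.php?...', 'HTTP/1.1']
        uri = request[1] if len(request) > 1 else request[0]
        values = [v for vs in parse_qs(urlsplit(uri).query).values() for v in vs]
        if any(looks_like_script_injection(v) for v in values):
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_INPUT))
    print(render_safe(SAMPLE_INPUT))
    print(flag_requests(SAMPLE_LOG))
```

The escaped output still displays the literal text a user typed; it just can no longer be parsed as a tag. The log check is deliberately crude (a few substrings after URL decoding) and is meant for triage, not as a filter in the application itself; the fix belongs at the output-encoding step, which is what the advisories say the affected code skips.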
The Community SANS Atlanta 2010 Spring Schedule has been posted. Five classes are currently being offered, leading off with Scott Moulton's SEC606.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Register by emailing sales@sans.org or by calling (301) 654-SANS (7267).
News item 2: http://news.cnet.com/8301-1009_3-10416246-83.html
Online scammers are taking advantage of the public's interest in the Google Doodle to spread malware. They use search engine optimization techniques to increase the distribution of malware: they create malware-rigged Web sites or hide malware on legitimate Web sites they've compromised, then tag those pages with popular search terms to get them listed high in search engine results. The Google Doodle is the graphic that often takes over the Google logo on holidays or to mark special events; when you click on it, it takes you to a search related to the event. This is where the whole SEO part comes in. They use SEO tactics to get their malware sites at the top of the listing and thereby increase their odds of infecting unsuspecting users. It's really nefarious. Imagine if they were to use those skills for good and not evil.
News item 3: http://www.net-security.org/malware_news.php?id=1161
Cisco Security Intelligence Operations has detected serious activity related to spam e-mail messages that claim to contain a greeting card. The text in the spam message instructs the recipient to view the attached card. The .zip attachment contains a .scr file that, when executed, attempts to infect the system with malicious software. E-mail messages that are related to this threat may contain the following files: card.zip, C:flash.scr
Subject: I Love You
Message Body:
Hi.
Somebody send you a flash card
Bye
News item 4: http://www.scmagazineus.com/rockyou-hack-compromises-32-million-passwords/article/159676/
Have you guys ever heard of Rockyou.com? Apparently, 32 million people have, and a hacker was able to break into the RockYou database and obtain 32 million clear-text passwords through an SQL vulnerability. Rockyou provides applications and services for social networking sites like Facebook and MySpace. The hacker, using the alias "igigi," claims to have broken into the database and obtained the RockYou credentials of all users. He was able to steal the information because users' email addresses and passwords were stored in clear text.
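The lesson from the RockYou story is about storage, not the SQL bug: a dumped table of clear-text passwords is immediately usable, whereas a table of salted, iterated hashes is not. The block below is an added example, not code from RockYou or from the article; it stores a small constructed user list both ways using PBKDF2 from the Python standard library, and checks what a dump of each table hands over. The user records, the iteration count and the record format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; raise it over time as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh 16-byte random salt per user means two users with the same password
    get different records, so one cracked hash says nothing about the other.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the derivation from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


# Constructed sample users (not real accounts).
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "correct horse battery"),   # same password as alice on purpose
]


def store_cleartext(users):
    """The storage style described in the story: the column holds the password itself."""
    return {email: password for email, password in users}


def store_hashed(users):
    """The storage style that should have been used: the column holds a PBKDF2 record."""
    return {email: hash_password(password) for email, password in users}


def dump_reveals_password(table, email, password):
    """What a database dump gives away with no further work: is the stored value the password?"""
    return table[email] == password


if __name__ == "__main__":
    clear = store_cleartext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("cleartext dump reveals alice:", dump_reveals_password(clear, "alice@example.com", "correct horse battery"))
    print("hashed dump reveals alice:", dump_reveals_password(hashed, "alice@example.com", "correct horse battery"))
    print("login still works:", verify_password("correct horse battery", hashed["alice@example.com"]))
```

The record format carries its own parameters, so the iteration count can be raised for new records without invalidating old ones. Because the salt is random, even the two users with an identical password end up with different stored values.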
News item 5: http://www.tomshardware.co.uk/macbook-gun-shot-israel-security,news-32422.html (Matt)
So there was a story on Tom's Hardware about Lily Sussman, who blogged on her WordPress account about a run-in she had on her way through the Israeli border. While it is standard practice these days for border patrol to scan through a traveler's luggage, discharging a firearm three times into a bag containing a laptop isn't an action that seems good for security control, nor for the laptop.
News item 6: http://www.theregister.co.uk/2009/12/15/lookout_services_security_breach/
A Texas company is threatening to press criminal and civil charges against a Minnesota Public Radio reporter after she uncovered a security lapse that exposed sensitive data for at least 500 people.
Texas-based Lookout Services admits that misconfigurations on its website left databases containing names, dates of birth, and social security numbers accessible to unauthorized individuals. But the company, which verifies the identities of new employees, says MPR and its reporter, Sasha Aslanian, violated criminal statutes when she viewed databases belonging to five of Lookout’s customers.
Lookout has already sued the state of Minnesota because one of its employees allegedly leaked details of the vulnerability after learning of it at a company-sponsored webinar.
Is blaming the messenger who reported a vulnerability really the tack they should be taking?
News item 7: http://www.wired.com/threatlevel/2009/12/gonzalez-memo/
Wired has a story on a document about Albert Gonzalez and the fact that he has identified two Russian accomplices who helped him hack into numerous companies. The document reveals that six months after his May 2008 arrest, Gonzalez located and provided prosecutors with the "complicated" and "lengthy" password to decrypt his laptop, which contained "a vast array of historical data and communications" that helped the government indict other members of Gonzalez's team, and could be used in future search warrants. It also reveals that Gonzalez drew prosecutors a map that helped them find more than $1.1 million that he had buried in his parents' backyard.
Apparently, Gonzalez also provided prosecutors with “detailed disclosure of others involved in the offenses, including other hackers, persons who facilitated money exchanges, persons who de-encrypted data, receivers of stolen property and even three individuals who were involved in minor roles in his own group — people he was close to — each of whom has been indicted, in part based on Gonzalez’ proffers and in part based on the content of Gonzalez’ computer.”
The probation office calculated that Gonzalez should receive a life sentence for his crimes, based primarily on the number of credit cards the hacker compromised in two of his three indictments: 40 million cards. Under sentencing guidelines, every stolen card is counted as a theft of at least $500, whether it was used or not, making Gonzalez's capers equivalent to stealing $20 billion.
News item 8: http://www.f-secure.com/weblog/archives/00001837.html
F-Secure has an interesting how-to article, or rather a how-not-to article, titled How Not To Redact Confidential Information. Most people who know about digital redaction problems think it's just about being able to copy and paste the redacted text of the document. But as the article shows, the problem comes from how most users create PDF files: with a virtual printer. They create the file in Word, then just "print" it to a PDF file. The trouble with this is that there are numerous PDF editors available, and with one you can open up any PDF file and modify it in any way you want. This includes being able to select the redaction black boxes and move them away, uncovering the content underneath. Fail!
Having tried this with Word, PDFCreator as the printer driver and PDFEdit, it is quite easy to do. Simply load up the PDF, select the textbox or object that is covering what you want to see and click delete. Bob's your uncle, you have revealed the hidden text.
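The reason the black box can simply be deleted is that it is a separate drawing operation painted on top of text that is still in the page's content stream. The example below is added here to make that concrete; it is not code from F-Secure's article or from any of the tools named above. It hand-builds a minimal one-page PDF from a constructed two-line document, either drawing a black rectangle over the sensitive line (the virtual-printer style of "redaction") or actually omitting that line from the content stream, and then reads the text operators back out of the stream, which is exactly the check a reviewer should run on a redacted document before it leaves the building. The sample text and the function names are assumptions for the example.

```python
import re

# Constructed sample document; the second line is the one to be redacted.
PUBLIC_LINE = "Quarterly report"
SECRET_LINE = "Account number 4417-1234"


def _pdf_escape(s):
    """Escape the three characters that are special inside a PDF literal string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_pdf(lines, redact=None, remove_text=False):
    """Return the bytes of a one-page PDF showing `lines` in 12pt Helvetica.

    redact: the line to hide. With remove_text=False a black box is painted over it
    (the text stays in the content stream); with remove_text=True the text operator
    is never emitted, so only the box remains. Both variants look identical on screen.
    """
    ops = ["BT", "/F1 12 Tf"]
    y = 700
    box = None
    for line in lines:
        if line == redact:
            box = (72, y - 3, 240, 16)          # x, y, width, height of the black bar
            if remove_text:
                y -= 20
                continue                        # real redaction: text never written
        ops.append("1 0 0 1 72 %d Tm (%s) Tj" % (y, _pdf_escape(line)))
        y -= 20
    ops.append("ET")
    if box is not None:
        # Painted after the text, so it sits on top of it in the rendered page.
        ops.append("0 g %d %d %d %d re f" % box)
    content = "\n".join(ops).encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1)
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def extract_text_strings(pdf_bytes):
    """Return every literal string shown with a Tj operator in the (uncompressed) content stream."""
    m = re.search(rb"stream\n(.*?)\nendstream", pdf_bytes, re.S)
    if m is None:
        return []
    stream = m.group(1).decode("latin-1")
    raw = re.findall(r"\(((?:\\.|[^\\)])*)\)\s*Tj", stream)
    return [s.replace("\\(", "(").replace("\\)", ")").replace("\\\\", "\\") for s in raw]


def redaction_leaks(pdf_bytes, secret):
    """The reviewer's check: is the supposedly redacted text still recoverable from the file?"""
    return secret in extract_text_strings(pdf_bytes)


if __name__ == "__main__":
    overlay = build_pdf([PUBLIC_LINE, SECRET_LINE], redact=SECRET_LINE)
    removed = build_pdf([PUBLIC_LINE, SECRET_LINE], redact=SECRET_LINE, remove_text=True)
    print("black box only:", redaction_leaks(overlay, SECRET_LINE))   # True
    print("text removed:  ", redaction_leaks(removed, SECRET_LINE))   # False
```

Real-world PDFs usually compress the content stream (FlateDecode) and may embed the text as glyph codes rather than plain strings, so a production check would decompress and map fonts first; the structural point is unchanged, since a box drawn over text is a separate object that any editor can lift away. Writing the file from either branch and opening it in a viewer shows the same black bar in both cases.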
News item 9: http://blogs.adobe.com/psirt/2009/12/security_advisory_apsa09-07_up.html
Adobe to issue an update for the Adobe Reader and Acrobat vulnerability by January 12, 2010