Awesome feeds

Vuln: Apache Tomcat CVE-2013-2071 Information Disclosure Vulnerability

Apache Tomcat CVE-2013-2071 Information Disclosure Vulnerability

Source: SecurityFocus Vulnerabilities | 20 May 2013 | 8:00 pm EDT

Vuln: RedHat Multiple JBoss Enterprise Products CVE-2013-0218 Local Information Disclosure Vulnerability

RedHat Multiple JBoss Enterprise Products CVE-2013-0218 Local Information Disclosure Vulnerability

Source: SecurityFocus Vulnerabilities | 20 May 2013 | 8:00 pm EDT

Vuln: OpenSSL Multiple Remote Denial of Service Vulnerabilities

OpenSSL Multiple Remote Denial of Service Vulnerabilities

Source: SecurityFocus Vulnerabilities | 20 May 2013 | 8:00 pm EDT

Vuln: Multiple TLS And DTLS Implementations CVE-2013-0169 Information Disclosure Vulnerability

Multiple TLS And DTLS Implementations CVE-2013-0169 Information Disclosure Vulnerability

Source: SecurityFocus Vulnerabilities | 20 May 2013 | 8:00 pm EDT

Bugtraq: CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

Source: SecurityFocus Vulnerabilities |

Bugtraq: [slackware-security] ruby (SSA:2013-136-02)

[slackware-security] ruby (SSA:2013-136-02)

Source: SecurityFocus Vulnerabilities |

Bugtraq: [slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

Source: SecurityFocus Vulnerabilities |

Bugtraq: APPLE-SA-2013-05-16-1 iTunes 11.0.3

APPLE-SA-2013-05-16-1 iTunes 11.0.3

Source: SecurityFocus Vulnerabilities |


CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

Posted by Sławomir Jabs on May 17

Everything has a story, everything evolves, adapts to changing circumstances,
but does your IT Sec strategy evolve with the development of the digital
world?

Are you willing to gamble on the security of your systems?

Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with IT security on a daily basis. People like you,
who never stop asking questions and play with risks all the time...

We will...

Source: Bugtraq | 17 May 2013 | 11:44 am EDT

[slackware-security] ruby (SSA:2013-136-02)

Posted by Slackware Security Team on May 17

[slackware-security] ruby (SSA:2013-136-02)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current
to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p429-i486-1_slack14.0.txz: Upgraded.
This update fixes a security issue in DL and Fiddle included in Ruby where
tainted strings can be used by system calls regardless of the $SAFE...

Source: Bugtraq | 17 May 2013 | 11:30 am EDT

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

Posted by Slackware Security Team on May 17

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

New mozilla-thunderbird packages are available for Slackware64 13.37 and
14.0. These were accidentally omitted from the last upload.

Here are the details from the Slackware64 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-x86_64-1_slack14.0.txz: Upgraded.
Here's the package that was missing from the last batch. The...

Source: Bugtraq | 17 May 2013 | 11:14 am EDT

APPLE-SA-2013-05-16-1 iTunes 11.0.3

Posted by Apple Product Security on May 17

APPLE-SA-2013-05-16-1 iTunes 11.0.3

iTunes 11.0.3 is now available and addresses the following:

iTunes
Available for: Mac OS X v10.6.8 or later, Windows 7, Vista,
XP SP2 or later
Impact: An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description: A certificate validation issue existed in iTunes. In
certain contexts, an active network attacker could...

Source: Bugtraq | 17 May 2013 | 10:58 am EDT

ESA-2013-029: RSA SecurID Sensitive Information Disclosure Vulnerability

Posted by Security Alert on May 16

ESA-2013-029: RSA SecurID Sensitive Information Disclosure Vulnerability

EMC Identifier: ESA-2013-029

CVE Identifier: CVE-2013-0941

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected Products:

RSA Authentication API versions prior to 8.1 SP1

RSA Web Agent for Apache Web Server versions prior to 5.3.5

RSA Web Agent for IIS versions prior to 5.3.5

RSA PAM Agent versions prior to 7.0

RSA Agent for Microsoft...

Source: Bugtraq | 16 May 2013 | 11:43 am EDT

ESA-2013-041: EMC VNX and Celerra Control Station Elevation of Privilege Vulnerability

Posted by Security Alert on May 16

ESA-2013-041: EMC VNX and Celerra Control Station Elevation of Privilege Vulnerability

EMC Identifier: ESA-2013-041

CVE Identifier: CVE-2013-3270

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected products:

• EMC VNX Control Station versions prior to 7.1.70.2
• EMC Celerra Control Station versions prior to 6.0.70.1

Summary:

A vulnerability exists in EMC VNX and EMC Celerra Control Station that...

Source: Bugtraq | 16 May 2013 | 11:31 am EDT

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

Posted by Slackware Security Team on May 16

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,
and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-i486-1_slack14.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

Source: Bugtraq | 16 May 2013 | 11:07 am EDT

[slackware-security] mozilla-firefox (SSA:2013-135-01)

Posted by Slackware Security Team on May 16

[slackware-security] mozilla-firefox (SSA:2013-135-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0,
and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-21.0-i486-1_slack14.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

Source: Bugtraq | 16 May 2013 | 10:58 am EDT

[SECURITY] [DSA 2669-1] linux security update

Posted by dann frazier on May 16

----------------------------------------------------------------------
Debian Security Advisory DSA-2669-1                security () debian org
http://www.debian.org/security/                            Dann Frazier
May 15, 2013                            http://www.debian.org/security/faq
----------------------------------------------------------------------

Package : linux
Vulnerability : privilege escalation/denial of service/information...

Source: Bugtraq | 16 May 2013 | 10:40 am EDT

Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

Posted by Cisco Systems Product Security Incident Response Team on May 15

Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

Advisory ID: cisco-sa-20130515-mse

Revision 1.0

For Public Release 2013 May 15 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to
cause high CPU utilization and a reload of the...

Source: Bugtraq | 15 May 2013 | 3:07 pm EDT

Multiple Vulnerabilities in Exponent CMS

Posted by advisory on May 15

Advisory ID: HTB23154
Product: Exponent CMS
Vendor: Online Innovative Creations
Vulnerable Version(s): 2.2.0 beta 3 and probably prior
Tested Version: 2.2.0 beta 3
Vendor Notification: April 24, 2013
Vendor Patch: May 3, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]
CVE References: CVE-2013-3294, CVE-2013-3295
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P),...

Source: Bugtraq | 15 May 2013 | 2:52 pm EDT

[ MDVSA-2013:165 ] firefox

Posted by security on May 15

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:165
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : firefox
Date : May 15, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple...

Source: Bugtraq | 15 May 2013 | 12:07 pm EDT

[security bulletin] HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code

Posted by security-alert on May 15

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03714526

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03714526
Version: 3

HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service
(DoS) and Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible....

Source: Bugtraq | 15 May 2013 | 11:49 am EDT

[SECURITY] [DSA 2668-1] linux-2.6 security update

Posted by dann frazier on May 15

----------------------------------------------------------------------
Debian Security Advisory DSA-2668-1                security () debian org
http://www.debian.org/security/                            Dann Frazier
May 14, 2013                            http://www.debian.org/security/faq
----------------------------------------------------------------------

Package : linux-2.6
Vulnerability : privilege escalation/denial of...

Source: Bugtraq | 15 May 2013 | 11:32 am EDT

File Lite 3.3 & 3.5 PRO iOS - Multiple Web Vulnerabilities

Posted by Vulnerability Lab on May 13

Title:
======
File Lite 3.3 & 3.5 PRO iOS - Multiple Web Vulnerabilities

Date:
=====
2013-05-04

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=939

VL-ID:
=====
939

Common Vulnerability Scoring System:
====================================
5.9

Introduction:
=============
You have tons of files you need to get from one device to another, so what do you do? You use File Pro, that’s what you
do.
App Chronicles!...

Source: Bugtraq | 13 May 2013 | 12:58 pm EDT

Re: exploitation ideas under memory pressure

Posted by sd on May 21

Interesting idea to create a thread and patch the list. Upon reading your first post, I immediately thought this wasn't
going to be exploitable, but you've proven me wrong. Any chance for a copy of the exploit code? I might port it to
Metasploit.

sd

Source: Full Disclosure | 21 May 2013 | 8:11 am EDT

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

Posted by Максим Чудаков on May 21

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs
products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (@MChudakov)
Andrey Kurtasanov (andreykurtasanov () gmail com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and...

Source: Full Disclosure | 21 May 2013 | 7:18 am EDT

Sony PS3 Firmware v4.31 - Code Execution Vulnerability

Posted by Vulnerability Lab on May 20

Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability

Date:
=====
2013-05-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767

VL-ID:
=====
767

Common Vulnerability Scoring System:
====================================
6.5

Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
PlayStation 2 as part of the...

Source: Full Disclosure | 20 May 2013 | 7:38 pm EDT

Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

Posted by Vulnerability Lab on May 20

Title:
======
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

Date:
=====
2013-05-21

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951

VL-ID:...

Source: Full Disclosure | 20 May 2013 | 7:35 pm EDT

Re: exploitation ideas under memory pressure

Posted by Tavis Ormandy on May 20

I guess I'm talking to myself, maybe this list is all about XSS now ;)

I'm quite proud of this list cycle trick, here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

.text:BFA122B8 call newpathrec...

Source: Full Disclosure | 20 May 2013 | 5:41 pm EDT

Re: My ISP is routing traffic to private addresses...

Posted by Patrick Webster on May 20

Maybe when we cut over to IPv6 the ISPs will revert to the golden age of
putting all their gear on publicly addressable space :)

Conversely, an enjoyable network design is where you route public IPs from
a private network to a private network, and the public IP has different
services on the internet to the internally routed version, but clients need
access to both.

NATing heaven.

Source: Full Disclosure | 20 May 2013 | 12:25 pm EDT

Critical issues affecting multiple game engines

Posted by ReVuln on May 20

We have just released a paper [1], in which we detail several 0-day
issues affecting a number of different game engines, including: Unreal
Engine, CryEngine 3 and idTech 4.

During our presentation at the recent NoSuchCon conference in Paris, we
discussed [2] additional details about game engine issues. Additionally
we demonstrated [3] how an attacker can use master servers to perform
mass-exploiting of game vulnerabilities, in order to target...

Source: Full Disclosure | 20 May 2013 | 8:28 am EDT

Re: My ISP is routing traffic to private addresses...

Posted by Alexander Georgiev on May 20

Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private...

Source: Full Disclosure | 20 May 2013 | 6:06 am EDT

Defense in depth -- the Microsoft way

Posted by Stefan Kanthak on May 20

Hi @ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"

Note the unqualified path...

Source: Full Disclosure | 20 May 2013 | 5:05 am EDT

Thttpd 2.25b Directory Traversal Vulnerability

Posted by metropolis haxor on May 20

Hi guys,
You can find the software affected at http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
Thanks,
Metropolis
###########################################
#
# Software Name : Thttpd 2.25b
#
# Version : 2.25b (29dec2003)
#
# Bug Type : Directory Traversal Vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 19/05/2013
#
# Download app : http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
#
#...

Source: Full Disclosure | 20 May 2013 | 5:04 am EDT

Interesting referrer URLs when accessing vulnerability disclosure information

Posted by halfdog on May 19

Hello list,

In the aftermath of most of my full-disclosure posts I've observed
quite interesting referrer URLs when someone tries to read information
provided explaining the issue. In quite some cases, those requests can
be attributed to national CERTs, software distributors' security
teams, universities with IT-security research units, ... accessing
that information.

Information leaked via the referrer URLs indicates that a...

Source: Full Disclosure | 19 May 2013 | 5:54 pm EDT

Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

Posted by Fernando Gont on May 19

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news...

Source: Full Disclosure | 19 May 2013 | 2:11 pm EDT

AFU vulnerabilities in MCImageManager for TinyMCE

Posted by MustLive on May 19

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager
(MCImageManager). This is a commercial plugin for TinyMCE. It concerns both
MCImageManager and all web applications which have MCImageManager in their
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode...

Source: Full Disclosure | 19 May 2013 | 2:06 pm EDT

AFU vulnerabilities in MCFileManager for TinyMCE

Posted by MustLive on May 18

Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager
(MCFileManager). This is a commercial plugin for TinyMCE. It concerns both
MCFileManager and all web applications which have MCFileManager in their
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode...

Source: Full Disclosure | 18 May 2013 | 4:52 pm EDT

Re: My ISP is routing traffic to private addresses...

Posted by Justin Elze on May 18

The idea behind private IP space is it doesn't leave the ISPs AS via BGP to
the rest of the internet.

Source: Full Disclosure | 18 May 2013 | 9:01 am EDT

RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

Posted by Debasis Mohanty on May 19

Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?

I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is the best approach to have appropriate scoring for various
pilot parameters. However, I never released it to the...

Source: Penetration Testing | 19 May 2013 | 4:47 pm EDT

CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

Posted by Sławomir Jabs on May 19

Everything has a story, everything evolves, adapts to changing circumstances,
but does your IT Sec strategy evolve with the development of the digital
world?

Are you willing to gamble on the security of your systems?

Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with IT security on a daily basis. People like you,
who never stop asking questions and play with risks all the time...

We will...

Source: Penetration Testing | 19 May 2013 | 4:43 pm EDT

[HITB-Announce] HITB Magazine Issue 010

Posted by Hafez Kamal on May 14

Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org

Topics of interest include, but are not limited to the following:

Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...

Source: Penetration Testing | 14 May 2013 | 11:32 am EDT

SpiderFoot 2.0 released

Posted by Steve Micallef on May 10

Hi everyone,

SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...

Source: Penetration Testing | 10 May 2013 | 4:39 pm EDT

WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

Posted by announcements on May 10

The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...

Source: Penetration Testing | 10 May 2013 | 4:29 pm EDT

Ruxcon 2013 Call For Papers

Posted by cfp on May 07

Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.

This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference...

Source: Penetration Testing | 7 May 2013 | 7:35 pm EDT

[TOOL] TOPERA v2 released

Posted by cr0hn on May 07

Hi everybody,

We just released TOPERA v2:

TOPERA is a new security tool for IPv6, with the particularity that its attacks can't be detected by Snort.

This new version of TOPERA includes these improvements:

1 - Slow HTTP attacks (Slowloris over IPv6).
2 - Improved TCP port scanner.

New project page:

http://toperaproject.github.io/topera/

Regards!...

Source: Penetration Testing | 7 May 2013 | 7:29 pm EDT

[HITB-Announce] #HITB2013KUL Call for Papers

Posted by Hafez Kamal on May 01

Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.

Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai).

We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...

Source: Penetration Testing | 1 May 2013 | 12:05 am EDT

Breakpoint 2013 Call For Papers

Posted by cfp on May 01

Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.

Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...

Source: Penetration Testing | 1 May 2013 | 12:00 am EDT

Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)

Posted by Tasos Laskos on Apr 29

Hey folks,

This is just to let you know that there's a new version of Arachni.

Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.

The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...

Source: Penetration Testing | 29 Apr 2013 | 1:42 pm EDT

TXDNS v2.4 released

Posted by Arley Silveira on Apr 17

TXDNS v 2.4 is out and available to download from
http://txdns.net/

This new version adds support for reverse grinding.

Ex:
     txdns -r 10-20.1.60-70.1-254,192.168.15.0/24

Cheers
Arley Silveira.

Source: Penetration Testing | 17 Apr 2013 | 1:39 pm EDT

A survey on quantifying severity of vulnerabilities in software

Posted by Khalid Khan Afridi on Apr 17

Hello!

I am currently performing my master thesis on the topic of quantifying the
severity of software vulnerabilities.

As you have done significant work in this area, I would be glad if you
could spare a few minutes of your time to answer a survey on the topic. It
should not require more than 15-20 minutes to complete.

The survey can be found at: http://secsurvey.ics.kth.se/index.php

Thank you for your attention!

Best Regards,
Khalid Khan...

Source: Penetration Testing | 17 Apr 2013 | 1:33 pm EDT

Hackersh 0.1 Release Announcement

Posted by Itzik Kotler on Apr 03

Hi All,

I am pleased to announce the first version of Hackersh
(http://www.hackersh.org).

Hackersh ("Hacker Shell") is a free and open source shell (command
interpreter) written in Python with built-in security commands, and
out-of-the-box wrappers for various security tools, using Pythonect as
its scripting engine. Pythonect is a new, experimental,
general-purpose high-level dataflow programming language based on
Python. It aims to...

Source: Penetration Testing | 3 Apr 2013 | 12:57 pm EDT

D2Sec's Elliot

Posted by Dave Aitel on May 06

http://www.d2sec.com/news/driving_d2_elliot_with_immunity_canvas.html

There are a lot of different kinds of exploits - and many people ignore
the web exploits that are not for Wordpress. This is usually a mistake
because, especially as we look at #OpUSA and #OpIsrael and the like, a
lot of people are running all sorts of web applications with all sorts
of esoteric web vulnerabilities on them. Which is why our close and
continuing friends over...

Source: Daily Dave | 6 May 2013 | 4:54 pm EDT

SyScan 2013

Posted by Dave Aitel on May 02

It's really only after you finish writing a keynote that you know what
it's about. In a sense, everyone around you writes it with you as you
talk through it with people. The one I delivered at SyScan itself was
funnier... although even so, not very funny. Not everything is funny!
Even things that include Buffy.

"Things Buffy the Vampire Slayer Taught Me About CyberWar - SyScan 2013
Keynote"...

Source: Daily Dave | 2 May 2013 | 7:44 pm EDT

Yet Another Java Security Warning Bypass

Posted by Esteban Guillardoy on Apr 25

Hi everyone!

I wrote a blog post about another Java Security Warning Bypass that
you may find interesting ;)

Just go to the Immunity blog and enjoy:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html

Cheers
Esteban

Source: Daily Dave | 25 Apr 2013 | 12:53 pm EDT

Answering Lurene's Question

Posted by Dave Aitel on Apr 21

So the kids are in NY so I've gotten a full night's sleep for the first
time in about a while, and parts of my brain I didn't realize were
malfunctioning now have blood and oxygen and whatever soupy hormones
they need to start sparking back up. I'm working on my SyScan talk,
which is due next week, so I wanted to warm up by answering a question
for Lurene.

----

Imagine it's 2030 and we finally understand a few things...

Source: Daily Dave | 21 Apr 2013 | 2:06 pm EDT

Students teaching trainers

Posted by Alex McGeorge on Apr 17

Aloha list,

We do a lot of teaching at Immunity and it's something I think we've
gotten pretty good at over the years. Part of improving your teaching
offerings is doing some hard reflection on what did and didn't work for
the most recent class which is what we're in the process of doing for
web hacking right now. Most of those lessons only make sense from an
internal perspective but there are some things that other people...

Source: Daily Dave | 17 Apr 2013 | 7:46 pm EDT

Re: Linux Hangman Rules

Posted by Michal Zalewski on Apr 17

[lcamtuf () raccoon ~]$ gdb
(gdb) shell id
uid=500(lcamtuf) gid=500(lcamtuf) groups=100(users),500(lcamtuf)

Oh no!

/mz

Source: Daily Dave | 17 Apr 2013 | 7:41 pm EDT

Linux Hangman Rules

Posted by Dave Aitel on Apr 17

http://blog.ioactive.com/2013/04/can-gdbs-list-source-code-be-used-for.html

So reading the above blog is amusing for many reasons. But it did make a
lot of people sit around looking at the funniest games you could play on
modern Linux. For example, Linux Hangman.

Linux Hangman Rules
You take turns putting setuid root onto files in /usr/bin, /usr/sbin,
etc. and if your opponent can use that to get root, even via a
convoluted scenario, then you...

Source: Daily Dave | 17 Apr 2013 | 11:36 am EDT

Re: Recent experiences with ZDI?

Posted by Jim Manico on Apr 17

Here is a pretty comprehensive list of bug bounty programs to help kick
start the conversation.

http://bugcrowd.com/list-of-bug-bounty-programs/

- Jim

Source: Daily Dave | 17 Apr 2013 | 11:25 am EDT

Recent experiences with ZDI?

Posted by patrick patrick on Apr 15

Hi guys,

I haven't had dealings with ZDI in years, but I've heard some rumors of
people getting screwed over by them recently.

Can somebody confirm or deny this?

Is there currently a safe & legal alternative to get rewarded for bughunting?

Thanks
P

Source: Daily Dave | 15 Apr 2013 | 1:38 pm EDT

Android Application (Dalvik) Memory Analysis & the Chuli Malware

Posted by Joe Sylve on Apr 15

Hello,

We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.

The blog post can be found here:

http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chuli-malware/

---
Joe T. Sylve,...

Source: Daily Dave | 15 Apr 2013 | 1:32 pm EDT

top game

Posted by Dave Aitel on Mar 22

In some parallel universe you can hear Yoda say to a younger Disciple,
"How are you going to control EIP if you can't even control your own anger?"

Perhaps not Yoda. Perhaps Halvar.

Regardless, if for whatever reason you wanted to hear more about
Brazilian Jiu Jitsu or INFILTRATE, then you can hit up the podcast I did
this morning with Ryan Naraine
here:...

Source: Daily Dave | 22 Mar 2013 | 3:42 pm EDT

Gifts

Posted by Dave Aitel on Mar 21

Angel <http://en.wikipedia.org/wiki/Angel_%28Buffyverse%29>: And
Buffy, be careful with this gift. A lot of things that seem strong
and good and powerful, they can be painful.
Buffy <http://en.wikipedia.org/wiki/Buffy_Summers>: Like, say...
immortality?
Angel: Exactly. I'm dying to get rid of that.

We put the 32 bit (or we will shortly) version of the PTRACE exploit
into CANVAS Early Updates. I know there...

Source: Daily Dave | 21 Mar 2013 | 12:41 pm EDT

Re: RSA

Posted by Shawn on Mar 21

I put these slides into one tar file:
http://hfg-resources.googlecode.com/files/RSA-US-2013.tar.bz2

Source: Daily Dave | 21 Mar 2013 | 9:30 am EDT

"Seeing is believing"

Posted by Dave Aitel on Mar 19

So a while back I asked what the point of PWN2OWN was, and Mark Dowd
said that of course many people have never SEEN a modern exploit, and
hence it has some strategic value. I think for Google it's also useful
to see what new bugclasses exist in their products that people have not
otherwise publicly told them about, as well. The main bugclass is being
arrogant enough to believe they can write something memory safe in C++,
but we'll get...

Source: Daily Dave | 19 Mar 2013 | 11:25 am EDT

Re: The Truth of TrueType

Posted by Justin Seitz on Mar 11

Sometimes Dave fails at pasting things, that's why the rest of us are here:

http://immunityproducts.blogspot.com.ar/2013/03/infiltrate-preview-truetype-font.html

Source: Daily Dave | 11 Mar 2013 | 5:21 pm EDT

CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

Posted by Sławomir Jabs on May 17

Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?

Are you willing to gamble on the security of your systems?

Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with IT security on a daily basis. People like you,
who never stop asking questions and play with risks all the time...

We will...

Source: Web App Security | 17 May 2013 | 10:44 am EDT

RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

Posted by Debasis Mohanty on May 17

Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?

I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is a best approach to have appropriate scoring for various
pilot parameters. However I never released it to the...

Source: Web App Security | 16 May 2013 | 8:33 pm EDT

[HITB-Announce] HITB Magazine Issue 010

Posted by Hafez Kamal on May 14

Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org

Topics of interest include, but are not limited to the following:

Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...

Source: Web App Security | 14 May 2013 | 7:19 am EDT

WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

Posted by announcements on May 11

The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...

Source: Web App Security | 10 May 2013 | 11:50 pm EDT

SpiderFoot 2.0 released

Posted by Steve Micallef on May 06

Hi everyone,

SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...

Source: Web App Security | 5 May 2013 | 10:16 pm EDT

[HITB-Announce] #HITB2013KUL Call for Papers

Posted by Hafez Kamal on May 01

Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.

Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)

We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...

Source: Web App Security | 1 May 2013 | 1:19 pm EDT

Breakpoint 2013 Call For Papers

Posted by cfp on May 01

Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.

Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...

Source: Web App Security | 1 May 2013 | 1:04 pm EDT

Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)

Posted by Tasos Laskos on Apr 29

Hey folks,

This is just to let you know that there's a new version of Arachni.

Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.

The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...

Source: Web App Security | 29 Apr 2013 | 3:13 pm EDT

Administrivia - slow moderation this week

Posted by Andrew van der Stock on Apr 28

Hi all,

I'm going to be in Milan this week.

Not that there are many messages to moderate, but moderation will be
iffy / slow this next week, particularly during the bits where various
planes are flapping their wings and going "whoosh".

Normal moderation service will resume May 5.

thanks,
Andrew

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here -...

Source: Web App Security | 28 Apr 2013 | 12:40 am EDT

A survey on quantifying severity of vulnerabilities in software

Posted by Khalid Khan Afridi on Apr 18

Hello!

I am currently performing my master thesis on the topic of quantifying the
severity of software vulnerabilities.

As you have done significant work in this area, I would be glad if you
could spare a few minutes of your time to answer a survey on the topic. It
should not require more than 15-20 minutes to complete.

The survey can be found at: http://secsurvey.ics.kth.se/index.php

Thank you for your attention!

Best Regards,
Khalid Khan...

Source: Web App Security | 18 Apr 2013 | 11:12 am EDT

Defcon DCG Kerala Information Security Meet 2013

Posted by Ajin Abraham on Apr 07

Defcon DCG Kerala Information Security Meet 2013
=====================================
Defcon DCG Kerala (DC0497) is a Defcon USA registered group for
promoting and demonstrating research and development in the field of
Information Security. We are a group of Information Security
Enthusiasts actively interested in promoting information security.
Defcon Kerala Information Security Meet will be a platform for
security analysts, ethical hackers,...

Source: Web App Security | 7 Apr 2013 | 7:38 am EDT

c0c0n 2013 - Call For Papers and Call For Workshops

Posted by c0c0n International Information Security Conference on Apr 06

###################################################
c0c0n 2013 - Call For Papers and Call For Workshops
###################################################

August 22-24, 2013 -...

Source: Web App Security | 6 Apr 2013 | 1:14 am EDT

winAUTOPWN v3.4 Released - Completing 4 years !!

Posted by QUAKER DOOMER on Mar 27

Dear all,

This is to announce release of winAUTOPWN version 3.4.
Conceived and released in 2009, WINDOWS AUTOPWN grows strong completing its 4th year.
Visit: http://winautopwn.co.nr

++++++++++++++++++++
About winAUTOPWN:

winAUTOPWN is a unique exploit framework which aids in auto (hacking) / shell gaining as well as in exploiting
vulnerabilities to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and...

Source: Web App Security | 27 Mar 2013 | 6:46 pm EDT

Unauthorized Access: Bypassing PHP strcmp()

Posted by Danux on Mar 03

Hope you enjoy it.

http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html

Source: Web App Security | 3 Mar 2013 | 6:06 pm EST

NoSuchCon CFP 2.0 / 15-17 May 2013 / Paris, France

Posted by Jonathan Brossard on Feb 25

*******************************************************************************

PARENTAL ADVISORY: 100% technical content
*******************************************************************************

+--------------------------------------------------------------+
= =
= NoSuchCon - CFP 2.0 =
=...

Source: Web App Security | 25 Feb 2013 | 2:01 am EST

New VA Modules: Nessus: 14

Posted by New VA Module Alert Service on May 21

This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Nessus plugins (14) ==

66520 opera_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66520
Adobe Reader Enabled in Browser (Opera)

66519 firefox_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66519
Adobe Reader Enabled in Browser (Mozilla Firefox)...

Source: Nmap Development | 21 May 2013 | 6:00 am EDT

Re: [NSE] IKE information extraction

Posted by Jesper Kückelhahn on May 21

Hi Patrik,

Thanks for the pointer. I'll look into using this for the script.

- Jesper

Source: Nmap Development | 21 May 2013 | 4:11 am EDT

Re: [NSE] IKE information extraction

Posted by Jesper Kückelhahn on May 21

Hi Anne,

Thank you for your interest in testing the script. Unfortunately I don't
have any systems available for testing purposes, but if you find any I'd be
very interested in any feedback.

- Jesper

Source: Nmap Development | 21 May 2013 | 4:08 am EDT

Re: nmaprc.lua?

Posted by Fyodor on May 21

Good point! I added this to the list of nmaprc ideas at
https://svn.nmap.org/nmap/todo/nmap.txt

Cheers,
Fyodor

Source: Nmap Development | 21 May 2013 | 3:45 am EDT

Re: [NSE] IKE information extraction

Posted by Patrik Karlsson on May 21

Jesper,

I don't think there is a way to tell if the port is in use or not, but if
you want to avoid having the scripts run at the same time you could use a
mutex. There's some more information here:
http://nmap.org/book/nse-parallelism.html

/Patrik

On Mon, May 20, 2013 at 6:38 PM, Jesper Kückelhahn <dev.kyckel () gmail com> wrote:

Source: Nmap Development | 20 May 2013 | 9:06 pm EDT

Nmap IPC facilities?

Posted by Jacek Wielemborek on May 20

Hi,

I recently had an idea and I thought it'd be nice to get some feedback
from you guys. On the #nmap IRC channel I was discussing introducing
better facilities to interact with Nmap scanning processes. At first,
I was thinking of ways to add more interactivity to the program, like
a keystroke to pause the current task or skip one of hosts.

I found out that there used to be "interactive mode" in Nmap, removed
by David in 2010...

Source: Nmap Development | 20 May 2013 | 7:53 pm EDT

Re: [NSE] IKE information extraction

Posted by stripes on May 20

If you have a system I can test it against, I'll test the patch.

-Anne

Source: Nmap Development | 20 May 2013 | 7:02 pm EDT

[NSE] IKE information extraction

Posted by Jesper Kückelhahn on May 20

Hi list,

I've attached a script for extracting information from an IKE service and a
patch for ike.lua.

The IKE response might contain useful information such as the internal IP
address, domain name or username, which the script displays. Also matched
vendor IDs are displayed.

The ike.lua.patch adds extra functionality to support the extraction (and
some minor refactoring).

Example outputs:

PORT STATE SERVICE REASON VERSION...

Source: Nmap Development | 20 May 2013 | 6:44 pm EDT

New VA Modules: Nessus: 6

Posted by New VA Module Alert Service on May 20

This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Nessus plugins (6) ==

66506 suse_acroread-8571.nasl
http://nessus.org/plugins/index.php?view=single&id=66506
SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 8571)

66505 suse_11_acroread-130516.nasl
http://nessus.org/plugins/index.php?view=single&id=66505
SuSE 11.2 Security Update : Acrobat Reader (SAT...

Source: Nmap Development | 20 May 2013 | 6:00 am EDT

Re: Nmap under OpenVZ venet?

Posted by NStorm on May 20

Hello.

Checked out revision 30907.
Seems to be working fine now (on a host with venet NOARP device):
# nmap --iflist
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-05-20 11:06 MSK
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 16436
lo (lo) ::1/128 loopback up 16436
venet0 (venet0) 192.168.9.39/32 other up 1500...

Source: Nmap Development | 20 May 2013 | 3:18 am EDT

[no subject]

Posted by Absai Gomes Brito Junior on May 19

Out

Source: Nmap Development | 19 May 2013 | 2:43 pm EDT

Re: dev Digest, Vol 98, Issue 26

Posted by Brandon Oliver on May 19

# Nmap 6.25 scan initiated Sun May 19 02:40:24 2013 as: C:\Program Files
(x86)\Nmap\nmap.exe -p80 -Pn -O -o
Nmap scan report for
Host is up (0.018s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address:
Warning: OSScan results may be unreliable because we could not find at
least 1 open and 1 closed port
Device type: printer
Running: HP embedded, HP VxWorks
OS CPE: cpe:/h:hp:laserjet_cp2025dn cpe:/h:hp:laserjet_p2045n
cpe:/o:hp:vxworks
OS...

Source: Nmap Development | 18 May 2013 | 11:05 pm EDT

PrinterScanningIntrusion

Posted by Brandon Oliver on May 19

The lone noob, need to borrow some sec info. What's a DragonIDSConsole
doing on an HP Printer? Obviously firewall, but as I read about this bad
boy it's pretty nifty, all retard meant. I do have a serious question,
shall I close all these ports, and why do I return an error when scanning
for window -sW? It suggests to run ipv6 if my address is wrong but it's
not, did it anyways :
# Nmap 6.25 scan initiated Sat May 18 20:34:14...

Source: Nmap Development | 18 May 2013 | 10:54 pm EDT

Re: NMAP Error

Posted by David Fifield on May 18

That is a good find. Does it happen when scanning just 10.0.0.4, or does
it require the full range? Can you send me -d3 of scanning the printer?

David Fifield

Source: Nmap Development | 18 May 2013 | 4:27 pm EDT

Re: NMAP Error

Posted by Gisle Vanem on May 18

"David Fifield" <david () bamsoftware com> wrote:

I also hit this crash (debug-assert) with this command:
nmap -v -A 10.0.0.1-6

Just before nmap is to report the result for 10.0.0.4 (my Canon printer),
the Debug Assertion box comes up. Analysing this in WinDbg reveals
a problem with:

currenths->scriptResults.sort(scriptid_lessthan);
(in output.cc / printhostscriptresults).

The stacktrace at this point is:...

Source: Nmap Development | 18 May 2013 | 4:10 pm EDT

Aurora attackers were looking for Google's surveillance database

When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looki...

Source: Help Net Security - News | 21 May 2013 | 7:51 am EDT

"NATO vacancies" phishing email also leads to malware

An interesting and very comprehensive phishing and malware-delivery campaign has been spotted by Webroot researchers. The attackers are posing as the chief of NATO's Human Resources Division, sen...

Source: Help Net Security - News | 21 May 2013 | 6:41 am EDT

CISOs need to engage with the board

Cyberspace has placed information risk firmly on the boardroom agenda, and CISOs need to engage with their boards to ensure their organizations understand and manage information risk appropriately whi...

Source: Help Net Security - News | 21 May 2013 | 3:11 am EDT

Find TrueCrypt and BitLocker encrypted containers and images

Passware announced that Passware Kit Forensic 12.5 can now recognize hard disk images and containers, such as TrueCrypt, BitLocker, PGP, during a computer scan. For a computer forensic professional th...

Source: Help Net Security - News | 21 May 2013 | 3:07 am EDT

Wi-Fi client security weaknesses still prevalent

Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have an inherent security weakness in the method they use for connecting to Wi-Fi networks that has the potential for exploitation by ...

Source: Help Net Security - News | 21 May 2013 | 2:58 am EDT

Sourcefire goes beyond the sandbox

Sourcefire introduced malware trajectory capabilities across its Advanced Malware Protection portfolio, giving customers visibility into malware attack activity and enabling them to detect, remediate ...

Source: Help Net Security - News | 21 May 2013 | 2:54 am EDT

U.S. Congress has questions about Google Glass and privacy

Members of the U.S. Congress' Bi-Partisan Privacy Caucus have sent an open letter to Google CEO Larry Page, questioning the company's privacy consideration when it comes to Google Glass. "Since the...

Source: Help Net Security - News | 20 May 2013 | 1:39 pm EDT

Jailed hacker designs device to thwart ATM card skimming

A Romanian hacker that has been jailed for his involvement with a criminal gang that planted ATM skimmers and stole card information has designed a new device aimed at preventing the very same type of...

Source: Help Net Security - News | 20 May 2013 | 11:02 am EDT

Cyber espionage campaign uses professionally-made malware

Trend Micro researchers have discovered a new, massive cyber espionage campaign that has been hitting as many as 71 victims each day, including government ministries, technology companies, academic re...

Source: Help Net Security - News | 20 May 2013 | 9:06 am EDT

Digital Government Strategy progress and challenges

A new report by Mobile Work Exchange and Good Technology examines Federal agencies’ progress toward the Office of Management and Budget’s (OMB) Digital Government Strategy, as we approach its first bi...

Source: Help Net Security - News | 20 May 2013 | 8:56 am EDT

Over 45% of IT pros snitch on their colleagues

Forty-five percent of IT workers admit they would snitch you up to the boss if you decide to break corporate rules or access company information that you shouldn’t on the network or Internet, a recen...

Source: Help Net Security - News | 20 May 2013 | 8:23 am EDT

Form-grabbing rootkit sold on underground forums

There is seemingly no end to the automated tools that aspiring cyber crooks can buy on underground forums. The latest of these discovered by Webroot's Dancho Danchev is "Private Grabber", a commercial...

Source: Help Net Security - News | 20 May 2013 | 7:32 am EDT

U.S. DOD decides iPhones and iPads can connect to its networks

The Defense Information Systems Agency (DISA) of the U.S. Department of Defense has approved the use of government-issued iOS 6 devices when connecting to its military networks, adding them to the pre...

Source: Help Net Security - News | 20 May 2013 | 6:48 am EDT

The CSO perspective on healthcare security and compliance

Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips. Is it mor...

Source: Help Net Security - News | 20 May 2013 | 6:03 am EDT

Large cyber espionage emanating from India

Norman Shark uncovered a large and sophisticated cyber-attack infrastructure that appears to have originated from India. The attacks, conducted by private threat actors over a period of three years...

Source: Help Net Security - News | 20 May 2013 | 4:05 am EDT

Barracuda updates web application firewall

Barracuda Networks announced Barracuda Web Application Firewall 7.8, specifically aimed at reducing the impact of automated attack attempts from botnets. Automated botnet attacks recently have gain...

Source: Help Net Security - News | 20 May 2013 | 1:00 am EDT

Week in review: Human sensors, IT security jobs, and hacking car charge stations

Here's an overview of some of last week's most interesting news, videos, reviews and articles: Police unable to decrypt iPhones, asks Apple to do it Court documents from a drug trial in Kentucky...

Source: Help Net Security - News | 20 May 2013 | 12:00 am EDT

"Get free followers" scam targets Instagram users

If a service is popular, you can be sure that scammers and spammers will find a way of targeting as many of its users as they can. Trend Micro fraud analyst Karla Agregado warns about Instagram acc...

Source: Help Net Security - News | 17 May 2013 | 11:20 am EDT

New Mac spyware signed with legitimate Apple Developer ID

A new piece of malware designed to spy on Mac users has been unearthed by security researcher and hacker Jacob Appelbaum at the Oslo Freedom Conference held this week in Norway. The malware was dis...

Source: Help Net Security - News | 17 May 2013 | 10:43 am EDT

Ransomware adds password stealing to its arsenal

Slowly but surely, more and more users are becoming acquainted with the existence of ransomware and when faced with one, they opt not to pay the requested "fine" and instead seek help for disinfecting...

Source: Help Net Security - News | 17 May 2013 | 7:17 am EDT

Targeted data stealing attacks using fake attachments

ESET has uncovered and analyzed a targeted campaign that tries to steal sensitive information from different organizations, particularly in Pakistan (with limited spread around the world). During t...

Source: Help Net Security - News | 17 May 2013 | 6:16 am EDT

A look into the EC Council hack

EC Council was reported to have been compromised by a hacker called Godzilla. Based on published materials it seems that the hacker got access to training course material of several certification prog...

Source: Help Net Security - News | 17 May 2013 | 6:07 am EDT

Four LulzSec hackers handed prison sentences

Four LulzSec members have been sentenced today at Southwark Crown Court for taking part in the 2011 attacks against a series of high-profile websites and publishing user information stolen in these at...

Source: Help Net Security - News | 16 May 2013 | 1:41 pm EDT

Thoughts on the need for anonymity

The other day I was reading a post on BoingBoing about Anonymous getting involved in publicizing the Steubenville and Halifax rape cases, and about a protest rally they organized in Steubenville durin...

Source: Help Net Security - News | 16 May 2013 | 12:29 pm EDT

Application vulnerabilities still a top security concern

Respondents to a new (ISC)2 study identified application vulnerabilities as their top security concern. A significant gap persists between software developers’ priorities and security professionals’ c...

Source: Help Net Security - News | 16 May 2013 | 12:09 pm EDT

The New Yorker launches anonymous dead-drop tool

Popular U.S. magazine The New Yorker has made available for its potential sources an anonymous dead-drop tool that allows them to send and receive messages and files to the publication's journalists w...

Source: Help Net Security - News | 16 May 2013 | 7:48 am EDT

Researchers reveal OpUSA attackers' MO

Anonymous' highly publicized Operation USA has not been the resounding success they expected it to be. Sure, the number of sites sporting a page containing messages from the attackers was big, bu...

Source: Help Net Security - News | 16 May 2013 | 7:08 am EDT

Info-stealing Dorkbot worm spreading on Facebook

The Dorkbot worm, which first appeared in 2011 and has since been spreading via removable drives, IM programs and social networks, is currently targeting Facebook users. The worm is delivered to po...

Source: Help Net Security - News | 16 May 2013 | 6:04 am EDT

Review: The Hacker's Guide to OS X: Exploiting OS X from the Root Up

Authors: Robert Bathurst, Russ Rogers, Alijohn Ghassemlouei Pages: 248 Publisher: Syngress ISBN: 1597499501 Introduction With increasing market share and popularity, OS X is getting more...

Source: Help Net Security - News | 16 May 2013 | 4:40 am EDT

Intelligent vulnerability management from CORE Security

CORE Security launched Insight 3.0, which delivers multi-vector vulnerability assessment, asset categorization, threat simulation, penetration testing and security analytics, all in the context of net...

Source: Help Net Security - News | 16 May 2013 | 3:08 am EDT

TA13-134A: Microsoft Updates for Multiple Vulnerabilities

Original release date: May 14, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for May 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History


This product is provided subject to this Notification and this Privacy & Use policy.


Source: US-CERT Alerts | 14 May 2013 | 4:08 pm EDT

TA13-107A: Oracle Has Released Multiple Updates for Java SE

Original release date: April 17, 2013 | Last revised: April 19, 2013

Systems Affected

Overview

Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle strongly recommends that customers apply CPU fixes as soon as possible.

Description

Oracle Java SE Critical Patch Update Advisory - April 2013 describes the update:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes.

Systems administrators are advised to pay additional attention to Oracle advisories due to the increasing volume of vulnerabilities being patched with each release.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Oracle Java SE Critical Patch Update Advisory - April 2013 includes the following information:

Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

The latest JavaFX release is included with the latest update of JDK and JRE 7. For JDK and JRE 6 users, the latest Java FX release is available from http://www.oracle.com/technetwork/java/javafx/

References

Revision History



Source: US-CERT Alerts | 17 Apr 2013 | 2:02 pm EDT

TA13-100A: Microsoft Updates for Multiple Vulnerabilities

Original release date: April 10, 2013 | Last revised: April 11, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for April 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History



Source: US-CERT Alerts | 10 Apr 2013 | 12:05 pm EDT

TA13-088A: DNS Amplification Attacks

Original release date: March 29, 2013 | Last revised: April 19, 2013

Systems Affected

Overview

A Domain Name System (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

Description

A Domain Name System (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim’s address. When the DNS server sends the DNS record response, it is sent instead to the victim. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers.  These tools will scan entire network ranges and list the address of any identified open resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers.  The query interface allows network administrators to enter IP ranges in CIDR format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet-accessible DNS servers and allows administrators to search for open recursive resolvers [2].  In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion.  This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3].  Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is DNSInspect.  This site is similar to The Measurement Factory’s ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address.  The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21].  The specification does not allow for unsolicited responses.  In a DNS amplification attack, the key indicator is a query response without a matching request.  
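The two properties described above, the size asymmetry between a small query and a large response and the "response without a matching request" indicator, worked through on constructed packets in Python. This is an added example and not part of the US-CERT alert; the name example.test, the transaction IDs and the padded TXT records are made up, and nothing is sent on the network.

```python
"""DNS amplification on constructed packets: size asymmetry plus the
'response without a matching query' indicator. Nothing is sent on the network;
the name example.test, the transaction IDs and the TXT payloads are made up."""
from __future__ import annotations
import struct


def encode_name(name: str) -> bytes:
    """Dotted name -> wire format (length-prefixed labels, terminated by a zero byte)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Wire-format name at offset -> (dotted name, offset just past it); follows 0xC0 pointers."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            target = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def txt_rdata(text: str) -> bytes:
    """RDATA of a TXT record: one length-prefixed character string (constructed filler)."""
    return bytes([len(text)]) + text.encode("ascii")


def build_query(txid: int, qname: str, qtype: int = 255) -> bytes:
    """Standard query with RD=1. qtype 255 (ANY) asks for as much zone data as possible."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rdata_list: list[bytes], rtype: int = 16) -> bytes:
    """Response echoing the query's ID and question, one RR (TXT by default) per RDATA."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdata_list), 0, 0)   # QR, RD, RA set
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(r)) + r for r in rdata_list)
    return header + query[12:] + answers


def parse(packet: bytes) -> dict:
    """Fields needed to correlate a response with the query that should precede it."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, _ = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "ancount": ancount}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed source per byte the sender transmitted (UDP payload only)."""
    return len(response) / len(query)


class UnsolicitedResponseDetector:
    """Tracks outstanding queries from a monitored network by (ID, qname, qtype).
    A response that matches nothing outstanding is the indicator the alert describes."""

    def __init__(self) -> None:
        self.outstanding = set()

    def observe(self, packet: bytes) -> str:
        p = parse(packet)
        key = (p["id"], p["qname"].lower(), p["qtype"])
        if not p["is_response"]:
            self.outstanding.add(key)
            return "query"
        if key in self.outstanding:
            self.outstanding.discard(key)
            return "matched response"
        return "unsolicited response"


if __name__ == "__main__":
    q = build_query(0x1234, "example.test")                       # 30-byte ANY query
    r = build_response(q, [txt_rdata("x" * 200)] * 10)            # ten padded TXT answers
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}")
    det = UnsolicitedResponseDetector()
    print(det.observe(q), "/", det.observe(r), "/", det.observe(r))
```

The detector keys on transaction ID, question name and type, which is what a real resolver also checks before accepting an answer; on a victim network every inbound response fails that check because the victim never sent the query. The factor computed here ignores IP and UDP headers, so the on-the-wire ratio is somewhat lower than the payload ratio.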

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack.  While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties.  According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack [1].  However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole.  Where possible, configuration links have been provided to assist administrators with making the recommended changes.  The configuration information has been limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers.  If you are running a different DNS server, please see your vendor’s documentation for configuration details.

Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to deny any DNS traffic with spoofed addresses.  The Network Working Group of the Internet Engineering Task Force released a Best Current Practice document in May 2000 that describes how an Internet Service Provider can filter network traffic on their network to drop packets with source addresses not reachable via the actual packet’s path [7]. The changes recommended in this document would cause a routing device to test whether it is possible to reach the source address of the packet via the interface that transmitted the packet. If it is not possible, then the packet obviously has a spoofed source address. This configuration change would considerably reduce the potential for most current types of DDoS attacks.
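The reverse-path test described above, modelled in Python on a constructed routing table. This is an added example rather than router configuration from the alert or any vendor; the prefixes, interface names and packet records are made up. It implements the strict form of the check (the best route to the source address must point back out the ingress interface), which is the behaviour the paragraph describes.

```python
"""Strict reverse-path filtering (the BCP 38 / uRPF idea) on a constructed routing table.
Added example; the prefixes, interface names and packets are made up."""
from __future__ import annotations
import ipaddress


class ReversePathFilter:
    """A routing table as (prefix, egress interface) pairs plus the strict uRPF test:
    a packet is accepted only if the best route to its source address points back
    out the interface it arrived on."""

    def __init__(self, routes: list[tuple[str, str]]) -> None:
        self.routes = [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]

    def route_to(self, address: str) -> str | None:
        """Longest-prefix match: the interface used to reach `address`, or None if unrouted."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, ifname in self.routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifname)
        return best[1] if best else None

    def accept(self, src: str, ingress: str) -> bool:
        """Strict-mode verdict for one packet: forward only if the source is reachable via ingress."""
        return self.route_to(src) == ingress


def filter_dns_queries(rpf: ReversePathFilter, packets: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split packet records ({'src': ..., 'ingress': ...}) into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if rpf.accept(pkt["src"], pkt["ingress"]) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed ISP edge: two customer prefixes plus a default route to the upstream.
    rpf = ReversePathFilter([("0.0.0.0/0", "upstream"),
                             ("203.0.113.0/24", "cust-a"),
                             ("198.51.100.0/24", "cust-b")])
    packets = [
        {"src": "203.0.113.9", "ingress": "cust-a"},    # genuine customer traffic
        {"src": "198.51.100.7", "ingress": "cust-a"},   # cust-b's address arriving from cust-a: spoofed
        {"src": "192.0.2.1", "ingress": "upstream"},    # Internet source via the default route
    ]
    fwd, drop = filter_dns_queries(rpf, packets)
    print("forwarded:", [p["src"] for p in fwd])
    print("dropped:", [p["src"] for p in drop])
```

The last case in the sample table is the usual caveat with strict mode: a packet from 203.0.113.9 arriving on the upstream interface is also dropped, because the best route to that source is cust-a. That is correct at a single-homed customer edge, but on links with asymmetric routing operators use the loose variant (source merely has to be routable) or apply the strict check only on customer-facing interfaces.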

Disabling Recursion on Authoritative Name Servers

Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain.  These systems do not need to support resolution of other domains on behalf of a client, and therefore should be configured with recursion disabled.

BIND9

Add the following to the global options [8]:
options {
     allow-query-cache { none; };
     recursion no;
};

Microsoft DNS Server

In the Microsoft DNS console tool [9]:

  1. Right-click the DNS server and click Properties.
  2. Click the Advanced tab.
  3. In Server options, select the “Disable recursion” check box, and then click OK.

Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients.  These requests should typically only come from clients within the organization’s network address range.

BIND9

In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
  allow-query { corpnets; };
  allow-recursion { corpnets; };
};
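A way to verify that the BIND9 ACL above (or the recursion-disabled setting in the previous subsection) actually took effect, in the spirit of the single-resolver test the Measurement Factory offers: send one query with the recursion-desired flag set to a resolver you administer, from an address outside the ACL, and read the recursion-available flag and response code in the reply. This is an added example, not part of the alert or of BIND; the resolver address, the name example.com used in the query and the fake_response helper are placeholders for the demonstration, and only probe() touches the network.

```python
"""Verify a resolver's recursion policy from a chosen vantage point.
Added example, not from US-CERT or ISC. Only probe() sends traffic; classify() and
matches_acl() work on raw bytes and strings and are what the offline checks exercise."""
from __future__ import annotations
import ipaddress
import socket
import struct


def build_query(txid: int, qname: str) -> bytes:
    """A-record query with RD=1, the kind of request an open resolver answers for anyone."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def fake_response(txid: int, flags: int) -> bytes:
    """Constructed reply header (plus an echoed question) for offline testing of classify()."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + build_query(txid, "example.com")[12:]


def classify(response: bytes, expected_id: int) -> str:
    """Map the reply's header flags to the outcomes an administrator cares about."""
    if len(response) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_id or not flags & 0x8000:      # wrong ID or QR bit clear
        return "malformed"
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                    # allow-query / allow-recursion excluded this client
    if not recursion_available:
        return "recursion-unavailable"      # 'recursion no': expected on an authoritative-only server
    return "open-recursive"                 # RA set and answered: recursive service offered to us


def matches_acl(client: str, acl: list[str]) -> bool:
    """Mirror of the BIND acl evaluation: the client is authorized if it falls in any prefix."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(prefix) for prefix in acl)


def consistent_with_policy(client: str, acl: list[str], observed: str) -> bool:
    """True when the probe result is what an allow-recursion ACL says it should be
    (a server with 'recursion no' should instead report recursion-unavailable everywhere)."""
    return observed == ("open-recursive" if matches_acl(client, acl) else "refused")


def probe(resolver: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query to a resolver you administer and classify what comes back."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(txid, qname), (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"            # filtered by a firewall, or nothing listening
    return classify(data, txid)


if __name__ == "__main__":
    corpnets = ["192.168.1.0/24", "192.168.2.0/24"]    # the ACL from the configuration above
    # Offline: what each kind of reply means.
    for flags, label in ((0x8185, "REFUSED"), (0x8100, "RA clear"), (0x8180, "RA set, NOERROR")):
        print(f"{label:16s} -> {classify(fake_response(0x4242, flags), 0x4242)}")
    # Live check against a resolver you operate (placeholder address, replace before running):
    # print(probe("192.0.2.53"))
```

Run probe() from both sides of the ACL: a client inside corpnets should see "open-recursive" and a client outside it should see "refused" (or "no-response" if the firewall drops the query first). A SERVFAIL or NXDOMAIN reply with the RA bit set still counts as open-recursive here, because the server performed recursion on the outsider's behalf; only REFUSED shows the ACL doing its job.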

Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server.  The most effective means of approximating this functionality is to configure the internal DNS server to forward queries to an external DNS server, and to use the firewall to restrict port 53 UDP traffic to the internal server and the external forwarder [11].

Rate Limiting Response of Recursive Name Servers

There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to restrict the number of responses per second being sent from the name server [12].  This is intended to reduce the effectiveness of DNS amplification attacks by reducing the volume of traffic coming from any single resolver.

BIND9

There are currently patches available for 9.8.latest and 9.9.latest to support RRL on UNIX systems. Red Hat has made updated packages available for Red Hat Enterprise Linux 6 to provide the necessary changes in advisory RHSA-2013:0550-1. On a BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]:
rate-limit {
    responses-per-second 5;
    window 5;
};
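What the two numbers in that rate-limit block mean in practice, shown with a simplified token-bucket model in Python: each distinct response (grouped by the client's /24 and the question name, type and response code) earns responses-per-second credits each second and can bank at most window seconds' worth, so an attacker spoofing one victim address and repeating one query is capped while other clients and other names are unaffected. This is an added example and not ISC's implementation; the exact RRL algorithm, including its "slip" behaviour that sends truncated replies instead of silently dropping, is documented by ISC. The client addresses and names below are made up.

```python
"""Simplified token-bucket model of BIND9 response rate limiting (RRL).
Added example, not ISC code: one bucket per (client /24, qname, qtype, rcode) that earns
responses-per-second credits each second and holds at most window seconds' worth."""
from __future__ import annotations
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int = 5, window: int = 5,
                 ipv4_prefix_length: int = 24) -> None:
        self.rps = responses_per_second
        self.max_credit = responses_per_second * window       # 'window' seconds of burst, at most
        self.prefix_length = ipv4_prefix_length
        self.buckets: dict[tuple, tuple[float, float]] = {}   # key -> (credit, time of last update)
        self.dropped = 0

    def _key(self, client_ip: str, qname: str, qtype: int, rcode: int) -> tuple:
        # Clients are grouped by netblock so a spoofer cannot dodge the limit with adjacent addresses.
        # IPv4 only in this model; RRL uses a separate prefix length for IPv6.
        block = ipaddress.ip_network(f"{client_ip}/{self.prefix_length}", strict=False)
        return (str(block), qname.lower(), qtype, rcode)

    def allow(self, client_ip: str, qname: str, qtype: int, rcode: int, now: float) -> bool:
        """Decide whether to send this response at time `now` (seconds)."""
        key = self._key(client_ip, qname, qtype, rcode)
        credit, last = self.buckets.get(key, (float(self.rps), now))   # new bucket: one second's worth
        credit = min(float(self.max_credit), credit + (now - last) * self.rps)
        if credit >= 1.0:
            self.buckets[key] = (credit - 1.0, now)
            return True
        self.buckets[key] = (credit, now)
        self.dropped += 1
        return False


def simulate_burst(limiter: ResponseRateLimiter, client_ip: str, qname: str,
                   count: int, now: float, qtype: int = 255, rcode: int = 0) -> int:
    """Number of identical responses that get through out of `count` arriving at time `now`."""
    return sum(limiter.allow(client_ip, qname, qtype, rcode, now) for _ in range(count))


if __name__ == "__main__":
    rl = ResponseRateLimiter(responses_per_second=5, window=5)   # the values from the alert
    print("burst of 50 at t=0:", simulate_burst(rl, "203.0.113.10", "example.test", 50, now=0.0))
    print("same /24 at t=0:   ", simulate_burst(rl, "203.0.113.77", "example.test", 50, now=0.0))
    print("other client, t=0: ", simulate_burst(rl, "198.51.100.5", "example.test", 3, now=0.0))
    print("again at t=1:      ", simulate_burst(rl, "203.0.113.10", "example.test", 50, now=1.0))
    print("after 10s idle:    ", simulate_burst(rl, "203.0.113.10", "example.test", 50, now=11.0))
    print("dropped in total:  ", rl.dropped)
```

The run shows why the feature belongs on authoritative views: it limits how often the same answer goes to the same netblock, which is exactly the pattern of a reflected flood, while a resolver serving many different clients and names is barely touched.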

Microsoft DNS Server

This option is currently not available for Microsoft DNS Server.

References

Revision History


This product is provided subject to this Notification and this Privacy & Use policy.


Source: US-CERT Alerts | 29 Mar 2013 | 2:26 pm EDT

TA13-071A: Microsoft Updates for Multiple Vulnerabilities

Original release date: March 12, 2013 | Last revised: April 11, 2013

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer
  • Microsoft Office
  • Microsoft Server Software
  • Microsoft Silverlight


Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for March 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 12 Mar 2013 | 11:41 am EDT

TA13-064A: Oracle Java Contains Multiple Vulnerabilities

Original release date: March 05, 2013

Systems Affected

Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including

All versions of Java 7 through update 15, Java 6 through update 41, and Java 5.0 through update 40 are affected.  Web browsers using the Java 5, 6 or 7 plug-in are at high risk.

Overview

Oracle Java 7 update 15, Java 6 update 41, Java 5.0 update 40, and earlier versions of Java contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

An arbitrary memory read and write vulnerability in the Java JVM process could allow an attacker to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

Any web browser using the Java 5, 6, or 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note VU#688246.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process. Note that applications that use the Internet Explorer web-content-rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities.

Solution

Update Java

Oracle Security Alert for CVE-2013-1493 states that Java 7 Update 17 (7u17) and Java 6 Update 43 address this vulnerability (CVE-2013-1493) and a different but equally severe vulnerability (CVE-2013-0809).

Java 7 Update 17 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Disable Java in Web Browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against these vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. According to Setting the Security Level of the Java Client,

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 10, see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

References

Revision History




Source: US-CERT Alerts | 5 Mar 2013 | 8:48 am EST

TA13-051A: Oracle Java Multiple Vulnerabilities

Original release date: February 20, 2013

Systems Affected

Any system using Oracle Java including

Web browsers using the Java plug-in are at high risk.

Overview

Multiple vulnerabilities in Java could allow an attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java SE Critical Patch Update Advisory Update for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). An additional five fixes that had been previously planned for delivery are in this update. This distribution therefore completes the content for all originally planned fixes to be included in the Java SE Critical Patch Update for February 2013. 

Both Java applets delivered via web browsers and stand-alone Java applications are affected, however web browsers using the Java plug-in are at particularly high risk.

The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

Reports indicate that at least one of these vulnerabilities is being actively exploited.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Stand-alone Java applications may also be affected.

Solution

Update Java

The Oracle Java SE Critical Patch Update Advisory Update for February 2013 states that Java 7 Update 15 and Java 6 Update 41 address these vulnerabilities.

Disable Java in web browsers

These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to at least Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.
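The proxy policy this paragraph describes, expressed as a small decision function in Python so the edge cases are explicit: applet fetches are recognised by the .jar or .class path extension or by a User-Agent beginning with "Java/", and are allowed only when the host is on the local intranet. This is an added example, not configuration from the alert or from any proxy product; the intranet suffixes and hostnames are made up, and the .jnlp extension is included as an extension of the rule because the alert lists JNLP files as a vector in its Impact section.

```python
"""Proxy-side policy for Java applet requests: block .jar/.class (and JNLP) fetches and
Java User-Agent requests unless the host is on the local intranet.
Added example, not from US-CERT or any proxy vendor; the names below are made up."""
from __future__ import annotations
from urllib.parse import urlsplit

INTRANET_SUFFIXES = ("intranet.example", "corp.example")   # constructed allow-list of local zones
JAVA_EXTENSIONS = (".jar", ".class", ".jnlp")


def is_intranet(host: str) -> bool:
    """Exact or subdomain match against the allow-list; 'intranet.example.evil' does not match."""
    host = host.lower().rstrip(".")
    return any(host == suffix or host.endswith("." + suffix) for suffix in INTRANET_SUFFIXES)


def is_java_request(url: str, user_agent: str) -> bool:
    """Applet fetch by path extension (query string ignored) or by the runtime's own UA string."""
    path = urlsplit(url).path.lower()
    return path.endswith(JAVA_EXTENSIONS) or user_agent.lower().startswith("java/")


def decide(url: str, user_agent: str = "") -> str:
    """'allow' or 'block' for one proxied request."""
    if not is_java_request(url, user_agent):
        return "allow"
    host = urlsplit(url).hostname or ""
    return "allow" if is_intranet(host) else "block"


def apply_policy(requests: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Evaluate constructed (url, user_agent) pairs; returns (url, verdict) for review."""
    return [(url, decide(url, ua)) for url, ua in requests]


if __name__ == "__main__":
    sample = [
        ("http://www.example.net/app/applet.jar", "Mozilla/5.0"),
        ("http://apps.intranet.example/app/applet.jar", "Mozilla/5.0"),
        ("http://www.example.net/index.html", "Mozilla/5.0"),
        ("http://www.example.net/download?id=7", "Java/1.7.0_15"),
        ("http://www.example.net/APPLET.CLASS?v=2", "Mozilla/5.0"),
        ("http://intranet.example.evil/x.jar", "Mozilla/5.0"),
    ]
    for url, verdict in apply_policy(sample):
        print(f"{verdict:5s} {url}")
```

The User-Agent check is what catches applet resources served without a telling extension (a .jar delivered from a download handler, as in the fourth sample), and the suffix comparison is anchored on a leading dot so a look-alike domain under another top-level domain is not treated as intranet.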

References

Revision History




Source: US-CERT Alerts | 20 Feb 2013 | 9:30 am EST

TA13-043B: Microsoft Updates for Multiple Vulnerabilities

Original release date: February 12, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for February 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 12 Feb 2013 | 3:53 pm EST

TA13-043A: Adobe Updates for Multiple Vulnerabilities

Original release date: February 12, 2013

Systems Affected

Overview

Select Adobe software products contain multiple vulnerabilities. Adobe has released updates to address these vulnerabilities.

Description

Adobe Security Bulletin APSB13-05 and APSB13-06 describe multiple vulnerabilities in Adobe software. Adobe has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Adobe has provided updates for these vulnerabilities in Adobe Security Bulletin APSB13-05 and APSB13-06.

References

Revision History




Source: US-CERT Alerts | 12 Feb 2013 | 3:49 pm EST

TA13-032A: Oracle Java Multiple Vulnerabilities

Original release date: February 01, 2013 | Last revised: February 06, 2013

Systems Affected

Any system using Oracle Java including

Web browsers using the Java plug-in are at high risk.

Overview

Multiple vulnerabilities in Java could allow an attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java SE Critical Patch Update Advisory for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). Both Java applets delivered via web browsers and stand-alone Java applications are affected, however web browsers using the Java plug-in are at particularly high risk.

The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).

Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

Reports indicate that at least one of these vulnerabilities is being actively exploited.

Further technical details are available in Vulnerability Note VU#858729.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Stand-alone Java applications may also be affected.

Solution

Update Java

The Oracle Java SE Critical Patch Update Advisory for February 2013 states that Java 7 Update 13 and Java 6 Update 39 address these vulnerabilities.

Disable Java in web browsers

These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 13, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.

References

Revision History




Source: US-CERT Alerts | 1 Feb 2013 | 11:53 am EST

TA13-134A: Microsoft Updates for Multiple Vulnerabilities

Original release date: May 14, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for May 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 14 May 2013 | 4:08 pm EDT

TA13-107A: Oracle Has Released Multiple Updates for Java SE

Original release date: April 17, 2013 | Last revised: April 19, 2013

Systems Affected

Overview

Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle strongly recommends that customers apply CPU fixes as soon as possible.

Description

Oracle Java SE Critical Patch Update Advisory - April 2013 describes the update:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes.

Systems administrators are advised to pay additional attention to Oracle advisories due to the increasing volume of vulnerabilities being patched with each release.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Oracle Java SE Critical Patch Update Advisory - April 2013 includes the following information:

Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

The latest JavaFX release is included with the latest update of JDK and JRE 7. For JDK and JRE 6 users, the latest JavaFX release is available from http://www.oracle.com/technetwork/java/javafx/.

References

Revision History




Source: US-CERT Alerts | 17 Apr 2013 | 2:02 pm EDT

TA13-100A: Microsoft Updates for Multiple Vulnerabilities

Original release date: April 10, 2013 | Last revised: April 11, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for April 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 10 Apr 2013 | 12:05 pm EDT

TA13-088A: DNS Amplification Attacks

Original release date: March 29, 2013 | Last revised: April 19, 2013

Systems Affected

Overview

A Domain Name System (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

Description

A Domain Name System (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim’s address. When the DNS server sends the DNS record response, it is delivered to the victim instead of the attacker. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers.  These tools will scan entire network ranges and list the address of any identified open resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers.  The query interface allows network administrators to enter IP ranges in CIDR format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet-accessible DNS servers and allows administrators to search for open recursive resolvers [2].  In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion.  This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3].  Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is DNSInspect.  This site is similar to The Measurement Factory’s ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address.  The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21].  The specification does not allow for unsolicited responses.  In a DNS amplification attack, the key indicator is a query response without a matching request.  

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack.  While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties.  According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack [1].  However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole.  Where possible, configuration links have been provided to assist administrators with making the recommended changes.  The configuration information has been limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers.  If you are running a different DNS server, please see your vendor’s documentation for configuration details.

Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to deny any DNS traffic with spoofed addresses.  The Network Working Group of the Internet Engineering Task Force released a Best Current Practice document in May 2000 that describes how an Internet Service Provider can filter network traffic on their network to drop packets with source addresses not reachable via the actual packet’s path [7]. The changes recommended in this document would cause a routing device to test whether it is possible to reach the source address of the packet via the interface that transmitted the packet. If it is not possible, then the packet obviously has a spoofed source address. This configuration change would considerably reduce the potential for most current types of DDoS attacks.

Disabling Recursion on Authoritative Name Servers

Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain.  These systems do not need to support resolution of other domains on behalf of a client, and therefore should be configured with recursion disabled.

BIND9

Add the following to the global options [8]:
options {
     allow-query-cache { none; };
     recursion no;
};

Microsoft DNS Server

In the Microsoft DNS console tool [9]:

  1. Right-click the DNS server and click Properties.
  2. Click the Advanced tab.
  3. In Server options, select the “Disable recursion (also disables forwarders)” check box, and then click OK.  As the label says, this also disables forwarders, so it is appropriate only on a server that is purely authoritative.

Limiting Recursion to Authorized Clients

For DNS servers deployed within an organization or ISP to answer queries on behalf of clients, the resolver should be configured to recurse only for authorized clients.  These requests should typically come only from clients within the organization’s own network address ranges.  Note that in BIND the options-level allow-query also applies to any zones the same server is authoritative for; if one server performs both roles, set allow-query { any; } inside those zone statements so that external clients can still query the hosted zones while recursion stays restricted.

BIND9

In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
  allow-query { corpnets; };
  allow-recursion { corpnets; };
};

Microsoft DNS Server

At the time of this alert it was not possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server (later releases, beginning with Windows Server 2016, added DNS policies with recursion scopes that can do this).  The closest approximation is to configure the internal DNS server to forward queries to an external DNS server and to restrict UDP and TCP port 53 traffic at the firewall so that only the internal server and its external forwarder can exchange DNS traffic [11].
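The practical check for both of the preceding sections is whether a server still recurses for an arbitrary client. The following is an added example, not part of the US-CERT alert: it builds a DNS query with the RD (recursion desired) bit set, sends it, and classifies the reply from its header flags alone. A server that answers with RA (recursion available) and a non-empty answer section for a name it is not authoritative for is an open resolver; a server configured as above instead replies REFUSED (RCODE 5) or clears RA. Probe with a name the target does not host (the default www.example.com is an assumption for that purpose). The replies produced by build_response() are constructed for offline testing.

```python
"""Probe a name server for open recursion and classify its reply (added example)."""
import socket
import struct
import sys

FLAG_QR = 0x8000   # reply
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (type A, class IN) that asks for recursion."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(query, response):
    """Classify a raw DNS reply to `query` using only the 12-byte header."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "id-mismatch"            # not a reply to our query
    if not flags & FLAG_QR:
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                # recursion denied to this client (ACL)
    if flags & FLAG_RA and rcode == 0 and ancount > 0:
        return "open-recursive"         # server resolved a foreign name for us
    if not flags & FLAG_RA:
        return "recursion-unavailable"  # recursion disabled on this server
    return "rcode-%d" % rcode


def build_response(query, ra, rcode, answer_ip=None):
    """Constructed reply for offline tests: echoes the question, optional A record."""
    flags = FLAG_QR | (FLAG_RD if query[2] & 0x01 else 0) | (FLAG_RA if ra else 0) | (rcode & 0xF)
    question = query[12:]
    answers, ancount = b"", 0
    if answer_ip is not None:
        # Name pointer to offset 12 (the question name), type A, class IN, TTL 60, 4-byte rdata.
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return header + question + answers


def probe(server, name="www.example.com", timeout=2.0):
    """Send one UDP query to `server` and classify its reply (needs network access)."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(query, data)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it against your own resolvers from an address outside the allowed client networks; any "open-recursive" verdict means the ACL or recursion setting above is not in effect for that path.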

Rate Limiting Responses of Recursive Name Servers

At the time of this alert, Response Rate Limiting (RRL) was available as an experimental set of patches for BIND9 that allows an administrator to restrict the number of identical responses per second sent to a given client network [12].  It reduces the effectiveness of DNS amplification by capping the volume of traffic any single server will send toward a (spoofed) victim address for the same query.  RRL has since been integrated into BIND 9.9.4 as a compile-time option and is included by default from BIND 9.10.  Note that RRL was designed for authoritative servers, whose answers to repeated identical queries are what an amplification attack abuses; on recursive resolvers the client ACL above remains the primary control.

BIND9

Patches are available for the latest 9.8 and 9.9 releases to support RRL on UNIX systems, and Red Hat has provided updated packages for Red Hat Enterprise Linux 6 containing the necessary changes in advisory RHSA-2013:0550-1. On a BIND9 installation running the RRL patches, add the following to the options block, or to the view block of each authoritative view [13]:
rate-limit {
    responses-per-second 5;
    window 5;
};

Microsoft DNS Server

This option was not available for Microsoft DNS Server at the time of this alert (Windows Server 2016 later added Response Rate Limiting to its DNS Server role).
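To make the two numbers in the rate-limit block concrete, here is an added example, not ISC’s code and not their exact algorithm: a simplified per-tuple token bucket keyed by (client /24, query name, query type), modelled on the responses-per-second and window options quoted above. Credits accrue at responses-per-second and can bank up to window seconds’ worth; when a bucket is empty the response is dropped, and (assumption, modelled on RRL’s “slip” option) every slip-th dropped response is instead answered with a tiny truncated reply so a legitimate client can retry over TCP while a spoofed victim receives almost nothing. The flood scenario in the main block is constructed.

```python
"""Simplified model of BIND Response Rate Limiting (added example, not ISC's code)."""
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, slip=2,
                 ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second
        self.window = window
        self.slip = slip
        self.ipv4_prefix = ipv4_prefix
        self.ipv6_prefix = ipv6_prefix
        # key -> (credit balance, time of last update, dropped-response counter)
        self.buckets = {}

    def _key(self, client_ip, qname, qtype):
        # Aggregate per client network: a spoofing attacker scatters sources over a block.
        prefix = self.ipv6_prefix if ":" in client_ip else self.ipv4_prefix
        net = ipaddress.ip_network("%s/%d" % (client_ip, prefix), strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype="A"):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype)
        balance, last, dropped = self.buckets.get(key, (self.rps, now, 0))
        # Credits accrue at rps per second, capped at `window` seconds' worth.
        balance = min(balance + (now - last) * self.rps, self.rps * self.window)
        if balance >= 1:
            self.buckets[key] = (balance - 1, now, dropped)
            return "send"
        dropped += 1
        self.buckets[key] = (balance, now, dropped)
        if self.slip and dropped % self.slip == 0:
            return "slip"   # TC=1 reply: real clients retry over TCP, victims get ~no bytes
        return "drop"


def simulate_flood(limiter, now, client_ip, qname, qtype, count):
    """Push `count` identical queries through the limiter and tally the verdicts."""
    tally = {"send": 0, "slip": 0, "drop": 0}
    for _ in range(count):
        tally[limiter.decide(now, client_ip, qname, qtype)] += 1
    return tally


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    # Constructed scenario: 200 spoofed "ANY" queries for one name arriving in one second.
    print(simulate_flood(rrl, 0.0, "203.0.113.7", "isc.org", "ANY", 200))
```

With responses-per-second 5 and window 5, a burst of 200 identical queries yields 5 full answers and a handful of 1-packet truncated replies; the amplification the attacker was counting on collapses, while a client on the same network asking for a different name is unaffected because it lands in a different bucket.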

References

Revision History


This product is provided subject to this Notification and this Privacy & Use policy.


Source: US-CERT Alerts | 29 Mar 2013 | 2:26 pm EDT

TA13-071A: Microsoft Updates for Multiple Vulnerabilities

Original release date: March 12, 2013 | Last revised: April 11, 2013

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer
  • Microsoft Office
  • Microsoft Server Software
  • Microsoft Silverlight

 

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for March 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 12 Mar 2013 | 11:41 am EDT

TA13-064A: Oracle Java Contains Multiple Vulnerabilities

Original release date: March 05, 2013

Systems Affected

Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including

All versions of Java 7 through update 15, Java 6 through update 41, and Java 5.0 through update 40 are affected.  Web browsers using the Java 5, 6 or 7 plug-in are at high risk.

Overview

Oracle Java 7 update 15, Java 6 update 41, Java 5.0 update 40, and earlier versions of Java contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

An arbitrary memory read and write vulnerability in the Java JVM process could allow an attacker to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

Any web browser using the Java 5, 6, or 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note VU#688246.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process. Note that applications that use the Internet Explorer web-content-rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities.

Solution

Update Java

Oracle Security Alert for CVE-2013-1493 states that Java 7 Update 17 (7u17) and Java 6 Update 43 address this vulnerability (CVE-2013-1493) and a different but equally severe vulnerability (CVE-2013-0809).

Java 7 Update 17 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets.

Disable Java in Web Browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against these vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. According to Setting the Security Level of the Java Client,

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 10, see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

References

Revision History




Source: US-CERT Alerts | 5 Mar 2013 | 8:48 am EST

TA13-051A: Oracle Java Multiple Vulnerabilities

Original release date: February 20, 2013

Systems Affected

Any system using Oracle Java including

Web browsers using the Java plug-in are at high risk.

Overview

Multiple vulnerabilities in Java could allow an attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java SE Critical Patch Update Advisory Update for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). An additional five fixes that had been previously planned for delivery are in this update. This distribution therefore completes the content for all originally planned fixes to be included in the Java SE Critical Patch Update for February 2013. 

Both Java applets delivered via web browsers and stand-alone Java applications are affected, however web browsers using the Java plug-in are at particularly high risk.

The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

Reports indicate that at least one of these vulnerabilities is being actively exploited.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Stand-alone Java applications may also be affected.

Solution

Update Java

The Oracle Java SE Critical Patch Update Advisory Update for February 2013 states that Java 7 Update 15 and Java 6 Update 41 address these vulnerabilities.

Disable Java in web browsers

These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to at least Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.

References

Revision History




Source: US-CERT Alerts | 20 Feb 2013 | 9:30 am EST

TA13-043B: Microsoft Updates for Multiple Vulnerabilities

Original release date: February 12, 2013

Systems Affected

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for February 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History




Source: US-CERT Alerts | 12 Feb 2013 | 3:53 pm EST

TA13-043A: Adobe Updates for Multiple Vulnerabilities

Original release date: February 12, 2013

Systems Affected

Overview

Select Adobe software products contain multiple vulnerabilities. Adobe has released updates to address these vulnerabilities.

Description

Adobe Security Bulletin APSB13-05 and APSB13-06 describe multiple vulnerabilities in Adobe software. Adobe has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Adobe has provided updates for these vulnerabilities in Adobe Security Bulletin APSB13-05 and APSB13-06.

References

Revision History




Source: US-CERT Alerts | 12 Feb 2013 | 3:49 pm EST

TA13-032A: Oracle Java Multiple Vulnerabilities

Original release date: February 01, 2013 | Last revised: February 06, 2013

Systems Affected

Any system using Oracle Java including

Web browsers using the Java plug-in are at high risk.

Overview

Multiple vulnerabilities in Java could allow an attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java SE Critical Patch Update Advisory for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). Both Java applets delivered via web browsers and stand-alone Java applications are affected, however web browsers using the Java plug-in are at particularly high risk.

The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).

Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

Reports indicate that at least one of these vulnerabilities is being actively exploited.

Further technical details are available in Vulnerability Note VU#858729.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Stand-alone Java applications may also be affected.

Solution

Update Java

The Oracle Java SE Critical Patch Update Advisory for February 2013 states that Java 7 Update 13 and Java 6 Update 39 address these vulnerabilities.

Disable Java in web browsers

These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 13 please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.
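The proxy-based mitigation described here and in the identical section of TA13-051A above can also be checked after the fact from proxy logs. The following is an added example, not part of either US-CERT alert: a detection pass over access-log lines in the Apache/Squid “combined” format (which carries the User-Agent). It flags requests for .jar, .class and .jnlp files and requests whose User-Agent identifies the Java plug-in or javaws (for example “Java/1.7.0_13”), and reports those whose destination is outside an intranet allowlist. The log lines and the allowlist suffix are constructed for this example.

```python
"""Find Java applet and Web Start fetches from Internet hosts in proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Apache/Squid "combined" format with the full URL in the request line (proxy logging).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

APPLET_EXTENSIONS = (".jar", ".class", ".jnlp")

# Assumed intranet domain where locally hosted applets are permitted.
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed sample log lines for this example.
SAMPLE_LINES = [
    '10.0.0.15 - - [20/Feb/2013:10:15:32 +0000] "GET http://evil.example.net/x/payload.jar HTTP/1.1" 200 41233 "http://evil.example.net/landing.html" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"',
    '10.0.0.22 - - [20/Feb/2013:10:16:01 +0000] "GET http://intranet.corp.example/apps/Viewer.class HTTP/1.1" 200 8120 "http://intranet.corp.example/apps/" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"',
    '10.0.0.15 - - [20/Feb/2013:10:16:05 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"',
    '10.0.0.31 - - [20/Feb/2013:10:17:44 +0000] "GET http://cdn.example.com/launch/app.jnlp HTTP/1.1" 200 2048 "-" "JNLP/6.0 javaws/1.6.0_41 (b02) Java/1.6.0_41"',
]


def is_internal(host, internal_suffixes=INTERNAL_SUFFIXES):
    """True if `host` is the allowlisted intranet domain or a subdomain of it."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def classify(line, internal_suffixes=INTERNAL_SUFFIXES):
    """Return a finding dict for a Java-related request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if url.path.lower().endswith(APPLET_EXTENSIONS):
        reasons.append("applet-file")          # .jar/.class/.jnlp fetched through the proxy
    if "java/" in m["ua"].lower():
        reasons.append("java-user-agent")      # request issued by the JVM, not the browser
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "url": m["url"],
            "reasons": reasons, "internal": is_internal(host, internal_suffixes)}


def find_external_java(lines, internal_suffixes=INTERNAL_SUFFIXES):
    """Findings for Java fetches whose destination is outside the intranet allowlist."""
    hits = []
    for line in lines:
        finding = classify(line, internal_suffixes)
        if finding and not finding["internal"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_external_java(SAMPLE_LINES):
        print(hit["client"], "->", hit["url"], ",".join(hit["reasons"]))
```

The same two tests (file extension and Java User-Agent) are what a proxy block rule would key on; running them over historical logs shows which internal clients were still pulling applets from the Internet before the rule went in.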

References

Revision History




Source: US-CERT Alerts | 1 Feb 2013 | 11:53 am EST

VU#774103: Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability

Vulnerability Note VU#774103

Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability

Original Release date: 17 May 2013 | Last revised: 17 May 2013

Overview

The Linux kernel's Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges.

Description

The Linux kernel's Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges. Additional analysis of the vulnerability may be found in the Red Hat bug report. A public exploit is available that has been reported to work against some Linux distributions.

Impact

A local authenticated user may be able to exploit this vulnerability to escalate privileges.

Solution

Apply an Update

Red Hat, Debian, CentOS, and Ubuntu have all released patches. Users should receive the patches through their Linux distributions' normal update process.

Affected Distributions

  • Red Hat Enterprise Linux 6 & Red Hat Enterprise MRG 2
  • CentOS 6
  • Debian 7.0 (Wheezy)
  • Ubuntu 12.04 LTS, 12.10, 13.04
Other distributions may be affected but were not confirmed at the time of publication.

If you are unable to upgrade, please consider the following workaround.

Red Hat has provided mitigation advice in Red Hat Knowledge Solution 373743.

Vendor Information

Vendor                 Status    Date Notified  Date Updated
CentOS                 Affected  -              17 May 2013
Debian GNU/Linux       Affected  -              17 May 2013
Red Hat, Inc.          Affected  -              17 May 2013
Ubuntu                 Affected  -              17 May 2013
Fedora Project         Unknown   -              17 May 2013
Slackware Linux Inc.   Unknown   -              17 May 2013
SUSE Linux             Unknown   -              17 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 5.9 E:ND/RL:OF/RC:C
Environmental 4.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Tommi Rantala discovered this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-2094
  • Date Public: 14 May 2013
  • Date First Published: 17 May 2013
  • Date Last Updated: 17 May 2013
  • Document Revision: 26

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 17 May 2013 | 12:01 pm EDT

VU#701572: Mutiny Appliance contains multiple directory traversal vulnerabilities

Vulnerability Note VU#701572

Mutiny Appliance contains multiple directory traversal vulnerabilities

Original Release date: 15 May 2013 | Last revised: 15 May 2013

Overview

Mutiny appliance contains multiple directory traversal (CWE-22) vulnerabilities.

Description

The Mutiny appliance commands for UPLOAD, DELETE, CUT and COPY are all vulnerable to directory traversal attacks. Additional details may be found in the Rapid7 blog post entitled, "New 1day Exploits: Mutiny Vulnerabilities".

Impact

An authenticated remote attacker may be able to upload, delete, and move files on the system with root privileges.

Solution

Apply an Update

Mutiny appliance version "5.0-1.11 (EAGLe) - (02-05-13)" has been released to address these vulnerabilities.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

Vendor               Status    Date Notified  Date Updated
Mutiny Technologies  Affected  19 Apr 2013    15 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 7.9 AV:N/AC:M/Au:S/C:C/I:C/A:N
Temporal 6.9 E:ND/RL:OF/RC:C
Environmental 5.2 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Juan Vazquez for discovering and Tod Beardsley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information


Source: CERT Recently Published Vulnerability Notes | 15 May 2013 | 1:26 pm EDT

VU#113732: Adobe ColdFusion 9 & 10 code injection vulnerability

Vulnerability Note VU#113732

Adobe ColdFusion 9 & 10 code injection vulnerability

Original Release date: 14 May 2013 | Last revised: 14 May 2013

Overview

Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 are vulnerable to a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.

Description

Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.

Impact

A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.

Solution

Apply an Update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.

Vendor Information

Vendor  Status    Date Notified  Date Updated
Adobe   Affected  05 Apr 2013    14 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 7.7 E:ND/RL:OF/RC:C
Environmental 5.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information


Source: CERT Recently Published Vulnerability Notes | 14 May 2013 | 1:32 pm EDT

VU#127108: Serva32 2.1.0 TFTPD service buffer overflow vulnerability

Vulnerability Note VU#127108

Serva32 2.1.0 TFTPD service buffer overflow vulnerability

Original Release date: 14 May 2013 | Last revised: 21 May 2013

Overview

Serva32 2.1.0 TFTPD service contains a buffer overflow vulnerability.

Description

The Serva32 2.1.0 TFTPD service contains a buffer overflow vulnerability when parsing large read requests: when the application reads in an oversized request, it crashes.

Impact

An unauthenticated attacker can pass large read requests against the application causing it to crash and possibly execute arbitrary code.

Solution

We are currently unaware of a practical solution to this problem.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

Vendor  Status    Date Notified  Date Updated
Serva   Affected  -              13 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C
Temporal 3.9 E:U/RL:W/RC:UC
Environmental 1.1 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jonathan Christmas, a researcher at Solera Networks, for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information


Source: CERT Recently Published Vulnerability Notes | 14 May 2013 | 8:23 am EDT

VU#237655: Microsoft Internet Explorer 8 CGenericElement object use-after-free vulnerability

Vulnerability Note VU#237655

Microsoft Internet Explorer 8 CGenericElement object use-after-free vulnerability

Original Release date: 06 May 2013 | Last revised: 14 May 2013

Overview

Microsoft Internet Explorer 8 contains a use-after-free vulnerability in the CGenericElement object, which is currently being exploited in the wild.

Description

Microsoft Security Advisory 2847140 states:

    Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected by the vulnerability.

    This is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Additional details may be found in the full advisory. A Metasploit module has been released to exploit this vulnerability as well.

Impact

A remote unauthenticated attacker may be able to run arbitrary code in the context of the user running Internet Explorer 8.

Solution

Apply an Update

Microsoft has released MS13-038 to address this vulnerability. The patch may be obtained through Microsoft's Windows Update.

If you are unable to upgrade, please consider the following workarounds.

Apply a Microsoft "Fix It"

Microsoft has released a Microsoft "Fix It" solution for this vulnerability. The "Fix It" solution uses the Windows application compatibility toolkit to make a small change at runtime to mshtml.dll every time IE is loaded.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. While still in beta, EMET 4.0 provides additional exploit mitigations that EMET 3.0 does not that will increase the difficulty of exploitation for an adversary.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              06 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 9.4 AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal 8.9 E:H/RL:W/RC:C
Environmental 6.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was discovered in the wild.

This document was written by Jared Allar.

Other Information


Source: CERT Recently Published Vulnerability Notes | 6 May 2013 | 1:32 pm EDT

VU#912420: IBM Notes runs arbitrary JAVA and Javascript in emails

Vulnerability Note VU#912420

IBM Notes runs arbitrary JAVA and Javascript in emails

Original Release date: 30 Apr 2013 | Last revised: 03 May 2013

Overview

IBM Notes executes arbitrary Java and JavaScript code by default when viewing emails.

Description

The n.runs AG security advisory states:

    Notes 8.5.3 does not filter <applet> tags inside HTML emails. This can be used to load arbitrary Java applets from remote sources (making it an information disclosure as well as this can be used to trigger an HTTP request once the mail is previewed/opened).

Additional details may be found in the full n.runs AG security advisory. It should also be noted that the IBM JRE that comes with the latest patched version of IBM Notes is IBM JRE 6 SR12 while IBM JRE 6 SR13 has been released and includes many security related fixes.

Impact

A remote unauthenticated attacker may be able to execute arbitrary code in the context of the user viewing emails within IBM Notes.

Solution

Apply an Update

IBM's Security Bulletin states:

    The fix will be included in Interim Fix 1 for 8.5.3 Fix Pack 4 and 9.0 Interim Fix 1.
The fix disables loading of Java applets for emails that originated from the Internet. If you are unable to upgrade, consider the following workarounds; we also recommend that all users apply them if they have no need for Java and JavaScript within Notes.

The following directives should be set to zero in notes.ini to reduce the attack surface.

  • EnableJavaApplets=0
  • EnableJavaScript=0
  • EnableLiveConnect=0

Although not needed to mitigate this vulnerability, if plugins are not needed we recommend the following directive also be set to zero.
  • EnablePlugins=0

Alternatively, in Notes Basic Preferences, deselect the following three preferences:
  • Enable Java applets
  • Enable Java access from JavaScript
  • Enable JavaScript

Vendor Information

Vendor           Status    Date Notified  Date Updated
IBM Corporation  Affected  19 Mar 2013    29 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal 5.0 E:ND/RL:OF/RC:C
Environmental 5.0 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Alexander Klink for reporting this vulnerability.

This document was written by Jared Allar.

Other Information


Source: CERT Recently Published Vulnerability Notes | 30 Apr 2013 | 12:55 pm EDT

VU#209131: McAfee ePolicy Orchestrator 4.6.4 and earlier pre-authenticated SQL injection and directory path traversal vulnerabilities

Vulnerability Note VU#209131

McAfee ePolicy Orchestrator 4.6.4 and earlier pre-authenticated SQL injection and directory path traversal vulnerabilities

Original Release date: 29 Apr 2013 | Last revised: 29 Apr 2013

Overview

McAfee ePolicy Orchestrator 4.6.4 and earlier contains pre-authentication SQL injection and directory path traversal vulnerabilities that could allow an attacker to inject malicious code into the system.

Description

McAfee ePolicy Orchestrator 4.6.4 and earlier contains pre-authentication SQL injection and directory path traversal vulnerabilities:

    1. Server-side pre-Authenticated SQL Injection within the Agent-Handler component (Agent-Server communication channel).
    The attack is performed by registering a rogue Agent to the ePolicy Orchestrator server, and sending a crafted HTTP request to the ePolicy Orchestrator server. Successful attacks allow remote attackers to retrieve sensitive information from the ePo database (such as administrative domain credentials), to create additional web console administrator accounts, and to perform remote code execution with SYSTEM privilege. CVE-2013-0140

    2. Server-side pre-Authenticated Directory Path Traversal within File upload process.
    The attack is performed by registering a rogue Agent to the ePolicy Orchestrator server, and sending a crafted HTTP request to the ePolicy Orchestrator server. Successful attacks allow remote attackers to upload unrestricted file content. A typical scenario would be to store malicious files under /Software/ folder, to make them available for download from the ePolicy Orchestrator server. CVE-2013-0141

Impact

An attacker with network access to the McAfee ePolicy Orchestrator Agent-Handler (port tcp/443 by default) could upload arbitrary files under the ePolicy Orchestrator installation folder, gain read and write access to the ePolicy Orchestrator database, or run arbitrary code on the ePolicy Orchestrator system.

Solution

Update

McAfee Security Advisory SB10042 states:

    All of these issues are resolved in McAfee ePO version 4.6.6 and 4.5.7.
    McAfee ePO 4.5.7 is targeted for release in mid-May 2013.
    McAfee ePO 4.6.6 was released on March 26th, 2013.
    A McAfee ePO 4.5.6 Hotfix was released on April 15th, 2013.

    McAfee ePO download Instructions.
    1. Launch Internet Explorer.
    2. Navigate to:
    http://www.mcafee.com/us/downloads
    3. Provide your valid McAfee grant number.
    4. Select the product and click View Available Downloads.
    5. Click McAfee ePolicy Orchestrator.
    6. Click the patches tab or click the link to download the product .ZIP file under Download on the Software Downloads screen.
    For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see:
    KB56057.

Vendor Information

Vendor | Status   | Date Notified | Date Updated
McAfee | Affected | 28 Jan 2013   | 25 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 7.9   | AV:A/AC:M/Au:N/C:C/I:C/A:C
Temporal      | 6.2   | E:POC/RL:OF/RC:C
Environmental | 5.5   | CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Jerome Nokin from Verizon Enterprise Solutions (GCIS Vulnerability Management) for discovering this vulnerability, and thanks to Thierry Zoller from Verizon Enterprise Solutions (GCIS Vulnerability Management) for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 29 Apr 2013 | 8:48 am EDT

VU#948155: Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations

Vulnerability Note VU#948155

Original Release date: 26 Apr 2013 | Last revised: 26 Apr 2013

Overview

Henry Schein Dentrix G5, a dental practice management software suite, uses hard-coded database access credentials that are shared across multiple installation sites. An attacker who is able to obtain the credentials for one site may be able to gain access to other sites using the same credentials.

Description

Dentrix G5 uses hard-coded credentials (CWE-798) to access its database back-end. The credentials are the same across all installations of Dentrix G5, and Dentrix G5 databases contain sensitive patient information. An administrator cannot change these credentials without breaking access to the back-end database. Henry Schein has provided a vendor statement with additional details about this vulnerability.

Impact

An attacker who is able to obtain the database credentials from one site can potentially access databases on other sites sharing the same credentials. The attacker may need access to the local network or a system with Dentrix G5 installed in order to obtain the credentials, and the attacker would need network access to the database in order to obtain sensitive patient information.

Solution

Apply an Update

Dentrix G5 version 15.1.294 (Dentrix G5.1 Hotfix 1, released 14 Feb 2013) addresses this vulnerability. This update adds a feature to create a unique database back-end password for each Dentrix G5 installation. The update also makes it more difficult to obtain the password from a Dentrix G5 system or the network. Contact Henry Schein customer service for additional information.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded credentials from a blocked network location.

Do not allow the Dentrix G5 database to be accessed by unauthorized users on an insecure wireless network. If the Dentrix G5 database is accessible from an insecure wireless network, a remote attacker may be able to gain access using the hard-coded credentials. Wireless access points should be configured to use WPA2 encryption and disable the WiFi Protected Setup (WPS) PIN. Encryption standards such as Wired Equivalent Privacy (WEP) can be easily cracked and should not be relied on to secure wireless networks. MAC address whitelisting can also be used to restrict wireless LAN access to trusted clients.

Vendor Information

Vendor               | Status   | Date Notified | Date Updated
Henry Schein Dentrix | Affected | 15 Oct 2012   | 05 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 7.4   | AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal      | 6.4   | E:ND/RL:OF/RC:C
Environmental | 1.9   | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Justin Shafer for reporting this vulnerability.

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 26 Apr 2013 | 4:31 pm EDT

VU#521612: Citrix NetScaler and Access Gateway Enterprise Edition unauthorized access to network resources vulnerability

Vulnerability Note VU#521612

Original Release date: 25 Apr 2013 | Last revised: 25 Apr 2013

Overview

Citrix NetScaler and Access Gateway Enterprise Edition contain a vulnerability which could result in unauthorized access to network resources.

Description

Citrix NetScaler and Access Gateway Enterprise Edition contain a vulnerability which could allow a remote attacker to gain unauthorized access to network resources.

For additional information please see Citrix Advisory.

Impact

A remote attacker could gain unauthorized access to internal network resources.

Solution

Upgrade

Citrix Advisory states:

    A new version of the NetScaler appliance firmware has been released to address this vulnerability. Citrix strongly recommends that affected customers upgrade their appliances to version 9.3.62.x or later as soon as possible. Customers using NetScaler Access Gateway Enterprise Edition in the Common Criteria evaluated configuration should upgrade to 9.3.53.6. These new firmware versions can be downloaded from the Citrix website at the following location: https://www.citrix.com/downloads/netscaler-adc/firmware.html

    Customers using NetScaler appliance firmware versions up to and including 10.0.74.4 in a double hop deployment should apply the following configuration change from the NSCLI:

    >add ns acl allowedHost ALLOW -srcIP <MIP/SNIP address of AGEE in the first DMZ> -destIP <ICA proxy VIP> -priority 10 #permit traffic only from the AGEE appliance in the first DMZ

    >enable ns acl allowedHost

    >add ns acl denyAll DENY -srcIP 0.0.0.0 - 255.255.255.255 -destIP <ICA proxy VIP> -priority 20 #block everything else

    >enable ns acl denyAll
    >apply ns acls

Vendor Information

Citrix Advisory states:

    This vulnerability affects the following NetScaler Access Gateway Enterprise Edition configurations:

    • All appliance firmware versions up to and including version 9.3.61.5 with the exception of Common Criteria build 9.3.53.6.

    • All version 10.0 appliance firmware up to and including version 10.0.74.4 when deployed in a double hop configuration only.
    Customers using an appliance with appliance firmware version 10.0 that is not deployed in a double hop configuration are not affected by this vulnerability.

Vendor | Status   | Date Notified | Date Updated
Citrix | Affected | 15 Mar 2013   | 25 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 5.4   | AV:N/AC:H/Au:N/C:C/I:N/A:N
Temporal      | 4.2   | E:POC/RL:OF/RC:C
Environmental | 4.5   | CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to HyeongKwan Lee of SK Planet for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 25 Apr 2013 | 9:19 am EDT

VU#131263: avast! Mobile Security Android application denial-of-service vulnerability

Vulnerability Note VU#131263

Original Release date: 19 Apr 2013 | Last revised: 19 Apr 2013

Overview

avast! Mobile Security Android application version 2.0.3587, and possibly earlier versions, contains a denial-of-service vulnerability.

Description

avast! Mobile Security (version 2.0.3587) crashes if an Intent is sent to com.avast.android.mobilesecurity.app.scanner.DeleteFileActivity with no arguments. Upon receiving the malformed Intent the application crashes with the following message.

“Unfortunately, avast! Mobile Security has stopped.”

The logcat log contains a message confirming that the application has crashed.

“I/ActivityManager(  175): Process com.avast.android.mobilesecurity (pid 6596) has died.”

As a result, a malicious application is able to disable the avast! Mobile Security software.

Impact

A malicious application installed on the phone may be able to disable the avast! Mobile Security software.

Solution

Apply an Update

Upgrade to avast! Mobile Security version 2.0.4400 or later to address this vulnerability.

Vendor Information

Vendor                    | Status   | Date Notified | Date Updated
Avast! Antivirus Software | Affected | 22 Mar 2013   | 16 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 3.8   | AV:L/AC:H/Au:S/C:N/I:N/A:C
Temporal      | 3.0   | E:POC/RL:OF/RC:C
Environmental | 2.3   | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Kurt Traver for reporting this vulnerability.

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 19 Apr 2013 | 3:20 pm EDT

VU#880916: BitZipper 2013 memory-corruption vulnerability

Vulnerability Note VU#880916

Original Release date: 19 Apr 2013 | Last revised: 19 Apr 2013

Overview

BitZipper 2013 contains a memory-corruption vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

BitZipper 2013 contains a memory-corruption vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.

Impact

By convincing a user to view a specially crafted ZIP document, an attacker may be able to execute arbitrary code on a vulnerable system.

Solution

Update

The vendor has stated that this vulnerability has been addressed in BitZipper 2013 Update 1. Users are advised to update to BitZipper 2013 Update 1 or later.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor    | Status   | Date Notified | Date Updated
BitZipper | Affected | 04 Mar 2013   | 16 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 4.0   | AV:L/AC:H/Au:N/C:N/I:N/A:C
Temporal      | 2.9   | E:U/RL:W/RC:UC
Environmental | 0.9   | CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 19 Apr 2013 | 8:20 am EDT

VU#311644: pd-admin contains cross-site scripting vulnerabilities

Vulnerability Note VU#311644

Original Release date: 15 Apr 2013 | Last revised: 15 Apr 2013

Overview

pd-admin, a web interface for users of hosting providers, is susceptible to cross-site scripting (XSS) vulnerabilities.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

pd-admin contains cross-site scripting (XSS) vulnerabilities.

The vulnerability report provided by Thomas Roth states:

    Reflective cross-site scripting
    When pasting the string below into the 'Create new directory' textfield (found under 'WebFTP' -> 'Overview'), the error page will include the attacker supplied JavaScript code.

    "><script>alert("XSS");</script>

    Stored cross-site scripting
    When storing the string below as the body for an e-mail autoresponder, every time someone tries to change the text of the autoresponder, the attacker supplied JavaScript code will execute. By tricking a (higher privileged) support contact into looking at it, the attacker might be able to steal the support contact's session cookie.

    </textarea><script>alert("XSS");</script>

Impact

An attacker may be able to exploit the cross-site scripting vulnerabilities to cause information leakage, privilege escalation, and/or denial of service on the host computer.

Solution

Apply an Update

pd-admin 4.17 has been released to address these vulnerabilities.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor   | Status   | Date Notified | Date Updated
pd-admin | Affected | 20 Mar 2013   | 15 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 4.3   | AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal      | 3.9   | E:ND/RL:U/RC:UC
Environmental | 2.9   | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Thomas Roth for reporting this vulnerability.

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 15 Apr 2013 | 4:18 pm EDT

VU#375180: Arecont Vision model AV1355DN camera vulnerable to denial of service

Vulnerability Note VU#375180

Original Release date: 15 Apr 2013 | Last revised: 15 Apr 2013

Overview

The Arecont Vision model AV1355DN MegaDome surveillance camera is reported to be affected by a denial-of-service vulnerability that is triggered by sending a UDP packet to port 69 on the device.

Description

The Arecont Vision model AV1355DN MegaDome surveillance camera is reported to be affected by a denial-of-service vulnerability that is triggered by sending a UDP packet to port 69 on the device. It has been reported that the camera stops producing video when the vulnerability is triggered, and that the crash may be triggered by scanning tools such as Nessus and Nmap. After the denial of service is triggered, the device must be power cycled to resume video capture.

Impact

A remote unauthenticated attacker may be able to cause the camera to stop producing video until the device is power cycled.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Restrict Access

Implement firewall rules to block access to port 69 on the device.

Vendor Information

Vendor         | Status   | Date Notified | Date Updated
Arecont Vision | Affected | 07 Feb 2013   | 15 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 7.8   | AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal      | 7.0   | E:H/RL:U/RC:UC
Environmental | 5.3   | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Charles Corcoran for reporting this vulnerability.

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 15 Apr 2013 | 12:59 pm EDT

VU#310500: Plesk Panel 11.0.9 privilege escalation vulnerabilities

Vulnerability Note VU#310500

Original Release date: 10 Apr 2013 | Last revised: 25 Apr 2013

Overview

Plesk Panel 11.0.9 and possibly earlier versions contain multiple privilege escalation vulnerabilities.

Description

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

  • Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
  • The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
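
The second issue is the classic PATH search problem in a privileged helper. The following added example (not Plesk or Parallels code) shows, with a throwaway directory layout, why a wrapper that inherits the caller's PATH picks up the wrong binary and how building the child environment from a fixed trusted path avoids it; the directory names and the `hostname` stand-in are assumptions.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Assumption for this example: the only directories a privileged helper may
# search for external programs. A real wrapper would pin this at build time.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def sanitized_env(trusted_path: str = TRUSTED_PATH) -> dict:
    """Environment a privileged helper should hand to child processes.

    Nothing from the caller is inherited: PATH is replaced with the trusted
    list, and variables that change how a binary is loaded or resolved
    (LD_PRELOAD, LD_LIBRARY_PATH, IFS, ...) are absent because the dict is
    built from scratch rather than copied from os.environ.
    """
    return {"PATH": trusted_path, "LANG": "C"}


def resolve_program(name: str, env: dict) -> str:
    """Resolve a bare program name to an absolute path using only env['PATH'].

    Raises if the name carries a directory component or is not found, so the
    helper never executes something that was not on the trusted list.
    """
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError(f"refusing to resolve non-bare program name {name!r}")
    found = shutil.which(name, path=env["PATH"])
    if found is None:
        raise FileNotFoundError(f"{name} not found on trusted PATH")
    return os.path.realpath(found)


def run_trusted(name: str, args: list, env: dict) -> subprocess.CompletedProcess:
    """Execute a resolved program with the sanitized environment only."""
    return subprocess.run([resolve_program(name, env), *args], env=env,
                          capture_output=True, text=True, check=False)


def _write_script(directory: str, name: str, message: str) -> None:
    """Create a tiny executable shell script (constructed test fixture)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def demo() -> tuple:
    """Show which 'hostname' a wrapper would run with inherited vs. sanitized PATH.

    Constructed layout under a temp dir: a trusted bin directory and a
    directory an unprivileged account could write to, each holding a script
    called 'hostname'. Returns (path picked with the caller's PATH, path
    picked with the sanitized PATH).
    """
    root = tempfile.mkdtemp(prefix="pathdemo-")
    trusted_bin = os.path.join(root, "usr", "bin")
    user_bin = os.path.join(root, "home", "lowpriv", "bin")
    for d in (trusted_bin, user_bin):
        os.makedirs(d)
    _write_script(trusted_bin, "hostname", "real-hostname")
    _write_script(user_bin, "hostname", "planted-hostname")

    # What the wrapper sees if it naively inherits the caller's environment.
    inherited_env = {"PATH": os.pathsep.join([user_bin, trusted_bin])}
    # What it sees when it builds its own environment from scratch.
    hardened_env = sanitized_env(trusted_path=trusted_bin)

    return (resolve_program("hostname", inherited_env),
            resolve_program("hostname", hardened_env))


if __name__ == "__main__":
    naive, hardened = demo()
    print("inherited PATH resolves to:", naive)
    print("sanitized PATH resolves to:", hardened)
```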

Impact

An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.

Solution

Update

Parallels' Plesk Panel advisory states:

    Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

    • Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information
    • Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
    • Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
    • Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
    • Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
    • Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
    • Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
    • Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Parallels' Plesk Panel advisory states the following workaround:

    Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
    Below is an example of how to switch mod_php to fast_cgi for all existing domains:
    # mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
    After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
    For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

Vendor Information

Vendor                 | Status   | Date Notified | Date Updated
Parallels Holdings Ltd | Affected | 08 Feb 2013   | 25 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 4.4   | AV:L/AC:M/Au:S/C:C/I:N/A:N
Temporal      | 3.4   | E:U/RL:U/RC:UC
Environmental | 1.0   | CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 10 Apr 2013 | 1:11 pm EDT

VU#557252: AirDroid web interface XSS vulnerability

Vulnerability Note VU#557252

Original Release date: 08 Apr 2013 | Last revised: 29 Apr 2013

Overview

The AirDroid web interface contains an XSS vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The AirDroid web interface fails to sanitize the content of text messages on the target phone; a message containing script is rendered unescaped, so the script executes in the browser on the host computer.

Impact

An attacker with access to the phone being controlled by AirDroid can send a text message with malicious code. When this message is viewed on the AirDroid web interface the attacker can conduct a cross-site scripting attack, which may lead to information leakage, privilege escalation, and/or denial of service on the host computer.

Solution

Update

The vendor has stated that this vulnerability has been addressed in the latest version of AirDroid. Users are advised to upgrade to the latest version of AirDroid on the Google Play Store.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the AirDroid web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor   | Status   | Date Notified | Date Updated
AirDroid | Affected | -             | 03 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 2.1   | AV:N/AC:H/Au:S/C:P/I:N/A:N
Temporal      | 1.5   | E:U/RL:W/RC:UC
Environmental | 0.6   | CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Solomon Gilbert and Aidan Woodcraft for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 8 Apr 2013 | 8:27 am EDT

VU#771620: NVIDIA UNIX GPU driver ARGB cursor buffer overflow in "NoScanout" mode

Vulnerability Note VU#771620

Original Release date: 05 Apr 2013 | Last revised: 05 Apr 2013

Overview

NVIDIA UNIX video drivers contain a buffer overflow vulnerability when run in NoScanout mode.

Description

The NVIDIA security advisory states:

    NVIDIA UNIX GPU Driver ARGB Cursor Buffer Overflow in "NoScanout" Mode.

    When the NVIDIA driver for the X Window System is operated in "NoScanout" mode, and an X client installs an ARGB cursor that is larger than the expected size (64x64 or 256x256, depending on the driver version), the driver will overflow a buffer. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Because the X server runs as setuid root in many configurations, an attacker could potentially use this vulnerability in those configurations to gain root privileges.

    To install an ARGB cursor, an application would require a connection to a running X server. Normally, X servers are configured to only accept authenticated connections from the local host, but some X servers may be configured to more permissively allow connections, and/or to allow connections over a network.

    "NoScanout" mode is enabled implicitly on NVIDIA products which lack display output connectors, and can be enabled explicitly on some other configurations with the X configuration option:

    Option "UseDisplayDevice" "none"

    NVIDIA GPU drivers for OSes other than Linux, FreeBSD, VMware ESX, and Solaris are not affected.

    This vulnerability has been present since NVIDIA driver version 195.22.
    The overflow is fixed in 304.88, 310.44, 313.30, and all drivers newer than those versions.

    NVIDIA recommends that users upgrade to a fixed driver version, or disable NoScanout mode, where possible.

    This vulnerability was identified by NVIDIA. There are no known reports of exploits of this vulnerability in the wild.

Additional details may be found in the full NVIDIA security advisory.

Impact

A local authenticated attacker may be able to exploit this vulnerability to escalate privileges to the root user.

Solution

Apply an Update

The overflow is fixed in driver versions 304.88, 310.44, 313.30, and all drivers newer than those versions. Users should download the drivers directly from NVIDIA.

Vendor Information

Vendor | Status   | Date Notified | Date Updated
NVIDIA | Affected | -             | 05 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 6.0   | AV:L/AC:M/Au:S/C:C/I:C/A:N
Temporal      | 5.2   | E:ND/RL:OF/RC:C
Environmental | 4.3   | CDP:L/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to the NVIDIA security team for reporting this vulnerability.

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 5 Apr 2013 | 4:07 pm EDT

VU#183692: PHP Address Book sqli vulnerability

Vulnerability Note VU#183692

Original Release date: 05 Apr 2013 | Last revised: 05 Apr 2013

Overview

The PHP Address Book web application is vulnerable to multiple SQL injection vulnerabilities.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

PHP Address Book 8.2.5 and possibly older versions fail to sanitize input in multiple scripts, including the following URL parameters:
http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass
http://www.example.com/addressbook/register/admin_index.php?q={insert}
http://www.example.com/addressbook/register/delete_user.php?id={insert}
http://www.example.com/addressbook/register/edit_user.php?id={insert}

Additional information on the vulnerable functions can be found in the Acadion Security advisory.
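
The affected scripts take request parameters straight into their queries. As an added example (not PHP Address Book code, and written in Python rather than PHP), here is the checklogin and delete_user pattern written both ways against a constructed SQLite table, with the hardened form using bound parameters and type validation; the table schema and column names are assumptions.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Placeholder only: a production deployment needs a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the address book's login table; the real
    schema and column names are not given in the note."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO members (username, pw_hash) VALUES (?, ?)",
        ("alice", _hash("correct-horse")),
    )
    conn.commit()
    return conn


def checklogin_unsafe(conn: sqlite3.Connection, username: str, password: str):
    """The pattern behind checklogin.php?username=...&password=...: request
    values are spliced into the SQL text, so they can rewrite the query."""
    sql = (
        "SELECT username FROM members WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _hash(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def checklogin(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the statement text is fixed and the values are bound as
    parameters, so they are only ever compared, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM members WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


def delete_user(conn: sqlite3.Connection, user_id) -> int:
    """delete_user.php?id=... style handler: enforce the expected type before
    the value goes anywhere near SQL, then bind it. Returns rows deleted."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    cur = conn.execute("DELETE FROM members WHERE id = ?", (uid,))
    conn.commit()
    return cur.rowcount
```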

Impact

A remote unauthenticated attacker may be able to run a subset of SQL commands against the back-end database.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks, since the injected SQL arrives in an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor           | Status   | Date Notified | Date Updated
PHP Address Book | Affected | -             | 03 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 9.0   | AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal      | 6.5   | E:U/RL:W/RC:UC
Environmental | 1.7   | CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Jurgen Voorneveld of Acadion Security for reporting this vulnerability.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 5 Apr 2013 | 2:02 pm EDT

VU#418923: C2 WebResource web interface XSS vulnerability

Vulnerability Note VU#418923

Original Release date: 03 Apr 2013 | Last revised: 03 Apr 2013

Overview

The C2 WebResource web interface contains an XSS vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The C2 WebResource web interface is vulnerable to XSS on the following URL and parameter:
https://c2webresource/fileview.asp?File=<script>alert(document.cookie)</script>
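
The fix for this class of bug is context-appropriate output encoding. The following added example (not C2 WebResource, pd-admin or AirDroid code, and written in Python) renders the reflected File parameter here and the stored textarea body from the pd-admin note above both unencoded and encoded, with checks a reviewer can apply to the result; the markup and function names are assumptions.

```python
import html
import re

# Constructed payloads modelled on the strings quoted in the pd-admin and
# C2 WebResource notes on this page.
TEXTAREA_PAYLOAD = '</textarea><script>alert("XSS");</script>'
INPUT_VALUE_PAYLOAD = '"><script>alert("XSS");</script>'
REFLECTED_PAYLOAD = '<script>alert(document.cookie)</script>'

SCRIPT_START_TAG = re.compile(r"<script\b", re.IGNORECASE)


def encode_for_html(value: str) -> str:
    """Turn user data into inert text for an HTML element body or a quoted
    attribute: &, <, >, " and ' become character references."""
    return html.escape(value, quote=True)


# --- stored XSS: autoresponder body re-displayed inside a <textarea> -------

def render_autoresponder_unsafe(body: str) -> str:
    # Raw interpolation: a body containing </textarea> closes the element and
    # whatever follows is parsed as markup.
    return f'<form><textarea name="body">{body}</textarea></form>'


def render_autoresponder(body: str) -> str:
    # Encoded: "</textarea>" is shown as literal characters and the form still
    # contains exactly one closing tag.
    return f'<form><textarea name="body">{encode_for_html(body)}</textarea></form>'


# --- reflected XSS: rejected input echoed back into an attribute value ------

def render_mkdir_error_unsafe(name: str) -> str:
    return f'<p>Could not create directory.</p><input name="dir" value="{name}">'


def render_mkdir_error(name: str) -> str:
    return f'<p>Could not create directory.</p><input name="dir" value="{encode_for_html(name)}">'


# --- reflected XSS: a query parameter echoed into the page body -------------

def render_fileview_unsafe(file_param: str) -> str:
    return f"<h1>File: {file_param}</h1>"


def render_fileview(file_param: str) -> str:
    return f"<h1>File: {encode_for_html(file_param)}</h1>"


# --- checks a reviewer or test can apply to the rendered markup -------------

def has_live_script(markup: str) -> bool:
    """True if the rendered page contains an actual <script> start tag."""
    return SCRIPT_START_TAG.search(markup) is not None


def textarea_intact(markup: str) -> bool:
    """True if exactly one </textarea> is present, i.e. nothing broke out."""
    return markup.lower().count("</textarea>") == 1


def decodes_back(value: str) -> bool:
    """Encoding is lossless: the browser shows the user's text unchanged."""
    return html.unescape(encode_for_html(value)) == value
```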

Impact

An attacker with access to the C2 WebResource web interface can conduct a cross-site scripting attack, which may lead to information leakage, privilege escalation, and/or denial of service.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the C2 WebResource web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor       | Status   | Date Notified | Date Updated
C2Enterprise | Affected | -             | 02 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group         | Score | Vector
Base          | 0.0   | AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal      | 0.0   | E:ND/RL:ND/RC:ND
Environmental | 0.0   | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thank you to the reporter, who wishes to remain anonymous.

This document was written by Michael Orlando.

Source: CERT Recently Published Vulnerability Notes | 3 Apr 2013 | 8:11 am EDT

VU#704916: The TigerText Free Consumer Private Texting App (iOS) sends unencrypted user information in support requests

Vulnerability Note VU#704916

The TigerText Free Consumer Private Texting App (iOS) sends unencrypted user information in support requests

Original Release date: 02 Apr 2013 | Last revised: 02 Apr 2013

Overview

The TigerText Free Consumer Private Texting App (iOS) sends unencrypted user information to TigerText support.

Description

The TigerText app generates an unencrypted log file containing the TigerText username and password on the device when a user taps on "Contact Customer Support." An email is generated to support that sends the log information with it. This does not impact the TigerText Pro application.

Impact

TigerText usernames and passwords may be viewable by TigerText support or others with access to the device or email. A recipient of the email containing the log file could use credentials to impersonate the user, gaining unauthorized access to any non-expired messages.

Solution

Apply an Update

An updated app is available from the iTunes App Store. Version 3.1.402 or above contains a patch that removes sensitive information from the log file. The latest version is available here: https://itunes.apple.com/us/app/tiger-text/id355832697?mt=8

Vendor Information

Vendor      Status    Date Notified   Date Updated
TigerText   Affected  07 Feb 2013     18 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           1.7     AV:L/AC:L/Au:S/C:P/I:N/A:N
Temporal       1.4     E:F/RL:OF/RC:C
Environmental  0.4     CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Pedro Paixao for reporting this vulnerability.

This document was written by Chris King.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 2 Apr 2013 | 11:35 am EDT

VU#370868: CoreFTP contains a buffer overflow vulnerability

Vulnerability Note VU#370868

CoreFTP contains a buffer overflow vulnerability

Original Release date: 21 Mar 2013 | Last revised: 21 Mar 2013

Overview

CoreFTP contains a buffer overflow when parsing long directory names.

Description

CoreFTP is susceptible to a buffer overflow when parsing long directory names from a malicious FTP server. The LIST and VIEW commands are vulnerable to a denial of service, and the DELE command has been reported to be vulnerable to code execution.

Impact

If a user is tricked into connecting to a malicious FTP server and deleting a directory with a long name, arbitrary code may run on the user's computer.

Solution

Apply an Update

Upgrade to CoreFTP 2.2 build 1769 or later. If you are unable to upgrade, please consider the following workarounds.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor    Status    Date Notified   Date Updated
CoreFTP   Affected  -               21 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           5.1     AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal       3.4     E:U/RL:OF/RC:UC
Environmental  0.5     CDP:N/TD:L/CR:L/IR:L/AR:L

References

Credit

Thanks to Silent Dream for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 21 Mar 2013 | 3:02 pm EDT

VU#957036: NVIDIA Windows video card drivers contain multiple vulnerabilities

Vulnerability Note VU#957036

NVIDIA Windows video card drivers contain multiple vulnerabilities

Original Release date: 21 Mar 2013 | Last revised: 21 Mar 2013

Overview

NVIDIA video card drivers contain multiple vulnerabilities.

Description

The NVIDIA security advisory states:

    CVE-2013-0109: NVIDIA Display Driver Service Vulnerability
    Due to an issue identified with the NVIDIA driver, a malicious actor could – by forcing exceptions and overwriting memory – potentially escalate privileges to gain administrative control of a system. The vulnerability is associated with the NVIDIA Display Driver service, and affects NVIDIA drivers for Windows operating systems (Windows XP/Windows Vista/Windows 7/Windows 8 - 32 & 64-bit) starting with the Release 173 drivers.

    CVE-2013-0110: NVIDIA Stereoscopic 3D Driver Service Vulnerability
    NVIDIA has verified an issue with the NVIDIA Stereoscopic 3D Driver Service (nvSCPAPISvr.exe), which could allow a malicious actor to potentially escalate privileges locally by inserting an executable file in the path of the affected service. The specific issue identified was that the service used an unquoted service path, containing at least one whitespace.

    CVE-2013-0111: NVIDIA Update Service Daemon Vulnerability
    NVIDIA has verified an issue with the NVIDIA Update Service Daemon (daemonu.exe), which could allow a malicious actor to potentially escalate privileges locally by inserting an executable file in the path of the affected service. The specific issue identified was that the service used an unquoted service path, containing at least one whitespace.

    The vulnerabilities are present in NVIDIA drivers starting with driver version 173.01 and are resolved in driver releases starting with version 311.00 (for Release 310) and version 307.78 (for Release 304).


Additional details may be found on the NVIDIA support page.
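CVE-2013-0110 and CVE-2013-0111 above are both the unquoted service path weakness (CWE-428): when a service's image path contains whitespace and is not quoted, Windows resolves the executable ambiguously. The following audit helper is an added example, not code from the CERT note or from NVIDIA. It takes ImagePath strings as they appear under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (the service names and paths below are constructed), flags the ones that need quoting, and produces the quoted form that is the vendor-side fix.

```python
import re

# Constructed ImagePath values in the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# Service names are invented for the example; none is a real NVIDIA service.
SAMPLE_IMAGE_PATHS = {
    "QuotedSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "UnquotedSvc": r"C:\Program Files\Example Vendor\Example Service\daemon.exe",
    "UnquotedArgsSvc": r"C:\Program Files\Example\agent.exe /service",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# Non-greedy: the executable ends at the first ".exe"; the rest is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE | re.DOTALL)


def split_image_path(image_path):
    """Return (executable, arguments, quoted).

    A quoted path is taken verbatim. Otherwise the executable is everything
    up to the first '.exe', or the first whitespace-delimited token when
    there is no '.exe' at all (kernel drivers)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:], True
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), m.group(2), False
    head, _, tail = s.partition(" ")
    return head, (" " + tail if tail else ""), False


def is_unquoted_with_space(image_path):
    """CWE-428 condition: the executable path is unquoted and contains
    whitespace, so the service control manager may try a shorter prefix
    (e.g. 'C:\\Program') before the intended binary."""
    exe, _, quoted = split_image_path(image_path)
    return (not quoted) and any(ch.isspace() for ch in exe)


def audit(image_paths):
    """Names of the services whose ImagePath needs quoting, sorted."""
    return sorted(name for name, p in image_paths.items()
                  if is_unquoted_with_space(p))


def quoted_image_path(image_path):
    """The remediation: wrap the executable in double quotes, keep arguments."""
    exe, args, quoted = split_image_path(image_path)
    if quoted:
        return image_path
    return f'"{exe}"{args}'


if __name__ == "__main__":
    for name in audit(SAMPLE_IMAGE_PATHS):
        print(f"{name}: {SAMPLE_IMAGE_PATHS[name]}")
        print(f"    fix -> {quoted_image_path(SAMPLE_IMAGE_PATHS[name])}")
```

On a live host the ImagePath values can be collected with `sc qc <service>` or from the registry and fed to `audit()`; the check is the same regardless of how the values are gathered.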

Impact

A local authenticated attacker may be able to escalate privileges or cause a denial of service.

Solution

Apply an Update

Users should upgrade to the latest NVIDIA drivers. Users that need to stay on an older driver version can apply a patch.

Vendor Information

Vendor   Status    Date Notified   Date Updated
NVIDIA   Affected  -               21 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           6.8     AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal       5.3     E:POC/RL:OF/RC:ND
Environmental  3.8     CDP:MH/TD:M/CR:M/IR:M/AR:L

References

Credit

Thanks to NVIDIA Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 21 Mar 2013 | 7:22 am EDT

VU#406596: Askiaweb survey application contains multiple vulnerabilities

Vulnerability Note VU#406596

Askiaweb survey application contains multiple vulnerabilities

Original Release date: 20 Mar 2013 | Last revised: 20 Mar 2013

Overview

The Askiaweb survey application contains multiple vulnerabilities.

Description

The Askiaweb survey application contains multiple vulnerabilities.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2013-0123
The administration interface for the Askia web survey application (http://www.askia.com/askiaweb) is vulnerable to blind, time-based SQL injection on two different parameters:
https://[application]/WebProd/pages/pgHistory.asp [nHistoryId parameter]
https://[application]/WebProd/pages/pgadmin.asp [OrderBy parameter]


CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-0124
The administration interface is vulnerable to XSS on the following URLs and parameters:
https://[application]/WebProd/cgi-bin/AskiaExt.dll [Number parameter]
https://[application]/WebProd/cgi-bin/AskiaExt.dll [UpdatePage parameter]

Impact

An attacker with access to the Askiaweb survey application web interface can conduct a cross-site scripting or SQL injection attack, which could result in information leakage, privilege escalation, and/or denial of service.
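Both this note and VU#418923 (C2 WebResource) above describe the same two input-handling defects: a request parameter reflected into HTML without neutralisation (CWE-79), and request parameters concatenated into SQL (CWE-89). The code below is an added example, not from the CERT notes or from either vendor, showing the server-side handling that removes each defect. It assumes a small SQLite table standing in for the survey backend and an assumed allowlist of sort columns; the two Askiaweb parameters are instructive because `nHistoryId` can be bound as a parameter while `OrderBy` cannot, so it needs an allowlist instead.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Column names the admin page may legitimately sort on, mapped to the real
# column names. The survey application's schema is not given in the note;
# these are assumed for the example.
ALLOWED_ORDER_BY = {"id": "id", "name": "name", "created": "created_at"}


def build_demo_db():
    """Constructed in-memory database standing in for the survey backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO history VALUES (?, ?, ?)",
        [(1, "survey-a", "2013-03-01"),
         (2, "survey-b", "2013-03-02"),
         (3, "survey-c", "2013-03-03")],
    )
    return conn


def fetch_history(conn, n_history_id):
    """pgHistory.asp?nHistoryId=...: the value is cast to int and bound as a
    parameter, so SQL text inside the value can never alter the statement.
    Returns None for anything that is not an integer (respond 400)."""
    try:
        hid = int(n_history_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, name FROM history WHERE id = ?", (hid,)
    ).fetchone()


def list_history(conn, order_by):
    """pgadmin.asp?OrderBy=...: an ORDER BY column cannot be a bound
    parameter, so the request value is looked up in an allowlist and only
    the mapped column name (never the request value itself) is placed in
    the SQL. Returns None for an unknown sort key."""
    column = ALLOWED_ORDER_BY.get(order_by)
    if column is None:
        return None
    rows = conn.execute(f"SELECT name FROM history ORDER BY {column}")
    return [r[0] for r in rows]


def param_from_url(url, name):
    """Extract one query parameter from a request URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_param(value):
    """Reflect a request parameter (Number, UpdatePage, File) into HTML.
    Escaping for the HTML text context (quote=True also covers attribute
    values) turns the <script> payload quoted in the notes into inert text."""
    return "<p>Requested value: %s</p>" % html.escape(value, quote=True)
```

The same two rules generalise beyond these parameters: anything that selects a row is bound, anything that selects structure (column, table, sort direction) is allowlisted, and anything echoed to the page is encoded for the context it lands in.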

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Askiaweb survey application web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor   Status    Date Notified   Date Updated
Askia    Affected  -               11 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           8.5     AV:N/AC:L/Au:S/C:C/I:C/A:N
Temporal       6.5     E:U/RL:U/RC:UC
Environmental  1.7     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thank you to the reporter that wishes to remain anonymous.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 20 Mar 2013 | 8:05 am EDT

VU#278204: Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery

Vulnerability Note VU#278204

Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery

Original Release date: 18 Mar 2013 | Last revised: 18 Mar 2013

Overview

The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352)

Description

The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352) A remote attacker that is able to trick a user into clicking a malicious link while logged into the router may be able to compromise the router.

Impact

A remote unauthenticated attacker that is able to trick a user into clicking a malicious link while they are logged into the router may be able to compromise the router.
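The attack the note describes works because the browser attaches the router's session cookie to any request, including one a malicious page triggers. The defence is a credential the attacker's page cannot obtain: a per-session token submitted with every state-changing request, backed by an Origin/Referer comparison. The following is an added example of that check, not Actiontec's or Verizon's firmware code; the management origin, session id and key are assumed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Key known only to the device; generated at boot in this example.
SERVER_KEY = secrets.token_bytes(32)
# Assumed management URL of the router's web interface.
MANAGEMENT_ORIGIN = "https://192.168.1.1"


def issue_csrf_token(session_id):
    """Derive a per-session token with an HMAC. The token is rendered into
    the device's own forms, so a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method):
    """Configuration changes must only be accepted on POST; a bare link that
    the victim clicks is a GET and must never change settings by itself."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(method, headers, form, session_id):
    """Return (allowed, reason) for one request to the management interface.

    The session cookie is implicit: the browser sends it on a forged request
    too, which is exactly why the cookie alone cannot authorise a change."""
    if not is_state_changing(method):
        return True, "read-only request"

    # 1. Origin (or Referer as fallback): a form submitted from an attacker's
    #    page carries that page's origin. Absent headers fall through to the
    #    token check rather than being trusted.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != MANAGEMENT_ORIGIN:
            return False, "cross-origin request"

    # 2. Synchronizer token: must be present and match this session's token.
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-demo"
    tok = issue_csrf_token(sid)
    print(csrf_check("POST", {"Origin": MANAGEMENT_ORIGIN},
                     {"csrf_token": tok, "dns1": "192.0.2.53"}, sid))
    print(csrf_check("POST", {"Referer": "http://attacker.example/page.html"},
                     {"csrf_token": tok}, sid))
```

The note's workaround of logging out when done is the user-side version of the same idea: with no live session there is nothing for a forged request to ride on.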

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Restrict Access

Verify the router's web interface is not Internet accessible. As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the router web interface using stolen credentials from a blocked network location.

Do Not Stay Logged Into the Router's Management Interface

Always log out of the router's management interface when done using it.

Vendor Information

Vendor    Status    Date Notified   Date Updated
Verizon   Affected  01 Feb 2013     18 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           6.4     AV:A/AC:M/Au:N/C:P/I:C/A:N
Temporal       5.5     E:H/RL:W/RC:UC
Environmental  3.0     CDP:L/TD:M/CR:L/IR:L/AR:L

References

Credit

Thanks to Jacob Holcomb of Independent Security Evaluators for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 18 Mar 2013 | 5:11 pm EDT

VU#737740: Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL

Vulnerability Note VU#737740

Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL

Original Release date: 18 Mar 2013 | Last revised: 02 May 2013

Overview

Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL (0.9.8o).

Description

Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use OpenSSL for SSL/TLS encryption. The version of OpenSSL shipped with the Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier is 0.9.8o, which is out of date and known to be vulnerable.

Impact

A remote attacker may be able to cause a denial of service or possibly run arbitrary code.

Solution

Apply an Update

Apply patch 1-1IJ6ZK. The patch will upgrade OpenSSL to version 0.9.8x. Patch 1-1IJ6ZK can be obtained from Xerox tech support.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor   Status    Date Notified   Date Updated
EFI      Affected  18 Dec 2012     18 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           6.9     AV:A/AC:M/Au:N/C:P/I:P/A:C
Temporal       5.1     E:U/RL:OF/RC:C
Environmental  1.0     CDP:L/TD:L/CR:L/IR:L/AR:L

References

Credit

Thanks to Curtis Rhodes for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 18 Mar 2013 | 1:44 pm EDT

VU#782451: HP LaserJet Professional printer telnet debug shell vulnerability

Vulnerability Note VU#782451

HP LaserJet Professional printer telnet debug shell vulnerability

Original Release date: 11 Mar 2013 | Last revised: 11 Mar 2013

Overview

Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

Description

Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

For additional vulnerability information and a list of affected devices see HP Security Bulletin HPSBPI02851 SSRT101078.

Impact

A remote unauthenticated attacker can connect to the telnet debug shell and gain unauthorized access to data.

Solution

Update

HP has provided updated printer firmware to resolve this issue. Firmware download information can be found in HP Security Bulletin HPSBPI02851 SSRT101078.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor                    Status    Date Notified   Date Updated
Hewlett-Packard Company   Affected  09 Jan 2013     08 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           8.8     AV:N/AC:M/Au:N/C:N/I:C/A:C
Temporal       6.2     E:POC/RL:OF/RC:UC
Environmental  1.6     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Christoph von Wittich of Hentschke Bau GmbH for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 11 Mar 2013 | 9:04 am EDT

VU#345260: GroundWork Monitor Enterprise contains multiple vulnerabilities

Vulnerability Note VU#345260

GroundWork Monitor Enterprise contains multiple vulnerabilities

Original Release date: 08 Mar 2013 | Last revised: 08 Mar 2013

Overview

GroundWork Monitor Enterprise 6.7.0 and possibly earlier versions contain multiple vulnerabilities.

Description

The SEC Consult Vulnerability Lab Security Advisory states:

The following vulnerability description has been categorized into the components where the vulnerabilities have been identified.

1) Insufficient authentication in many components: Many components of GroundWork are only "secured" by Referer-header checks. An attacker who uses a specific, known Referer-header of the GroundWork Apache configuration file is able to access parts of the administration interface without prior authentication. Only few components are additionally secured by the JOSSO Single-Sign-On system.

2) Foundation webapp admin interface:
2.1) Referer-check: The webapp is only "secured" by a referer check, an unauthenticated attacker is able to access the admin interface. The attacker also has write access and is able to manipulate settings as admin user and he can further exploit other vulnerabilities.
2.2) Unauthenticated file disclosure & file write/modification: An unauthenticated attacker is able to read arbitrary files of the operating system with the access rights of the operating system user "nagios" (the only "security protection" is the weak Referer-check from 2.1).
2.3) Multiple permanent XSS vulnerabilities: An unauthenticated attacker is able to store malicious JavaScript/HTML code in many places within the admin interface and hence further attack / take over admin users of GroundWork! If an administrator e.g. clicks on the "Administration" /"Foundation" menu within GroundWork, the JavaScript code will be executed automatically.

3) MONARCH component:
3.1) Direct OS command injection: An attacker with a valid cookie (JOSSO SSO) with at least low-privileged "user" access rights is able to execute arbitrary operating system commands. He is able to gain access to sensitive configuration files, e.g. passwords of Nagios (and hence of many services within the monitored network) in cleartext.
3.2) XML external entity injection & arbitrary XML file (over-)write: The Monarch components suffer from XXE attacks where an attacker e.g. is able to read arbitrary files of the operating system (sensitive configuration files, etc.).
The vulnerability can be exploited by uploading a malicious XML file within the "Profile Importer" component and then view this uploaded file within the same module.

4) Nagios-App component
4.1) Access to sensitive files: A low privileged user is able to gain access to log files or nagios configuration files (e.g. clear text passwords) just by entering the corresponding URL and including the Referer-header from 1).

5) Performance component
5.1) Write files & execute operating system commands: An unauthenticated attacker is able to write files (filename & path can be chosen arbitrarily) with pre-given XML content with the access rights of the "nagios" operating system user. The XML content is partially given by the application, but can be modified by the attacker for further injection attacks. In the end it is possible to execute operating system commands, e.g. by using SSI (server-side includes) injection.

Note there are additional vulnerabilities.

For detailed vulnerability information regarding the above listed vulnerabilities and additional vulnerabilities see SEC Consult Vulnerability Lab Security Advisory 1 and SEC Consult Vulnerability Lab Security Advisory 2.

Impact

A remote unauthenticated attacker may be able to modify the administrator web interface of the system, read sensitive configuration files, or execute arbitrary operating system commands with the permissions of the GroundWork Monitor Enterprise system.

Solution

Change configuration

GroundWork has released a technical bulletin addressing some of the vulnerabilities. Users are advised to read GroundWork's technical bulletin and apply the recommended changes.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi, unauthenticated file uploads, or denial of service attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor       Status    Date Notified   Date Updated
GroundWork   Affected  -               08 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           9.0     AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal       7.3     E:POC/RL:U/RC:UC
Environmental  1.9     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Johannes Greil of SEC Consult Unternehmensberatung GmbH for reporting these vulnerabilities. https://www.sec-consult.com

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 8 Mar 2013 | 2:10 pm EST

VU#688246: Java contains multiple vulnerabilities

Vulnerability Note VU#688246

Java contains multiple vulnerabilities

Original Release date: 05 Mar 2013 | Last revised: 05 Mar 2013

Overview

Java 7 Update 15, Java 6 Update 41, Java 5.0 Update 40, and earlier versions of Java contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.

Additional details of the vulnerability can be found at FireEye Malware Intelligence Lab blog post.

This vulnerability is reportedly being exploited in the wild.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities.

Solution

Apply an update

These issues are addressed in Java 7 Update 17 and Java 6 Update 43. Please see the Oracle Security Alert for CVE-2013-1493 for more details.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u17. This will help mitigate other Java vulnerabilities that may be discovered in the future.

This issue has also been addressed in IcedTea versions 1.11.9 and 1.12.4.

Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Also note that we have encountered situations on Windows where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Depending on the browser used, this Michael Horowitz has pointed out that performing the same steps on Windows 7 will result in unsigned Java applets executing without prompting in Internet Explorer, despite what the "Security Level" slider in the Java Control panel applet is configured to use. We have confirmed this behavior with Internet Explorer on both Windows 7 and Vista. Reinstalling Java appears to correct both of these situations.

System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.
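The proxy rule the paragraph sketches has two triggers (a request for `.jar`/`.class` content, or a request whose User-Agent is the JRE's own `Java/<version>` string) and one exception (destinations on the local intranet). The following policy function is an added example of that logic, not code from CERT or from any proxy product; the intranet address ranges and DNS suffix are assumed and would be replaced by the real ones.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed definition of "intranet" for this example: RFC 1918 address space
# plus an internal DNS suffix. Replace with the organisation's real ranges.
INTRANET_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTRANET_SUFFIXES = (".corp.example",)

# Extensions the note names as carrying Java applet code.
JAVA_EXTENSIONS = (".jar", ".class")


def is_intranet_host(host):
    """True for hosts inside the organisation, by address or by DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTRANET_SUFFIXES)
    return any(addr in net for net in INTRANET_NETWORKS)


def is_java_request(url, user_agent):
    """The two signals from the note: the JRE identifies itself with a
    'Java/<version>' User-Agent, and applet code is fetched as .jar/.class."""
    path = urlsplit(url).path.lower()
    return user_agent.startswith("Java/") or path.endswith(JAVA_EXTENSIONS)


def proxy_decision(url, user_agent):
    """Allow Java traffic only to intranet destinations; pass everything
    else through unchanged. Returns 'ALLOW' or 'BLOCK'."""
    if not is_java_request(url, user_agent):
        return "ALLOW"
    host = urlsplit(url).hostname or ""
    return "ALLOW" if is_intranet_host(host) else "BLOCK"


if __name__ == "__main__":
    # Constructed request log lines: (url, user_agent)
    requests = [
        ("http://apps.corp.example/hr/applet.jar", "Java/1.7.0_15"),
        ("http://10.1.2.3/tools/Main.class", "Mozilla/5.0"),
        ("http://cdn.example.net/x/loader.jar", "Mozilla/5.0"),
        ("http://www.example.net/index.html", "Java/1.7.0_15"),
        ("http://www.example.net/index.html", "Mozilla/5.0"),
    ]
    for url, ua in requests:
        print(f"{proxy_decision(url, ua):5}  {ua:14}  {url}")
```

Both signals are content the client controls, so this is defence in depth alongside disabling the browser plugin, not a replacement for it; its value is that it cuts off the common case of applet code pulled from arbitrary internet sites while leaving intranet applications working.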

Vendor Information

Vendor               Status    Date Notified   Date Updated
Oracle Corporation   Affected  -               05 Mar 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7     E:H/RL:OF/RC:C
Environmental  9.4     CDP:H/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Oracle credits the following people or organizations for reporting security vulnerabilities addressed by this Security Alert to Oracle: an Anonymous Reporter of TippingPoint's Zero Day Initiative; axtaxt via TippingPoint's Zero Day Initiative; Darien Kindlund of FireEye; Vitaliy Toropov via iDefense; and Vitaliy Toropov via TippingPoint.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 5 Mar 2013 | 9:31 am EST

VU#160460: Dell PowerConnect 6248P series switch denial of service vulnerability

Vulnerability Note VU#160460

Dell PowerConnect 6248P series switch denial of service vulnerability

Original Release date: 22 Feb 2013 | Last revised: 22 Feb 2013

Overview

Dell PowerConnect 6248P series switches contain a denial of service vulnerability when parsing malformed requests.

Description

Dell PowerConnect 6248P series switches contain a denial of service vulnerability when parsing malformed requests which could cause the switch to crash and become unavailable.

Impact

An authenticated attacker can cause the Dell PowerConnect 6248P series switch to crash and become unavailable.

Solution

We are currently unaware of a practical solution to this problem.

Restrict Access

The Dell PowerConnect M6220 series switch web interface should not be Internet facing.

Vendor Information

Vendor                            Status    Date Notified   Date Updated
Dell Computer Corporation, Inc.   Affected  09 Jan 2013     18 Feb 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           7.8     AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.0     E:POC/RL:W/RC:UC
Environmental  1.6     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Gary Blosser for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 22 Feb 2013 | 11:58 am EST

VU#583564: CS-Cart v3.0.4 configured with PayPal Standard Payments design vulnerability

Vulnerability Note VU#583564

CS-Cart v3.0.4 configured with PayPal Standard Payments design vulnerability

Original Release date: 22 Feb 2013 | Last revised: 22 Feb 2013

Overview

CS-Cart v3.0.4 and possibly other versions configured with PayPal Standard Payment is susceptible to a client-side attack that results in an attacker purchasing items without having to pay for them.

Description

It has been reported that CS-Cart v3.0.4 configured with PayPal Standard Payments contains a design flaw that allows an attacker to buy items without having to pay for them. The parameter carrying the merchant's PayPal email address is controlled on the client side and is not verified by the server. This allows an attacker to change the PayPal email address to one the attacker controls, so that the attacker purchases items on the website but effectively pays themselves instead of the merchant. Manual reconciliation of website orders against the PayPal transactions would be needed to detect this fraud.
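The root cause is that the payee is taken from the checkout form instead of from server-side configuration, and the payment notification is then trusted without comparing it to what the merchant expected. The check below is an added example, not CS-Cart's code or PayPal's, of how a shop should settle an order from a payment notification: the payee, amount, currency and transaction id are all compared against values the server holds. Field names follow PayPal IPN variables (`receiver_email`, `mc_gross`, `mc_currency`, `payment_status`, `txn_id`, `custom`); the merchant address, order book and the `ipn_validated` flag (the result of the post-back confirmation step, done outside this offline example) are assumed.

```python
from decimal import Decimal, InvalidOperation

# The merchant's PayPal account, held in server-side configuration. This
# value must never be read from the checkout form. Constructed for the example.
MERCHANT_PAYPAL_EMAIL = "payments@merchant.example"

# Constructed order book: order id -> expected amount/currency and state.
ORDERS = {
    "1001": {"amount": Decimal("49.90"), "currency": "USD", "paid": False},
    "1002": {"amount": Decimal("10.00"), "currency": "USD", "paid": False},
}
# Transaction ids already credited, to stop one payment settling two orders.
SEEN_TXN_IDS = set()


def verify_payment(ipn, ipn_validated, orders=ORDERS, seen=SEEN_TXN_IDS):
    """Decide whether a payment notification settles an order.

    ipn:           dict of IPN fields as received from the payment provider
    ipn_validated: True only if the message was posted back to the provider
                   and confirmed (that network step is outside this example)
    Returns (accepted, reason); on acceptance the order is marked paid."""
    if not ipn_validated:
        return False, "IPN not confirmed by provider"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"

    # The check the vulnerable configuration lacked: the money must have gone
    # to the merchant's configured account, whatever the browser submitted.
    if ipn.get("receiver_email", "").lower() != MERCHANT_PAYPAL_EMAIL:
        return False, "payee is not the merchant"

    order = orders.get(ipn.get("custom", ""))
    if order is None:
        return False, "unknown order"

    # Amount and currency come from the server's own order record.
    try:
        paid_amount = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid_amount != order["amount"] or ipn.get("mc_currency") != order["currency"]:
        return False, "amount or currency mismatch"

    if order["paid"]:
        return False, "order already paid"
    txn = ipn.get("txn_id", "")
    if not txn or txn in seen:
        return False, "duplicate or missing transaction id"

    seen.add(txn)
    order["paid"] = True
    return True, "ok"
```

The payee comparison alone closes the flaw in the note; the amount, currency and transaction id checks close the neighbouring variants (paying a reduced amount, paying in a cheaper currency, replaying one receipt against several orders) that a client-trusting integration is equally exposed to.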

Impact

An attacker can effectively purchase items without paying the merchant for them.

Solution

Update

The vendor has stated that this vulnerability has been addressed in CS-Cart version 3.0.6. They have also released the security patch for the older versions (3.0.x & 2.2.x).

Vendor Information

Vendor    Status    Date Notified   Date Updated
CS-Cart   Affected  24 Jan 2013     18 Feb 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           7.1     AV:N/AC:M/Au:N/C:N/I:C/A:N
Temporal       4.7     E:U/RL:OF/RC:UC
Environmental  1.3     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Giancarlo Pellegrino of Institute Eurecom and SAP Research for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Source: CERT Recently Published Vulnerability Notes | 22 Feb 2013 | 7:25 am EST

VU#422807: Adobe Reader and Acrobat memory corruption vulnerabilities

Vulnerability Note VU#422807

Adobe Reader and Acrobat memory corruption vulnerabilities

Original Release date: 14 Feb 2013 | Last revised: 21 Feb 2013

Overview

Adobe Reader and Acrobat 11.0.01 and earlier, 10.1.5 and earlier, and 9.5.3 and earlier contain memory corruption vulnerabilities.

Description

The Adobe security bulletin APSB13-07 states:

    Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.


Additional details may be found in the full bulletin APSB13-07.

Impact

A remote attacker may be able to cause a denial of service or execute arbitrary code on the system in the context of the user running the Adobe product.

Solution

Apply an Update

The Adobe security bulletin APSB13-07 states:


Please consider the following workarounds, if you are unable to apply the update.

Enable Protected View

Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

Disable Javascript

To disable Javascript in Adobe Reader and Acrobat, uncheck "Enable Acrobat JavaScript" under the Edit > Preferences > JavaScript menu.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor   Status     Date Notified   Date Updated
Adobe    Affected   -               14 Feb 2013

CVSS Metrics

Group           Score   Vector
Base            9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal        8.8     E:H/RL:W/RC:C
Environmental   8.8     CDP:MH/TD:H/CR:H/IR:H/AR:H

Credit

This document was written by Jared Allar.

Source: CERT Recently Published Vulnerability Notes | 14 Feb 2013 | 12:14 pm EST

Adobe ColdFusion Information Disclosure Vulnerability (APSB13-13)

Source: Help Net Security - Vulnerabilities | 17 May 2013 | 6:17 am EDT

Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)

Source: Help Net Security - Vulnerabilities | 13 May 2013 | 3:22 am EDT

phpMyAdmin preg_replace() Input Validation Error Script Execution Vulnerability

Source: Help Net Security - Vulnerabilities | 10 May 2013 | 4:21 am EDT

Microsoft Internet Explorer 8 Use-After-Free Memory Corruption Vulnerability

Source: Help Net Security - Vulnerabilities | 9 May 2013 | 3:19 pm EDT

Java Applet Reflection Type Confusion Remote Code Execution

Source: Help Net Security - Vulnerabilities | 3 May 2013 | 8:28 am EDT

Nagios Remote Plugin Executor Arbitrary Command Execution

Source: Help Net Security - Vulnerabilities | 25 Apr 2013 | 10:48 am EDT

Adobe ColdFusion APSB13-03 Remote Exploit

Source: Help Net Security - Vulnerabilities | 22 Apr 2013 | 4:53 am EDT

MongoDB nativeHelper.apply Remote Code Execution

Source: Help Net Security - Vulnerabilities | 15 Apr 2013 | 8:36 am EDT

Novell ZENworks Configuration Management Remote Execution

Source: Help Net Security - Vulnerabilities | 15 Apr 2013 | 5:33 am EDT

KingView Log File Parsing Buffer Overflow

Source: Help Net Security - Vulnerabilities | 9 Apr 2013 | 6:22 am EDT

Wireshark Multiple Bugs Let Remote Users Deny Service

Source: SecurityTracker Vulnerability Headlines |

libvirt File Descriptor Leak Lets Remote Users Deny Service

Source: SecurityTracker Vulnerability Headlines |

Apple iTunes WebKit Memory Corruption Flaws Let Remote Users Execute Arbitrary Code

Source: SecurityTracker Vulnerability Headlines |

EMC VNX and EMC Celerra Control Station Lets Local Administrative Users Gain Elevated Privileges

Source: SecurityTracker Vulnerability Headlines |

RSA SecurID Agent Discloses Node Secret Encryption Key to Local Users

Source: SecurityTracker Vulnerability Headlines |

PentesterLab.com – Exercises To Learn Penetration Testing

PentesterLab is an easy and straightforward way to learn the basics of penetration testing. It provides vulnerable systems in a virtual image, and accompanying exercises that can be used to test and understand vulnerabilities. Just decide what course you want to follow, download the course and start learning. You can easily run the course...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 13 May 2013 | 4:33 pm EDT

New eLearnSecurity Course – WAPT – Web Application Penetration Testing

eLearnSecurity is coming out with a new course, it’s intended to be a comprehensive training on web application penetration testing with large coverage of the newest attack vectors introduced by HTML5 and other W3C protocols. Over 40 new labs in the Coliseum cloud based virtual lab are included in the course. Course Description The Web...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 25 Apr 2013 | 2:32 pm EDT

Large Scale Botnet Brute Force Password Cracking Against WordPress Sites

There have always been a lot of brute force attempts/bot scans and hacking attempts on WordPress hosted sites (due to flaws in the core and a multitude of insecure plugins) – this site being no exception (they’ve even done some minor damage before). But things appear to have really ramped up recently with a large [...] The post Large...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 17 Apr 2013 | 2:01 pm EDT

HoneyDrive Desktop v0.2 Released – Honeypot LiveCD

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Glastopf web honeypot along with Wordpot, Thug honeyclient and more. Additionally it includes useful pre-configured...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 3 Apr 2013 | 11:00 am EDT

Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests

This is a pretty sad case, and one which I’m sure all of us have followed since it first started. Surprisingly it hasn’t gotten a whole lot of media attention, but then this legal precedent sticks it to the man and has some consequences regarding the infosec industry – and who would want to publicize [...] The post Andrew...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 20 Mar 2013 | 11:42 am EDT

SSLyze v0.6 Available For Download – SSL Server Configuration Scanning Tool

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers. Features SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility Performance testing: session resumption and TLS tickets...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 13 Mar 2013 | 5:09 am EDT

Evernote Hacked – ALL Users Required To Reset Passwords

The big news in the past week or so was the Evernote hack, being a user of Evernote I was interested by this one – it seems to be a pretty pervasive hack with user IDs and e-mail addresses being leaked. Thankfully the passwords are salted hashes, so it’s unlikely they’ll get brute forced any [...] The post Evernote Hacked –...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 7 Mar 2013 | 9:28 am EST

ARPwner – ARP & DNS Poisoning Attack Tool

ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered. It also has an implementation of sslstrip and is coded 100% in Python and hosted on GitHub, so you can modify it according to your needs. This tool was released by [...] The post ARPwner – ARP & DNS...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 27 Feb 2013 | 8:27 am EST

Apple, Facebook & Hundreds More Hacked By 0-Day Java Exploit

There’s an awful lot of high profile hacks going on lately, with some people linking them to the Chinese and a large-scale attack on Western companies. Before this, Twitter Breach Leaks 250,000 User E-mails & Passwords – was probably the most high profile case. Now Apple, Facebook and quite possibly hundreds of other companies...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 21 Feb 2013 | 3:10 pm EST

Weevely – PHP Stealth Tiny Web Shell

Weevely is a stealth PHP web shell that provides a telnet-like console. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones. Weevely is currently included in Backtrack and Backbox and all the major [...] The post Weevely – PHP...

Read the full post at darknet.org.uk

Source: Darknet - The Darkside | 6 Feb 2013 | 6:48 am EST

FBI IC3 2012 Internet Crime Report

As seen on the excellent http://www.stefanomele.it web site:

The FBI Internet Crime Complaint Center (IC3) has released the 2012 Internet Crime Report — a summary of reported fraudulent activity, including data and statistics.

In 2012, the IC3 received and processed 289,874 complaints, averaging more than 24,000 complaints per month. Unverified losses reported to IC3 rose 8.3 percent over the previous year.

A new section in this year’s report includes charts for each of the 50 states detailing demographic, complaint, and dollar-loss data. The section allows for easy comparisons and convenient reference.

Additional content includes frequently reported Internet crimes, case highlights, and graphs that explain the lifecycle of a complaint. The most common complaints received in 2012 included FBI impersonation e-mail scams, various intimidation crimes, and scams that used computer “scareware” to extort money from Internet users.

The report gives detailed information about these and other commonly perpetrated scams in 2012.

Read the report here:
http://www.ic3.gov/media/annualreport/2012_IC3Report.pdf

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 19 May 2013 | 3:27 am EDT

The Holistic CISSP Exam Preparation and Overview Tutorial

Good news!

Today I have updated my holistic presentation on How to become a CISSP.

This presentation will tell you ALL that you need to know from step A to Z.

You can find it at:

https://www.cccure.org/flash/intro/player.html

This is a MUST watch for anyone interested in completing the CISSP certification.

Enjoy!

Clement

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 15 May 2013 | 5:22 pm EDT

Webinar: CompTIA Advanced Security Professional (CASP)

Here is a webcast you don't want to miss.

My friend Eric Conrad will be doing a webcast tomorrow on the new CASP Certification from CompTIA.

Visit the link below to register:

https://www.sans.org/webcasts/prepare-comptia-casp-exam-96525

On the exciting side, the CASP was added to DoD 8570 for the following roles:
IAT level III
IAM II, and
IASAE level I and II.

You can see the updated 8570 list of approved certifications at:

http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html 

Here is the latest list of approved certs on the graphic below:

DoD Approved 8570 Baseline Certifications

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 13 May 2013 | 9:47 am EDT

Wireless Hacking and Wireshark Special Edition Magazine

Wireshark Compendium – 180 pages on Wi-fi Hacking

HACKING WIRELESS NETWORKS

Hacking Wireless in 2013
By Terrance Stachowski, CISSP, L|PT

This article is a simple how-to guide for hacking wireless networks using BackTrack 5 R3 or Kali, the Linux penetration testing distributions offered by Offensive Security. The information provided in this article will aid you in testing the security of your wireless network to determine if you're vulnerable to wireless intruders. The following information is for educational purposes only; never use these techniques to access any network which you do not own, unless you have the explicit written permission from the owner of the network.

Hacking Wi-Fi Networks
By Danny Wong, CISSP, CISA, CEH, PMP, ITIL, MCT, MCSE, MCITP, MCTS

In an enterprise infrastructure where your Wi-Fi network is breached, you might imagine a situation where monitoring alerts go off, SMS alerts are sent to your mobile, Intrusion Detection Systems sound off and Intrusion Prevention Systems kick in to lock down the perpetrator. The security team activates its well-defined security framework encompassing Security Incident Response and Handling, which defines the processes to Identify, Contain, Eradicate and Recover from the incident.

Security Through Obscurity: How To Hack Wireless Access Point
By Bamidele Ajayi, OCP, MCTS, MCITP EA, CISA, CISM

This article is meant for legitimate use by users who have forgotten their Wireless Access Point (WAP) credentials such as recovering a misplaced network key or users who have been called by legitimate owners of WAP to help recover network keys. It will inform readers how to hack their Wireless Access Point to gain access.

Wireshark – Hacking WiFi Tool
By MI1

When placed properly, Wireshark can be a great help for a network administrator when it comes to network troubleshooting, such as latency issues, routing errors, buffer overflows, virus and malware infection analysis, slow network applications, broadcast and multicast storms, DNS resolution problems, interface mismatches, or security incidents.

Introduction to Wireless Hacking Methods
By Alexander Heid, Co-founder and President of HackMiami

This article is intended for those who have never forayed into the world of wireless hacking, and will assume the reader has a basic understanding of networking principles and Linux command navigation.

WIRESHARK BASICS

Wireshark – Not Just a Network Administration Tool
By Arun Chauchan, Joint Director CIRT Navy at Indian Navy

Wireshark, a powerful network analysis tool formerly known as Ethereal, captures packets in real time and displays them in human-readable format. Wireshark was developed by Gerald Combs and is free and open-source.

Wireshark – Sharks on The Wire
By Patrick Mark Preuss, Network Engineer

Capturing and analyzing network data is one of the core skills every IT professional should possess. If you have problems with your system or application, or suspect a security issue, in almost every case the network is involved today.

The Network Hacker or Analyzer: Wireshark
By Anand Singh

Wireshark is an open source tool for capturing and analysing network packets, from standard network protocols such as Ethernet, TCP, UDP, HTTP to GSM protocols like LAPD. Wireshark works like a network packet X-ray and can listen to network traffic to help identify problems related to protocols, applications, links, processing time, latency and more.

Wireshark Overview
By Nitish Mehta, Information Security & Cyber Crime Consultant

Wireshark is a very popular tool mainly used to analyze network protocols. It has many other features as well, but if you are new to the program and you seek somebody to cover the basics, here is a brief tutorial on how to get started.

WIRELESS SECURITY

“You Are Here” A Guide to Network Scanning
By Court Graham, CISSP, CEH, GCIH, GSEC, MCSE

Historically the term network scanning has been defined as a process which primarily takes place shortly after the information gathering phase of a hacking attempt or penetration test. In actuality, you never know when you will have to perform scanning activities.

WiFi Combat Zone: Wireshark Versus the Neighbors
By Bob Bosen, Founder of Secure Computing

If you’re one of the regular readers of Hakin9, then you know that there are several means by which your neighbors could have penetrated your WiFi LAN. Do you ever wonder if it’s already happened? Would you like to learn how to monitor anybody that’s abusing your network?

Wi-Fi Security Testing with Kali Linux on a Raspberry Pi
By Dan Dieterle, Security Researcher at CyberArms Computer Security

Learn how to test the security of Wi-Fi networks using a $35 Raspberry Pi and the new Kali Linux. You will also see how some common wireless network security tactics are very easily bypassed.

Using Wireshark to Analyze a Wireless Protocol
By Hai Li, Associate Professor of Beijing Institute of Technology

Wireshark is the perfect platform to troubleshoot wireless networks. In this tutorial, I will demonstrate how to support a new wireless protocol in Wireshark. A wireless protocol in the real world is very complicated, so I will use ASN.1 technology to generate the source code of a dissector.

The Revolving Door of Wi-Fi Security
By Jonathan Wigg, Data Architect at NetMotion Wireless

This isn’t a how-to guide for breaching wireless networks; there are more than enough of those floating around on the Internet. Instead, I wanted to provide some context and an overview of the Wi-Fi security space. Back to the revolving door that is Wi-Fi security and why broadly diverse security measures in random quantities make a poor barrier for entry.

Capturing WiFi Traffic with Wireshark
By Steve Williams, CISSP, GCIH, ACMA

For many years, Wireshark has been used to capture and decode data packets on wired networks. Wireshark can also capture IEEE 802.11 wireless traffic while running on a variety of operating systems.

An Introduction to the Rise (and Fall) of Wi-Fi Networks
By Alessio Garofalo, System Engineer at Green Man Gaming, IT Security Analyst at Hacktive Security

Wireshark is an open source network packet analyzer that offers functions similar to tcpdump's and makes packet sniffing a less stressful task.

Decoding and Decrypting Network Packets with Wireshark
By Andrei Emeltchenko, Linux SW Engineer at Intel Corporation

The main idea is that the well-known Bluetooth protocols, profiles and security mechanisms to be used with a secondary radio are already present in many devices.

State of Security in the App Economy: Mobile Apps Under Attack
By Jukka Alanen, vice president, Arxan Technologies

The proliferation of mobile devices has created an app-centric global marketplace, ushering in the App Economy that is driving innovation, new business models, and revenue streams across all industries. The app industry is growing at a staggering rate, with revenues approaching $60 billion worldwide.

WIRESHARK ADVANCED

Network Analysis On Storage Area Network Using Wireshark
By Massimiliano Sembiante, IT Security and Risk Specialist at UBS Bank

Wireshark can be used during a proactive analysis to identify potential network bottlenecks, to monitor "live" what is happening to the data flow, and to decode packets in transit, displaying information in readable format. The tool can be installed on any computer connected to the network and equipped with a NIC. Using specific APIs or libraries, such as WinPcap under Windows or libpcap for Unix, it captures data and allows analysis of packets travelling over the carrier.

Deep Packet Inspection with Wireshark
By David J. Dodd, GIAC, IAM & IEM, Security +

This article attempts to provide some detail into how to search through packet dump files, or pcap files, using Wireshark. I'll give some useful information on using Wireshark and tshark to do deep packet analysis. Intrusion detection devices such as Snort use the libpcap C/C++ library for network traffic capture.

Listening to a Voice over IP (VoIP) Conversation Using Wireshark
By Luciano Ferrari, Information Security at Kimberly-Clark

Wireshark is a very powerful tool, but did you know you can extract the RTP stream traffic from your VoIP packets, listen to it, and even save an audio file of the conversation? In this article, you'll find an overview and introduction to using Wireshark to analyze VoIP packets and also a step-by-step tutorial on how to extract and listen to a captured audio file.

Wireshark – LUA
By Jörg Kalsbach, Senior Consultant at JPrise GmbH and Information Technology and Services Consultant

This article explores an extension mechanism offered by Wireshark. After a brief description of Wireshark itself, it shows how Wireshark can be extended using Lua as an embedded language, and the benefits to be gained from combining Wireshark and Lua.

Tracing ContikiOs Based IoT Communications over Cooja Simulations with Wireshark
By Pedro Moreno-Sanchez, M.Sc. student at the University of Murcia, Spain
Rogelio Martinez-Perez, B.Cs. in Computer Science at the University of Murcia, Spain

The Internet of Things is getting real: billions of devices interconnected with each other, retrieving data and sharing information using wireless communication protocols everywhere.

CYBERSECURITY

Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U. S. National Command Authorities
By William F. Slater, III, CISSP, SSCP, CISA, MSCE 2000: Security, ITIL Foundation v3, MCTIP, Certified Data Center Professional

This paper deals with issues related to the present situation of lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence into the national CONOPS Plan, which is the national strategic war plan for the United States.

Open Networks- Stealing the Connection
By Michael Christensen CISSP, CSSLP, CRISC, CCM ISO:22301, CPSA, ISTQB, PRINCE2

Most of you are quite aware of the fact that using open Wi-Fi networks poses a threat to the security of your device (laptop, smartphone, tablet etc.). But did you know that if you associate your device with an open network, the threat goes beyond being actively online on the open access point?

Social Engineering: The Art of Data Mining
By Terrance J. Stachowski, CISSP, L|PT

This article explores the art of data mining, a technique utilized to build a dossier and profile of a targeted individual, network, or organization.

Attempting to Solve the “Attribution Problem” – Using Wireshark and Other Tools as an Aid in Cyberwarfare and Cybercrime for Analyzing the Nature and Characteristics of a Tactical or Strategic Offensive Cyberweapon and Hacking Attacks
By William Favre Slater III, PMP, CISSP, SSCP, CISA, MSCE 2000: Security, ITIL Foundation v3, MCTIP, Certified Data Center Professional

One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networked computer resources connected to the Internet face because they are at risk of cyber attacks that could result in anything ranging from denial of service, to espionage, theft of confidential data, destruction of data, and/or destruction of systems and services.

Spyware: Your Business Cannot Afford It
By Louis Corra, Owner of NEPA Computer Consulting, Net Solution Specialist at Network Solutions

Certainly, your business is important to you, your employees, your stockholders and your customers. Your computer systems, servers, and network storage devices contain tons of vital information such as inventory, tax records, payroll and, most importantly, your customers' credit card information.

EXTRA

An Interview with Cristian Critelli, L3 Escalation TAC Engineer at Riverbed Technology Ltd.
Level 3 Escalation Engineer at Riverbed Technology Inc., and part of the EMEA TAC Support Team
By Ewelina Nazarczuk

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 13 May 2013 | 2:03 am EDT

New OWASP projects

NEW OWASP PROJECTS 

OWASP Web Application Security Quick Reference Guide Project - Project Leader: Marek Zmyslowski - This will be a simple checklist for web applications. The unique feature of this project is that all checks will be simple and can be verified by a particular test case. It is simple but can be very informative and useful for testers and coders.

OWASP Application Fuzzing Framework Project - Project Leader: Marek Zmyslowski. The framework will be used to fuzz applications in the Windows environment. It will have a couple of modules; the two main modules will be for file fuzzing and DLL fuzzing. A very wide configuration will allow for many fuzzing possibilities.

OWASP Security JDIs Project - Project Leader: Edwin Aldridge. This project aims to build a library of concise, actionable, technology-specific instructions detailing good practice on avoiding or closing specific vulnerabilities. This will be a set of Security HOWTOs for people who may not have time to study a problem in depth but need to secure their application.

OWASP Top 10 Fuer Entwickler - Project Leader: Torsten Gigler. The Top 10 Fuer Entwickler (Top 10 Developer Edition in German): the objective of the project is to add good practices (like the Cheat Sheets) to the OWASP Top 10. Its aim is to bridge the gap between awareness and theoretical knowledge and effective know-how for the purpose of building good programs. It is written in German to make it easier for German developers to use it. We will take care to make a migration to other languages easy.

OWASP Rails Goat Project - Project Leader:  Ken Johnson  This is a Rails application which is vulnerable to the OWASP Top 10.  It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each. 

PROJECT ANNOUNCEMENTS

OWASP Code Review Table of Contents is now live!
We are currently still recruiting authors that can assist with section development, writing, and editing of the Code Review Guide.  This is an excellent opportunity to work on a high profile OWASP Flagship project.  Applicants are encouraged to choose to contribute to either a section or the entire chapter.  Authors should be knowledgeable about the sections they choose.  For more information on the OWASP Code Review Guide, please visit the Project Webpage

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 11 May 2013 | 2:23 pm EDT

Arachni v0.4.2 has been released

From: Tasos Laskos

Subject: Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)

Hey folks,

This is just to let you know that there's a new version of Arachni.

Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.

The change-log is quite sizeable but the gist is:

  * Brand new web interface -- allowing for team collaboration.
  * Significant decreases in memory usage.
  * Issue remarks – Providing extra context to logged issues.
  * Improved payloads for Windows machines for path traversal and OS command injection.
  * RPC API updates allowing for much easier remote scan management.
  * Much improved profiling and detection of custom 404 responses.
  * The ability to exclude pages from the scan based on content.

For more details about the new release please visit:

http://www.arachni-scanner.com/blog/new-release-v0-4-2-new-interface-new-website/

Homepage     - http://www.arachni-scanner.com
Blog         - http://www.arachni-scanner.com/blog
Support      - http://support.arachni-scanner.com
GitHub page  - http://github.com/Arachni/arachni
Author       - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter      - http://twitter.com/ArachniScanner
Copyright    - 2010-2013 Tasos Laskos
License      - Apache License v2

Cheers,

Tasos Laskos.

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 11 May 2013 | 2:16 pm EDT

Hack The Planet Magazine - Latest edition released

HTP5 has been released, featuring:

MIT/EDUCAUSE
Linode
Nmap
Sucuri
NIST/NVD
Wireshark
and two zerodays.

Enjoy - http://straylig.ht/zines/HTP5/

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 11 May 2013 | 2:16 pm EDT

New version of SpiderFoot has been released

From: Steve Micallef
Date: Fri, May 10, 2013 at 2:28 PM
Subject: SpiderFoot 2.0 released

Hi everyone,

SpiderFoot is a free, open-source footprinting tool, enabling you to perform various scans against a given domain name in order to obtain information such as sub-domains, e-mail addresses, owned netblocks, web server versions and so on. The main objective of SpiderFoot is to automate the footprinting process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

Grab it from: http://www.spiderfoot.net/

New in this release, which is actually a complete re-write of the version from 2005(!):
    - Now runs on Windows as well as Linux, Solaris, *BSD (basically anything with Python should be fine)
    - Scans are even more configurable than before
    - All scan data stored locally in an SQLite database for querying, reporting and analysis
    - Many more scans/tests included (GeoIP, URL linkage, web technology, port scans...)
    - You can now easily extend functionality by writing your own modules in Python
    - Completely new user interface, which is now entirely web-based
    - Configuration state is stored between runs
    - Scanning can be remotely controlled

I hope you find it useful, and if you have any suggestions/complaints, feel free to contact me.

Thanks,

Steve

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 10 May 2013 | 12:03 pm EDT

Trustwave Global Security Report

Wednesday, April 03, 2013 3:00 AM

2013 Trustwave Global Security Report

Trustwave Global Security Report - Click HERE to download

This year, Trustwave analyzed millions of passwords, hundreds of businesses and billions of emails, all in an effort to expose the most critical and emerging security threats to organizations around the world.

The results--along with real-world scenarios and actionable advice--will help you prepare your business and your teams for what's ahead in 2013 and beyond.

Did you know?

The average time from breach to detection is 210 days.
Mobile malware samples increased by 400%.
E-commerce applications account for 48% of breach investigations.

Want the inside track on the threats you'll be facing this year?

Then download and read the 2013 Trustwave Global Security Report.

Request the report for Free!

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 13 Apr 2013 | 9:15 am EDT

BACKTRACK is now called KALI LINUX -- Do not expect Backtrack 6

The free security auditing toolkit launched today at Black Hat Europe in Amsterdam.

Click on the graphic below to visit the new Kali Linux website and learn more about this new OS based on Backtrack:

Kali Linux Operating System and testing environment

The Birth of Kali Linux

Posted on the Kali website on: 12-12-2012

Kali Linux, The Rising

It’s been 7 years since we released our first version of BackTrack Linux, and the ride so far has been exhilarating. When the dev team started talking about BackTrack 6 (almost a year ago), each of us put on paper a few “wish list goals” that we each wanted implemented in our “next version”.

Scrapping it All and Starting Afresh

It soon became evident to us that with our 4 year old development architecture, we would not be able to achieve all these new goals without a massive restructure, so, we massively restructured. We realized it would be easier to start afresh, using new technologies and processes than to try to patch up our existing environment to conform to Debian policies and standards. This realization brought upon the next question…

Ubuntu vs. Debian

Once we realized we were free from the bonds of our old environment, we started musing about the base platform we want to build our next penetration testing distribution – the main players on our table were Debian and Ubuntu. With both options heavily weighed and gently avoiding philosophical rants about the pros and cons of each, Debian was our final choice.

What About the Offensive Security Courses?

Surprisingly enough, with all the new changes we have made in Kali, the user experience remains pretty much the same. Apart from a couple of path changes due to our new FHS compliance, our students should feel little difference between Kali and BackTrack.

Where’s my /pentest Directory?

Gone. Kaput. Kwisha. Dissipated. FHS compliance has removed the /pentest structure from our distribution. Although the /pentest directory tree was a signature of our previous distributions for many years, it always brought with it policy questions which could never be satisfactorily answered. For example, when does a tool go in /pentest, and when should it be placed in the $PATH ? Where should a tool like “sqlmap” be placed? Should it be in /pentest/web, or /pentest/database? With our new FHS compliant packages, there’s no guesswork left. Everything is in the path and accessible directly, as it should be.

Kali Linux – What’s in a Name?

Hindu Goddess of time and change? Philippine martial art? Cool word in Swahili? None of the above. “Kali” is simply the name we came up with for our new distribution. Why change the name in the first place? With all these significant changes in our distribution, we felt that we needed to convey this in the project name. “BackTrack 6″ didn’t do justice to our efforts in the past year, and wouldn’t convey our new message to our users. What’s the new message? We’ll let you find out for yourself.

 

Source: The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST | 13 Mar 2013 | 5:20 am EDT

BBC News: LulzSec Hacker Interview

BBC News has a 13 minute report that's worth a view.

LulzSec hacker: Internet is a world devoid of empathy


On 17/05/13 At 12:54 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Another Document Targeting Uyghur Mac Users

We spotted a new variant of the documents used in the cyber attacks against Uyghur back in February.

This variant was first submitted to VirusTotal on April 11 from China. This time it uses IUHRDF, which may be a reference to International Uyghur Human Rights & Democracy Foundation, instead of Captain as the author:

Properties of poadasjkdasuodrr.doc

The payload is still the same, apart from using different filenames and a different command and control server.

It uses "alma.apple.cloudns.org" as the command and control server:

Command and control server name

It creates the following copy of itself and launch point:

~/Library/Application Support/.realPlayerUpdate
~/library/launchagents/realPlayerUpdate.plist

Or it may create the following instead (when executed with 2 parameters):

/Library/Application Support/.realPlayerUpdate
/library/LaunchDaemons/realPlayerUpdate.plist

It remains pretty much the same malware and is generically detected as Backdoor:OSX/CallMe.A since February.

MD5: ee84c5d626bf8450782f24fd7d2f3ae6 - poadasjkdasuodrr.doc
MD5: 544539ea546e88ff462814ba96afef1a - .realPlayerUpdate

On 25/04/13 At 01:39 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

LulzSec Sentencing in UK

LulzSec Twitter

LulzSec – the rockband of hacker groups – had three of their six members sentenced today in London.

LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec.

LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which is what led to their being taken down.

LulzSec had 6 core members:

The first three were sentenced today.


A botnet master associated with Lulzsec was sentenced at the same time: Ryan Cleary (aka Viral). He got a 32 month sentence. He will serve 16 months.

Sabu was arrested in June 2011. He pleaded guilty and has been working with FBI since. He's yet to be sentenced.

Darren Martyn was indicted in March 2012. He's yet to be sentenced.

So, five of the LulzSec six have been caught. The remaining mystery is the 6th member: Avunit.

Who was Avunit? How come none of the other members have given him up?

We have no idea who Avunit is. We have no identity. We don't even know which continent he is from.

P.S. Obligatory nyan.cat.






On 16/05/13 At 01:32 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Facebook is Testing Tags For "What"

Facebook has gradually added different tags to its "Status" updates.

Currently, most users have the ability to tag: who, when and where.

Facebook, What tags

Those options could soon include: what. (Roll out is limited at the moment.)

Facebook, What tags

And not just what you are doing — but what you're feeling.

Facebook, What tags

As long as everybody you're friends with gets the joke…

Facebook, What tags

…you should be safe.

Facebook, What tags

But let's say your boss mistakes "a pan galactic gargle blaster" for a real drink and reprimands you for drinking alcohol on the job.

That could leave you feeling quite annoyed.

Facebook, What tags

How do I share my feelings or what I'm doing in a status update?

Carefully.






On 30/04/13 At 12:06 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Mac Spyware Found at Oslo Freedom Forum

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.

Developer ID

The launch point:

Launch point

It dumps screenshots into a folder called MacApp:

Screenshot dump folder

Functions:

Functions

There are two C&C servers related to this sample:

DomainTools, securitytable.org
securitytable.org

DomainTools, docforum.info
docsforum.info

One C&C doesn't currently resolve, and the other:

docsforum.info
Forbidden

Our detection is called Backdoor:OSX/KitM.A (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e).

On 16/05/13 At 12:29 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

CVE-2013-2423 Java Vulnerability Exploit ITW

Only a few days after Oracle released its critical patch for Java, CVE-2013-2423 is already being exploited. Judging from the history, exploitation seems to have begun on April 21st and is still ongoing (as of this post):

url_list (122k image)

For a closer look, the image below contains a comparison of the classes found in the Metasploit module and that of the ITW sample:

Metasploit (95k image)

Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day after.

Information about the PoC can be found here.

Files are detected as Exploit:Java/Majava.B.

Sample hashes:
1a3386cc00b9d3188aae69c1a0dfe6ef3aa27bfa
23acb0bee1efe17aae75f8138f885724ead1640f


Post by — Karmina and @Timo






On 23/04/13 At 02:36 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Download: Mobile Threat Report Q1 2013

Our Mobile Threat Report Q1 2013 is now publicly available.

Mobile Threat Count, Q1 2013

All of our past reports are also available in the "Labs" section of f-secure.com.

On 15/05/13 At 12:45 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Online Activities Related to Elections in Malaysia

Malaysia's 2013 general elections are scheduled for Sunday, May 5, 2013. Political news coverage is currently inundating all news outlets, including social networking sites, as the country's political parties go into high gear in the final run-up to polling day.

The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques — and sure enough, this week Citizen Lab released a report indicating that a sample of the sophisticated FinFisher (a.k.a. FinSpy) surveillance malware was discovered in a document crafted specifically for this event.

The malware was distributed in a booby-trapped Malay-language Microsoft Word document named "SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" (In English: "List of proposed candidates for 13th General Elections according to states").

SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc

The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country's history. F-Secure detects the document in question as Trojan:W32/FinSpy.D.

FinFisher is produced by a European company called the Gamma Group. As we mentioned in a previous post, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia. The ISS event serves as a trade fair for surveillance software (attendance is by "invitation", or for "telco service providers, government employees or law enforcement officers").

ISS World Kuala Lumpur

Additionally, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook, and Malaysiakini (a popular Malaysian online news site) have been subjected to various forms of disruption, including defacements, denial of service attacks, and filtering.

F-Secure Labs is observing the situation. We saw a rise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase was due to election-related activity or something else.

Malaysia, detections

On 03/05/13 At 11:57 AM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Webinar: Embedded

F-Secure Labs Webinar: Mobile Threat Report Q1 2013

On 13/05/13 At 01:51 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

The Fog of Cyber Defence


The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, cyber arms race, and cyber defense from a Nordic viewpoint.

The book was written by twenty authors:

Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries - (Jari Rantapelkonen & Harry Kantola)
Sovereignty in the Cyber Domain - (Topi Tuukkanen)
Cyberspace, the Role of State, and Goal of Digital Finland - (Jari Rantapelkonen & Saara Jantunen)
Exercising Power in Social Media - (Margarita Jaitner)
Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 - (Kari Alenius)
The Origins and the Future of Cyber Security in the Finnish Defence Forces - (Anssi Kärkkäinen)
Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation - (Kristin Hemmer Mørkestøl)
Cyber Security in Sweden from the Past to the Future - (Roland Heickerö)
A Rugged Nation - (Simo Huopio)
Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration - (Erka Koivunen)
Cyberwar: Another Revolution in Military Affairs? - (Tero Palokangas)
What Can We Say About Cyberwar Based on Cybernetics? - (Sakari Ahvenainen)
The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War - (Jan Hanska)
Theoretical Offensive Cyber Militia Models - (Rain Ottis)
Offensive Cyber Capabilities are Needed Because of Deterrence - (Jarno Limnéll)
Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment - (Jouko Vankka & Tapio Saarelainen)
The Care and Maintenance of Cyberweapons - (Timo Kiravuo & Mikko Särelä)
The Exploit Marketplace - (Mikko Hyppönen)

The Fog of Cyber Defence can be downloaded as a PDF file from http://urn.fi/URN:ISBN:978-951-25-2431-0

On 30/04/13 At 06:53 AM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Webinar: Monday, May 13th

It's time to schedule another F-Secure Labs webinar!

We're trying out Google's "Hangouts On Air" this go-around:

Google Hangout Webinar, May13

Details: F-Secure Labs Threat Report Preview Webinar

Hope to see you there.

On 10/05/13 At 05:43 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Apple's Root Certs Include the DoD

Fun Fact!

Among the trusted root certificates used by Mac OS X, iOS 5 and iOS 6 are two from the United States Department of Defense (DoD):

DoD_CLASS_3_Root_CA
DoD_Root_CA_2

Interesting, no?

On 24/04/13 At 06:39 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Twitter's Password Fails

Let's say you want to hack Jack Dorsey's online banking account. Where to start? His username?

Challenging… his online banking username is a secret. But how about his Twitter account?

Oh, that's easy. It's @jack.

That's the problem with "social" usernames — they're meant to be known.

Twitter's Password Fails

Another problem, Twitter appears to validate e-mail addresses:

Twitter's Password Fails

Looks like nobody's home at [email protected]:

Twitter's Password Fails

Twitter's settings include an option to require "personal" information such as an e-mail or phone number:

Twitter's Password Fails

But that's less than useless if Twitter won't actually let you add your number:

Twitter's Password Fails

And just how "personal" is a phone number anyway?

Twitter's Password Fails

Two-factor authentication?

Sure.

But Twitter should first stop validating e-mail addresses.

And then maybe it could add an option to disallow logins via the publicly known username.

Edited to add: On second thought…

How about this?

Twitter should stop validating e-mail addresses in its password reset form.

And then discriminate between e-mail and username. If an account is accessed with the username, don't provide access to the account settings! The e-mail address (alias) could then be used only by account "administrators".

Example: regular @AP staff could log in with "AP" — no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could log in using the "secret" e-mail address and would be able to change account settings (and lock down the account in case of a breach).

Discriminating between e-mail and username — a way to distinguish between "admins" and "users".

On 07/05/13 At 12:51 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

Infosec's Hall of Fame 2013

Infosecurity Europe 2013 opened its doors today. And tomorrow…

Our own Mikko Hypponen will be inducted into Infosec's Hall of Fame.

Infosecurity Europe's Hall of Fame 2013

Congratulations Mikko!

Session details here.

On 23/04/13 At 12:42 PM

Source: F-Secure Antivirus Research Weblog | 17 May 2013 | 5:56 am EDT

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall) CVE reference:

Source: Full Disclosure | Full-Disclosure | 21 May 2013 | 3:37 am EDT

Sony PS3 Firmware v4.31 - Code Execution Vulnerability

Title: ====== Sony PS3 Firmware v4.31 - Code Execution Vulnerability Date: ===== 2013-05-12 References: =========== http://www.vulnerability-lab.c

Source: Full Disclosure | Full-Disclosure | 20 May 2013 | 8:32 pm EDT

Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

Title: ====== Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities Date: ===== 2013-05-21 References: ==========

Source: Full Disclosure | Full-Disclosure | 20 May 2013 | 8:29 pm EDT

Critical issues affecting multiple game engines

We have just released a paper [1], in which we detail several 0-day issues affecting a number of different game engines, including: Unreal Engine, Cry

Source: Full Disclosure | Full-Disclosure | 20 May 2013 | 8:46 am EDT

Interesting referrer URLs when accessing vulnerability disclosure information

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello list, In the aftermath of most of my full-disclosure posts I've observed quite interesting refer

Source: Full Disclosure | Full-Disclosure | 19 May 2013 | 6:46 pm EDT

Thttpd 2.25b Directory Traversal Vulnerability

Hi guys, You can find the software affected at http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz Thanks, Metropolis

Source: Full Disclosure | Full-Disclosure | 19 May 2013 | 5:12 pm EDT

Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, We have published a revision of our IETF I-D "A method for Generating Stable Privacy-Enhanced A

Source: Full Disclosure | Full-Disclosure | 19 May 2013 | 3:05 pm EDT

AFU vulnerabilities in MCImageManager for TinyMCE

Hello list! I want to warn you about vulnerabilities in Moxiecode Image Manager (MCImageManager). This is commercial plugin for TinyMCE. It concerns

Source: Full Disclosure | Full-Disclosure | 19 May 2013 | 3:00 pm EDT

Defense in depth -- the Microsoft way

Hi @ll, the "Microsoft Installer" creates for applications installed via an .MSI the following uninstall information in the Windows registry (see <ht

Source: Full Disclosure | Full-Disclosure | 19 May 2013 | 12:40 pm EDT

AFU vulnerabilities in MCFileManager for TinyMCE

Hello list! I want to warn you about vulnerabilities in Moxiecode File Manager (MCFileManager). This is commercial plugin for TinyMCE. It concerns a

Source: Full Disclosure | Full-Disclosure | 18 May 2013 | 5:45 pm EDT

Practice of Network Security Monitoring Table of Contents

Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring. The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend.

You can preorder the book through No Starch. Please consider using the discount code NSM101 to save 30%.

I'm still on track to publish by July 22, 2013, in time to teach two sessions of my new course, Network Security Monitoring 101, in Las Vegas. I'll be using the new book's themes for inspiration but will likely have to rebuild all the labs.

I expect the book to approach the 350 page mark, exceeding my initial estimates for 256 pages and 7 chapters. Here's the latest Table of Contents.

I hope you enjoy the book and consider the new class! If you have comments or questions, please post them here or via @taosecurity.


Copyright 2003-2012 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Source: TaoSecurity | 29 Apr 2013 | 6:38 pm EDT

Bejtlich Teaching New Class at Black Hat in July

I'm pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101. From the overview:

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you.

This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.

Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a few virtual machines.

Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.

Black Hat has three remaining price points and deadlines for registration.

Seats are filling -- it pays to register early!

If you have any questions about the class, please leave a comment here or contact me via Twitter at @taosecurity. Thank you.

I'm also talking with Black Hat about teaching at their Istanbul and Seattle events later this year.


Source: TaoSecurity | 21 Apr 2013 | 10:57 am EDT

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report.

In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.

In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.

These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.

Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.

They are listed in no particular order.

  1. Seth Hall (Bro): Watching for the APT1 Intelligence
  2. Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
  3. Chris Sanders: Making the Mandiant APT1 Report Actionable
  4. Symantec: APT1: Q&A on Attacks by the Comment Crew
  5. Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
  6. Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
  7. Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
  8. OpenDNS Umbrella Labs: An intimate look at APT1, China’s Cyber-Espionage Threat
  9. Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
  10. Adam Segal: Hacking back, signaling, and state-society relations
  11. Snorby Labs: APT Intelligence Update
  12. Wendy Nather: Exercises left to the reader
  13. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
  14. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
  15. Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
  16. Cyb3rsleuth: Chinese Threat Actor Part 5
  17. David Bianco: The Pyramid of Pain
  18. Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
  19. Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
  20. Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
  21. Brandon Dixon: Mandiant APT2 Report Lure
  22. Seculert: Spear-Phishing with Mandiant APT Report
  23. PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
  24. Rich Mogull (Securosis): Why China's Hacking is Different
  25. China Digital Times: Netizens Gather Further Evidence of PLA Hacking

M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.

I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.

Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.


Source: TaoSecurity | 2 Mar 2013 | 8:51 pm EST

Recovering from Suricata Gone Wild

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system.

First I stopped the NSM applications on the server.


sudo service nsm stop
Stopping: securityonion
* stopping: sguil server [ OK ]
Stopping: HIDS
* stopping: ossec_agent (sguil) [ OK ]
Stopping: Bro
stopping ds61so-eth1-1 ...
stopping proxy ...
stopping manager ...
Stopping: ds61so-eth1
* stopping: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* stopping: snort_agent (sguil) [ OK ]
* stopping: suricata (alert data) [ OK ]
* stopping: barnyard2 (spooler, unified2 format) [ OK ]
* stopping: prads (sessions/assets) [ OK ]
* stopping: sancp_agent (sguil) [ OK ]
* stopping: pads_agent (sguil) [ OK ]
* stopping: argus [ OK ]
* stopping: http_agent (sguil)
Next I ran a query to look for the top uncategorized events.

$ mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1639
Server version: 5.5.29-0ubuntu0.12.04.1 (Ubuntu)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use securityonion_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> SELECT COUNT(signature)as count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;
+---------+----------------------------------------------------------------------------------+
| count | signature |
+---------+----------------------------------------------------------------------------------+
| 2299160 | SURICATA STREAM Packet with invalid ack |
| 2298505 | SURICATA STREAM ESTABLISHED invalid ack |
| 1777530 | SURICATA STREAM ESTABLISHED packet out of window |
| 38700 | SURICATA STREAM ESTABLISHED retransmission packet before last ack |
| 24181 | SURICATA STREAM TIMEWAIT ACK with wrong seq |
| 5430 | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management |
| 3160 | SURICATA STREAM Last ACK with wrong seq |
| 753 | ET POLICY Dropbox.com Offsite File Backup in Use |
| 637 | SURICATA HTTP unknown error |
| 626 | SURICATA STREAM SHUTDOWN RST invalid ack |
| 505 | SURICATA STREAM FIN1 FIN with wrong seq |
| 494 | SURICATA HTTP request field too long |
| 448 | ET POLICY PE EXE or DLL Windows file download |
| 315 | ET RBN Known Malvertiser IP (22) |
| 270 | ET POLICY iTunes User Agent |
| 266 | SURICATA STREAM CLOSEWAIT ACK out of window |
| 237 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
| 219 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard |
| 217 | SURICATA STREAM 3way handshake with ack in wrong dir |
| 151 | SURICATA STREAM FIN2 FIN with wrong seq |
+---------+----------------------------------------------------------------------------------+
20 rows in set (15.24 sec)
Wow, that's a lot of SURICATA STREAM events. I need to categorize them as non-issues to recover the Sguil server.


mysql> UPDATE event SET status=1, last_modified='2013-02-24 16:26:00', last_uid='sguil' WHERE event.status=0 and event.signature LIKE 'SURICATA STREAM%';
Query OK, 6443375 rows affected, 65535 warnings (3 min 4.89 sec)
Rows matched: 6443375 Changed: 6443375 Warnings: 6443375
Let's see what the database thinks now.

mysql> SELECT COUNT(signature)as count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;
+------+-----------------------------------------------------------------------------------------+
| cnt | signature |
+------+-----------------------------------------------------------------------------------------+
| 5430 | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management |
| 753 | ET POLICY Dropbox.com Offsite File Backup in Use |
| 637 | SURICATA HTTP unknown error |
| 494 | SURICATA HTTP request field too long |
| 448 | ET POLICY PE EXE or DLL Windows file download |
| 315 | ET RBN Known Malvertiser IP (22) |
| 270 | ET POLICY iTunes User Agent |
| 237 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
| 219 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard |
| 133 | ET INFO PDF Using CCITTFax Filter |
| 106 | ET POLICY Pandora Usage |
| 97 | ET CHAT Facebook Chat (buddy list) |
| 93 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET |
| 58 | ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection |
| 41 | PADS New Asset - ssl TLS 1.0 Client Hello |
| 39 | SURICATA HTTP response header invalid |
| 39 | ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client |
| 36 | ET POLICY Python-urllib/ Suspicious User Agent |
| 36 | ET MALWARE Possible Windows executable sent when remote host claims to send a Text File |
| 28 | ET POLICY Http Client Body contains pw= in cleartext |
+------+-----------------------------------------------------------------------------------------+
20 rows in set (0.03 sec)
That's much better.

Before restarting the NSM services, I edit the autocat.conf file to add the following.


none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SURICATA STREAM||1
This will auto-categorize any SURICATA STREAM alerts as non-issues. I want to keep adding events to the database for testing purposes, but I don't want to see them in the console.

Now I restart the NSM services.


sudo service nsm start
Starting: securityonion
* starting: sguil server [ OK ]
Starting: HIDS
* starting: ossec_agent (sguil) [ OK ]
Starting: Bro
starting manager ...
starting proxy ...
starting ds61so-eth1-1 ...
Starting: ds61so-eth1
* starting: netsniff-ng (full packet data) [ OK ]
* starting: pcap_agent (sguil) [ OK ]
* starting: snort_agent (sguil) [ OK ]
* starting: suricata (alert data) [ OK ]
* starting: barnyard2 (spooler, unified2 format) [ OK ]
* starting: prads (sessions/assets) [ OK ]
* starting: pads_agent (sguil) [ OK ]
* starting: sancp_agent (sguil) [ OK ]
* starting: argus [ OK ]
* starting: http_agent (sguil) [ OK ]
* disk space currently at 22%
I check to see if port 7734 TCP is listening.

sudo netstat -natup | grep 7734
tcp 0 0 0.0.0.0:7734 0.0.0.0:* LISTEN 10729/tclsh
Now the Sguil server is listening. I can connect with a Sguil client, even the 64 bit Windows .exe that I just found this morning. Check it out at sourceforge.net/projects/sguil/
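The cleanup the post walks through (count uncategorized alerts per signature, bulk-set the SURICATA STREAM backlog to status 1, then add an autocat.conf rule so future ones are categorized on arrival), as an added example that is not code from the post or from Sguil. It uses an in-memory SQLite stand-in for the MySQL event table with constructed rows; the autocat.conf field order and the matching logic are assumptions about how Sguil applies such a rule.

```python
import re
import sqlite3

# Constructed rows for the columns this example uses; the real Sguil `event`
# table in securityonion_db has many more. status 0 = uncategorized; the post
# sets status 1, which it uses for "non-issue" events, to clear the backlog.
SAMPLE_EVENTS = [
    ("ds61so-eth1", "10.0.0.5", 52100, "192.0.2.10", 443, 6, "SURICATA STREAM Packet with invalid ack"),
    ("ds61so-eth1", "10.0.0.5", 52101, "192.0.2.10", 443, 6, "SURICATA STREAM Packet with invalid ack"),
    ("ds61so-eth1", "10.0.0.7", 40022, "192.0.2.20", 80, 6, "SURICATA STREAM Packet with invalid ack"),
    ("ds61so-eth1", "10.0.0.7", 40023, "192.0.2.20", 80, 6, "SURICATA STREAM ESTABLISHED invalid ack"),
    ("ds61so-eth1", "10.0.0.9", 33001, "192.0.2.30", 80, 6, "SURICATA STREAM ESTABLISHED invalid ack"),
    ("ds61so-eth1", "10.0.0.9", 33002, "192.0.2.30", 80, 6, "SURICATA HTTP unknown error"),
    ("ds61so-eth1", "10.0.0.5", 52102, "192.0.2.40", 443, 6, "ET POLICY Dropbox.com Offsite File Backup in Use"),
]

# The rule the post adds to autocat.conf.
AUTOCAT_RULE = "none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SURICATA STREAM||1"

# Assumed field order of one autocat.conf line: erase time, sensor, source IP,
# source port, destination IP, destination port, protocol, signature, status.
AUTOCAT_FIELDS = ("erase", "sensor", "src_ip", "src_port", "dst_ip",
                  "dst_port", "proto", "signature", "status")


def make_db():
    """In-memory SQLite stand-in for the MySQL securityonion_db event table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE event (sensor TEXT, src_ip TEXT, src_port INTEGER, dst_ip TEXT, "
        "dst_port INTEGER, proto INTEGER, signature TEXT, status INTEGER DEFAULT 0, "
        "last_modified TEXT, last_uid TEXT)")
    conn.executemany(
        "INSERT INTO event (sensor, src_ip, src_port, dst_ip, dst_port, proto, signature) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def top_uncategorized(conn, limit=20):
    """The post's diagnostic query: uncategorized events grouped by signature."""
    rows = conn.execute(
        "SELECT COUNT(signature) AS count, signature FROM event WHERE status=0 "
        "GROUP BY signature ORDER BY count DESC, signature LIMIT ?", (limit,))
    return [(r["count"], r["signature"]) for r in rows]


def bulk_categorize_prefix(conn, prefix, when, uid="sguil"):
    """One-shot cleanup, like the post's UPDATE ... LIKE 'SURICATA STREAM%'.
    Returns the number of rows changed. LIKE is case-insensitive for ASCII in
    SQLite, so it matches more loosely than the anchored regex below."""
    cur = conn.execute(
        "UPDATE event SET status=1, last_modified=?, last_uid=? "
        "WHERE status=0 AND signature LIKE ?", (when, uid, prefix + "%"))
    conn.commit()
    return cur.rowcount


def parse_autocat_line(line):
    """Split one autocat.conf line into a dict, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split("||")
    if len(fields) != len(AUTOCAT_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(AUTOCAT_FIELDS), len(fields)))
    return dict(zip(AUTOCAT_FIELDS, fields))


def rule_matches(rule, row):
    """ANY matches anything; otherwise each tuple field must match exactly and the
    signature matches by regex (%%REGEXP%% prefix) or exact string."""
    for col in ("sensor", "src_ip", "src_port", "dst_ip", "dst_port", "proto"):
        if rule[col] != "ANY" and rule[col] != str(row[col]):
            return False
    sig = rule["signature"]
    if sig.startswith("%%REGEXP%%"):
        return re.search(sig[len("%%REGEXP%%"):], row["signature"]) is not None
    return sig == row["signature"]


def apply_autocat(conn, line, when, uid="sguil"):
    """Categorize every uncategorized event the rule matches; returns the count.
    This mimics what Sguil does on arrival once the rule is in autocat.conf."""
    rule = parse_autocat_line(line)
    if rule is None:
        return 0
    hits = [r["rowid"] for r in conn.execute("SELECT rowid, * FROM event WHERE status=0")
            if rule_matches(rule, r)]
    conn.executemany(
        "UPDATE event SET status=?, last_modified=?, last_uid=? WHERE rowid=?",
        [(int(rule["status"]), when, uid, rowid) for rowid in hits])
    conn.commit()
    return len(hits)


if __name__ == "__main__":
    db = make_db()
    print(top_uncategorized(db))
    print(apply_autocat(db, AUTOCAT_RULE, when="2013-02-24 16:26:00"), "events categorized")
    print(top_uncategorized(db))
```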


Source: TaoSecurity | 24 Feb 2013 | 11:43 am EST

Using Bro to Log SSL Certificates

I remember using an older version of Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn't appear to be enabled by default. I asked Seth Hall about this capability, and he told me how to get Bro to log all SSL certs that it sees.

Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below.


diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro
--- /opt/bro/share/bro/site/local.bro.orig 2013-02-23 01:54:53.291457193 +0000
+++ /opt/bro/share/bro/site/local.bro 2013-02-23 01:55:16.151996423 +0000
@@ -56,6 +56,10 @@
# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs

+# Log certs per Seth
[email protected] protocols/ssl/extract-certs-pem
+redef SSL::extract_certs_pem = ALL_HOSTS;
+
# If you have libGeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
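Review bot: the second `+` line of this hunk reads `[email protected] protocols/ssl/extract-certs-pem`, which is a copy artifact of `+@load protocols/ssl/extract-certs-pem` (an address-obfuscation filter mangled the `+@` sequence); anyone pasting this into local.bro needs the real `@load`, because the following `redef SSL::extract_certs_pem = ALL_HOSTS;` refers to a variable that script defines. Also worth noting: `ALL_HOSTS` writes out the certificate of every server Bro observes, not only local ones, so on a busy sensor the output grows quickly; since the post only inspects certs-remote.pem, narrowing the redef to the hosts of interest may be cleaner.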
Restart Bro.

~# broctl

Welcome to BroControl 1.1

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name Type Host Status Pid Peers Started
bro standalone localhost running 3042 0 17 Feb 13:22:42
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit

After restarting you will have a new log for all SSL certs:


ls -al certs-remote.pem
-rw-r--r-- 1 root root 31907 Feb 23 02:05 certs-remote.pem

New certs are appended to the file as Bro sees them. A cert looks like this:


-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
OpenSSL's x509 command reads only the first certificate in the file, e.g.:

openssl x509 -in certs-remote.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
77:24:50:6d:4f:9a:87:9d:4b:c6:6e:67:88:f2:60:c9
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
Validity
Not Before: Feb 29 00:00:00 2012 GMT
Not After : Feb 28 23:59:59 2013 GMT
Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2927442, C=US/postalCode=60603, ST=Illinois, L=Chicago/street=135 S La Salle St, O=Bank of America Corporation, OU=Network Infrastructure, CN=www.bankofamerica.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:e6:52:eb:6a:9d:c5:b3:36:5c:10:35:a3:3a:
20:97:5a:69:d9:10:b5:40:6f:56:7c:a9:a1:b4:92:
eb:d1:a0:2b:29:00:89:09:71:f1:06:50:19:b3:c2:
a4:99:87:c6:67:7b:83:3d:49:46:70:e7:b6:3a:7b:
37:a3:e0:fd:c0:b8:ed:1b:c7:d8:63:84:80:17:4f:
a0:68:da:a8:c2:29:ac:35:d6:48:e8:2c:06:0e:ec:
04:6d:10:bb:d8:cf:74:0c:07:2a:19:74:a6:ff:b0:
6e:42:01:63:68:67:d9:70:31:33:61:16:9a:a6:a4:
8d:ba:7b:02:b5:24:ad:85:75:fe:a2:35:2c:85:0f:
a0:ee:68:1a:c1:97:60:12:d3:69:f0:32:e1:f3:bc:
6a:ec:ff:82:a6:31:7d:c8:94:8f:d9:96:8b:4f:4f:
02:a8:67:07:97:94:8c:f6:2a:bb:8c:85:e9:20:35:
57:8e:80:84:2e:1c:99:a4:99:74:7d:7c:66:63:ba:
a2:7a:77:e3:8b:6f:8f:22:4e:9f:ce:84:ad:bd:15:
3e:61:5f:73:c1:20:6c:b7:ca:a5:a8:5e:3b:b1:ab:
a2:96:9b:0a:bf:d3:29:5e:9f:85:2b:b0:72:9e:ec:
0e:cd:52:0b:63:c9:85:5f:b0:eb:fd:19:52:aa:69:
f4:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
AD:F7:DC:13:30:7C:18:27:7B:34:83:6A:DC:E3:DD:8D:8A:6E:29:8D
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:

Full Name:
URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.6
CPS: https://www.verisign.com/rpa

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43

Authority Information Access:
OCSP - URI:http://EVSecure-ocsp.verisign.com
CA Issuers - URI:http://EVSecure-aia.verisign.com/EVSecure2006.cer

1.3.6.1.5.5.7.1.12:
0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
Signature Algorithm: sha1WithRSAEncryption
77:d6:c8:64:dc:24:3f:8c:c7:f3:3b:58:7a:a8:29:be:39:e5:
94:aa:00:af:98:07:f6:e8:9a:01:c7:d8:62:1f:1f:ac:5a:3d:
7f:cf:5d:6b:2e:9d:e8:12:de:df:8a:a1:6c:8f:be:b3:59:70:
1d:87:21:f4:6e:9f:ec:3c:6c:40:0f:b5:50:24:48:80:be:d5:
11:ef:4d:79:39:4c:8d:a3:ea:a7:c0:99:36:ad:93:65:bf:06:
72:76:db:04:9a:76:32:c1:51:20:2d:0b:85:9b:de:b6:72:c6:
db:8e:60:2a:13:e3:83:4f:dc:24:ea:36:c8:a6:57:ea:86:74:
a3:d8:02:f8:c5:33:52:d9:18:f7:fa:32:ac:5e:56:6f:cc:20:
5d:5e:cf:04:c2:af:48:c2:87:0b:52:96:96:57:a3:9b:85:7b:
31:92:01:68:9f:f2:97:d1:f4:bd:4c:06:a6:b3:84:5a:3f:02:
09:ce:fa:f9:13:11:3e:35:2c:9a:b9:fb:35:ba:d7:4a:a0:4c:
14:6a:84:b5:d9:9d:50:56:dc:62:b9:e3:60:74:52:a8:4c:04:
df:38:3a:30:6f:50:be:20:31:0f:26:66:34:ba:b0:73:12:17:
6b:b0:c1:02:b5:8c:49:55:80:43:02:16:e1:a1:c1:ba:c9:8a:
60:dd:ac:92
Since each cert has a standard header and footer, I bet someone could write a parser to extract each cert from the certs-remote.pem file to separate files. Thanks a lot Seth!
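Here is that parser, as an added example that is not part of the original post or of Bro. It splits a concatenated PEM file into one file per distinct certificate, named by the SHA-1 fingerprint that `openssl x509 -noout -fingerprint -sha1` reports, skipping exact duplicates and any block that fails to decode (a truncated block at the end of a file is the usual case). The bundle embedded below is constructed: its blocks carry arbitrary base64 rather than real certificates, which is enough to exercise the framing logic; point it at a real certs-remote.pem and the output files can be fed to `openssl x509 -in <file> -text -noout` one at a time.

```python
import base64
import binascii
import hashlib
import os
import re
import sys
from typing import Iterator, List, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text: str) -> Iterator[Tuple[str, bytes, str]]:
    """Yield (fingerprint, der, pem) for each distinct certificate in a PEM bundle.

    fingerprint is SHA-1 over the DER encoding, colon-separated uppercase hex,
    which is the value `openssl x509 -fingerprint -sha1` prints."""
    seen = set()
    for m in PEM_RE.finditer(text):
        body = "".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue                      # corrupt or truncated block
        digest = hashlib.sha1(der).hexdigest().upper()
        if digest in seen:
            continue                      # same cert logged more than once
        seen.add(digest)
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
        pem = ("-----BEGIN CERTIFICATE-----\n"
               + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
               + "\n-----END CERTIFICATE-----\n")
        yield fingerprint, der, pem


def fingerprints(text: str) -> List[str]:
    return [fp for fp, _, _ in split_pem_bundle(text)]


def write_certs(text: str, outdir: str) -> List[str]:
    """Write one <sha1>.pem per distinct certificate and return the file names."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for fp, _der, pem in split_pem_bundle(text):
        name = fp.replace(":", "") + ".pem"
        with open(os.path.join(outdir, name), "w") as f:
            f.write(pem)
        names.append(name)
    return names


# Constructed sample: the bodies are arbitrary base64, not real certificates.
# Block 1 appears twice and block 4 is not valid base64.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBsampleOne000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleTwo000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleOne000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not*valid*base64
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # usage: split_certs.py certs-remote.pem outdir   (no args: dry run on the sample)
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f:
            for name in write_certs(f.read(), sys.argv[2]):
                print(name)
    else:
        for fp in fingerprints(SAMPLE_BUNDLE):
            print(fp)
```

Naming the files by fingerprint makes duplicates collapse naturally across runs, and the fingerprint is what to quote when comparing a captured certificate against what the site's operator or a CT log says it should be.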


Source: TaoSecurity | 22 Feb 2013 | 9:21 pm EST

Practical Network Security Monitoring Book on Schedule

First the good news: my new book Practical Network Security Monitoring is on track, and you can pre-order with a 30% discount using code NSM101.

I'm about 1/3 of the way through writing the book. Since I announced the project last month, I've submitted chapters 1, 2, and 3. They are in various stages of review by No Starch editors and my technical editors. I seem to be writing more than I expected, despite trying to keep the book at an introductory level. I find that I want to communicate the topic sufficiently to make my point, but I try to avoid going too deeply into related areas.

I'm also encountering situations where I have to promise to explain some concepts later, rather than explain everything immediately. I believe once I get the first chapter ironed out with the editor, the rest will be easier to digest. I'm taking a fairly methodical approach (imagine that), so once the foundation in chapter 1 is done the rest is more straightforward.

I'm keeping a fairly aggressive schedule. Basically I have to write a chapter each week, get it to my technical editors, and then spend additional time working with No Starch to get the text legible and ready for print. All of this is happening in parallel in order to have the books in print by Black Hat. That means the text must be done by the first week in April. My family is helping me stay on track by giving me time and space to write, especially on the weekends. Thank you!

When working on the examples, I've been very pleased with the performance of VMWare Workstation 9. I have one copy installed on Windows 7, where I write with Word. I have a second copy installed on Ubuntu Server, where it acts like a "VMWare Server." I used to run a real ESXi server on server-class hardware. Now, to save electricity and to better match my computing power to my requirements, I run a Shuttle DS61 with a Core i5-3450S 2.80GHz CPU, 16 GB RAM, 750 GB HDD, and two onboard NICs. The two NICs are really awesome in a device this small -- 190(L) x 165(W) x 43(H) mm. With two NICs, I can devote one to management and one to network traffic collection and interpretation. I use a Net Optics Dual Port Aggregator Tap for access to the wire.

I use VMWare Workstation this way. I run a Linux VM on Workstation on my Windows 7 laptop. I connect via Workstation to the Workstation instance on Ubuntu on the DS61. Then I create whatever VMs I need on the DS61. For example, I created a Security Onion server and sensor to test that setup. With 16 GB RAM, I have plenty of RAM for both, plus another VM that I'm running as my "production" Security Onion sensor for the lab network.

Writing is going well, despite the fact that I last wrote a book in 2005. I promised my youngest daughter, who wasn't born until 2006, that this new book is for her. If you have any questions on the writing process, please post them here or ask me on Twitter.


Source: TaoSecurity | 11 Feb 2013 | 10:27 pm EST

On Thought Leadership and Non-Technical Relevance

A reader left a comment on my post 2012: The Year I Changed What I Read. He said:

Richard, it's interesting to note that your career has shifted from "pure" technology to more of a thought leadership role where you can leverage your training and interest in history, political science, etc. I wonder if you ever expected to become such a public figure in the whole debate about China when you first started with infosec?

Your career path is an encouraging example for others to follow. Even though I work in technology, I also have a sociology/political science background and I've been wondering how I can leverage those interests, especially as I get older and cheaper/hungrier techies continue to enter the industry.

Thank you for your comment and question. I will try to answer here.

I did not plan to become a "public" figure, and I don't necessarily consider myself exceptionally "public" now. I just reviewed my TaoSecurity news page to see when I first started speaking at conferences. Before joining Foundstone, I spoke at a few events because I believed too few people were discussing incident detection and traffic analysis. Once I joined Foundstone in April 2002 as a member of Kevin Mandia's incident response team, I became a public speaker out of necessity. Kevin and Foundstone expected consultants to speak, teach, and write, in addition to performing consulting duties. I've stayed in that mindset ever since, although I speak, teach, and write on increasingly diverse topics.

I see the "thought leadership" question in two ways. First, I took deliberate actions to get my thoughts to the world. I wrote my books and post to this blog as a way to capture my thinking on a coherent set of subjects. I hope they are useful to others, but I see these as outlets for self-expression.

The second way I think about "thought leadership" involves my work duties. If you look at my press page you will see a jump in activity in 2011, the year I joined Mandiant. In addition to being CSO, I'm also responsible for speaking with the press, industry analysts, policy makers, and some customers and prospects. I enjoy these opportunities because I realize there are a lot of sources for tools but few for methodologies and operational processes. To the extent I can share my recommendations for how to combat intruders and avoid wasting resources or pursuing dead ends, I consider this second form of thought leadership a success.

Finally, let me address the point about leveraging what are traditionally "non-security" skills or interests, namely history and political science. As I've posted and Tweeted earlier, the world is waking up to the fact that the techies and engineers don't have all the answers. Every time you hear someone say that the answer is to build Internet 2, and "get it right," you're listening to an "engineering first" mindset.

I love engineers (my dad is one, I took plenty of engineering in college, I work with engineers, etc.) but their viewpoint is but one of many. Technical knowledge doesn't give anyone a golden ticket to good policy. If we don't engage people who understand lessons of history and policy, we'll continue to lose when facing advanced intruders.

I would argue that a person who knows technology, security, history, and politics is equipped to be very valuable to an organization trying to build a mature security operation, or that seeks to influence policy. Your interests and skills may not align with your current role, so you may need to keep those strengths in mind when looking for a job better aligned with history and politics.

I think the key is to strive to stay relevant in whatever area interests you. If you like non-technical subjects, you've got to stay current with them and develop your thoughts and analysis on those issues the same as you might with technical topics.

Thank you for your comment. I welcome other comments here or on Twitter.


Source: TaoSecurity | 26 Jan 2013 | 11:03 am EST

How to Win This TCP/IP Book

Last week I wished this blog happy tenth birthday and announced plans for a new book on network security monitoring. I also mentioned a contest involving a book give-away. I finally figured out a good way to select a winner, and it involves your participation in my current writing project!

Thanks to No Starch Press I have a brand-new, shrink-wrapped copy of The TCP/IP Guide, a mammoth 1616 page hardcover book by Charles M. Kozierok.

Here's what you have to do to try to win this book: submit a case study on how network security monitoring helped you detect, respond to, and contain an intrusion in your environment.

You don't have to reveal your organization, but I want to know some general information like the number of users and computers. Readers need to know the sort of environment where NSM worked for you, but I don't want you to reveal your organization (unless you want to).

Tell the reader what happened, what NSM data you used, how you used it, and how you handled the incident. Extra points go to writers who include log excerpts and screen captures.

I will include the submission in my new book, subject to editing by myself and No Starch, for readability and comprehension.

The deadline for submission is 10:00 pm eastern time, Saturday 26 January (sorry for the earlier typo). I managed to extend the deadline a little. Quality trumps quantity here -- I'm not looking for another chapter!

Please submit your entries as plain text in email to taosecurity at gmail dot com. I won't open .doc or .pdf or other files which could contain surprises.

When you take screen captures, save them in high-resolution .tif format without compression. Don't take a capture of command-line information; instead, copy the text into the story. When taking screen captures of GUI tools and the like, don't take a capture of a giant window; resize to something that will be legible on a printed page.

This is an example of a bad screen capture:

This is a good screen capture:

Depending on the quality of any screen captures, I may ask you to resubmit them to meet the publisher's requirements.

If you have any questions, please post them here.

The winner will receive the pictured TCP/IP book. Once my new book arrives, I will ask the publisher to mail you a free copy too.

If I receive one or more good runners-up, I will ask the publisher to send their authors copies of my new book too.

If you have any questions, please submit them as comments here. Good luck!


Source: TaoSecurity | 16 Jan 2013 | 7:52 pm EST

Bejtlich's New Book: Planned for Summer Publication

Nearly ten years after I started writing my first book, the Tao of Network Security Monitoring, I'm pleased to announce that I just signed a contract to write a new book for No Starch titled Network Security Monitoring in Minutes.

From the book proposal:

Network Security Monitoring in Minutes provides the tactics, techniques, and procedures for maximum enterprise defense in a minimum amount of time.

Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. Network Security Monitoring in Minutes teaches information technology and security staff how to leverage powerful NSM tools and concepts immediately.

Using open source software and vendor-neutral methods, the author applies lessons he first began applying to military networks in 1998. After reading this book, the audience will be able to integrate the same winning approaches to better defend his or her company’s data and networks.

Network Security Monitoring in Minutes is an important book because nearly all organizations operate a network. By connecting to the Internet, they expose their intellectual property, trade secrets, critical business processes, personally identifiable information (PII), and other sensitive information to attackers worldwide. Without the network level vigilance provided by this book, organizations will continue to be victimized for months, and in many cases years, before learning they have been breached.

This book consists of the following chapters:

Chapter 1, Network Security Monitoring Rationale, explains why NSM matters and helps readers gain the support needed to deploy NSM in their environment.

Chapter 2, Accessing Network Traffic, addresses the challenges and solutions surrounding physical access to network traffic.

Chapter 3, Sensor Deployment and Configuration, introduces Security Onion (SO), and explains how readers can install the software on spare hardware to gain an initial NSM capability at low or no cost.

Chapter 4, Tool Overview, guides the reader through the core SO tool set, focusing on those capabilities most likely to help handle digital intrusions.

Chapter 5, Network Security Monitoring Operations, shares the author’s experience building and leading a global Computer Incident Response Team (CIRT), such that readers can apply those lessons to their own operations.

Chapter 6, Server-Side Compromise, is the first NSM case study, wherein readers will learn how to apply NSM principles to identify and validate a compromise of an Internet-facing application.

Chapter 7, Client-Side Compromise, is the second NSM case study, offering readers an example of a user being victimized by a client-side attack. NSM data will again identify and validate the compromise, prompting efficient incident response.

The Conclusion extends NSM principles beyond the enterprise into hosted and Cloud settings, offering future options for those environments.

The Appendix discusses tools that are not open source, but which may be helpful to those conducting NSM operations.

My goal is to finish this short book (roughly 220 pages) in time for publication at Black Hat this summer. Thank you to Pearson/Addison-Wesley for giving me the flexibility to write this complementary NSM book, and to No Starch for signing me to their publishing house.


Source: TaoSecurity | 8 Jan 2013 | 7:51 am EST

Happy 10th Birthday TaoSecurity Blog

Today, 8 January 2013, is the 10th birthday of TaoSecurity Blog!

I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone, working for Kevin Mandia. Today I am Chief Security Officer at Mandiant, back working for Kevin Mandia. (It's a small world.)

With 2905 posts published over these 10 years, I am still blogging -- but much less. Looking at all 10 years of blogging, I averaged 290 per year, but in the age of Twitter (2009-2012) I averaged only 144 blog posts per year. Last year I wrote 60 times.

Why the drop over the years? First, I "blame" my @taosecurity Twitter account. With over 15,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. However, I really enjoy Twitter and make the trade-off gladly. It would be nice to become a verified user though, with access to two-factor or two-step authentication.

Second, blogging used to be the primary way I could share my ideas with the community. These days, speaking and writing are a big part of my professional duties. For example, last year news outlets quoted me 55 times. Those citations represent hundreds of hours spent talking to the press, explaining how security works and how to improve our situation. I also wrote for the Mandiant Blog, and spoke or taught at 22 events. At the end of many days, I feel like I'm getting my message out without blogging.

Third, time is precious. I enjoy spending time with my family, or reading, or working out, or learning to play guitar when I'm not working for Mandiant.

However, I still plan to keep blogging in 2013. Twitter's only a 140 character platform, and some days I have the time and inclination to share a few thoughts beyond what I've said or written for work.

To celebrate the blog's 10th birthday, I will be announcing a book giveaway on my @taosecurity Twitter account either today or before the end of the week. Follow me on Twitter for details.

Before finishing I'd like to thank Blogger, now part of Google, for providing me this free platform for the past ten years. Way to go!

In my next post I will share word on an exciting new project. Stay tuned.


Source: TaoSecurity | 8 Jan 2013 | 7:01 am EST

Welcome to Network Security Monitoring in the Cloud

I just watched an incredible technical video. If you have about 10 minutes to spare, and want to be amazed, take a look at Snorby Cloud.

I think the video and Web site does an excellent job explaining this new offering, but let me provide a little background.

Many of the readers of this blog are security pros. You're out there trying to defend your organization, not necessarily design, build, and run infrastructure. You still need tools and workflows that accelerate your incident detection and response process though. So, you work as a security admin, system admin, storage admin, database admin... you get the picture. You manage to keep up, but you probably wish you could focus on finding bad guys, as quickly as possible, without taking care of all the *stuff* that you need to do your job.

While many of you are security experts, some are just beginning your journeys. The responsibilities of being an admin of four or more different shades is overwhelming. Furthermore, you don't have the experience, or budget, or support to get the security data and escalation paths needed to defend your network. How can you improve your skills when you're constantly overwhelmed?

Both kinds of users -- senior and junior alike -- are going to find something intriguing about Snorby Cloud. Maybe you've heard of Snorby before, as a Web-based interface to Network Security Monitoring data. Doug Burks packages it with Security Onion (SO), and you can try it via live CD or .iso in a VM. It looks great on my iPad! There's even a mobile version on iTunes.

Snorby Cloud would be cool if it just put the Snorby Web application in the cloud, and managed the administrative side of security infrastructure for you. For example, you'd log into the cloud interface and be greeted by the graphs you remember from traditional Snorby.

However, you have to think of this as a new, better version of Snorby, collecting far more useful data, and making it rapidly available to the analyst. For example, the following shows SMTP logs available in the interface:

You can just as easily access host-based logs for the same victim computer:

As you investigate the incident, you can see who else on your team is working and what they did. You can also chat with them in real time.

I could say a lot more about this new tool, but I think watching the video will convey some of what it can do. My next step is to get the agents running on a test network so I can drive the console myself and become more familiar with it.

Snorby Cloud is a product from Packet Stash. Follow them at @packetstash for updates.

Disclaimer: I'm friends with this team; I hired two of the co-founders into GE-CIRT, and later worked with all three co-founders at Mandiant.


Source: TaoSecurity | 7 Jan 2013 | 10:19 pm EST

Security Onion + (ELSA or Snorby) + CapMe = Awesome

Happy New Year everyone, and with some new open source software, what a year it will be.

Monday Doug Burks released Security Onion 12.04. Please read Doug's post to learn how great this new 64 bit release is. I wanted to highlight a few features of the new release which takes Network Security Monitoring with open source tools to a new level for security analysts.

12.04 ships with Martin Holste's Enterprise Log and Search Archive (ELSA) working out of the box. Thanks to close integration with the latest version of Bro, analysts have Web-based, indexed access to Bro logs.

If that weren't enough, 12.04 also ships with a late addition -- Paul Halliday's CapMe. What this means is that you can now access full TCP transcripts from any alert in Dustin Webber's Snorby or Martin's ELSA.

You might not appreciate that right away, but it's a step in the right direction. Thus far, Bamm Visscher's Sguil has been the de facto open source NSM reference tool, allowing analysts to easily pivot from alert or session data to full pcap data. Now, with ELSA + CapMe, analysts can pivot from any log entry of TCP traffic with timestamps, IP addresses, protocols, and ports to a Web-based rendering of a transcript.

This is key: this transcript was not saved because of the log or alert. It was saved simply because the traffic was seen on the wire and netsniff-ng recorded it. This is one way to better handle threats who know how to evade signature-based systems.

This new workflow/feature is what I chose to depict in the screen shot at left. The upper window shows ELSA with a query for a BRO_HTTP log for www.testmyids.com. I then invoke CapMe and generate the transcript in the window at bottom. You can do the same from alert data in Snorby.

This is only the first step in giving analysts more data via open source software. Great work Security Onion team!


Source: TaoSecurity | 2 Jan 2013 | 5:34 pm EST

Best Book Bejtlich Read in 2012

It's time to name the winner of the Best Book Bejtlich Read award for 2012!

I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners.

I posted yesterday that 2012 was the year I changed what I read. For example, in 2011 I read and reviewed 22 technical books. In 2012, with a change in my interests, I only read and reviewed one technical book. Thankfully, it was a five star book, which means it is my BBBR 2012 winner!

As you might have figured out yesterday, this year's winner is SSH Mastery by Michael W Lucas. Feel free to read my Amazon.com review for details. Note that I bought a Kindle version from Amazon.com, and later MWL mailed me a print copy.

Besides the excellent style and content, one of the reasons I read the book was to experience MWL's first release of a self-published technical book. I think it was a successful endeavor, although I'm not prepared to try that route myself anytime soon.

If I were to name my favorite non-technical book I read in 2012, it would be For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew. I enjoyed learning more about American history through the eyes of the intel world, but I was shocked by how poorly most presidents understood and (mis)used intelligence.

I'm probably done reading and reviewing technical books, so I consider this to be the final BBBR post. I have over 100 possible (mainly nontechnical) books to read on my Kindle now (in Sample form), but I doubt I will review them when done.

Good luck reading in 2013!


Source: TaoSecurity | 31 Dec 2012 | 2:23 pm EST

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP).

Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery. MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work.

So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some of the results of talking to the reporters on my press page.)

For me, the most interesting questions involved history, political science, and public policy. Probably not by accident, these are the three subjects in which I have degrees.

Accordingly, I bought and read books to add the historical, political, and policy content I needed to balance my technical understanding of the threat landscape. I also read a few books based purely on personal interest, without a work connection.

I thought you might want to know what these books were, despite my lack of interest in reviewing them at Amazon.com.

The books on Chinese topics included:

Of these five, the first was probably the most interesting. The way Chinese intelligence agencies work today appears very much the same way that the author described them almost twenty years ago.

I read three books on intelligence and Russia:

Of these three, the first was exceptional. It combined a history of the US with a history of intelligence through the end of Bush 41's term.

Finally, I read two other books; one related to security, and one completely unrelated:

The first was Bruce Schneier's latest, which I found largely interesting. I recommend reading it, because it may convince you that all the technical safeguards our industry pursues contribute probably less than 10% of the risk mitigation we need in the real world.

The second was another biography of my favorite historical figure, US Grant.

I'm trying to finish Tim Thomas' latest book, Three Faces of the Cyber Dragon, by the end of tomorrow, as well.

In my last post of 2012 I'll announce my Best Book Bejtlich Read in 2012 winner.


Source: TaoSecurity | 30 Dec 2012 | 10:29 am EST

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.")

I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers.

The five books, with links to the Amazon.com reviews, are:

I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python book. I would start with the book we previously reviewed, Super Scratch Programming Adventure!, and then see what your kid can do with Python.

Kudos to No Starch for publishing high quality books that teach kids skills they can use in the work place (programming), or for fun!


Source: TaoSecurity | 30 Dec 2012 | 9:32 am EST

The Value of Branding and Simplicity to Certifications

At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here.

In my opinion, the primary reason the CISSP is so successful is that it is easy to understand it, which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification.

Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP?

Let me guess -- you didn't recognize any of them? Neither did I.

Now, let me see if you recognize any of the following: 1) GGSC-0400, 2) GNET, 3) GAWN-C, 4) GBLC, 5) GCIM?

I believe you didn't recognize any of those either.

How about these: 1) GISP, 2) GLEG, 3) GCIH, 4) GAWN?

I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.

You've probably figured out that the last two lists of acronyms were SANS certifications. The first list was a selection of a few of the retired SANS certifications. There are 26 of those.

The second list was a selection from the list of 24 active SANS certifications.

What about the first list, starting with "SSCP?" Those are other certifications offered by ISC2. They're utterly forgettable. Had I not visited the ISC2 Web site, I would never have known they existed.

Now, one could argue that the brand "SANS" is as recognizable, or even more recognizable, than the brand "CISSP."

The problem is that a person's resume could list "SANS" as a course he or she attended, without noting whether a certain achievement (i.e., certification) was earned. "SANS" is also a poor search term because the diversity of the SANS ecosystem means you could be dealing with a legal professional, or a reverse engineer, or a UNIX system administrator.

What is the answer for SANS, if the CISSP will likely continue to out-market it? I recommend adopting the model used by Cisco. If you hear a person has a CCIE, that means something -- you immediately think of deep knowledge, several levels of work, and grueling hands-on testing over two days in a controlled environment.

The genius of Cisco's approach is that they have "tracks" for the CCIE, e.g. Data Center, Routing and Switching, etc. Those aren't the brands though; that stays with CCIE.

The Cisco approach isn't perfect, because you can't simply search resumes for "CCIE" intending to get a CCIE in security. You might find a CCIE in routing and switching, or wireless. However, if one finds a CCIE, you get a sense of the level of seniority and ability to operate in a stressful environment (at least as far as a test can simulate).

SANS has tried something like the CCIE with their "GIAC Security Expert (GSE)." The GSE is similar to the CCIE in many respects, including horribly tough hands-on labs, but unfortunately hardly anyone knows about it. It is really difficult to reach that level in SANS certification. However, because only 63 people hold it, there's no real market for them.

By the way, I smell a branding failure when SANS certifications like GSE, GCIH, and so on all have a "G," which references another acronym -- "GIAC," for "Global Information Assurance Certification." That doesn't even include the term "SANS," which is the stronger brand. GIAC originally meant "Global Incident Analysis Center," but that's another story.

In brief, I think SANS could increase the branding value of their certifications if they retired the existing acronyms and names, incorporated "SANS" into a new naming scheme, and concentrated on a "level" approach seen with Cisco. Focus on Entry-Level, Associate, Professional, and Expert as Cisco does, and develop programs to accelerate the adoption of the Expert level among its constituency as Cisco did with CCIEs.

Rebranding would cause lots of SANS folk plenty of heartache, but I think integrating "SANS" into the new level-oriented structure would more than compensate for the initial transition costs. Ultimately the system would be stronger for everyone.

What do you think?

Source: TaoSecurity | 26 Dec 2012 | 4:20 pm EST

Why Collect Full Content Data?

I recently received the following via email:

I am writing a SANS Gold paper on a custom full packet capture system using Linux and tcpdump. It is for the GSEC Certification, so my intent is to cover the reasons why to do full packet capture and the basic set up of a system (information that wasn't readily available when setting my system up)...

I am already referencing The Tao of Network Security Monitoring.

These are the questions that I came up with based on questions other peers have asked me...

Here are the questions, followed by my answers. Most of this is covered in my previous books and blog posts, but for the sake of brevity I'll try posting short, stand-alone responses.

  1. As an information security analyst in today's threat landscape, why would I want to do full packet capture in my environment? What value does it have?

    Full content data or capturing full packets provides the most flexibility and granularity when analyzing network-centric data. Unlike various forms of log data, full content data, if properly collected, is the actual data that was transferred -- not a summarization, or representation, or sample.

  2. Where should I place a full packet capture system on my network - are ingress/egress points sufficient?

    I prioritize collection locations as follows:

    • Collect where you can see the true Internet destination IP address for traffic of interest, and where you can see the true internal source IP address for traffic of interest. This may require deploying two traffic access methods with two sensors; so be it.
    • Collect where you can see traffic to and from your VPN segment. Remember the previous IP address requirements.
    • Collect where you can see traffic to and from business partners or through "third party gateways." You need to acquire the true source IP, but you may not be able to acquire the true destination IP if the business partner prevents collecting behind any NAT or security devices that obscure the true destination IP.
    • Collect where your business units exchange traffic. This is more of a concern for larger companies, but you want to see true source and destination IPs (if possible) of internal traffic as they cross business boundaries.
    • Consider cloud or hosted vendors who enable collection near Infrastructure-as-a-Service platforms used by your company.

  3. What advantages are there to creating a custom server with open source tools (such as a server running Linux and capturing with tcpdump) as opposed to buying a commercial solution (like Solera or Niksun)?

    A custom or "open" platform enables analysts to deploy the sorts of tools they need to accomplish their security mission. Closed platforms require the analyst to rely on the information provided by the vendor.

  4. Now that I have full packet data, what kind of analysis goals should I have to address advanced threats and subtle attacks?

    The goal for any network security monitoring operation is to collect and analyze indicators and warnings to detect and respond to intrusions. Your ultimate role is to detect, respond to, and contain adversaries before they accomplish their mission, which may be to steal, alter, or destroy your data.

  5. Any other advice for an analyst just getting started with full packet capture systems and analyzing the data?

    Rarely start with full content data. Don't dump a ton of traffic into Wireshark and start scrolling around. I recommend working with session data (connection logs) and application-specific logs (HTTP, DNS, etc.) to identify sessions of interest, then examine the content if necessary to validate your suspicions.
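The workflow in answers 2 and 5 (collect where true source and destination IPs are visible, start from session data, then pull only the sessions of interest out of the full-content store) as an added example; this is not code from the post. The conn-log layout, the 10.0.0.0/8 internal range, the selection thresholds, and the hourly tcpdump rotation naming are all assumptions made for the example.

```python
"""Session data first, then full content (added example; not the post's code).

Connection-log lines are constructed for this example in an assumed
whitespace-separated layout (a real Zeek/Bro conn.log carries more fields):
    ts src_ip src_port dst_ip dst_port proto duration orig_bytes resp_bytes
"""
import ipaddress
import shlex
import time
from dataclasses import dataclass

# Constructed sample session records (not real traffic).
CONSTRUCTED_CONN_LOG = """\
1353926400.100 10.1.2.34 51234 93.184.216.34 443 tcp 2.1 1500 9800
1353926401.300 10.1.2.34 51235 10.1.2.1 53 udp 0.0 60 120
1353926402.000 10.1.5.77 51999 198.51.100.23 8443 tcp 3605.2 52000000 8100
1353926403.800 10.1.2.34 51240 203.0.113.9 80 tcp 0.5 420 3100
1353926404.100 10.1.9.12 50111 192.0.2.77 6667 tcp 1200.0 9000 41000
"""

# Assumption: the monitored organisation uses 10.0.0.0/8 internally.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Session:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse the constructed conn-log layout into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 9:
            raise ValueError(f"malformed conn-log line: {line!r}")
        sessions.append(Session(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                                f[5], float(f[6]), int(f[7]), int(f[8])))
    return sessions


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sessions_of_interest(sessions, min_duration=3600.0, min_orig_bytes=10_000_000,
                         common_ports=frozenset({53, 80, 443})):
    """Select internal-to-external sessions worth validating against content.

    Thresholds are assumptions for the example: long-lived connections,
    large uploads, or uncommon destination ports. Returns (session, reasons).
    """
    picked = []
    for s in sessions:
        if not is_internal(s.src) or is_internal(s.dst):
            continue  # internal-to-internal or inbound: out of scope here
        reasons = []
        if s.duration >= min_duration:
            reasons.append("long-lived")
        if s.orig_bytes >= min_orig_bytes:
            reasons.append("large-upload")
        if s.dport not in common_ports:
            reasons.append(f"uncommon-port-{s.dport}")
        if reasons:
            picked.append((s, reasons))
    return picked


def bpf_filter(s):
    """BPF expression matching exactly this 5-tuple, both directions."""
    fwd = f"src host {s.src} and src port {s.sport} and dst host {s.dst} and dst port {s.dport}"
    rev = f"src host {s.dst} and src port {s.dport} and dst host {s.src} and dst port {s.sport}"
    return f"{s.proto} and (({fwd}) or ({rev}))"


def capture_files(s, rotate_seconds=3600):
    """Names of the rotated capture files a session may span.

    Assumption: the sensor runs tcpdump -G 3600 -w 'full-%Y%m%d-%H%M%S.pcap',
    started on an hour boundary, naming files by UTC start time. A long-lived
    session can cross a rotation, so every covered file is returned.
    """
    first = int(s.ts) - int(s.ts) % rotate_seconds
    end = int(s.ts + s.duration)
    last = end - end % rotate_seconds
    return [time.strftime("full-%Y%m%d-%H%M%S.pcap", time.gmtime(t))
            for t in range(first, last + 1, rotate_seconds)]


def extraction_commands(s, out_prefix):
    """tcpdump invocations that carve the session out of the full-content store."""
    expr = shlex.quote(bpf_filter(s))
    return [f"tcpdump -n -r {f} -w {out_prefix}-{i}.pcap {expr}"
            for i, f in enumerate(capture_files(s))]


if __name__ == "__main__":
    for sess, why in sessions_of_interest(parse_conn_log(CONSTRUCTED_CONN_LOG)):
        print(f"{sess.src}:{sess.sport} -> {sess.dst}:{sess.dport} ({', '.join(why)})")
        for cmd in extraction_commands(sess, "session"):
            print("  ", cmd)
```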

I could write a lot more on this topic. Stay tuned.

Source: TaoSecurity | 26 Nov 2012 | 6:30 am EST

Spectrum of State Responsibility

"Attribution" for digital attacks and incidents is a hot topic right now. I wanted to point readers to this great paper by Jason Healey at the Atlantic Council titled Beyond Attribution: Seeking National Responsibility in Cyberspace.

ACUS published the report in February, but I'm not hearing anyone using the terms described therein. Probably my favorite aspect of the paper is the chart pictured at left. It offers a taxonomy for describing state involvement in digital attacks, ranging from "state-prohibited" to "state-integrated."

I recommend using the chart and ideas in the paper as a starting point the next time you have a debate over digital attribution.

Source: TaoSecurity | 25 Nov 2012 | 12:00 pm EST

Recommended: The Great Courses "Art of War" Class

I recently purchased and listened to an audio course titled The Art of War (TAOW) by Prof Andrew R. Wilson and published by The Great Courses. From the first few minutes I knew this series of six 30 minute lessons was going to be great.

For example, did you know that "Sun Tzu" didn't write "The Art of War?" An anonymous author wrote the book in the 4th century BC, based on Sun Tzu's lessons from his time in the 6th century BC.

Also, "The Art of War" isn't even the name of the book! It's actually "Master Sun's Military Method." Furthermore, the use of the term "Master" is significant as it was a term not usually associated with generals.

I especially like two aspects of the course. First, the lecturer, paraphrasing his own words, didn't choose to simply peruse TAOW looking for trite phrases. He equates that approach with telling a stock broker to "buy low, sell high." Instead, Prof Wilson is more concerned with explaining the context for the book and what the words really mean.

Second, the lecturer extends his discussion beyond the history of China's Warring States Period, the era from which TAOW was born. Prof Wilson applies lessons from the book to military history and business situations. He also applies TAOW to modern Chinese cyber espionage, showing he keeps current with contemporary issues.

Consider buying TAOW as a holiday gift for yourself or your friends!

Source: TaoSecurity | 24 Nov 2012 | 12:05 pm EST

Commander's Reading List

Last month a squadron commander asked me to recommend books for his commander's reading list. After some reflection I offer the following.

I've divided the list into two sections: technical and nontechnical. My hope for the technical books is to share a little bit of technical insight with the commander's intended audience, while not overwhelming them. The plan for the nontechnical items is to share some perspective on history, policy, and contemporary problems.

The list is in no particular order.

Nontechnical books:

Technical books:

I also recommend any books by Timothy L Thomas.

Update: For the more technically-minded reader, I'm adding the following:

Practical Malware Analysis by Michael Sikorski and Andrew Honig.

Note: The above do not necessarily constitute my "best" or "favorite" books. Please see Best Books for blog posts on that subject.

Source: TaoSecurity | 23 Nov 2012 | 2:42 pm EST

Do Devs Care About Java (In)Security?

In September InformationWeek published an article titled Java Still Not Safe, Security Experts Say. From that article by Matthew J. Schwartz:

Is Java 7 currently safe to use?

Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.

A month later I read a new article in InformationWeek titled "Oracle's Java Revival," also available as Two Years Later: A Report Card On Oracle's Ownership of Java by Andrew Binstock. The article appeared in the 29 October 2012 issue of InformationWeek, at a time when the security community continued to reel from repeated hammering of Java vulnerabilities.

I expected some mention of Java security woes in the article. About halfway through, with the word "security" not yet in print, I found the following:

In 2011, Oracle did not fare much better. The welcome release of Java 7 was marred by the revelation that it included serious defects that the company knew about.

Ok, maybe there will be some expansion of this idea? Shouldn't a terrible security record be a major factor affecting enterprise use of Java and a reflection on Oracle's handling of Java? Instead I read this:

I'm inclined to agree with James Gosling's revised opinion of Oracle's stewardship, that it's been good for Java...

However, the record is mixed in other areas...

Oracle's ambiguous relationship with the JCP and the OSS communities remain two other weak points.

That's it? Security pros continue to tell enterprise users to disable Java, and the development community is more concerned about features, personalities, and community relations?

I think the Java development community, and especially Oracle, must reevaluate their responsibilities regarding security. Otherwise, they may find themselves coding for a platform that enterprise users will increasingly disable.

Source: TaoSecurity | 22 Nov 2012 | 2:16 pm EST

Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure!. From the five star review:

I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following:

"I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder.

How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre.

On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script?

I enjoyed watching the Magic Star Web change colors.

Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming."

I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Shortly after starting to read and apply this book, she coded a video game!

I'd like to thank No Starch for sending us a review copy.

Source: TaoSecurity | 14 Oct 2012 | 7:37 pm EDT

Washington National Guard: Model for Cyber Defense?

My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security. From the article:

The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks.

The aim is to bring to the digital world the kind of disaster response the National Guard already lends to fighting wildfires and floods, said Lt. Col. Gent Welsh of the Washington Air National Guard.

“Just as ‘Business X’ needs the National Guard to come in and fill sand bags, ‘Business X’ might need to call the National Guard if it’s overwhelmed on the cyber side,” Welsh said.

The new task plays to a growing strength in the state’s National Guard, which draws on employees from companies including Microsoft and Amazon to provide special expertise in its network warfare units.

I first learned of this initiative when Russ Tweeted about it in June. In an email exchange he described his role in the Washington State Guard (WSG):

"The WSG is an all volunteer force that is a state defense force, with what is typically an emergency management mission. See Title 38 of the Revised Code of Washington (RCW). WSG is also authorized by Federal law, Title 32 of the United States Code.

We most often serve as liaison officers in support of the Emergency Support Function (ESF) 20 (defense support for civilian authorities) function per Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) / Incident Command System (ICS) guidance during major events (disasters, natural or human caused).

WSG remains a place where extremely experienced soldiers who have exceeded age requirements for active/reserve service can continue to serve as well as folks like me with no prior service who can't get the federal services to consider them for age reasons.

We can be called to active duty but in-state only. I was on active duty with orders for two days in June for a major statewide exercise. When we're called up for such activity we become peer in rank and responsibility to our National Guard counterparts.

I'll also be seeing some active duty time again in the immediate future in support of the initiatives mentioned in the article."

I think this is a great start on a journey towards applying private sector expertise to national digital security problems, but on a local scale. The News Tribune article mentions that the Guard (in all its forms) is working to figure out how it can provide help to besieged companies, from a legal and logistical perspective.

I think this line from the news article summarizes a key theme in this discussion:

"We're not going to wait for the feds to hand us everything," Welsh said.

In our Federal system, we should allow the States (per the 10th Amendment) the freedom to innovate, and thereby invent multiple approaches to fighting digital threats.

Source: TaoSecurity | 9 Oct 2012 | 4:01 pm EDT

Inside Saudi Aramco with 60 Minutes

I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers. A recent Reuters article said the following:

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."

It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.

While watching the video I was struck by the following comments by the CEO of Saudi Aramco, giving Leslie Stahl a tour of their 21st century operations center (pictured here). From the transcript:

Abdallah Jum'ah, Saudi Aramco's president and CEO... gave 60 Minutes a tour of the company's command center, where engineers scrutinize and analyze every aspect of the company's operations on a 220-foot digital screen.

"Every facility in the kingdom, every drop of oil that comes from the ground is monitored in real time in this room," Jum'ah explained. "And we have control of each and every facility, each and every pipeline, each and every valve on the pipeline. And therefore, we know exactly what is happening in the system from A to Z."

Aramco engineers are making sure that not one drop of oil is overlooked: computers are receiving data, via satellite, from sensors mounted on drill bits that are burrowing deep into the oil fields all over Saudi Arabia. Engineers are sending instant messages that actually guide the drill bits.

"He is now directing that drill bit to go into the best areas of the reservoirs. And suck that oil from it, and not leave any oil behind," Jum'ah explained.

He says the drill bit is a bit like a snake, going down and following where the oil is. "And mind you, this is happening 400 to 500 miles from here geographically. And we are sending that drill bit also two or three miles in the ground."

The screen capture at right appears to show this control process in action on a Windows XP computer. (Remember, this show was filmed in late 2008.)

You can watch the segment (in two parts) for more details, if you like.

Now, it's entirely possible that the sorts of systems depicted in the video were not affected by the malicious code that allegedly struck 30,000 systems. Then again, it's not unheard of for malicious code to propagate from one enclave to another.

Hopefully we will hear more details on what happened, either to Saudi Aramco or apparently other companies. Again, from Reuters:

Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.

Source: TaoSecurity | 4 Oct 2012 | 11:10 pm EDT

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minister Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Source: TaoSecurity | 29 Sep 2012 | 9:18 am EDT

SANSFIRE 2011

Source: @RISK: The Consensus Security Alert |

Surveillance and the Internet of Things

The Internet has turned into a massive surveillance tool. We're constantly monitored on the Internet by hundreds of companies -- both familiar and unfamiliar. Everything we do there is recorded, collected, and collated -- sometimes by corporations wanting to sell us stuff and sometimes by governments wanting to keep an eye on us. Ephemeral conversation is over. Wholesale surveillance is...

Source: Schneier on Security | 21 May 2013 | 7:15 am EDT

Security Risks of Too Much Security

All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them. The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound. "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms...

Source: Schneier on Security | 20 May 2013 | 7:34 am EDT

Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture

Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Source: Schneier on Security | 17 May 2013 | 5:57 pm EDT

Applied Cryptography on Elementary

In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show....

Source: Schneier on Security | 17 May 2013 | 3:59 pm EDT

Bluetooth-Controlled Door Lock

Here is a new lock that you can control via Bluetooth and an iPhone app. That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found...

Source: Schneier on Security | 16 May 2013 | 9:45 am EDT

Transparency and Accountability

As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing...

Source: Schneier on Security | 14 May 2013 | 6:48 am EDT

2007 NSA Manual on Internet Hacking

Mildly interesting....

Source: Schneier on Security | 13 May 2013 | 9:15 am EDT

Friday Squid Blogging: Squid Festival in Monterey

It's at the end of May. Note that it's being put on by the Calamari Entertainment Group. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Source: Schneier on Security | 10 May 2013 | 5:26 pm EDT

The Onion on Browser Security

Wise advice: At Chase Bank, we recognize the value of online banking -- it's quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That's why, when you're finished with your online banking session, we recommend three simple steps to protect your personal...

Source: Schneier on Security | 10 May 2013 | 2:49 pm EDT

Mail Cover

From a FOIAed Department of Transportation document on investigative techniques: A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law....

Source: Schneier on Security | 10 May 2013 | 7:47 am EDT

The Economist on Guantanamo

Maybe the tide is turning: America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle...

Source: Schneier on Security | 9 May 2013 | 6:16 am EDT

Reidentifying Anonymous Data

Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results. Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three...

Source: Schneier on Security | 8 May 2013 | 2:54 pm EDT

[remote] - Linksys WRT160nv2 apply.cgi Remote Command Injection

Source: Exploit-DB updates | 20 May 2013 | 8:00 pm EDT

[papers] - GAME ENGINES: A 0-DAY’S TALE

Source: Exploit-DB updates | 20 May 2013 | 8:00 pm EDT

[remote] - D-Link DIR615h OS Command Injection

Source: Exploit-DB updates | 20 May 2013 | 8:00 pm EDT

[local] - Ophcrack 3.5.0 - Local Code Execution BOF

Source: Exploit-DB updates | 20 May 2013 | 8:00 pm EDT

[webapps] - Kimai 0.9.2.1306-3 - SQL Injection Vulnerability

Source: Exploit-DB updates | 20 May 2013 | 8:00 pm EDT

[dos] - nginx 1.3.9-1.4.0 DoS PoC

Source: Exploit-DB updates | 16 May 2013 | 8:00 pm EDT

[webapps] - Exponent CMS 2.2.0 beta 3 - Multiple Vulnerabilities

Source: Exploit-DB updates | 16 May 2013 | 8:00 pm EDT

[webapps] - ZPanel templateparser.class.php Crafted Template Remote Command Execution

Source: Exploit-DB updates | 16 May 2013 | 8:00 pm EDT

[remote] - Mutiny 5 Arbitrary File Upload

Source: Exploit-DB updates | 16 May 2013 | 8:00 pm EDT

[webapps] - php-Charts 1.0 - Code Execution Vulnerability

Source: Exploit-DB updates | 16 May 2013 | 8:00 pm EDT