Bypass Flash Logins Using FLASM

Watch this video. Then disable your Flash logins if you have them.



Posted on February 4, 2010 at 5:59 PM by root
In: Security

Vulnerabilities

Cisco disclosed multiple vulnerabilities in their Unified MeetingPlace product. These issues leave the product vulnerable to SQL injection attacks and could allow attackers to bypass authentication. Cisco has released patches to address these issues.
http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml
http://secunia.com/advisories/38259/

The open source library YaSSL was found to have a security vulnerability related to the negotiation of SSL certificates, under which a buffer overflow is possible. A patch has been released to address this vulnerability.
http://secunia.com/advisories/38344/
http://osvdb.org/show/osvdb/61956
http://yassl.com/news.html#yassl199

An overflow vulnerability was found in the 1.3.xx Apache open source web server. This issue leaves the server open to remote unauthenticated access and denial of service attacks. Upgrading to version 1.3.42 resolves this issue.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html
http://secunia.com/advisories/38319/2/



Posted on January 29, 2010 at 8:21 AM by root
In: Education, Security

Online Identity?

If you have a Twitter account, Facebook account, or WordPress site, or use Gmail, Google Docs and Spreadsheets, Flickr, Basecamp, Photobucket, FriendFeed, etc., get all your information backed up for free. You have until January 31st to get a free account with Backupify.

If you are downloading your files manually, daily, and keeping them off your home computer, then ignore this.



Posted on January 25, 2010 at 10:30 PM by root
In: Management

MS10-002

Microsoft has released MS10-002 today. The update addresses 7 privately reported vulnerabilities and 1 publicly reported vulnerability, the latter being the one tied to the widely publicized attacks associated with Security Advisory 979352. There are four (4) Uninitialized Memory Corruption Vulnerabilities, two (2) HTML Object Memory Corruption Vulnerabilities, one (1) XSS Filter Script Handling Vulnerability, and one (1) URL Validation Vulnerability. This single patch is considered Critical by Microsoft and covers the following CVE entries:

* CVE-2009-4074
* CVE-2010-0027
* CVE-2010-0244
* CVE-2010-0245
* CVE-2010-0246
* CVE-2010-0247
* CVE-2010-0248
* CVE-2010-0249

Customers should apply this update as soon as possible. The update will also be sent through the Automatic update mechanism.

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Posted on January 22, 2010 at 8:38 AM by root
In: Security

Security News

Microsoft Announces Out-of-Cycle Security Update Schedule
Microsoft issued their Advance Notification Service (ANS) notification to inform customers of the impending release of MS10-002 on January 21st, 2010. The update will be cumulative, is being released in advance of the normal February release cycle, and is intended to protect customers from the known, widely publicized attacks associated with Security Advisory 979352. Customers should apply this update as soon as possible. The update will also be sent through the Automatic update mechanism.
http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx

Additional Technical Detail

Data Execution Prevention (DEP) Bypass
There is a report of a new exploit that bypasses Data Execution Prevention (DEP). We have analyzed the Proof-of-Concept (POC) exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to the improved security protection offered by Address Space Layout Randomization (ASLR). Windows XP does not currently benefit from ASLR and will be more susceptible.

Additional details on the DEP bypass exploit are provided in a Security Research and Defense Blog published today.
http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx

Microsoft E-Mail Products That Render using mshtml.dll Protected by Default
There have been reports that supported versions of Outlook, Outlook Express and Windows Live Mail are affected by the vulnerability in Security Advisory 979352.

For customers using the default configuration of all supported versions of Outlook, Outlook Express and Windows Live Mail, the risk of exploit using Outlook as an attack vector is low. We are unaware of active exploit against supported versions of Outlook, Outlook Express or Windows Live. If customers have modified their default configuration to not run in the Restricted sites zone, their environments will be in a less secure, more vulnerable state.

Please review the announcement described above for more detail.

Office Applications with Active Scripting Enabled Potentially Vulnerable
Microsoft indicates that an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file is a potentially exploitable vulnerability. Customers would have to open a malicious file to be at risk of exploitation, and Microsoft recommends disabling ActiveX Controls in Microsoft Office.

Live Briefing
On Thursday, January 21 at 1:00 p.m. PST (UTC – 8) Microsoft will host a public webcast where information on the bulletin will be presented.
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

Original . . .

Yesterday we updated the assessment to reflect an impending out-of-cycle security update from Microsoft which will address the 0-day Microsoft Internet Explorer vulnerability highlighted in recent assessments. The update is announced in an MSRC blog posting, and timing for the release is expected to be explained today. The threat level remains at AlertCon 2 while we continue to encourage review of the Microsoft Security Advisory for workaround information and the X-Force Protection Alert for associated IBM product coverage.
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3382
http://www.microsoft.com/technet/security/advisory/979352.mspx

Shortly after the blog posting from MSRC appeared, a new posting on Neohapsis [Full Disclosure] began to be discussed. The posting explains how a restricted Windows user can exploit the Virtual DOS Machine (VDM) to gain command access in the system context (Ring 0). Microsoft was notified of the flaw in June 2009, but there currently is no patch. Exploit code that functions under Windows XP, 2003 Server, 2008 Server, Vista, and Windows 7 has been made available, and has been confirmed to function as described.

Mitigation steps requiring the Group Policy Editor for Windows 2003 Server systems are included in the Neohapsis article. For those systems that do not include the GPE, the heise Security team has provided instructions for a registry hack that should work until a patch is available.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-Update-908917.html

Apple Computer released their Security Update 2010-001 yesterday. The update addresses several multi-media applications, as well as printer handling, and a patch to suppress renegotiation in OpenSSL while the IETF works out final changes to the renegotiation protocol. The multi-media flaws relate to MP4, TIFF, and RAW(DNG) files, as well as multiple patches to the Adobe Flash player plug-in.
http://support.apple.com/kb/HT4004

Adobe has released an update for critical vulnerabilities in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version.
http://www.adobe.com/support/security/bulletins/apsb10-03.html

Additionally, the Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid. This patch targets nameservers that have DNSSEC validation enabled, which could potentially provide responses from unauthenticated records within the cache.
http://isc.sans.org/diary.html?storyid=8029

Posted on January 21, 2010 at 12:13 PM by root
In: Education, Security

Operation Aurora


Description of the attack

McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for “Operation Aurora” to exploit Google and at least 30 other companies. Microsoft has issued a security advisory and McAfee is working closely with them on this matter. “Operation Aurora” was a coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.

Posted on January 19, 2010 at 12:37 PM by root
In: Education, Security

Keeping Up-to-Date


Always keep your systems up-to-date. This goes without saying, but a lot of production environments will delay implementing patches and configurations to allow for testing in development, QA, and pre-prod environments prior to rolling out changes under change control. Which is a great idea! But at the same time, it's important to review which proposed changes are critical and rate your risk and potential loss. If that risk is high, you may want to expedite your changes sooner rather than later.

Hackers know

Posted on January 18, 2010 at 9:21 PM by root
In: Management, Security

Some News

Security Risks at Fake ATM Machines
Fake ATM machines are not new, but awareness of them is. Have you ever gone into a locally owned gas station that has a small ATM sitting in the corner near the chocolate bars? Not all of them are real. They read card information, allow the person to enter their PIN, and then display a dummy message saying that the transaction cannot be completed at this time. All the while, the machine is harvesting all of the card's information to be used at a later time. Some fake ATM machines even have a camera to capture a photo to associate with the card information. We need to pass this information along among ourselves, our families, our friends and our customers. Captured information can be used to recreate a complete identity along with a bank account with funds in it.

Some good news … Albert Gonzalez, the Miami man who stole and resold 170 million cards and ATM numbers, has pleaded guilty and is awaiting sentencing in March.

Increases in Phishing Attacks
Identity theft is expected to increase again this year. With the bad economy in 2009 came a huge reduction in the workforce. Many of those who were unemployed invested in starting online businesses to make ends meet. These unskilled “webmasters” may have great ideas, but many are uneducated in privacy and security, leaving identifiable information out there for criminal minds with access to the Internet. Names, addresses, phone numbers, and notes on prospective clients are all jumping-off points for spear phishing attacks.

There were many phishing attacks against financial institutions in 2009, about a 600-percent increase over phishing attacks in 2008. Spear phishing is becoming more popular as hackers target businesses where an attacker can access business accounts and initiate money transfers via wires or ACH to steal large sums of money at once or over time.

Posted on January 11, 2010 at 8:47 AM by root
In: Security

February 9th – 11th exercise will simulate cyber attacks against payment processes.

FS-ISAC, in conjunction with a variety of industry partners, is organizing an exercise which aims to test and practice emergency response, notification, and communication procedures for various cyber-attack scenarios.

The three-day exercise will simulate a different payment-process attack scenario each day.

Participants will include:
* Financial institutions
* Card processors
* Third party service providers
* Retailers
* Corporate treasurers
* Government entities.

There is no cost to participate, according to FS-ISAC.

Registration deadline: January 29, 2010
Exercise dates: February 9 – 11, 2010

http://www.fsisac.com/capp/

Posted on January 11, 2010 at 7:22 AM by root
In: Security

Adobe and Social Networks

According to the McAfee predictions report, Adobe will be a larger target for hackers than Microsoft. So keep your Adobe products updated. No matter how annoying they are. You know what we’re talking about.

Also, beware when social networking. Sites such as Twitter, MySpace and Facebook will be a very large target for hackers. If you are a social networker, keep separate passwords for all sites. Change your password every 3 months, and make sure it's no less than 8 characters, with upper and lower case, symbols and numbers.

Speaking of Twitter, follow our tweets. @AZITMGMT

Posted on January 6, 2010 at 7:20 PM by root
In: Security