Spliced feed for Security Bloggers Network |
Cisco Security Alert: Intrusion Prevention System Vulnerability [Infosecurity.US] Posted: 19 Jun 2008 07:36 AM CDT Cisco (NASDAQ: CSCO) has announced a rather serious, exploitable vulnerability in their Intrusion Prevention Systems product line that has gigabit network interfaces installed. The vulnerability notice notes the IPS products are vulnerable when deployed in inline mode. The specific issue is a DoS vulnerability in the manipulation of jumbo Ethernet frames. Evidently, the [...] |
Malware earthquake hoax [Commtouch Café] Posted: 19 Jun 2008 07:20 AM CDT For some people, hearing about China digging itself out of one of the worst earthquakes in recent memory inspires them to do good works, donate money, join the Peace Corps…. For spammers it is merely inspiration for the next wave of social engineering to attempt to recruit a new army of zombies. Building on human [...] |
Security Briefing: June 19th [Liquidmatrix Security Digest] Posted: 19 Jun 2008 06:17 AM CDT Making lists of things to remember as I scramble to keep my focus in the face of a lack of sleep. Next thing you know I’ll be putting sticky notes on things. “Coffee cup”, “Door”, “Advil” and “C-61 / bad joke”. You get the idea. Click here to subscribe to Liquidmatrix Security Digest!. Welcome to the new subscribers who joined us yesterday! Thanks! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
China Quake Hacker Caught [Liquidmatrix Security Digest] Posted: 19 Jun 2008 05:59 AM CDT How stoopid did this guy have to be to think, “gee, I should put a fake earthquake warning up” and then follow through on it? How did he think it would be funny? From Network World:
I mean seriously. 70,000 people perished in the actual earthquake a month ago. What a dumbass. |
Interesting Timing On Firefox 3 Vuln [Liquidmatrix Security Digest] Posted: 19 Jun 2008 05:52 AM CDT Hmm. This was released by the zero day initiative a few hours after Firefox 3 officially hit the street. Rather suspect timing no? From Secunia:
I’m just saying… |
Live skin fingerprint scanner [Roer.Com Information Security - Your source of Information Security] Posted: 19 Jun 2008 04:18 AM CDT This new thumbdrive/memory stick/flash pin (choose or add your preferred name) offers a fingerprint scanner. A scanner that looks for live skin, something that is claimed to increase accuracy, and allows you to use dirty fingers and still get access. The only downside is that now I can no longer cut off your fingers to gain access to your data. I need you alive and kicking at my side... |
Disgruntled IT Worker Gets Heavy Prison Sentence [Darknet - The Darkside] Posted: 19 Jun 2008 02:58 AM CDT It just goes to show, however smart you think you are…don’t bother trying to wreck someone's data. In this case, even if the guy was pissed it was highly irresponsible as it involved medical records and could actually seriously affect someone's life. He was pretty careful but left a few clues behind, more than enough for... Read the full post at darknet.org.uk |
links for 2008-06-19 [Raffy's Computer Security Blog] Posted: 18 Jun 2008 09:35 PM CDT |
Posted: 18 Jun 2008 05:43 PM CDT So it looks like my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product. I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want. BTW, in a comment on that one, Greg Ness writes a very insightful piece that I want to paste in here:
Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors. But my God, does anyone tell the truth anymore? Funny thing is it is the usual suspects up to their same old, same old fudging their numbers. So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on, and customers who are swamped with slick sales people. What can we do as an industry to bring sanity to all of this? I am interested in your take on all of this. Is security marketing worth the paper it is written on anymore? |
Cisco IPS Jumbo Frame DoS [Liquidmatrix Security Digest] Posted: 18 Jun 2008 04:22 PM CDT For a networking company, that’s gotta hurt. From Cisco:
Update or workaround? Which is it then? At the very least get your patch on. |
Pragmatic CSO Podcast #17 - Back to the Future [Security Incite Rants] Posted: 18 Jun 2008 04:13 PM CDT
Finally we come to the end of the line on building the security business plan. It was a long time coming, but again this is the most important step in effecting long lasting change in your security organization. First I talk about defining the future state, and setting priorities relative to what you must have, should have, and is nice to have. Then it's all about setting up the migration plan, which needs to be in alignment with the timelines and milestones that we discussed last week. A lot of this stuff happens simultaneously, but it's very important to manage expectations appropriately at this stage of the game. Running time: 6:52 Direct Download: 17_Pragmatic_CSO_Podcast_17.mp3 |
Napera on TechNet Radio [Napera Networks] Posted: 18 Jun 2008 12:07 PM CDT Fresh from TechEd, Chris Boscolo spoke on TechNet Radio with Kevin Remde and Jeff Sigman from Microsoft about Network Access Protection. Chris talks about the Napera product line, how we enable NAP for small and medium enterprises and how you can deploy NAP in 10 minutes. |
Identity Theft is more than Fraud By Impersonation [Emergent Chaos] Posted: 18 Jun 2008 12:03 PM CDT In "The Pros and Cons of LifeLock," Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that. There's a type of security expert who likes to sigh and assert that ID theft is simply a clever name for impersonation. I used to be one of them. More recently, I've found that it often leads to incorrect or incomplete thinking like the above. The real problem of ID theft is not the impersonation: the bank eats that, although we pay eventually. The real problem is that one's "good name" is now controlled by the credit bureaus. The pain of ID theft is not that you have to deal with one bad loan, it's how the claims about that bad loan haunt you through a shadowy network of unaccountable bureaucracies who libel you for years, and treat you like a liar when you try to clear up the problem. So there's a third way to deal with identity theft: make the various reporting agencies responsible for their words and the impact of those words. Align the law and their responsibilities with the reality of how their services are used. I've talked about this before, in "The real problem in ID theft," and Mordaxus has talked about "What Congress Can Do To Prevent Identity Theft." |
"Secure Resolutions" Sends Spam [Richi Jennings] Posted: 18 Jun 2008 11:35 AM CDT Yesterday, I got email from some company called Secure Resolutions. We are contacting you because you are currently a customer or you have been a customer and we would like to continue to be your supplier of anti-malware and backup protection. I would like to take this opportunity to introduce you to our award winning, patented technology...etc., etc., etc. Trouble is, I've never heard of them, and the role account they sent it to is incapable of being a "customer" of anyone. Yes, friends: ergo, this email was spam. (Incidentally, there seems to be some connection between this company and Panda Security, who I've also caught spamming.) The company uses VerticalResponse to send this spam, so I shot a note to their abuse alias and got an encouraging note back from their Email Delivery & Policy Enforcement team. VR says it has "completely disabled" Secure Resolutions' account and "opened an investigation." Watch this space for updates. Anyone else had problems with this sender? |
3Com TechConnect EMEA - Madrid [Commtouch Café] Posted: 18 Jun 2008 10:57 AM CDT I just returned from Madrid, where I represented Commtouch at 3Com's TechConnect EMEA event, which was a great time. Together with 3Com's Sean Newman, Product Manager, I presented the new messaging security in 3Com's X-Family Unified Security Platforms to eager attendees comprised of their extended sales force. People are excited about the new GlobalView Mail [...] |
Security Briefing: June 18th [Liquidmatrix Security Digest] Posted: 18 Jun 2008 08:47 AM CDT Wednesday. That is all. Click here to subscribe to Liquidmatrix Security Digest!. And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
Al-Qaeda Pwns Your Coffee Machine [Liquidmatrix Security Digest] Posted: 18 Jun 2008 08:38 AM CDT This, is one of the funniest things I have read in a while. From The Register:
Someone took the Trojan Room Coffee Machine idea and made it open to TERRORISM. Run screaming if you feel so compelled. LOL! Yes there is a fair degree of tongue in cheek in this story. Thanks to Lester Haines for making my day. Be sure to read the full piece on the Reg. |
iPhone 3G: ready for business? [Birchtree Blog] Posted: 18 Jun 2008 08:19 AM CDT No, not yet, says a Gartner analyst: "Of some concern is how secure the iPhone will be. According to Ken Delaney from Gartner, the iPhone has neither firewall nor native encryption - functions many businesses have come to expect and trust from the likes of BlackBerry and Windows Mobile devices - so IT departments could be concerned about its daily use, and what happens if the iPhone is stolen." We talked about business-ready iPhones before and had some hopes for the better. But it seems that iPhones are still more a design issue than a serious business tool. via: iPhonic: iPhone 3G: still too many unknowns to recommend for business use, analyst says |
A New Attack On Electronic Locks [Liquidmatrix Security Digest] Posted: 18 Jun 2008 08:18 AM CDT OK, this is cool. From BlackBag:
For the explanation be sure to read the full posting over on blackbag. Article Link (via Schneier) |
Digital Thieves Swiping Online Pics For Profit [Liquidmatrix Security Digest] Posted: 18 Jun 2008 08:06 AM CDT And people wonder why I never bother with sites such as Flickr. Nothing against them, I just figured that this type of behaviour had to be going on. From the Guardian:
I was recently at a Foo Fighters concert and the same was happening there. Camera phones were everywhere. Not a single muscle twitch from any of the security folks. |
Posted: 18 Jun 2008 02:05 AM CDT We recently researched an interesting DOM-based XSS vulnerability in Adobe Flex 3 applications that exploits a scenario in which two frames (parent & child) interact with each other without properly validating their execution environment. In our research, we have seen that in some cases it is possible to manipulate JavaScript code flow by controlling the environment in which it runs. Specifically, we managed to return hacker-controlled boolean values to conditional statements, and by that force the application to be vulnerable to an existing DOM-based XSS which was otherwise unexploitable. The advisory presented herein is a real-world example of the research mentioned above, and contains two XSS variants, the second of which makes use of the JavaScript Flow Manipulation technique.

# # # Begin Advisory # # #

This advisory describes a new security vulnerability found in auto-generated code created by Adobe Flex 3 (Builder & SDK) that uses the default HistoryManager or Deep Linking support.

Attack Variant #1: DOM Based Cross-Site Scripting

The following text, which describes the HistoryManager and Deep Linking support in Adobe Flex, was taken from the official Adobe documentation:
The following code was taken from historyFrame.html:

    ...
    function processUrl() {
        var pos = url.indexOf("?");
        url = pos != -1 ? url.substr(pos + 1) : "";
        if (!parent._ie_firstload) {
            parent.BrowserHistory.setBrowserURL(url);
            try {
                parent.BrowserHistory.browserURLChange(url);
            } catch(e) { }
        } else {
            parent._ie_firstload = false;
        }
    }

    var url = document.location.href;
    processUrl();
    document.write(url);
    ...
As can be seen from the code above, the url variable holds the document.location.href string, and is later on written to the HTML document. So, in order for the XSS attack to work, the malicious payload should be injected into the URL. Here's an exploit URL:

    http://www.some.site/flex_html_wrapper.html#<script>alert(document.cookie)</script>

Note 1: due to how the Flex HistoryManager is implemented, the above exploit URL will only work on Microsoft Internet Explorer.
Note 2: in the example above, the file /flex_html_wrapper.html is the HTML wrapper file of the Flex SWF.

Attack Variant #2: DOM Based XSS Using JavaScript Flow Manipulation

From quick research into how Flex 3 applications support deep linking ("browser navigation integration"), we have noticed that the attack described above will only work if the developer explicitly makes use of either the HistoryManager or BrowserManager classes. In such a case, the application will use the vulnerable code presented above (i.e. it will load the vulnerable file /history/historyFrame.html into the browser). This fact limits our attack vector to sites that were designed to actively use history management / deep linking (note: all applications that were compiled with "enable integration with browser navigation" ship with the vulnerable file, but they don't load it into the browser unless the above objects are used in the code). When we looked at the JavaScript code in /history/historyFrame.html, we saw that calling it directly in order to mount the DOM-based XSS attack (against all Flex 3 sites that include that file) will not work. This is because the JavaScript first calls the function processUrl before performing the vulnerable document.write(url). The function processUrl contains the following lines of code:
When there is no parent document (or if the parent document does not contain the object _ie_firstload), the condition inside the parentheses evaluates to TRUE. This in turn causes the line parent.BrowserHistory.setBrowserURL(url); to be executed, resulting in a runtime exception, since no such objects and methods actually exist (there is no parent document). At this point, the attack will fail. In order to bypass this obstacle, we have created a (malicious) parent document, which includes an IFrame whose source is the vulnerable HTML page /history/historyFrame.html. In addition, we have added another IFrame (called _ie_firstload), whose role will be explained below. The malicious HTML page looks like this (line wrapped):

    <!-- HTML source of page, hosted on http://www.evil.site/ -->
    <html>
    <body>
    <iframe name="_ie_firstload"></iframe>
    <iframe src="http://www.vuln.site/app/history/historyFrame.html?
    #<script>alert('xss')</script>"></iframe>
    </body>
    </html>

Upon visiting this malicious page, which is hosted on http://www.evil.site/, the victim's browser issues a request to the vulnerable Flex application that is hosted on http://www.vuln.site/. The request exploits the DOM-based XSS vulnerability that was mentioned in the first section (variant #1). Here's a quick explanation of the attack:
Pay attention to #2 - the child IFrame was expecting its parent to return TRUE or FALSE depending on the existence of a JavaScript object (_ie_firstload), but since we controlled the parent's DOM, we have substituted the JavaScript object, with an IFrame. The IFrame's existence in the parent DOM allows us to fool the child IFrame into believing that such object exists. We have decided to use an IFrame instead of a regular JavaScript object, since the browser's same origin policy will not allow the child IFrame to access JavaScript objects originating from a different domain (www.evil.site). Nevertheless, the browser will allow the child IFrame to traverse the parent's IFrame structure. In our case, the JavaScript code flow manipulation technique was relying on this browser behavior.
To sum things up, all a hacker needs to do in order to exploit this vulnerability is host a malicious HTML page as shown above, which points to a Flex application that includes the file /history/historyFrame.html. This file exists by default in all Adobe Flex 3 applications that were created either by Flex 3 Builder or the Flex 3 SDK (regardless of whether the developer chose to use HistoryManager or BrowserManager).

Impact

First and foremost, this vulnerability is extremely severe, since every Flex web application that is developed using Flex Builder 3 or the Flex 3 SDK (see the next paragraph) includes the file /history/historyFrame.html (this file exists by default), and thus is vulnerable to DOM-based XSS. In order for the vulnerable files to be included in the Flex application, the developer has to enable "integration with browser navigation". This option is enabled by default, and can be configured from the project properties. The most severe impact of the vulnerability described in this document is achieving a successful DOM based cross-site scripting attack. If an application is vulnerable to attacks of this type, a remote attacker can execute a malicious script in the context of the victim's browser which can access cookies, session tokens and other sensitive data kept by the browser for the vulnerable web application.

Fix Recommendations:

The following fix recommendations are taken from the Adobe security bulletin:
Acknowledgements:
CVE ID: CVE-2008-2640 # # # End Advisory # # # |
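The advisory above shows two weaknesses in historyFrame.html: the branch test `!parent._ie_firstload` is a plain truthiness check that a named child frame satisfies just as well as the boolean it expects, and the URL-derived string is passed raw to document.write. The following is an added example, not code from the advisory, from Adobe, or from the Adobe security bulletin, of how a defender could harden that pattern: the parent is only trusted when it is a distinct same-origin window, the flag must be a real boolean, the history token is allowlisted, and what remains is HTML-escaped before it reaches the document. The window/document objects (makeWindow, makeCrossOriginWindow, the written field) are constructed stand-ins so the logic runs under Node without a browser; the function names are the example's own.

```javascript
// Added example (not code from the advisory, from Adobe, or from the blog):
// a hardened stand-in for the processUrl()/document.write(url) pattern in
// historyFrame.html. It runs under Node with constructed window/document
// objects, so the checks can be exercised without a browser.

// Mirror of how historyFrame.html derives the history token: the part of
// the frame's own URL after the first "?".
function extractHistoryUrl(href) {
  const pos = href.indexOf("?");
  return pos !== -1 ? href.substr(pos + 1) : "";
}

// The original branch test, reproduced to show why it is weak: it is a
// truthiness check, so a child frame named _ie_firstload (reachable via
// window named access) passes it exactly like the boolean flag it expects.
function originalBranch(parentWin) {
  return !parentWin._ie_firstload ? "notify" : "firstload";
}

// Hardened branch test: the flag must be a real boolean; anything else
// (a frame, or undefined because there is no cooperating parent) is refused.
function hardenedBranch(parentWin) {
  const v = parentWin._ie_firstload;
  if (typeof v !== "boolean") return "refuse";
  return v ? "firstload" : "notify";
}

// Only act on a parent that is a distinct, same-origin window. Reading
// location on a cross-origin window throws in real browsers; the stand-in
// below mimics that, so the try/catch is what makes the check meaningful.
function parentIsTrusted(win) {
  const p = win.parent;
  if (!p || p === win) return false;
  try {
    return p.location.origin === win.location.origin;
  } catch (e) {
    return false;
  }
}

// The history token is only ever a short path/query-like string; allowlist
// it rather than trying to strip script tags out of arbitrary input.
const HISTORY_TOKEN = /^[A-Za-z0-9_\-./=&%;]*$/;
function isValidHistoryUrl(url) {
  return HISTORY_TOKEN.test(url);
}

// Belt and braces: even a valid token is HTML-escaped before it reaches
// the document, instead of being passed raw to document.write().
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened replacement for the processUrl(); document.write(url) sequence.
// Returns the string written, or null when the request is refused.
function processUrlHardened(win, doc) {
  const url = extractHistoryUrl(win.location.href);
  if (!parentIsTrusted(win)) return null;
  if (hardenedBranch(win.parent) === "refuse") return null;
  if (!isValidHistoryUrl(url)) return null;
  const safe = escapeHtml(url);
  doc.written += safe; // stand-in for document.write(url)
  return safe;
}

// Constructed stand-ins for browser objects (not a DOM). A top-level window
// is its own parent, as in a real browser.
function makeWindow(origin, href, parentWin, props) {
  const win = Object.assign({ location: { origin, href } }, props || {});
  win.parent = parentWin || win;
  return win;
}

// A foreign parent whose location cannot be read, like a cross-origin
// window. Other properties (e.g. a frame named _ie_firstload) stay visible.
function makeCrossOriginWindow(props) {
  const win = Object.assign({}, props || {});
  Object.defineProperty(win, "location", {
    get() { throw new Error("SecurityError: cross-origin access"); },
  });
  win.parent = win;
  return win;
}
```

With a same-origin parent that set `_ie_firstload = false`, processUrlHardened writes the escaped token as expected; framed by a foreign page that merely has a frame named `_ie_firstload`, originalBranch takes the non-throwing branch (the flow manipulation the advisory describes) while hardenedBranch returns "refuse", and parentIsTrusted fails before any write happens.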
FIRST 2008 Log Analysis and Visualization Workshop [Raffy's Computer Security Blog] Posted: 18 Jun 2008 12:56 AM CDT I am presenting at the FIRST 2008 conference in Vancouver next week. I am speaking on my birthday, June 25th, from 9.50 until 12.50. The topic is “Applied Security Visualization” - the same as my book title. I am going through some of the material from the book and show how visualization can be used to analyze log files. Some of the highlights:
Dude Don’t Hack My Coffee [Grumpy Security Guy] Posted: 18 Jun 2008 12:19 AM CDT As someone trying to get off the coffee train I find the recent reports of vulnerabilities in network connected coffee machines somewhat amusing. It seems some guy that has $2,900 to spend on a coffee maker (!!) also has the skillz to find a buffer overflow in it. This type of thing is only going to increase as people slap more stuff onto the network with little to no care about security. These things generally all have web UIs which makes the vulns that much more interesting. It is somewhat easy to detect the spread of a mass SQLi attack on public facing web sites but what happens when we get this attack on internally facing systems? They are much harder to track and even detect. What if my coffee maker now does drive by malware attacks? What if my wireless router does? Our jobs are only getting harder people. Post from: Grumpy Security Guy |
You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |