Wednesday, July 16, 2008

Spliced feed for Security Bloggers Network

Advisory: Oracle Hyperion Performance Suite XSS Vulnerability [Liquidmatrix Security Digest]

Posted: 15 Jul 2008 08:34 PM CDT

Summary

Name: Oracle Hyperion Performance Suite XSS Vulnerability
Release Date: 15 July 2008
Reference: LSD003-2008
CVE Number: CVE-2008-2612
Discoverer: Dave Lewis
Vendor: Oracle
Product: Oracle Hyperion Performance Suite
Systems Affected: version 8.3.2 (as tested)
NB. Other versions may be affected.

Risk: Important
Status: Published

Reference:
1) http://www.liquidmatrix.org/blog/2008/07/15/advisory-oracle-hyperion-…ility/
2) http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Time Line

Discovered: 22 January 2008
Reported: 22 January 2008
Fixed: 25 February 2008
Patch Release: 15 July 2008
Published: 15 July 2008

Description

The Oracle Hyperion Performance Suite contains a vulnerability which is susceptible to a cross site scripting (XSS) attack.

Impact: a remote attacker could execute an XSS attack that could pass arbitrary HTML to the user, which can capture usernames, passwords and session cookies and manipulate data.

Technical Details

Input passed to the software is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
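The defect class the advisory describes, as an added example that is not Oracle's or Hyperion's code: a constructed page that echoes a query back to the user, first reflected as-is and then encoded separately for each output context, plus a reflection check a defender can run against their own rendering. The page markup, function names and probe marker are all constructed for illustration.

```python
"""Reflected XSS from unescaped input, beside the fix (contextual output
encoding).  Added illustration for this digest; not the vendor's code.
The template, parameter name and probe marker are constructed."""
import html
from urllib.parse import quote

# Constructed template: a results page that echoes the user's query twice,
# once as element content and once inside a URL in an href attribute.
PAGE = (
    "<html><body><h1>Results for {query}</h1>"
    '<a href="/search?q={href}">Search again</a></body></html>'
)


def render_vulnerable(user_input: str) -> str:
    """The anti-pattern from the advisory: input is returned to the user
    unchanged, so any markup it carries becomes live markup in the
    victim's browser session, in the context of the affected site."""
    return PAGE.format(query=user_input, href=user_input)


def render_fixed(user_input: str) -> str:
    """Encode for each output context separately:
    - HTML entity escaping for element content (quote=True also escapes
      quotes, so the same value is safe inside a quoted attribute);
    - URL percent-encoding for the value embedded in the href query string
      (safe="" so '/' and other delimiters are encoded too)."""
    body_safe = html.escape(user_input, quote=True)
    href_safe = quote(user_input, safe="")
    return PAGE.format(query=body_safe, href=href_safe)


def reflects_unescaped(render, marker: str = "<probe-marker>") -> bool:
    """Defender's regression check for a render function: if a harmless
    marker containing HTML metacharacters survives the round trip intact,
    the page reflects input without encoding it."""
    return marker in render(marker)


if __name__ == "__main__":
    sample = '<b>hello</b> "world"'          # constructed input
    print(render_vulnerable(sample))
    print(render_fixed(sample))
    print("vulnerable reflects raw input:", reflects_unescaped(render_vulnerable))
    print("fixed reflects raw input:     ", reflects_unescaped(render_fixed))
```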

Fix Information

This issue has been resolved.

The patch may be obtained via:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Notes

I would like to thank Bruce and the Oracle security team for their attention to this problem.

Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/

2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3

San Francisco IT Admin Charged with Hijacking the City's Network. [360 Security]

Posted: 15 Jul 2008 06:37 PM CDT

Link to PC World Article

Link here

Being an IT manager and security professional, this story makes me shake my head. It has certainly been the talk soup at the office today. A few quick thoughts on this.

Terry Childs seems to have backed himself into a corner and created a no-win situation. He had to have been in a desperate position to take the system hostage by blocking access and refusing to hand over passwords. Unfortunately for Childs, real life computer security rarely works like it does in the movies; bargaining power is limited by the long arm of the law.

Childs' managers should have known better. A situation like this could only occur if safety nets and best practices were ignored or circumvented. Any security program that could allow one person to cause much damage is seriously deficient, especially since this has apparently been going on since June 20th.

The big question in my mind concerns the ramifications of continuing to run a system that could have been rigged to remotely delete data. If this concern turns out to be accurate, every minute that the city keeps the system up while it is not entirely in their control is another minute that city data is in jeopardy. A compromised system could mean data is deleted and confidential information gets leaked. Both of these are significant risks.


Update:
Linked to the Robert McMillan article in PC World since he used my quote.

City of San Francisco System Administrator In Custody, $5 Million Bail [Infosecurity.US]

Posted: 15 Jul 2008 02:47 PM CDT

NetworkWorld IDG News Service’s Jeremy Kirk (with contributions from Robert McMillan) is reporting that recently incarcerated City of San Francisco Systems Administrator Terry Childs’ bail has been set at $5 Million USD; if found guilty of all charges - improperly tampering with computer systems and causing a denial of service - the suspect could face up to 7 years in prison. Evidently, from accounts, Mr. Childs failed to turn over passwords to the City’s FiberWan system, and also committed other acts related to illegal monitoring and data gathering. Originally reported on by Jaxon Van Derbeken, Chronicle Staff Writer at SFGATE.com, the online presence of The San Francisco Chronicle.

Viacom Modifies Google YouTube Data Demands: Obfuscated User Names OK [Infosecurity.US]

Posted: 15 Jul 2008 02:41 PM CDT

According to this recent ComputerWorld post, obfuscated user names in the Google (NasdaqGS: GOOG) YouTube database dump, authorized by the U.S. District Court for the Southern District of New York, are OK with Viacom (NYSE: VIA).

MustRead: New Schneier Crypto-Gram Newsletter Released [Infosecurity.US]

Posted: 15 Jul 2008 01:28 PM CDT

Bruce Schneier has just published his eagerly awaited Crypto-Gram Newsletter for July. Ranging from CCTV Cameras, Man-in-the-middle Attacks to the Truth about Chinese Hackers, we rate this latest mailing as a MustRead.

Insane in the mainframe [IT Security: The view from here]

Posted: 15 Jul 2008 12:46 PM CDT

I'm back in the UK. Jetlag plays funny games with my head for a few days, but I'm generally over the worst of it by now. Apparently it is a really hot day today, I wouldn't know, my car's been in the garage so I deliberately arranged all my boring admin jobs, which kept me inside. I re-wrote 2 documents for colleagues, did my expenses, drank copious amounts of tea and then, with a little 'spare' time I logged onto the mainframe in Dayton.

Now, not everyone has a mainframe at their disposal like I do, I appreciate that, but if you haven't touched one in a while, or even ever, and you consider yourself a techie, find one somehow, they are great (techie) fun. Maybe I should explain... PKWare, whom I am currently contracted to, have a fine mainframe SecureZIP product, which is extremely powerful and useful, but for some reason not widely known about yet. I think everyone is still pretty happy with PKZIP, despite the extra power and security this gives them.

I guess in the 80s when Phil Katz (the PK of PKWare) wrote ZIP, the internet was a smaller place, and everyone used BBS (which PK was also instrumental in developing). What a shame publicity costs money these days. My opinion of the product isn't so relevant in this context though, I've expressed my satisfaction with the PK solution already in these pages.

What I am currently enjoying is playing on a mainframe. There is nothing so satisfying as typing short commands into a green and black (sometimes red and white too) screen, all on command lines, and getting numerical return codes. I don't know why this gets me so much, perhaps it's in my blood. My father sold mainframes for IBM back in the 60s and 70s, my mother programmed on them. No wonder I'm a geek.

Did you know, there is even mainframe related humour? If you understand this joke, you are probably in your 50s or 60s, or have a manual somewhere which explains it...
"What's a SOC4?"
"Covering your foot."
It's so lame, it's good. And I know of at least 2 people (working for PKWare) who are chuckling at this right now. You know who you are.

AEP left high and dry moves to ID access control [StillSecure, After All These Years]

Posted: 15 Jul 2008 12:33 PM CDT

AEP had been a victim of the NAC fallout. They made a bad bet on an OEM partner to provide them with NAC technology. When that NAC vendor went belly up, so did AEP's NAC product as a result. Now Tim Greene reports that AEP has come out with a new device that, while not strictly a NAC product, does more identity access control and does not seem to do any admission control.

AEP, which makes an SSL VPN type of appliance, has a new appliance that delivers an agent to an endpoint and authenticates the user. It then, according to the article, inserts an identifier in the payload of every packet that shows where and who that packet is from, which then allows it to either pass or not pass through, only to its allowed base. I don't know, that seems a bit of a chokepoint/bottleneck to me, but I don't know enough about it, only what I read in the article.

The appliance is not cheap with a price tag of over 50k for just 99 users. It seems like an awful lot of money for what it does. An important lesson, I think, on picking the right OEM partner. Pick the wrong one and your product goes down as collateral damage to the OEM partner's demise.

MustRead: Aviv Raff - Apple Commentary [Infosecurity.US]

Posted: 15 Jul 2008 12:14 PM CDT

This weekend’s MustRead is a superb post by Aviv Raff. Once again, Aviv is on target with his telling commentary on Apple’s (NasdaqGS: AAPL) security policies, in relation to the company’s Safari browser implementation on Microsoft (Nasdaq: MSFT) Windows. From Automatic File Downloading to Browser Fuzzing, Aviv’s remarks are definite MustReads.

Data protection commissioner? [Data-Centric Protection and Management]

Posted: 15 Jul 2008 12:05 PM CDT

Never thought a country would have an Information and Data Protection Commissioner - but looks like Malta is taking charge of their data. Interesting article on new laws, expansion of powers, and parliamentary discussions!

OSF Moves To Manage Data Loss DB [Infosecurity.US]

Posted: 15 Jul 2008 11:34 AM CDT

As of July 15th, the Data Loss Database, currently maintained at Attrition.org, will move under the umbrella stewardship of the Open Software Foundation management. The new database site address: datalossdb.org.

via Attrition.org:
RICHMOND, VA, July 14, 2008 - The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database - Open Source (DLDOS), currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.

Attrition.org’s Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.

DataLossDB has become a recognized leader in the categorization of data loss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. “We’ve worked hard to research, gather, and make this data open to the public,” says Kelly Todd, one of the project leaders for DataLossDB. “Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information.”

The Open Security Foundation’s DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. “For a data set as dynamic as this, it made sense to build it into a more user-driven format,” states David Shettler, the lead developer for the Open Security Foundation. “With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers.”

isn’t necessary to convic [The InfoSec Blog]

Posted: 15 Jul 2008 10:10 AM CDT

http://government.zdnet.com/?p=3874 There’s an old joke about a man brought before the court for breaking and entering, not because he was caught in the commission of a crime but because he was found in possession of housebreaking tools - crowbars, glass-cutter and so forth. When found guilty by the judge he said “well you better convict me for rape as well since [...]

S4 Call for Papers Update [Digital Bond]

Posted: 15 Jul 2008 09:44 AM CDT

A friendly reminder that the S4 Call for Papers is open. We organize the event a bit differently than most. We review submissions as they come in and give a yes, no or maybe within a week. Submitting your abstract early increases your chances of getting in. We have already accepted three fantastic, must-see abstracts for S4 2009.

We also chase groundbreaking research for the event. If you know of some bleeding edge control system security research going on anywhere in the world, please send us an email.

Officially there are sixty days left to get your submission in. The program will be finalized on Sept 15th and registration open on October 1st.

The Last HOPE Countdown - Hack Minus 3 [Liquidmatrix Security Digest]

Posted: 15 Jul 2008 09:04 AM CDT

Ok - yesterday was a write-off from a work standpoint… today isn’t looking much better… so this is going to be quick.

Is it odd that I’m ripping Hackers to put on the iPod for the trip to NYC?

The Last HOPE is coming in only 3 sleeps.

You can follow all the action as it happens by watching this feed: LSD Tweets #TheLastHOPE

Always remember - Don’t Quit Your Day Job.

Security Briefing: July 15th [Liquidmatrix Security Digest]

Posted: 15 Jul 2008 09:03 AM CDT

On Spies and inside knowledge [The InfoSec Blog]

Posted: 15 Jul 2008 08:55 AM CDT

My friend and mentor, Donn Parker, observes: Build your security assuming that the enemy knows as much about your security and what you are doing as you do. The lesson of history, InfoSec, industry, literature, warfare and politics tells us this is so. Chapter 13 of Sun Tzu’s great work, “On the use of Spies”, advises: What enables [...]

Oracle: 45 Critical Database & Server Patches [Liquidmatrix Security Digest]

Posted: 15 Jul 2008 08:48 AM CDT

Well, today is the day. At 4 pm (EST) the folks at Oracle will release their list of patches, 45 in all. Ryan Naraine has a nice synopsis of this over on ZDNet.

From Zero Day:

Database server giant Oracle plans to ship patches for a total of 45 security vulnerabilities on Thursday (July 17), bringing the vulnerability count for 2008 to a whopping 112.

Since January 2006 (this CPU included), Oracle has shipped fixes for a total of 572 vulnerabilities.

According to a pre-release analysis, the vulnerabilities affect hundreds of products, including all supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions.

This is the first Critical Patch Update that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.

My vulnerability made the cut for this release as well. Stay tuned.

Article Link

Greetings from Phuket (it was work, really) [Commtouch Café]

Posted: 15 Jul 2008 07:17 AM CDT

Sawadika (that's hello in Thai)… What could be better than fresh pineapple juice? The answer is fresh pineapple juice in the morning on one of the beautiful Andaman ocean beaches in Phuket, Thailand. Well, I had to make do with the fresh pineapple juice and a walk down to the OPSEC pavilion, but still not that [...]

McCain Can't Use the Internet [Carnal0wnage Blog]

Posted: 15 Jul 2008 06:31 AM CDT

You know I don't require my elected leaders to be a NOP or be able to write an 0day, but to not be able to "get online" or read email. :-(

http://blog.wired.com/27bstroke6/2008/07/mccain-says-hes.html

How the F is someone that can't even get online supposed to be able to make good decisions for our country about all the different issues that come up with regard to the internet, privacy, security, etc.?

Angelina Jolie Malware “Video” [Commtouch Café]

Posted: 15 Jul 2008 06:31 AM CDT

I know some people get excited about the prospect of a new video of Angelina Jolie (with or without her new twins), but it’s not recommended to download one that ends in “.exe” since it’s most likely malware. Building on the trend from the past few months of using standard MSN messages (links and [...]

USCERT: ZoneLabs Issues Network Connectivity Patch [Infosecurity.US]

Posted: 15 Jul 2008 12:44 AM CDT

US-CERT has announced a security update from ZoneLabs, addressing issues in their ZoneAlarm product. Elsewhere in the Black Hat Security Bloggers Network, there have been reports of the latest Microsoft Patch (MS08-037) creating a loss of network connectivity for users with versions immediately prior to ZoneAlarm version 7.0.483.0.

AxBan Signature List v. 4 [Errata Security]

Posted: 14 Jul 2008 11:00 PM CDT

Errata has updated the content on the AxBan bad ActiveX control list.

We added entries including the Yahoo Messenger and the Microsoft Access Snapshot Viewer ActiveX controls.

Users with AxBan 1.5 or later will not need to manually download these entries. It will be updated automatically on launch if your computer is connected to the internet.

NERC Responds To Congressional Pounding [Digital Bond]

Posted: 14 Jul 2008 06:25 PM CDT

NERC got hit hard by Congress in the May Congressional Subcommittee Hearings, most notably on providing false information to Congress in the past. Some members of the Subcommittee went as far as saying NERC needed to be replaced as the ERO. There had to be some action plan by NERC to attempt to restore faith, and to that end a letter and press release were published today.

The highlights are:

  • NERC will now have a CSO and a Critical Infrastructure Protection program as a “statutory function”
  • Investigate a streamlined, emergency standards making process
  • Communicate better

I have a tough time writing a logical, consistent analysis of this. On one hand it reads - - this is so hard, we have limitations on what we can do, blah, blah, blah, reorganize to better address, blah, blah, blah, communicate better. Very political and bureaucratic, but then again when Congress got involved it is undoubtedly political. This may be what is required to get Congress off their back, but I doubt it. At the last meeting it was clear that FERC had ameliorated Congress and NERC was the target of wrath. I don’t see anything in this letter or press release that would change Congressional attitude. In fact, a large portion of the letter gives excuses/reasons why NERC can’t do better. Will responding weakly only harden Congressional opinion?

On the other hand, if one reads this as a statement of emphasis and improvement it does little to impress. Where is the focus on the guidance documents and changes that FERC and many asset owners had asked for? So many electric utilities are begging for guidance on what many of the broadly written requirements mean and what is going to be an acceptable solution from an audit perspective. Many because they want to do the right thing and some because they want to do the minimum necessary. If NERC wanted to add rigor they could do this through audit guideline documents.

Where is the detail on how NERC is going to accelerate the 2nd Generation of the CIP standards or perhaps a more detailed and rigorous audit schedule? [There is so much room in an audit that we have wondered how audits will be performed with any level of consistency across the country.] These actions and information would be a lot more persuasive to a security professional, maybe or maybe not to Congress, than a re-org.

To be clear, we have seen marked improvement in the level of effort and security posture of electric utilities that can be attributed to the NERC CIP standards. If they went away or were delayed it would negatively impact the security of the bulk power system. But when your boss’s boss tells you to do something and threatens to fire you, it would be wise to respond with a very strong effort. That may be the issue - - NERC may have trouble deciding which boss to listen to. The ERO portion should listen solely to FERC, who has to answer to some degree to Congress, but the majority of the work NERC does is for its members, the electric utilities.

US Air Marshal Sets World Marksmanship Record [Infosecurity.US]

Posted: 14 Jul 2008 05:55 PM CDT

While not necessarily information security related, we thought this story important enough to comment on. The TSA reports on a world record in speed shooting by a Federal Air Marshal. Held in Middlesex County, N.J., in mid-June, the event was earmarked by an outstanding performance by the New York based Air Marshal.

It is vitally important to recall that the Federal Air Marshal (FAM) Service exists to serve and protect us as we fly, and Infosecurity.US wants to extend our thanks for the dedication these fine men and women bring to the law enforcement community, and to our country. I am sure we are joined by many in extending our gratitude for the work of the Air Marshals, who protect the women, children and men who fly our nation’s airlines.

In Memoriam: Joe Barr [Infosecurity.US]

Posted: 14 Jul 2008 05:14 PM CDT

In Memoriam: Joe Barr.

Over the weekend, devastating news came of Joe Barr’s untimely passing. Read Robin Miller’s (Editor in Chief of SourceForge) marvelous tribute.

Another Apple Security Update: XCode 3.1 [Infosecurity.US]

Posted: 14 Jul 2008 03:09 PM CDT

Symantec’s Todd Woodward posts on the recently released Apple (NasdaqGS: AAPL) XCode 3.1 Security Update. For the uninitiated, Apple XCode is the Apple Mac OS X Development Environment. Written in Objective C, it is the fundamental underpinning of many Mac OS X compatible software products.

Security on Tight Budgets in Lean Times [The IT Security Guy]

Posted: 14 Jul 2008 01:53 PM CDT

CIO magazine had this interesting article on their web site last week about running an IT security department when times are tough -- like now -- on thin budgets.

The article pointed out, among other things, that security professionals shouldn't get complacent about their jobs. Even though their function is important, when cuts come, they can be axed too. This is counterintuitive to the fact security spending should actually be increased in lean times, when desperate people are more likely to try hanky panky.

But the key message of the article was that if staff is light, then make everybody a security professional, so to speak, through security awareness training and education. Make the rest of the staff your security eyes and ears.

Though a bit unrelated, it reminded me of the human side of security, which Bruce Schneier emphasized again in a recent interview for CSO online. He clearly explains his evolution from hardcore techie to security generalist, applying social sciences to security behavior. Interesting stuff.

TSA Launches Leak Investigation [Liquidmatrix Security Digest]

Posted: 14 Jul 2008 01:16 PM CDT

Not too long ago someone inside the TSA talked to CNN and leaked the fact that there are almost zero air marshals on flights these days. Security through obscurity illusion, I guess.

So, what did they do?

Did they put more air marshals in service? Not sure.

Did they say, “our bad, we’ll get right on it”? Nope.

They decided to launch an internal hunt for the leak whistle blower.

From CNN:

The Transportation Security Administration rejected as a “myth” CNN’s report that less than 1 percent of the nation’s daily flights carry armed federal air marshals. Now the agency is conducting an investigation into who talked to CNN and who encouraged other agents to do the same.

A spokesman for the TSA confirmed the investigation.

Spokesman Christopher White said a TSA investigator is looking into the “possible unauthorized release of sensitive and classified information to the news media by covered parties.”

A rational response. Sigh. The TSA refutes the story, but they don’t offer anything to back their version. Rather they claim it as classified information. The marshal in question has asked for anonymity due to fear of reprisals from the TSA. Yeah, the internal investigation won’t validate his position at all, will it? (yes, that’s sarcasm)

So, how does one resolve this? Does the TSA come clean? Or do we continue to suffer the pat on the head as they tell us to go play in traffic?

Article Link

The Last HOPE Countdown - Hack Minus 4 [Liquidmatrix Security Digest]

Posted: 14 Jul 2008 09:57 AM CDT

Ok folks,

I know I haven’t been posting much, but I’ve been up to my proverbials in… well…

Let’s just say that work has been interesting. Not the good interesting.

However, it’s HOPE week and therefore I’m feeling happier about the world.

Countdown to Friday’s festivities is on…

And ye shall know me by my shoes.

Packing for HOPE

See ya there!

Oh — and expect many more updates. Be sure to follow the “LSD Twitters TheLastHOPE” feed if you want the news as it happens (presuming the fail whale doesn’t show up on Twitter).

Thanks!
