*“BEAST”* – Browser Exploit Against SSL/TLS: BEAST release announced at the Ekoparty conferencein Buenos Aires by security researchers *Juliano Rizzo* and *Thai Duong. * According to reports, the two exploit a known vulnerability that, unlike other SSL attacks, is based on an implementation flaw and not in the digital certificate model. “As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests. While fixing the authenticity vulnerabilities may require a new trust model, fixing the vulnerability that BEAST exploits may require a major change to the protocol itself. Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications." On September 22, 2011, Cody Kretsinger, a 23-year-old from Phoenix, Arizona was arrestedand charged with conspiracy and the unauthorized impairment of a protected computer, according a federal indictment. How did the Feds track down the alleged *LulzSec* member? It turns out that a VPN service reportedly used to mask his online identify and location was the one who handed over data to the FBI. According to the federal indictment (embedded below), Kretsinger registered for a VPN account at *HideMyAss.Com *under the user name “recursion”. Following that, the indictment said that Kretsinger and other unknown conspirators conducted SQL injection attacks against Sony Pictures in attempt to extract confidential data. ADOBE Flash Player Security Release: *Adobe* released a security updatefor its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. The critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the *RSA cyber attack* was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploitthat installed a backdoor through an Adobe Flash vulnerability. On 9/23/2011, in a rare move, *Oracle * broke its normal procedures and issued an emergency patch due to concerns about the impact of a successful attack. This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in *Apache HTTPD*, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems. The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than * CVE-2007-0086*. *Bank social engineering trojan attack* successfully steals moneyby inviting users to engage in a Dummy Transfer that actually transfers money to the hackers account. On September 18, 2011, *Patrick Dunstan* announced a flaw in OS X. On September 20, 2011, *Apple *released notice of a flaw in *OS X Directory Service* allowing users to display password hash. A local user can invoke the following Directory Services command line command to view the password hash for the target user: dscl localhost -read /Search/Users/[target user] A local user can change their password without entering the current password using the following Directory Services command line command: *dscl localhost -passwd /Search/Users/[current user] * September 9, 2011, Hackers Break into NBC Twitter: "This is not a joke, Ground Zero has just been attacked. We're attempting to get reporters on the scene. #groundzeroattacked," read the first false message sent from the @nbcnews account. The second message alleged an airliner had been hijacked and the plane had just hit Ground Zero -- the site of the deadly September 11, 2001 terrorist strikes in New York. *The Script Kiddies*, who claimed responsibility, is reportedly a group that splintered from Anonymous, the loose network of "hacktivists" behind recent cyber attacks on Visa.com, Mastercard.com and other websites. The same group claimed to have hacked the @foxnewspolitics Twitter account in July, posting a false report that President Barack Obama had been murdered. *Google* advises Iran users to change passwords on September 9, 2011. Google has advised users of its online services in Iran to change their passwords following the theft of Internet security certificates from a Dutch company. "We learned last week that the compromise of a Dutch company involved with verifying the authenticity of websites could have put the Internet communications of many Iranians at risk, including their Gmail," Google vice president of security engineering Eric Grosse said. Users of Chrome Browser were not affected. *An Iranian Hacker *has claimed responsibility. Another Amsterdam SSL Certificate Authority Admits Security Breech and halts certificate sales. *ComodoHacker*, a 21 year old Iranian hacker, claims individual responsibility for the breech. ComodoHacker's pastebinis still available to read. On July 30, 2011, researchersat the Black Hat security conference showed an iPhone security flawwhich exploits a weakness in SMS text messaging to take control of the device. On July 31, 2011, Apple announced repair of the issue. It is unknown how few iPhone users have implemented this fix. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung. As yet, * Microsoft* has not responded. *Kaminsky* describes the full impact of DNS poisoningvulnerability at DefCon 19, again reminding everyone to patch their *DNS systems*. *RPC/DCOM Vulnerabilites * patched for virtually all *Windows *server and desktop OS, as well as Internet Explorer, XP. Networks that properly block inbound 445 and 139 are not affected externally, however internal networks are all vulnerable. More news available at PLUG Hackfests . Hack to Learn with PLUG ! Showing DefCon and Blackhat 19 Videos, 2nd Saturday of every month at MakerBench 3PM - 6PM. “Tell me and I forget. Teach me and I remember. Involve me and I learn.” *– Benjamin Franklin* -- (602) 791-8002 Android (623) 239-3392 Skype (623) 688-3392 Google Voice ** homesmartarizona.com