[Plug-security] Security News

Lisa Kachold lisakachold at obnosis.com
Sun Sep 25 09:03:59 MST 2011


*“BEAST”* – Browser Exploit Against SSL/TLS:
The BEAST release was announced at the Ekoparty conference
<http://www.ekoparty.org/index.php> in Buenos Aires by security researchers
*Juliano Rizzo* and *Thai Duong*.  According to reports, the two exploit a
known vulnerability that, unlike other SSL attacks, is based on an
implementation flaw and not on the digital certificate model.  “As far as we
know, BEAST implements the first attack that actually decrypts HTTPS
requests. While fixing the authenticity vulnerabilities may require a new
trust model, fixing the vulnerability that BEAST exploits may require a
major change to the protocol itself. Actually we have worked with browser
and SSL vendors since early May, and every single proposed fix is
incompatible with some existing SSL applications.”

On September 22, 2011, Cody Kretsinger, a 23-year-old from Phoenix, Arizona
was arrested
<http://www.computerweekly.com/Articles/2011/09/23/247974/FBI-arrests-LulzSec-hacker-suspect-Cody-Kretsinger-over-massive-Sony-data.htm>
and charged with conspiracy and the unauthorized impairment of a protected
computer, according to a federal indictment.  How did the Feds track down the
alleged *LulzSec* member? It turns out that a VPN service reportedly used to
mask his online identity and location was the party that handed over data to
the FBI. According to the federal indictment (embedded below), Kretsinger
registered for a VPN account at *HideMyAss.Com* under the user name
“recursion”. Following that, the indictment said that Kretsinger and other
unknown conspirators conducted SQL injection attacks against Sony Pictures
in an attempt to extract confidential data.

ADOBE Flash Player Security Release:

*Adobe* released a security update
<https://www.adobe.com/support/security/bulletins/apsb11-26.html> for
its Flash Player. The out-of-cycle update addresses critical security
issues in Flash Player as well as an important universal cross-site
scripting issue. The critical vulnerabilities have been identified in Adobe
Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux
and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for
Android. These vulnerabilities could cause a crash and potentially allow an
attacker to take control of the affected system. Adobe reported that one of
the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active
targeted attacks designed to trick the user into clicking on a malicious
link delivered in an email message. To illustrate the importance of keeping
systems up to date, including Adobe Flash products, the fact that the *RSA
cyber attack* was executed using a spear phishing attack with an embedded
Flash file should serve as a friendly reminder. RSA was breached after an
employee opened a spreadsheet that contained a zero-day exploit
<http://blogs.rsa.com/rivner/anatomy-of-an-attack/> that
installed a backdoor through an Adobe Flash vulnerability.

On 9/23/2011, in a rare move, *Oracle*
<http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html>
broke its normal procedures and issued an emergency patch due to concerns
about the impact of a successful attack.  This security alert addresses the
security issue CVE-2011-3192, a denial of service vulnerability in *Apache
HTTPD*, which is applicable to Oracle HTTP Server products based on Apache
2.0 or 2.2. This vulnerability may be remotely exploitable without
authentication, i.e. it may be exploited over a network without the need for
a username and password. A remote user can exploit this vulnerability to
impact the availability of unpatched systems.  The byterange filter in the
Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19
allows remote attackers to cause a denial of service (memory and CPU
consumption) via a Range header that expresses multiple overlapping ranges,
as exploited in the wild in August 2011, a different vulnerability than
*CVE-2007-0086*.
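The overlapping-Range denial of service described above is recognisable at the HTTP layer from the Range header alone, which is how the Apache project's interim mitigation worked (a mod_setenvif/mod_headers rule that drops Range headers carrying many ranges). The Python below is added here as an illustration for log triage and is not code from the Oracle alert, the Apache advisory or this list; it parses a Range header value, counts the byte-range specs and flags inverted or overlapping ranges. The sample requests, the threshold MAX_RANGES and the function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Threshold on the number of byte-range specs in one Range header.  This is
# an assumed value for illustration; tune it to the legitimate multi-range
# traffic (e.g. PDF readers) a given site actually sees.
MAX_RANGES = 5

# Constructed sample requests (not captured traffic).  The third one mimics
# the overlapping/inverted multi-range pattern described for CVE-2011-3192.
SAMPLE_REQUESTS = [
    {"ip": "192.0.2.10", "path": "/index.html", "range": "bytes=0-499"},
    {"ip": "192.0.2.11", "path": "/doc.pdf", "range": "bytes=0-99,100-199,200-299"},
    {"ip": "192.0.2.12", "path": "/", "range": "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6"},
    {"ip": "192.0.2.13", "path": "/", "range": None},
]

RangeSpec = Tuple[Optional[int], Optional[int]]  # (first, last); None = absent


def parse_ranges(header: str) -> Optional[List[RangeSpec]]:
    """Parse an HTTP/1.1 Range header value into (first, last) pairs.

    "first-last" -> (first, last); "first-" -> (first, None) (open-ended);
    "-suffix"    -> (None, suffix) (last N bytes).  Returns None when the
    value is not a byte-range set at all.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", header, re.IGNORECASE)
    if not m:
        return None
    specs: List[RangeSpec] = []
    for spec in m.group(1).split(","):
        sm = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not sm or (sm.group(1) == "" and sm.group(2) == ""):
            return None
        first = int(sm.group(1)) if sm.group(1) else None
        last = int(sm.group(2)) if sm.group(2) else None
        specs.append((first, last))
    return specs


def analyse_range(header: Optional[str], max_ranges: int = MAX_RANGES) -> List[str]:
    """Return the reasons a Range header looks abusive; an empty list is benign."""
    if header is None:
        return []
    ranges = parse_ranges(header)
    if ranges is None:
        return ["malformed"]
    reasons: List[str] = []
    if len(ranges) > max_ranges:
        reasons.append(f"too_many_ranges:{len(ranges)}")
    # A spec whose first byte is past its last byte is syntactically invalid
    # per RFC 2616 and shows up in the known abusive pattern.
    if any(f is not None and l is not None and f > l for f, l in ranges):
        reasons.append("inverted_range")
    # Overlap check on ranges with a known start; suffix ranges cannot be
    # placed without the entity length, so they are counted but not compared.
    absolute = sorted(
        (f, float("inf") if l is None else l)
        for f, l in ranges
        if f is not None and (l is None or f <= l)
    )
    for (_, l1), (f2, _) in zip(absolute, absolute[1:]):
        if f2 <= l1:
            reasons.append("overlapping_ranges")
            break
    return reasons


def triage(requests) -> List[Tuple[str, str, List[str]]]:
    """Run analyse_range over request records and keep only the flagged ones."""
    flagged = []
    for req in requests:
        reasons = analyse_range(req["range"])
        if reasons:
            flagged.append((req["ip"], req["path"], reasons))
    return flagged


if __name__ == "__main__":
    for ip, path, reasons in triage(SAMPLE_REQUESTS):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

Only the third constructed request is flagged (too many ranges, an inverted range and an overlap). Legitimate multi-range clients do exist, so in practice the count threshold is the knob to tune; inverted and overlapping ranges have no legitimate use and are the stronger signal.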

*Bank social engineering trojan attack* successfully steals money
<http://www.virusbtn.com/news/2011/09_21a.xml?rss> by inviting
users to engage in a Dummy Transfer that actually transfers
money to the hackers' account.

On September 18, 2011, *Patrick Dunstan* announced a flaw in OS X
<http://www.defenceindepth.net/>.
On September 20, 2011, *Apple* released notice of a flaw in *OS X Directory
Service* allowing users to display password hashes.  A local user can invoke
the following Directory Services command to view the password hash for the
target user: *dscl localhost -read /Search/Users/[target user]*.  A local
user can change their password without entering the current password using
the following Directory Services command: *dscl localhost -passwd
/Search/Users/[current user]*

September 9, 2011, Hackers Break into NBC Twitter
<http://news.yahoo.com/hackers-seize-nbcs-twitter-claim-false-attack-232448289.html;_ylt=AhqxmzJpwdI.DVqv._Mm.OODzdAF;_ylu=X3oDMTQ1NDBlZTA0BG1pdANUb3BTdG9yeSBUZWNoU0YgU2VjdXJpdHlTU0YEcGtnAzlkM2IyZDYxLWYxOGQtMzY0Yy04ZWUwLTI2NGZkNzc3YTQ3MQRwb3MDNwRzZWMDdG9wX3N0b3J5BHZlcgMxZGVmMjQ4MC1kYjNiLTExZTAtYjc2Zi1lOGVmMzAwM2JhZWI-;_ylg=X3oDMTIxbzc3Z3NmBGludGwDdXMEbGFuZwNlbi11cwRwc3RhaWQDBHBzdGNhdAN0ZWNofHNlY3VyaXR5BHB0A3NlY3Rpb25zBHRlc3QD;_ylv=3>:
"This is not a joke, Ground Zero has just been attacked. We're attempting to
get reporters on the scene. #groundzeroattacked," read the first false
message sent from the @nbcnews account. The second message alleged an
airliner had been hijacked and the plane had just hit Ground Zero -- the
site of the deadly September 11, 2001 terrorist strikes in New York.   *The
Script Kiddies*, who claimed responsibility, is reportedly a group that
splintered from Anonymous, the loose network of "hacktivists" behind recent
cyber attacks on Visa.com, Mastercard.com and other websites. The same group
claimed to have hacked the @foxnewspolitics Twitter account in July, posting
a false report that President Barack Obama had been murdered.

*Google* advises Iran users to change passwords on September 9, 2011.
Google has advised users of its online services in Iran to change their
passwords following the theft of Internet security certificates from a Dutch
company
<http://news.yahoo.com/hacked-dutch-internet-company-declared-bankrupt-182235564.html;_ylt=AmLvvzMDYZfFRyLCMG7.2mCDzdAF;_ylu=X3oDMTQ1cW1kaXVhBG1pdANUb3BTdG9yeSBUZWNoU0YgU2VjdXJpdHlTU0YEcGtnAzZiOTAwZTBjLTNkMzYtMzkyOC1iOTUxLWQ2ODA3ZDVmYWU0YgRwb3MDMQRzZWMDdG9wX3N0b3J5BHZlcgNiZDYzNDQ2MC1lM2I1LTExZTAtOWY0Ni1mMjgxNWVkNDRiMmM-;_ylg=X3oDMTIxbzc3Z3NmBGludGwDdXMEbGFuZwNlbi11cwRwc3RhaWQDBHBzdGNhdAN0ZWNofHNlY3VyaXR5BHB0A3NlY3Rpb25zBHRlc3QD;_ylv=3>.
"We learned last week that the compromise of a Dutch company involved with
verifying the authenticity of websites could have put the Internet
communications of many Iranians at risk, including their Gmail," Google vice
president of security engineering Eric Grosse said.  Users of Chrome Browser
were not affected.  *An Iranian Hacker* has claimed responsibility.

Another Amsterdam SSL Certificate Authority Admits Security Breach
<http://www.securityweek.com/comodohacker-claims-major-globalsign-breach-company-hires-diginotar-cyber-investigators>
and halts certificate sales.  *ComodoHacker*, a 21 year old Iranian hacker,
claims individual responsibility for the breach.  ComodoHacker's pastebin
<http://pastebin.com/u/ComodoHacker> is still available to read.

On July 30, 2011, researchers
<http://utahbruteforce.com/bruteforce/2009/07/an-sms-can-force-a-url-or-app-on-smartphones.html>
at the Black Hat security conference showed an iPhone security flaw
<http://www.computerworld.com/s/article/9136106/Mass_Panic_The_iPhone_Has_a_Vulnerability?source=rss_security>
which exploits a weakness in SMS text messaging to take control of the
device.  On July 31, 2011, Apple announced repair of the issue
<http://news.cnet.com/8301-1009_3-10301001-83.html>.
It is unknown how many iPhone users have applied this fix. Researchers at
Black Hat also showed how SMS-related vulnerabilities can affect Windows
Mobile smartphones
<http://news.cnet.com/8301-27080_3-10300536-245.html>, including those
from HTC, Motorola, and Samsung.   As yet, *Microsoft* has not responded.

*Kaminsky* describes the full impact of the DNS poisoning vulnerability
<http://www.darkreading.com/security/application-security/211201180/kaminsky-dns-vulnerability-will-affect-email-internal-systems-too.html>
at DefCon 19, again reminding everyone to patch their *DNS systems*.

*RPC/DCOM Vulnerabilities* <http://www.nist.org/news.php?extend.262> patched
for virtually all *Windows* server and desktop OS, as well as Internet
Explorer, XP.  Networks that properly block inbound ports 445 and 139 are not
affected externally; however, internal networks are all vulnerable.


More news available at PLUG Hackfests <http://plug.phoenix.az.us>.


Hack to Learn with PLUG <http://hackfest.obnosis.com/>!
Showing DefCon and Blackhat 19 Videos, 2nd Saturday of every month at
MakerBench <http://www.makerbench.com/about/> 3PM - 6PM.

“Tell me and I forget.  Teach me and I remember.  Involve me and I learn.”
*– Benjamin Franklin*

-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
homesmartarizona.com