Friday, June 22, 2012

Limits Set on E-mail Monitoring

Limits Set on E-mail Monitoring: Administration Memo Seeks to Protect Whistleblowers' E-mails. By Eric Chabrow, June 21, 2012. The Obama administration issued a memorandum cautioning U.S. federal agencies that it could be unlawful to interfere with employees' communications, including e-mails, used to report misconduct in government. "We strongly urge executive departments and agencies to evaluate their monitoring policies and practices, and take measures to ensure that these policies and practices do not interfere with or chill employees from using appropriate channels to disclose wrongdoing," writes Carolyn Lerner, who heads the Office of Special Counsel, the federal organization charged with protecting government employees from reprisals for whistleblowing. Lerner sent the memorandum, dated June 20, to departmental and agency heads and legal counsels. The genesis of the memorandum is an investigation by the Office of Special Counsel into the Food and Drug Administration's monitoring of employees who informed the special counsel, inspector general and The New York Times that the FDA had approved what the agency workers considered unsafe medical devices. 
According to the National Whistleblowers Center, whose lawyers represented the employees, the FDA used spyware to secretly monitor the whistleblowers' computers and other technology, gaining access to their password-protected Gmail-to-Gmail communications with Congress, the Office of Special Counsel and other oversight authorities. Stephen Kohn, National Whistleblowers Center executive director, characterizes the administration's memo as a significant first step in protecting the constitutional rights of federal-employee whistleblowers. "This is the first time limits have been placed on the federal government's ability to monitor employee e-mails," Kohn says in a statement. "The targeted monitoring of whistleblowers in all government agencies ... has created a tremendous chilling effect on the willingness of federal employees to speak up about what they witness." Federal law prohibits agencies from taking actions against employees who inform the special counsel or inspector general of suspected wrongdoing in government. Lerner, in the memo, says agency monitoring designed specifically to target protected disclosures to the special counsel and IG is "highly problematic." "Such targeting undermines the ability of employees to make confidential disclosures," Lerner says, adding that this type of monitoring could be perceived as retaliation. The administration's memo strongly recommends that agencies review existing monitoring policies and practices to ensure that they are consistent with the law and Congress's intent to provide a secure channel for protected disclosures.

CISCO ASA vuln warning

MS-ISAC ADVISORY NUMBER: 2012-045
DATE(S) ISSUED: 06/21/2012
SUBJECT: Denial of Service Vulnerability in Cisco ASA Products

OVERVIEW: A denial of service vulnerability has been discovered in Cisco Adaptive Security Appliance (ASA) 5500 series appliances and ASA Service Modules (ASASM) for Catalyst 6500 series switches. Cisco ASA products provide firewall, intrusion prevention, remote access, and other services. Successful exploitation could result in a denial of service condition or a reload of the affected device.

SYSTEMS AFFECTED:
Cisco ASA 5500 Series Appliances running software versions prior to 8.4(4.1), 8.5(1.11), and 8.6(1.3)
Cisco Catalyst 6500 series ASA Service Modules running software versions prior to 8.4(4.1), 8.5(1.11), and 8.6(1.3)

RISK:
Government: Large and medium government entities: High; Small government entities: High
Businesses: Large and medium business entities: High; Small business entities: High
Home users: Low

DESCRIPTION: Cisco ASA 5500 series appliances and Cisco Catalyst 6500 Series ASA Service Modules (ASASM) are prone to a remote denial of service vulnerability due to improper handling of IPv6 traffic. The issue is triggered only when the device is running in transparent firewall mode with IPv6 enabled and has system logging configured so that message ID 110003 is logged, which is the case when the logging severity level is set to 6 (informational) or 7 (debugging). These settings are not enabled by default. To exploit this vulnerability, an attacker sends the device a specially crafted IPv6 packet that causes it to generate log message ID 110003. When the packet is processed and the log message is created, the device can enter a denial of service condition or reload. Information on log message ID 110003 can be found at hxxp://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354.

RECOMMENDATIONS: We recommend the following actions be taken:
- Apply the appropriate fixed software release provided by Cisco after appropriate testing. For the complete list of fixed releases, see hxxp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6
- Until the device can be upgraded, consider disabling log message ID 110003 with the "no logging message 110003" command. Instructions for this workaround are in the same Cisco advisory. Note that this also suppresses legitimate occurrences of the message (it reports routing failures to locate a next hop), so re-enable it once the fixed release is installed.

REFERENCES:
Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6#@ID
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354
Security Focus: http://www.securityfocus.com/bid/54106
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3058

Internet Explorer vuln advisory

The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is intended for State government entities. The information may or may not be applicable to the general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER: 2012-044
DATE(S) ISSUED: 06/12/2012
SUBJECT: Cumulative Security Update for Internet Explorer (MS12-037)

OVERVIEW: Multiple vulnerabilities have been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:
• Internet Explorer 6
• Internet Explorer 7
• Internet Explorer 8
• Internet Explorer 9

RISK:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: High

DESCRIPTION: Thirteen vulnerabilities have been discovered in Microsoft Internet Explorer. Details of these vulnerabilities are as follows:

Remote Code Execution Vulnerabilities: Nine remote code execution vulnerabilities have been discovered in Internet Explorer. These are memory corruption vulnerabilities that occur when Internet Explorer accesses an object in memory that has been deleted or has not been properly initialized. They may be exploited if a user visits a web page that is specifically crafted to take advantage of them. Successful exploitation of any of these vulnerabilities could result in an attacker taking complete control of the system.

Information Disclosure Vulnerabilities: Four information disclosure vulnerabilities have been discovered in Internet Explorer. These could be exploited if an attacker convinces a user to visit a specially crafted website, allowing the attacker to access information in other domains or Internet Explorer zones.

RECOMMENDATIONS: We recommend the following actions be taken:
• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:
Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms12-037
Security Focus: http://www.securityfocus.com/bid/53866 http://www.securityfocus.com/bid/53867 http://www.securityfocus.com/bid/53868 http://www.securityfocus.com/bid/53869 http://www.securityfocus.com/bid/53870 http://www.securityfocus.com/bid/53871 http://www.securityfocus.com/bid/53841 http://www.securityfocus.com/bid/53842 http://www.securityfocus.com/bid/53843 http://www.securityfocus.com/bid/53844 http://www.securityfocus.com/bid/53845 http://www.securityfocus.com/bid/53847 http://www.securityfocus.com/bid/53848
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1523 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1873 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1874 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1878 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1879 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1882

Thomas D. Smith, Director

Thursday, June 14, 2012

MySql Vulnerability

Dark Reading: Expect A Surge In Breaches Following MySQL Vulnerability. Vulnerability is so easily attacked and so prevalent that we're bound for a bump in database exposures. By Ericka Chickowski, Contributing Writer, Dark Reading, Jun 13, 2012 | 10:10 PM. URL - http://www.1stsecureit.com/news_detail.php?NewsArticleID=80

An unusual password vulnerability that makes hundreds of thousands of MySQL and MariaDB databases vulnerable to simple brute-force attacks is likely to soon start a ripple effect of increased data breach activity online, security experts predict. According to researchers, databases within hosting service provider and cloud infrastructures are the likeliest targets, but all administrators are advised to keep on the lookout for patches from their open source distribution and adhere to basic best practices to mitigate risk in the interim.

Initially, the vulnerability was discovered over the weekend by a developer in the MariaDB community, who reported it as a quirky but trivial bug. Subsequently, though, research into the vulnerability was crowd-sourced to the security community at large via social media, which found the problem to be a lot bigger than initially thought. "This was one of the cases where it looked like a minor bug, but the folks didn't do enough coordination and they ended up leaving everyone out there kind of hanging in the wind," says HD Moore, chief security officer at Rapid7 and creator of Metasploit. "From their perspective, it didn't affect their shipping build, but it's all the other vendors who compile packages slightly differently who may be affected more than they realized."

The vulnerability itself is in the way MySQL checks passwords: the bug makes it such that there is roughly a one in 256 chance, per connection attempt, that a wrong password will still be accepted. So a loop of repeated connection attempts will, typically within a few hundred tries, grant an attacker access. It was a bug so unusual that Moore says some MySQL developers ran into it, couldn't reproduce it, and eventually chalked it up as a fluke. "I've never really seen a vulnerability like this where the thing just randomly doesn't verify your password and lets you in. I hadn't seen a vulnerability like that before," says Josh Shaul, CTO of Application Security, Inc.

According to Moore, who happened to be doing research across a number of IP spaces on the Internet already, he was able to use some existing data feeds to find that there are about 1.74 million MySQL servers facing the Internet at the moment, half of which he found employed no kind of host-based access control to mitigate the risk of an attack. That tallies to approximately 870,000 databases online and reachable by an attack that needs very little technical expertise to carry out. With such a large number of exposed systems and such an easy path to attack them, the community should expect a surge in breaches, he warns. "We're going to see a lot of exposure to this," Moore says. "I wouldn't be surprised if we see a whole lot of data breaches coming out because it is so easy to exploit. You don't have to be a hacker to do it, you can just type in one line and you're guaranteed to get into a vulnerable server."

In fact, some security pundits have already thrown out wild theories that maybe we've already seen the surge start. "Crazy theory: Could this be related to the LinkedIn, last.fm, eHarmony and other recent breaches? Did any of them have MySQL exposed? Even worse, was this really a bug or a very clever backdoor?" wrote security blogger David Dede in the Sucuri Research Blog earlier this week. However, Shaul thinks that's not likely at all. "I think it's unlikely because I'd be shocked to see eHarmony and LinkedIn exposing their database to the public Internet so that people could exploit it from login," he says. "I think you're much more likely looking at significantly less sophisticated IT shops that are vulnerable to this."

Nevertheless, this vulnerability still has the potential to affect databases hooked up to everything from ecommerce systems to online forums, Rapid7's Moore says. He says that even before patches are available, organizations can protect themselves with best practices. "The good thing is that it is best practice not to expose the database to the network in the first place. We do see a lot of them out there, but those are folks who are doing something wrong to start with," he says. "And folks who don't have host access control, that's another strike against them saying 'You aren't doing even the minimum level of security.'" However, there are cases where host access control isn't possible, which is why he believes hosting service providers and cloud providers are squarely in the crosshairs for this. "There are cases where service providers have got a huge arm of shared servers and they may expose a MySQL server to some customers or their IP ... such that they can't just firewall it off," he says. "Also, you see that with a lot of cloud providers, where they give you a dynamic IP address every time your server comes up so you can't use host access control a lot of times."

This latest MySQL exposure is the second big security black eye for the database software in the past year. In September 2011, the MySQL.com website was breached and redirected visitors to a website serving up malware via the BlackHole crimeware kit. The site had been hit by a SQL injection attack in that instance.

Wednesday, June 13, 2012

The Cloud

“In a new global survey of nearly 1,500 business and technology leaders conducted by Harvard Business Review Analytic Services, the majority — 85% — said their organizations will be using cloud tools moderately to extensively over the next three years. They cited the cloud’s ability to increase business speed and agility, lower costs, and enable new means of growth, innovation, and collaboration as the drivers for this fairly aggressive rate of adoption. A small group of early adopters (only 7% of respondents have been using cloud computing for more than five years) said cloud technology has already provided them with real business value and advantage, including faster time to market and speed to effectiveness, lower cost of operations, and the ability to acquire and integrate new operations more quickly and easily. These benefits are becoming more widely recognized; more than half of respondents (57%) believe that cloud will be a source of competitive advantage for early adopters, and 26% described their company’s posture toward cloud as enthusiastic. But for others, the speed of adoption is slower because executives say they have yet to gain a full understanding of the benefits and risks of cloud computing, and they have concerns about security, business continuity and compliance issues. Fifty-nine percent of respondents said they are using limited or no cloud services today, and 36% described their company’s posture toward cloud as either cautious or resistant.”

Monday, June 11, 2012

Proof Links Flame and Stuxnet

'Proof' Links Flame, Stuxnet Super Cyber Weapons: Researchers. ABC News, by LEE FERRAN and KIRIT RADIA | ABC News – 6 hrs ago. Researchers say they have uncovered "proof" linking the authors of the Flame cyber espionage program to Stuxnet, the most powerful offensive cyber weapon ever developed -- both of which are believed to have targeted Iran. Analysts at the Russia-based cyber security firm Kaspersky Labs, which was the first to uncover Flame and had previously analyzed Stuxnet, wrote in a blog post today that they had found the "missing link" between Flame and Stuxnet: a specific piece of code that appears to have been used in both programs. Flame, a highly advanced "toolkit" of cyber espionage programs capable of watching virtually everything on an infected computer, was discovered last month on computers in the Middle East and Iran and had apparently been spying on those systems for years. Stuxnet, an offensive cyber weapon designed to physically alter its intended target, was discovered in 2010 after it reportedly infiltrated and managed to damage an Iranian nuclear enrichment facility -- an unprecedented feat. In both cases, cyber security experts that analyzed the programs' code determined that due to similarities in cost, time requirement and apparent target, it was likely they had each been developed under the direction of a nation-state, leading to speculation the U.S. or Israel may be involved. However, the same experts quickly noted that Flame's code architecture was vastly different from Stuxnet's and determined that while both could have come from the same nation-state, they were not likely written together. 
But now Kaspersky Labs says the two cyber tools appear to have been developed in tandem and a section of code directly from Flame was used in an early 2009 version of Stuxnet, meaning that the two development teams overlapped in their work at least for a little while, even if they appear to have gone their separate ways in 2010 when newer versions of the programs appeared. "We believed that the two teams only had access to some common resources, [but] that didn't show any true collaboration," Kaspersky Labs senior researcher Roel Schouwenberg told ABC News. "However, now it turns out that the Stuxnet team initially used Flame to kickstart the project. That proves collaboration and takes the connection between the two teams to a whole new level." After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S., Israeli project to undermine Iran's nuclear program. Five different U.S. government agencies declined to comment to ABC News about allegations they were involved in Flame and the Israeli government has reportedly denied any link to the virus. News of the new connection between the two programs came just days after a U.S.-based cyber security firm, Symantec, reported Flame appears to have been given a "suicide" command that would wipe any trace of it from an infected computer.

Major Flaw in MySQL and MariaDB

Major Flaw in MySQL and MariaDB that bypasses authentication, the guy who discovered it, and extras. June 11, 2012. It’s all over the news and tweets now in the #Infosec world! A major security flaw in MySQL and MariaDB has been found by Sergei Golubchik (date: Sat, 9 Jun 2012 17:30:38 +0200). In the oss-sec mailing list, he said that: All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not. This issue got assigned an id CVE-2012-2122. Here’s the issue. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent. Any client will do, there’s no need for a special libmysqlclient library. /* More info on seclists.org */ Thus, if an attacker knows a valid username (for example “root”), he can connect to the MySQL server with any password simply by repeating connection attempts. The good news is that the bug only applies to versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22, and in practice only to builds whose memcmp() can return values outside the range of a signed char, which is why some distributions’ packages were affected and others were not. Versions 5.1.62, 5.2.12, 5.3.6 and 5.5.23 of MariaDB and versions 5.1.63, 5.5.24 and 5.6.6 of MySQL are not vulnerable to his discovery. But who is Sergei Golubchik? 
Sergei Golubchik: well, for those of you who don’t know Sergei Golubchik, today is your lucky day (if you are reading this)! He is the MariaDB Security Coordinator, primary architect of the MySQL/MariaDB plugin API and the author of the “MySQL 5.1 Plugin Development” book. He has been modifying MySQL source code since 1998 and has continued doing so as a MySQL AB employee since 2000. Cool !!!! The Infosec world is proud of you, Sir Sergei Golubchik. Two days later, HD Moore of Metasploit posted a report on the Rapid7 blog (Jun 11, 2012 12:51:25 AM) about a one-liner in bash that will provide access to an affected MySQL server as the root user account, without actually knowing the password: $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done (the loop stops at the mysql> prompt of the first accepted connection). He also reported which Linux distributions were affected, based on the reports of other users and researchers. Then Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. The Metasploit module for the said exploit is auxiliary/scanner/mysql/mysql_authbypass_hashdump. So what are you waiting for? Check your MySQL server version and run mysql_authbypass_hashdump against it. If it is vulnerable, update it! Check the references below for more information about this serious bug. :) Also, Joshua Drake provided a sample application, which he called the CVE-2012-2122 checker, to determine if your system is vulnerable or affected. 
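The narrowing bug behind the "1/256" figure in Golubchik's post and in the Dark Reading piece above, shown in miniature. This is an added example, not code from MySQL, MariaDB, the oss-sec post or the Metasploit module: `my_bool` and the 20-byte token length follow the server's types, but `wide_memcmp` is a constructed stand-in for an optimized libc memcmp, and the 255-of-255 acceptance rate it produces is a property of that stand-in. In the real server the compared token depends on the random scramble, so per connection a wrong password had roughly a 1 in 256 chance of yielding a memcmp result with a zero low byte, which is what the looped one-liner exploits.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef char my_bool;   /* MySQL's one-byte boolean type; the name follows the server source */
#define TOKEN_LEN 20    /* length of the SHA-1 based auth token that client and server compare */

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Stand-in for an optimized libc memcmp (constructed for this example). It
 * compares four bytes at a time and returns the full difference of the first
 * mismatching little-endian words. The C standard only promises the sign of
 * memcmp's result; optimized implementations really do return magnitudes far
 * outside -128..127, which is why only some builds of the server were exploitable.
 */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = load_le32(a + i), wb = load_le32(b + i);
        if (wa != wb) {
            int64_t d = (int64_t)wa - (int64_t)wb;
            return d > INT_MAX ? INT_MAX : d < INT_MIN ? INT_MIN : (int)d;
        }
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/*
 * Vulnerable shape of the check (CVE-2012-2122): memcmp's int result is handed
 * back through a one-byte my_bool. Any result whose low byte is zero (256, 512,
 * -24832, ...) is narrowed to 0, which the caller reads as "token matches".
 * Returns 0 on match and nonzero on mismatch, like the original.
 */
my_bool check_scramble_vulnerable(const unsigned char *got, const unsigned char *expected)
{
    return wide_memcmp(got, expected, TOKEN_LEN);   /* silent int -> char narrowing */
}

/* Fixed shape: collapse the comparison to 0 or 1 before it is narrowed. */
my_bool check_scramble_fixed(const unsigned char *got, const unsigned char *expected)
{
    return wide_memcmp(got, expected, TOKEN_LEN) != 0;
}

typedef my_bool (*scramble_check)(const unsigned char *, const unsigned char *);

/*
 * Take a fixed (constructed) expected token, substitute every wrong value for
 * the byte at `pos`, and count how many of the 255 wrong tokens the checker
 * accepts. A correct checker accepts none of them.
 */
int accepted_wrong_tokens(scramble_check check, int pos)
{
    unsigned char expected[TOKEN_LEN], got[TOKEN_LEN];
    int v, accepted = 0;

    for (v = 0; v < TOKEN_LEN; v++)
        expected[v] = (unsigned char)(0x5a + 7 * v);    /* arbitrary constructed token */

    for (v = 0; v < 256; v++) {
        if (v == expected[pos])
            continue;                                   /* that one is the right token */
        memcpy(got, expected, TOKEN_LEN);
        got[pos] = (unsigned char)v;
        if (check(got, expected) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Differences at byte 0 stay below 256 in magnitude and survive the narrowing;
     * differences at byte 1 are multiples of 256 and all collapse to "match". */
    printf("vulnerable: accepts %d/255 wrong tokens differing at byte 0\n",
           accepted_wrong_tokens(check_scramble_vulnerable, 0));
    printf("vulnerable: accepts %d/255 wrong tokens differing at byte 1\n",
           accepted_wrong_tokens(check_scramble_vulnerable, 1));
    printf("fixed:      accepts %d/255 wrong tokens differing at byte 1\n",
           accepted_wrong_tokens(check_scramble_fixed, 1));
    return 0;
}
```

Compile it with any C compiler and run it. The fix shipped in the patched releases has the same shape as `check_scramble_fixed`: normalize the comparison to a boolean before it reaches a one-byte return type, so that the result no longer depends on which memcmp the build happened to link. Building with `-Wconversion` would have flagged the implicit int-to-char narrowing in the vulnerable version.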
References:
http://seclists.org/oss-sec/2012/q2/493
http://en.oreilly.com/mysql2011/public/schedule/speaker/639
http://www.net-security.org/secworld.php?id=13076
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

Jay Turla is a Filipino security researcher, programming student, infosec enthusiast, open source advocate, and the blog manager of PenTest Laboratory. He is interested in Linux, OpenVMS, penetration testing and vulnerability assessment. He is one of the core team members of The ProjectX Blog and one of the bloggers and goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.

Backtrack 5r2-PTE1

Checking out BackTrack Linux 5r2-PenTesting Edition Lab! Posted by Shipcode at 10.6.12. What's a BackTrack Linux 5r2-PenTesting Edition Lab? What's with the "edition" thing? Isn't BackTrack 5 a pentesting distro already? Why make a pentesting edition? Maybe these are some of the questions you have in mind after reading the title, so I would like to give a few points about this edition. BackTrack Linux 5r2-PenTesting Edition Lab is still the same BackTrack 5 r2, with the same pentesting tools pre-installed and KDE as its desktop environment (on backtrack-linux.org you can choose between GNOME and KDE). The only difference is that it includes all of the hosts, network infrastructure, tools, and targets necessary to practice penetration testing for the CPLT (Certified PenTest Laboratory) course, which is brought to you by PenTest Laboratory and the people behind PenTest Magazine. This edition is a modified version of NETinVM, which provides predefined User-mode Linux (UML) based penetration testing targets. When started, it builds an entire network of machines inside the VMware virtual machine, and the BackTrack Linux distribution provides the tools needed to complete the lab scenarios. It is an all-in-one penetration testing lab environment pre-configured with:
- A master (base) host running BackTrack Linux 5r2
- A DMZ network with two hosts (targets)
- An "internal" network with one host (target)
- A pre-configured firewall
This pentesting lab is available for free to non-CPLT course students and can be downloaded here. Here are some of the targets you can attack or play with:
- 10.5.0.1
- 10.5.0.254
- 10.5.1.10
- 10.5.1.254
About the Contributor: Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security. 
He encourages other like-minded individuals to come forward and share their knowledge through blogging right here in the ROOTCON Blog section.

Thursday, June 7, 2012

SANS may be pricing themselves out of the market.

SANS provides IT security education at a ridiculously high price. They may just be pricing themselves out of the market. There are more and more very good quality sources at reasonable prices coming online, and I expect many more to start up. One I have discovered recently is Mile2. The video training is the best I have ever seen and the instruction is excellent. Prices are very reasonable. www.mile2.com In February 2002, Mile2 was established in response to the critical need for an international team of IT security training experts to mitigate threats against national and corporate security far beyond USA borders in the aftermath of 9/11.

Wednesday, June 6, 2012

HR is broken

In an essay in this newspaper last fall, Peter Cappelli, a professor of management and human resources at the University of Pennsylvania's Wharton School, challenged the oft-heard complaint from employers that they can't find good workers with the right skills. "The real culprits are the employers themselves," he asserted. "It is part of a long-term trend," he adds in an interview, "and the recession caused employers to be able to be pickier, to get even more specific in the skills they think they can find outside the company and to cut back on training." Not surprisingly, his essay drew a lot of response. What did surprise Mr. Cappelli—as he describes in a book, "Why Good People Can't Get Jobs," to be published in June—was the frequency of complaints about the hiring process itself, particularly the now-ubiquitous use of software to screen applicants. A Philadelphia-area human-resources executive told Mr. Cappelli that he applied anonymously for a job in his own company as an experiment. He didn't make it through the screening process. Therein lies a problem. The job market is more than a professional concern for Mr. Cappelli. His son, now 25 years old, graduated in 2010 with a degree in classics from St. John's College and couldn't find a job. Told that health care was hiring, he enrolled at New Orleans's Delgado Community College and got a certificate in phlebotomy, learning how to draw patients' blood. However, he discovered that work experience was essential to land a job. Also, many potential employers were consolidating two medical-related occupations into one, so a phlebotomy certificate alone wasn't enough. He is still looking. For the entire U.S. economy, a lot rides on correctly diagnosing today's job market. If the chief problem is one of too many workers and not enough jobs, then today's unemployment is treatable and there's a case for more fiscal and monetary policy to stimulate demand, or at least for deferring fiscal austerity. 
But if the problem is chiefly a mismatch between skills employers need and those the jobless have, then more fiscal and monetary medicine won't do much good. That kind of unemployment is treatable only in the long run—with better education and training. Mr. Cappelli leans toward the first view but argues that there's more to this. "For every story about an employer who can't find qualified applicants, there's a counterbalancing tale about an employer with ridiculous hiring requirements," he says. In many companies, software has replaced recruiters, he writes, so "applicants rarely talk to anyone, even by email, during the hiring process." As in other parts of the economy, software has its benefits. It makes applying for a job easier. One doesn't have to trudge down to the HR office to fill out forms. It has broadened the pool of applicants from which employers can choose. It saves money. But at a time of widespread unemployment, the volume of applications is swamping HR departments, many of which have been downsized to cut costs. That has led employers to further automate hiring—and to become incredibly specific about experience and skills they seek. Screening software weeds out anyone whose application lacks particular key words. With so much talent looking for work, why not get what you really need? Here's why: Managers pile up so many requirements that they make it nearly impossible to find anyone who fits. Neal Grunstra, president of Mindbank Consulting Group, a temporary-staffing company, calls this "looking for a unicorn." Mr. Cappelli's favorite email came from a company that drew 25,000 applicants for a standard engineering position only to have the HR department say not one was qualified. One job seeker said "he had been told he was perfect for a given position—except for the fact that his previous job title didn't match that of the vacancy," a title unique to the prospective employer. 
As anyone who has applied for a job lately knows, the trick is parroting all the words in the job description but not just copying and pasting the text, which leads the software to discard the application. It's a whole new skill: Clearing the software hurdle is as important as being able to do the job. Much of what is broken in the U.S. job market will take a lot of work and time to fix. The current approach to training needs repair, for instance. But some fixes are easier. Employers could, as Mr. Cappelli puts it, "back off the strict requirement that applicants need to have previously done precisely the tasks needed for the vacant job" and "see if they could do the same with some training or ramp-up time." And employers could insist that vendors redo the software so it isn't so picky and flags for personal consideration—rather than discards—an applicant who doesn't quite fit the specifics but might be able to do the job. Write to David Wessel at capital@wsj.com A version of this article appeared May 31, 2012, on page A2 in the U.S. edition of The Wall Street Journal, with the headline: Software Raises Bar for Hiring.

Tuesday, June 5, 2012

Moral Hazard of Flame

Moral Hazard of Flame & Stuxnet

It is becoming increasingly apparent that the U.S. Government is behind both Flame and Stuxnet. The poor quality of the latter notwithstanding, the complexity and sophistication of the attacks are not in doubt. Deployment and infiltration techniques require human involvement and impressive technical resources (paid for with tax dollars). Consider the scenario in which an 18-year-old in a coffee shop or a "cyber-business man" creates a virus, worm or other form of enhanced malware. He then distributes it to hundreds or thousands of computers for the purpose of causing damage to someone with whom he does not agree, or perhaps to make money. Just as one will text message something that one would never say in person, the attackers feel there is something acceptable about carrying out a form of violence through electronic means. These individuals would be called cyber criminals in most countries. They would be subject to arrest and prosecution using the evidence obtained. As security professionals we are angered, frustrated and concerned about the potential for this to happen to the organizations we are paid to protect. When a government does the same thing to another government, there is a sense that this is acceptable: if our government does this to another government, it is okay, because the government is on our side. Stuxnet targeted Iranian fuel enrichment. It caused physical destruction of the infrastructure. Somehow many people seem to feel it is justified and even commendable. But the bigger picture is not discussed. This behavior creates a strategic cyber security threat to all of us. Once this Pandora's box is open, the U.S. is a target for retaliatory attacks. We may say that it is a bad thing, but only because it is happening to us. Private infrastructure must be a legitimate target because it serves the needs of our government. Furthermore, these attacks may reasonably be considered an act of war. 
A weapon such as Stuxnet or Flame was used to cause physical and technological damage and steal confidential information. If this is an act of war, retaliation may amount to a missile strike against a U.S. target. After all, not everyone will send a text message when they can speak to you in person. More relevant to security professionals around the world, your private infrastructure may be the target of a cyber or even physical attack. Whatever the reason for the attack, it is our responsibility to discourage this behavior. But we cannot discourage this if we condone or fail to reject this behavior from our own government. In a sense, the U.S. Government may become the single biggest threat to the cyber security of private enterprise. Posted by Park Foreman, CISSP, ISSAP, CEH, CHFI, GIAC 27000 at 7:52 PM

Sunday, June 3, 2012

FLAME?

What is all the talk about "Flame"? I cannot understand this. There is so much need for people in the IT security community to understand some basic concepts of IT security. Just as every sport, baseball or football, sometimes needs to go "back to basics", I think this is what IT security needs to do. Why can't people contribute "back to basics" IT security learning rather than spend time writing articles on an "outlier", a rare thing like "Flame"? Why the interest in "Flame"? Are IT security managers so egotistical or paranoid that they think "Flame" is meant for them and their organization? "Flame" is very specific, targeted malware aimed at Iran, much like Stuxnet. It is much ado about nothing. It is time to get back to thinking about the "basics", the boring day-to-day "security in-depth" measures that we get paid to do. 99.9% of IT security people are not going to understand what Flame is about, and 99.9% of businesses will not see any negative effects from Flame. So everyone get back to work, working on what you can control.

Intrusion Deception: The 'Tar Trap' Approach to Web Application Security

Juniper's Mykonos Software goes on the offense with a novel approach against brute-force authentication and directory traversal attacks. By Sean Michael Kerner | June 01, 2012

The deception of one's enemies is a time-tested strategy that dates back to Sun Tzu's The Art of War. Applied to web application security, "intrusion deception" software tricks hackers into thinking they are about to hit the jackpot, when in fact they have been lured into a tar trap whose real purpose is to detect and disable their attack.

Mykonos Software's Web Intrusion Prevention System works by inserting bogus server files, forms, and URLs into web applications. Deployed in front of any website or web application, the software inserts the tar traps at serve time and never touches the application server itself. Normal users never see the traps, because nothing legitimate links to them; they are reached only by tools and people probing beyond the site's visible link graph. The company claims that its technology can detect hackers with absolute certainty and zero false positives during the reconnaissance phase of the attack. That is a vendor claim; the count-based detection described below is only as accurate as its thresholds.

In a new release, the software goes a step further with a series of new protections that make it more difficult and time-consuming for attackers to pursue two common attack vectors: directory traversal and brute-force authentication. The new release is the first since Mykonos was acquired by Juniper in February 2012 for $80 million in cash.

Directory Traversal? Check Out These Bogus Files

In a directory traversal attack, hackers run automated tools against a site, trying to spider it and get a map of all the hidden files and directories that are present. 
The risk with this type of attack is that files that are normally not exposed can be discovered and mined for sensitive information such as passwords and configuration settings. Kyle Adams, Chief Architect of Mykonos, told eSecurity Planet that the risk of directory traversal is not something a Google search would typically uncover. Adams explained that in a directory traversal attack, attackers have a list of common file names that are searched for with a custom tool. These are files that are not linked anywhere else on the site and could include items not intended for public disclosure. (Strictly speaking, what is described here is forced browsing or directory enumeration: guessing unlinked file names from a wordlist. Path traversal in the narrower sense means using "../" sequences in a request to escape the web root, which is a separate attack.)

"What we're doing is identifying people that are probing for random files that don't exist," Adams said. "Once we identify the attacker, then the Mykonos system responds back that the files do exist." Since the attacker's tool is recursive, this sends it on a feedback loop that could last forever: if the attacker is looking for an admin file, they will find a bogus file created by Mykonos that goes nowhere. "Google will only spider resources that are referenced from the site," Adams said. "Google will not say there is a readme file if it's not referenced anywhere, whereas that hacker tool will pick that file up." Legitimate visitors and search engines are unlikely to request a large number of files that don't exist, which limits the risk of blocking real users. The Mykonos system identifies a malicious enumeration attempt based on the number of such attempts, so the threshold is the tuning knob between catching slow scanners and flagging a user who follows a few stale links.

Brute Force? Your Inputs Have Been Changed

The other improvement to the Mykonos system is new brute-force authentication protection. In a brute-force attack, the attacker tries to gain unauthorized access to a system or application by trying myriad passwords until one works. The traditional way security systems have dealt with brute-force attacks is by blocking IP addresses based on the number of bad password entries. 
The Mykonos approach is a bit more devious and is designed to confuse the attacker and waste their time and resources. The Mykonos system looks for failed logins to specific accounts. For example, if someone tries to log in as Joe Smith five times and provides the wrong password, the system will serve up a CAPTCHA. The CAPTCHA is the first step; if the attacker figures out how to get around the CAPTCHA, Mykonos has a further layer of defensive deception. "At a certain point, when we see that a particular user has failed to login a certain number of times, we say that from that point forward, for anyone that tries to login to that particular user, we'll mess up the password," Adams said. So if the attacker attempts to log in to the Joe Smith account with the password Joe123, the Mykonos system will change the input to something else. As a result, when the attacker submits a password it will come back as invalid, even if they submitted the correct one. "So someone that is doing a brute force attack, they will have to test every possible combination of passwords and even if they guess it correctly the response will come back as invalid," Adams said. "That's pretty effective against brute force attacks."

Note that this state is keyed to the targeted account rather than to the attacker's address, so until it is cleared the account's legitimate owner cannot log in either; in effect it is a soft lockout whose "invalid" responses hide the lockout from the attacker. Anyone deploying such a control needs a recovery path for the real user, and should expect that an attacker can trigger it deliberately to deny a victim access to their own account.

WAF Signatures

While the Mykonos system is not technically defined as a Web Application Firewall (WAF), the new release now supports WAF signatures as well. Adams noted that Mykonos now supports the open source ModSecurity (mod_security) WAF ruleset, with which it can also block known web application threats. Moving forward, the Mykonos software is still in the process of being integrated into Juniper's larger portfolio of solutions; Adams noted that they are still working out the API and integration points.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.
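The two mechanisms the article describes, flagging a client that keeps asking for files that do not exist and then feeding it bogus pages, and the per-account escalation from failed logins to a CAPTCHA to password mangling, share the same idea of a counter that flips a response from honest to deceptive. The following is an added example written for this page to show both in working code; it is not Mykonos or Juniper software. The access-log format and its sample lines, the thresholds PROBE_THRESHOLD, CAPTCHA_AFTER and MANGLE_AFTER, the captcha_ok flag standing in for a solved CAPTCHA, and the reset() recovery hook are all assumptions of the example.

```python
"""Intrusion-deception demo: flag clients probing for files that do not exist,
feed them bogus pages, and escalate per-account login failures from CAPTCHA to
password mangling.

Added example written for this page, not Mykonos/Juniper code. The log format,
sample requests, thresholds and the CAPTCHA hook are assumptions."""
import hashlib
import hmac
import os
import re
from collections import defaultdict

# ---- Part 1: detection of file-name probing, then the tar trap -------------

# Constructed sample access log (common log format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jun/2012:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 2210
10.0.0.5 - - [01/Jun/2012:10:00:04 +0000] "GET /contact.html HTTP/1.1" 404 320
203.0.113.9 - - [01/Jun/2012:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 320
203.0.113.9 - - [01/Jun/2012:10:01:01 +0000] "GET /backup.zip HTTP/1.1" 404 320
203.0.113.9 - - [01/Jun/2012:10:01:01 +0000] "GET /.git/config HTTP/1.1" 404 320
203.0.113.9 - - [01/Jun/2012:10:01:02 +0000] "GET /config.php.bak HTTP/1.1" 404 320
203.0.113.9 - - [01/Jun/2012:10:01:02 +0000] "GET /readme.txt HTTP/1.1" 404 320
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
PROBE_THRESHOLD = 5  # assumed: distinct missing paths before a client is flagged


def find_probers(log_text, threshold=PROBE_THRESHOLD):
    """Return {ip: sorted missing paths} for clients at or past the threshold."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and int(m.group("status")) == 404:
            missing[m.group("ip")].add(m.group("path"))
    return {ip: sorted(p) for ip, p in missing.items() if len(p) >= threshold}


def tar_trap_response(real_paths, flagged_ips, ip, path):
    """Serve real paths normally. A flagged client asking for a nonexistent path
    gets a bogus 200 whose only link is another nonexistent path, so a recursive
    scanner keeps chasing dead ends. Everyone else gets an honest 404."""
    if path in real_paths:
        return 200, "<real content>"
    if ip in flagged_ips:
        return 200, f'<a href="{path.rstrip("/")}/index.html">index</a>'
    return 404, "Not Found"


# ---- Part 2: per-account escalation against login brute force --------------

CAPTCHA_AFTER = 5   # assumed: failures before a CAPTCHA is demanded
MANGLE_AFTER = 10   # assumed: failures before submitted passwords are mangled


class LoginGuard:
    def __init__(self, users):
        """users: {username: password}; stored as salted PBKDF2 hashes."""
        self.creds = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self.creds[user] = (salt, self._hash(pw, salt))
        self.failures = defaultdict(int)   # keyed by account, not by client
        self.mangle_key = os.urandom(32)

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def state(self, user):
        n = self.failures[user]
        return "mangle" if n >= MANGLE_AFTER else "captcha" if n >= CAPTCHA_AFTER else "open"

    def login(self, user, pw, captcha_ok=False):
        """Return (success, reason); captcha_ok stands in for a solved CAPTCHA."""
        if user not in self.creds:
            return False, "invalid"
        st = self.state(user)
        if st != "open" and not captcha_ok:
            return False, "captcha-required"
        if st == "mangle":
            # Keyed rewrite of the submitted password: replies still say
            # "invalid", but now even the true password cannot match.
            pw = hmac.new(self.mangle_key, f"{user}\0{pw}".encode(), "sha256").hexdigest()
        salt, expected = self.creds[user]
        if hmac.compare_digest(self._hash(pw, salt), expected):
            self.failures[user] = 0
            return True, "ok"
        self.failures[user] += 1
        return False, "invalid"

    def reset(self, user):
        """Out-of-band unlock (password reset, help desk). Mangling locks out
        the account's real owner too, so some recovery path is mandatory."""
        self.failures[user] = 0
```

Running find_probers over the constructed log flags only 203.0.113.9, whose five distinct 404s are the signature of a wordlist scanner; the single stale link from 10.0.0.5 stays below the threshold. In the login part, the counter lives on the account, so once jsmith crosses MANGLE_AFTER the correct password fails for everybody until reset() is called, which is exactly the lockout trade-off discussed above.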