Friday, June 22, 2012

Limits Set on E-mail Monitoring

Administration Memo Seeks to Protect Whistleblowers' E-mails
By Eric Chabrow, June 21, 2012

The Obama administration issued a memorandum cautioning U.S. federal agencies that it could be unlawful to interfere with employees' communications, including e-mails, used to report misconduct in government.

"We strongly urge executive departments and agencies to evaluate their monitoring policies and practices, and take measures to ensure that these policies and practices do not interfere with or chill employees from using appropriate channels to disclose wrongdoing," writes Carolyn Lerner, who heads the Office of Special Counsel, the federal organization charged with protecting government employees from reprisals for whistleblowing. Lerner sent the memorandum, dated June 20, to departmental and agency heads and legal counsels.

The genesis of the memorandum is an Office of Special Counsel investigation into the Food and Drug Administration's monitoring of employees who had informed the special counsel, the inspector general and The New York Times that the FDA had approved medical devices the employees considered unsafe.

According to the National Whistleblowers Center, whose lawyers represented the employees, the FDA used spyware to secretly monitor the whistleblowers' computers and other technology, gaining access to their password-protected Gmail-to-Gmail communications with Congress, the Office of Special Counsel and other oversight authorities.

Stephen Kohn, National Whistleblowers Center executive director, characterizes the administration's memo as a significant first step in protecting the constitutional rights of federal-employee whistleblowers. "This is the first time limits have been placed on the federal government's ability to monitor employee e-mails," Kohn says in a statement. "The targeted monitoring of whistleblowers in all government agencies ... has created a tremendous chilling effect on the willingness of federal employees to speak up about what they witness."

Federal law prohibits agencies from taking actions against employees who inform the special counsel or inspector general of suspected wrongdoing in government. Lerner, in the memo, says agency monitoring designed specifically to target protected disclosures to the special counsel and IG is "highly problematic." "Such targeting undermines the ability of employees to make confidential disclosures," Lerner says, adding that this type of monitoring could be perceived as retaliation.

The administration's memo strongly recommends that agencies review existing monitoring policies and practices to ensure that they are consistent with the law and with Congress's intent to provide a secure channel for protected disclosures.

CISCO ASA vuln warning

MS-ISAC ADVISORY NUMBER: 2012-045
DATE(S) ISSUED: 06/21/2012
SUBJECT: Denial of Service Vulnerability in Cisco ASA Products

OVERVIEW: A denial of service vulnerability has been discovered in Cisco Adaptive Security Appliance (ASA) 5500 series appliances and in the ASA Services Module for Catalyst 6500 series switches (ASASM). Cisco ASA products provide firewall, intrusion prevention, remote access, and other services. Successful exploitation could result in a denial of service condition or a reload of the affected device.

SYSTEMS AFFECTED:
Cisco ASA 5500 Series Appliances running software versions prior to 8.4(4.1), 8.5(1.11), and 8.6(1.3)
Cisco Catalyst 6500 Series ASA Services Modules running software versions prior to 8.4(4.1), 8.5(1.11), and 8.6(1.3)

RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: Low

DESCRIPTION: Cisco ASA 5500 series appliances and Cisco Catalyst 6500 Series ASA Services Modules (ASASM) are prone to a remote denial of service vulnerability due to improper handling of IPv6 traffic. The issue is reachable only when three conditions hold at once: the device is running in transparent firewall mode, IPv6 is enabled, and system logging is configured to emit message ID 110003 (which requires a logging severity level of 6, informational, or higher). None of these settings is enabled by default. To exploit the vulnerability, an attacker sends the device a specially crafted IPv6 packet that causes log message ID 110003 to be generated; when the packet is processed and the log message is created, the device enters a denial of service condition or may reload. Information related to log message ID 110003 can be found at hxxp://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354.

RECOMMENDATIONS: We recommend the following actions be taken:
Apply the appropriate fixed software release provided by Cisco after appropriate testing. To view a complete list of fixed releases, please see hxxp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6
As an interim workaround, consider disabling log message ID 110003 by issuing the "no logging message 110003" command. Note that this suppresses that message entirely, so events it would otherwise report are no longer logged; treat it as a mitigation until the fixed release is installed. Instructions for this workaround are in the same Cisco advisory.

REFERENCES:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6#@ID
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354
Security Focus:
http://www.securityfocus.com/bid/54106
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3058

Internet Explorer vuln advisory

The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is intended for State government entities. The information may or may not be applicable to the general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER: 2012-044
DATE(S) ISSUED: 06/12/2012
SUBJECT: Cumulative Security Update for Internet Explorer (MS12-037)

OVERVIEW: Multiple vulnerabilities have been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:
• Internet Explorer 6
• Internet Explorer 7
• Internet Explorer 8
• Internet Explorer 9

RISK:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: High

DESCRIPTION: Thirteen vulnerabilities have been discovered in Microsoft Internet Explorer. Details of these vulnerabilities are as follows:

Remote Code Execution Vulnerabilities: Nine remote code execution vulnerabilities have been discovered in Internet Explorer. These are memory corruption vulnerabilities that occur due to the way Internet Explorer accesses objects in memory that have already been deleted. They may be exploited if a user visits a web page specifically crafted to take advantage of them. Successful exploitation of any of these vulnerabilities could result in an attacker taking complete control of the system.

Information Disclosure Vulnerabilities: Four information disclosure vulnerabilities have been discovered in Internet Explorer. These could be exploited if an attacker convinces a user to visit a specially crafted website, allowing the attacker to access information in other domains or Internet Explorer zones.

RECOMMENDATIONS: We recommend the following actions be taken:
• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
Security Focus:
http://www.securityfocus.com/bid/53866
http://www.securityfocus.com/bid/53867
http://www.securityfocus.com/bid/53868
http://www.securityfocus.com/bid/53869
http://www.securityfocus.com/bid/53870
http://www.securityfocus.com/bid/53871
http://www.securityfocus.com/bid/53841
http://www.securityfocus.com/bid/53842
http://www.securityfocus.com/bid/53843
http://www.securityfocus.com/bid/53844
http://www.securityfocus.com/bid/53845
http://www.securityfocus.com/bid/53847
http://www.securityfocus.com/bid/53848
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1882

Thomas D. Smith, Director

Thursday, June 14, 2012

MySQL Vulnerability

Dark Reading: Expect A Surge In Breaches Following MySQL Vulnerability
Vulnerability is so easily attacked and so prevalent that we're bound for a bump in database exposures
By Ericka Chickowski, Contributing Writer, Dark Reading, Jun 13, 2012 | 10:10 PM
URL - http://www.1stsecureit.com/news_detail.php?NewsArticleID=80

An unusual password vulnerability that makes hundreds of thousands of MySQL and MariaDB databases vulnerable to simple brute-force attacks is likely to soon start a ripple effect of increased data breach activity online, security experts predict. According to researchers, databases within hosting service provider and cloud infrastructures are the likeliest targets, but all administrators are advised to keep on the lookout for patches from their open source distribution and adhere to basic best practices to mitigate risk in the interim.

Initially, the vulnerability was discovered over the weekend by a developer in the MariaDB community, who reported it as a quirky but trivial bug. Subsequently, though, research into the vulnerability was crowd-sourced to the security community at large via social media, which found the problem to be a lot bigger than initially thought.

"This was one of the cases where it looked like a minor bug, but the folks didn't do enough coordination and they ended up leaving everyone out there kind of hanging in the wind," says HD Moore, chief security officer at Rapid7 and creator of Metasploit. "From their perspective, it didn't affect their shipping build, but it's all the other vendors who compile packages slightly differently who may be affected more than they realized."

The vulnerability itself is in the way MySQL accepts passwords: the bug makes it such that there is a one in 256 chance that a wrong password will still grant the user access to an account. So a loop of repeated login attempts will, in short order, grant an attacker access. It was a bug so unusual that Moore says some MySQL developers ran into it, couldn't reproduce it, and eventually chalked it up as a fluke.

"I've never really seen a vulnerability like this where the thing just randomly doesn't verify your password and lets you in. I hadn't seen a vulnerability like that before," says Josh Shaul, CTO of Application Security, Inc.

According to Moore, who was already doing research across a number of IP spaces on the Internet, existing data feeds let him find about 1.74 million MySQL databases facing the Internet at the moment, half of which employed no kind of host-based access control to mitigate the risk of an attack. That tallies to approximately 870,000 databases online and exposed to an attack that needs very little technical expertise to carry out. With such a large number of exposed systems and such an easy path to attack them, the community should expect a surge in breaches, he warns.

"We're going to see a lot of exposure to this," Moore says. "I wouldn't be surprised if we see a whole lot of data breaches coming out because it is so easy to exploit. You don't have to be a hacker to do it, you can just type in one line and you're guaranteed to get into a vulnerable server."

In fact, some security pundits have already thrown out wild theories that maybe the surge has already started. "Crazy theory: Could this be related to the LinkedIn, last.fm, eHarmony and other recent breaches? Did any of them have MySQL exposed? Even worse, was this really a bug or a very clever backdoor?" wrote security blogger David Dede in the Sucuri Research Blog earlier this week.

However, Shaul thinks that's not likely at all. "I think it's unlikely because I'd be shocked to see eHarmony and LinkedIn exposing their database to the public Internet so that people could exploit it from login," he says. "I think you're much more likely looking at significantly less sophisticated IT shops that are vulnerable to this."

Nevertheless, this vulnerability still has the potential to affect databases hooked up to everything from ecommerce systems to online forums, Rapid7's Moore says. He says that even before patches are available, organizations can protect themselves with best practices.

"The good thing is that it is best practice not to expose the database to the network in the first place. We do see a lot of them out there, but those are folks who are doing something wrong to start with," he says. "And folks who don't have host access control, that's another strike against them saying 'You aren't doing the even minimum level of security.'"

However, there are cases where host access control isn't possible, which is why he believes hosting service providers and cloud providers are squarely in the crosshairs for this. "There are cases where service providers have got a huge arm of shared servers and they may expose a MySQL server to some customers or their IP ... such that they can't just firewall it off," he says. "Also, you see that with a lot of cloud providers, where they give you a dynamic IP address every time your server comes up so you can't use host access control a lot of times."

This latest MySQL exposure is the second big security black eye for the database software in the past year. In September 2011, the MySQL.com website was breached and redirected visitors to a website serving malware controlled by the BlackHole crimeware kit. The site had been hit by a SQL injection attack in that instance.

Wednesday, June 13, 2012

The Cloud

“In a new global survey of nearly 1,500 business and technology leaders conducted by Harvard Business Review Analytic Services, the majority — 85% — said their organizations will be using cloud tools moderately to extensively over the next three years. They cited the cloud’s ability to increase business speed and agility, lower costs, and enable new means of growth, innovation, and collaboration as the drivers for this fairly aggressive rate of adoption. A small group of early adopters (only 7% of respondents have been using cloud computing for more than five years) said cloud technology has already provided them with real business value and advantage, including faster time to market and speed to effectiveness, lower cost of operations, and the ability to acquire and integrate new operations more quickly and easily. These benefits are becoming more widely recognized; more than half of respondents (57%) believe that cloud will be a source of competitive advantage for early adopters, and 26% described their company’s posture toward cloud as enthusiastic. But for others, the speed of adoption is slower because executives say they have yet to gain a full understanding of the benefits and risks of cloud computing, and they have concerns about security, business continuity and compliance issues. Fifty-nine percent of respondents said they are using limited or no cloud services today, and 36% described their company’s posture toward cloud as either cautious or resistant.”

Monday, June 11, 2012

Proof Links Flame and Stuxnet

'Proof' Links Flame, Stuxnet Super Cyber Weapons: Researchers
By Lee Ferran and Kirit Radia, ABC News

Researchers say they have uncovered "proof" linking the authors of the Flame cyber espionage program to Stuxnet, the most powerful offensive cyber weapon ever developed, both of which are believed to have targeted Iran.

Analysts at the Russia-based cyber security firm Kaspersky Labs, which was the first to uncover Flame and had previously analyzed Stuxnet, wrote in a blog post today that they had found the "missing link" between Flame and Stuxnet: a specific piece of code that appears to have been used in both programs.

Flame, a highly advanced "toolkit" of cyber espionage programs capable of watching virtually everything on an infected computer, was discovered last month on computers in the Middle East and Iran and had apparently been spying on those systems for years. Stuxnet, an offensive cyber weapon designed to physically alter its intended target, was discovered in 2010 after it reportedly infiltrated and managed to damage an Iranian nuclear enrichment facility, an unprecedented feat.

In both cases, cyber security experts who analyzed the programs' code determined that, given the cost, time requirement and apparent target, each had likely been developed under the direction of a nation-state, leading to speculation that the U.S. or Israel may be involved. However, the same experts quickly noted that Flame's code architecture was vastly different from Stuxnet's and concluded that while both could have come from the same nation-state, they were not likely written together.

But now Kaspersky Labs says the two cyber tools appear to have been developed in tandem, and that a section of code taken directly from Flame was used in an early 2009 version of Stuxnet, meaning the two development teams overlapped in their work at least for a while, even if they appear to have gone their separate ways in 2010 when newer versions of the programs appeared.

"We believed that the two teams only had access to some common resources, [but] that didn't show any true collaboration," Kaspersky Labs senior researcher Roel Schouwenberg told ABC News. "However, now it turns out that the Stuxnet team initially used Flame to kickstart the project. That proves collaboration and takes the connection between the two teams to a whole new level."

After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack, a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S.-Israeli project to undermine Iran's nuclear program. Five different U.S. government agencies declined to comment to ABC News about allegations they were involved in Flame, and the Israeli government has reportedly denied any link to the virus.

News of the new connection between the two programs came just days after a U.S.-based cyber security firm, Symantec, reported that Flame appears to have been given a "suicide" command that would wipe any trace of it from an infected computer.

Major Flaw in MySQL and MariaDB

Major Flaw in MySQL and MariaDB that bypasses the authentication and the guy who discovered it + Extras
June 11, 2012

It's all over the news and tweets now in the #Infosec World! A major security flaw in MySQL and MariaDB has been found by Sergei Golubchik, who reported it to the oss-sec mailing list on Sat, 9 Jun 2012 17:30:38 +0200:

"All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not. This issue got assigned an id CVE-2012-2122.

Here's the issue. When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of a second, so basically account password protection is as good as nonexistent. Any client will do, there's no need for a special libmysqlclient library."

(More info on seclists.org.)

Thus, if an attacker knows a valid username (for example "root"), he can connect to the MySQL server with any password simply by repeating the connection attempt until the comparison fails open. The good news is that only the versions listed above are affected: MariaDB 5.1.62, 5.2.12, 5.3.6 and 5.5.23 and later, and MySQL 5.1.63, 5.5.24 and 5.6.6 and later, are not vulnerable. But who is Sergei Golubchik?
Sergei Golubchik

Well, for those of you who don't know Sergei Golubchik, today is your lucky day (if you are reading this)! He is the MariaDB Security Coordinator, primary architect of the MySQL/MariaDB plugin API and the author of the "MySQL 5.1 Plugin Development" book. He has been modifying MySQL source code since 1998 and continued doing so as a MySQL AB employee from 2000. Cool! The Infosec World is proud of you, Sir Sergei Golubchik.

Two days later, HD Moore of Metasploit posted a report on the Rapid7 community blog (Jun 11, 2012 12:51:25 AM) with a bash one-liner that gives access to an affected MySQL server as the root account without knowing the password:

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

He also listed the Linux distributions found to be affected, based on reports from other users and researchers. Whether a given build is exposed depends on how its memcmp() behaves, which is why the vendors' own shipping builds did not trigger the bug while some distribution packages did. Then Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass to dump the password hashes automatically. The Metasploit module for this is auxiliary/scanner/mysql/mysql_authbypass_hashdump.

So what are you waiting for? Check your MySQL server version and run mysql_authbypass_hashdump against it; if it is vulnerable, update it! Check the references below for more information about this serious bug. Joshua Drake also provided a sample application, which he called the CVE-2012-2122 checker, to determine whether your system is affected.
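The casting bug behind CVE-2012-2122, as an added C example; this is not MySQL, MariaDB or Rapid7 code. It models the pre-fix shape of check_scramble(): the int returned by memcmp() was returned through my_bool, a plain char, so any comparison result that happened to be a multiple of 256 was truncated to 0 and read as "password correct". Whether a real server hit this depended on its memcmp(): the C standard only guarantees the sign of the result, and some optimized builds return differences wider than one byte, which is why the vendors' stock builds were unaffected while some distribution packages were. The wide_memcmp() below is a hypothetical simulation of such an implementation, the two hashes are constructed inputs, and the function names are the example's own. The count at the end reproduces the 1/256 figure quoted both in Golubchik's mail and in the Dark Reading article above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MySQL/MariaDB declare my_bool as a plain char. The pre-fix check_scramble()
 * returned the int result of memcmp() through this type, keeping only the
 * low 8 bits. */
typedef char my_bool;
#define SHA1_HASH_SIZE 20

/* Hypothetical stand-in for an optimized libc memcmp (not glibc or MySQL
 * code). Only the sign of a memcmp() result is guaranteed, and some
 * vectorized implementations return differences wider than one byte. This
 * one reports the difference of the first mismatching 16-bit window, so a
 * mismatch can yield e.g. -256: non-zero, but with no low bits set. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            int wa = (a[i] << 8) | (i + 1 < n ? a[i + 1] : 0);
            int wb = (b[i] << 8) | (i + 1 < n ? b[i + 1] : 0);
            return wa - wb;
        }
    }
    return 0;
}

/* Shape of the vulnerable check: 0 means "password accepted". The original
 * narrowed int to char implicitly; the cast here only makes that visible. */
static my_bool check_scramble_vulnerable(const uint8_t *expected,
                                         const uint8_t *computed)
{
    return (my_bool)wide_memcmp(expected, computed, SHA1_HASH_SIZE);
}

/* Shape of the fix: collapse the comparison to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *expected,
                                    const uint8_t *computed)
{
    return wide_memcmp(expected, computed, SHA1_HASH_SIZE) != 0;
}

/* Count the memcmp() results in [lo, hi) that become 0 after truncation to
 * my_bool: every multiple of 256, i.e. one value in 256. */
int count_truncated_to_zero(int lo, int hi)
{
    int n = 0;
    for (int r = lo; r < hi; r++)
        if ((my_bool)r == 0)
            n++;
    return n;
}

/* Constructed hashes: the stored hash and the hash derived from a wrong
 * password differ only in the first byte, so wide_memcmp() returns -256. */
static const uint8_t STORED_HASH[SHA1_HASH_SIZE]   = { 0x01 };
static const uint8_t WRONG_PW_HASH[SHA1_HASH_SIZE] = { 0x02 };

/* 1 if the vulnerable check lets the wrong password through. */
int demo_vulnerable_accepts_wrong_hash(void)
{
    return check_scramble_vulnerable(STORED_HASH, WRONG_PW_HASH) == 0;
}

/* 1 if the fixed check rejects the wrong hash and still accepts the right one. */
int demo_fixed_behaves(void)
{
    return check_scramble_fixed(STORED_HASH, WRONG_PW_HASH) != 0 &&
           check_scramble_fixed(STORED_HASH, STORED_HASH) == 0;
}

int main(void)
{
    printf("raw memcmp result for wrong password: %d\n",
           wide_memcmp(STORED_HASH, WRONG_PW_HASH, SHA1_HASH_SIZE));
    printf("vulnerable check accepts wrong password: %d\n",
           demo_vulnerable_accepts_wrong_hash());
    printf("fixed check behaves correctly: %d\n", demo_fixed_behaves());
    printf("results in [-32768,32768) that truncate to 0: %d of 65536\n",
           count_truncated_to_zero(-32768, 32768));
    return 0;
}
```

Build and run with cc -o cve2122 cve2122.c && ./cve2122. The scramble in the real protocol is random per connection, so the comparison result is effectively random on each attempt; if the platform's memcmp() spreads its results over a wide range, about one attempt in 256 truncates to 0, which is what the repeated-login one-liner above exploits.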
References:
http://seclists.org/oss-sec/2012/q2/493
http://en.oreilly.com/mysql2011/public/schedule/speaker/639
http://www.net-security.org/secworld.php?id=13076
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

Jay Turla is a Filipino security researcher, programming student, infosec enthusiast, open source advocate, and the blog manager of PenTest Laboratory. He is interested in Linux, OpenVMS, penetration testing and vulnerability assessment. He is one of the core team members of The ProjectX Blog and one of the bloggers and goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.