Archive for August, 2011

« Older Entries

National Cyber Alert System Cyber Security Bulletin SB11-241

Wednesday, August 31st, 2011

Excerpt from US-CERT.gov:  Vulnerability Summary for the Week of August 22, 2011

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
Primary
Vendor — Product		 Description Published CVSS Score Source & Patch Info
aimluck — aipo SQL injection vulnerability in Aimluck Aipo before 5.1.1, and Aipo for ASP before 5.1.1, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 2011-08-19 7.5 CVE-2011-1342
emc — autostart Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4.1 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by sending a crafted message over TCP. 2011-08-23 7.9 CVE-2011-2735
freetype — freetype The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. 2011-08-19 9.3 CVE-2011-2895
marcus_schafer — kiwi Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows attackers to have an unknown impact via a crafted directory pathname that is inserted into config.sh. 2011-08-23 9.3 CVE-2011-2225
marcus_schafer — kiwi Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename for a custom RPM. 2011-08-23 7.5 CVE-2011-2645
marcus_schafer — kiwi Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename in the list of testdrive modified files. 2011-08-23 7.5 CVE-2011-2646
marcus_schafer — kiwi Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted archive name in the list of testdrive modified files. 2011-08-23 7.5 CVE-2011-2647
marcus_schafer — kiwi Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a filter in a modified file. 2011-08-23 7.5 CVE-2011-2648
marcus_schafer — kiwi Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows attackers to execute arbitrary commands via shell metacharacters in an unspecified FileUtils function call. 2011-08-23 7.5 CVE-2011-2649
marcus_schafer — kiwi Unspecified vulnerability in the file browser in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename. 2011-08-23 7.5 CVE-2011-2651
php — php Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483. 2011-08-25 10.0 CVE-2011-3268
snitz — snitz_forums_2000 SQL injection vulnerability in members.asp in Snitz Forums 2000 3.4.07 allows remote attackers to execute arbitrary SQL commands via the M_NAME parameter. NOTE: some of these details are obtained from third party information. 2011-08-24 7.5 CVE-2010-4826
stunnel — stunnel stunnel 4.40 and 4.41 might allow remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. 2011-08-25 9.3 CVE-2011-2940
symantec — netbackup_puredisk Multiple integer overflows in vxsvc.exe in the Veritas Enterprise Administrator service in Symantec Veritas Storage Foundation 5.1 and earlier, Veritas Storage Foundation Cluster File System (SFCFS) 5.1 and earlier, Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC) 5.1 and earlier, Veritas Dynamic Multi-Pathing (DMP) 5.1, and NetBackup PureDisk 6.5.x through 6.6.1.x allow remote attackers to execute arbitrary code via (1) a crafted Unicode string, related to the vxveautil.value_binary_unpack function; (2) a crafted ASCII string, related to the vxveautil.value_binary_unpack function; or (3) a crafted value, related to the vxveautil.kv_binary_unpack function, leading to a buffer overflow. 2011-08-19 10.0 CVE-2011-0547
t-dreams — cars_ads_package SQL injection vulnerability in processview.asp in Techno Dreams (T-Dreams) Cars Ads Package 2.0 allows remote attackers to execute arbitrary SQL commands via the key parameter. 2011-08-24 7.5 CVE-2010-4829
t-dreams — job_career_package SQL injection vulnerability in Resumes/TD_RESUME_Indlist.asp in Techno Dreams (T-Dreams) Job Career Package 3.0 allows remote attackers to execute arbitrary SQL commands via the z_Residency parameter. 2011-08-24 7.5 CVE-2010-4830
Back to top

Medium Vulnerabilities
Primary
Vendor — Product		 Description Published CVSS Score Source & Patch Info
aimluck — aipo Cross-site request forgery (CSRF) vulnerability in Aimluck Aipo before 4.0.4.0, and Aipo for ASP before 4.0.4.0, allows remote attackers to hijack the authentication of administrators for requests that modify data. 2011-08-19 6.8 CVE-2011-1341
apple — cups The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. 2011-08-19 5.1 CVE-2011-2896
apple — cups The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. 2011-08-19 5.1 CVE-2011-3170
hp — openview_performance_insight Cross-site scripting (XSS) vulnerability in HP OpenView Performance Insight 5.3, 5.31, 5.4, 5.41, 5.41.001, and 5.41.002 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2011-08-19 4.3 CVE-2011-2410
marcus_schafer — kiwi Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a pattern listing. 2011-08-23 4.3 CVE-2011-2226
marcus_schafer — kiwi Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to an RPM info display. 2011-08-23 4.3 CVE-2011-2644
marcus_schafer — kiwi Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via a crafted pattern name that is included in an RPM info display. 2011-08-23 4.3 CVE-2011-2650
marcus_schafer — kiwi Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via a crafted archive file list that is used in an overlay file. 2011-08-23 4.3 CVE-2011-2652
php — php The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND. 2011-08-25 5.0 CVE-2011-1657
php — php crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. 2011-08-25 5.0 CVE-2011-2483
php — php PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function. 2011-08-25 5.0 CVE-2011-3182
php — php The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483. 2011-08-25 4.3 CVE-2011-3189
php — php PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors. 2011-08-25 5.0 CVE-2011-3267
pleer — wp-twitter-feed Cross-site scripting (XSS) vulnerability in magpie_debug.php in the Twitter Feed plugin (wp-twitter-feed) 0.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. 2011-08-24 4.3 CVE-2010-4825
rsa — envision RSA enVision 4.x before 4 SP4 P3 places cleartext administrative credentials in Task Escalation e-mail messages, which allows remote attackers to obtain sensitive information by sniffing the network or leveraging access to a recipient mailbox. 2011-08-25 5.0 CVE-2011-2736
rsa — envision RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers to read arbitrary files via unspecified vectors, related to an “arbitrary file retrieval vulnerability.” 2011-08-25 5.0 CVE-2011-2737
snitz — snitz_forums_2000 Cross-site scripting (XSS) vulnerability in members.asp in Snitz Forums 2000 3.4.07 allows remote attackers to inject arbitrary web script or HTML via the M_NAME parameter. NOTE: some of these details are obtained from third party information. 2011-08-24 4.3 CVE-2010-4827
solarwinds — orion_network_performance_monitor Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) 10.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Title parameter to MapView.aspx; NetObject parameter to (2) NodeDetails.aspx and (3) InterfaceDetails.aspx; and the (4) ChartName parameter to CustomChart.aspx. 2011-08-24 4.3 CVE-2010-4828
wireshark — wireshark Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet. 2011-08-23 4.3 CVE-2011-2698
zabbix — zabbix Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter. 2011-08-19 4.3 CVE-2011-2904
zabbix — zabbix zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special device, as demonstrated by the /dev/urandom device. 2011-08-19 5.0 CVE-2011-3263
zabbix — zabbix Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message. 2011-08-19 5.0 CVE-2011-3264
zabbix — zabbix popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter. 2011-08-19 5.0 CVE-2011-3265
Back to top

Low Vulnerabilities
Primary
Vendor — Product		 Description Published CVSS Score Source & Patch Info
citrix — xen tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allows local users to cause a denial of service (management software infinite loop and management domain resource consumption) via unspecified vectors related to “Lack of error checking in the decompression loop.” 2011-08-19 2.1 CVE-2011-3262
wireshark — wireshark The proto_tree_add_item function in Wireshark 1.6.1, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. 2011-08-23 2.6 CVE-2011-3266

Tags:
Posted in Anti-Virus, Apple, Security, Software, Web | No Comments »

Microsoft Overhauls Windows Explorer in Windows 8

Thursday, August 25th, 2011

Hold onto your socks Windows 8 fans, because Microsoft is adding some new enhancements to its file manager application, Windows Explorer, in the next version of its popular operating system. And the first Explorer feature Microsoft wants to show off is (drumroll please): the new copy dialog. Huh?

I know, I know, copying functions may elicit yawns from many of you, but copying, moving, renaming and deleting files are the most oft-used features of Windows Explorer. Microsoft says these four basic functions account for 50 percent of all Explorer usage in Windows 7. That means there’s a lot of file management going on for the average Windows 7 user every day.

So while these changes may not be as exciting as say, a brand new touch-centric overlay, improvements to the way Windows handles copying could improve your overall OS experience, as long as you’re into copying multiple files that is.

This One’s For The Multitaskers

Microsoft’s copying overhaul doesn’t really improve much for people who typically move around one file or folder at a time or are used to handling small text files. But if you find yourself moving around large amounts of data such as photos and videos, then Windows 8 aims to make your copying experience easier.

Microsoft says it had three goals for its new copy dialog: move all copy jobs into one window, simplify the UI and give you more control over any operations in progress. Here’s what you have to look forward to when copying files in Windows 8.

Copy Central

Instead of having multiple windows open for each file, Windows 8 will automatically merge all copy jobs into one central window. The basic view shows you how many items are being copied in each job, their source and destination folders, and a progress bar. There are also pause and cancel buttons if you’d like to speed up one copy job by putting the other on hold or cancel one altogether. The source and destination folders are also clickable so you can open up those folders directly from the copy dialog.

If you want more details about your copy job, click on the “More details” disclosure button at the bottom of the window. Opening this up shows you a new real-time throughput graph, speed of data transfer, time remaining and how much data is left to transfer.

Microsoft also says it has improved its time estimates for how long it takes for a copy job to finish, but didn’t go into detail about what those improvements are. The Windows maker did point out that getting a precise time estimate is nearly impossible. There are just too many variables to account for, according to Microsoft, such as whether you’re anti-virus program will start scanning files on your hard drive halfway through the transfer.

Microsoft also warned that while the new copy dialog offers detailed information it was not designed to be a benchmarking tool.

Filename Collisions

Windows 7 Conflict Resolution Dialog

Windows 8 has a new way to handle alerts when you are about to copy a file with the same name as another file in your destination folder, a problem Microsoft calls a filename collision. This can happen if you maintain a separate folder for editing photos and don’t bother to change the filename. Or, you receive a revised copy of a contract via email and dump it into your contracts folder.

Before Windows 8 lets you overwrite your old file, you’ll be met with three choices that are somewhat similar to Windows 7: replace all the old files in the destination folder, skip copying the new files or choose the files to keep in the destination folder.

Windows 8 Conflict Resolution Dialog

If you choose the latter, a new dialog pops up showing you the files you want to copy in the left column and the files with the same name in the destination folder on the right. The dialog shows the file names, dates that each file was created, and each file’s size. You can also hover over each file to see its location or you can double click on a file to open it. When you’re ready to choose the files you want to keep, just click the check boxes next to the files, press “Continue” and you’re done. If you don’t click a check box next to one of your two colliding files, Windows 8 errs on the side of caution and keeps your old version intact.

New Windows 8 Start Icon?

Beyond the new copying features, online sleuths have been trying to glean other tidbits of information from Microsoft’s new Windows 8 demo. UK-based blog My Microsoft Life believes it saw a new Windows start icon at the beginning of the video below, but it’s hard to say for sure. Keep an eye on the screen behind Microsoft’s Alex Simons and let us know what you think in the comments. Microsoft also has a larger version of the copy dialog video to get a better look at the screen.

Source:  pcworld.com

Tags:
Posted in Microsoft | No Comments »

Yale warns 43,000 about 10-month-long data breach

Tuesday, August 23rd, 2011

FTP server on which data was stored became searchable by Google in September

Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months.

All of the victims were affiliated with Yale in 1999, and are being offered identity theft insurance and free credit monitoring services for two years, the university said in a statement last week.

The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported

The online publication reported that Yale IT Services Director Len Peters said the FTP server holding the compromised information was used mainly for open-source materials.

In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News.

When Yale discovered the breach in June, it immediately took the server offline, deleted the sensitive data and evaluated whether there were any other files containing similar data on the FTP server, Peters said.

In a statement to Computerworld, Yale officials make no mention of how the data was compromised. But the school said it has “secured” the file and Google has confirmed that its search engine no longer stores any information from it.

The statement doesn’t say how Yale discovered the breach, nor whether any of the data available via Google was accessed by anyone. Peters told the campus publication that the file and the directory in which the exposed information was stored had innocuous sounding names that are unlikely to have tipped off others about the contents.

This is the second publicly known breach in the last two months involving the inadvertent exposure of sensitive data on the Web. In June, Southern California Medical-Legal Consultants Inc. (SCMLC) said that the names and Social Security numbers of about 300,000 people who had filed for California workers compensation had been potentially compromised. That breach resulted when an internal server on which the data was stored became exposed to web searches.

SCMLC learned of the breach from security firm Identity Finder. In a statement, Identity Finder said that its security researchers had uncovered 3,875 uncompressed files containing several gigabytes of personal data on an SCMLC server that was exposed to the Web.

“The files were neither encrypted nor password-protected and some were cached by at least one major search engine,” Identity Finder said. The company subsequently worked with Google to clear search engine caches, a spokesman for the company said. As of today, Google caches are clear of sensitive personal information from SCLMC, the spokesman said.

Source:  computerworld.com

Tags:
Posted in Cloud, Database, Google, Network, Security, Server, Web | No Comments »

Security flaw found in Feds’ digital radios

Thursday, August 11th, 2011

Expensive high-tech digital radios used by the FBI, Secret Service, and Homeland Security are designed so poorly that they can be jammed by a $30 children’s toy, CNET has learned.

A GirlTech IMME, Mattel’s pink instant-messaging device with a miniature keyboard that’s marketed to pre-teen girls, can be used to disrupt sensitive radio communications used by every major federal law enforcement agency, a team of security researchers from the University of Pennsylvania is planning to announce tomorrow.

Converting the GirlTech gadget into a jammer may be beyond the ability of a street criminal for now, but that won’t last, says associate professor Matt Blaze, who co-authored the paper that will be presented tomorrow at the Usenix Security symposium in San Francisco. CNET obtained a copy of the paper, which will be made publicly available in the afternoon.

“It’s going to be someone somewhere creating the Project 25 jamming kit and it’ll be something that you download from the Net,” Blaze said. “We’re not there right now, but we’re pretty close.”

Project 25, sometimes abbreviated as P25, is the name of the wireless standard used in the radios, which have been widely adopted across the federal government and many state and local police agencies over the last decade. The plan was to boost interoperability, so different agencies would be able to talk to one another, while providing secure encrypted communications.

The radios aren’t cheap. A handheld Midland P25 Digital sells for $3,295, and scanners are closer to $450.

But federal agents frequently don’t turn encryption on, the researchers found. (Their paper is titled “A Security Analysis of the APCO Project 25 Two-Way Radio System,” and the other authors are Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, and Kevin Xu.)

Here’s an excerpt:

The traffic we monitored routinely disclosed some of the most sensitive law enforcement information that the government holds, including: Names and locations of criminal investigative targets, including those involved in organized crime… Information relayed by Title III wiretap plants…Plans for forthcoming arrests, raids and other confidential operations…

On some days, particularly weekends and holidays, we would capture less than one minute, while on others, we captured several hours. We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security. Most traffic was apparently related to criminal law enforcement, but some of the traffic was clearly related to other sensitive operations, including counter- terrorism investigations and executive protection of high ranking officials…

To intercept the Project 25 radio communications, the researchers used a high-quality receiver that cost about $1,000 and can be purchased off-the-shelf. But, Blaze said, it’s possible to do it on the cheap: “You can do everything you need with equipment you can buy at Radio Shack… hobbyist-grade equipment.”

Motorola XTS5000 handheld, which uses the Project 25 standardBlaze said he has contacted the Justice Department and the Defense Department, which also uses Project 25 digital radios. “They are now aware of the problem and are trying to mitigate against it,” he said.
Representatives of the Association of Public-Safety Communications Officials (APCO), which has championed the Project 25 standard, did not respond to a request for comment this afternoon. Neither did the Telecommunications Industry Association, which maintains the standard.

The University of Pennsylvania researchers did not discover any vulnerabilities in the actual encryption algorithms used in the radios. They also chose not to disclose which agencies were the worst offenders, what cities the monitoring took place in, or what frequencies they found each agency used.

A third vulnerability they found was that each radio contains a unique identifier, akin to a phone number, that is broadcast in unencrypted form. So is the unique ID of the destination radio. That allows an eavesdropper to perform what’s known as traffic analysis, meaning tracking who’s talking to whom.

The reason jamming is relatively easy is that the Project 25 doesn’t use spread spectrum, which puts the would-be jammer at a disadvantage. By contrast, P25 relies on metadata that must be transmitted perfectly for the receiver to make sense of the rest of the communication. A pulse lasting just 1/100th of a second, it turns out, is enough to disrupt the transmission of the metadata.

This isn’t the first time that University of Pennsylvania researchers have taken a critical look at Project 25. Many of the same authors published a security analysis last November, which concluded that it’s “strikingly vulnerable to a range of attacks.”

Source:  CNET

Tags: ,
Posted in Electronics, Hardware, Mobile, Network, Security, Wireless | No Comments »

New IE9 update fixes several security flaws

Thursday, August 11th, 2011

Microsoft has rolled out a new update for Internet Explorer 9 that fixes a host of different security holes.

Launched yesterday on Microsoft’s familiar “Patch Tuesday,” the August 2011 Cumulative Security Update for Internet Explorer is a critical one that resolves issues not just in IE9 but in versions 6, 7, and 8 as well, according to a Microsoft blog. The update is available through Windows Update, so IE users who have Windows automatic updates turned on should have already received it.

The patch takes care of five holes in IE that were disclosed in coordination with Microsoft and two others that were publicly revealed. The most serious of the security flaws could let a hacker run code on a remote PC if the user visits a malicious Web page. Microsoft also advises that people who run accounts without administrative rights are generally better protected against these types of exploits.

Beyond patching the security holes, the 21MB update throws in some non-security fixes. One resolves an issue in which IE took a long time to open an e-mail on Outlook’s Web App. Another addresses a flaw in IE8 in which the browser may have frozen when opening some pages in Windows 7 or Windows Server 2008 R2.

Due to the critical nature of the security flaws, Microsoft is recommending that individual users who don’t have automatic updates turned on install the update manually as soon as possible. IT administrators will also want to roll out the update to their organizations using their own in-house update tools.

Yesterday’s Patch Tuesday was a big one for Microsoft and the third largest of 2011, according to security vendor McAfee. The folks in Redmond rolled out 13 security updates to fix 22 flaws that affected Windows, IE, Microsoft Office, the .Net Framework, and Microsoft Developer Tools.

“Overall this Patch Tuesday is on the large side,” Dave Marcus, director of security research and communications at McAfee Labs, said in a statement. “Although there are only two critical patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player [on Tuesday], leaving IT administrators with a full plate this summer.”

Marcus advises IT admins to place priority on the IE and Windows updates since their related vulnerabilities could “result in remote code execution attacks and can expose users to drive-by download attacks via the browser.”

Source:  CNET

Tags:
Posted in Microsoft, Office 2007, Office 2010, OS, Security, Software | No Comments »

Viruses: Destroying your systems for 25 years

Monday, August 8th, 2011

LAS VEGAS–The hacker conference DefCon kicked off this morning with the rare public sighting of a now-archaic piece of technology: the 5 1/4-inch floppy disk. Mikko Hypponen, the chief technical officer for the Finnish security company F-Secure, waved the disk above his head to start off his history of PC viruses, and said, “This is Brain.”

Hypponen was talking about a guest of honor housed on the disk: the original computer virus. Hypponen found the disk last year in a lockbox in F-Secure’s headquarters in Helsinki, and he dove in, cracked the virus code, and found in it the names and address of the virus’ writers, two brothers from a town near Lahore, Pakistan. And–believe it or not–he went to the address and found the same brothers there, now running an Internet service provider called Brain Communications. (Hypponen details his trip in a short YouTube film.)

One of the important things he learned from them is that they said they had no malicious intent when they created the virus. “There was no real motive,” said Hypponen. It was a proof-of-concept, created just to prove that it could be done. This was to inform computer virus development until the first years of the new century, as viruses grew more malicious and complicated, but were essentially pranks.

Just because they were pranks doesn’t mean they weren’t harmful, though. Hypponen demonstrated a number of early computer viruses from which he had removed the infectors, including one called Disk Destroyer. This particular piece of nastiness would copy the contents of your hard disk into the RAM, then wipe your drive. It then loaded a rudimentary slot machine-style game, and gave you five chances to win. If you won, it would reload your data back onto your hard drive. If you lost, your data was permanently wiped out.

Though viruses continued to get more and more complex, it wasn’t until 2003 that things began to change. First, Microsoft began to take computer viruses seriously, he said, because worm infections were causing serious Internet traffic packet loss and causing real-world damage. Trains in 2003 were stopped around Washington, D.C., because the Windows computers controlling the signals and routing systems had crashed. “This is the basic reason why serious problems like these were finally taken seriously,” Hypponen noted.

The other major change in 2003 was the Fizzer infection. “Fizzer, which nobody here remembers, is one of the most important viruses in history. It was the first virus written with one purpose only: making money.” Fizzer spread e-mail spam in an effort to rake in the dough. Hypponen said that when other virus writers realized they too could earn some bucks from writing malicious code, it was game on.

This began to have even more serious real-world implications, as some virus writers were found to have used their money to buy equipment for fighters in Iraq.

“We also began to see a geographical shift [in] where viruses were written,” he said. “From 1986 to 2003, it was mostly Western countries, the U.S., Western Europe, Japan. From 2003 on, it was Russia, Eastern Europe, Ukraine, China (of course), and South America, especially Brazil.”

However, Hypponen said the problem was not only limited to criminals. He called out the president of Sony BMG, Thomas Hesse, to calls of derision from the audience. Hesse was instrumental in approving a DRM system that surreptitiously installed a rootkit on your computer when you played a CD from that computer. “Sony gets a lot of hate, and they deserve it. Of course, some would claim that if you listen to Celine Dion, you get what you deserve,” Hypponen quipped.

But he especially called out Hesse for saying, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Hypponen retorted, “Most people don’t even know what brain damage is, so why should they care about it, too?”

Hypponen talked about the technical complexity of the 2008 virus Mebroot, a trojan that infects the master boot record of computers and is exceptionally difficult to remove because of it, and ransomware like GPCode, which holds your computer hostage until you wire money to the virus writers. Stuxnet, though, was an embarrassment for the security industry, Hypponen said.

“All this work did not prepare us for what we found next. It was embarrassing. We missed Stuxnet for a freaking year,” he said, shaking his head.

“Today when you get infected by viruses, you will not know,” Hypponen said. “It’s running silently in the background. It won’t slow down your system, and it won’t take up too much of your resources.”

“It has been a pretty wild ride over the past 25 years, from Brain to Stuxnet. Many things have changed, many things haven’t changed. Brain didn’t spread on the Internet, it didn’t exist,” Hypponen said, alluding to the spread by floppy disk. “And Stuxnet spread by USB key.”

Source:  CNET

Tags: ,
Posted in Anti-Virus, Hardware, Microsoft, Network, Security, Web | No Comments »

Malware turns off Windows’ UAC, warns Microsoft

Sunday, August 7th, 2011

Urges users to check that the regularly-belittled prompt is really on

Microsoft this week urged users to keep an oft-criticized Windows security feature turned on, even as it said that more malware is disabling the tool.

User Account Control (UAC) is the feature that debuted in Vista and revised in Windows 7 that prompts users to approve certain actions, including software installation.

UAC was “universally hated” in Vista, and was a major complaint about the unsuccessful operating system, a Gartner security analyst said more than two years ago.

“From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get ‘click fatigue,’” said John Pescatore of Gartner in the months before Windows 7′s launch.

Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

This week, Microsoft’s Malware Protection Center (MMPC) said that malware was increasingly turning off UAC as a way to disguise its presence on infected PCs.

To disable UAC, attack code must either exploit a bug that allows the hacker to gain administrative rights — Microsoft calls those flaws “privilege elevation” vulnerabilities — or trick the user into clicking “OK” on a UAC prompt.

Apparently, neither are difficult.

Some of the most-common threats now in circulation — including the Sality virus family, Alureon rootkits, the Bancos banking Trojan and fake antivirus software — have variants able to switch off UAC, said Joe Faulhaber of the MMPC team in a post to the group’s blog.

One worm, dubbed “Rorpian” by Microsoft, is especially enamored with the anti-UAC tactic: In more than 90% of the cases involving Rorpian on a single day, MMPC observed the worm disabling UAC by exploiting a four-year-old Windows vulnerability.

Nearly one-in-four PCs that reported malware detections to Microsoft had UAC switched off, either because of malware antics, or because the user turned it off.

UAC has not been problem-free on the technical side, either. Months before Windows 7′s debut, a pair of researchers revealed a bug in the feature that hackers could use to piggyback on preapproved Microsoft code to trick Windows 7 into granting malware full access rights.

Although Microsoft initially dismissed their reports, it later changed UAC.

Faulhaber provided a link to instructions for switching UAC on or off on Vista. They can also be used on Windows 7, but the final step is to pull the slider to “Never Notify” to turn off UAC.

Source:  computerworld.com

Tags: , ,
Posted in Anti-Virus, Microsoft, OS, Security, Software, Web | No Comments »

Microsoft Security Bulletin Advance Notification for August 2011

Friday, August 5th, 2011

Microsoft yesterday announced a significant number of patches to secure vulnerabilities in its desktop/server OS, Office suite, and developer software.  Key excerpts from the release can be found below:

Bulletin ID Maximum Severity Rating and Vulnerability Impact Restart Requirement Affected Software
Bulletin 1 Critical
Remote Code Execution		 Requires restart Microsoft Windows,
Internet Explorer
Bulletin 2 Critical
Remote Code Execution		 Requires restart Microsoft Windows
Bulletin 3 Important
Remote Code Execution		 Requires restart Microsoft Windows
Bulletin 4 Important
Remote Code Execution		 May require restart Microsoft Office
Bulletin 5 Important
Elevation of Privilege		 May require restart Microsoft Windows
Bulletin 6 Important
Elevation of Privilege		 Requires restart Microsoft Windows
Bulletin 7 Important
Elevation of Privilege		 Requires restart Microsoft Windows
Bulletin 8 Important
Denial of Service		 Requires restart Microsoft Windows
Bulletin 9 Important
Denial of Service		 Requires restart Microsoft Windows
Bulletin 10 Important
Information Disclosure		 May require restart Microsoft .NET Framework,
Microsoft Developer Tools
Bulletin 11 Important
Information Disclosure		 May require restart Microsoft Developer Tools
Bulletin 13 Moderate
Denial of Service		 Requires restart Microsoft Windows
Bulletin 12 Moderate
Information Disclosure		 May require restart Microsoft .NET Framework

Windows Operating System and Components

Table 1

Windows XP
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical None None None Important Important
Windows XP Service Pack 3 Internet Explorer 6
(Critical)Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)		 Not applicable Not applicable Not applicable Windows XP Service Pack 3
(Important)		 Windows XP Service Pack 3
(Important)
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6
(Critical)Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)		 Not applicable Not applicable Not applicable Windows XP Professional x64 Edition Service Pack 2
(Important)		 Windows XP Professional x64 Edition Service Pack 2
(Important)
Windows Server 2003
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical Important None None Important Important
Windows Server 2003 Service Pack 2 Internet Explorer 6
(Important)Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)		 Windows Server 2003 Service Pack 2
(Important)		 Not applicable Not applicable Windows Server 2003 Service Pack 2
(Important)		 Windows Server 2003 Service Pack 2
(Important)
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6
(Important)Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)		 Windows Server 2003 x64 Edition Service Pack 2
(Important)		 Not applicable Not applicable Windows Server 2003 x64 Edition Service Pack 2
(Important)		 Windows Server 2003 x64 Edition Service Pack 2
(Important)
Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 6
(Important)Internet Explorer 7
(Critical)		 Windows Server 2003 with SP2 for Itanium-based Systems
(Important)		 Not applicable Not applicable Windows Server 2003 with SP2 for Itanium-based Systems
(Important)		 Windows Server 2003 with SP2 for Itanium-based Systems
(Important)
Windows Vista
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical None None None None Important
Windows Vista Service Pack 2 Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)Internet Explorer 9
(Critical)		 Not applicable Not applicable Not applicable Not applicable Windows Vista Service Pack 2
(Important)
Windows Vista x64 Edition Service Pack 2 Internet Explorer 7
(Critical)Internet Explorer 8
(Critical)Internet Explorer 9
(Critical)		 Not applicable Not applicable Not applicable Not applicable Windows Vista x64 Edition Service Pack 2
(Important)
Windows Server 2008
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical Critical None None None Important
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7**
(Critical)Internet Explorer 8**
(Critical)Internet Explorer 9**
(Critical)		 Windows Server 2008 for 32-bit Systems Service Pack 2*
(Critical)		 Not applicable Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2*
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7**
(Critical)Internet Explorer 8**
(Critical)Internet Explorer 9**
(Critical)		 Windows Server 2008 for x64-based Systems Service Pack 2*
(Critical)		 Not applicable Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2*
(Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 7
(Critical)		 Not applicable Not applicable Not applicable Not applicable Windows Server 2008 for Itanium-based Systems Service Pack 2
(Important)
Windows 7
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical None Important None None Important
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8
(Critical)Internet Explorer 9
(Critical)		 Not applicable Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Important)		 Not applicable Not applicable Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Important)
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8
(Critical)Internet Explorer 9
(Critical)		 Not applicable Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Important)		 Not applicable Not applicable Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 5 Bulletin 6 Bulletin 7
Aggregate Severity Rating Critical Critical Important Important None Important
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8**
(Critical)Internet Explorer 9**
(Critical)		 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Critical)		 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Important)		 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1**
(Important)		 Not applicable Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Important)
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8
(Critical)		 Not applicable Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)		 Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)

Table 2

Windows XP
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating None Moderate Important None Moderate
Windows XP Service Pack 3 Not applicable Windows XP Service Pack 3
(Moderate)		 Windows XP Service Pack 3
(Important)		 Not applicable Windows XP Service Pack 3
(Moderate)
Windows XP Professional x64 Edition Service Pack 2 Not applicable Windows XP Professional x64 Edition Service Pack 2
(Moderate)		 Windows XP Professional x64 Edition Service Pack 2
(Important)		 Not applicable Windows XP Professional x64 Edition Service Pack 2
(Moderate)
Windows Server 2003
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating None Important Important None Moderate
Windows Server 2003 Service Pack 2 Not applicable Windows Server 2003 Service Pack 2
(Important)		 Windows Server 2003 Service Pack 2
(Important)		 Not applicable Windows Server 2003 Service Pack 2
(Moderate)
Windows Server 2003 x64 Edition Service Pack 2 Not applicable Windows Server 2003 x64 Edition Service Pack 2
(Important)		 Windows Server 2003 x64 Edition Service Pack 2
(Important)		 Not applicable Windows Server 2003 x64 Edition Service Pack 2
(Moderate)
Windows Server 2003 with SP2 for Itanium-based Systems Not applicable Windows Server 2003 with SP2 for Itanium-based Systems
(Important)		 Windows Server 2003 with SP2 for Itanium-based Systems
(Important)		 Not applicable Windows Server 2003 with SP2 for Itanium-based Systems
(Moderate)
Windows Vista
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating Moderate None Important Moderate Moderate
Windows Vista Service Pack 2 Windows Vista Service Pack 2
(Moderate)		 Not applicable Windows Vista Service Pack 2
(Important)		 Windows Vista Service Pack 2
(Moderate)		 Windows Vista Service Pack 2
(Moderate)
Windows Vista x64 Edition Service Pack 2 Windows Vista x64 Edition Service Pack 2
(Moderate)		 Not applicable Windows Vista x64 Edition Service Pack 2
(Important)		 Windows Vista x64 Edition Service Pack 2
(Moderate)		 Windows Vista x64 Edition Service Pack 2
(Moderate)
Windows Server 2008
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating Important None Important Moderate Moderate
Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2*
(Important)		 Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2**
(Important)		 Windows Server 2008 for 32-bit Systems Service Pack 2**
(Moderate)		 Windows Server 2008 for 32-bit Systems Service Pack 2**
(Moderate)
Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2*
(Important)		 Not applicable Windows Server 2008 for x64-based Systems Service Pack 2**
(Important)		 Windows Server 2008 for x64-based Systems Service Pack 2**
(Moderate)		 Windows Server 2008 for x64-based Systems Service Pack 2**
(Moderate)
Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2
(Important)		 Not applicable Windows Server 2008 for Itanium-based Systems Service Pack 2
(Important)		 Windows Server 2008 for Itanium-based Systems Service Pack 2
(Moderate)		 Windows Server 2008 for Itanium-based Systems Service Pack 2
(Moderate)
Windows 7
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating Moderate None Important Moderate Moderate
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Moderate)		 Not applicable Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Important)		 Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Moderate)		 Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
(Moderate)
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Moderate)		 Not applicable Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Important)		 Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Moderate)		 Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
(Moderate)
Windows Server 2008 R2
Bulletin Identifier Bulletin 8 Bulletin 9 Bulletin 10 Bulletin 13 Bulletin 12
Aggregate Severity Rating Important None Important Moderate Moderate
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Important)		 Not applicable Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Important)		 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1**
(Moderate)		 Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*
(Moderate)
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)		 Not applicable Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)		 Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Moderate)		 Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Moderate)

Tags:
Posted in Microsoft, Office 2007, Office 2010, OS, Security, Server, Software, Web | No Comments »

Black Hat: Routers Using OSPF Open to Attacks

Friday, August 5th, 2011

LAS VEGAS – A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.

The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systemsinto which the Internet is divided.

Typically large corporations, universities and ISPs run autonomous systems.

The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel’s Electronic Warfare Research and Simulation Center, who discovered the problem.

Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that it would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the severity of the problem, since Cisco dominates the router market.

The problem lies in the OSPF protocol itself, which can be tricked into accepting false router table updates from phantom routers on the network — Nakibly says he used a laptop attached to the test network he was attacking.

The phantom sends a false link state advertisement (LSA) — a periodic router table update — to the targeted router. The router accepts it as legitimate because, to verify its authenticity, all it checks for is that it has the most recent LSA sequence number, contains the proper checksum and is plus or minus 15 minutes old.

Nakibly described how to falsify all of these and to overcome the protocol’s defense mechanism called fightback that floods accurate LSAs in the face of false ones.

The false LSA can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making the victim router send traffic along routes that don’t exist in the actual network topology, he says.

The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router. The exploit also requires that the phantom router is connected to the network, Nakibly says.

To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. Designated routers store complete topology tables for the network, and they multicast updates to the other routers.

Nakibly introduced a second attack that is not as effective, but similarly takes advantage of a vulnerability in the OSPF specification.

Source:  pcworld.com

Tags: ,
Posted in Cisco, Hardware, Network, Security, Web | No Comments »

A Power Plant Hack That Anybody Could Use

Friday, August 5th, 2011

The night before the start of this week’s Black Hat hacker conference here in Las Vegas, security researcher Dillon Beresford gave a demonstration to a small audience in his room at Caesar’s Palace. The topic: how a hacker could take over the Siemens S7 computers that are used to control engines, machines and turbines in tens of thousands of industrial facilities.

It was a preview of the talk he was set to give Wednesday, and Beresford seemed both nervous and relieved to be finally talking to the handful of reporters and industry and government officials in the room. A few months ago it wasn’t clear when or if he’d ever be able to go public with his research. Concerned that his research could be misused, he pulled out of an earlier conference to give Siemens more time to fix the problems he’d uncovered. Even now, after months of work with Siemens and the U.S. Department of Homeland Security, coordinating patch after patch for many of the bugs he’s found, Beresford can’t say everything he knows.

But clearly, he knows quite a lot. The question is, how much will he make public?

The NSS Labs researcher said he’s found ways to bypass the S7′s security measures and read and write data into the computer’s memory — even when the system has password protection enabled. He can steal sensitive information from the systems, he said. And on one model, the S7 300, he found a command shell, apparently left in the system’s firmware by Siemens engineers, that he can connect to and use to run commands on the system.

After poking around for a bit he discovered a hard-coded username and password that allowed him access to a Unix-like shell program on the systems, where he can run his own commands: Username: basisk; password: basisk.

This shell is a “back door” to the system that could be misused by an attacker, Beresford said.

He also discovered dancing monkeys. This goofy graphic of four dancing monkeys was apparently an Easter egg — a software developer’s version of graffiti, left for other geeks to discover — stuck in the S7 300′s firmware.

The demo wasn’t much to look at. The S7s are like futuristic grey shoeboxes with green LED lights on them. Smoking a cigarette, Beresford would type into his laptop and one by one, the machines would turn off. But considering that each one of those machines could be running a nuclear centrifuge or an elevator, the demonstration held everyone’s attention.

The government official in the room Tuesday night — a contractor from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team — didn’t want to be quoted. Neither did Tim Roxey, a staffer with the North American Electric Reliability Corp., the nonprofit corporation chartered with helping to keep the U.S. supply of electricity online.

Clearly both groups are interested in Beresford’s work. The S7 300 systems on which Beresford found the back door and dancing monkeys are the same computers that were targeted by the Stuxnet worm, thought to have destroyed centrifuges at Iran’s Natanz nuclear reactor.

For decades, makers of these industrial computer systems — companies such as Siemens, Rockwell Automation and Honeywell International — lived in a bubble. They built computer systems that were adapted by electrical engineers for the factory floor. It used to be that these systems operated entirely on their own, disconnected from the rest of the networked world, but gradually they’ve been networked with Windows computers. They are supposed to be run on networks that are physically separate from the rest of the world, but these networks can have misconfigured routers, and every time a consultant plugs a laptop into them, it’s another opportunity for a virus to spread.

The problem is that these industrial systems were not built with security in mind, according to Dale Peterson, CEO of security consultancy Digital Bond. Industrial systems security experts like Peterson have known for at least 10 years that these kind of problems were coming, but not enough has been done. “We’ve made progress in a lot of areas, but we haven’t made progress on these field devices,” Peterson said.

He and other security experts say Siemens is hardly alone; that all industrial control systems suffer from the kinds of bugs that Beresford discovered.

The industry could add strong authentication control to machines like the Siemens S7, so they only run code that’s given to them by trusted sources. But in a world where rebooting a computer means taking a power plant offline for a day, that’s not easily done. “No one in the industry wanted to do this because of the possible consequences,” Peterson said.

On the other hand, as Stuxnet has shown, the risks of a cyber-attack on these industrial systems are very real. And malicious programs wind up on factory floors all the time.

In February 2011, the two-year-old Conficker worm infected systems at a Brazilian power plant, according to Marcelo Branquinho, executive director with TI Safe, the consulting company that has been working on fixing the problem these past few months. Engineers would clean up the infection only to find it reappear on the network, most likely spread there by an infected machine that they had missed. “This is not the first Conficker infection we’ve seen in Brazilian automation plants,” he said in an e-mail interview.

Branquinho wouldn’t name the power plant, but the infection was clearly disrupting operations. The plant’s management systems were freezing up and not displaying data from the field. This forced operators to control their systems the same way they did before computers — using radios to communicate with each other.

If those infected Conficker machines had contained the type of software that Beresford has written, things would have been much worse.

This isn’t the first time that researchers have released code relating to industrial systems, but past releases have focused on the Windows-based management consoles that these systems use — not the control systems themselves. And the fact that Beresford has hacked the S7 300 — widely used in the energy sector — puts his work in a category by itself.

In fact, Beresford isn’t sure when he’s going to make the software he’s written public. There are 15 modules, small programs he’s written for the open-source Metasploit hacking toolkit, but he wants to give Siemens’ customers time to patch their systems before he releases the code. He said that six months might be an appropriate window.

Once his code is available, anyone could use it. But Beresford believes that he’s only making public what others have secretly known for a long time.

Digital Bond’s Peterson says that releasing the code might be what it takes to push the industry to finally fix its security problems. “At this point, I’m like, let’s give it a shot,” he said. “I don’t think he’s telling the nasty people anything they don’t already know.”

Ralph Langner, one of the researchers who helped crack the Stuxnet mystery, thinks that Beresford should never release his code. “Dillon did not ask me for advice,” he said. “But the advice I would give him is, ‘Don’t ever release the Metasploit code, because this is dynamite.’”

The Metasploit modules would make it easy for a less-skilled hacker to build software that could disrupt a power plant. And even if Siemens has addressed all of the underlying issues, it will be years before the patches are installed. One day of downtime at a power plant can easily cost the operator US$1 million, Langner said. “Don’t assume that a power plant operator will say, ‘I will shut my plant down for a day to install the damned patch,’” he said.

It turns out that Langner is the guy who inspired Beresford to look into Siemens systems in the first place. Because of the apparent reconnaissance work and sophisticated PLC programming involved in Stuxnet, Langner believes that only a few organizations have the technical know-how to pull something like this off.

Beresford wanted to prove that industrial hacking could be done on the cheap too. His company kicked in $20,000 to buy the Siemens systems, but Beresford did most of the work from his bedroom in a couple of weeks. “It’s not just the spooks who have these capabilities,” he said when he finally gave this Black Hat presentation. “Average guys sitting in their basements can pull this off.”

Source:  pcworld.com

Tags: , ,
Posted in Anti-Virus, Electronics, Network, Security, Web | No Comments »

« Older Entries