News

New FBI Surveillance Backdoors? 6 Key Points


Will Congress require social networks, online voice over IP (VoIP) services, and Webmail providers to build in backdoors that could be used for electronic surveillance purposes by the FBI?

According to one news report, FBI officials have been meeting with Facebook, Google, Microsoft (which owns Skype and Hotmail), and Yahoo, among other companies. The goal apparently isn’t to promote the bureau’s push for expanded wiretapping capabilities, but rather to ask how that push could be implemented while causing minimal disruption for the companies whose networks would be directly accessed.

Reached by phone, an FBI spokesman declined to confirm or deny the news report. But it wouldn’t be the first time in recent history that the FBI has detailed the difficulties it faces when attempting to “wiretap” newer types of communication–from Facebook and Twitter to Skype and Xbox VoIP–and argued for greater capabilities.


Here are 6 points to consider about expanding the FBI’s surveillance powers:

1. Bureau Warns About Going Dark.
The bureau has already been asking Congress for broader surveillance powers to help it keep up with new technologies. Notably, FBI director Robert S. Mueller III told Congress in December 2011 that “a growing gap exists between the statutory authority of law enforcement to intercept electronic communications pursuant to court order and our practical ability to intercept those communications.” The consequences, he warned, could be dire. “Should this gap continue to grow, there is a very real risk of the government ‘going dark,’ resulting in an increased risk to national security and public safety.”

2. Proposed CALEA Revisions Would Update 1994 Law.
Accordingly, the FBI wants Congress to expand the Communications Assistance for Law Enforcement Act (CALEA). First passed in 1994, the purpose of the law–according to its text–is “to make clear a telecommunications carrier’s duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.” Specifically, the law is designed to allow law enforcement agencies, with a warrant, to conduct wiretaps of digital telephone networks. The law also made telephone carriers responsible for CALEA development and implementation costs. Congress then expanded the law in 2004 to cover broadband Internet service providers (ISPs) as well as telecommunications carriers that handle voice communications via VoIP.

But the latest proposed expansion could see the Federal Communications Commission review whether CALEA should be used to require services such as Skype, the PlayStation Network, Gmail, and similar services to make their systems easier to wiretap. CALEA requires that any encryption added by the wiretapped service be removed for law enforcement access.

3. Questions Remain Over Wiretapping Scope.
Just how often does the FBI need to use wiretapping during an investigation? That’s not clear. According to an FBI website about CALEA, wiretapping “is used infrequently and then only to combat the most serious crimes and terrorism.” It also says that law enforcement officers must “establish probable cause that the wiretaps may provide evidence of a felony violation of federal law,” after which it’s up to a judge to approve or disprove the wiretap, and then monitor any wiretapping.

4. Civil Liberties Groups See Slippery Slope.
Civil rights groups have warned that granting law enforcement agencies new surveillance powers could lead to a decrease in the privacy protections that people currently enjoy. “The heart of the issue is a growing attitude among law enforcement that there ought to be a presumption that citizens’ communications be susceptible to eavesdropping. There is no reason for such a presumption,” Jay Stanley, senior policy analyst for the Speech, Privacy and Technology Project at the American Civil Liberties Union, wrote in a blog post.

5. Will Technology Companies Back CALEA Expansion?
FBI overtures to technology giants aside, it’s far from clear whether Facebook, Google, Microsoft, and their ilk would back the proposed CALEA changes and grant the FBI direct access to their networks. In fact, they could try to torpedo such proposals, not least to distance themselves from anything involving surreptitious access to user data.

Twitter, for example, last month filed a motion in a New York state court to quash a New York City prosecutor’s request for information pertaining to Twitter user Malcolm Harris, who participated in Occupy Wall Street protests on the Brooklyn Bridge last year. Harris had already failed to quash the subpoena after a court ruled that his posts belonged not to him but to Twitter, meaning he had no legal standing to challenge the subpoena.

Interestingly, Twitter’s motion to quash instead argues that the subpoena imposes an overwhelming burden because it doesn’t give the Twitter user the ability to argue against the subpoena. Furthermore, Twitter said that its terms of service explicitly tell users that they “retain [their] rights to any Content [they] submit, post or display on or through” the service, and notes that relevant legislation allows users to challenge any demands for their account records. “To hold otherwise imposes a new and overwhelming burden on Twitter to fight for its users’ rights, since the [court order] deprives its users of the ability to fight for their own rights when faced with a subpoena from New York State,” read Twitter’s legal filing.

6. Backdoors May Facilitate Unauthorized Access.
Wiretapping backdoors could also make online services more vulnerable to attackers. In particular, adding hard-coded backdoors or access credentials for any website, application, or service is a cause for concern since this access could be abused in unintended–and potentially untraceable–ways. “Companies are also afraid of the potential security threat to trade secrets and confidential exchanges,” wrote attorney Aaron Kelly, who specializes in online privacy laws, in a blog post. “Some of them argue that a sufficiently skilled hacker could break in through a backdoor and steal personal information from a business.”


Contact Us for more informations.
Want a FREE No Obligation Price Quote?

GHTime Code(s): nc 

Return to top

OpenOffice.org Memory Overwrite Vulnerability

Topic: OpenOffice.org Memory Overwrite Vulnerability
Credit: Kestutis Gudinavicius
Date: 2012.05.17
CWE: N/A
CVE: CVE-2012-2149

CVE-2012-2149 OpenOffice.org memory overwrite vulnerability

Reference: http://www.openoffice.org/security/cves/CVE-2012-2149.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may also be affected.

Description:

Affected versions of OpenOffice.org use a customized libwpd that has a
memory overwrite vulnerability that could be exploited by a specially
crafted WordPerfect WPD-format document, potentially leading to
arbitrary code execution at the privilege level of the application user.

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to
Apache OpenOffice 3.4, where WPD files are ignored. Users who are
unable to upgrade immediately should be cautious when opening
untrusted WPD documents.

Credits

The Apache OpenOffice Security Team acknowledges Kestutis Gudinavicius
of SEC Consult Unternehmensberatung GmbH as the discoverer of this flaw.


Fake Google Chrome Installer Steals Banking Details

Beware fake Chrome installers for Windows.

A file named “ChromeSetup.exe” is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won’t install Google’s Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.

Once the malware–which appears to be targeting Latin American users, especially in Brazil and Peru–is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed to uninstall GbPlugin, which is “software that protects Brazilian bank customers when performing online banking transactions,” said Trend Micro security researcher Brian Cayanan in a blog post. “It does this through the aid of gb_catchme.exe–a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.”


Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. “During the time the C&C panel was analyzed … the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware,” Cayanan said. But the C&C servers–first spotted in use in October 2011–soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.

For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that “the one missing piece” of information is how the malware “is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware.”

In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to “sexi gerl see,” among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.

Clicking on the proffered Twitter link takes users to a Russian-language Web page–hosted in the Ukraine–that advertises numerous products, including fake updates for Opera and Skype, as well as an “Anit-Virus Scanner.” [sic] “Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone,” said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version–delivered as a Java archive file–will fail to execute. But the APK (Android application package) version will install on an Android device. The application’s Android icon, meanwhile, was copied from security firm Kaspersky.

Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, “the fake AV file is actually server-side polymorphic.” Polymorphic malware is designed to change every time it gets downloaded, which generates malware with identical attack capabilities but different fingerprints. That makes spotting the malware more difficult for signature-based security defenses.

“If you download it several times in a row, you’ll get different APK files,” said Bontchev. He said it’s also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot.

What’s the purpose of the Anit-Virus Scanner malware? As with most online attacks, blame the software on criminals trying to make a fast buck (or in this case, ruble). “If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services,” read a blog post from Graham Cluley, senior technology consultant at Sophos, who has also been studying the malware.

As with most malware, the fake antivirus scanner also has the ability to download and install further code from the Internet onto your Android smartphone, thus potentially allowing attackers to exploit devices, or the data they store, in numerous other ways.


Linux Kernel 3.3.x <= 3.3.4 Buffer overflow in HFS plus filesystem

Topic: Linux Kernel 3.3.x
Credit: Timo Warns
Date: 2012.05.16
CWE: N/A
CVE: CVE-2012-2319

PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4
                    2.6.x <= 2.6.35.13
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319


Summary
——-

The Linux kernel contains a vulnerability in the driver for HFS plus
file systems that may be exploited for code execution or privilege
escalation.

A specially-crafted HFS plus filesystem can cause a buffer overflow via
the memcpy() call of hfs_bnode_read() (in fs/hfsplus/bnode.c). The
functions

hfsplus_rename_cat() (in fs/hfsplus/catalog.c) and
hfsplus_readdir() (in fs/hfsplus/dir.c)

call hfs_bnode_read() with values that result in a memcpy() call with
a fixed-length destination buffer and both a source buffer and a length
that are read from the filesystem without sufficient validation.

The buffer overflows were previously fixed in the HFS filesystem driver
and have been assigned CVE-2009-4020
(commit ec81aecb29668ad71f699f4e7b96ec46691895b6 [1]).
Commit 6f24f892871acc47b40dd594c63606a17c714f77 (“hfsplus: fix
a potential buffer overflow”) [2] also fixes the issue in the HFS plus
filesystem driver.
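The unchecked-length pattern the summary describes, beside a bounds-checked variant, as an added illustration in C (not the kernel's code): node_read_unchecked(), node_read_checked(), cat_entry and NODE_SIZE are hypothetical stand-ins for hfs_bnode_read(), the driver's fixed-size catalog entry buffer and a B-tree node page, and the node contents are constructed sample data.

```c
/* Added illustration (not kernel code): the unchecked-length memcpy() pattern
 * behind CVE-2012-2319 and a bounds-checked variant.  node_read_*(), cat_entry
 * and NODE_SIZE are hypothetical stand-ins for hfs_bnode_read(), the hfsplus
 * catalog entry buffer and the B-tree node page. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NODE_SIZE 512   /* one B-tree node page as read from the disk image */
#define MAX_ENTRY  64   /* fixed size of the on-stack record buffer */

/* A B-tree node loaded from an untrusted filesystem image. */
struct bnode {
    uint8_t data[NODE_SIZE];
};

/* Fixed-length destination, like the catalog entry buffer on the stack. */
struct cat_entry {
    uint8_t raw[MAX_ENTRY];
};

/* Vulnerable pattern: offset and length both come from on-disk record
 * descriptors and go straight into memcpy().  len > MAX_ENTRY writes past
 * dst; off + len > NODE_SIZE reads past the node. */
void node_read_unchecked(struct cat_entry *dst, const struct bnode *node,
                         uint32_t off, uint32_t len)
{
    memcpy(dst->raw, node->data + off, len);
}

/* Hardened variant: check the untrusted length against the destination size
 * and the untrusted (offset, length) pair against the node size before
 * copying.  Returns 0 on success, -1 when the record descriptor is bogus. */
int node_read_checked(struct cat_entry *dst, const struct bnode *node,
                      uint32_t off, uint32_t len)
{
    if (len > sizeof(dst->raw))            /* would overflow the destination */
        return -1;
    if (off > NODE_SIZE || len > NODE_SIZE - off)  /* would read past the node;
                                                      written so off + len cannot wrap */
        return -1;
    memcpy(dst->raw, node->data + off, len);
    return 0;
}

/* Build a node holding one record of 'len' bytes 'fill' at 'off'
 * (constructed sample data standing in for a crafted HFS+ image). */
static void make_node(struct bnode *node, uint32_t off, uint32_t len, uint8_t fill)
{
    memset(node->data, 0, sizeof(node->data));
    if (off < NODE_SIZE && len <= NODE_SIZE - off)
        memset(node->data + off, fill, len);
}

/* Returns 1 if the hardened reader accepts the descriptor and the record is
 * copied intact, 0 if it rejects the descriptor. */
int read_record_ok(uint32_t off, uint32_t len)
{
    struct bnode node;
    struct cat_entry entry;

    make_node(&node, off, len, 0xAB);
    memset(entry.raw, 0, sizeof(entry.raw));
    if (node_read_checked(&entry, &node, off, len) != 0)
        return 0;
    for (uint32_t i = 0; i < len; i++)
        if (entry.raw[i] != 0xAB)
            return 0;
    return 1;
}

int main(void)
{
    /* A well-formed 48-byte record at offset 16 copies fine. */
    printf("valid record:     %s\n", read_record_ok(16, 48) ? "accepted" : "rejected");
    /* A descriptor claiming 300 bytes would overrun the 64-byte entry. */
    printf("oversized record: %s\n", read_record_ok(16, 300) ? "accepted" : "rejected");
    /* An offset near the end of the node with a length running past it. */
    printf("out-of-node:      %s\n", read_record_ok(500, 32) ? "accepted" : "rejected");
    return 0;
}
```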


Workaround
———-

Compile and use a kernel that does not support the HFS plus file system.
The corresponding configuration key is CONFIG_HFSPLUS_FS.


Solution
——–

A patch is available at

http://git.kernel.org/linus/6f24f892871acc47b40dd594c63606a17c714f77

The issue has been fixed in Linux 3.3.5.


References
———-

[1] http://git.kernel.org/linus/ec81aecb29668ad71f699f4e7b96ec46691895b6
[2] http://git.kernel.org/linus/6f24f892871acc47b40dd594c63606a17c714f77

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-03.txt

Contact
——–

PRE-CERT can be reached at precert () pre-secure de. For PGP key
information, refer to http://www.pre-cert.de/.


Apple Quicktime .pct Parsing Memory Corruption

Topic: Apple Quicktime .pct Parsing Memory Corruption
Credit: Rodrigo Rubira Branco
Date: 2012.05.16
CWE: CWE-119
CVE: CVE-2012-0671

Qualys Vulnerability Malware Research Labs (VMRL)
http://www.qualys.com

http://www.dissect.pe

Memory corruption when Apple QuickTime parses a .pct file
CVE-2012-0671


INTRODUCTION

Apple QuickTime does not properly parse .pct media files. Opening a
malformed file carrying an invalid value (located at offset 0x20E in the
PoC file repro01.pct) causes memory corruption in QuickTime.qts, reported
as QuickTime!DllMain+0x2d068 in the crash dump under DETAILS.

This problem was confirmed in the following version of QuickTime and
Windows; other versions may also be affected.

QuickTime Player version 7.7.1 (1680.42) on Windows XP SP3 – PT_BR.

Apple addressed the vulnerability in its May QuickTime security update
(http://support.apple.com/kb/HT1222).


CVSS Scoring System

The CVSS score is: 8.6
Base Score: 10
Temporal Score: 8.6
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:UR


TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.pct) is available to
interested parties.

DETAILS


(f28.c24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a70000 ebx=04402c68 ecx=98b1cc15 edx=00000004 esi=00000000 edi=088a5000
eip=6682ead8 esp=0012bfa8 ebp=00000001 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Arquivos de programas\QuickTime\QTSystem\QuickTime.qts -
QuickTime!DllMain+0x2d068:
6682ead8 668907          mov     word ptr [edi],ax        ds:0023:088a5000=????
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at QuickTime!DllMain+0x000000000002d068 (Hash=0x0e483076.0x0e507376)
User mode write access violations that are not near NULL are exploitable.

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability Malware
Research Labs (VMRL).


Can IT Be Trusted With Personal Devices?

Most IT teams weren’t prepared for the BYOD challenge, and they’re not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there’s an ongoing mismatch between the mobile device management features IT deems to be important and what’s in end users’ best interests.

To illustrate just how pernicious the wrong BYOD policies can be, here’s a hypothetical: A worker decides to buy an iPad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby’s first steps or his daughter’s piano recital, or he uses the iPad to store hundreds of family vacation pictures.

Being a good and proactive employee, he brings the iPad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what’s freely available on the company website, it’ll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list).


The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).

Now, suppose one of the employee’s young children plays with the iPad, exceeds the number of failed password attempts, and the device is wiped. No baby’s first steps, no piano recital, no pictures from the family vacation. The employee had the best of intentions about iCloud backups but didn’t follow through, and needless to say, IT hadn’t provided any backup mechanism. The livid employee is left with a blank device and a “Gee, we’re sorry about that” from IT.

While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have emailed the sales presentation, which probably isn’t encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT’s involvement. And there’s often incentive for employees to do just that, because IT’s policies are onerous at best, and at worst downright counter to the employee’s interests. If software can’t tell the difference between company data and employee data, it has no place on a personally owned device.

Further, mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns, and it’s what the company values. But of course, data management involves user training and classification and some security finesse. For too many IT teams, it’s easier to use a blunt instrument.



There’s a bit of good news in our survey: While only 32% of respondents have had a security awareness program in place for two or more years, 18% have recently added one, and an additional 25% say they’ll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data; we recently did a roundup of 13 providers.

No doubt users represent a security risk, but they’re also your first line of defense–if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But for goodness sake, don’t put device-wipe time bombs on their systems unless you want to explain why all of their personal data is gone and that there’s nothing they can do to get it back.

Art Wittmann is director of InformationWeek Reports, a portfolio of decision-support tools and research reports. You can write to him at awittmann@techweb.com.


NTDS WebStudio SQL Injection

Topic: NTDS WebStudio SQL Injection
Dork: inurl:”/pacotes.php?pagina=” id_pct=”
Credit: TheCyberNuxbie
Date: 2012.05.15
CWE: CWE-89
CVE: N/A

[ Inj3ct0r / 1337day ASCII banner: “Exploit database separated by exploit type (local, remote, DoS, etc.)” ]
[x] Official Website: http://www.1337day.com
[x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com
I’m NuxbieCyber Member From Inj3ct0r TEAM

==========================================================================
: NTDS – SQL Injection Vulnerability :
==========================================================================

– Discovered By:
||| TheCyberNuxbie – Independent Security Research |||
root@31337sec.com x CP: +62856-2538-963
[ www.linuxhacktivist.com ] $ YM: nux_exploit

– Use it at your own risk,,,
This was written for educational purposes,,,
Author will not be responsible for any damage. //nuxbie

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
./Title Exploit : NTDS – SQL Injection Vulnerability
./URL Vendor Web: NTDS WebStudio – http://www.ntds.com.br/
./Google Dork : inurl:”/pacotes.php?pagina=” id_pct=”
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[xXx] SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application.
The vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL statements
or user input is not strongly typed and is thereby unexpectedly executed.

– Affected items (SQLi):

http://127.0.0.1/webapps/pacotes.php?pagina=xxx&id_pct=[SQLi]

– Private Area:
http://127.0.0.1/webapps/admin/ — LogIn Area…!!!

– Sample WebApps Vuln (SQLi):

– Special Thanks:
…:::’ 1337day – Inj3ct0r TEAM ‘:::…
All Staff 31337 Member Inj3ct0r TEAM,,,
, And All Inj3ct0r Fans All Hacktivist,,,

#############################################################################
– Me @ Solo Raya, 14 May 2012 @ 08:52 PM.
[ Inj3ct0r | PacketStromSecurity | Devilzc0de | Exploit-ID | ID-BackTrack ]
#############################################################################


NETGEAR WNDRMAC Exposure of Sensitive Information

Topic: NETGEAR WNDRMAC Exposure of Sensitive Information
Credit: Nathaniel Carew from Sense of Security Labs.
Date: 2012.05.13
CWE: N/A
CVE: N/A

Sense of Security – Security Advisory – SOS-12-005

Release Date. 13-May-2012
Last Update. –
Vendor Notification Date. 06-Mar-2012
Product. NETGEAR WNDRMAC
Platform. Hardware
Affected versions. 1.0.0.22 and below
Severity Rating. High
Impact. Exposure of sensitive information
Attack Vector. From remote without authentication
Solution Status. Currently no software update; the vulnerable functionality can be disabled
CVE reference. CVE – not yet assigned

Details.
The NETGEAR Wireless Extreme for Mac computers and PCs (WNDRMAC)
is an N600 wireless dual-band gigabit router. If a password recovery
has previously been completed successfully, the router discloses
sensitive information in its page source, which allows an attacker
to log in to the device.

Proof of Concept.
Viewing the source code of the page you are presented with when
you fail to log in successfully with the administrator account
exposes the router’s serial number, which is required to reach the
recovery questions section.

http://x.x.x.x/unauth.cgi
<HTML><HEAD><LINK rel="stylesheet" href="/style/form.css">
<TITLE>401 Authorization</TITLE>
<META http-equiv=content-type content='text/html; charset=UTF-8'>
<script>
function loadvalue()
{
var enable_recovery="1";
var enter_sn_again="0";
var last_error_sn="2T82195D0093D";
if( enable_recovery == "1" )

Viewing the source code of the recovery questions page allows an
attacker to view the answers to the password recovery questions.
After submitting these answers you are presented with the current
administrator credentials.

http://x.x.x.x/securityquestions.cgi
<HTML><HEAD>
<TITLE>Router Password Recovery</TITLE>
<META http-equiv=content-type content='text/html; charset=UTF-8'>
<LINK rel="stylesheet" href="/style/form.css">
<script>
var quest1_1="What was the name of the first NETGEAR product you purchased?";
var quest1_2="What was the name of the first school you attended?";
function loadvalue()
{
var answer_again="1";
var last_error_ans1="Answer one";
var last_error_ans2="Answer two";

Solution.
Disable the password recovery option.

Discovered by.
Nathaniel Carew from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia’s premier application penetration
testing firm and trusted IT security advisor to many of the country’s
largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info () senseofsecurity com au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:

http://www.senseofsecurity.com.au/advisories/SOS-12-005.pdf

Other Sense of Security advisories can be found at:

http://www.senseofsecurity.com.au/research/it-security-advisories.php
