Oracle issued an emergency patch for its WebLogic Server almost two weeks after a white-hat hacker disclosed a vulnerability that allows criminals to remotely execute commands on the webserver with no authentication necessary.…
Oracle issued an emergency patch for its WebLogic Server almost two weeks after a white-hat hacker disclosed a vulnerability that allows criminals to remotely execute commands on the webserver with no authentication necessary.…
The prosecution of a Swedish man charged with breaching the computer networks of NASA and Cisco Systems and making off with sensitive source code will be transferred to Swedish authorities, US federal prosecutors said Monday.…
Top flight outsourcing firm Tata Consulting Services appeared to have lost control of its website to hackers today, with the domain apparently being touted for sale.…
Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service.…
Chinese authorities have closed down a firm that allegedly trained hackers to develop spyware and launch cyberattacks.…
Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.…
A supervisor for the town of Poughkeepsie, New York lashed out at a local bank after someone siphoned $378,000 out of municipal coffers and transferred it to Ukraine.…
Two Firefox add-ons available for months on Mozilla's website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed.…
The security services are running 23 ongoing investigations into the exploitation of gambling websites to finance terrorism.…
A site dedicated to tracking the infamous ZeuS botnet is celebrating its first birthday.…
Online gambling sites are fighting ever-sharper fraudsters, forcing them to balance stricter anti-cheat measures against the risk of alienating some of their best customers.…
0000 45 00 00 00 61 53 46 41 54 41 4c 00 43 32 38 30 E...aSFATAL.C280
0010 30 30 00 4d 70 61 73 73 77 6f 72 64 20 61 75 74 00.Mpassword aut
0020 68 65 6e 74 69 63 61 74 69 6f 6e 20 66 61 69 6c hentication fail
0030 65 64 20 66 6f 72 20 75 73 65 72 20 22 70 6f 73 ed for user "pos
0040 74 67 72 65 73 22 00 46 61 75 74 68 2e 63 00 4c tgres".Fauth.c.L
0050 32 37 33 00 52 61 75 74 68 5f 66 61 69 6c 65 64 273.Rauth_failed
0060 00 00 ..
Microsoft is planning a bumper patch Tuesday, with 13 bulletins that collectively fix 26 difference vulnerabilities.…
Comment The stories about Adobe software keep coming, and the news hasn't been good. Critical bugs in Reader and Flash have come under real-world, zero-day attacks so many times in the past year that the exploits almost seem routine.…
APRA has released what they dub as a “prudential practice guide” – “on the management of security risk in information and information technology (IT) by institutions supervised by APRA”. Press release and document here.
It will be interesting to see how the “guideline” adoption will go. Similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines“, but a decade behind, and packing what seems to be no real regulatory push nor enforcement like that in Singapore.
———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.
The US House of Representatives has overwhelmingly passed a bill that would direct almost $400m toward research designed to shore up the nation's cybersecurity defenses.…
Password cracking of iPhone backups has become a point-and-click exercise thanks to software unveiled Thursday by a computer forensics tools provider.…
Today we released February bulletin information through our Advance Notification Service (ANS). This month, we will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office. More information about the upcoming security updates can be found on the Advance Notification Service (ANS) webpage.
As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.
To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:
|
Version |
Critical |
Important |
Moderate |
Low |
Total |
|
Windows 2000 |
5 |
3 |
1 |
0 |
9 |
|
Windows XP |
5 |
2 |
1 |
0 |
8 |
|
Windows Server 2003 |
4 |
3 |
2 |
0 |
9 |
|
Windows Vista |
3 |
3 |
0 |
0 |
6 |
|
Windows Server 2008 |
3 |
4 |
0 |
1 |
8 |
|
Windows 7 |
3 |
2 |
0 |
0 |
5 |
|
Windows Server 2008 R2 |
3 |
1 |
0 |
1 |
5 |
The Office related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office so customers on Office 2007 or Office 2008 for Mac will have not actions this month.
We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.
I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:
· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of windows older than Vista in their default configuration, and there is a “Fix It” available so customers in non-default configurations can protect themselves.
· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.
· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.
We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.
Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products end as, once they do, we will no longer provide security updates:
Finally, please plan to join Adrian Stone and myself next week for our regular live webcast where we will go in to detail on each bulletin to give you even more information and guidance:
Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679
Hope to see you there!
Jerry Bryant
Sr. Security Communications Manager – Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
I did a presentation at the DefCon Comedy Jam about how users manually validate updates for Firefox was just a total mess from a security perspective. It had a lot to do with the fact that they are using round robin DNS and relying on the good will of a lot of dispirit sites to do their hosting for them. Well, I’ve been wondering more and more about how I may or may not be able to download these releases and verify them manually in a secure way. So I did a few checks and here’s the IP space I found and the status of what their SSL/TLS ports were when checked yesterday:
63.245.208.152 (live but with SSL/TLS mismatch)
128.61.111.9 (connection refused)
129.101.198.59 (connection refused)
131.188.12.212 (connection refused)
149.20.20.5 (connection refused)
156.56.247.196 (connection refused)
202.177.202.154 (connection refused)
204.152.184.196 (connection refused)
204.246.0.136 (connection refused)
216.165.129.141 (connection refused)
64.50.236.214 (connection refused)
64.50.236.52 (connection refused)
129.101.198.59 (operation timed out)
155.98.64.83 (operation timed out)
So only 1 out of 14 even have SSL enabled. Okay… well today, I took a little spin on SSLLabs and I found that the one site that does have SSL enabled (63.245.208.152) has a SSL/TLS mismatch error for videos.mozilla.org. I mean… seriously! If your browser goes to https://releases.mozilla.org this is sort of what’s happening under the hood:
$ telnet releases.mozilla.org 443
Trying 202.177.202.154…
telnet: connect to address 202.177.202.154: Connection refused
Trying 204.152.184.196…
telnet: connect to address 204.152.184.196: Connection refused
Trying 204.246.0.136…
telnet: connect to address 204.246.0.136: Connection refused
Trying 216.165.129.141…
telnet: connect to address 216.165.129.141: Connection refused
Trying 64.50.236.214…
telnet: connect to address 64.50.236.214: Connection refused
Trying 128.61.111.9…
telnet: connect to address 128.61.111.9: Connection refused
Trying 129.101.198.59…
telnet: connect to address 129.101.198.59: Connection refused
Trying 131.188.12.212…
telnet: connect to address 131.188.12.212: Connection refused
Trying 149.20.20.5…
telnet: connect to address 149.20.20.5: Connection refused
Trying 155.98.64.83…
telnet: connect to address 155.98.64.83: Operation timed out
Trying 156.56.247.196…
telnet: connect to address 156.56.247.196: Connection refused
Trying 63.245.208.152…
Connected to releases.geo.mozilla.com.
Escape character is ‘^]’.
^]
telnet> quit
Yes, after a minute of trying your browser will eventually find the one HTTPS server - or it won’t (sometimes it just gives up). So then in poking around within my Mozilla config I saw a reference to http://en-US.www.mozilla.com/en-US/firefox/3.5.7/releasenotes/. So I switched to SSL/TLS with this link, because I like being secure, and I get a SSL/TLS warning as well. These are the kinds of things that make Firefox incredibly unsafe to manually download and verify the binaries if you are in a hostile environment. And I’m just scratching the surface compared to my presentation. How many of those 3rd party sites do you think can be exploited?
Microsoft has begun investigating a flaw in IE that most affects older versions of Windows, and turns vulnerable systems into a "public file server".…
Phishing fraudsters have extended their net beyond harvesting e-banking credentials via a scam that resulted in the theft of 250,000 carbon permits worth over €3m.…
Made my day when I heard iiNet won their case against the Film Industry! Here reported by itnews. Awesome. Hoping some common sense will prevail and workable collaborative efforts can happen now. Well done iiNet.
Some of our previous posts on this topic…worth a read:
http://beastorbuddha.com/?s=iinet
———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.
A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing them through the networks of telecommunications companies.…
Security researchers have defeated vulnerability protections baked into the latest versions of Internet Explorer, demonstrating that it's possible to poke holes in a safety net that's widely relied on to keep end users safe from drive-by exploits.…
Hi everyone,
Today we released Security Advisory 980088 to address a publicly disclosed vulnerability in Internet Explorer that may allow Information Disclosure for customers running on Windows XP or who have disabled Internet Explorer Protected Mode. At this time we are not aware of any attacks seeking to use the vulnerability.
Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue. Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems.
We are working to produce an update for this vulnerability and when that is complete, we will take appropriate action to protect customers, which may include releasing an update out-of-band. As with any update, we have to balance overall quality and ensure application compatibility before we release it.
Microsoft is also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
We continue to encourage customers to upgrade to Internet Explorer 8 to benefit from the increased protections provided in the newer version. In addition, customers should continue to follow our “Protect Your Computer” guidance at http://www.microsoft.com/protect.
Thanks!
Jerry Bryant
Sr. Security Communications Manager – Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Larry Suto is back with another report outlining the differences between some of the top web application scanners on the market. Before you get all uptight and start flaming me, I in NO WAY sponsored, encouraged or had anything to do with this test in any way. In fact, I only found out about it a few days ago. Not that I think that’ll stop the flame wars, but just direct your ire appropriately, please! Anyway, he took a different approach this time, and instead of running the scanners against something he had devised up to be used only in his own lab, he turned all the scanners on each other’s public test sites. You might think they should all fair fairly well since they’re all public and there’s nothing stopping them from testing to their heart’s content. But that’s anything but what he found. You can download Larry’s report here.
Some of the more interesting findings were that Burp Suite Pro (an extremely cheap product built by Portswigger - and a damned fine manual testing tool, I might add) fared better than Qualys or WebInspect when trained. I always loved Burp Suite! Larry’s commentary is particularly amusing as you go through it, with choice quotes, like:
Accuntix missed 31% of the vulnerabilities after training and 37% without training. This is a significant cause for concern as they should be aware of the links vulnerabilities on their own site and be able to crawl and attack them.
And…
WebInspect missed 66% of the vulnerabilities, even after being trained to know all of the pages. They missed 42% of the vulnerabilities on their own test site after being trained and 55% before training.
NTOSpider by NT Objectives came out in the lead with the best overall score of the application scanners tested (which included Acunetix, Appscan, Burp Suite Pro, Hailstorm, WebInspect, and NTOSpider). He also measured things like how long the various scanners take to configure, support and so on - all important things for companies about to make the big investment. This isn’t all scanners everywhere (notably WhiteHat is missing as is the newest player to the field, NetSparker who incidentally took it upon themselves to add themselves into the report after the fact, and other free web assessment tools, like Nikto etc…), but it’s a great start to a long future of heavily debated research, I’m sure. Love him, or hate him, Larry’s always got interesting research to share!
Adware slingers have taken advantage of the buzz around the latest version of Firefox to establish a fake browser download site.…
Manchester police were once again able to run inquiries on the Police National Computer on Wednesday morning, after techies purged a Conficker worm infection from the force's network.…