February 22, 2012

Mozilla Sends Another Message to Certificate Authorities

(LiveHacking.Com) – Mozilla has sent an email to all certificate authorities in the Mozilla root program to reiterate that the issuance of subordinate CA certificates for the purposes of SSL man-in-the-middle interception or traffic management is unacceptable. Mozilla has asked the CAs to revoke any such certificates by April 27, 2012. After that date, if a subordinate CA is found to be used for MITM, Mozilla could remove the corresponding root certificate from the Mozilla root program. This would mean that applications like Mozilla Firefox would no longer trust any certificate chaining to that root, not just the offending subordinate.

“We made it clear that this practice remains unacceptable even when the intended deployment of such a certificate is restricted to a closed network,” said Johnathan Nightingale, Senior Director of Firefox Engineering.

Mozilla also reinforced the Certificate Authorities’ responsibilities, reminding them that each CA is accountable for every certificate it signs, directly or through its subordinates.

This isn’t the first time Mozilla has asked CAs to be more responsible. In September 2011 Mozilla sent a message to all the certificate authorities (which participate in the Mozilla root certificate program) requesting that they complete an audit of their PKI systems. This call to review and confirm the integrity of their certificate systems came after Mozilla removed the DigiNotar root certificate in response to its failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

Is SSL Falling Apart? New Research Papers Find More Holes

(LiveHacking.Com) – Two new research papers have been published which examine the low-level details of SSL, specifically the randomness used when generating keys, and the results are surprising. According to the “Ron was wrong, Whit is right” paper, two out of every one thousand RSA moduli in use on the Internet today offer no security, while the blog of Princeton’s Center for Information Technology Policy reports that 0.4% of all the public keys used for SSL web site security can be remotely compromised.

Two in one thousand is 0.2%, and Princeton is talking about 0.4%. These aren’t huge percentages… but a Google search for how many pages have “https://” in the URL shows about 19,640,000,000 results. Some of these are pages about HTTPS rather than pages served over it, and a hit count counts pages rather than certificates, so the figure is only a rough upper bound. Even if just one quarter of those results are really served over HTTPS, that is 4,910,000,000 pages, and 0.4% of that is roughly 19,640,000. That is a lot of SSL certificates, and a huge potential number of sites which can be hacked.

“Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for ‘multiple-secrets’ cryptosystems such as RSA is significantly riskier than for ‘single-secret’ ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman,” wrote Arjen K. Lenstra et al.

SSL has been having a hard time recently and it is starting to look as if this system isn’t as robust as previously thought. Recent SSL stories include the BEAST attack, the DigiNotar breach and the VeriSign breach.

“Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggest that the entire class of devices may be vulnerable upon further analysis,” wrote Nadia Heninger.
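Both papers found the weak keys the same way: when two RSA keys were generated with poor entropy they sometimes share one prime, and a shared prime can be recovered with a plain gcd of the two moduli, no factoring required. The Python below is an added illustration, not code from the article or from either paper. It implements the batch gcd (product tree followed by a remainder tree) that makes the scan practical over millions of keys, and it handles the case both papers had to deal with, a modulus whose primes both occur in other keys, which includes exact duplicate keys that gcd cannot split. The moduli are constructed from small primes so the scan runs instantly; the arithmetic is unchanged for 1024-bit or 2048-bit keys.

```python
"""Batch-gcd scan for RSA moduli that share a prime factor (added example)."""
from math import gcd


def product_tree(values):
    """Levels of a product tree: the leaves first, the single root product last."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels


def batch_gcd(moduli):
    """Return gcd(n_i, product of every other n_j) for each modulus n_i.

    A naive scan does one gcd per pair (quadratic).  The batch method walks a
    remainder tree down from the root product P, keeping P mod node^2 at each
    node, so every leaf ends with P mod n_i^2.  Dividing that by n_i gives a
    value congruent to P / n_i modulo n_i, which is all the gcd needs.
    """
    levels = product_tree(moduli)
    rems = levels.pop()                       # [P], the root product
    while levels:
        level = levels.pop()
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]


def scan_moduli(moduli):
    """Map index -> ("factored", p, q) or ("shared", n) for each weak modulus.

    g == 1:     no prime in common with any other key, nothing to report.
    1 < g < n:  g is a prime shared with some other key; n = g * (n // g).
    g == n:     both primes of n occur in other keys.  Either p and q sit in
                two different keys (a pairwise gcd still splits n) or the key
                is an exact duplicate, which gcd cannot factor but which means
                someone else holds an identical private key.
    """
    gcds = batch_gcd(moduli)
    flagged = [i for i, g in enumerate(gcds) if g != 1]
    found = {}
    for i in flagged:
        n, g = moduli[i], gcds[i]
        if 1 < g < n:
            found[i] = ("factored", min(g, n // g), max(g, n // g))
            continue
        for j in flagged:                     # g == n: pairwise fallback
            d = gcd(n, moduli[j]) if j != i else 1
            if 1 < d < n:
                found[i] = ("factored", min(d, n // d), max(d, n // d))
                break
        else:
            found[i] = ("shared", n)
    return found


# Constructed sample set: small primes stand in for the 512-bit primes of real
# 1024-bit keys.  Comments give the expected verdict for each modulus.
PRIMES = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099]
SAMPLE_MODULI = [
    PRIMES[0] * PRIMES[1],    # 0: shares 10009 with key 1 -> factored
    PRIMES[1] * PRIMES[2],    # 1: factored
    PRIMES[3] * PRIMES[4],    # 2: shares 10039 with key 4 -> factored
    PRIMES[5] * PRIMES[6],    # 3: shares 10069 with key 4 -> factored
    PRIMES[3] * PRIMES[6],    # 4: both primes seen elsewhere, pairwise fallback factors it
    PRIMES[7] * PRIMES[8],    # 5: exact duplicate of key 6 -> shared
    PRIMES[7] * PRIMES[8],    # 6: shared
    PRIMES[9] * PRIMES[10],   # 7: a sound key, not reported
]

if __name__ == "__main__":
    for idx, verdict in sorted(scan_moduli(SAMPLE_MODULI).items()):
        print(idx, SAMPLE_MODULI[idx], verdict)
```

On a real data set the moduli come from a certificate crawl; the scan itself never touches the network and only ever reports keys that are already broken for anyone else who runs the same computation, which is why both papers describe their result as a remote compromise.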

Dutch ISP KPN Security Breach

(LiveHacking.Com) – One of the largest ISPs in The Netherlands has shut down its email services after a security breach where hackers leaked the credentials and personal information of more than 500 of its customers.

KPN discovered the breach at the end of January but, after consulting with the Dutch government and law enforcement agencies, decided not to go public with the details. Once KPN discovered that account details were being posted online (on Pastebin) it decided to suspend its email services as a precautionary measure. On Saturday email services resumed and KPN sent customers information on how to reset their passwords.

KPN has over two million customers and it is unclear if the hackers got access to information about all of these accounts or just the 500 posted online.

Hackers Strike at iPhone Maker Foxconn

(LiveHacking.Com) – A hacking group calling themselves SwaggSec has launched an attack against Foxconn, the Taiwan-based company that manufactures iPhones for Apple, and posted data it stole from Foxconn’s servers on The Pirate Bay. According to the blog 9to5Mac the data contained usernames and passwords for company employees, which 9to5Mac was able to verify before access to the servers was shut down.

The hackers bragged about their attack on Pastebin where they cited the “inhuman conditions the workers experience” as one of the motivations for the hack. They also noted that “Foxconn did have an appropriate firewall” but that they were able to “bypass it almost flawlessly.”

It appears that the login credentials for Foxconn’s chief executive Terry Gou were among those included in the posted data, although the password is not in plaintext but in encrypted form.

Microsoft Preparing Nine Bulletins for February’s Patch Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification of the security bulletins it will issue for February’s Patch Tuesday. There will be nine bulletins, addressing 21 vulnerabilities, with severity ratings of Critical and Important, for Microsoft Windows, Internet Explorer, Microsoft Silverlight, Microsoft Server Software, Microsoft Office, and the Microsoft .NET Framework.

Seven of the nine bulletins cover remote code execution vulnerabilities while the other two cover elevation of privilege vulnerabilities. As is often the case with these bulletins, all supported versions of Windows are affected, including XP, Vista and Windows 7 as well as Windows Server 2003 and 2008. The exceptions are bulletin 2 (which only affects Vista onwards) and bulletin 7 (which only affects Windows Server 2003 and 2008).

The Internet Explorer remote code execution vulnerability is rated Critical and should be considered a mandatory update for all IE users. Affected versions include IE 6, IE 7, IE 8 and IE 9.

Patch Tuesday is scheduled for Tuesday, February 14, 2012.

RealPlayer Updated to Address Security Vulnerabilities

(LiveHacking.Com) – RealNetworks has released new versions of RealPlayer to fix security-related vulnerabilities. The new version, RealPlayer 15.0.2.71, fixes the vulnerabilities listed below; there are no known reports of any machines actually being compromised as a result of them.

Affected Windows versions are:

  • RealPlayer 11.0 – 11.1
  • RealPlayer SP 1.0 – 1.1.5
  • RealPlayer 14.0.0 – 14.0.7
  • RealPlayer 15.0.0 – 15.0.1.13

There is also one vulnerability which affects the Mac version of RealPlayer:

  • Mac RealPlayer 12.0.0.1701

All of the vulnerabilities could allow remote code execution:

  • rvrender RMFF Flags Remote Code Execution Vulnerability
  • RV20 Frame Size Array Remote Code Execution Vulnerability
  • VIDOBJ_START_CODE Remote Code Execution Vulnerability
  • RV40 Remote Code Execution Vulnerability
  • RV10 Encoded Height/Width Remote Code Execution Vulnerability
  • RealAudio coded_frame_size Remote Code Execution Vulnerability
  • Atrac Sample Decoding Remote Code Execution Vulnerability

Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – Following my blog post about Anonymous releasing the source code for pcAnywhere, Symantec has contacted us here at LiveHacking.com with further details of the events leading up to the uploading of the source code. Symantec is underlining the following things:

  1. Symantec did NOT offer a bribe to Anonymous. Anonymous tried to extort Symantec for money to withhold posting of additional source code. (As a point of clarification – I didn’t say that Symantec offered a bribe and have never implied it; the original blog post said that the hacker YamaTough asked for $50,000 not to release the source code.)
  2. The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement.
  3. Once Symantec saw that it was a clear cut case of extortion, they contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.

“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved,” said Cris Paden of Symantec in his email to us.

Anonymous Releases Source Code for pcAnywhere [Updated]

Update: Symantec has contacted us here at LiveHacking.com with the following correction: The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement. For more details see Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – The hacking group Anonymous has tweeted that it has released the source code of Symantec’s pcAnywhere on The Pirate Bay. The release of the software seems to have come after a set of emails between a law enforcement agency (masquerading as Symantec) and the hacker YamaTough. The hacker tried to extort money from Symantec when he asked for $50,000 not to release the source code. According to the email exchange the negotiations ended when the hacker gave the law enforcement agency (masquerading as Symantec) a 10 minute ultimatum: “we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus.” To which the law enforcement agency (masquerading as Symantec) replied “We can’t make a decision in ten minutes. We need more time.”

It seems that this then prompted the release of the source code. We spoke with a security expert who has downloaded the archive of the source code and his initial impression is that the release is genuine. According to our expert (who wishes to remain unnamed due to fears of possible reprisals by Symantec) the archive contains the following directories:


AccessServer
CE_Remote
CM
Development
InfoDev
Java_Remote
LU_Patches
Mac_ThinHost
RAPS
SCA
Shared
Tivoli
Unix_Host
pcA-NG
pcAnywhereExpress
pca32
pca_LiveState_2.0
pca_ONiCommand_3.0
r12.0-M1

The Development directory contains documentation including a document called “Programming Style Guide” which is marked as “Symantec Confidential” and pertains to “pcAnywhere / Decomposer / Packager”. The “pca32” project seems to contain source code with valid Microsoft Visual Studio project files.

According to ComputerWorld there is no official word yet from Symantec as “it happened so recently that we’re still in the process of analyzing and won’t be able to confirm until the morning.”

4 Key Features of Good Endpoint Security Software

(LiveHacking.Com) – Data leakage occurs when data that should never have left the physical confines of your company’s brick and mortar walls does, and control of that data is lost. One of the main reasons why this can happen is that companies lack endpoint protection. When a user copies data to their smartphone (think contacts, critical documents that they wish to review while mobile, email attachments, etc.), or to a USB flash drive, your company is primed for a data leak. Endpoint protection is designed to prevent that from ever happening in the first place. Sure, you can remotely wipe smartphones, at least the ones that are compatible with your company’s policies, and you can protect data on portable media with encryption, but both of those depend in part on the end user. Whether that person is intentionally malicious, apathetic, or simply ignorant, it is entirely possible to transfer data to unprotected media, unless you prevent it in the first place through endpoint security.

GFI EndPointSecurity™ console

There are programs on the Internet today that can turn portable media players into mass storage devices capable of automatically seeking out and downloading key data to their storage. Search for podslurping to see just how creative these applications are, and don’t forget the users with DVD/CD burners in their machines that can burn a disc with gigabytes of data. Unless they have encrypted that data, it can be read by anyone who happens to come across that disc. Some companies have gone as far as to epoxy the USB connectors on machines to prevent the physical attachment of external media, but this has several problems: they won’t be able to turn such damaged hardware back in at the end of a lease, any residual value after the useful life will be greatly decreased, there are lots of legitimate uses for USB that will be prevented, and it is not a full solution. Search on bluesnarfing to see how users can exploit Bluetooth connections to further transfer data. Instead of ruining your hardware, implement endpoint security to protect your data.

So how can endpoint security help a company to prevent data leakage? Here are the four most important features to look for in good endpoint protection software:

  1. Agent based enforcement: Endpoint protection software should use easy to deploy, tamperproof agents which can be rolled out to users, and once on their system, be locked down so even local admins cannot disable them.
  2. Easy, central management: Good endpoint protection software should support rapid policy creation through an easy to understand wizard, that can be deployed granularly with Active Directory Group Policy, and that has the flexibility to support business needs.
  3. Information at your fingertips: Real-time centralized monitoring and alerts are just the starting point for endpoint protection’s information components. Look for centralized logging and reporting that can generate on demand and scheduled reports.
  4. Flexibility: The one thing you can count on is that no matter what you set up, you will need exceptions. Whether you need to provide temporary access, allow systems admins or security personnel to bypass restrictions, or implement whitelists and blacklists, look for an endpoint protection product that is not going to lock you down so tightly that it breaks business processes.

By deploying endpoint security, you are taking reasonable steps to prevent data leakage and protecting your company’s data and that of your customers. Endpoint protection makes good business sense in today’s environment where a data leakage can cost a company millions in reporting and monitoring, and cause irreparable damage to a company’s reputation.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on how to make the best out of endpoint security.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

Unauthorized Activity Within One of DreamHost’s Databases Prompts Password Resets

(LiveHacking.Com) – DreamHost detected some unauthorized activity within one of its databases over the weekend. As a precautionary measure it is forcing customers to change their Shell and FTP passwords. To do this users needed to access the DreamHost web panel and go to “Manage Users”; however, the rush of customers wanting to protect their accounts left the web panel overwhelmed, with intermittent access for about an hour before DreamHost managed to fix it.

According to DreamHost, its support team handled thousands of password-related requests over the weekend, and all mandatory Shell and FTP password resets were completed Friday evening for shared hosting customers and by Saturday for its VPS customers.

“Due to the fast action we took to reset passwords, we’re not seeing any unusual malicious activity on customer accounts. Our security software and systems are functioning normally.”

DreamHost subsequently posted a security update in which it revealed that the database was accessed using a zero-day exploit; however, the intrusion detection systems alerted DreamHost’s security team, who then identified the means of access and blocked it. After a quick review of the data potentially accessed it appeared that some customers’ FTP and shell access passwords were possibly compromised. This then prompted the hosting company to initiate a forced reset of FTP and shell access passwords.

When asked if DreamHost stores its passwords in plaintext, Simon Anderson, CEO of DreamHost, replied: “Our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”