May 17, 2012

90% of all HTTPS Websites Insecure

(LiveHacking.Com) – SSL Pulse, a new project that monitors the quality of SSL sites across the Internet and reports on its findings, has discovered that 90% of all HTTPS websites are insecure. The project has tested the top 200,000 SSL web sites on the Internet and discovered that nearly 180,000 of them are insecure.

The project measures key features of each site's SSL configuration and ranks the site according to the SSL Server Rating Guide. According to the report, 40% of the world's top SSL sites use 128-bit (or weaker) ciphers for data transfer, and a handful of sites have certificates with keys shorter than 1024 bits.

The biggest weaknesses are insecure renegotiation and susceptibility to the BEAST attack. Over 8,500 sites support insecure renegotiation, which has been considered insecure since 2009. Successful exploitation of this vulnerability allows an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream; the result is that the attacker can impersonate a valid client and steal confidential data.

The SSL Pulse survey reports that 75% of SSL websites are still open to BEAST attacks. A BEAST attack is based on a flaw in the SSL protocol; successful exploitation discloses a victim’s session cookies, allowing the attacker to completely hijack the application session. The flaw was resolved in TLS v1.1, but now, six years later, most clients and servers still do not support the newer protocol versions. To protect against a BEAST attack, servers need to be configured to use TLS v1.1, or to use only RC4 with TLS v1.0 or SSL v3.0.

“About 50% (99,903 sites) got an A, which is a good result. Unfortunately, many of these A-grade sites (still) support insecure renegotiation (8,522 sites, or 8.5% of the well-configured ones) or are vulnerable to the BEAST attack (72,357 sites, or 72.4% of the well-configured ones). This leaves us with only 19,024 sites (or 9.59% of all sites) that are genuinely secure at this level of analysis,” wrote Ivan Ristic, director of engineering at Qualys and creator of SSL Labs.

The project hopes that these startling numbers will raise awareness of these issues and help web site owners improve their SSL implementations.

VMware ESX Source Code Stolen – Starts to Leak onto Internet

(LiveHacking.Com) – VMware has confirmed that the source code for its ESX hypervisor has been stolen and portions of it are starting to appear on the Internet. Iain Mulholland, the Director of the VMware Security Response Center, wrote that they are “aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.”

The hacker, who goes by the name Hardcore Charlie, claims that the code was stolen from the military contractor China National Import & Export Corp (CEIEC); the company has responded that such claims are “totally groundless, highly subjective and defamatory.”

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” added Iain Mulholland. In the same blog post VMware acknowledged that it shares its source code and interfaces with other companies, which seems to lend credence to Hardcore Charlie’s claims about the CEIEC breach.

The header file (vmkemit.h) posted by the hacker carries a 1998 copyright date stamp and defines a set of code-emission macros for the base x86 architecture used by the vmkernel.

Hardcore Charlie published the code in a rather incoherent posting to pastebin that also talks about alleged collusion between CEIEC and Western military and terrorist organisations: “we want to make it clear that CEIEC is engaged in a criminal activity with Ukraine and Russian officials as of supplying Ukraine and Russia with US army information for the terrorists.”

The hacker has also threatened to release the source code for EMC.

Iran Unplugs Oil Export Terminal Computers After Virus Found

(LiveHacking.Com) – Iran has been forced to disconnect some of the computers at its Kharg Island oil processing terminal because of malware. The as-yet-unidentified virus was found inside the control systems of Kharg Island, Iran’s main oil terminal, which handles the vast majority of the country’s crude oil exports. The National Iranian Oil Company (NIOC) said that although it disconnected some computers from the Internet to stop the malware spreading further, the terminal remained operational.

According to the semi-official Mehr news agency, the virus affected computers in Iran’s Oil Ministry and at its national oil company. As a precaution, computers that control some of Iran’s other oil facilities have also been disconnected from the Internet. Mehr also reports that the Iranian authorities have set up a crisis unit which is working to neutralize what they are calling an “attack.”

It looks as if the disruption to Iran’s oil production has been minimal, unlike the international sanctions which, according to Reuters, are forcing the country to use more than half of its supertanker fleet to store crude at sea in the Gulf. The only tangible effect seems to be that the Iranian oil ministry and national oil company websites went offline. This could be due to the mass disconnection or a direct result of the virus; that remains to be seen. According to the BBC, the Ministry website was back online on Monday but the oil company site remained unreachable. The BBC added that an Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack.

Pundits are already drawing comparisons with the Stuxnet computer worm, which hit Iran’s nuclear facilities in 2009 and 2010. Stuxnet specifically targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software, used to control and monitor industrial processes, and can reprogram Siemens’ Simatic PLCs (programmable logic controllers); it is estimated to have destroyed about a fifth of Iran’s nuclear centrifuges in an attempt to delay Iran’s nuclear program. In 2010 William J. Lynn, U.S. Deputy Secretary of Defense, wrote that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix six security vulnerabilities, including two cross-site scripting vulnerabilities and a privilege escalation. The fixes come in two distinct parts: first, three external libraries included in WordPress received security updates, and second, the WordPress core security team fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, changed the way the Flash part of the library works to avoid CSRF issues.

Two other Flash-related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Google Warns 20,000 Webmasters About Possible JavaScript Injections on their Sites

(LiveHacking.Com) – According to Matt Cutts, Google’s friendly public face, the search giant has sent emails to 20,000 webmasters warning them about possible hacker activity on their sites. The “your site might be hacked” message was sent to websites that exhibited unusual redirect behavior.

The message warns webmasters that their “website’s pages may be hacked.” Specifically, Google are worried about JavaScript that hackers have injected into sites to redirect users to malicious sites. Google are advising webmasters to check the site’s source code for any unfamiliar JavaScript, and in particular for any files containing ‘eval(function(p,a,c,k,e,r)’. The malicious code may be placed in any HTML, JavaScript, or PHP file, so Google are asking admins to be thorough in their search.

The JavaScript injection is relatively sophisticated in that the .htaccess file may also have been changed, so that infected sites cloak the hack and show the malicious content only in certain situations.
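The search Google is asking webmasters to carry out can be scripted. The following is an added example, not Google’s tooling: it walks a web root, flags HTML, JavaScript and PHP files that contain the ‘eval(function(p,a,c,k,e,r)’ opener named above, and applies one heuristic for the .htaccess cloaking described in the preceding paragraph (a RewriteCond keyed on the referer or user agent followed by a RewriteRule to an external host). The sample site it scans is constructed inline; the cloaking pattern is an assumption about one common shape, not a complete rule set.

```python
"""
Scan a web root for the packed-JavaScript injection Google warned about and
for .htaccess rules that serve different content to particular visitors.
Added example; the sample files below are constructed for the demo.
"""
import os
import re
import tempfile

# Signature from the Google notice: the opener of Dean Edwards-style packed code.
PACKER_SIGNATURE = b"eval(function(p,a,c,k,e,r)"
SCAN_EXTENSIONS = {".html", ".htm", ".js", ".php"}

# Cloaking heuristic (assumption): a rewrite condition on referer/user agent
# combined with a rule that sends the visitor to another host.
REWRITE_COND = re.compile(rb"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", re.I)
REWRITE_EXTERNAL = re.compile(rb"RewriteRule\s+\S+\s+https?://", re.I)


def scan_file(path):
    """Return a list of finding strings for one file (empty if clean)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    name = os.path.basename(path)
    if name == ".htaccess":
        if REWRITE_COND.search(data) and REWRITE_EXTERNAL.search(data):
            findings.append("htaccess: conditional redirect to external host (possible cloaking)")
    elif os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
        if PACKER_SIGNATURE in data:
            findings.append("packed eval(function(p,a,c,k,e,r) block")
    return findings


def scan_tree(root):
    """Walk root; map relative path -> findings for every file that had any."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results


def build_sample_site(root):
    """Constructed web root: a clean page and script, an injected PHP footer,
    and a cloaking .htaccess. No real payload is included."""
    files = {
        "index.html": b"<html><body><script src='app.js'></script></body></html>\n",
        "app.js": b"function greet(n){return 'hi '+n;}\n",
        "footer.php": (b"<?php echo date('Y'); ?>\n<script>"
                       b"eval(function(p,a,c,k,e,r){/* payload omitted in this sample */})"
                       b"</script>\n"),
        ".htaccess": (b"RewriteEngine On\n"
                      b"RewriteCond %{HTTP_REFERER} .*google.* [NC]\n"
                      b"RewriteRule ^(.*)$ http://example.invalid/ [R,L]\n"),
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, "->", "; ".join(hits))
```

Treat the output as a triage list rather than a verdict: legitimate minified libraries packed with the same packer will match the signature, and the .htaccess heuristic only catches one way of conditioning a redirect. Anything flagged should be compared against a known-good copy of the site before removal, and the vulnerability that allowed the write should be found and fixed as Google’s message says.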

“We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host’s technical support for assistance. It’s also important to make sure that your website’s software is up-to-date with the latest security updates and patches,” wrote Google.

Google has taken proactive action in the past to protect its users. Last year it removed websites hosted on the .co.cc free web hosting service from its search results because such a large percentage of those sites were low-quality or set up only for spam.

Python Happy to put Hash Attack Issues Behind it

(LiveHacking.Com) – The Python development team has released Python 2.7.3 and 3.2.3, fixing Python’s hash-based types to make them immune to the denial of service attacks disclosed at the Chaos Communication Congress in December 2011. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java and Ruby.

The problem is that programming languages that use hash tables, including Python, are susceptible to collision attacks. To work effectively, hash tables require a well-distributed hash function to spread data evenly across the table. The algorithmic complexity of inserting many colliding elements into a table makes it possible to exhaust hours of CPU time and cause a denial of service. Python has two hash-based types, dict and set, and the hashing of Python’s string types, datetime.date and datetime.datetime has been changed to add randomization. This prevents an attacker from computing colliding keys of these types without access to the Python process.
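The cost of colliding keys can be made visible without any real collision-finding. The added example below (not part of the Python release or its test suite) uses a key class whose hash the caller controls, counts how many equality comparisons a dict performs while inserting n keys, and exposes the flag the 2.7.3/3.2.3 releases introduced for checking that hash randomization is on. It relies on one CPython detail: a dict only calls a key’s __eq__ when the stored hash matches, so well-distributed hashes cost zero comparisons while identical hashes cost one comparison per previously stored key.

```python
"""
Quadratic insert cost under hash collisions, and a check that the running
interpreter salts its string hashes. Added example; the Key class is a
constructed stand-in for attacker-chosen strings.
"""
import os
import subprocess
import sys


class Key:
    """A key whose hash is chosen by the caller (constructed for this demo)."""
    eq_calls = 0  # class-wide counter of __eq__ invocations

    def __init__(self, ident, hash_value):
        self.ident = ident
        self.hash_value = hash_value

    def __hash__(self):
        return self.hash_value

    def __eq__(self, other):
        Key.eq_calls += 1
        return isinstance(other, Key) and self.ident == other.ident


def insert_cost(n, colliding):
    """Insert n distinct keys into a dict and return the number of __eq__
    calls made. With colliding=True every key hashes to 0, so the i-th insert
    probes all i earlier keys: total n*(n-1)/2 comparisons. With distinct
    hashes CPython skips __eq__ entirely, because it compares stored hashes first."""
    Key.eq_calls = 0
    table = {}
    for i in range(n):
        table[Key(i, 0 if colliding else i)] = i
    assert len(table) == n
    return Key.eq_calls


def hash_randomization_enabled():
    """True when str/bytes hashes are salted per process. sys.flags.hash_randomization
    was added in 2.7.3/3.2.3 (enabled with -R or PYTHONHASHSEED=random) and is on by
    default from Python 3.3."""
    return bool(sys.flags.hash_randomization)


def hashes_differ_across_runs(sample="abc"):
    """Spawn two interpreters with PYTHONHASHSEED=random and compare hash(sample).
    This is the behaviour behind the release note that dict/set iteration order
    differs between runs. Needs permission to start subprocesses."""
    env = dict(os.environ, PYTHONHASHSEED="random")
    cmd = [sys.executable, "-c", "print(hash(%r))" % sample]
    first = subprocess.check_output(cmd, env=env).strip()
    second = subprocess.check_output(cmd, env=env).strip()
    return first != second


if __name__ == "__main__":
    for n in (100, 1000, 4000):
        print("n=%d colliding=%d distinct=%d" % (n, insert_cost(n, True), insert_cost(n, False)))
    print("hash randomization enabled:", hash_randomization_enabled())
    print("hash('abc') differs across runs:", hashes_differ_across_runs())
```

The quadratic term is the whole attack surface: a request carrying a few hundred thousand keys that collide under a predictable hash function keeps a worker busy for minutes. Randomizing the hash removes the attacker’s ability to predict which keys collide, which is why the fix lives in the hash of str, bytes and the datetime types rather than in dict itself. Code that depended on the old, stable iteration order of dicts or sets will see differences once the flag is on.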

According to the release announcement, “hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it.”

The new versions of Python also update the expat XML parsing library, which had the same hash security issue; the hashing algorithm used in the expat library is now randomized.

The update also fixes some other security related bugs:

  • Issue 14001 / CVE-2012-0845 – A denial of service flaw was found in the way Python’s SimpleXMLRPCServer module processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python SimpleXMLRPCServer-based server process to consume an excessive amount of CPU.
  • Issue 13885 / CVE-2011-3389 – The _ssl module had been disabling OpenSSL’s CBC IV attack countermeasure (the empty-fragment insertion that mitigates BEAST); it no longer does so.

The team also released Python 2.6.8 and Python 3.1.5 as security-fix, source-only releases. The 2.6 and 3.1 series are now in security maintenance mode only, with no further bug-fix releases planned. The Python developers intend to provide source-only security fixes for the Python 2.6 series until October 2013 (five years after the 2.6 final release) and for the Python 3.1 series until June 2014 (five years after the 3.1 final release).

Samba Updated to Close Nine-Year-Old Security Hole

(LiveHacking.Com) – A new version of Samba has been released to fix a nine-year-old security vulnerability that allows remote code execution as the “root” user from an anonymous connection. All versions of Samba from 3.0.x to 3.6.3 are affected. Samba 3.0.x was released in 2003, meaning that the vulnerability has been in the code base for almost a decade.

According to the security advisory, the “code generator for Samba’s remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.” The problem revolves around memory allocation length checks that can be controlled by the connecting client, meaning that a specially crafted RPC call can cause the server to execute arbitrary code.
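The bug class is a marshalling layer that lets a length field from the wire drive an allocation before checking it against anything. The added example below models that in Python with a constructed little-endian wire format; it is not Samba’s PIDL-generated code, and in Python the missing check surfaces as a multi-gigabyte allocation or a truncated read rather than the heap corruption the C version produces. The checked variant shows the two bounds a pull routine needs: a protocol maximum, and the number of elements the remaining bytes can actually hold.

```python
"""
Client-controlled array length in an RPC unmarshalling routine: the vulnerable
shape beside the checked one. Added example with a constructed wire format
(uint32 count followed by count little-endian uint32 values); not Samba code.
"""
import struct


class PullError(Exception):
    """Raised when the wire data does not fit the structure being pulled."""


def pull_u32(buf, off):
    """Read one little-endian uint32 at off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise PullError("buffer too short for uint32 at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def pull_u32_array_unchecked(buf, off):
    """Vulnerable pattern: the count read from the client sizes the allocation
    and drives the copy loop with no comparison against the data actually sent.
    In C this reads or writes past the buffer; here a hostile count of
    0xFFFFFFFF turns into a 16 GiB list before the first value is read.
    Shown for contrast and deliberately never called by the demo."""
    count, off = pull_u32(buf, off)
    values = [0] * count
    for i in range(count):
        values[i], off = pull_u32(buf, off)
    return values, off


def pull_u32_array_checked(buf, off, max_count):
    """Hardened pattern: reject counts above the protocol maximum, then reject
    counts the remaining bytes cannot supply, and only then allocate."""
    count, off = pull_u32(buf, off)
    if count > max_count:
        raise PullError("array count %d exceeds protocol maximum %d" % (count, max_count))
    remaining = len(buf) - off
    # Compare by division rather than multiplying count * 4: in C the product
    # can wrap, which is exactly how an oversized count passes a naive check.
    if count > remaining // 4:
        raise PullError("array count %d needs %d bytes, only %d remain"
                        % (count, count * 4, remaining))
    values = []
    for _ in range(count):
        value, off = pull_u32(buf, off)
        values.append(value)
    return values, off


def encode_u32_array(values):
    """Build a well-formed message for the constructed format."""
    return struct.pack("<I", len(values)) + b"".join(struct.pack("<I", v) for v in values)


def check_request(payload, max_count=1024):
    """Unmarshal one request with the checked routine.
    Returns ('ok', values) or ('rejected', reason)."""
    try:
        values, _ = pull_u32_array_checked(payload, 0, max_count)
        return "ok", values
    except PullError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed samples: a valid 3-element array, a count far above the maximum,
    # and a count inside the maximum but larger than the bytes that follow it.
    samples = {
        "valid": encode_u32_array([1, 2, 3]),
        "huge count": struct.pack("<I", 0x40000000) + b"\x00" * 8,
        "count exceeds data": struct.pack("<I", 5) + b"\x00" * 8,
    }
    for label, payload in samples.items():
        print(label, "->", check_request(payload))
```

The second check matters even when a maximum exists: a count of 5 with eight bytes behind it passes the maximum but would still run the copy loop off the end of the message, which is the over-read half of the Samba flaw. Generated marshalling code should emit both checks for every variable-length field, which is what the advisory describes the code generator failing to do.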

This is the most serious type of vulnerability possible, as it does not require an authenticated connection. Users and vendors are encouraged to patch their Samba installations immediately.

Affected Operating Systems

Samba is the open source implementation of the SMB/CIFS networking protocol used predominantly by Windows. It enables file and print sharing between Windows, Mac OS X, Linux and FreeBSD machines, often comes pre-installed on popular Linux distributions, and is included in Apple’s OS X.

Samba is also included in certain embedded devices such as network storage and media sharing appliances. Because of their embedded nature, a new firmware release from the manufacturer will likely be needed, which in many cases won’t happen. If you use such a device, use it only on a trusted network.

The open source network attached storage solution FreeNAS has been updated to include the fixes. FreeNAS-8.0.4-RELEASE-p1 contains Samba 3.6.4 and can be downloaded from https://sourceforge.net/projects/freenas/files/FreeNAS-8.0.4/

Patch Availability

Patches are now available at http://www.samba.org/samba/security. Samba 3.6.4, 3.5.14 and 3.4.16 have been released to correct the defect, and because of the seriousness of this vulnerability, patches have also been released for all Samba versions currently out of support and maintenance from 3.0.37 onwards.

Exploit Kits Having Success with Recent Java Concurrency Vulnerability

(LiveHacking.Com) – Well-known security blogger Brian Krebs has published an overview of how different exploit kits, including the widely used BlackHole pack, have now integrated exploits for a Java concurrency vulnerability (CVE-2012-0507) that was fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012. According to Microsoft’s Malware Protection Center, new malware samples are coming to light that are proving highly successful at exploiting the flaw. The malware that Microsoft analysed loaded the ZeuS Trojan (PWS:Win32/Zbot.gen!Y), but the exploit kits allow attackers to install malware of their choosing.

The exploit used in the automated kits abuses a vulnerability in AtomicReferenceArray to disable the Java runtime sandbox. The attacker deliberately crafts serialized object data which, because of a logic error (not a memory corruption bug), allows the attacker to run arbitrary code on the victim’s PC. The exploit is very reliable.

Java seems to yield a never-ending supply of new exploits for attackers to use. “On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java,” wrote Krebs. “I have not seen firsthand evidence that proves this 0 day exploit exists, but it appears that money is changing hands for said code.”

According to Marcus Carey, a security researcher at Rapid7, upwards of 60 to 80 percent of users probably have not yet applied the latest Java patches. Over the longer term, research has shown that upwards of 60% of Java installations are never brought up to the current patch level, allowing even older exploits to be used to compromise a victim’s PC.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern: during the first month after a Java patch is released, adoption is less than 10%. After two months, approximately 20% have applied the patch, and after three months maybe more than 30% are patched. They determined that the highest patch rate last year was 38%, reached by Java 6 Update 26 three months after its release.

Congress Warned That Foreign Spies Penetrate US Military Networks

(LiveHacking.Com) – The message delivered to America’s politicians last week, when security experts testified at hearings on cybersecurity held by the US Senate Armed Services Committee, was that it should be assumed that foreign spies have penetrated US military networks. The committee was told that enforcing a perimeter to keep out spies is unsupportable, and that the US should assume its networks have already been fully penetrated. Instead, the committee was told, cyberdefence should be about protecting data, not controlling access.

“We’ve got the wrong mental model here,” said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. “I think we have to go to a model where we assume that the adversary is in our networks.”

As part of a prepared statement to the committee, Dr. Peery said: “A silver bullet for solving the ‘cyber problem’ for DoD, DOE, dot-gov or the private sector does not exist. It is impossible to make an absolutely secure information technology (IT) system.”


Dr. Kaigham Gabriel, current head of the Defense Advanced Research Projects Agency (DARPA), likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean. The DoD oversees 15,000 networks connecting about seven million devices, which presents numerous security challenges. These challenges include:

  • Attackers can penetrate our networks: In just 3 days and at a cost of only $18,000, the Host-Based Security System was penetrated.
  • User authentication is a weak link: 53,000 passwords were provided to teams at Defcon; within 48 hours, 38,000 were cracked.
  • The Defense supply chain is at risk: More than two-thirds of electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries.
  • Physical systems are at risk: A smartphone hundreds of miles away took control of a car’s drive system through an exploit in a wireless interface.
  • The United States continues to spend on cybersecurity with limited increase in security: The Federal Government expended billions of dollars in 2010, but the number of malicious cyber intrusions has increased.

With regards to cyber offense (rather than defense) Dr. Gabriel wrote: “DARPA’s belief is that the Department must have the capability to conduct offensive operations in cyberspace to defend our Nation, Allies, and interests. To be relevant, DoD needs cyber tools to provide the President with a full range of options to use in securing our national interests. These tools must address different timescales and new targets, and will require the integrated work of cyber and electronic warfare at unprecedented levels.”

Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a shortage of talent. Historically the government has lost about one percent of its IT talent annually; this year it is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of NSA staff who leave resign rather than retire; among the NSA’s IT staff, that figure is 77 percent.


CrySyS Lab Updates its Duqu Detector Toolkit to Recognize New Variant

(LiveHacking.Com) – CrySyS Lab has updated its Duqu Detector Toolkit to v1.24, adding new signatures for a new variant of the Duqu malware found by Symantec. The classification of the new variant is based on a file Symantec received; however, it is only one component of the whole Duqu malware (in this case the loader that loads the rest of the malware when the computer restarts). The file is called mcd9x86.sys and has a compile date of February 23, 2012. In an attempt to bypass anti-virus software, the file has been compiled with different options from those used in the previous version. There are also some code changes connected with decrypting the configuration block and loading the malware’s payload.

The Duqu malware has been a topic of constant discussion among security experts since its discovery in October 2011. Recently, while analysing its structure, researchers at Kaspersky Lab concluded that the parts of the code which communicate with the command and control (C&C) servers were written in an unknown programming language. Unlike the rest of the Duqu body, it is not C++ (or Objective C, Java, Python, Ada or Lua). Compared to Stuxnet (which is considered a cousin of Duqu and is written entirely in C++), this unknown language is one of the defining features of Duqu. Further analysis then revealed that the mystery programming language was in fact a custom extension to C, generally called “OO C”, and that these parts of Duqu were written in C and compiled with MSVC 2008 using the special options “/O1” and “/Ob1”.

Duqu Detector Toolkit

The detector uses simple signature-based and heuristic detection techniques to find Duqu infections on a single computer or across a whole network. It can find traces of infections even where components of the malware have already been removed from the system. The Duqu malware got its name from the temporary files it creates, whose names begin with ~DQ; the toolkit also includes a tool to find all Duqu-related temporary files on a system.