Monday, October 18, 2010

Wednesday, October 13, 2010

SAP BusinessObjects Security Patch Released

SAP has released a security patch for certain versions of SAP BusinessObjects for the Axis2 component. According to the US-CERT write-up:

... anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2", this is also the default for standalone Axis2 installations.

For further details please refer to the links below. An exploit is currently available for this.


References:
http://www.kb.cert.org/vuls/id/989719
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf?bcsi_scan_896CC636179ADAAE=0&bcsi_scan_filename=Hacking%20SAP%20BusinessObjects.pdf
https://websmp230.sap-ag.de/sap/support/notes/1432881 (requires login)


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

BlackBerry Attachment Service PDF Distiller Remote Buffer Overflow Vulnerability

RIM has published a bulletin announcing a possible remotely exploitable issue with their Blackberry Attachment Service PDF Distiller. There is no known publicly available exploit code at this time (as of 13 Oct 2010).


References:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24547#


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Oracle October 2010 Patches Released

Oracle has released its October 2010 set of patch. There are 85 total security fixes. 29 of those are for Java.

Several of these fixes address remotely exploitable vulnerabilities. For details please refer to the links below.


References:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html (for Java-related patches)
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, October 6, 2010

New Adobe Reader 9.4 and 8.2.5 Versions Released

Adobe has released versions 9.4 and 8.2.5 of their Acrobat and Reader products. These versions contain fixes for several vulnerabilities - one of which is being actively exploited in the wild.


References:
http://www.adobe.com/support/security/bulletins/apsb10-21.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Hex-Rays Version 1.4 x86 and ARM Decompilers Released

Hex-Rays has released version 1.4 of their x86 and ARM decompilers. The major update is that the decompilers can now be used on the Linux and Apple Mac OS X platforms now. See the link below for a list of all of the fixes and updates.

References:
http://www.hex-rays.com/news1.shtml#101001


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

IDA Pro 6.0 Released

Hex-Rays has released IDA Pro 6.0. The major change is that the GUI for MS Windows, Linux, and Mac OS X are all the same now (Qt framework-based). A complete list of fixes and updates is at the link below.

References:
http://www.hex-rays.com/idapro/60/index.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, September 30, 2010

ISC BIND 9.7.x DoS and Security Bypass Vulnerability

Certain downlevel versions of ISC BIND 9.7 have both a security bypass vulnerability and a denial of service vulnerability. ISC Bind versions 9.7.2 and 9.7.2-P1 are vulnerable. ISC Bind 9.7.2-P2 is not.


References:
http://www.kb.cert.org/vuls/id/784855
https://lists.isc.org/pipermail/bind-announce/2010-September/000655.html
http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, September 20, 2010

MANDIANT Memoryze 1.4.2900 Released

Jamie Butler and friends at MANDIANT have released Memoryze 1.4.2900. This new version supports Windows 7 32- and 64-bit and Windows Server 2008 64-bit. Despite how well the Volatility Framework works with Windows XP, I am fairly certain it has now been firmly relegated to third place behind HBGary Responder and MANDIANT Memoryze in the Windows RAM dump analysis space.


References:
http://blog.mandiant.com/archives/1459


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Adobe Flash Player 10.1.85.3 Released

Adobe has released versions 10.1.85.3 of their Flash player product for Windows, Apple Mac, Solaris, and Linux. This new version contains a security-related update that addresses a vulnerability that is being actively exploited in the wild.

References:
http://www.adobe.com/support/security/bulletins/apsb10-22.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Google Chrome 6.0.472.62 Released

Google Chrome 6.0.472.62 has been released for Windows, Mac, and Linux. The update includes fixes for 3 vulnerabilities, all 3 of which are classified as high or critical.


References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Friday, September 17, 2010

Wednesday, September 15, 2010

Apple Quicktime Player 7.6.8 Released

Apple has released version 7.6.8 of their Quicktime Player for Windows. This version contains security fixes as described in the first link below, including a fix to address the remotely exploitable "_Marshaled_pUnk" vulnerability (for which publicly available exploit code exists).

References:
http://support.apple.com/kb/HT4339


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, September 14, 2010

Google Chrome 6.0.472.59 Released

Google Chrome 6.0.472.59 has been released for Windows, Mac, and Linux. The update includes fixes for 10 vulnerabilities, 6 of which are classified as critical.


References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

New Vulns Used by Stuxnet Patched in Microsoft's Sept 2010 Patches

According to this article by Symantec, it looks like the top countries affected Stuxnet (by infection count) were Iran and some of its closest neighbors geographically. To me, it looks like an intelligence service lost a couple of arrows out of its quiver here. Microsoft is closing one of the vulnerabilites used by Stuxnet in the September 2010 Microsoft monthly patches.

The smart money is on the U.S. or Israel, but I guess the public storyline will never tell us for sure. Nation-state intelligence services cannot wait for a time of war to penetrate and exploit the infrastructure of potential enemies. That type of offensive penetration and espionage activity happens all the time. Like some others, the U.S. is very good at cyber offense and computer network exploitation. It very well could have been us that lost a couple privately held vulns this time around.



References:
http://www.symantec.com/connect/blogs/w32stuxnet-network-information
http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Monday, September 13, 2010

Recent VBmania Mass Mailer Malware Deleted the Windows Automatic Updates Service

It looks like the recent VBmania ("Here You Have" and "Just for You") mass mailer malware deleted the Automatic Updates service from infected machines. Microsoft Automatic Updates, WSUS, and SCCM-integrated WSUS need the Automatic Updates service working to successfully install monthly Microsoft patches and other updates.

It looks like reinstalling the Automatic Updates service fixes the damage on affected machines.  Your antivirus tool won't restore this broken configuration for you.  You will need to do that as a follow up activity after the initial infections have been removed.

A quick way to tell if a machine lost its Automatic Updates service is to run services.msc (Start --> Run --> services.msc --> hit enter).  On a clean and healthy Windows XP machine, you should see an entry like what is circled in red below. 




Below is the disassembly of a portion of the relevant code from the most common variant of the malware referencing the "wuauserv" service name in preparation for disabling that service.  The malware deletes the wuauserv service entirely.   Click the image for a more legible view of the disassembly.



We have prepared a completely silent software deployment package to deploy out through your normal software deployment tool to fix Automatic Updates service instances broken by the VBmania/MM mass mailer worm. A normal reinstallation doesn't work due to the way the malware broke the service.  This fixer package takes care of repairing that damage for you.  This package will work through SCCM, Tivoli, Marimba, CA DSM, ZENworks, or any other software deployment system you might have. You can also PSexec it out silently as required.  Given the serious nature of this problem, we are offering our fixer package for the low price of $50 USD - and that includes whatever follow up email-based support you need for cleanup and to answer any questions you might have about the data and access credential leakage vector this malware has.  As always that is backed by our 100% money back satisfaction guarantee.  Please contact us at sales@sharpesecurity.com if you need any assistance cleaning up after, or if you need help determining if any sensitive data or access credentials leaked during this outbreak.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Wednesday, September 8, 2010

Cisco Patches Vulns for Several Wireless LAN Controllers

Cisco lists the following devices as all being affected by at least one of the vulnerabilities. These devices are commonly found in enterprise environments, so it is likely you need to take action if you are a Cisco shop.

Cisco 2000 Series WLCs
Cisco 2100 Series WLCs
Cisco 4100 Series WLCs
Cisco 4400 Series WLCs
Cisco 5500 Series WLCs
Cisco Wireless Services Modules (WiSMs)
Cisco WLC Modules for Integrated Services Routers (ISRs)
Cisco Catalyst 3750G Integrated WLCs


References:
http://cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Apple iOS 4.1 Released for iPhone and iPod Touch

Apple has released iOS version 4.1. This version includes several security fixes (see link below) alongside many feature updates.


References:
http://support.apple.com/kb/HT4334



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Apple Safari 5.0.2 and 4.1.2 Released

Apple has released security updates and other bugfixes for the Apple Safari 4.1 and 5.0 browser platforms. The latest versions are 5.0.2 and 4.1.2. Some of these security bugs are remotely exploitable according to Apple's release notes (below).


References:
http://support.apple.com/kb/HT4333


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, September 6, 2010

Firefox 3.6.9 Released

Mozilla has released Firefox 3.6.9 This version contains security fixes according to the release notes (below). Firefox 3.5.12 was released as well for those not wanting to move to 3.6.x.


References:
https://wiki.mozilla.org/Releases/Firefox_3.6.9
https://wiki.mozilla.org/Releases/Firefox_3.5.12



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, September 2, 2010

New Security Update in Apple iTunes 10 Released

Apple has released iTunes version 10 (10.0.0.68) for Windows. This release includes several security updates - all in WebKit.

References:
http://support.apple.com/kb/HT4328


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Google Chrome 6.0.472.53 Released

Google Chrome 6.0.472.53 has been released for Windows, Mac, and Linux. The update includes fixes for 14 vulnerabilities, 7 of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, August 26, 2010

Dept of State CISO to Speak at NoVA ISSA Chapter Meeting

If you happen to be near northern Virginia on 16 Sept 2010, you can catch the US Department of State's CISO - John Streufert - speak at the Northern Virginia ISSA chapter meeting. John Streufert is interesting because he and his team are one of the first to break ranks with FISMA and create what they call a "continuous monitoring" security metrics program instead.

I look forward to this presentation.


References:
http://www.issa-nova.org/default.aspx



email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Back to School Special on Fake AV

Emails were found circulating yesterday masquerading as school parking permit receipts. Below is an example:

Parking Permit and/or Benefit Card Order Receipt - 396521 Parking Permit and/or Benefit Card Receipt for Date:Wed, 25 Aug 2010 16:43:59 +0200
Grossmont-Cuyamaca Community College District

Your Credit Card has been charged $40.00.
"GROSSMONT-CUYA PARKING" will appear on your credit card statement.

A summary of the contents of your order are shown below.
Please note that each item will be mailed individually.

------------------------------------------------------------------------
Order # Description Amount
------------------------------------------------------------------------
0GU843621 Student Fall Permit - # 081821 40.00
------------------------------------------------------------------------
TOTAL: 40.00

Please find attached invoice

Being timed so close to the start of the new school year in the US, a few people fell for this and tried to open up the HTML file attachment that accompanied the email. In this example, the attachment contained obfuscated Javascript that to pointed
http://enjoyyourhaircut (dot) com/5 (dot) html. That page redirected to http://conspalopi (dot) cz (dot) cc/scanner10/?afid=24, which in turn tried to sell you a copy of "My Windows Online Scanner".

According to this article, this was part of a much larger spam campaign.


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, August 24, 2010

Adobe Shockwave Player 11.5.8.612 Released

Adobe addresses 20 security issues in this update. The 20 relevant CVEs are listed in the link below.

Adobe Shockwave player is a relatively easy upgrade to deploy, just remember to make sure all old versions of the player software get removed so that follow up vulnerability scans and your software asset inventory data are clean and show only fully patched versions.

References:
http://www.adobe.com/support/security/bulletins/apsb10-20.html


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Friday, August 20, 2010

Google Chrome 5.0.375.127 Released

Google Chrome 5.0.375.127 has been released for Windows, Mac, and Linux. The update includes fixes for nine vulnerabilities, six of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/08/stable-channel-update_19.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, August 19, 2010

Writing a Social Media Policy

There are lots of ways to product a viable social media policy document. This article lays out one simple template. The links in the references section show other methods and ideas for accomplishing the same thing.

EXAMPLE
Policy
A broad general statement saying you disallow social media goes here if you don't allow it at all. Otherwise, say that you permit the use of social media within certain guidelines. Specifically mention that people covered by this policy must protect themselves and the organization's shareholders, brand, reputation, and assets. Indicate what actions failure to comply with the policy might result in.


Procedures
Briefly describe what social media is here. Cover blogs, message boards, wikis, Facebook, etc here.

Restate your organizations view on social media use here.

IMPORTANT - If you have any regulatory requirements or guidelines that impact your employees' use of social media, SPELL THOSE OUT HERE. You should check with your Legal, HR, and all relevant IT and business management to identify what applies to you. For examples, in some industries use of social media can be considered advertising if products or services are mentioned.


List our your DOs and DONTs:
Example DOs
1. Remind people of other related company policies here
2. Remind people that they are solely responsible for any legal liability arising from or related to what they post online. Remind official company spokepersons of their special requirements when speaking online.
3. Do say that if commenting on some aspect of the organization, identify yourself as an employee and include a disclaimer.



Example DONTs:
1. do not disclose confidential or proprietary information.
2. do not disparage other people (customers, coworkers, etc) or any other company (suppliers, business partners, etc)
3. do not use the organization's logos or trademarks without permission


Any closing legalese and a reminder that the policy has teeth can go here.



Some other good advice can be found in the links below:

References:
[Online policy creation tool]: http://socialmedia.policytool.net/
http://www.inc.com/guides/2010/05/writing-a-social-media-policy.html
http://socialmediagovernance.com/policies.php
http://mashable.com/2009/04/27/social-media-policy/




email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Adobe Reader 9.3.4 and 8.2.4 Released for Windows and Apple Mac

Included in the changes in these releases are a fix the security issue reported last month by Charlie Miller at the Black Hat USA 2010 conference.

The GDI object leak problem described here is still present in this latest release of Adobe Reader.

References:
http://www.adobe.com/support/security/bulletins/apsb10-17.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Saturday, August 14, 2010

Have You Scanned Your Network for Any Vulnerable VxWorks Devices Yet?

VxWorks is an embedded operating system found on a wide variety of devices – including some things commonly found on enterprise networks like network storage devices, printers, external RAID controllers, and some other types of control devices. You should probably scan your networks using something like the new VxWorks scanning facility in Metasploit to be assured that you don't have any vulnerable devices on your network. The links below will help you get started.


References:
Description of current issues with VxWorks:
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

US-CERT advisory
http://www.kb.cert.org/vuls/id/362332

Wikipedia link describing VxWorks - includes list of some known VxWorks-based devices
https://secure.wikimedia.org/wikipedia/en/wiki/VxWorks


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, August 12, 2010

Apple Quicktime Player 7.6.7 Released

Apple has released version 7.6.7 of their Quicktime Player for Windows. This version contains a security fix as described in the first link below.

References:
Security content: http://support.apple.com/kb/HT4290
Download location: http://support.apple.com/kb/HT1222


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, August 11, 2010

Apple iOS 4.0.2 Released for iPhone and iPod Touch. 3.2.2 for iPad

Apple has released iOS version 4.0.2 for the iPhone and iPod Touch. Version 3.2.2 was released for the iPad. These releases fix the two vulnerabilities exploited by jailbreakme.com.


References:
http://support.apple.com/kb/HT4291
iOS 4.0.2 for iPhone 4
iOS 4.0.2 for iPhone 3GS
iOS 3.2.2 for iPad



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, August 10, 2010

Adobe ColdFusion Security Update Released

Adobe has released a security update for ColdFusion. The issue affects ColdFusion versions 9.0.1, 9.0, 8.0.1 and 8.0. The update patches for each version are available at the second link below.

References:
http://www.adobe.com/support/security/bulletins/apsb10-18.html
http://kb2.adobe.com/cps/857/cpsid_85766.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

AdobeFlash Media Server 3.5.4 or 3.0.6 Released

Adobe has released versions 3.5.4 and 3.0.6 of their Flash Media Server software. These new versions contain security-related updates according to the release notes.

References:
http://www.adobe.com/support/security/bulletins/apsb10-19.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Adobe Flash Player 10.1.82.76 and 9.0.280 Released

Adobe has released versions 10.1.82.76 and 9.0.280 of their Flash player product. These new versions contain security-related updates according to the release notes.

References:
http://www.adobe.com/support/security/bulletins/apsb10-16.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Friday, August 6, 2010

New FoxIt Version 4.1.1.0805 Released - Contains Security Fixes

According to the release notes, version 4.1.1.0805 of the Foxit Reader fixes a bug (new iPhone/iPad jailbreak issue) that can be used to remotely exploit a victim machine.

References:
http://www.foxitsoftware.com/announcements/2010861227.html
Download location: http://www.foxitsoftware.com/pdf/reader/addons.php


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Security Fix Released for Citrix ICA Client

Citrix has released a fix for a remotely exploitable vulnerability in ICA Client versions 12.0.0.6410 and 11.2.0.31560 and all versions of the Online
Plug-in for Windows for versions less than 12.0.3. Citrix recommends upgrading affected client installations to the latest version - which is currently 12.0.3.


References:
http://seclists.org/fulldisclosure/2010/Aug/50
http://citrix.com/English/ss/downloads/details.asp?downlaodld=2301299&productId=186


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, August 5, 2010

New Adobe Reader Version due out Week of 16 - 20 August 2010

Adobe has announced that a security update will be released in the form of a new Adobe Reader version sometime in the week of 16 - 20 August 2010.

References:
http://www.adobe.com/support/security/bulletins/apsb10-17.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

New NBISE Infosec Certs

I am surprised to see supportive comments from SANS' Alan Paller in the threatpost.com link below, given that SANS might lose a profitable revenue stream from its own GIAC certification program if NBISE is successful in its goal "to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups". From the second and third links below, I see Alan Paller listed as a board member for NBISE.

Are these proposed new NBISE certs intended to replace those from GIAC? Is this a signal from Dr. Paller that we shouldn't obtain new or renew old SANS/GIAC certs going forward?


References:
http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510
https://prodnet.www.neca.org/publicationsdocs/wwpdf/71210natboard.pdf
http://nbise.org/leadership.php/


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, July 29, 2010

Major Oil Company Data Leaked By Service Provider at Black Hat USA 2010 Conference

At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company's domain. According to the detailed, 39-page report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft Word could read the report in full.

The file was inadvertently distributed on USB keys provided to some attendees.

I guess the lesson here is that, as a service provider, you must take every absolutely every precaution to safeguard customer data.

As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or as @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online for download.

Essentially the process used was fairly standard for such a insider threat type pentest:
1). gain access to an internal Windows client
2). stop the client's AV
3). identify candidate local admin accounts on that client to compromise
4). use fgdump to extract the password hashes from those accounts
5). use rcrack to convert those hashes to cleartext passwords
6). identify which of those accounts get used on all windows client builds
7). NET VIEW to get a list of usernames and machines in target domain
8). NET GROUP "domain admins" /domain to get list of candidate domain admins
9). Use results of steps 7 and 8 to pivot to client machines of domain admin. Steps below show how.
10). attack a domain admin's client machines using the Metasploit Framework’s incognito token impersonation utility to obtain access to that domain admin's privilege level.
11). accessed the domain admin client machine with local admin privileges over the admin$ pipe to upload the Metasploit Meterpreter. This allowed full control over the client machine, with local admin privileges as one of the shared local admin accounts taken in steps 3-5. The psexec module in Metasploit to conduct the attack. This allowed a binary to to be uploaded inside of a process and reside in memory for the duration of the attack.
12). use the Metasploit incognito commands to list out available tokens to impersonate. Impersonating the the target domain admin user and create a new account in the “domain admins” group to demonstrate the successful compromise of the target Windows domain.
13). dump every username and password hash on the domain controller using “fgdump.exe” for later offline cracking using rcrack
14). This should be enough to access any machine or data in the domain.



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, July 27, 2010

Google Chrome 5.0.375.125 Released

Google Chrome 5.0.375.125 has been released for Windows, Mac, and Linux. The update includes fixes for five vulnerabilities, three of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, July 26, 2010

Firefox 3.6.8 Released

Mozilla has released Firefox 3.6.8 This version contains security fixes according to the release notes (below).


References:
http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, July 21, 2010

Dell Confirms Malware in Some PowerEdge Motherboard Firmware

Dell confirms malware is present in the firmware in some PowerEdge motherboards. No further details are available at this time beyond what is in the link below. If someone has a copy of the problematic firmware image and can send that to me, I will reverse the malware and post the results here. My contact information is below.


References:
http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Possible End to Adobe Reader Upgrade Hamster Wheel

Adobe has announced that the next major version of their Adobe reader product will contain "Adobe Reader Protected Mode" or sandboxing.

From Adobe's description of the new feature:

"The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of Adobe Reader, we plan to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer."


References:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://krebsonsecurity.com/2010/07/adobe-sandbox-will-stave-off-reader-attacks/



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Firefox 3.6.7 and 3.5.11 Released

Mozilla has released Firefox 3.6.7 and 3.5.11. These versions contain security fixes and other changes as outlined in the links below.


References:
http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.11/releasenotes/



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, July 20, 2010

CFCE Forensics Cert Open to People Outside of Law Enforcement?

From http://www.iacis.com/news/view/33:

"The IACIS Membership recently voted to open certification programs to non-members or those who do not qualify for membership. Therefore, the Certified Forensic Computer Examiner (CFCE) Certification will be available to applicants of the computer/digital forensics community who qualify. A comprehensive background check will be required, and we will provide more details as they become available. Please check back often as the program is unveiled".



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, July 19, 2010

Microsoft Office 2003 and 2007 SKU Uninstall Strings

For the software packagers out there who need this type of list, the following command lines are provided as a reference can be used to silently uninstall updates from the various Office 2003 and 2007 SKUs. Please test these on a test machine before using them in any production environment.

%windir%\System32\msiexec.exe /package /uninstall {8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A} /QN /L*V %temp%\KB980373_Uninstall.log

%windir%\System32\msiexec.exe /package /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A} /QN /L*V %temp%\KB980376_Uninstall.log

Office 2003 Product Codes (see KB832672 for related info):

Office 2003 Standard
{90120409-6000-11D3-8CFE-0150048383C9}

Office 2003 Professional Edition
{90E30409-6000-11D3-8CFE-0150048383C9}

Office 2003 Enterprise
{90110409-6000-11D3-8CFE-0150048383C9}

Office 2003 Small Business Edition
{90CA0409-6000-11D3-8CFE-0150048383C9}

Office 2007 Product Codes (see KB928516 for related info):

Office 2007 Standard
{90120000-0012-0000-0000-0000000FF1CE}

Office 2007 Enterprise
{90120000-0030-0000-0000-0000000FF1CE}

Office 2007 Professional
{90120000-0014-0000-0000-0000000FF1CE}

Office 2007 Professional Plus
{90120000-0011-0000-0000-0000000FF1CE}

For example, the following two command lines are specific to Office 2003 and Office 2007 Standard and would remove patch MS10-045:

%windir%\System32\msiexec.exe /package {90120409-6000-11D3-8CFE-0150048383C9} /uninstall {8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A} /QN /L*V %temp%\KB980373_Uninstall.log

%windir%\System32\msiexec.exe /package {90120000-0012-0000-0000-0000000FF1CE} /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A} /QN /L*V %temp%\KB980376_Uninstall.log



If you need any assistance with this or any other software packaging/repackaging project, please don't hesitate to contact us:
email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

HP OpenView Network Node Manager Vulnerability

Exploit code has been made publicly available for a vulnerability (CVE-2010-1964) in HP OpenView Network Node Manager. HP has stated that this vulnerability could potentially be remotely exploited.


References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
http://www.zerodayinitiative.com/advisories/ZDI-10-108/
http://www.exploit-db.com/exploits/14256/
http://cve.mitre.org/cgi-bin/cvename.cgi?




email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Windows XP SP2 32-Bit, Windows 2000 Off Support

As a reminder, starting after 13 July 2010 (unless you have purchased Microsoft Custom Support) you will no longer receive patches for the following Microsoft products:

- Windows XP Service Pack 2 (32 bit only. XP 64-bit remains under support through April 2014)
- Windows 2000 Server and Professional
- Microsoft Office 2007 Service Pack 1



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Vulnerability in IBM SolidDB

IBM has released a fix for IBM solidDB to address a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by an unauthenticated remote attacker to execute arbitrary code and potentially gain administrative access. The relevant Fix Pack is available from the second References section link below.

From IBM's bulletin:
"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM solidDB. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the solid.exe process which listens by default on TCP port 1315. The code responsible for parsing the first handshake packet does not properly validate the length of the username field. By crafting an overly long value in the request an attacker can exploit this to execute arbitrary code under the context of the SYSTEM user."


References:
http://www.zerodayinitiative.com/advisories/ZDI-10-125/
http://www-01.ibm.com/support/docview.wss?uid=swg21439148&myns=swgimgmt&mynp=OCSSPK3V&mync=R


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

PHP Unserialize() Vulnerability

A vulnerability in the PHP unserialize() function was announced at the SyScan 2010 security conference. Proof of concept exploit code has been published publicly. PHP developers have committed a fix to their source code repository (see link below), but have not released an offical fix as of this writing.

Affected versions:
PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2


References:
http://nibbles.tuxfamily.org/?p=1837
http://svn.php.net/viewvc?view=revision&revision=300843
http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-freevulnerability/


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

New Security Update in Apple iTunes 9.2.1 Released

Apple has released iTunes version 9.2.1. This release contains one security patch.

From http://support.apple.com/kb/HT4263 :
"Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of "itpc:" URLs. Accessing a maliciously crafted "itpc:" URL may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking."


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, July 15, 2010

New USB Threat - Link Files

According to this article, there appears to be a newly discovered threat affecting Windows 7 from USB devices NOT related to autorun or autoplay. This one has to do with viewing .LNK files through the Windows GUI.

The major AV companies already have samples are releasing definitions for the known variants. For example, Symantec detects the malware as W32.Temphid and released that detection on 13 July 2010.


References:
http://anti-virus.by/en/tempo.shtml
http://en.securitylab.ru/viruses/395815.php


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, July 14, 2010

Gregory Evans - Ligatt allowed to speak at HTCIA conference

As a HTCIA member, I think I am slightly ashamed of this.

"Gregory Evans Why Cybercrime Pays from an Ex-Computer Hacker's Perspective "

UPDATE 29 July 2010 - HTCIA reports that LIGATT's Gregory Evans has been removed from the speaker's list. HTCIA (eventually) did the right thing. I am happy again.

References:
http://twitter.com/HTCIA
http://www.htciaconference.org/speakers.shtml



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, July 13, 2010

Oracle July 2010 Quarterly Patches Released

Oracle has released their July 2010 quarterly patches. Oracle indicates that, for some of the products affected, several of these vulnerabilities may be remotely exploitable without authentication.


References:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

July 2010 Microsoft Monthly Patches Released

Microsoft has released the July 2010 monthly patches. This set includes a fix (MS10-042) for the vulnerability that Tavis Ormandy released a few weeks ago that caused a bit of a media storm and controversy about disclosure. Public exploit code exists for that vulnerability.


References:
https://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Microsoft Exchange Server 2007 OWA CSRF Exploit Code Released

Exploit code has been published for a CSRF vulnerability in Microsoft Exchange Server 2007 Outlook Web Access. Early reports indicate that Microsoft has fixed the underlying bug in Service Pack 3 for Exchange Server 2007. Whether or not Exchange 2003 is affected is unknown at this time.

References:
http://www.securityfocus.com/bid/41462/
http://www.exploit-db.com/exploits/14285/
http://sites.google.com/site/tentacoloviola/pwning-corporate-webmails



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Sunday, July 11, 2010

Default Writable SNMP Community Names Vuln in Cisco Industrial Ethernet 3000 Series Switches

Cisco Industrial Ethernet 3000 (IE 3000) Series switches running IOS versions 12.2(52)SE or 12.2(52)SE1 have vulnerability where the SNMP "public" and "private" community names are hard-coded for both read and write access.

Vendor workaround and upgrade information is at the link below.


References:
http://www.cisco.com/warp/public/707/cisco-sa-20100707-snmp.shtml



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, July 7, 2010

Google Chrome 5.0.375.99 Released

Google Chrome 5.0.375.99 has been released for Windows, Mac, and Linux. The update includes fixes for nine vulnerabilities, four of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, June 30, 2010

Hex-Rays x86 and ARM Version 1.3 Decompilers Released

Hex-Rays has released version 1.3 of their x86 and ARM decompilers. There are numerous bugfixes in each. Please refer to the links below for details.


References:
http://www.hex-rays.com/news1.shtml#100628
http://www.hex-rays.com/hexcomp13.shtml



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

IDA Pro 5.7 Released

IDA Pro 5.7 has been released. The full list of updates and bugfixes is in the references link below.

Highlights in version 5.7 include:
- Scripted plugins can be implemented in Python or IDC.
- Scripted processor modules be implemented in Python or IDC.
- Improvements for iPhone/iPad file analysis in the form of additional ARM module/Mach-O file format features.
- You can now define your own data types.
- The PDB plugin now works without having to install a full copy of Microsoft Visual Studio.


References:
http://www.hex-rays.com/idapro/57/index.htm

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, June 29, 2010

Opera 10.54 Released for Windows

Since Opera now has over 2% of web browser market share, we are initiating coverage of the Opera web browser platform.

Version 10.54 of Opera has been released. It includes 5 security bugfixes.


References:
http://www.opera.com/docs/changelogs/windows/1054/



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Adobe Releases Reader/Acrobat 9.3.3 and 8.2.3

Adobe has released Reader/Acrobat versions 9.3.3 and 8.2.3. These updates include 17 security-related fixes including one related to Flash content embedded in PDFs that has been exploited in the wild.

/Launch actions are also defaulted to off starting with this release. If you enable /Launch, then the warning the user sees is much improved.

The GDI object leak and crash problem described here remains unfixed.

References:
http://www.adobe.com/support/security/bulletins/apsb10-15.html
http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, June 28, 2010

Apple iOS 4 Released for iPhone

Apple has released iOS 4. This new version of Apple iOS contains fixes for over 60 vulnerabilities.

References:
http://support.apple.com/kb/HT4225


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, June 23, 2010

Monday, June 21, 2010

Cisco Announces End-of-Sale and End-of-Life for Cisco Security Agent Product Line

Cisco has announced end-of-life for the Cisco Security Agent product line. The relevant timelines and other details related to the drawdown are at the link below.

From the article:

"There is no replacement available for the Cisco Security Agent at this time.

Cisco's network security product portfolio has complementary security technologies, such as Cisco Intrusion Prevention Systems,Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco IronPort Email and Web gateways. Please contact your Cisco account team for more information on these products. While there is no direct Cisco Security Agent replacement product from Cisco, many endpoint security products are available from a wide variety of third-party vendors. We expect that customers will want to do their own due diligence in choosing a replacement product that best meets their needs".


References:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

New Samba Remote Root Vulnerability

Versions 3.0.x - 3.3.12 of Samba have a vulnerability that allows remote root level access. Version 3.4.0 and higher isn't vulnerable.

References:
http://www.samba.org/samba/security/CVE-2010-2063




email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, June 17, 2010

Security Updates in New Apple iTunes 9.2 Release

There are security updates in Apple's iTunes 9.2 release affecting Windows XP, Vista, and Windows 7. Details are in the link below.

References:
http://support.apple.com/kb/HT4220



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, June 15, 2010

New OpenOffice Release Fixes Two Security Issues

OpenOffice has released a new version that addresses two vulnerabilities.

References:
http://www.openoffice.org/security/cves/CVE-2009-3555.html
http://www.openoffice.org/security/cves/CVE-2010-0395.html



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Was Tavis Ormandy's Disclosure Irresponsible?

Regarding Tavis Ormandy's recent disclosure of a vulnerability in Windows Help and Support Center, my understanding is that there are five basic paths to take when you have a valid vulnerability to disclose. They are enumerated below. In short, I think Tavis Ormandy went down the RFPv2 path, and thus was within his rights to disclose when he did assuming that Microsoft didn't in fact reply to him within the 5 days allowed.

As a corporate defender, I would prefer that researchers not take such an aggressive stance with disclosure, but my point is that what he did might have long-standing precedent.

1). CERT/CC - Public disclosure happens within 45 days of the vulnerability being reported to CERT/CC. CERT/CC notifies the vendor per their own process.

2). Full Disclosure Policy (Rain Forest Puppy policy version 2 - RFPv2) - Reporter of problem contacts the software vendor directly. The vendor is allowed 5 days to reply. If the vendor does reply within the 5 day time window, then a disclosure schedule should be agreed upon by both parties. After that, the vendor should provide updates every 5 days. The wording of the disclosure should be agreed upon by both parties. if the vendor does not reply back with 5 days of the initial contact, the reporter of the problem is free to disclose.

3). OIS (Organization for Internet Safety) - Finder submits a VSR (Vulnerability Summary Report). Vendor can choose to do a partial public disclosure at this point if they wish. The vendor must respond directly to the finder within 7 days. If the vendor doesn't respond in 7 days, then the finder must submit again, and the vendor gets another 3 days to reply. if the finder doesn't get a reply after this final 3 days, the finder is OK to publicly disclose.

4). Go through a vulnerability broker like Verisign iDefense VCP or TippingPoint ZDI and follow whatever policy that broker uses.

5). Sell directly to a private buyer. Many governments - including the U.S - purchase vulnerabilities for their own purposes.

Having served as an intermediary before, I can tell you that this process sometimes isn't a walk in the park. I am not saying anyone is right or wrong, but I am saying that what he did isn't new and maybe he is being singled out unfairly in the media.

UPDATE 13 July 2010 - Microsoft has released a fix for this vulnerability in July 2010 patch MS10-042.


References:
http://www.microsoft.com/technet/security/advisory/2219475.mspx
UPDATED 13 July 2010 http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, June 10, 2010

Microsoft Security Updates for Apple Mac Office 2004 and 2008

Microsoft has released updates for Apple Mac Office 2004, Mac Office 2008, and Open XML File Format Converter for Mac software. These updates includes fixes for some security vulnerabilities.


References:
Description of the Microsoft Office 2004 for Mac 11.5.9 Update: http://support.microsoft.com/kb/2028866

Download Microsoft Office 2004 for Mac 11.5.9 Update: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=16c71ab8-9284-407a-856a-93c67995f125

Description of the Microsoft Office 2008 for Mac 12.2.5 Update: http://support.microsoft.com/kb/2028864

Download Microsoft Office 2008 for Mac 12.2.5 Update: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=d46255bd-6470-4106-9fe2-ea67acd3f1bd

Download Open XML File Format Converter for Mac 1.1.4: http://www.microsoft.com/downloads/details.aspx?FamilyID=4c5487d5-c912-4087-8c83-769e3fb78ea9&displaylang=en



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, June 9, 2010

Google Chrome 5.0.375.70 Released

Google Chrome 5.0.375.70 has been released for Windows, Mac, and Linux. The update includes fixes for 11 vulnerabilities, 9 of which are classified as critical

References:
http://googlechromereleases.blogspot.com/2010/06/stable-channel-update.html


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, June 8, 2010

Apple Releases Security Updates for Safari 4.1 and 5.0

Apple has released security updates and other bugfixes for the Apple Safari 4.1 and 5.0 browser platforms. Some of these security bugs are remotely exploitable according to Apple's release notes.

References:
http://support.apple.com/kb/HT4196



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Upcoming Adobe Flash and Adobe Reader/Acrobat security patches for Windows and Mac platforms

Adobe has announced that the next Flash player update is due out on 10 June 2010. This affects Windows and Mac.

The Adobe Reader/Acrobat update is due out 29 June 2010. This also affects Windows and Mac. Adobe also said that the normal quarterly update due out 13 July 2010 won't happen due to this out-of-band release.

UPDATE 09 June 2010 - Proof of concept code was made available here: http://www.exploit-db.com/exploits/13787/. Please be aware that the PoC provided at that link is live malicious code, so handle with caution.

UPDATE-2 10 June 2010 - Adobe released Flash player 10.1.53.64 fixing not only the one known problem, but 32 separate vulnerabilities.

References:
http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html
http://www.adobe.com/support/security/advisories/apsa10-01.html



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Monday, June 7, 2010

U.S. Military Intelligence Analyst Arrested for Data Leakage

This Wired article discusses a U.S. Army intelligence analyst being arrested for leaking classified and other sensitive information to Wikileaks.

A quote from the Wired article:
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga’, erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis… a perfect storm.”

Manning told Lamo that the Garani video was left accessible in a directory on a U.S. Central Command server, centcom.smil.mil, by officers who investigated the incident. The video, he said, was an encrypted AES-256 ZIP file.

Some thoughts spring to mind:
1). Why did it take so long for him to get caught? Why couldn't the DoD and US Military tell exactly who touched the video that got released by Wikileaks as "Collateral Murder" in February 2010?
2). Why weren't there procedures in place to catch rogue IT system administrators and analysts browsing for files they don't need to see?
3). While it was good that the investigators encrypted and password-protected the helicopter attack video, why wasn't the password on the encrypted AES-256 ZIP file housing the video uncrackable? My understanding is that the US government password length and complexity requirements get dramatically better for Top Secret content. I shouldn't be able to drop the ZIP into a copy of Passware and just wait a while for the password to get displayed in front of me.

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Sunday, June 6, 2010

New Adobe Flash, Reader, Acrobat Vulnerability

Adobe announced a new vulnerability in its Adobe Flash and Adobe Reader/Acrobat products. There is no patch available as of this writing. The scope of the exploitation attempts isn't known at this time. The CVE number assigned is CVE-2010-1297.

For now, we will need to rely upon AV for protection. The major AV vendors started releasing definitions over the weekend. For example, Symantec has released definitions (detected as Trojan.Pidief.J) for the known exploits for the Adobe Flash, Reader, and Acrobat vulnerability.

References:
http://www.adobe.com/support/security/advisories/apsa10-01.html
http://www.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, June 2, 2010

Security Bug Fixes in OpenSSL 1.0.0a Release

Two security holes in OpenSSL were fixed in the 1.0.0.a and 0.9.8o releases. These updates CVE-2010-1633 and CVE-2010-0742. The download tarballs are here.

References:
http://www.openssl.org/news/secadv_20100601.txt



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Preparing for Apple Mac Malware

This SANS ISC article (http://isc.sans.org/diary.html?storyid=8890)
got me thinking again about the reality of Mac malware. What are
people using for AV scanning for Mac executables at their web and mail
gateways? As Macs increasingly make their way in the enterprise and
Apple continues to improve its market share, I assume that eventually
we will need to supplement host-based AV scanning on the Macs with
gateway-based AV defensive layers - just like we did to protect our
Windows endpoints.

What should we block at the web and email gateway level - all .DMG file, .PKG files, and OS X/MACH-O executables?


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Thursday, May 27, 2010

Google Chrome 5.0.375.55 Released

Google has announced the release of Google Chrome 5.0.375.55 here.

From a risk perspective - as of this writing - the latest version of Google Chrome with known publicly available remote exploit is version 4.1.249.

References:
http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Review of Apricorn Aegis Padlock Hardware Encrypted Drives

There don't appear to be a large number of viable solutions available for secure hardware-encrypted hard external drives. I used to recommend the Maxtor BlackArmor for this type of application, but those are no longer available. The Seagate BlackArmor drives are NOT hardware-encrypted - so don't be fooled by the continued and confusing reuse of the BlackArmor name.

The best choice on the market right now appears to be the Apricorn Aegis Padlock drives. These drives offer features and security comparable to the Ironkey or Kanguru Defender/Elite USB thumbdrives, but in an external USB drive form factor.


Pros
1). Works with both Windows and Apple Mac (including Time Machine - you have to reformat drive for Mac use)
2). No special software required on client endpoint for either Windows or Mac
3). Has support for IT admin passkey and several user passkeys.  So an IT admin can recover data in case the user forgets their password or leaves the company.
4). No admin rights required on Windows for normal use, but is needed for initial setup

Cons
1). Not currently FIPS certified from what I can tell
2). 6-16 character password means keyspace is a a little small. This is mitigated by the brute force protections the drive has.
3).  Only has only USB connector and the cable is short.  Drives does come with longer Y-cable in the box.
4).  No enterprise management console is available if you are looking to manage and support a fleet of these.

Amazon has good prices on these. Links (affiliate tagged) to the 128- and 256-bit versions of the three largest capacity drives available right now are below:


















email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Wednesday, May 26, 2010

Restaurant Credit Card Skimming Alive and Well

From http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052302921.html:


"Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in the District allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities say.

Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to "skim" the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards and later used to buy gift cards and merchandise in the Washington area, according to court records in U.S. District Court in Alexandria. "

The $40 street rate per stolen card quoted here for known good cards is much higher than the bulk rate for credit card data collected through mass malware infections.

This is an example of why I always pay in cash as much as possible in places like this. As economic conditions possibly worsen over time, I would expect to see more activity like this.


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, May 25, 2010

Oracle Java SE and Java for Business 'MixerSequencer' Remote Code Execution Vulnerability

From SecurityFocus:

"Oracle Java SE and Java for Business are prone to a remote code-execution vulnerability affecting the 'Sound' component.

Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition."

References:
Descritpion - http://www.securityfocus.com/bid/39077/discuss
PoC exploit code - http://www.securityfocus.com/bid/39077/exploit
List of affected versions - http://www.securityfocus.com/bid/39077/info


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Update to Java for Mac OS X

Given the growing use of Apple products in the enterprise, I will start covering Apple vulnerabilities in this blog. Apparently, Apple is here to stay in the enterprise.

Apple has recently released updates to Java for Mac OS X. These patches address several vulnerabilities. The worst one potentially allows an attacker to break out of the Java sandbox and execute code through an untrusted applet.

References:
http://support.apple.com/kb/HT4170

http://support.apple.com/kb/HT4171


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

New Security Patches in Latest PostgreSQL Release

An update to PostgreSQL has been released that addresses several bugs including two security vulnerabilities. The patches in this release address a privilege escalation issue and another problem that allows an attacker to run arbitrary tcl scripts through the pltcl_modules table.

Even if you don't have PostgreSQL in production, your developers might have stood up PostgreSQL instances internally as a cost-saving measure for their own development and test platforms.


References:
http://www.postgresql.org/about/news.1203


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Patch Released for IBM AIX rpc.pcnfsd Integer Overflow Vulnerability

IBM has released a patch for the AIX rpc.pcnfsd integer overflow vulnerability. According to IBM, the vulnerability in the rpc.pcnfsd service could potentially be exploited to execute arbitrary code and this could be done by sending malicious RPC requests over the wire.

UPDATE 28 May 2010 - This bug also affects HP-UX and SGI IRIX.

References:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088

http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.asc

http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02115103



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Security Updates in Fix Pack 31 for IBM Websphere 6.1 Released

Fix Pack 31 for IBM Websphere Application Server 6.1 has been released. According to IBM, the patched vulnerabilities are possible denial of service and information disclosure holes. The list of all security and bug fixes are in the link below.

References:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27007951


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Sunday, May 23, 2010

New US Law Regarding CallerID Spoofing

The US Congress has passed a law making certain types of malicious use of CallerID spoofing a felony. Please refer to the text of the new law for the specifics.

The law exempts law enforcement agencies, so the investigative technique described here remains valid for exempted US agencies. Below is the text describing the LE exemption:

"LAW ENFORCEMENT EXCEPTION.— This section does not prohibit lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of title 18, United States Code."

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Wednesday, May 12, 2010

Impact of SSDT Argument Substitution Attacks (KHOBE)

A report was released recently describing "SSDT Argument Substitution Attacks" against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php.

In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx).

"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

Of the security products vendors that have issued responses to this report so far, I believe this law is a recurring theme in their replies. If a KHOBE attack has gotten past your layered defenses and is running on your endpoint, then you already have malcode running on the endpoint. The other point the AV vendors are making is that other defensive layers (i.e. HIPS/HIDS and newer reputation-based protection endpoint security technologies ) should help with the detection and prevention.

The statements made by some in the media about KHOBE not affecting Vista SP1 and above and Windows 7 due to Microsoft's Kernel Patch Protection (Patchguard) is only true of 64-bit versions of those operating systems - not 32-bit versions.

Once we as an industry have swallowed Windows 7 32-bit and migrated the entire software ecosystem around Windows to work properly alongside the security improvements in Windows 7 32-bit, is it time to hasten the move to 64-bit Windows to address new types of attacks against the Windows architecture like KHOBE?

email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Adobe Fixes Three Security Issues in Latest ColdFusion Release

References:
http://www.adobe.com/support/security/bulletins/apsb10-11.html


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Adobe Closes 18 Security Holes in Adobe Shockwave Player 11.5.7.609 Release

The CVEs for all 18 bug fixes are in the article listed below. The Adobe Shockwave player is a relatively easy upgrade to deploy, just remember to make sure all old versions of the player software get removed so that follow up vulnerability scans and your software asset inventory data are clean and show only fully patched versions.

References: http://www.adobe.com/support/security/bulletins/apsb10-12.html

Let us know if you need any help packaging up this for deployment.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Tuesday, May 11, 2010

Guidance Software to Acquire Tableau

Guidance Software is buying Tableau. I am still trying to figure out if this is a good thing or not. I don't know what your experience has been like recently, but Guidance has been hounding me with sales calls so I had assumed they were having financial challenges.

The press release is here.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

U.S. Secret Service Setting Data Sharing Example for Other Law Enforcement Agencies

According to this Verizon blog entry, we will see sanitized intrusion data from the U.S. Secret Service alongside Verizon Business Service's own data in their next Data Breach Investigations Report (due later in 2010).

Apparently the U.S. Secret Service started using Verizon's VerIS framework and has decided to share at least some of their casework data.

Very cool. Maybe this will set a precedent for others in the law enforcement world to start sharing real world data (where they can) so that system defenders everywhere can benefit from knowing more about the tactics and true offensive capabilities of the parties coming after them.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

R.I.P. Dojosec

I really enjoyed the Dojosec series of monthly meetings that Marcus J Carey put together, and I am sad to see it has gone away. Dojosec was a security meetup in the southern Maryland area.  The last Dojosec that had speakers was in November 2009. Some of the videos from various Dojosecs are online, so you can still see some of those great presentations.

Hopefully Dojosec will resurface again sometime in the future.

UPDATE 24 August 2010 - Great news! It looks like Dojosec (and Dojocon) may be returning soon.
UPDATE #2 November 2010 - Never mind. Dojosec is dead for good.

email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Monday, April 26, 2010

Exploit Code Published for MS10-020 (KB980232)

Exploit code for MS10-020 (KB980232) has been published here.  Please read http://sharpesecurity.blogspot.com/2010/04/problems-with-microsoft-april-2010.html for all known issues with patching MS10-020, paying special attention the information about MS10-020 and Cisco WAAS-related issues if you use that technology in your environment.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Saturday, April 24, 2010

Problems with Microsoft April 2010 Patch MS10-020 - KB980232

In some cases, there are problems after installing Microsoft April 2010 Patch MS10-020 (KB980232).  Microsoft acknowledges that there are problems and is collecting data to determine the root cause(s).

We have seen four symptoms.  In each case, removing the KB980232 patch and rebooting the affected machine resolved the problem:

1).  Errors saving from Office 2007 applications to network shares.

2).  Not being able to read the contents of the Security tab when looking at the properties of a file on a file share.  Click the image below to see a larger view.



3).  Not being able to see the file and folder "owner" column information for file in a file share.  The owner column information just shows blanks.  Click the image below to see a larger view.



4).  Crashes in explorer.exe when navigating to network shares.




Microsoft is working on a fix. Hopefully we will have an ETA soon. Until then removing MS10-020/KB980232 seems to fix the problem.

UPDATE (26 April 2010):  It turns out this is a bug in Cisco WAAS (Wide Area Application Services).  You need to upgrade your Cisco WAAS 4.0.x and 4.1.x installations to a patched version.

From Cisco:
File Save/Save As Issues After Installing Microsoft Patch (KB980232)


Symptom:

When using the new Windows patch (MS10-020 KB980232), the file save/save-as operation may not be successful when WAAS CIFS optimization is turned on. A popup message indicating "There has been a network or file permission error. The network connection may be lost" is generated by the client

Conditions:

Installation of Microsoft patch (MS10-020 KB980232) to Windows clients

Applies to all 4.0.X and 4.1.X releases

Workaround:

1. Using the new Windows patch : If the customer has installed (or wishes to install) the Windows patch and wants to keep the patch in place, turn the WAAS CIFS optimizations off. Once the new WAAS software is available and deployed, CIFS optimizations can be turned on again.

2. Deploying the Windows patch MS10-020 after the relevant WAAS S/W update is available: After reviewing the patch notes from Microsoft, customers may choose to apply the Windows patch after the updated WAAS software is available.

References:
http://www.cisco.com/en/US/ts/fn/633/fn63320.html
https://supportforums.cisco.com/message/3060183
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v415/release/notes/ws415xrn.html#wp85418


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity