Domain: rapid7.com
Stories and comments across the archive that link to rapid7.com.
Comments · 32
-
Re:OCR?
Because this article is Gizmodo and crappy. He did a full write up that is much more in depth. He was specifically trying to figure out how much PII people are leaving on things.
"I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs. I then used PowerShell to go through all documents, emails, and text files for the same information."
-
Shoot...
My cybersecurity company is still finding MS08-067 all over the place. It's ten years old, and it's "bigger than ever!" It's every burgeoning hacker's favorite, since it is so trivial to exploit.
-
Re:Seems legit. (Seriously.)
Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".
And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell in the Metasploit framework. If this case results in a conviction under those charges, you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools based on their functionality rather than the user's actions with them could have a very chilling effect on information security research.
-
Re:Before a white hat, you have to be a grey hat
> Before a white hat, you have to be a grey hat.
> However this is all highly illegal these days.
That used to be the case, but nowadays there are many resources for sharpening people's hacking skills without violating the law. Exploit Exercises has several ISOs with examples of misconfigurations, buffer overflows and format string vulnerabilities for Linux. Metasploitable 2 and Metasploitable 3 have multiple web and system vulnerabilities for Linux and Windows respectively. And Vulhub has hundreds more vulnerable-by-design systems for people to practice with.
While not as instructional as a whole system compromise there are many ways for aspiring penetration testers to practice how to get their foot in the door, while remaining on the right side of the law so to speak.
-
Say hello to CVE-2014-6041
And in not disclosing that it is using both, it opens many, many security holes on older platforms. Furthermore, we don't know how much work is being done by the local Webcore, and what sort of hostile traffic that Presto might send to it.
Avoid this browser in those cases. It is not safe.
We should all be looking at Tor at this point.
-
Poor Post Title, Not-So-Severe Issue
The OFA outlines this issue. What they are saying is that because the Swagger is a JSON document, if you use a code generator that simply regurgitates its values without validation, you could end up with code executing in the context of whatever is consuming the API. The issue is with code generators, and not the Swagger documentation.
An example they give as an attack on HTML is the following (with angle brackets instead of square ones, obviously):
"info": { "description": "[script]alert(1)[/script]",
I guess the idea is that you have used Swagger code generator to create code to call the RESTful APIs you are interested in. The code generator includes this description (which seems kind of odd) in the generated code, giving you an alert when a page including this code is loaded. They also give an example of attacking the "paths" property (which includes information on what URLs can be used to call specific APIs) which would execute code on the back end. I could see this being more a legitimate problem.
A few things though before we all freak out:
- If you are calling APIs from a party you don't know and trust, you are doing it wrong,
- If you are calling APIs without reviewing them and their documentation, you are doing it wrong. If you are looking at a Swagger document and somebody put in a PHP or Ruby injection attack, it will stick out like a sore thumb.
- For the vulnerability to be exploited, that party you trust with your data will have to insert malicious definitions into their Swagger file, and include enough definitions to attack all of the platforms that code will be generated for.
- Because Swagger is now an open specification (Open API), the code generators in question can be updated pretty easily,
Titles like ZDNet's "Severe Swagger vulnerability compromises NodeJS, PHP, Java" are gratuitous hyperbole. Slashdot's title is a little better because it at least refines the panic to "tools", but still not great. There is an issue here, but the internet is not going to go down in flames over this one.
-
Bad headline
The Guardian flubbed its headline. I read the Rapid7 report and the most worrying detail was the fact that there are still over 15 million Internet-available Telnet ports, 7.8 million MySQL ports, 8.8 million RDP, and 5.2 million VNC ports. https://information.rapid7.com...
-
Re:The solution is obvious
Yeah, that can't be right.
A WebView can be used in pretty much any app. It may or may not be vulnerable, depending on whether certain features of the WebView are used, but a WebView has the potential to be the core of a complete (vulnerable) browser in any app.
More info on this matter here: https://community.rapid7.com/c...
My guess (or hope, maybe) is that Google is responding the way they are to strongarm the handset manufacturers into (allowing) properly updating Android on their older products. A sort of 'this shit has been going on long enough: take some fucking responsibility for your products'. Either that or they really see no realistic way to fix this.
-
rapid7.com metasploit & kb.cert.org advisory
- The disclosure is here:
https://community.rapid7.com/c...
- Vulnerability Note VU#685996 (kb.cert.org):
-
wget prior to 1.16 Security Vuln !!
wget prior to 1.16 allows for a web server to write arbitrary files on the client side.
A Metasploit module is available for testing:
https://github.com/rapid7/meta...
the disclosure is here:
https://community.rapid7.com/c...
Redhat's bug is here:
-
Re:That's why IPMI should only live on intranets.
Well, for one, IPMI does SHA256 or SHA1. For another, I'm unaware of any attack even against MD5 that would compromise the security when used in an HMAC scheme, as is the case for the hash function use in IPMI.
An actual dump from a BMC:
ID IANA Auth Alg Integrity Alg Confidentiality Alg
0 N/A none none none
1 N/A hmac_sha1 none none
2 N/A hmac_sha1 hmac_sha1_96 none
3 N/A hmac_sha1 hmac_sha1_96 aes_cbc_128
6 N/A hmac_md5 none none
7 N/A hmac_md5 hmac_md5_128 none
8 N/A hmac_md5 hmac_md5_128 aes_cbc_128
11 N/A hmac_md5 md5_128 none
12 N/A none md5_128 aes_cbc_128
As for the rest, yes, HTTP can be done without encryption, but there are substantial low-risk use cases for that. HTTP doesn't generally allow rebooting a server into single user mode and resetting the root password.
As for the rest, see A Penetration Tester's guide to IPMI. Note that using a DH exchange to negotiate a session key offers forward secrecy and allows for a much more secure authentication protocol that doesn't involve handing out the MD5 hash of any chosen user's password or storing passwords in plain text. MD5 is quite weak in that scenario.
-
In home surveillance
So the new XBOX has a 3D video camera built in to it and it requires constant internet connection. Does this bother anyone else? Even if you aren't paranoid about a deliberate plan for in home surveillance you must admit the potential for abuse.
Employees at Microsoft could potentially monitor video streams. The kinect has always been creepy. It also can't be secure. Even if there is never an inside job there is potential that some exploit could be found. Hackers around the world could be tapping in to the live feed off the camera in your living room that is always on.
Don't dare say that this is difficult or compare it to a laptop with a built-in webcam without looking at this post here:
https://community.rapid7.com/community/metasploit/blog/2013/01/24/weekly-update -
Re:Much hyperbole about nothing
You think the chief security officer of Rapid7 doesn't understand the nature of Java, huh? It's not that he's trying to use language that most people would understand, but that he actually does not know that Java is a programming language and what the JVM actually is. That's some stunning logic you've got there. He sounds like he probably knows his stuff.
-
Re:Bad article summary
Summary is making it look a LOT worse than it is.
- Bug's already been fixed, only what it did was revealed now.
- Bug does not affect binary distributions from mysql.com, Windows included.
- Bug only affects some distros.
Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
They claim ubuntu 10.04 64 bit is vulnerable. That's my laptop distro, and after 5,000 attempts I can't break in.
The linked memcmp program at http://pastie.org/4064638 indeed says I'm vulnerable, so why can't I break in?
-
w3af
Also check out the Web Application Attack and Audit Framework at https://community.rapid7.com/community/w3af
-
And Also Four of Microsoft's Applications
There are no reports of any Microsoft or default Windows applications containing the bug
Really? That's odd, from the original blog posting:
At least four of Microsoft’s own applications have been confirmed as exploitable through this vector, two of which were already being addressed by the time I contacted them.
-
The foolishness of binary-only anything
> When it comes to closed systems like video cards and their drivers, I think only a fool would turn up his nose at a binary simply because it doesn't come with source code.
Haven't learned our lesson regarding security or portability, have we?
Popular binary drivers had some unresolved, severe exploits and couldn't be bothered to address them for about two years. That's just an anecdote, but it illustrates that the problem is real and not just theoretical. Anecdotes aside, there are inherent problems with binary-only drivers (or binary-only anything). For the obtuse, the interview with Theo de Raadt and the interview with Jonathan Gray and Damien Bergamini go into more detail.
Production mistakes and design flaws happen. That's why we get the effect that "given enough eyeballs, all bugs are shallow". But with binary-only that also means that nearly anything, from back doors to monitoring, can be piggybacked into the blob. You'd be hard pressed to find out. And depending on the vendor for the binary also leaves you dependent on their choice of architectures - not yours, and their lifecycle timeline - not yours.
Some, like the GP, may prefer the GPL, others may prefer other open source license. Whatever. Any of them is a far cry better than no source code.
Also, remember the open source is not just a license, but a development model. Popular hardware will gain development speed and quality for the drivers. It's not like the drivers have any inherent value without the hardware. Opening up the drivers would most likely boost the sales of the hardware they use.
-
Re:Hmmmmmmmmn,
> It's a bit like the NVidea Linux drivers: the free software purists see it as something awful to load a binary driver on Linux,
Perhaps because of security fears? "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely"
Anyway, bringing nvidia into the discussion is a red herring; there is a huge difference between running a binary blob in ring 0 and userland. Let's discuss userland binary rather than kernel mode binary.
-
Re:Correction:
> Look at all the flak NVidia's binary-only drivers take from the GNU-types, and those are FREE.
And why did they take all that flak? Perhaps it was because of the security implications of running a binary kernel module? Not an unrealistic fear either: "The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely"
PS. Love the way you capitalized FREE! That'll get the "GNU-types" worked up. Seriously - nice trolling.
-
Re:Hack WGA First
> Before anyone bothers replying talking about binary drivers being bad please see my previous posts on the issue. I think they are fine
Thank you for your opinion; here's a different one:
http://www.rapid7.com/advisories/R7-0025.jsp
-
No, *you* are wrong.
It's one thing to RTFA, it's another thing entirely to UNDERSTAND TFA.
This funny little prank javascript fills the location field with a massive string of 'a' characters, in the hopes that the browser will freak out and crash. It's old, it's well-known. Read the tail end of the IRC transcript where the dude laughs at the fact that the prankster used nvidia's website to force the javascript to punk the poor guy. He could have tacked the javascript onto any URL at all to deliver this OLD OLD prank.
The *actual* concept exploit is a C program linked in the advisory here (although I am certain it's beyond you):
http://www.rapid7.com/advisories/R7-0025.jsp
-
Mirror
The advisory is mirrored here and the PoC exploit code is mirrored here. Did anyone notice the comment in the source code?
* BEGIN FONT HEAP OVERFLOW SETUP CODE
*
* "It's so hard to write a graphics driver that open-sourcing it would
* not help."
* - Andrew Fear, Software Product Manager (NVIDIA Corporation).
-
JSON and other patterns can be dangerous
Thanks to the use of AJAX, we are seeing new numbers of what Amit Klein called "DOM-based cross site scripting" in his paper of the same title. These are essentially browser-based cross-site scripting vulnerabilities that require JavaScript. Since these XSS vulnerabilities require a browser executing JavaScript to work, 99% of vulnerability scanning tools out there can only detect server-based XSS vulnerabilities. Server-based protection mechanisms will be completely ineffective because the attacks can be completely hidden from the server (e.g. as Amit Klein points out, you can include XSS scripting after the hash (#) part of the URL, denoting an anchor fragment which is actually stripped off before the request is made to the server, but the entire URL is still available to JavaScript as document.location).
In order to detect these sorts of vulnerabilities in an automated fashion, there are only two decent approaches to choose from:
- Dynamic analysis: Feed the entire site, page by page, to a live browser and try to reproduce the XSS using a large number of browser actions as input. This is practically difficult and could also be quite risky (you can get owned yourself while doing it), and to get a good test you need to run a large number of inputs on several different browsers.
- Static analysis: Spider the site and run static analysis on the JavaScript on a page-by-page basis. This is much more promising, although obviously static analysis on a language like JavaScript, which is loosey-goosey with typing, is not trivial. Shameless plug: There are only a couple of tools which can do this: NeXpose from Rapid7 is one of them that I have worked on.
var result = eval(document.responseText)
which is a bit scary when you think that it may be possible to trick the server into emitting JavaScript (which, given the limited kinds of filterings that servers do, could be easier than tricking the server into emitting HTML).
-
Scanners not able to find XSS
The reason most vuln scanners can't find XSS vulns on modern sites is because of the increased amount of JavaScript and Flash (with ActionScript) that's in use. But some scanners can grok this stuff to varying degrees of completeness.
-
This is nothing new
I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specific products or services. Looks like another snake-oil security startup.
There are other companies and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies that take a source-code centric approach.
For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.
-
Re:Rule Engine Frameworks
Our NeXpose security scanner uses JESS to perform vulnerability assessments against remote systems. The expert system is a nice way to have NeXpose not only identify vulnerabilities, but also take advantage of the vulnerabilities to perform more tests. It can be done without an expert system, but it works very nicely using JESS.
-
You should also use Tools in-house
External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be 1 part of the overall solution.
You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, year. There are a variety of tools available, both freely and commercially.
A good tool will be updated frequently and check for a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT).
Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool
Commercial Tools
ISS has a variety of tools available depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though :( Here is a review
A Networking Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started.
-
AI in the real world?
I'm sick of people asking "When will we see widespread commercial application of AI". AI researchers often quote the so-called "moving frontier" problem, that is, as soon as an AI application becomes useful enough to solve real-world problems, it ceases to be known as AI and looks a whole lot more mundane.
For example, computer vision -- there are publicly-traded companies out there which have been doing machine vision for YEARS. These systems are used by all major chip manufacturers, most major paper and textile manufacturers, etc. to recognize and catch defects in products before they leave the assembly line. Cognex is a $1B a year company -- they exclusively do machine vision and visual pattern recognition for industrial applications.
Another example of a company applying AI would be Virage, who has several patents relating to image/video searching and indexing.
Many investment houses use neural networks to profile and model investments, and plenty of large financials use expert systems and neural networks for data mining, employee profiling, and so on.
Expert systems have been applied to computer security as well -- Rapid 7 (my company) sells a network security scanner which uses the Jess expert system from Sandia labs. The value of the expert system is, it allows the product to use discovered vulnerabilities to further exploit the network, discovering more vulnerabilities, which enable more probes to be performed, etc.
-
This result is over 100 years old!
Henry James, in his Principles of Psychology (1890 or thereabouts) described the mind's multitasking and task-switching in terms that modern-day computer folks will find quite familiar.
There's a running joke that James' century-old work represents basically everything cognitive scientists know today. In other words, not much new progress in the last 100 years.
:) Anyways, to quote from James' book, chapter 11 (emphasis mine):
[p. 409] If, then, by the original question, how many ideas or things can we attend to at once, be meant how many entirely disconnected systems or processes of conception can go on simultaneously, the answer is, not easily more than one, unless the processes are very habitual; but then two, or even three, without very much oscillation of the attention. Where, however, the processes are less automatic, as in the story of Julius Caesar dictating four letters whilst he writes a fifth,[9] there must be a rapid oscillation of the mind from one to the next, and no consequent gain of time. Within any one of the systems the parts may be numberless, but we attend to them collectively when we conceive the whole which they form.
When the things to be attended to are small sensations, and when the effort is to be exact in noting them, it is found that attention to one interferes a good deal with the perception of the other. A good deal of fine work has been done in this field, of which I must give some account.
It has long been noticed, when expectant attention is concentrated upon one of two sensations, that the other one is apt to be displaced from consciousness for a moment and to appear subsequent; although in reality the two may have been contemporaneous events...
Chad Loder
Rapid 7, Inc.
The next generation of network security products
-
Code Red II (or III) on cable modem segments
I posted this to Bugtraq last night but it got rejected.
:P Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS headend router to ARP out to see who's got that address, you get the picture.
At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.
I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IP's which fall under their management) -- I wonder if ISP's are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.
Chad Loder
Rapid 7, Inc. - Next generation security products and services
-
Where's the diff?
Let me first say, so many of these bills are structured in terms of patches to existing bills. I think the government should always provide the output of 'diff -u -w' so everyone can review the patch in context before deciding whether to apply it to our Constitution.
Anyways, the bill seems meaningless in terms of adding additional protection for school computers. The biggest difference from the original bill is actually a change in language from:
"whoever...intentionally causes damage without authorization" [subsec. (a) paragraph (5.A)] and "whoever...recklessly causes damage" [subsec. (a) paragraph (5.B)] to:
"whoever...intentionally affects or impairs without authorization".
IANAL, but it seems to me there's a big difference between "causes damage" and "affects or impairs", considering ANYTHING one does to a computer affects the computer. And in a way, any program you run on a computer "impairs" the computer's ability to do other things (as quickly, say).
Network Security Tools and Services