Hackin9
[security bulletin] HPSBUX03159 SSRT101785 rev.2 - HP-UX kernel, Local Denial of Service (DoS)
 
[SECURITY] [DSA 3059-1] dokuwiki security update
 
Call for Papers - WorldCIST'15 - Azores, Deadline: November 23
 
[slackware-security] wget (SSA:2014-302-01)
 

Posted by InfoSec News on Oct 30

http://www.bloomberg.com/politics/articles/2014-10-30/security-firms-tie-russian-government-to-utilities-hacks

By Michael A. Riley and Jordan Robertson
Bloomberg.com
October 23, 2014

North American utilities are scouring their systems for signs of Russian
malware that the U.S. government has warned could give hackers control of
water treatment facilities and parts of the electrical grid.

The U.S. Department of Homeland Security issued alerts...
 

Posted by InfoSec News on Oct 30

http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/

By Thomas Fox-Brewster
Forbes.com
10/30/2014

Hackers are remarkably quick off the mark. Drupal, the creator of the
eponymous content management system that millions use the world over, now
knows that all too well. In mid-October it patched a SQL injection flaw,
which could be exploited by...
 

Posted by InfoSec News on Oct 30

http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025-experts-predict/97688/

By Patrick Tucker
Defense One
October 29, 2014

A major cyber attack will happen between now and 2025 and it will be large
enough to cause “significant loss of life or property losses/damage/theft
at the levels of tens of billions of dollars,” according to more than 60
percent of technology experts interviewed by the Pew...
 

Posted by InfoSec News on Oct 30

http://www.wired.com/2014/10/facebook-builder-osquery/

By Cade Metz
Enterprise
Wired.com
10.29.14

Facebook chief security officer Joe Sullivan says that people like Mike
Arpaia are hard to find.

Arpaia is a security engineer, but he’s not the kind who spends his days
trying to break into computer software, hoping he can beat miscreants to
the punch. As Sullivan describes him, he’s a “builder”—someone who creates
new tools capable...
 
LinuxSecurity.com: A denial of service issue was fixed in systemd-shim.
 
LinuxSecurity.com: Updated v8314-v8 packages that fix multiple security issues are now available for Red Hat Software Collections 1. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Several security issues were fixed in PHP.
 
LinuxSecurity.com: New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
McAfee Network Data Loss Prevention Logs Local Information Disclosure Vulnerability
 
McAfee Network Data Loss Prevention Local Security Bypass Vulnerability
 
McAfee Network Data Loss Prevention 'Domain' Field Local Denial of Service Vulnerability
 
McAfee Network Data Loss Prevention Local Information Disclosure Vulnerability
 
DokuWiki Information Disclosure Vulnerability
 
DokuWiki LDAP and AD Authentication Multiple Security Bypass Vulnerabilities
 

Recently we seem to have a theme of new bugs in old code - first (and very publically) openssl and bash. This past week weve had a bunch more, less public but still neat bugs.

First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
a problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
and now the ftp client (found first in BSD) - http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these as that these utilities are part of our standard, trusted toolkit - we all use these every day.

Who knew? Coders who wrote stuff in C back in the day didnt always write code that knew how much was too much of a good thing. Now that were all looking at problems with bounds checking on input data, expect to see at least a couple more of these!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The latest version of the Android operating system, Lollipop, adds encryption by default, along with a variety of easy-to-use ways to lock and unlock the phone and a more secure foundation to help protect devices against current threats.

In a blog post published on Tuesday, Google described the features, which will begin shipping with the Lollipop operating system in new Android devices in the coming weeks. While some of the capabilities, such as encryption, are already included in the current Android OS, the new version will turn them on by default.

Many of the security features were born of Android’s open-source foundations and the fact that other researchers and companies can create and test new security features for the operating system, Adrian Ludwig, lead security engineer for Android at Google, said during a briefing on the security features.

Read 11 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I think that I will start this Diary with the following statement:

If you use an open source CMS, and you do not update it frequently, there is a very high chance that your website if not only compromised but also part of a botnet.

You probably already saw several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, and also full of vulnerabilities and requires frequent updates.

The third one in this list is Drupal. We mentioned last week, on our podcast about a criticalvulnerability fixed by the developers, and today they released a Public Announcement in regards to that vulnerability. And it is scary (yes, Halloween pun intended...).

The PSAmentions that within hours of the Patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in the Drupal implementations.

As our reader Gebhard noted, there is a very interesting quote in the PSA:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement

This means, that by now, evenif you updated your server, there is very high chance that your server is now part of a botnet...so, if you have a website with Drupal, I would highly recommendthe Recovery section of the PSA document.

---

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apache OpenOffice Calc CVE-2014-3524 Command Injection Vulnerability
 

What IBM can learn from its own cybersecurity business
Network World
If you asked an IBMer about infosec a few years ago, they would point you toward Tivoli identity management or mainframe tools like RACF. Even more recently, IBM acquired network security leader ISS and then buried it within its services group ...

 

A CIO's Interop Takeaways
InformationWeek
Straight, the senior vice president and chief privacy officer of UnitedLex, offered guidelines for developing an infosec strategy that focuses on assessing insider risk. He also shared steps organizations can take to turn this potential liability into ...

 
SEC Consult SA-20141029-1 :: Persistent cross site scripting in Confluence RefinedWiki Original Theme
 
CVE-2014-8399 SQL Injection in NuevoLabs flash player for clipshare
 
SEC Consult SA-20141029-0 :: Multiple critical vulnerabilities in Vizensoft Admin Panel
 
Multiple vulnerabilities in EspoCRM
 
[ MDVSA-2014:212 ] wget
 
[ MDVSA-2014:211 ] wpa_supplicant
 

The unclassified network of the Executive Office of the President—the administrative network of the White House—was breached by attackers thought to be working for the Russian government, according to multiple reports. The Washington Post reported that an investigation is ongoing, and White House officials are not saying what data, if any, was stolen from the computers on the network. “We are still assessing the activity of concern,” an unnamed White House official told the Post.

According to the Post’s anonymous sources, the breach was discovered in early October after a friendly foreign government alerted US officials. The network’s virtual private network access was shut down, and some staff members were told to change passwords. "We took immediate measures to evaluate and mitigate the activity,” the Post’s source at the White House said. “Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.”

This isn’t the first time attackers, apparently sponsored by a foreign state, have targeted the White House’s network. In 2008 and 2012, Chinese hackers penetrated the White House’s network. On the first occasion, the attackers gained access to the White House’s e-mail server; in 2012, a phishing attack against White House staffers gave attackers access to the network, though officials said no sensitive data was exposed.

Read 1 remaining paragraphs | Comments

 
Internet Storm Center Infocon Status