Recent WordPress vulns and the Open Source Vuln DB

There have been too many WordPress vulnerabilities for my liking. Fortunately they seem to be quick to patch, but software updates are always a pain. How long before everyone starts to adopt Chrome’s auto-update feature?

Luckily, I’m a fan of the Open Source Vulnerability Database, which makes staying on top of the security updates that matter to you easy. Using OSVDB is as simple as creating an account and setting up search alerts for any software you’re interested in. Here’s what I recently received regarding WP:

Osama, new or updated vulnerabilities that match your search watch list have been found
SEARCH ID: 14

OSVDB_ID:  72173
URL: http://osvdb.org/show/osvdb/72173

Title: WordPress Arbitrary File Upload
Disclosure Date: Apr 26, 2011
Description: WordPress fails to properly validate uploaded files, allowing a remote attacker to upload a .phtml file with an appended extension (such as .gif) to execute arbitrary PHP code.
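To show why the "appended extension" trick in that entry works, here is an added example in Python (my own, not the OSVDB entry's or WordPress's code). A naive check that only looks at the last extension accepts shell.phtml.gif, while Apache's mod_mime maps every dotted component to a handler and still runs it as PHP. The hardened check rejects an executable extension anywhere in the name, verifies the file's magic bytes, and never reuses the client's filename. The extension lists, the sample uploads and the server assumptions are constructed for this example.

```python
import os
import re
import secrets
from typing import Optional

# Extensions the web server or PHP may hand to an interpreter. Constructed
# list for this example; match it to your own Apache/PHP handler config.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "htaccess"}
ALLOWED_IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}

# Leading bytes of the image types we accept.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def naive_upload_ok(filename: str) -> bool:
    """The weak check: trust the final extension only.

    "shell.phtml.gif" passes, yet mod_mime maps *every* dotted component
    to a handler, so the file is still executed as PHP.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_IMAGE_EXTS


def safe_upload_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-side filename for an accepted upload, or None to reject."""
    # Strip any path the client sent (../ tricks, Windows separators).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_IMAGE_EXTS:
        return None
    # Reject an executable extension *anywhere* in the name, not just last.
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        return None
    # Only plain characters: no NUL bytes, spaces or unicode look-alikes.
    if not all(re.fullmatch(r"[a-z0-9_-]+", p) for p in parts):
        return None
    # Content must match the claimed type. A GIF with PHP in a comment block
    # still passes this, which is why the extension check above is not optional.
    if not data.startswith(IMAGE_MAGIC[parts[-1]]):
        return None
    # Never reuse the client's name: random stem plus the single vetted extension.
    return f"{secrets.token_hex(8)}.{parts[-1]}"


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 16          # constructed sample content
    for name, blob in [("shell.phtml.gif", gif), ("../x/photo-1.GIF", gif),
                       ("photo.gif", b"<?php echo 1; ?>")]:
        print(f"{name:20} naive={naive_upload_ok(name)!s:5} "
              f"hardened={safe_upload_name(name, blob)}")
```

Even with this check, the upload directory should have script execution disabled (no PHP handler, no .htaccess overrides) so that a bypass of the name check still yields nothing.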

Posted in news, security

LastPass & DropBox breach thoughts

LastPass, the cloud-based password manager, and Dropbox, the cloud-based storage service, both reported possible security concerns. A Dropbox vulnerability(?) was discovered where an attacker with physical access to a PC can copy a local config file (it holds the token the client uses to authenticate) and access your Dropbox storage from a different machine. Everyone’s getting their panties in a bunch about this Dropbox vulnerability, but it requires access to data on your PC. If an attacker has access to your PC you have other problems to worry about. The bigger issue with Dropbox is the fact that they hold the encryption keys to your data and can grant access to the government. Always encrypt your data yourself with something like TrueCrypt before uploading it to the cloud.

LastPass also reported noticing a network anomaly, which prompted them to take action, including recommending that users update their master password. Again, this is not a major deal. I use LastPass and will continue to use it. LastPass doesn’t have plaintext data: they store your password list as an encrypted blob, and they have your master password hash. If any of LastPass’ client data was leaked it’s only a matter of time before cryptographically weak master password hashes are brute-forced (salt?). You should update your critical passwords (banks, finance, email) just in case. BTW, how often are you changing passwords? 90 days? Yearly? Never? I update my key passwords monthly (gmail & banking).
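To make the hash point concrete, here is an added example (my own code, not LastPass’, and it assumes nothing about their actual storage format): a dictionary attack against an unsalted SHA-256 master-password hash next to the same attack against a salted, iterated PBKDF2 hash. The wordlist, salts and iteration counts are constructed for the example.

```python
import hashlib
import os
import time
from typing import Optional

# Constructed mini wordlist; a real cracker uses tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "monkey", "letmein", "Spring2011!",
            "correct horse battery staple"]


def fast_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: the 'cryptographically weak' case."""
    return hashlib.sha256(password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (any real password KDF would do)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_fast(target: str) -> Optional[str]:
    """One hash per guess; a precomputed table of fast_hash(WORDLIST)
    cracks every leaked user with the same password at once."""
    for guess in WORDLIST:
        if fast_hash(guess) == target:
            return guess
    return None


def crack_kdf(target: bytes, salt: bytes, iterations: int) -> Optional[str]:
    """The per-user salt kills precomputation and the iterations make every
    guess expensive, but a weak master password still falls to a short list."""
    for guess in WORDLIST:
        if kdf_hash(guess, salt, iterations) == target:
            return guess
    return None


def guesses_per_second(iterations: int, samples: int = 20) -> dict:
    """Rough local throughput of each scheme, to see the slowdown factor."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        fast_hash("benchmark")
    fast = samples * 1000 / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for _ in range(samples):
        kdf_hash("benchmark", salt, iterations)
    slow = samples / (time.perf_counter() - t0)
    return {"fast_per_s": fast, "kdf_per_s": slow, "slowdown": fast / slow}


if __name__ == "__main__":
    salt = os.urandom(16)               # one salt per user, stored beside the hash
    leaked_fast = fast_hash("letmein")  # constructed 'leaked' hashes
    leaked_kdf = kdf_hash("letmein", salt, 100_000)
    print("unsalted SHA-256 cracked:", crack_fast(leaked_fast))
    print("salted PBKDF2 cracked:   ", crack_kdf(leaked_kdf, salt, 100_000))
    print(guesses_per_second(100_000))
```

The takeaway is the same as the post’s advice: the KDF buys you a slowdown of several orders of magnitude per guess, but the only thing that takes "letmein" off the cracked list is a stronger master password.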

LastPass, I still love you….

Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit https://lastpass.com/status for more information.
Thanks,
The LastPass Team
Posted in news, security

OWASP Appsec Tutorial Series

I don’t remember where I found these links: researching WhiteHat Security, I believe, after reading an entry in Grossman’s blog, but don’t quote me on that. Anyway, I thought the videos below are valuable if you’re into appsec for a living, and that includes programmers: if you code, you should breathe appsec.

The training provided in this section was written by Jerry Hoff. Jerry is an expert in the field of web application security and one of WhiteHat’s training instructors.
  1. OWASP Appsec Tutorial Series – Episode 1: Appsec Basics
  2. OWASP Appsec Tutorial Series – Episode 2: Injection Attacks

Unfortunately it looks like Jerry burnt out on creating AppSec videos after two.  I would have done the same unless there were strippers involved.

Posted in news, security

Microsoft Office vs. OpenOffice: Vulnerabilities compared

There’s an interesting article on The H discussing vulnerability trends between the two largest office productivity suites, Microsoft Office and Oracle’s OpenOffice.org. This allows for an interesting security comparison between similar commercial and open source software.

What may be more interesting is a future analysis comparing Oracle’s OpenOffice.org and the recently forked LibreOffice. That is, if OpenOffice even has a future….

Posted in news

Hacking to pwn a cop car

My boy Kevin Finisterre recently made headlines while doing a penetration test on a city’s infrastructure.

(Kevin and I knew each other from past lives)

It turns out Kevin discovered a way to access video dumps from a police dash cam.  After a little more digging he was able to tap into “real time GPS tagged live audio and video from the cruiser.”

Kevin has a nice writeup of the exercise here, Owning a Cop Car.

Posted in news, pentest, security

Simplifying Information Security Risk Assessments

There’s a free webcast available from Accuvant’s Doug Landoll on Simplifying your Risk Assessments available here.

Some of the highlights are:

  • First, data and system owners need to be included in the discussions that set protection requirements, based on the criticality of their data (regulations can act as a minimum baseline)
  • Hopefully you’re using a robust risk assessment method. I strongly recommend reading How To Measure Anything. Too many risk assessments result in Green, Yellow or Red traffic light graphics: what does that really mean?
  • Common challenges that the webinar addresses:  High number of machines and monolithic vs. diverse environments (std. images across your enterprise or a free for all?)
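An added example of what replacing the traffic light with a number looks like (my own code, not from the webcast; the event probability, dollar ranges and threshold are made up): a Monte Carlo run over a calibrated 90% confidence interval for impact, in the spirit of How To Measure Anything. Each trial is one simulated year, and the output is an expected annual loss plus the chance of exceeding a threshold the data owner actually cares about.

```python
import math
import random
from typing import Dict, List

Z90 = 1.6449  # z-score that bounds a 90% confidence interval


def lognormal_from_ci(low: float, high: float):
    """Turn a calibrated 90% CI on impact (low, high) into lognormal mu, sigma.
    The median of the resulting distribution is sqrt(low * high)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_losses(p_event: float, impact_low: float, impact_high: float,
                           trials: int = 10_000, seed: int = 7) -> List[float]:
    """One trial = one year: does the event occur, and if so what does it cost?
    Seeded so the run is repeatable; drop the seed for a fresh sample."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_ci(impact_low, impact_high)
    losses = []
    for _ in range(trials):
        loss = rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
        losses.append(loss)
    return losses


def summarize(losses: List[float], threshold: float) -> Dict[str, float]:
    """Expected annual loss, the 1-in-20-year loss, and P(loss > threshold)."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": sum(ordered) / n,
        "p95_loss": ordered[int(0.95 * n)],
        "p_exceeds_threshold": sum(1 for x in ordered if x > threshold) / n,
    }


if __name__ == "__main__":
    # Constructed scenario: 10%/year chance of a breach of the customer DB,
    # calibrated 90% CI on cleanup cost of $10k to $1M, board cares about $250k.
    losses = simulate_annual_losses(p_event=0.10, impact_low=10_000,
                                    impact_high=1_000_000)
    report = summarize(losses, threshold=250_000)
    print("Traffic light says: YELLOW")
    for k, v in report.items():
        print(f"{k:22} {v:,.2f}")
```

"Yellow" tells the data owner nothing; "expected loss around $27k a year, and roughly a 2.5% chance of blowing past $250k in any given year" is something they can weigh against the cost of a control.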
Posted in news, pentest, security

Free IPv6 /48 prefix via tunneling over the existing IPv4 Internet

(I thought this posting was relevant now as APNIC just assigned their last block of i

Hurricane Electric offers a free IPv6 tunneling service if you would like to begin using and or experimenting with the next generation internet protocol. 

Once you’re up and running, check out Cool IPv6 Stuff.

Posted in networking, news

Night Dragon

Puff the Magic… err, I mean McAfee’s “Night Dragon”, is the name they’ve given to the tools, techniques, and network activities used in continuing attacks since November 2009 against global oil, energy, and petrochemical companies.

Again, it seems like the same old story. Web servers sitting in the DMZ with harmless SQL injection vulnerabilities (sarcasm) are pwned and then used to pivot into the internal corporate network. The attackers then seek out and exfiltrate high-value data using remote access tools such as Gh0st and zwShell (think SubSeven, NetBus etc.). Game over. Again, attribution leans towards our friends from the East (hence the ‘Dragon’, you jackass).

This could be a product of McAfee’s PR/marketing department, so be warned. I’d love to see some Anon-LoLz member in Kansas bouncing through China, planting Mandarin comments in the source before compiling shellcode, and working 9-to-5 China-time hours, getting everyone in a tizzy over this APT threat….

Posted in news, security

Windows, Ubuntu, and Auto-Run

Isaac Newton’s third law states that there is an equal and opposite reaction for every action. Who would have thought that while Microsoft improves its security posture, a Linux distribution would dumb down its standard config and end up with worse security?

Microsoft has learned its lesson and recently announced security updates that backport the AutoPlay protection existing in Windows 7 to Windows XP. You can read more about their reasoning here.

At ShmooCon last week, John Larimer showed how a file on an automounted USB drive, handed to GNOME’s evince thumbnailer, can be abused to get autorun-style code execution on Linux. *Note: ASLR and AppArmor were disabled during the PoC.

Posted in news

Net Neutrality

There’s an interesting article I came across, albeit from Sept 2010, in the Economists’ Voice. It’s written by two academic economists who, by way of full disclosure, have consulted for telecommunications companies in regulatory proceedings.

They make the argument that telecoms (and business in general) are sitting on large amounts of liquid assets afraid to make capital or labor investments due to the fear of increased regulation.  One interesting analogy they make is comparing net neutrality and premium automobile options:

As laid out by the Commission, non-discrimination (i.e., “net neutrality”) under the FCC’s proposal means that ISPs cannot offer enhanced services to content providers at any price except zero. That some content providers may not afford priority service at a positive price does not constitute discrimination; there are many upgrades in life—from navigation systems on cars to private lounges in airports—that are not free.

Read the complete paper here (only 5 pg): Net Neutrality Is Bad Broadband Regulation

Posted in news