SymmetricalDataSecurity: January 2017

Tuesday, January 31, 2017

USN-3181-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-3181-1

31st January, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other
releases were fixed in a previous security update. (CVE-2016-2177)

It was discovered that OpenSSL did not properly handle Montgomery
multiplication, resulting in incorrect results leading to transient
failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-7055)

It was discovered that OpenSSL did not properly use constant-time
operations when performing ECDSA P-256 signing. A remote attacker could
possibly use this issue to perform a timing attack and recover private
ECDSA keys. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2016-7056)

Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts.
A remote attacker could possibly use this issue to cause OpenSSL to stop
responding, resulting in a denial of service. (CVE-2016-8610)

Robert Święcki discovered that OpenSSL incorrectly handled certain
truncated packets. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2017-3731)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, and Ubuntu 16.10. (CVE-2017-3732)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:: libssl1.0.0 1.0.2g-1ubuntu9.1
Ubuntu 16.04 LTS:: libssl1.0.0 1.0.2g-1ubuntu4.6
Ubuntu 14.04 LTS:: libssl1.0.0 1.0.1f-1ubuntu2.22
Ubuntu 12.04 LTS:: libssl1.0.0 1.0.1-4ubuntu5.39

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-2177, CVE-2016-7055, CVE-2016-7056, CVE-2016-8610, CVE-2017-3731, CVE-2017-3732

from Ubuntu Security Notices http://ift.tt/2jRo61b

Meeting Cliff Stoll

Today I had the chance to meet the man who unintentionally invented the modern digital forensics practice, Cliff Stoll. In 1989 he published a book about his 1986-87 detection and response against KGB-backed spies who hacked his lab and hundreds of government, military, and university computers. I read his book in high school and it later inspired my military and private computer security services. Cliff was kind enough to take a photo with me today at the SANS Institute Cyber Threat Intelligence Summit in Virginia.

from TaoSecurity http://ift.tt/2kOsIab

Cisco Coverage for Shamoon 2

IBM Security Bulletin: Vulnerability in bellmail affects AIX (CVE-2017-1093)

There is a vulnerability in bellmail that impacts AIX.

CVE(s): CVE-2017-1093

Affected product(s) and affected version(s):

 AIX 6.1, 7.1, 7.2
VIOS 2.2.x
The following fileset levels are vulnerable:
key_fileset = aix
Fileset Lower Level Upper Level KEY
---------------------------------------------------------
bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs
bos.net.tcp.client 7.1.3.0 7.1.3.48 key_w_fs
bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs
bos.net.tcp.client_core 7.2.0.0 7.2.0.2 key_w_fs
bos.net.tcp.client_core 7.2.1.0 7.2.1.1 key_w_fs
Note: To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jreRpR
X-Force Database: http://ift.tt/2kdd2tS

from IBM Product Security Incident Response Team http://ift.tt/2jrgILj

IBM calls healthcare industry a 'leaky vessel in a stormy sea'

Insider trading takes the Dark Web by storm

IBM Security Bulletin: Vulnerability in password storage scheme affects IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-8967)

IBM License Metric Tool v9 and IBM BigFix Inventory v9 stores passwords in plain text.

CVE(s): CVE-2016-8967

Affected product(s) and affected version(s):

IBM License Metric Tool v9
IBM BigFix Inventory v9

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jQcIT2
X-Force Database: http://ift.tt/2jyO6uL

from IBM Product Security Incident Response Team http://ift.tt/2jQkxIJ

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access (CVE-2016-5597)

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6.0.16.30 and Version 7.0.9.50 that are used by IBM Rational DOORS Web Access. These issues were disclosed as part of the IBM Java SDK updates in October 2016.

CVE(s): CVE-2016-5597

Affected product(s) and affected version(s):

Rational DOORS Web Access versions 1.5, 1.5.0.1, 9.5, 9.5.0.1, 9.5.1, 9.5.1.1, 9.5.2, 9.5.2.1, 9.6, 9.6.0.1, 9.6.1, 9.6.1.1, 9.6.1.3, 9.6.1.4, 9.6.1.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyY3YY
X-Force Database: http://ift.tt/2e5pD2s

from IBM Product Security Incident Response Team http://ift.tt/2jQvycH

IBM Security Bulletin: A security vulnerability in IBM Java SDK 7 affect IBM Systems Director Server (CVE-2016-5597)

There is a security vulnerability in IBM SDK Java Technology Edition, Version 7 that is used by IBM Systems Director server. This issue was disclosed as part of the IBM Java SDK updates in October 2016.

CVE(s): CVE-2016-5597

Affected product(s) and affected version(s):

From the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed.
IBM Systems Director:

6.1.0.0
6.1.0.1
6.1.0.2
6.1.0.3
6.1.1.1
6.1.1.2
6.1.1.3
6.1.2.0
6.1.2.1
6.1.2.2
6.1.2.3
6.2.0.0
6.2.0.1
6.2.0.2
6.2.1.0
6.2.1.0
6.2.1.1
6.2.1.2
6.3.0.0
6.3.1.0
6.3.1.1
6.3.2.0
6.3.2.1
6.3.2.2
6.3.3.0
6.3.3.1
6.3.5.0
6.3.6.0
6.3.7.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyQT7l
X-Force Database: http://ift.tt/2e5pD2s

from IBM Product Security Incident Response Team http://ift.tt/2jQii7T

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron (CVE-2016-5542, CVE-2016-5573, CVE-2016-5597)

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 SR9 FP40 and Version 6 SR16 FP26 used by WebSphere Cast Iron. These issues were disclosed as part of the IBM Java SDK updates in October 2016.

CVE(s): CVE-2016-5597, CVE-2016-5542, CVE-2016-5573

Affected product(s) and affected version(s):

WebSphere Cast Iron v 7.5.x.x
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyMTUo
X-Force Database: http://ift.tt/2e5pD2s
X-Force Database: http://ift.tt/2e5s2Ku
X-Force Database: http://ift.tt/2eDrVCd

from IBM Product Security Incident Response Team http://ift.tt/2jQnZTF

IBM Security Bulletin: Security bypass vulnerability affects IBM Security Key Lifecycle Manager – Missing Authentication for Critical Function (CVE-2016-6105 )

The software does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas.

CVE(s): CVE-2016-6105

Affected product(s) and affected version(s):

IBM Security Key Lifecycle Manager: v2.5 – 2.5.0.7

IBM Security Key Lifecycle Manager v2.6 – 2.6.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jQe28G
X-Force Database: http://ift.tt/2jz4341

from IBM Product Security Incident Response Team http://ift.tt/2jQl5OI

IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by active debugging code (CVE-2016-6117)

IBM Security Key Lifecycle Manager can be deployed with active debugging code that can create unintended entry points.

CVE(s): CVE-2016-6117

Affected product(s) and affected version(s):

IBM Security Key Lifecycle Manager: v2.5 – 2.5.0.7

IBM Security Key Lifecycle Manager v2.6 – 2.6.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jQe0h4
X-Force Database: http://ift.tt/2jyTjTj

from IBM Product Security Incident Response Team http://ift.tt/2jQA0Z9

IBM Security Bulletin: GSKit Sweet32: Birthday attacks in Content Collector for IBM Connections

OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

Content Collector for IBM Connections v3.0
Content Collector for IBM Connections v4.0
Content Collector for IBM Connections v4.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyQUrV
X-Force Database: http://ift.tt/2dR3VyC

from IBM Product Security Incident Response Team http://ift.tt/2jQjkAS

IBM Security Bulletin: GSKit Sweet32: Birthday attacks in IBM Content Collector for Microsoft SharePoint

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

IBM Content Collector for Microsoft SharePoint v3.0
IBM Content Collector for Microsoft SharePoint v4.0
IBM Content Collector for Microsoft SharePoint v4.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyPVYE
X-Force Database: http://ift.tt/2dR3VyC

from IBM Product Security Incident Response Team http://ift.tt/2jQmZij

IBM Security Bulletin: GSKit Sweet32: Birthday attacks in IBM Content Collector for File Systems

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

IBM Content Collector for File Systems v3.0
IBM Content Collector for File Systems v4.0
IBM Content Collector for File Systems v4.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jyYUsH
X-Force Database: http://ift.tt/2dR3VyC

from IBM Product Security Incident Response Team http://ift.tt/2jQlpN6

IBM Security Bulletin: GSKit Sweet32: Birthday attacks in IBM Content Collector for Email

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

IBM Content Collector for Email v3.0
IBM Content Collector for Email v4.0
IBM Content Collector for Email v4.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jQkPz7
X-Force Database: http://ift.tt/2dR3VyC

from IBM Product Security Incident Response Team http://ift.tt/2jQkuMO

Microsoft: Windows 10 will stop a ransomware epidemic when antivirus fails

Ransomware is about to get a lot worse, by holding your operating system hostage

These hackers set a 'trap' for security researchers probing their malware

Why criminals are using this old technique to take cyberattacks back to the future

iPhone lock: Did hackers drive Apple to kill iCloud activation checker?

Flaws in popular printers can let hackers easily steal printed documents

Staying Ahead of the Evolving Threat – Announcing the Cisco 2017 Annual Cybersecurity Report

Facebook Unveils 'Delegated Recovery' to Replace Traditional Password Recovery Methods

How will you reset the password for your Facebook account if your primary email account also gets hacked?

Using SMS-based security code or maybe answering the security questions?

Well, it's 2017, and we are still forced to depend on insecure and unreliable password reset schemes like email-based or SMS code verification process.

But these traditional access recovery mechanisms aren't safe enough to protect our all other online accounts linked to an email account.

Yahoo Mail

can be used as an excellent example.

Once hackers have access to your Yahoo account, they can also get into any of your other online accounts linked to the same email just by clicking the link that says, "Forgot your password?"

Fortunately, Facebook has a tool that aims to fix this process and unveiled a new service that will help you recover access to all your other online accounts securely.

At the Enigma Conference in Oakland, California on Monday, Facebook launched an account recovery feature for other websites called

Delegated Recovery

— a protocol that helps applications delegate account recovery permissions to third-party accounts controlled by the same user.

Starting today, Delegated Recovery is available to GitHub users for account recovery, allowing them to set up encrypted recovery tokens for their Github accounts in advance and save it with their Facebook accounts.

So in case they ever lose access to their Github account, they can re-authenticate to Facebook and request the stored token be sent from their Facebook account back to Github with a time-stamped signature, proving their identities and securely regaining access to their accounts.

This whole process takes place over encrypted HTTPS Web links and completes within a few seconds.

Since the stored token is encrypted, even Facebook can not read the personal data stored in that token.

The social network giant also assured that except its assertion that the person recovering the GitHub account is the same who saved the token, the company doesn't share any personal information about the user with GitHub.

According to the social networking giant, the Delegated Recovery service will be especially helpful for online users who have lost their smartphones, physical tokens or keys used as a second factor of authentication.

"We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook." said Brad Hill, Security Engineer at Facebook

Facebook has published the protocol behind the feature and the technical specifications on its

GitHub page

. You can also read more information about the feature on

Facebook's official post

Since no system is hacker-proof, Facebook has invited hackers and security community for reporting bugs, submit suggestions, and feedback.

Delegated Recovery is part of Facebook's bug bounty program, allowing security researchers and bug hunters to test and find out security vulnerabilities in it.

This tool is being released as open-source that would allow other third-party sites to implement it, but for now, the service is available only for GitHub.

from The Hacker News http://ift.tt/2kKFH9m

Google hands over $3m in bug bounties as payouts soar for new Android flaws

Malvertising reached new heights in 2016

Check If Your Netgear Router is also Vulnerable to this Password Bypass Flaw

Again bad news for consumers with Netgear routers: Netgear routers hit by another serious security vulnerability, but this time more than two dozens router models are affected.

Security researchers from Trustwave are warning of a new authentication vulnerability in at least 31 models of Netgear models that potentially affects over one million Netgear customers.

The new vulnerability,

discovered

by Trustwave's SpiderLabs researcher Simon Kenin, can allow remote hackers to obtain the admin password for the Netgear router through a flaw in the password recovery process.

Kenin discovered the flaw (

CVE-2017-5521

) when he was trying to access the management page of his Netgear router but had forgotten its password.

Exploiting the Bug to Take Full Access on Affected Routers

So, the researcher started looking for ways to hack his own router and found a couple of exploits from 2014 that he leveraged to discover this flaw which allowed him to query routers and retrieve their login credentials easily, giving him full access to the device.

But Kenin said the newly discovered flaw could be remotely exploited only if the router's remote management option is enabled.

While the router vendor claims the remote management option is turned off on its routers by default, according to the researcher, there are "hundreds of thousands, if not over a million" routers left remotely accessible.

"The vulnerability can be used by a remote attacker if remote administration is set to be internet facing. By default this is not turned on," Kenin said. "However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using the vulnerable equipment."

If exploited by bad actors, the vulnerability that completely bypasses any password on a Netgear router could give hackers complete control of the affected router, including the ability to change its configuration, turn it into botnets or even upload entirely new firmware.

After trying out his flaw on a range of Netgear routers, Kenin was surprised to know that more than ten thousand vulnerable devices used the flawed firmware and can be accessed remotely.

He also released an

exploit code

for testing purpose, written in Python.

List of Vulnerable NETGEAR Router Models

The SpiderLabs researcher stressed that the vulnerability is very serious as it affects a large number of Netgear router models. Here's a list of affected Netgear routers:

R8500
R8300
R7000
R6400
R7300DST
R7100LG
R6300v2
WNDR3400v3
WNR3500Lv2
R6250
R6700
R6900
R8000
R7900
WNDR4500v2
R6200v2
WNDR3400v2
D6220
D6400
C6300 (firmware released to ISPs)

Update the Firmware of your NETGEAR Router Now!

Kenin notified Netgear of the flaw, and the company confirmed the issue affects a large number of its products.

Netgear has

released

firmware updates for all of its affected routers, and users are strongly advised to upgrade their devices.

This is the second time in around two months when researchers have discovered flaws in Netgear routers. Just last month, the US-CERT advised users to

stop using Netgear's R7000 and R6400

routers due to a serious bug that permitted command injection.

However, in an effort to make its product safe, Netgear recently partnered up with Bugcrowd to launch a

bug bounty program

that can earn researchers cash rewards of up to $15,000 for finding and responsibly reporting flaws in its hardware, APIs, and the mobile apps.

from The Hacker News http://ift.tt/2jOSCso

Monday, January 30, 2017

Data61 wants Australia to go all-in on fintech and cybersecurity innovation

On Data Privacy Day, Keep Your Data Safe by Identifying the Threats

By Rick Orloff, Chief Security Officer, Code42

Saturday, January 28th was Data Privacy Day. We’re proud champions of the National Cyber Security Alliance’s focused effort on protecting privacy and safeguarding data. But at Code42, we know that one day isn’t enough. We dedicate an entire month each year to reaffirm our critical role in keeping our customers’ data safe.

This year, we initiated an annual Certified Information Systems Security Professional (CISSP) training program at Code42 and trained staff on the eight common bodies of knowledge defined by (ICS)² to earn the coveted credential. We embedded a new tool in our email system for Code42 employees to report phishing attempts. And, we hosted a panel discussion with representatives from the FBI and Secret Service to learn more about how they combat cybercrime.

But we’re not here to talk about what we did to keep our data safe. We’re here to talk about what you can do to protect yours. The first step in any cybersecurity strategy: situational awareness.

Your Employees Are Being Targeted: Part One
Your end users, and their devices, represent a very large mobile attack surface. IT and InfoSec professionals spend far too much time cleaning up issues caused by employees who fall for phishing emails, click corrupt links, or engage in careless online behavior. These unintentional “user mistakes” are one of the biggest threats today, causing around 25 percent of data exfiltration events.

Why do users make so many mistakes? To put it simply, most don’t care. They believe that if IT is doing its job, no threats will reach them and they have nothing to worry about. They believe that if they have an error in judgment, or do something foolish, IT will always come to the rescue. They actively ignore security policies and find creative workarounds for security measures they view as an inconvenience.

Your Employees Are Being Targeted: Part Two
It’s one thing for your employees to make mistakes. It’s another for them to deliberately remove data from your organization. Unfortunately, that’s exactly what happens quite often, and it’s part of the reason why 78% of security professionals say insiders are the biggest contributors to data misappropriation.

With your company’s IP making up 80% of its value, the potential damage from malicious insider threat is enormous. To help spot vulnerabilities, look for “Shadow IT,” the tools and solutions your employees use without explicit organizational approval that often pose measurable risks. Many tools that are unapproved by your IT department also place the data they’re accessing at risk and often there’s no overall management of these tools.

The Solution: Backup and Real-time Recovery
I have often said that there are only two types of networks in this world, those that have been breached and those that are being attacked. The fact is, security breaches occur to varying degrees of severity at all Fortune 500 companies. If a breach results in being denied access to your data, the C-Suite expects IT to get them back up and running. What they are just now learning is that this can be accomplished in mere minutes, or hours without overwhelming support staff! The solution to protecting your company from inside threats, ransomware, or any other cybersecurity issue is real-time recovery on the endpoints.

This is what the FBI has been urging businesses to do for years: regularly back up data and verify the integrity of those backups. It’s equally important to ensure that backed-up files aren’t susceptible to ransomware’s ability to infect multiple sources and backups. Consider these key points:

When endpoints are infected by ransomware, real-time recovery can roll back clean versions of every file, including system files.
While other solutions such as File Sync and Share (FSS) programs can import ransomware to its mirror mate (as they are designed to do), enterprise endpoint recovery solutions can roll back all files to earlier dates (versions) and restore them.
When a device gets stolen or damaged for whatever reason, or when an employee leaves with valuable company data, real-time recovery can roll back each and every file on the device. This keeps the business operational and provides options relative to how they want to deal with the departed employee.

There are many tools on the market that claim to protect your data, and many indeed do a good job. But a sound cybersecurity policy begins within. You can’t protect your data if you don’t understand where it is and the threats you’re up against.

The post On Data Privacy Day, Keep Your Data Safe by Identifying the Threats appeared first on Cloud Security Alliance Blog.

from Cloud Security Alliance Blog http://ift.tt/2jOGy82

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January 2017

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities. The foundation also released one vulnerability that was already disclosed in the OpenSSL advisory for November 2016 and included in the Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016. OpenSSL classifies all the new vulnerabilities as “Moderate Severity.”

The first vulnerability affects only OpenSSL used on 32-bit systems architecture and may cause OpenSSL to crash. The second vulnerability affects only version 1.1.0 and occurs only when OpenSSL is used on the client side. The second vulnerability may cause OpenSSL to crash when connecting to a malicious server. The third vulnerability affects only systems based on x86_64 architecture. A successful exploit of the third vulnerability could allow the attacker to access sensitive private key information.

Multiple Cisco products incorporate a version of the OpenSSL package that is affected by one or more of these vulnerabilities.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
http://ift.tt/2jMgMnC On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities. The foundation also released one vulnerability that was already disclosed in the OpenSSL advisory for November 2016 and included in the Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016. OpenSSL classifies all the new vulnerabilities as “Moderate Severity.”

The first vulnerability affects only OpenSSL used on 32-bit systems architecture and may cause OpenSSL to crash. The second vulnerability affects only version 1.1.0 and occurs only when OpenSSL is used on the client side. The second vulnerability may cause OpenSSL to crash when connecting to a malicious server. The third vulnerability affects only systems based on x86_64 architecture. A successful exploit of the third vulnerability could allow the attacker to access sensitive private key information.

Multiple Cisco products incorporate a version of the OpenSSL package that is affected by one or more of these vulnerabilities.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
http://ift.tt/2jMgMnC
Security Impact Rating: Medium
CVE: CVE-2017-3730,CVE-2017-3731,CVE-2017-3732

from Cisco Security Advisory http://ift.tt/2jMgMnC

EyePyramid: An Archaeological Journey

Over four billion data records were stolen in 2016

IBM Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Scale SMB protocol access method (CVE-2016-2126, 2016-2125)

Samba vulnerabilities affect IBM Spectrum Scale SMB protocol access method which could allow: – a remote authenticated attacker to gain elevated privileges on the system, caused by forwarding a Ticket Granting Ticket (TGT) to other service when using Kerberos authentication. An attacker could exploit this vulnerability to impersonate the authenticated user and gain elevated privileges on the system (2016-2125) – a remote authenticated attacker to gain elevated privileges on the system, caused by the failure of handling the PAC checksum. By using a specially-crafted Kerberos ticket, an authenticated attacker could exploit this vulnerability to gain privileges or cause the winbindd process to crash (2016-2126)

CVE(s): CVE-2016-2126, CVE-2016-2125

Affected product(s) and affected version(s):

IBM Spectrum Scale V4.2.0.0 thru V4.2.2.1

IBM Spectrum Scale V4.1.1.0 thru V4.1.1.11

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jmxYRS
X-Force Database: http://ift.tt/2k8JxsZ
X-Force Database: http://ift.tt/2jmyxeh

from IBM Product Security Incident Response Team http://ift.tt/2k8N2jd

IBM Security Bulletin: Vulnerability in SSL affects IBM DataPower Gateways (CVE-2016-8610)

An SSL vulnerability was disclosed by the OpenSSL Project. IBM DataPower Gateways has addressed the applicable CVE.

CVE(s): CVE-2016-8610

Affected product(s) and affected version(s):

IBM DataPower Gateways appliances, all versions through 7.0.0.16, 7.1.0.13, 7.2.0.10, 7.5.0.4, 7.5.1.3, 7.5.2.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jmGct6
X-Force Database: http://ift.tt/2hNr07D

from IBM Product Security Incident Response Team http://ift.tt/2jmDTq0

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5597)

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 used by IBM Tivoli System Automation Application Manager. IBM Tivoli System Automation Application Manager has addressed the applicable CVEs. These issues were also addressed by WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager.

CVE(s): CVE-2016-5597

Affected product(s) and affected version(s):

IBM Tivoli System Automation Application Manager 4.1.0.0 – 4.1.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k91GXT
X-Force Database: http://ift.tt/2e5pD2s

from IBM Product Security Incident Response Team http://ift.tt/2jmzBiF

IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Functional Tester (CVE-2016-5542)

If a JAR file is signed with old, weak hash algorithms, the class files within it can be modified without the change being caught. This potentially enables attackers to inject malicious code into signed code from a trusted third party.

CVE(s): CVE-2016-5542

Affected product(s) and affected version(s):

All versions of Rational Functional Tester from 8.3.0 through 8.6.0.9

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jmxYBy
X-Force Database: http://ift.tt/2e5s2Ku

from IBM Product Security Incident Response Team http://ift.tt/2jmvzXc

IBM Security Bulletin: IBM Systems Director Storage Control is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983)

There are multiple vulnerabilities identified in IBM Websphere Application Server (WAS) that is embedded in IBM Systems Director Storage Control. This update addresses these issues.

CVE(s): CVE-2016-5983, CVE-2016-5986, CVE-2016-3092

Affected product(s) and affected version(s):

From the IBM Systems Director command line enter smcli lsver to determine the level of IBM Systems Director installed.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k8JJZu
X-Force Database: http://ift.tt/2cX6Wuu
X-Force Database: http://ift.tt/2ccJKps
X-Force Database: http://ift.tt/2bozrA8

Affected Product and Version(s)	Product and Version shipped as a component
IBM System Director Storage Control 4.2.6	IBM Systems Director 6.3.5
IBM System Director Storage Control 4.2.7	IBM Systems Director 6.3.6
IBM System Director Storage Control 4.2.8	IBM Systems Director 6.3.7

from IBM Product Security Incident Response Team http://ift.tt/2jmE6JL

IBM Security Bulletin:Multiple vulnerabilities in AppScan Source (CVE-2016-5419, CVE-2016-5420)

IBM AppScan Source is affected by vulnerabilities in cURL which could allow a remote attacker to bypass security restrictions, caused by the failure to check the TLS connection server certificates.

CVE(s): CVE-2016-5419, CVE-2016-5420

Affected product(s) and affected version(s):

IBM AppScan Security 9.0.1, 9.0.2, 9.0.3

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k8S4fr
X-Force Database: http://ift.tt/2kdL4xr
X-Force Database: http://ift.tt/2j0IwpD

from IBM Product Security Incident Response Team http://ift.tt/2jmxWcI

IBM Security Bulletin: Vulnerabilities in Apache POI affects IBM InfoSphere Information Server

Apache POI vulnerabilities were addressed by IBM InfoSphere Information Server.

CVE(s): CVE-2012-0213, CVE-2014-3574, CVE-2014-3529, CVE-2014-9527, CVE-2016-5000

Affected product(s) and affected version(s):

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 9.1, 11.3, and 11.5
IBM InfoSphere Metadata Workbench: versions 8.7, and 9.1
IBM InfoSphere Information Governance Catalog: versions 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k91x6F
X-Force Database: http://ift.tt/2dFdUrV
X-Force Database: http://ift.tt/2cOGReI
X-Force Database: http://ift.tt/2cOIhpQ
X-Force Database: http://ift.tt/2dFfcmC
X-Force Database: http://ift.tt/2dFewhf

from IBM Product Security Incident Response Team http://ift.tt/2k8Wl2r

IBM Security Bulletin: Vulnerabilities in Open Source Expact affect Tivoli Network Manager IP Edition

Vulnerabilities in Open Source Expat affect Tivoli Network Manager IP Edition. Tivoli Network Manager IP Edition has addressed the applicable CVEs

CVE(s): CVE-2012-6702, CVE-2016-5300, CVE-2012-0876, CVE-2012-1147, CVE-2012-1148

Affected product(s) and affected version(s):

Tivoli Network Manager IP Edition 3.9.0 – 3.9.0.5
Tivoli Network Manager IP Edition 4.1.1 – 4.1.1.1
Tivoli Network Manager IP Edition 4.2.0 – 4.2.0.1
Impact: Alcatel5620SamSoapFindToFile Collector, Collector Finder and Collector Helper use Expat XML Parser library

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k8YoDO
X-Force Database: http://ift.tt/2dmagTH
X-Force Database: http://ift.tt/2cwoPxW
X-Force Database: http://ift.tt/2aA9yyg
X-Force Database: http://ift.tt/2az7wLo
X-Force Database: http://ift.tt/2aAaouW

from IBM Product Security Incident Response Team http://ift.tt/2k90F1E

IBM Security Bulletin: IBM Forms Experience Builder is vulnerable due to Apache Tomcat and Apache Commons FileUpload Vulnerabilities (CVE-2016-3092)

IBM Forms Experience Builder could be susceptible to a denial of service, caused by an error in the Apache Commons FileUpload component.

CVE(s): CVE-2016-3092

Affected product(s) and affected version(s):

IBM Forms Experience Builder 8.5
IBM Forms Experience Builder 8.5.1
IBM Forms Experience Builder 8.6

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k93MH4
X-Force Database: http://ift.tt/2bozrA8

from IBM Product Security Incident Response Team http://ift.tt/2k8WRNS

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Systems Director Storage Control

There are multiple vulnerabilities in IBM®Runtime Environment Java™Technology Edition, Version 6 that is used by IBM Systems Director Storage Control. These issues was disclosed as part of the IBM Java updates for January 2016, July 2016 and October 2016.

CVE(s): CVE-2016-0475, CVE-2015-7575, CVE-2016-3485, CVE-2016-5573, CVE-2016-5597

Affected product(s) and affected version(s):

From the IBM Systems Director command line enter smcli lsver to determine the level of IBM Systems Director installed.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2k8WAdP
X-Force Database: http://ift.tt/1WhPgug
X-Force Database: http://ift.tt/1TnIyR8
X-Force Database: http://ift.tt/2b7G65u
X-Force Database: http://ift.tt/2eDrVCd
X-Force Database: http://ift.tt/2e5pD2s

Affected Product and Version(s)	Product and Version shipped as a component
IBM System Director Storage Control 4.2.6	IBM Systems Director 6.3.5
IBM System Director Storage Control 4.2.7	IBM Systems Director 6.3.6
IBM System Director Storage Control 4.2.8	IBM Systems Director 6.3.7

from IBM Product Security Incident Response Team http://ift.tt/2k93LD7

Over 70% of Washington DC's CCTV Were Hacked Before Trump Inauguration

Just days before the inauguration of President Donald Trump, cyber criminals infected 70 percent of storage devices that record data from feds surveillance cameras in Washington D.C. in a cyber attack.

Any guess, What kind of virus could have hit the storage devices?

Once again, the culprit is Ransomware, which has become a noxious game of Hackers to get paid effortlessly.

Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom in Bitcoins in order to help victims unlock their files.

But over time, the threat has changed its way from computers and smartphones to Internet-of-Thing (IoT) devices.

Ransomware Infected 70% Surveillance Cameras in Washington D.C.

This time the hackers managed to plant ransomware in 123 of its 187 network video recorders, each controlling up to four CCTVs used in public spaces throughout Washington D.C, which eventually left them out from recording anything between 12 and 15 January.

Officials told the

Washington Post

that the incident forced them to take the storage devices offline, remove the infection and rebooted the systems across the city, but did not fulfill any ransom demands by the hackers.

While the storage devices were successfully put back to rights and the CCTV cameras were back to work, it is still unclear if any valuable data was lost or if the ransomware infection merely crippled the affected computer network devices.

Washington's chief technology officer Archana Vemulapalli said the officials are now investigating the source of hacking, assuring that the incident was limited to the storage devices tied to closed-circuit TV system and did not affect other D.C. government networks.

Rise in Ransomware: Both in Numbers and Sophistication

Ransomware is the hackers sure-shot way to get paid effortlessly. The threat has been around for a few years, but nowadays it has become one of the most used types of hacking methods.

Recently, hundreds of guests of a luxurious hotel in Austria were

locked out of their rooms

when ransomware malware hit the hotel's IT system, and the hotel paid the attackers to get back the control of their systems.

We saw an enormous rise in Ransomware threats, both in numbers and sophistication. You would be surprised to know about

KillDisk data wiping ransomware

that encrypts files and asks for an unusually large ransom of around $218,000 in Bitcoins, but did not provide decryption keeps even after the payment has made.

Another weird ransomware variant was

Popcorn Time

that was designed to give victims options to either pay a ransom to hackers or infect two more people and have them pay the ransom to get a free decryption key.

Prevention is the Best Practice

The only safe way of dealing with ransomware is prevention. The best defense against Ransomware malware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.

Most viruses and infections are introduced by opening infected attachments or clicking on malicious links usually served in spam emails. So, don't click on links provided in emails and attachments from unknown sources.

Besides this, always ensure that your systems and devices are running the latest version of Antivirus software with updated malware definitions.

from The Hacker News http://ift.tt/2kLyBRf

Used iPhones: Apple quietly kills tool to check lock status of secondhand devices

Sunday, January 29, 2017

Singapore business cyber confidence is probably cyber delusion

WordPress patches dangerous XSS, SQL injection bugs

Former NSA lawyers blast US border plans to collect contacts lists, web histories

Ransomware Hijacks Hotel Smart Keys to Lock Guests In and Out of the Rooms

What's the worst that could happen when a Ransomware hits a Hotel?

Recently, hundreds of guests of a luxurious hotel in Austria were locked in or out of their rooms when ransomware hit the hotel's IT system, and the hotel had no choice left except paying the attackers.

Today, we are living in a digital age that is creating a digital headache for people and organizations around the world with cyber attacks and data breaches on the rise.

Ransomware

is one of them.

The threat has been around for a few years, but during 2016, it has turned into a noxious game of Hackers to get paid effortlessly by targeting hospitals, Universities, private businesses and even police departments and making hundreds of millions of dollars.

Now, the

Romantik Seehotel Jäegerwirt 4-Star Superior Hotel

has admitted it paid €1,500 (£1,275/$1,600) in Bitcoin ransom to cybercriminals who managed to break into their network and hack their electronic key card system that prevented its guests from entering or leaving their rooms.

The luxury hotel with a beautiful lakeside setting on the Alpine Turracher Hoehe Pass in Austria, like several other hotels in the industry, has a modern IT system that includes key cards for its hotel doors, which could not be programmed.

Also Read: This Tool Detects Never-Seen-Before Ransomware Before It Encrypts Your Data

According to the hotel management, the hotel has been hit multiple times by hackers, but this time they managed to take down the entire key system, preventing its guests to getting in or going out of their rooms,

reported

The Local.

Besides gaining control of the electronic key system, the hackers even gained control over the general computer system, shutting down all hotel computers, including the reservation system and the cash desk system.

Once the hotel made the payment, the system was completely restored that allowed the hotel staff to gain access to the network and hotel guests to enter and exit their rooms.

What's interesting? Even after the hotel fulfilled the hackers demand, the hackers left a backdoor to the hotel system in an attempt to conduct another cyber attack later.

Fortunately, the security standards of the hotel had been improved by its IT department, and critical networks had been separated to thwart the attack, giving attackers no chance to harm the hotel again.

Furious hotel managers decided to go public with the incident to warn others about the dangers of cyber attack, with Managing Director Christoph Brandstaetter said:

"The house was totally booked with 180 guests; we had no other choice. Neither police nor insurance helps you in this case.

The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found.

Every euro that is paid to blackmailers hurts us. We know that other colleagues have been attacked, who have done similarly."

The Ransomware had stolen the nights of many businesses and organizations, as they would often be blamed to fight up to this nasty threat.

Ransomware criminals often demand the ransom in Bitcoin (BTC) for the surety of not getting caught, as Bitcoin transactions are non-trackable due to its decentralized nature.

The frequent payment to Ransomware encourages criminals to stash the cash and develop a more enticing framework for the next target. So, instead of paying or encouraging this scheme, keep your software and systems updated and avoid clicking suspicious links.

from The Hacker News http://ift.tt/2kfD6Xj

Saturday, January 28, 2017

Police Arrest 5 Cyber Thieves Who Stole 3.2 Million From ATMs Using Malware

Law enforcement authorities from Europe and Russia have arrested five members of an international cyber criminal gang for stealing $3.2 million cash from ATMs using malware.

Three of the suspects, Andrejs Peregudovs (41), of Latvia, Niklae Penkov (34) of Moldova, and Mihail Colibaba (30) of Romania, were arrested in Taiwan by the Taiwanese Criminal Investigation Bureau last summer, have already been

sentenced

to 5 years in prison for their role in a massive ATM heist operation, involving

22 individuals

from 6 countries.

The European-based cyber criminal gang used a variety of different hacking techniques to infect ATMs with malware and force them to dispense cash.

According to Europol that began its investigation in early 2016, the gang used spear-phishing emails containing malicious attachments to target bank employees and penetrate the bank's internal networks.

From there, the cyber crooks then located and hacked into the network of ATMs from the inside, and used a malicious software program to delete almost all traces of their activities.

However, three suspects have already been arrested convicted, one has been arrested by the Romanian National Police, and one arrest has been made by the Belarusian Central Office of the Investigative Committee.

Europol estimates the five arrested suspects caused damages to banks of around $3.2 Million, although in some cases,the stolen money was partially recovered from the criminals after the cashing-out.

The ruling three of them will be deported back to their home countries, when their jail terms will end.

Here's the statement by Steven WILSON, Head of Europol's European CyberCrime Centre (EC3):

"The majority of cyber crimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice."

Europol did not provide names of any of the five criminals arrested, but has credited the success of its investigation to international cooperation by police across the world.

Europol's European CyberCrime Centre (EC3) assisted the investigation by organizing operational meetings in Europe and Asia, providing analytical support, as well as analyzing the seized data and equipment.

from The Hacker News http://ift.tt/2kx9RN9

Google becomes its own Root Certificate Authority

In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority.

In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like:

Giving more preference to HTTPS websites in its search rankings than others.

Warning users that all HTTP pages are not secure.
Starting an industry-wide initiative, Certificate Transparency − an open framework to log, audit, and monitor certificates that CAs have issued.

However, Google has been relying on an intermediate Certificate Authority (Google Internet Authority G2 - GIAG2) issued by a third party, with the latest suppliers being GlobalSign and GeoTrust, which manages and deploys certificates to Google's products and services.

Google announced Thursday the creation of its own certified, and independent Root Certificate Authority called

Google Trust Services

, allowing the company to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, instead of relying on third party certs.

"As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology," writes Ryan Hurst, product manager at Google, in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."

The newly established Google Trust Services (GTS) will issue certificates on behalf of Google and parent company Alphabet.

Like others, Google Trust Services can now be used to sign other subordinate certificates to authenticate the identity of other websites.

However, the process of embedding root CAs into products can take time, so Google acquired two existing Root Certificate Authorities from

GlobalSign: R2 and R4

The acquisitions will allow independent certificate issuance from the company "sooner rather than later."

Developers, who will have to include the new Root Certificates into their services, can head to the Google's

official announcement

for more details about the newly established Google Trust Services (GTS).

from The Hacker News http://ift.tt/2kE6HdW

Friday, January 27, 2017

USN-3165-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-3165-1

27th January, 2017

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:: thunderbird 1:45.7.0+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:: thunderbird 1:45.7.0+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: thunderbird 1:45.7.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: thunderbird 1:45.7.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905, CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396

from Ubuntu Security Notices http://ift.tt/2kbEBFK

USN-3175-1: Firefox vulnerabilities

Ubuntu Security Notice USN-3175-1

27th January, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software description

firefox - Mozilla Open Source web browser

Details

Multiple memory safety issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5377)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some circumstances.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5380)

Jann Horn discovered that the "export" function in the Certificate Viewer
can force local filesystem navigation when the Common Name contains
slashes. If a user were tricked in to exporting a specially crafted
certificate, an attacker could potentially exploit this to save content
with arbitrary filenames in unsafe locations. (CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used to
capture errors and exceptions generated by privileged content. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5382)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is exposed
to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
user has enabled Web Proxy Auto Detect (WPAD), an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked in to
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDOS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the mozAddonManager
API by modifying the CSP headers on sites with the appropriate permissions
and then using host requests to redirect script loads to a malicious site.
If a user were tricked in to installing a specially crafted addon, an
attacker could potentially exploit this to install additional addons
without user permission. (CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially exploit
this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a publicly
accessible site. If a user were tricked in to installing a specially
crafted addon, an attacker could potentially exploit this, in combination
with a cross-site scripting (XSS) attack on Mozilla's AMO sites, to
install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5396)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:: firefox 51.0.1+build2-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:: firefox 51.0.1+build2-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: firefox 51.0.1+build2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox 51.0.1+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393, CVE-2017-5396

from Ubuntu Security Notices http://ift.tt/2kcfnaC

Matryoshka Doll Reconnaissance Framework

Facebook Adds FIDO U2F Security Keys Feature For Secure Logins

Hacking password for a Facebook account is not easy, but also not impossible.

We have always been advising you to enable two-factor authentication — or 2FA — to secure your online accounts, a process that requires users to manually enter, typically a six-digit secret code generated by an authenticator app or received via SMS or email.

So even if somehow hackers steal your login credentials, they would not be able to access your account without one-time password sent to you.

But, Are SMS-based one-time passwords Secure?

US National Institute of Standards and Technology (NIST) is also no longer recommending

SMS-based two-factor authentication systems

, and it’s not a reliable solution mainly because of two reasons:

Users outside the network coverage can face issues
Growing number of sophisticated attacks against OTP schemes

So, to beef up the security of your account, Facebook now

support

Fido-compliant Universal 2nd Factor Authentication (U2F), allows users to log into their Facebook account using a physical security key, such as the

YubiKey

, instead of relying on a one-time passcode sent via text message or email.

Compared with the traditional authentication protocols, Universal 2nd Factor Authentication (U2F) is a hardware-based authentication aims to simplify, fasten and secure two-factor authentication process.

U2F standard as a security feature has already been implemented by major companies including Google, Dropbox, GitHub, Salesforce and supported by Chrome and Opera web browsers.

The best thing about this standard is that one tiny little device can be used to authenticate with any number of online services and no mobile connection or batteries are required.

These hardware-based security keys are easy to use and deploy. You just need to simply plug-in the inexpensive USB device (which starts at about $10) into your computer's USB port to get into your Facebook account from any computer anywhere.

Ready to activate your security key for your Facebook account?

Go to Security settings of your Facebook account.
Open Login Approval and Click "Add Key" shown in front of 'Security Key.'
'Add Key ' and Facebook will ask you to "Insert your security key into a USB port."

Note:

Hardware-based Security Key will only work if you're using the Chrome or Opera browser.

For more detailed instructions on setting up a security key, you can head on to this

page

How to Authenticate to your Account using the Fido-compliant U2F device? Simple, whenever next time you log into your Facebook account you'll be asked to plug your security key into the USB slot.

Once you plug in, the tiny device generates an encrypted, one-time security passcode for use in two-factor authentication (2FA) systems and logs you into your Facebook account.

These hardware-based security keys are thought to be more efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than 2FA via SMS, as even if your credentials are compromised, account login is impossible without that physical key.

"By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen 'shared secrets' like passwords and one-time-passcodes," said Brett McDowell, executive director of the FIDO Alliance.

At this moment, security key logins for the mobile Facebook app is not supported, but users with NFC-capable Android device and the latest version of Chrome and Google Authenticator installed can use a security key to log in from their mobile website.

from The Hacker News http://ift.tt/2kaFiPR

Organised cybercrime gang members arrested after ATM attacks

My advice to President Trump: Keep the private email servers, ditch the Android phone, and Tweet on!

Ex top Mozilla dev to Windows users: Ditch all antivirus except Microsoft's Defender

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2016-5554, CVE-2016-5542)

There are multiple vulnerabilities in IBM® Runtime Environment that are used by IBM Rational Directory Server (Tivoli) and IBM Rational Directory Administrator. These issues were disclosed as part of the IBM Java SDK updates in October 2016. New product iFixes do not include the JRE. Install an updated JRE and a new iFix to resolve these issues.

CVE(s): CVE-2016-5554, CVE-2016-5542

Affected product(s) and affected version(s):

Rational Directory Server (Tivoli) v5.2.1 iFix 8 and earlier
Rational Directory Administrator v6.0.0.2 iFix 3 and earlier

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2kBbe0F
X-Force Database: http://ift.tt/2eDqzaq
X-Force Database: http://ift.tt/2e5s2Ku

from IBM Product Security Incident Response Team http://ift.tt/2kB7rwk

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BladeCenter Networking Switch products (CVE-2016-2183)

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM BladeCenter Networking Switch products. The IBM BladeCenter Networking Switch products below have addressed the applicable CVE. Vulnerability Details:

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

Product	Fix Version
IBM 1/10Gb Uplink Ethernet Switch Module	6.8
IBM 1/10Gb Uplink Ethernet Switch Module	7.4
IBM Virtual Fabric 10Gb Switch Module	6.8
IBM Virtual Fabric 10Gb Switch Module	7.8
IBM Layer 2/3 GbE Switch Module (GbESM)	5.3
IBM Layer 2/7 GbE Switch Module (GbESM)	21.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2kB3XtT
X-Force Database: http://ift.tt/2fn630l

from IBM Product Security Incident Response Team http://ift.tt/2kBg0LP

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System Networking Switch products (CVE-2016-2183)

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM Flex System Networking Switch products. IBM Flex System Networking Switch products have addressed the applicable CVE. Vulnerability Details:

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

Product	Affected Version
IBM Flex System Fabric EN4093R 10Gb Scalable Switch	7.8.15.0
IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch	7.8.15.0
IBM Flex System Fabric SI4093 System Interconnect Module	7.8.15.0
IBM Flex System EN2092 1Gb Ethernet Scalable Switch	7.8.15.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2kB3Zlv
X-Force Database: http://ift.tt/2fn630l

from IBM Product Security Incident Response Team http://ift.tt/2kB9kx2

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM System Networking RackSwitch products (CVE-2016-2183)

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM System Networking RackSwitch products. IBM System Networking RackSwitch products have addressed the applicable CVE. Vulnerability Details:

CVE(s): CVE-2016-2183

Affected product(s) and affected version(s):

IBM System Networking RackSwitch	Affected Version
IBM RackSwitch G8052	7.9
IBM RackSwitch G8052	7.11
IBM RackSwitch G8124/G8124-E	7.9
IBM RackSwitch G8124/G8124-E	7.11
IBM RackSwitch G8264	7.9
IBM RackSwitch G8264	7.11
IBM RackSwitch G8264CS	7.8
IBM RackSwitch G8264T	7.9
IBM RackSwitch G8316	7.9
IBM RackSwitch G8332	7.7

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2kBcT6r
X-Force Database: http://ift.tt/2fn630l

from IBM Product Security Incident Response Team http://ift.tt/2kB8VL0

Trump aides' use of encrypted messaging verges on violating records law

Chrome 56: Google starts slapping 'not secure' on HTTP payment and login pages

Breach Database Site 'LeakedSource' Goes Offline After Alleged Police Raid

The biggest mistake companies make with data security is leaving all their secrets unprotected at one place, which if attacked, they are all gone in one shot.

An unnamed law enforcement agency has reportedly accessed billions of compromised usernames, email IDs, and their passwords, collected by LeakedSource, a popular breach notification service.

LeakedSource that exposed some of the largest data breaches in 2016, including

DailyMotion

Rambler.ru

Last.fm

VK.com

Weebly, and Foursquare

, might be facing a permanent shut down after law enforcement officers

allegedly

raided its operator.

The LeakedSource website that allowed visitors to look up for their account details that had been collected from multiple data breaches has suddenly disappeared, and its associated social media accounts have been suspended.

The data breach aggregation service had always been criticized for its unethical policy of allowing anyone to look up hacked account details, rather than discreetly notifying compromised account owners.

The service, which indexed more than 3.1 billion compromised accounts records last year, also sells access to the full archive for which it charges a membership fee.

Although there is no official announcement from the company or any law enforcement agency, an online OGFlip forum post made shortly after the site's takedown claims LeakedSource has been raided and the police have seized all the data hosted on it.

Here's the

message

from a person using the handle LTD wrote on OGF forum:

"Leakedsource is down forever and will not be coming back. Owner raided early this morning. Was not arrested, but all [solid state drives (SSD)] got taken, and LeakedSource servers got subpoenaed and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong."

LeakedSource made headlines last year for indexing the leaked data compromised during the high-profile data breach in

MySpace

Twitter

, and

Weebly

While it is not clear whether LeakedSource hard drives and servers were located, or was actually raided, and if true, which law enforcement agency conducted the raid, the website is still unavailable.

from The Hacker News http://ift.tt/2kAaLMc

President Trump's @POTUS Twitter Linked To A Private Gmail Account

It seems like the new American President's Twitter account could easily be hacked due to security blunders he made with the most powerful Twitter account in the world, experts warned.

Days after we got to know that the newly inaugurated President Donald Trump was still using his old, insecure Android smartphone, it has now been revealed that the official @POTUS Twitter account was linked to a private Gmail account.

Since we are already aware of the potential scandal with government officials using outside email systems following the hack of private e-mail servers of

Hillary Clinton

and

George W. Bush

, the choice of using private, non-government email address by Trump has raised serious concerns about the security of the White House's closely watched account.

To gain control of the official

@POTUS

Twitter account, which may or may not is secured with some form of

two-factor authentication

, all an attacker needs to do is hack the email address associated with the account, which controls the password reset process.

A hacker, @WauchulaGhost, who discovered this issue also reported similar weaknesses in the email linked to the First Lady Melania Trump (@FLOTUS) and VP Mike Pence (@VP), said

CNN

WauchulaGhost, who took down more than 500 ISIS Twitter accounts in the past, said he would not hack the @POTUS Twitter account or Twitter accounts of other White House officials; instead, he just wanted to issue a warning to upgrade the security of these accounts.

Fortunately, all those Twitter accounts were switched over to the White House-affiliated private email clients by just yesterday morning, but so far only Trump's personal Twitter account is apparently protected by two-factor verification, which requires users to enter a one-time passcode sent to their phone.

Also Read: Donald Trump's Email Servers are Horribly Insecure — Researcher Reveals

However, Trump's personal Twitter account still involves some substantial information security risks, since he is still using the insecure device to post messages from the White House, according to numerous

reports

quoting unnamed White House sources, which could allow malicious actors to gain access to the account through his phone itself.

Trump Press Secretary May Have Just Tweeted His Password, Twice!

Another example of security blunders came yesterday when Press Secretary Sean Spicer believed to have tweeted his own Twitter password — particular combination of letters and numbers (n9y25ah7) — by mistake.

And since the email address used for the Spicer's Twitter account (@PressSec) was already known, it would have taken just a few seconds to log into it.

Overall, it is not a good start for the nascent Trump administration as far as cyber security is concerned. And if this continues, the new president will be the next target for hackers.

from The Hacker News http://ift.tt/2k9ZZvw

Thursday, January 26, 2017

NCIIPC: It's Time to Step Forward And Protect Our Critical Infrastructures from Cyber Attacks

The IT threat landscape has changed dramatically over the last three-four years.

With no shortage of threat actors, from hacktivists to nation-states, criminals to terrorists, all of them are now after something new.

It's no more just about stealing your money, credit cards and defacing websites, as now they are after the intellectual property, mass attacks and most importantly, our critical infrastructures.

We have long-discussed nightmare scenarios of cyber attacks against nation's critical infrastructure, but now these scenarios have come to the real world, and we have seen many such incidents in the past years.

The latest example is

cyber attacks against Ukrainian power grid

. Just two weeks back, Ukraine's national power company

Ukrenergo

confirmed that electricity outage on 17-18th December last year was caused by a cyber attack.

Such sophisticated cyber attacks have revealed the extent of vulnerabilities in the systems that are operating the most critical sectors in a country.

Around 13 years ago, the Indian government established the Computer Emergency Response Team (

CERT-In

), and just like CERTs in other nations; it is responsible for collecting and sharing reports on cyber attacks against non-critical systems.

Every minute, we see about half a million attack attempts that are happening in cyberspace.

But, we are living in a dramatically fast changing world and unfortunately, which now includes threats not only against people, places, and information but also against strategic sectors and critical infrastructure of a nation, for which most organizations were never prepared for.

In order to address cybersecurity of critical infrastructure and evolve related practices, policies, and procedures to protect our most critical properties, the government set up a special body in 2014, named NCIIPC.

NCIIPC

—

National Critical Information Infrastructure Protection Centre

— works under the country's technical Intelligence Agency, NTRO and vowed to work with public and private sectors to identify the nation's most critical assets and systems, and help them to create a foolproof firewall around these networks and overall risk management strategies.

Just last week, NCIIPC organized an event to celebrate its third anniversary of its foundation day, and I got an opportunity to attend the event and represent The Hacker News, among others, including — cyber security experts, policymakers, industry leaders, Academia and Government representatives.

The event aimed to provide a platform for all stakeholders of the CII ecosystem to converge, deliberate and formalize action plans for optimizing and improving protection of the vast array of CII deployed across the nation.

Here's a brief of last week's main events, in case you've missed them:

The event was inaugurated with the welcome address from Mr. Alok Joshi, Chairman NTRO, who briefly said that the cybersecurity threats are becoming more severe over time.

Attacks are happening now… but not only this, it is constantly changing and, in the case of cyber, the threats are becoming ever more sophisticated and insidious.

And It’s true, everything is under attack… from highly critical infrastructures to medical devices.

Mr. Joshi’s talk was followed by Dr.Arvind Gupta, Deputy National Security Advisor (NSA), Chief guest for the event, who primarily focused his talk on critical issues originated due to a massive number of unreported cyber-attacks.

He also showed support for the need of developing capabilities to strengthen cybersecurity research and development (R&D) community, which must include researchers, industry experts, and academia.

The event also witnessed insightful keynotes including Dr.Gulshan Rai, India’s first National Cyber Security Coordinator and Dr. Sanjay Bahl, Director General CERT-In.

Both officials collaboratively said that NCIIPC is intended to promote collaboration and information sharing between government and industry to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation.

Moreover, delegates also discussed the security of

Internet of Things

-- the next generation critical Infrastructure.

Just as critical infrastructure is essential for everyday living, the rapidly growing "Internet of Things" is changing the way we use technology and helping people live more efficiently.

So, it has been concluded that to prevent our critical assets from sophisticated cyber attacks, we and organizations like NCIIPC, need to work together to identify the list of infrastructures that need special protection and know, who are after them.... waiting for opportunities to harm nation's economy and steal our secrets.

from The Hacker News http://ift.tt/2k8rDbP