* You are viewing the archive for May, 2011

Scant Facts Regarding Lockheed’s VPN System Takedown

What we know at this point:

UPDATE 28 May 2011 – US DHS has confirmed that Lockheed has experienced a network intrusion (http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529).

UPDATE 07 June 2011 – RSA has confirmed that data stolen from them was a factor in the Lockheed intrusion. RSA is offering to replace tokens for certain types of customers according to this: http://www.rsa.com/node.aspx?id=3891.

1). Lockheed’s entire VPN system was intentionally taken down by Lockheed
2). This happened about a week ago, and has been down the entire week
3). Lockheed is recalling all remote workers to the closest Lockheed offices to continue their … Continue Reading

WordPress 3.1.3 Released

WordPress version 3.1.3 contains both normal bugfixes and security-related changes. I have already upgraded this blog to the 3.1.3 release and it seems to work fine.

References:
http://codex.wordpress.org/Version_3.1.3

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Google Chrome 11.0.696.71 Released

Google Chrome 11.0.696.71 has been released for Windows, Mac, and Linux. The update includes fixes for 4 vulnerabilities, 3 of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

Commercial Grade Exploit Released for CVE-2011-0073 in Mozilla Firefox

White Phosphorus Exploit Pack version 1.12 for Immunity CANVAS now includes an exploit for CVE-2011-0073 in Mozilla Firefox versions 3.6.0 through to 3.6.16.

According to the vendor for White Phosphorus:

This module bypasses DEP and ASLR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.

(MOSDEF is Immunity CANVAS’ proprietary shell, like Meterpreter for Metasploit).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0073
http://blog.sharpesecurity.com/2011/04/29/mozilla-firefox-4-0-1-3-6-11-and-3-5-19-released/

Apache Portable Runtime 1.4.5 and APR Utility 1.3.12 Released

Apache Portable Runtime version 1.4.5 has been released. It contains a fix for a denial of service condition (CVE-2011-1928). Details are at the links below.

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3cBANLkTimWdBnKu8hS–O6HeXj_G=g9gfdxA@mail.gmail.com%3e
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928

Apache HTTP Server 2.2.19 Released

Apache HTTP Server 2.2.19 has been released. It contains one security fix for a denial of service condition. Details are at the links below.

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3c4DD92D02.70000@apache.org%3e
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419

Free MANDIANT Redline Malware Analysis Tool

MANDIANT might have just dealt another costly blow to HBGary’s Responder business with the release of their Redline memory dump and live system analysis tool. Considering what is available for free in this tool space (Volatility Framework 1.3 and 1.4, MANDIANT Memoryze, and now MANDIANT Redline) it is increasingly difficult to justify the $9000 USD upfront cost of HBGary Responder Pro plus the annual maintenance for Responder and HBGary DDNA (Digital DNA). It is awfully difficult to compete with free.

And unlike HBGary Responder Pro, I can actually reliably open up and analyze a Windows 7 RAM dump successfully … Continue Reading

Verizon Wireless’ Odd Use of Secure PDFs for eBilling Customers

I recently took a look at a suspected malicious email supposedly sent from Verizon Wireless. Despite looking possibly malicious at first glance, it turns out that the email was legitimate. Verizon Wireless is now offering a Secure eBill service that allows customers to elect to receive their bill in a secured PDF file. The Verizon “Secure eBill” service is described here: http://www.verizonwireless.com/b2c/splash/secure_ebill.jsp.

If your organization is similarly considering using secure PDFs for any customer contacts, I would suggest not going down that path. Some people might think this looks like a phishing attempt and might simply delete your emails.

Below are some screenshots of what this all looks … Continue Reading

Adobe Flash Player 10.3.181.14 Released

Adobe has released version 10.3.181.14 of their Flash player product for Windows.

References:
http://www.adobe.com/support/security/bulletins/apsb11-12.html

Google Chrome 11.0.696.68 Released

Google Chrome 11.0.696.68 has been released for Windows, Mac, and Linux. The update includes fixes for 2 vulnerabilities, both of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

Microsoft May 2011 Patch Tuesday Patches Released

There are only two bulletins this month. MS11-036 replaces the problematic MS11-022 patch from April 2011 that broke PowerPoint 2003 and 2002 slide decks with background images in their master slide. So if you have systems affected by that bug and didn’t roll out the hotfix for MS11-022 yet, that problem will go away as you deploy MS11-036.

No fix for the Outlook 2007 print preview printing problem was included in this month’s patches. That should appear the next time Microsoft releases Outlook 2007 patches.

References:
http://isc.sans.edu/diary/May+2011+Microsoft+Black+Tuesday+Overview/10855
http://www.microsoft.com/technet/security/bulletin/ms11-036.mspx

Duplicating Volatility Bioskbd Command Function on Live Windows Systems

I didn’t realize there was still much demand for pulling passwords from BIOS keyboard buffers until I saw that a “bioskbd” command had been added to the new 1.4 version of the Volatility Framework.

Examples of products that leak passwords in this manner:
Microsoft Bitlocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
SecurStar’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)

These passwords can be retrieved from a live … Continue Reading

Some Clarity Regarding Patching Microsoft Silverlight Runtimes

As of this writing (06 May 2011), there are four production versions of Microsoft Silverlight – versions 1 through 4. Silverlight 5 is currently in beta. According to Microsoft, they will still provide security patches as they see fit for all five versions of Silverlight. However, you can no longer receive free support for Silverlight versions 1 through 3. For normal usage, versions 1 and 2 went off support on 12 October 2010. Version 3 went off support on 12 April 2011.

If you use Silverlight in production at all, you should aim to … Continue Reading

Stopping Exploits of Symantec SAVCE 10.x AMS

Publicly available exploits exist (e.g. the GLEG pack for Immunity CANVAS) for Symantec AMS (Alert Management System) versions 10.1.8.8000 and below. For each affected server you have, you need to either disable AMS, uninstall it, or upgrade SAVCE 10.x to a patched version. Symantec AMS is an optional part of a SAVCE 10.x server installation that allows the SAV server to send email alerts and pages when events of interest happen. Disabling AMS doesn’t break reporting or any other function of SAVCE.

I recommend simply stopping and disabling the AMS services:
“Intel Alert Handler”
“Intel Alert Originator”
“Intel File … Continue Reading