Posted by Kevin on October 16, 2014.
The ITsecurity daily security briefing: Thursday, October 16, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
NEWS ONLY TODAY
New York Times nytimes.com Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)
“The vulnerability occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013…
“However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.”
New privacy and civil liberties board to look at security policy, says Nick Clegg
“Legislation is to be introduced shortly setting up a privacy and civil liberties board within government to counterbalance the strong security interests in Whitehall, the deputy prime minister has said.
“Nick Clegg said the details of the civil liberties board were being worked on but it would be modelled on its equivalent American body, which scrutinises policy initiatives at an early stage for their potential impact on privacy and civil liberties.”
The devil will obviously be in the detail, but notice the phrase ‘within government’. How is that going to be any different to the existing nod-through oversight ‘within government’?
So is the Anonabox genuine or a fraud?
“Hi everyone, this is August Germar, the anonabox Kickstarter developer. I had a good time doing the AMA on the /tor section of Reddit the other night, and now I am flattered to see someone has made a whole new reddit section just for this. I’m so amazed to see the outpouring of interest in this project!”
The interest, however, is not all favourable.
“So everyone noticed the massive hype about Anonabox router that is supposed to be used for automatic ‘anonymization’ worldwide.
“I didn’t like it from the start, considering I’ve been using the same on Raspberry Pi, WR703n clone called Gl-iNet (powered by OpenWRT) and because it looked like devices mentioned above.
“What really pissed me off is because they said THEY had built FOUR prototypes before.”
But Germar responded in an email to El Reg:
“The engineer who designed the board for us didn’t start with an empty canvas [because] it would take too much time. He used files he had from other customers and projects and modified them to meet our specs.
“This is pretty normal, and it’s partially why devices such as cellphones all look the same.”
FBI warns U.S. businesses of cyber attacks, blames Beijing
“The U.S. Federal Bureau of Investigation warned U.S. businesses on Wednesday that hackers it believes to be backed by the Chinese government have recently launched attacks on U.S. companies.
“The ‘flash’ warning described tools and techniques used by the hackers and asked companies to contact federal authorities if they believe they are the victims of such attacks.
“‘These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People’s Liberation Army Unit 61398 . . . whose activity was publicly disclosed and attributed by security researchers in February 2013,’ said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
“Indeed, U.S. officials say privately, the activities of this group are just as significant — if not more so — than those of Unit 61398.”
The Washington Post:
Software Companies Now on Notice That Encryption Exports May Be Treated More Seriously: $750,000 Fine Against Intel Subsidiary
“On October 8, 2014, the Department of Commerce’s Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List.
“Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations.
“We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations.”
SQL injection in Drupal core
“A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
“This vulnerability can be exploited by anonymous users.”
Gavin Millard, EMEA technical director at Tenable Network Security, comments, “The SQL injection vulnerability in Drupal… is not just significant but should be considered high risk. In the wild, this flaw could allow any attacker to run commands on the webserver, without authentication taking place, leading to data exfiltration or further exploitation. To add context, approximately 900,000 websites were running the vulnerable versions of Drupal at the last count, all of which will need to be patched immediately.”
So patch ASAP!
LulzSec attack on the Sun newspaper instigated by FBI informant
The news report that appeared on the Sun newspaper website claiming that Rupert Murdoch had been found dead in his garden was typical LulzSec — hacking for the hell of it.
But Motherboard now reports that the hack had been urged by Hector Monsegur (Sabu) while he was cooperating with the FBI. According to a statement from the Sun, the FBI never warned them about the attack, either before or after it happened.
So, if Sabu was working for the FBI at the time, is the FBI or LulzSec responsible for the hack?
“‘What’s most interesting to me is how the FBI, DOJ, and perhaps others used Monsegur, or ‘Sabu,’ to catch other hackers,’ said Michael Ratner, an attorney for WikiLeaks who is familiar with the case, in a phone interview with Motherboard. ‘Who should be on trial here isn’t Hammond, and isn’t Sabu, but the federal government which used this group of hackers to penetrate other websites as well as foreign countries.’”