Image by kryptyk via Flickr

Oracle issued an emergency patch to fix a denial of service(DoS) vulnerability in Oracle HTTP server products that are based on the Apache Web server 2.0 and 2.2.

Attack Details
—————–
With this attack any exploiter can remotely send large chunk of data in the header without any authentication or requiring  any username and password. When the server tries to process the data, memory and CPU resources are exhausted, resulting in a DoS attack. This bug is known since long but a  security researcher [kingscope] posted an “Apache Killer” Perl script on Full Disclosure mailing list in August; which made it easier to launch such attacks.

National Vulnerability Database (NVD) has assigned a Common Vulnerability Scoring System (CVSS) score of 7.8 to this vulnerability – Common Vulnerability and Exposures -2011-3192.

Oracle strongly recommended customers to apply Security patch as soon as possible since this patch is released out of the regular quarterly cycle of updates.

via Wikipedia

Microsoft has announced advance notification for 13 security bulletins to address 22 vulnerabilities in Windows XP/7/Vista/Server 2008, Office, Internet Explorer, .NET and Visual Studio for August 9, 2011.

Two among 13 bulletins are rated as critical [highest severity] to prevent attacks related to remote code execution. Check the bulletin summary below

Security Bulletin Summary

Full version of Microsoft Security Bulletin Advance Notification for August: http://www.microsoft.com/technet/security/bulletin/ms11-aug.mspx.

Image via Wikipedia

Security researchers [Sergey Golovnoav & Igor Soumenkov] at Kaspersky Lab have posted a detailed analysis of new botnet called TDL-4 and calling it as –>  the one that might just be “indestructible”. TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers.

TDL-4 is distributed via adult sites, bootleg websites, and video and file storage services where affiliates receive between $20 to $200 for every 1,000 installations of TDL. The [TDL-4] botnet have already infected  more than 4.5 million computers and is used by hackers to manipulate adware, search engines, to provide anonymous internet access and acts as a launch pad for other malware’s.

TDL loads into the MBR and messes with Windows memory even before the OS loads, injecting malware right into Windows right from the start when there is no security at place. [MBR: Master Boot Record is responsible for bootstrapping/loading the OS].

As per Kaspersky Labs “key threat” from TDL-4 type botnet is that even if the control servers are seized and shut down, botnet owners will not loose complete control because of its peer to peer networking capabilities.

TDL seems to be dodgy, well planned and smartly implemented and can be a tough analysis problem for security researchers. But History tells us its the ethical guys or investigators/security researchers have taken down all malware’s sooner or later and the challenge is open again for them.

Note:

• Conficker was taken down  last year.
• Rustock botnet [world's biggest source of SPAM] was shut down after Microsoft and US authorities located and seized its control servers.

Image via Wikipedia

Yesterday Nyleveia revealed a new vulnerability in Sony PSN password reset page. The hack involves PSN web-based password reset page, where it’s said anyone can change someone else’s password using their PSN account email and date of birth (details possibly collected by hackers in April breach). Eurogamer’s also claiming to have seen actual video footage of PSN password exploit/hack in action.

Whatever the case maybe when I tried to login through PSN site –> following maintenance page is displayed

Sony started phased relaunch of PlayStation Network last week with updated software , customer appreciation program (free games) and promise of higher standards for security.

Sony also confirmed the hack or to be precise the “URL exploit”  and has taken the PSN login and password reset page down for maintenance. Even though Sony says PSN login page is down for maintenance  to improve the password reset process. Nyleveia says “system went down approximately 15 minutes after I received a response from SCEE [Sony Computer Entertainment Europe] on the matter.”

Image via Wikipedia

This risk pertains to using your Android to connect to Facebook, Twitter and some Google services over unencrypted wireless networks. The apps for this services communicate over clear text which can intercepted by an eavesdropper. Google services which are vulnerable to eavesdropping are Google Calendar and Google Contacts. The attack is possible to all Google services using the ClientLogin authentication protocol for access to its data APIs.

ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests send over unencrypted http, an adversary can easily sniff the authToken (e.g. with Wireshark). Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API. For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures.
What can the attacker do?
The attack is similar to session stealing(Sidejacking). It is similar to what FireSheep had done.
The attacker can setup a rogue access point and get the victims to connect through his access point. The attacker can then attempt to impersonate the users and modify the information stored in their accounts

Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code !!!!

“WTF <yourname> I can’t believe you’re in this vid” or
“ROFL <yourname> i cant believe youre tagged in this video”

Sample Wall Post

Its a new scam spreading on Facebook. Don’t open or click on this link else it will be posted to all your friends wall, esp. copy any URL [java-script code] and paste in your browser navigation/location bar to help spread the message to all your friends.

Most importantly for the user who fall into such scams by clicking the link in impulse. Remember Facebook API doesn’t provide data about  if your friend are present in a video or which user has been visiting your profile.

If you are already hit by this scam, delete all related wall posts from your profile, change your password and update your friends about the scam or share this link on Facebook.

Image via Wikipedia

After a week’s shut down of PlayStation Network (PSN); Sony has publicly admitted that its 77 million users data has been compromised which includes

• names
• addresses
• date of birth
• email
• passwords
• or possibly users credit card details.

If you are a PSN user check your account statement, monitor credit reports and if you still have queries read the SONY outage FAQ for more details.

PSN is  online network that connects PlayStation 3 devices to the Internet and Sony cloud services. PS3 owners use  PSN to download games, buy/rent movies from the PlayStation Store, and to relish multilayer gaming across the world with PS3 users. Since PSN network is down users have no option except playing single-player mode. Sony says it expects to restore some services within a week.

As quoted in Sony Playstation Blog:
—————————————————————————————————————————————-

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

———————————————————————————————–

[UPDATE]

@hdmoore tweeted the link to actual mail sent to Playstation customers affected by the recent Sony breach

http://pastie.org/1842067

Following is a risk and tool matrix.

The article is a good reference point for someone looking forward for web application testing on the lines of OWASP

Full article can be found here:

http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

There’s another interesting article by Rakkhi Samarasekera which deals with mitigating OWASP top 10 without touching any code.

This might be useful for many legacy apps

http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html

Image via Wikipedia

Armorize, which runs cloud-based Web malware scanning service blogged about a newest Adobe flash 0-day which is being used in new drive-by download variations such as drive-by cache.

WARNING:- the blog of Armorize also contains the full exploit codes to the drive-by cache example.

Image via CrunchBase

As Microsoft April Advance Security Bulletin

Today Microsoft will be pushing huge updates and patches for multiple vulnerabilities across different versions of Microsoft Windows, Microsoft Office and Developer tools like .NET etc

Total of 64 vulnerabilities will be fixed across 17 bulletins from which 9  bulletins are rated as critical.

So get ready to install or plan for deploying the updates and another round of reboot to secure your machines from already disclosed vulnerabilities

Hey & who said IE6 is dead? I still see updates for IE6 in this Microsoft bulletin…..