Red Hat (belatedly) confirms security breach

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

Today’s acknowledgment is two-fold — an e-mail on the Fedora-Announce list and a critical Red Hat advisory — but some things surrounding the breach remain murky.

In the e-mail announcement, the group said it discovered the breach “last week” but there’s no mention of when it actually occurred.

It said that one of the Fedora servers was a system used for signing Fedora packages but insists with “high confidence” that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.

  • Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
  • While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In tandem with that announcement, Red Hat shipped a critical OpenSSH update to RHEL users that mentions an “intrusion on certain computer system” that compromised some OpenSSH packages.

  • In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.

The company insists the effects of the intrusion on Fedora and Red Hat are not the same.

  • Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.
[Source: zdnet]

Hex liveCD

HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis workflow logic must be enhanced and emphasized throughout the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to include on the liveCD, they have also tested them to make sure everything runs as smoothly as possible. To summarize the objective of HeX: they are trying to develop the first and foremost Network Security Monitoring & Network Based Forensics liveCD!

HeX Main Features

HeX Main Menu - A cleaner, more user-interface-oriented menu, at most four levels deep, that gives quick access to all the applications installed in HeX.

Terminal - This is exactly what you need, the ultimate analyst console!

Instant access to all the Network Security Monitoring (NSM) and Network Based Forensics (NBF) Toolkits via the Fluxbox menu. The tools are also categorized so that you know which one to use in a given scenario.

Instant access to the Network Visualization Toolkit, which lets you view network traffic graphically and helps you identify large-scale network attacks easily.

Instant access to Pcap Editing Tools, which you can use to modify or anonymize pcap data; this is especially useful when you want to share your pcap data.

The Network and Pentest Toolkits contain many tools for performing network- or application-based attacks. You can generate malicious packets with them and then study those packets using the analysis tools listed in the NSM-Toolkit and NBF-Toolkit.

While we think the HeliX liveCD is a better choice for a digital forensics arsenal, the Forensics-Toolkit can be considered an add-on for people who are interested in doing digital forensics.

Under Applications, there are Desktop, Sysutils and Misc; all of them are self-explanatory and contain user applications such as Firefox, Liferea, Xpdf and so forth. Additionally, Misc contains some useful scripts; for example, you can start the ssh service just by clicking on SSHD-Start.

You can download HeX 1.0.3 here:

hex-i386-1.0.3.iso

[Source: Rawpacket]

Where on earth are these Microsoft patches?

Lost in the shuffle of this month’s Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed “because of a last minute quality issue.”

Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns.

The explanation from Redmond:

  • Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.

This effectively means that millions of Windows users — WMP ships with every version of the desktop operating system — are exposed to a critical, code execution vulnerability that will not be fixed for at least another month.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

The missing WMP patch is just one of several known — and very serious — vulnerabilities that have not yet been patched by Microsoft. A few off the top of my head:

  1. Internet Explorer – Remember the Safari-to-IE blended threat from April? This vulnerability was reported to Microsoft back in 2006 and, despite issuing an advisory that embarrassed Apple into shipping a Safari fix, Microsoft has still not fixed the underlying code defect. Now, I’m hearing murmurings that this issue probably won’t be fixed until Windows 7. Boo!
  2. Token Kidnapping — Four months after shipping a pre-patch advisory confirming the severity of Cesar Cerrudo’s token kidnapping (.pdf) bug, Microsoft’s fix is still not available. This issue affects Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
  3. Ghosts in Browsers — It’s been more than three months since Manuel Caballero (now a Microsoft employee) went to Blue Hat and gave the scary ghosts-in-the-browser talk. Nate McFeters saw the carnage first hand and confirms that it affects “all browsers.” Since then, Sirdarckcat published details on IE browser flaws that extend to both IE 7 and IE 8 beta. Worse, they’re all still unpatched.
  4. Web Proxy Auto-Discovery — This man-in-the-middle WPAD issue, publicly discussed at Kiwicon last December, is another bug on Microsoft’s late list. An advisory with mitigations (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista) is available but still no patch. This issue also relates to all versions of Internet Explorer, including IE 7 for Windows Vista so it’s not insignificant.
  5. Print Table of Links (IE) - Aviv Raff’s discovery of a cross-zone issue affecting IE 7 and IE 8 beta is publicly known but, despite the availability of proof-of-concept code, there’s no fix yet from Microsoft.

If that list is not scary enough, take a peek at this upcoming advisories page maintained by TippingPoint’s Zero Day Initiative. It lists a whopping 20 unpatched vulnerabilities that have been reported to Microsoft, some more than 200 days ago.

Where on earth are these Microsoft patches?

I asked ZDI’s David Endler about this list and he confirmed they were all “high-risk” issues that were reported to Microsoft on the dates listed but he declined to discuss the status of individual vulnerabilities.

Microsoft has done a great job of improving its security posture and its relationship with hackers/researchers but the inability to issue patches in a timely manner is still a major problem.

The disclosure time-line in this Core Security advisory (scroll to bottom) shows just how frustrating it is to get Microsoft to stick to a patch release schedule. The two sides are discussing an IE vulnerability that was first reported in January 2008 but was delayed numerous times because of all kinds of (sometimes comical) hiccups.

The list above applies only to publicly known issues. Can you imagine what’s out there that’s not yet public?

* Image via Todd Bishop, Seattle PI.

[Source: zdnet]

Researcher discovers Nokia S40 security vulnerabilities, demands 20,000 euros to release details

As part of Security Explorations’ research program, Adam Gowdiak, a well-known researcher with a decent history of uncovered security issues, recently made an announcement regarding two security vulnerabilities affecting the implementation of mobile Java used by Sun and Nokia in their products, as well as 14 other security issues affecting different Nokia Series 40 devices, accompanied by 14,000 lines of proof-of-concept code, all presented in a 178-page research report. Where’s the catch? He’s asking for 20,000 euros per company for access to the paper and proof-of-concept code. Here’s an excerpt from his paper entitled “J2ME Security Vulnerabilities 2008”:

“The initial motive for this work was to verify security of proprietary Nokia devices and its Series 40 Platform in particular. For many years, no major threat had been uncovered for this family of Nokia devices. All of that regardless of increasing devices complexity and their very closed nature. Unfortunately, in a security research world, closed source/platform and complexity never go along with security. Thus, the motive for the research.

This paper presents the results of the research conducted from Feb 2008 till Jul 2008 in the area of security of Nokia Series 40 Platform devices and Java 2 Micro Edition (J2ME). It also contains information pertaining to security vulnerabilities discovered during the research process as well as detailed discussion of universal and reliable exploitation techniques for the aforementioned family of Nokia devices.”

Will vendors purchase the research, ignore it entirely, or try to reverse engineer his claims based on the already provided details in order not to pay?

While I’m fairly certain that they’ll try to reverse engineer his claims in order not to entice other researchers into holding their proof-of-concept code and demanding financial incentives for the research they’ve done, since the vendors themselves didn’t commission it in the first place, at least Gowdiak isn’t threatening to release it in the wild unless the vendor pays under a deadline.

This very same situation happened last year, when Vulnerability Discovery and Analysis (VDA) Labs demanded $5,000 for a security vulnerability that they found in LinkedIn’s toolbar, an offer that would have increased to $10,000 if LinkedIn didn’t pay by the deadline they set. Here’s a sample of the letter:

“We’ve discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We’d also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure,” DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET News.com.

The e-mail continues: “If you wouldn’t like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you’d like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check.”

Being a hostage of someone else’s research isn’t a very comfortable situation, especially when millions of mobile device users’ security could be at stake. But with mobile device vendors allocating bigger budgets to marketing than to security R&D, and not even raising awareness of basic threats, thereby contributing to insecure habits that will become the cornerstone for efficient exploitation of mobile devices in the very near future, perhaps this is the wake-up call they need to take seriously this time. Case in point - trivial security vulnerabilities in NFC mobile phones that could have been taken care of if usability had been balanced with security remain unpatched, some of them not even recognized as vulnerabilities yet.

The bottom line of this insecure-by-design mentality is an end user who pays more attention to the quality of the device’s camera and takes security for granted. However, once the trivial vulnerabilities are exploited at the moment the user is actively using mobile banking, he’d be the first to blame the vendor for the lack of security, forgetting that he accepted and got used to using an insecure device in the first place. So don’t take security for granted.

[Source: zdnet]

Measuring (not so) recent BIND nameserver patching

Guest editorial by Derek Callaway

This post is meant to provide an approximation of BIND nameserver updates that occurred during the past month, most likely in response to Dan Kaminsky’s DNS cache poisoning vulnerability. I conducted this research because I was curious as to how widely BIND nameserver updates have been deployed given that a month has passed since US-CERT first alerted the public about the nature of the vulnerability and availability of patches.

In an interview with Dark Reading at BlackHat Las Vegas 2008, Kaminsky estimated that between 60 and 70 percent of Fortune 500 companies have patched — but what about the rest of the Internet? Originally, I considered executing nameserver version query sweeps against only U.S. government networks, but I decided not to as I figured I would already be turning enough heads as it is.

[ SEE: Vulnerability disclosure gone awry: Understanding the DNS debacle ]

A number of assumptions have been made throughout this research:

  1. That the version number and patch level advertised by the nameserver is correct.
  2. That properly patched nameservers are not still vulnerable as a result of gateway device Port Address Translation.
  3. That the domain names retrieved from the Open Directory Project are served by a representative sample of BIND nameservers as a whole.

Therefore, the measurements provided should only be treated as what they are — rough estimates. To that end, I wrote a bash shell script that: downloads the content file from the Open Directory Project, parses out random domain names that have three character top-level domains, sends a version query to the nameserver(s) authoritative for each domain, compares the result of the query to BIND version numbers with and without the fix, continues this process until 1,000 unique domain names have been tested, and calculates statistics based on the results. Note that invalid version query responses such as timeouts and strings that do not adhere to BIND version numbering cause a domain to be discarded.

[ SEE: Attack code published for DNS flaw ]

Here’s what I found:

Approximate Measurement of (Not So) Recent BIND Nameserver Updating

First, let me define a few terms to describe my findings. Un-Patched means that the domain had at least one nameserver that was not patched to address the DNS cache poisoning vulnerability; therefore, in all likelihood it is vulnerable to CVE-2008-1447. In this research, Out-Dated means that the domain had at least one nameserver that hasn’t been updated for over a year so, in addition to CVE-2008-1447, it’s vulnerable to issues from previous CERT advisories. Dinosaur describes a domain with a nameserver that was last updated during or before the year 2002. Up-To-Date means that the domain is not vulnerable to any publicly known vulnerabilities, including Kaminsky’s bug from CVE-2008-1447, because all of the nameservers responsible for it have been recently updated.
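The script described above (query each authoritative nameserver for its version string, compare it against the fixed BIND releases, discard unparseable replies, then count per domain) and the definitions just given can be demonstrated without any network access. The following is an added example written for this digest, not Derek Callaway’s own script: it takes VERSION.BIND reply strings (here constructed sample values, not real survey data) and applies the Un-Patched / Up-To-Date / discarded rules. The fixed-release table is an assumption stated in the code (the first releases ISC shipped on each branch with the CVE-2008-1447 fix); the Out-Dated and Dinosaur categories are left out because they need a release-date table the post does not provide.

```python
"""Classify VERSION.BIND replies the way the post's shell script does.

Input strings are the TXT payload a CHAOS-class version.bind query returns;
here they are constructed sample values, not real survey data.
"""
import re
from collections import Counter

# Assumption (not from the post): the first BIND releases on each supported
# branch that carry the CVE-2008-1447 fix, as announced by ISC in July 2008.
FIXED_IN = {
    (9, 3): (9, 3, 5, 1, 0),
    (9, 4): (9, 4, 2, 1, 0),
    (9, 5): (9, 5, 0, 1, 0),
}
NEWEST_BRANCH = max(FIXED_IN)

# major.minor.patch, optional -P<n>[.<m>] patch level, optional BIND 8 "-REL".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+)(?:\.(\d+))?)?(?:-REL)?$")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel, psub), or None for strings that do
    not follow BIND numbering (timeouts, "unknown", custom banners)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, plevel, psub = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0), int(psub or 0))


def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version >= FIXED_IN[branch]
    # Branches newer than any in the table are assumed to ship with the fix;
    # older branches (BIND 8, 9.0 to 9.2) never received it.
    return branch > NEWEST_BRANCH


def classify_domain(replies):
    """Apply the post's rules across all nameservers of one domain: any
    unparseable reply discards the domain, any unpatched server makes it
    Un-Patched, otherwise it is Up-To-Date."""
    versions = [parse_bind_version(r) for r in replies]
    if any(v is None for v in versions):
        return "Discarded"
    if any(not is_patched(v) for v in versions):
        return "Un-Patched"
    return "Up-To-Date"


def summarize(survey):
    """survey: {domain: [version.bind reply per nameserver]} -> Counter."""
    return Counter(classify_domain(replies) for replies in survey.values())


# Constructed sample replies standing in for a real sweep.
SAMPLE_SURVEY = {
    "a.example": ["9.4.2-P1", "9.5.0-P2"],
    "b.example": ["9.3.4-P1", "9.4.2-P1"],
    "c.example": ["9.4.2-P1", ";; connection timed out"],
    "d.example": ["8.4.7-REL"],
    "e.example": ["9.3.5-P1"],
}

if __name__ == "__main__":
    for domain, replies in SAMPLE_SURVEY.items():
        print(f"{domain:12} {classify_domain(replies)}")
    print(dict(summarize(SAMPLE_SURVEY)))
```

The per-domain rule matters more than the parser: a domain counts as Up-To-Date only when every authoritative server is at or above the fixed release, which is why the post's 50 Up-To-Date domains is such a small number against 950 vulnerable ones. A defender checking their own zone should run the same logic over all NS records, not just the primary.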

As matters stand, according to the aforementioned definitions:

  • 950 domains were vulnerable
    • Un-Patched: 319
    • Out-Dated: 593
    • Dinosaurs: 38
  • 336 domains had a nameserver that performed recursive queries
    • Of these, 327 were vulnerable to cache poisoning
  • 69 domains had a nameserver that performed zone transfers
  • 50 domains were Up-To-Date

A previous test run yielded similar results so I feel that these numbers are a decent estimation. Again, the domains that were a part of this experiment only have nameservers that respond with the default VERSION.BIND string. Still, this is quite a patching deficiency when taking into account that this is a major security hole in the Internet infrastructure that received significant media attention and well over a month has passed since patches were released.

Here’s how I did it. Here’s the output from the shell script. Here is the output from all the executions of the tool by the shell script.

* Derek Callaway is a computer programmer and security analyst. When he’s not analyzing applications, system architecture, or penetration testing, his preferred areas of study are vulnerability research and security tool development. He is currently part of the development team for a dynamic binary analysis tool at Security Objectives.

[Source: zdnet]

The Last PHP 4

The PHP Group has shipped the last and final patch in the PHP 4.4 series.

The open-source group released PHP 4.4.9 with “security enhancements and fixes” and is making a strong plea for all users to upgrade as soon as possible.

“This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last PHP 4.4 release,” the Apache-backed group said.

Security enhancements and fixes in PHP 4.4.9:

  • Updated PCRE to version 7.7.
  • Fixed overflow in memnstr().
  • Fixed crash in imageloadfont when an invalid font is given.
  • Fixed open_basedir handling issue in the curl extension.
  • Fixed mbstring.func_overload set in .htaccess becomes global.

[ SEE: Flaw trifecta kicks off Month of PHP bugs ]

Despite the last-and-final warning, Stefan Esser — of Month of PHP Bugs fame — says the PHP 4.4 series will be around for a very long time.

“There are still millions of servers running PHP 4 that haven’t upgraded to the faster, more stable and more secure PHP 5 and most of them will continue to use it. So PHP 4 will still be around a while,” Esser said in a blog entry announcing plans to continue supporting PHP 4 with his Suhosin patch.

  • This means the current Suhosin-Patch 0.9.6 will be ported to PHP 4.4.9 and also the next release of Suhosin-Patch will still support recent PHP 4 versions. However at the end of 2008 I will also discontinue Suhosin-Patch for PHP 4 and new features to the Suhosin-Extension will only be implemented for PHP 5.
[Source: zdnet]

L0pht hacker stars in Discovery Channel TV show

L0pht hacker hits prime time

L0pht hacker Kingpin is getting ready for prime time.

Joe Grand, who used the Kingpin handle in his time as a member of the Boston hacker crew, will co-host Prototype This!, a new Discovery Channel television show centered around the conceptualizing, designing and creating prototypes of robots, gadgets and other machines.

C|Net News.com’s Daniel Terdiman has an excellent write-up on the new show, which debuts its 13-episode first season on October 15.

In the article, Grand/Kingpin is introduced as the team’s electrical engineer and self-styled “hardware hacker.”

Anyone familiar with the awesome Defcon badges designed by Kingpin will want to catch his work on this show. I’m certainly looking forward to it.

* Photo credit: Daniel Terdiman, C|Net News.com.

[Source: zdnet]