Worth peeking at your VPN Configs: US-CERT Vulnerability Note VU#261869

This was getting some discussion on teh twitter today, but the list of affected VPN vendors was substantial enough that you might want to peek at your own configs. The hyperbole might not yet be warranted, but it’s worth a look under your hood.

The description of the vulnerability implies that some VPN vendors’ default settings might make attacks more viable. Taken from US-CERT Vulnerability Note VU#261869:

Vulnerability Note VU#261869

Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Later in the bulletin, a mention of the potential exploit method:

By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

There’s a broad variety of affected software- and appliance-based VPNs in the CERT list; it’s certainly worth a call to your vendor to be certain you’re using the safest possible configs for your VPN’s environment. Read the full bulletin here.

FCW: DHS could hire 1,000 more cybersecurity professionals

The Homeland Security Department will hire up to 1,000 additional people to work in cybersecurity jobs over the next three years, senior DHS officials announced today.

The new employees will be scattered across DHS agencies, and will work in areas such as cyber risk and strategic analysis, cyber incident response, vulnerability detection and assessment, intelligence and investigation and network and systems engineering, DHS said. The hiring authority comes from a joint effort between DHS, the Office of Personnel Management and the Office of Management and Budget, according to the department.

Homeland Security Secretary Janet Napolitano announced the program in Washington at an event hosted by the National Cyber Security Alliance. Philip Reitinger, deputy undersecretary of DHS’ National Protection and Programs Directorate (NPPD) that includes the National Cybersecurity Division (NCSD), joined Napolitano at the event.

DHS is in charge of protecting the federal government’s civilian computer networks and leads efforts to work with industry to enhance cybersecurity.

“This authority will assist us in recruiting the best people in the world to come work for us over the next few years as cyber analysts, developers and engineers,” Napolitano said. “So look out – we’re coming.”

[More, via Federal Computer Week]

New Malware Re-Writes Online Bank Statements to Cover Fraud

Pretty unnerving trick, if this is efficient. I wonder if this will prompt banks to render balance amounts via Captcha-type technology to circumvent this, even though the flaw is client-side. It will be interesting to watch how prevalent this sort of exploit becomes.

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” Ben-Itzhak says. “It’s a very sophisticated technique.”

Read on, via Threat Level

OpenDNS begins commercial service offering

One of the first cloud-based secure DNS services was launched today amid intensified concerns about locking down vulnerable Domain Name Service servers.

OpenDNS, which provides a free DNS service for consumers and schools, is offering a subscription-based commercial service for enterprises. Other vendors, such as Nominum, are considering offering secure DNS cloud services, as well.

DNS security has received more attention than ever in the wake of the discovery of a major DNS hole that was revealed by researcher Dan Kaminsky, and was later patched by several vendors. The so-called cache-poisoning flaw could allow an attacker to guess the transaction ID of a Web query and let the attacker hijack queries. Meanwhile, the Internet community has stepped up efforts to adopt the DNSSEC standard for protecting the DNS translation process from being compromised.

[More via DarkReading]
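For readers who want the arithmetic behind the cache-poisoning item above: a forged DNS reply is only accepted if it matches the fields the resolver randomised, and before the coordinated 2008 patches most resolvers randomised only the 16-bit transaction ID; the patches added a randomised UDP source port, so a forgery must now match roughly 32 bits of unpredictable state. This added example (not from the DarkReading article) quantifies what that extra entropy buys the defender: how the probability that a burst of random guesses matches before the genuine answer arrives falls as the guess space grows. All numbers are computed from the bit widths; nothing here is resolver-specific.

```python
import math


def guess_space(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Number of equally likely (TXID, source port) combinations a forged reply
    must match. port_bits=0 models a resolver using a fixed source port."""
    return 2 ** (txid_bits + port_bits)


def forgery_success_probability(attempts: int, space: int) -> float:
    """Probability that at least one of `attempts` independent random guesses
    matches the resolver's outstanding query within the race window."""
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def attempts_for_confidence(p: float, space: int) -> int:
    """Smallest number of guesses that reaches success probability p.
    Solves 1 - (1 - 1/space)^n >= p for n."""
    return math.ceil(math.log(1.0 - p) / math.log(1.0 - 1.0 / space))


def mitigation_factor(p: float, weak_space: int, strong_space: int) -> float:
    """How many times more guesses the stronger randomisation demands for the
    same success probability; this is the defender's yardstick for the patch."""
    return attempts_for_confidence(p, strong_space) / attempts_for_confidence(p, weak_space)


if __name__ == "__main__":
    txid_only = guess_space(16)             # 65,536 possibilities
    txid_and_port = guess_space(16, 16)     # about 4.3 billion (idealised 16-bit port range)
    for label, space in (("TXID only", txid_only), ("TXID + source port", txid_and_port)):
        print(f"{label:20s} space={space:>12,} "
              f"P(match | 1 guess)={forgery_success_probability(1, space):.2e} "
              f"guesses for 50%={attempts_for_confidence(0.5, space):,}")
    print("mitigation factor at 50%:", round(mitigation_factor(0.5, txid_only, txid_and_port)))
```

The factor printed at the end is on the order of 65,000: the same race that was winnable with tens of thousands of packets needs billions once the source port is randomised too, which is why the patch was treated as urgent and why DNSSEC, which validates the answer rather than hiding the identifiers, is the longer-term fix the article alludes to. Note the idealisation: real resolvers draw ports from a smaller ephemeral range, so the effective port entropy is somewhat below 16 bits.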

NewsLink: Network Solutions Breach Revives PCI Debate

Does qualifying as “compliant” somehow have the collateral effect of relaxing vigilance? (“We’re PCI Compliant and we’ve spent a lot of money becoming compliant; we can stop worrying now!”)

I don’t work in this particular sector so I can’t comment much, but with the amount of money that gets spent on compliance I can’t imagine anyone’s too thrilled about seeing their organization meet the PCI standard, but then fail in security practice elsewhere, resulting in a breach.

The recent data breach at Internet domain administrator and host Network Solutions compromised more than 573,000 credit and debit cardholders and begs the question: What more can be done to secure such systems?

The incident also raises new questions about the Payment Card Industry Data Security Standard PCI. At the time of the breach, discovered in June, Network Solutions says it was PCI compliant. The breach was the result of hackers planting rogue code on the company’s web servers, intercepting financial transactions between the sites and their customers, which are mostly small online stores.

So, if Network Solutions was PCI compliant, how could it be breached? Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren’t restricted to a rigidly-defined set of methods. “As a result, clever attackers will always find holes,” he says. “PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk — not stop all attacks.” Changes that would increase the burden on merchants could raise the bar further, Kocher notes, “although it’s not clear how much impact this will have on actual fraud rates.”

At this point, he sees no sign that security standards are anywhere near close to putting fraudsters out of business, and forcing them to work a bit harder doesn’t necessarily mean they’ll actually steal less. Kocher sees the most effective anti-fraud step the U.S. card industry could take would be to make a real effort to adopt smart cards. The secrets needed to copy stay in the chip, and terminals for card-present transactions simply do not have access to the secrets.

[More on this article at Bank Info Security.]

Three Charged with International Bank Trojan Scheme

Two U.S. men and a Russian face conspiracy and bank fraud charges for allegedly running a successful scheme to compromise online banking and brokerage accounts and help themselves to the cash.

In a 15-month-long caper that ended in December of last year, prosecutors say Alexander Bobnev, of Volgograd, worked with others in Russia to infect U.S. consumers with Trojan horses that let the gang swipe the victims’ login credentials.

Bobnev then initiated wire transfers from the hacked bank accounts — and liquidated stocks from compromised brokerage accounts — and channeled the money to “drop” accounts in the U.S., according to federal indictments (.pdf) filed last week in Manhattan.

Opening the drop accounts and pulling out the cash was allegedly the job of Aleksey Volynskiy, of Manhattan, and Alexey Mineev from Hampton, New Hampshire, who got to keep a portion of the loot for their efforts, according (.pdf) to the government.

The scheme unraveled when the feds cultivated an informant in the scheme in Poughkeepsie, New York. In June of last year, the informant gave the gang the routing number for a new drop account to send stolen funds into — in actuality, the account was under law enforcement’s control, and the feds watched as it received transfers of $15,400 and $4,700 from two hacked Charles Schwab trading accounts.

The informant then met with Volynskiy in Manhattan to give him half of the $4,700, according to the indictments.

[via Threat Level from Wired]

Monitoring of potential issues at the polls on Election Day

San Francisco – Reporters, bloggers, and voters across the country can monitor problems at the polls on Election Day on OurVoteLive.org, a project built and hosted by the Electronic Frontier Foundation (EFF) on behalf of Election Protection, the nation’s largest nonpartisan voter protection coalition, and its toll-free voter-assistance hotline, 866-OUR-VOTE.

OurVoteLive.org collects and analyzes reports from calls to the 866-OUR-VOTE hotline, which is staffed by hundreds of volunteers across the country. Tested during the presidential primaries, the site is already documenting over a thousand examples per day of voters needing information or reporting problems such as registration and identification issues, difficulties with voting machines, and polling place accessibility issues. Over 200,000 calls are expected to come into the hotline and be documented on OurVoteLive.org through Election Day.

[via EFF.org / OurVoteLive.org]