Google Patches 6 Serious Chrome Bugs

And adds more entries to Chrome’s SSL certificate blacklist as Comodo break-in makes news
By Gregg Keizer | March 25, 2011 12:06 PM ET

Computerworld – Google on Thursday patched six vulnerabilities in Chrome, and as usual, silently updated users’ copies of the browser.

The update to Chrome 10.0.648.204 also included two more entries to the browser’s blacklist, a move related to last week’s theft of nine digital certificates from a Comodo reseller.

All six bugs were rated “high,” Google’s second-most-serious ranking in its threat scoring system. Of the half-dozen bugs, two were “use after free” flaws — a type of memory management bug that can be exploited to inject attack code — while a second pair were pegged by Google as “stale pointer” vulnerabilities, another kind of memory allocation flaw.

As is Google’s practice, the company locked down its bug-tracking database, blocking access to the technical details of the patched vulnerabilities. Google usually unlocks the bug entries several weeks, sometimes months later, to give users time to update before the information goes public.

Full story here: Google patches 6 serious Chrome bugs

Research: Robert Cazares
Source: www.computerworld.com/s/article/9215070/Google_patches_6_serious_Chrome_bugs?taxonomyId=85

Russian security team to upgrade SCADA exploit tool

By Jeremy Kirk | March 25, 2011 10:28 AM ET

IDG News Service – A Russian security company plans to release an upgraded exploit pack for industrial control software that incorporates a raft of new vulnerabilities released by an Italian security researcher.

The three-person company, called Gleg, is based in Moscow and specializes in vulnerability research. It recently began focusing on problems within SCADA (supervisory control and data acquisition) systems, which are used in factories, utilities and many other kinds of industrial applications, said Yuriy Gurkin, Gleg’s CEO.

Gleg works with Immunity, a Miami company that sells Canvas, a framework that lets penetration testers try out the latest exploits against software vulnerabilities, along the same lines as the Metasploit tool.

Full story here: Russian security team to upgrade SCADA exploit tool

Research: Robert Cazares
Source: www.computerworld.com/s/article/9215064/Russian_security_team_to_upgrade_SCADA_exploit_tool?taxonomyId=82

Mozilla regrets keeping quiet on SSL certificate theft

‘We should have informed Web users,’ says Firefox maker of Comodo hack
By Gregg Keizer | March 25, 2011 03:27 PM ET

Computerworld – Mozilla today said that it regretted staying silent when it found out last week that hackers had stolen digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft, Yahoo and its own add-on site.

On March 15, attackers used a valid username and password to obtain nine SSL certificates — which essentially prove that a site is what it says it is — from a Comodo certificate reseller. The certificates were for six Web sites, including the log-on sites for Microsoft’s Hotmail, Google’s Gmail, the Internet phone and chat service Skype, and Yahoo Mail. A certificate for Mozilla’s Firefox add-on site was also acquired.

Comodo disclosed the breach of its reseller and the theft of the SSL certificates on March 23. Between March 15, when Comodo realized its reseller had been hacked, and March 23, the company revoked the certificates and contacted browser makers Mozilla, Google and Microsoft.

Although Google patched Chrome on March 17, Mozilla and Microsoft issued updates to Firefox and Windows on March 22 and March 23, respectively. Those patches added the stolen certificates to the browsers’ blacklists as a fallback defense in case users reached fake sites secured with the certificates.
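The Chrome update described earlier and the Firefox and Windows patches described here all did the same thing: they shipped an explicit distrust list so that a stolen but otherwise well-formed certificate is refused even when the client cannot reach a CRL or OCSP responder. The following is an added example written for this digest, not code from Chrome, Firefox or Comodo. It models how such a list is consulted before the ordinary trust decision; the certificate fields, issuer name, serial numbers and DER bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    # Minimal stand-in for a parsed X.509 certificate. The fields are
    # constructed for this example; a real client reads them from the DER.
    subject: str
    issuer: str
    serial: int
    der: bytes


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual key for an explicit block entry."""
    return hashlib.sha256(der).hexdigest()


class CertBlacklist:
    """Explicit distrust list consulted before ordinary chain validation.

    Entries can be keyed by fingerprint (when the vendor holds the full
    certificate) or by (issuer, serial) (when it only has the CA's revocation
    notice). Either match is enough to reject the certificate.
    """

    def __init__(self) -> None:
        self._fingerprints: set[str] = set()
        self._issuer_serials: set[tuple[str, int]] = set()

    def add_fingerprint(self, hex_digest: str) -> None:
        self._fingerprints.add(hex_digest.lower())

    def add_issuer_serial(self, issuer: str, serial: int) -> None:
        self._issuer_serials.add((issuer, serial))

    def is_blocked(self, cert: Cert) -> bool:
        return (fingerprint(cert.der) in self._fingerprints
                or (cert.issuer, cert.serial) in self._issuer_serials)


def accept_certificate(cert: Cert, blacklist: CertBlacklist, chain_valid: bool):
    """Trust decision for a presented leaf certificate.

    chain_valid stands in for normal path validation (signature, expiry,
    trusted root). The blacklist is checked first so that a stolen certificate
    is refused even when the chain checks out and no CRL or OCSP answer has
    been fetched yet.
    """
    if blacklist.is_blocked(cert):
        return False, "certificate explicitly distrusted"
    if not chain_valid:
        return False, "chain validation failed"
    return True, "ok"


# Constructed sample data: placeholder issuer, serials and DER bytes,
# not the real Comodo certificates.
RESELLER_CA = "CN=Example Reseller CA (placeholder)"
STOLEN_CERT = Cert("login.example.test", RESELLER_CA, 0x1001, b"der-bytes-stolen")
LEGIT_CERT = Cert("login.example.test", RESELLER_CA, 0x2002, b"der-bytes-legit")

BLACKLIST = CertBlacklist()
# Entry pushed by a browser update; the CA's notice gave issuer and serial only.
BLACKLIST.add_issuer_serial(RESELLER_CA, 0x1001)


def demo() -> dict:
    """Both certificates chain to a trusted root; only the blocked one is refused."""
    return {
        "stolen": accept_certificate(STOLEN_CERT, BLACKLIST, chain_valid=True),
        "legit": accept_certificate(LEGIT_CERT, BLACKLIST, chain_valid=True),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

The point of checking the block list before path validation is that it does not depend on network reachability or on the CA having published a fresh CRL: a client that is being actively intercepted may never reach the revocation endpoint, which is exactly the situation the browser vendors were defending against.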

Full story here: Mozilla regrets keeping quiet on SSL certificate theft

Research: Robert Cazares
Source: www.computerworld.com/s/article/9215077/Mozilla_regrets_keeping_quiet_on_SSL_certificate_theft?taxonomyId=17

RSA won’t talk? Assume SecurID is broken

No news is bad news for two-factor logins
By Dan Goodin in San Francisco | 24th March 2011 20:25 GMT

Comment: It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token’s serial number to its seed leaked?
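The two questions above matter because a one-time-password token is a deterministic function of its seed and the current time slot, so whoever holds the seed table and the serial-to-seed mapping holds everything the token holds. The following is an added example for this digest; it uses the public RFC 4226/6238 HMAC-SHA1 construction as a generic model, not RSA's proprietary SecurID algorithm (which the article does not describe), and the serial numbers and seeds are constructed placeholders. It shows what a server does with the seed table and why re-keying is the only remedy once that table must be presumed exposed.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed steps.
    The article's 60-second window is used as the default step."""
    return hotp(seed, unix_time // step, digits)


# Constructed server-side record (placeholder serials and seeds, not real data).
# This table, mapping token serial number to seed, is the secret the article
# is asking RSA about: with it, no token hardware is needed to produce codes.
SEED_BY_SERIAL = {
    "000123456789": b"example-seed-A-not-real",
    "000987654321": b"example-seed-B-not-real",
}


def server_verify(serial: str, submitted: str, now: int,
                  step: int = 60, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    seed = SEED_BY_SERIAL.get(serial)
    if seed is None:
        return False
    for drift in range(-window, window + 1):
        candidate = totp(seed, now + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def reseed(serial: str, new_seed: bytes) -> None:
    """Re-key a token: the remedy when the seed table is assumed compromised."""
    SEED_BY_SERIAL[serial] = new_seed


def leak_then_reseed(serial: str, now: int, new_seed: bytes) -> tuple:
    """Why the seed table is the whole secret.

    A copy of the table taken before re-keying reproduces the token's output
    exactly and the server accepts it; after the token is re-seeded, codes
    derived from the old copy no longer verify.
    """
    old_copy = SEED_BY_SERIAL[serial]          # contents of an exposed table
    code_from_old_copy = totp(old_copy, now)
    accepted_before = server_verify(serial, code_from_old_copy, now)
    reseed(serial, new_seed)
    accepted_after = server_verify(serial, code_from_old_copy, now)
    return accepted_before, accepted_after


if __name__ == "__main__":
    print(leak_then_reseed("000123456789", 1_300_000_000, b"fresh-seed-placeholder"))
```

Two design points carry over to any OTP deployment: codes are compared with a constant-time function, and the verification window is kept small, because every extra step of tolerance widens the set of codes that will be accepted. Neither helps once the seed itself is known, which is why the unanswered questions in the article are the ones that decide whether SecurID customers need to re-key their fleets.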

Full story here: RSA won’t talk? Assume SecurID is broken

Research: Robert Cazares
Source: www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/

ZeuS cybercrime cookbook on sale in underground forums

Lets non-coders produce trojans, other burglar tools
By John Leyden | 23rd March 2011 16:32 GMT

Cybercrooks are offering what purports to be source code for the infamous ZeuS cybercrime toolkit through underground forums.

The would-be seller, nicknamed IOO, has lent credibility to the offer by including screenshots of what appears to be portions of the source code for ZeuS to his sales pitch. IOO offers to discuss the sale to prospective buyers via either Jabber or ICQ. He is prepared to accept payment via any escrow service.

The screenshots make reference to peinfector.cpp, a project of ZeuS known as “Murofet”. Security researchers – while unable to verify the sale is genuine – are taking the potential offer seriously.

“Prior to this there were several rumors that the Zeus/Zbot code was sold to the creator of SpyEye,” writes Peter Kruse, an eCrime specialist who works for Danish security consultancy CSIS Security.

“This is also currently unconfirmed – however what is certain is the fact that someone besides the author of the ZeuS/Zbot has access to the code.”

Full story here: ZeuS cybercrime cookbook on sale in underground forums

Research: Robert Cazares
Source: www.theregister.co.uk/2011/03/23/zeus_source_code_sale/

Google, Yahoo, Skype targeted in attack linked to Iran

By: Elinor Mills and Declan McCullagh | March 23, 2011 12:40 PM PDT

A malicious attacker that appears to be the Iranian government managed to obtain supposedly secure digital certificates that can be used to impersonate Google, Yahoo, Skype, and other major Web sites, the security company affected by the breach said today.

Comodo, a Jersey City, N.J.-based firm that issues digital certificates, said the nine certificates that were fraudulently obtained, including one for Microsoft’s Live.com, have already been revoked. A fraudulent certificate allows someone to impersonate the secure versions of those Web sites – the ones that are used when encrypted connections are enabled – in some circumstances.

The Internet Protocol addresses used in the attack are in Tehran, Iran, said Comodo, which believes that because of the focus and speed of the attack, it was “state-driven.” Spoofing those Web sites would allow the Iranian government to use what’s known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities its citizens performed, even if the connections were protected with SSL (Secure Sockets Layer) encryption.

The attacker tested the certificate for “login.yahoo.com,” but because it had been revoked, most browsers attempting to communicate with the site would see that it was not a trusted site, Comodo Chief Executive Melih Abdulhayoglu told CNET.

Full story here: Google, Yahoo, Skype targeted in attack linked to Iran

Research: Robert Cazares
Source: news.cnet.com/8301-31921_3-20046340-281.html

Harnig Botnet Abandoned After Rustock Takedown

March 23rd, 2011, 12:51 GMT | By Lucian Constantin

A large botnet acting as a distribution platform for Rustock and other malware seems to have been abandoned by its creators in an attempt to erase their tracks.

Dubbed Harnig, the botnet has been part of Rustock’s propagation scheme for around two years. This means the bot client might exist on many of the one million Rustock-infected computers.

The Rustock botnet, one of the world’s primary sources of email spam, was taken down in a coordinated effort that saw the participation of Microsoft’s Digital Crimes Unit (DCU) and the U.S. Marshals Service.

Authorities seized hard drives from hosting providers in seven U.S. cities, which were providing resources for the Rustock operation.

Soon after the takedown action, all Harnig command and control (C&C) servers were wiped out by the botnet’s masters in a surprising move.

“I must say that this was quite surprising for me,” says Atif Mushtaq, a security research engineer at security vendor FireEye.

“Apparently there was no immediate danger to the Harnig botnet. No one was really going after it but it looks like the Harnig and Rustock operators must have been very close to each other such that a hit on Rustock panicked the Harnig bot herders and they felt that they better go underground for a while,” he adds.

Full story here: Harnig Botnet Abandoned After Rustock Takedown

Research: Robert Cazares
Source: news.softpedia.com/news/Harnig-Botnet-Abandoned-After-Rustock-Takedown-191057.shtml

SCADA vulnerabilities prompt U.S. government warning

By Jeremy Kirk | March 23, 2011 11:51 AM ET

IDG News Service – Software vulnerabilities found in a variety of industrial control systems have prompted vendors to begin developing patches, following a warning by the U.S. government’s Computer Emergency Readiness Team (CERT).

The security problems were found in SCADA (supervisory control and data acquisition) systems made by Siemens, Iconics, 7-Technologies and Datac by researcher Luigi Auriemma, whose findings appeared on his website and the vulnerability site Bugtraq.

The U.S. CERT’s Industrial Control Systems Cyber Emergency Response Team issued four alerts on Monday regarding Auriemma’s findings.

All of the products have remotely exploitable vulnerabilities, the most dangerous kind. If the systems are connected to the Internet, hackers could find ways to exploit them from afar and get inside the systems to steal or manipulate data.

The systems affected include Siemens’ Tecnomatix FactoryLink, which is used in the food, pharmaceutical and metals industries, among many others. Siemens said in 2007 that it would pull FactoryLink from the market in October 2012 and help customers migrate to its WinCC product. According to material published by Siemens in 2008, more than 80,000 FactoryLink systems have been installed worldwide.

Full story here: SCADA vulnerabilities prompt U.S. government warning

Research: Robert Cazares
Source: www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S._government_warning

Hackers make off with TripAdvisor’s membership list

By John Leyden | 24th March 2011 14:35 GMT

Travel site TripAdvisor has warned subscribers to expect more spam following the theft of its member database.

The travel review and information website said that an unspecified vulnerability allowed miscreants to make off with a portion of its email database. TripAdvisor does not collect members’ credit card or financial information, and no passwords were obtained as a result of the breach.

TripAdvisor has promised to tighten up its security in the wake of the incident, which is under investigation internally. The US-based website, which serves an international client base, has also reported the matter to police.

Full story here: Hackers make off with TripAdvisor’s membership list

Research: Robert Cazares
Source: www.theregister.co.uk/2011/03/24/tripadvisor_email_database_breach/

City issues RFP for public access TV provider

The City of Seattle is seeking proposals from qualified organizations to operate the City of Seattle’s Public Access Cable Television Channel and to provide related community digital media production services.

Please see the Request for Proposals (RFP) posted at http://www.seattle.gov/doit/vendor.htm. The deadline to submit a proposal is April 15, 2011, at 4 p.m. PDT.