aka infosec
This month’s ‘Ouch!’ newsletter (PDF) from SANS explains social engineering – the process by which nefarious persons obtain private information by non-technical means.
A must-read for anyone unclear on the concept of social engineering, this issue also provides tips for recognizing this behaviour.
Next Tuesday Microsoft plans to publish 16 Security Bulletins, five of which are flagged as Critical. The updates affect Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
One of the more popular WordPress e-commerce plugins is WP eCommerce.
Recently, security researchers discovered a vulnerability that could allow attackers to obtain private data from WordPress sites that use the plugin.
The plugin’s developers released a new version that fixes the vulnerability. Anyone who manages a WordPress site that uses this plugin should install the new version (3.8.14.4) immediately.
The folks over at Duo Security recently posted a fun infographic about some of the more common network-based attacks. It’s presented in a comic book format, but it includes some useful descriptions of actual events from the past year or so. Highly recommended.
Drupal is a Content Management System, similar to WordPress and Joomla. On October 15th, a very dangerous vulnerability in Drupal was announced. Within hours, exploits attacking this vulnerability started to appear on the web.
Yesterday, a special follow-up Public Service Announcement was posted on the Drupal web site. From the Drupal PSA:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. Simply updating to Drupal 7.32 will not remove backdoors.
Anyone who runs a Drupal site should deal with this issue immediately.
The troubled Universal Plug and Play protocol has a new problem: malicious hackers are increasingly using it as the basis for Distributed Denial of Service attacks.
UPnP is a set of protocols – intended to be used with home networks – that simplifies the process of making connections between network-enabled devices. Unfortunately, misconfigured devices often make UPnP devices visible on the Internet, allowing easy access for intruders.
Now, according to Internet content caching service provider Akamai, those exposed UPnP devices are being used for DDoS attacks. Specially-crafted requests are sent to such devices, so that replies from those UPnP devices are sent to the DDoS target, flooding it with traffic.
If you think you may have UPnP devices that are exposed to the Internet, or just want to make sure you don’t, head over to Steve Gibson’s ShieldsUp site. Click the Proceed button, then on the next page, click the big button labeled GRC’s Instant UPnP Exposure Test. After a moment or two, your results will be shown.
According to Microsoft, all versions of Windows except Windows Server 2003 are vulnerable to attacks based on a bug in OLE (Object Linking and Embedding).
Attacks exploiting this vulnerability would take the form of a specially-crafted PowerPoint document.
Microsoft has released a Fix It solution that can be used to close this hole until a proper patch is released. If you commonly receive PowerPoint documents from unknown sources, you are strongly encouraged to apply this fix or refrain from opening those documents.
References:
SSL3 is one of the ways web sites encrypt data. It has theoretically been superseded by TLS, but in fact is still widely used.
Now researchers at Google have demonstrated that SSL3 encryption can be made to reveal supposedly secure information. The name they’ve given to the new attack is POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption. In any case, this technique has been verified, and now the race is on to mitigate the vulnerability of browsers and web servers worldwide. If you run a web server, and it supports SSL3, you should disable SSL3 as soon as possible.
A post on Microsoft’s MSRC security blog provides a brief overview of the problem from their perspective and points to security advisory 3009008. The advisory provides instructions for disabling SSL3 in Internet Explorer.
Anyone still using Internet Explorer 6 (why?) is going to have difficulty accessing secure web sites from this point forward, because IE6 requires SSL3 for secure web browsing, and web servers are now busily having SSL3 disabled.
More information:
Update 2014Dec11: A new variant of the POODLE attack targets TLS and apparently affects up to 10% of the world’s servers. Brian Krebs has more.
Update 2015Jan12: One of the SANS handlers posted a followup that looks in detail at assessing the actual risk of a POODLE attack. It turns out that the risk is actually fairly low.
It looked briefly like Dropbox might have been hacked. But it really wasn’t.
Someone posted a big list of credentials on a sharing site. The credentials were likely obtained from various sources, but definitely not from Dropbox. Unfortunately, many people still re-use passwords for different services, and some of the credentials worked on Dropbox.
The release of Firefox 33 snuck past my radar on October 13. In my conversations with Mozilla workers, it was explained to me that only major releases would be announced. But there was no announcement for Firefox 33. Clearly I need to keep bugging them about this. At least the release notes have improved.
The version number would seem to indicate that there are a lot of changes in this new version, and the release notes do list several new features. But none of those features are likely to be of much interest to regular users, aside from some improvements to searching.
Firefox 33 does include at least nine security fixes, as outlined on the Known Vulnerabilities (aka Security Advisories) page.
boot13