[ISN] Critical Linux vulnerability imperils users, even after “silent” fix

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

By Dan Goodin
Ars Technica
May 15 2013

For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered “root” access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.

The severity of the bug, which resides in the Linux kernel’s “perf,” or performance counters subsystem, didn’t become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.

“Because there’s a public exploit already available, an attacker would simply need to download and run this exploit on a target machine,” Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. “The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly.”

The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.

[…]

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
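The article gives administrators two facts to act on: the affected kernel range (2.6.37 through 3.8.8) and the build option that has to be present (CONFIG_PERF_EVENTS). The script below is an added example, not code from the Ars Technica article or from the kernel project, that turns those two facts into an "am I exposed?" check a defender can run on a host. It assumes the range is inclusive at both ends, that the option appears in the kernel config file as the line CONFIG_PERF_EVENTS=y, and that the config file lives at a path such as /boot/config-$(uname -r); the sample config files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: defensive exposure check for the perf_events kernel bug
# described in the article. Not the article's or the kernel's own code.
# Assumptions (labelled here, not stated by the article): the affected range
# 2.6.37..3.8.8 is inclusive, and the build option shows up in the kernel
# config file as the exact line "CONFIG_PERF_EVENTS=y".

# version_key VERSION -> prints a sortable integer key, e.g. 3.8.8 -> 3008008.
# Any distro suffix ("-generic", "-4-amd64") is stripped before the comparison.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# kernel_in_affected_range VERSION -> true (0) when 2.6.37 <= VERSION <= 3.8.8
kernel_in_affected_range() {
    k=$(version_key "$1")
    lo=$(version_key 2.6.37)
    hi=$(version_key 3.8.8)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# perf_events_enabled CONFIG_FILE -> true (0) when the file sets CONFIG_PERF_EVENTS=y
perf_events_enabled() {
    grep -q '^CONFIG_PERF_EVENTS=y$' "$1"
}

# affected VERSION CONFIG_FILE -> prints a verdict; true (0) only when both
# conditions from the article hold (version in range AND option built in).
affected() {
    if kernel_in_affected_range "$1" && perf_events_enabled "$2"; then
        echo "AFFECTED: kernel $1 is within 2.6.37..3.8.8 and CONFIG_PERF_EVENTS=y"
        return 0
    fi
    echo "not flagged by this check: kernel $1 (config: $2)"
    return 1
}

# Constructed sample config files (not real host files) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'CONFIG_PERF_EVENTS=y\nCONFIG_SMP=y\n' > "$SAMPLE_DIR/config-perf-on"
printf '# CONFIG_PERF_EVENTS is not set\nCONFIG_SMP=y\n' > "$SAMPLE_DIR/config-perf-off"

# Demonstration runs; "|| true" keeps the script going under "set -e".
affected 3.8.8-generic "$SAMPLE_DIR/config-perf-on"  || true   # AFFECTED (top of range)
affected 2.6.37        "$SAMPLE_DIR/config-perf-on"  || true   # AFFECTED (bottom of range)
affected 3.8.9         "$SAMPLE_DIR/config-perf-on"  || true   # not flagged: above range
affected 2.6.36        "$SAMPLE_DIR/config-perf-on"  || true   # not flagged: below range
affected 3.2.0-4-amd64 "$SAMPLE_DIR/config-perf-off" || true   # not flagged: option off

# On a real host you would run:  affected "$(uname -r)" "/boot/config-$(uname -r)"
```

The version comparison is the part worth getting right: a plain string compare would put 2.6.37 after 3.8.8, so each component is padded into a single integer key. A "not flagged" result means only that neither of the two stated conditions was detected on the host; distributions that backport fixes without changing the version number are outside what this check can see.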

[ISN] Detangling the $45 Million Cyberheist

http://www.bankinfosecurity.com/detangling-45-million-cyberheist-a-5759

By Tracy Kitten
Bank Info Security
May 15, 2013

In the aftermath of the recent news about an international $45 million cyberheist and ATM cash-out scheme, experts say pinpointing the source of such a massive breach can prove to be extremely difficult. That’s because so many different entities are now involved in the global payments chain.

“There are so many parties in the payments chain that it is very difficult to assign blame in these types of breaches,” says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc., who blogged about the attack. “There can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.”

News reports this week named two payments processors that had their networks hacked, leading to the card data compromises in the $45 million cyberheist. But one is claiming it had no data intercepted, and the other has yet to make a statement.

Al Pascual, senior security, risk and fraud analyst for Javelin Strategy & Research, says card data could have been obtained through any number of channels. “Couldn’t these criminals just buy the cards legitimately and then breach the processor to alter the limits?” he asks. “Seems easier to me. Obtaining card data is less challenging for criminals than gaining access to a processor and altering their internal controls, though.”

[…]

[ISN] New Algorithm Lets SCADA Devices Detect, Deflect Attacks

http://www.darkreading.com/attacks-breaches/new-algorithm-lets-scada-devices-detect/240154875

By Kelly Jackson Higgins
Dark Reading
May 14, 2013

Researchers have built a prototype that lets SCADA devices police one another in order to catch and cut off a fellow power plant or factory floor device that has been compromised.

The so-called secure distributed control methodology outfits SCADA systems, such as robots or PLCs, with embedded software that uses a specially created algorithm to detect devices behaving badly. The software, which was developed by researchers at NC State University with funding from the National Science Foundation, detects and then isolates a neighboring device that has been compromised. It uses a reputation manager for the devices, so that if one robot or PLC starts doing something it’s not supposed to do — or exceeds a certain threshold such as improperly accelerating or slowing its speed — fellow robots or other devices detect the uncharacteristic behavior, sound an alarm, and cut it off from their operations to minimize or stop any damage.

This peer-level SCADA security would augment existing and emerging SCADA security products and features, the researchers say. The algorithm could be added into existing software in control systems, with some minor coding modifications, according to the researchers.

[…]

[ISN] IT powerhouse nurtures elite white hackers

http://english.donga.com/srv/service.php3?bicode=020000&biid=2013051579958

The Dong-A Ilbo
MAY 15, 2013

“The country will directly foster the most elite white hackers (hackers with well-intentioned purpose).” So said Yoo Jun-sang, head of Korea Information Technology Research Institute, at an interview with the Dong-A Ilbo Tuesday. At the institute’s education center in southern Seoul, he said, “Korea is an IT powerhouse, but it lacks manpower and infrastructure in information security,” adding, “At a time when data security is important, nurturing white hackers is a way to develop creative economy.”

Yoo was accepted for the second term as the institute’s head at the provisional board meeting Tuesday. His success in leading information, security, and personnel project after being inaugurated as the 9th head in September 2010 was well acknowledged.

The biggest achievement Yoo made after he took office was the next-generation leader fostering program, dubbed “Best of Best.” As the government institution directly fosters elite security manpower, the program is an unprecedented model both domestically and externally. The program began education last year and selected 60 talented security workers with a 4 to 1 competition rate. “The average age of the selected people is 21. They are young and have ample potential,” Yoo said. “As forces program, our goal is to foster them into top 1 percent white hackers.

[…]

[ISN] Spreading the word about cybersecurity

http://fcw.com/articles/2013/05/15/cybersecurity-evangelism.aspx

By Amber Corrin
FCW.com
May 15, 2013

Say you’re a beef inspector. Or a firefighter. Or a doctor treating critically ill patients. Do you think much about cybersecurity? Is it integrated into your daily work routine? The answer probably is no — but federal officials are hoping to change that.

Cybersecurity already ranks as a top priority at agencies such as the Defense Department, Homeland Security department or in the intelligence community. Increasingly, cyber awareness is spreading throughout the government, but those in charge of implementing IT security into daily operations are finding it is difficult to catch up with threats, let alone get ahead of the curve.

Often, these types of responsibilities fall into the hands of the chief information security officer, or CISO. That’s usually the person saying, no, you cannot use your personal iPhone on federal networks, or no, you should not plug that jump drive you just found into your work computer. The CISO also must find ways to keep agencies safe from cyber threats.

“We don’t have a big stick. People assume we say, ‘you do this,’ and that’s the end of the discussion,” said Chris Lowe, associate CIO and CISO at the Agriculture Department. “At different organizations that may be the case…but in a loosely federated civilian space, it’s very hard to say do it or else, because ‘or else’ means I’ll just have to work around you.”

[…]