Show Notes:

Java flaws not entirely fixed by emergency patch

• The Polish security firm that initially discovered the 29 Java vulnerabilities back in April, two of which were the target of the emergency out-of-band patch issued by Oracle last week, has discovered that the flaws are still exploitable
• Oracle’s patch removed the getField and getMethod methods from the implementation of the sun.awt.SunToolkit, this disabled all of the Proof of Concept exploits from the security researchers, and the exploits actively being used in the wild
• Oracle basically removed the exploitation vector, without fixing the underlying vulnerabilities
• The Polish firm discovered another exploitation vector, that when combined with the unpatched vulnerabilities, allowed them to update their Proof of Concept code and continue to posses a large number of working exploits again Java
• Adam Gowdiak, CEO of Security Explorations (the Polish firm that discovered the vulnerabilities) also commented that Java 6 seemed much more secure, in all the time they spend researching it, they only ever managed to escape the sandbox once, using an Apple Quicktime exploit
• Researchers find critical vulnerability in Java 7 patch hours after release

More infrastructure switches vulnerable

• Some GarrettCom switches come with a hard coded password for a default account that cannot be changed or disabled
• A researcher at Cylance discovered the hidden account in April and warned the vendor and ICS-CERT
• The issue is present in GarrettCom Magnum MNS–6K Management Software version 4.1.14 and 14.1.14 SECURE, the vendor released an update that addresses the issue in May, but the issue was not disclosed until this week
• The attack is mitigated somewhat by the fact that the attacker would need access to an account on the switch, in order to exploit the vulnerability and escalate the privileges of the regular user account
• “A ‘factory’ account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom’s MNS–6K and MNS–6K-SECURE software. Cylance has identified an unforseen method whereby a user authenticated as ‘guest’ or ‘operator’ can escalate privileges to the ‘factory’ account”
• GarretCom switches are marketed as “Hardened” and used in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites. Beyond simple L2 and L3 networking these devices are also used for serial-to-ip conversion in SCADA systems
• Original Advisory
• ICS-CERT Advistory

Hackers claim to have stolen Mitt Romney’s tax returns from financial firm

• A group claims to have broken into the offices of Price Waterhouse Cooper in Tennessee, accessed the network file servers and copied the Romney’s tax returns for the years before 2010
• Later years were apparently not digitized yet and so were not able to be copied
• It doesn’t seem correct to refer to the individuals as hackers because the data was physically stolen from unsecured file servers, rather than accessed remotely
• The attackers seem to have thought ahead, going so far as to include secret statements in the copies of the documents sent to PWC and using those to authenticate themselves as the real attackers
• The attackers claim to have send encrypted copies of the documents to the media, as well as both political parties
• The attackers provide two bitcoin addresses, if the first receives 1 million USD worth of bitcoins before September 28th, then the encryption keys will be destroyed. If this does not happen, or if 1 million USD is sent to the second bitcoin address, the keys will be released publically
• In Canada the Personal Information Protection and Electronic Documents Act (PIPEDA) mandates specific security measures be taken to safeguard such personal information, it seems that the security practices at PWC were extremely lax
• The US Secret Service is investigating
• Pastebin Post #1
• Pastebin Post #2
• Additional Coverage

Anti-sec releases 1 million iOS unique device ID, apparently stolen from FBI laptop

• Anti-sec claims the original file they stole contains more than 12 million records
• The file apparently includes detailed data, including the UDIDs, push notification tokens, device names, usernames, phone numbers, addresses and device types
• Antisec claims to have remotely accessed Supervisor Special Agent Christopher K. Stangl’s Dell Vostro notebook in March 2012 using the AtomicReferenceArray Java vulnerability
• "During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’
• NCFTA is the: National Cyber Forensics and Training Alliance, a private group set up by a former FBI agent to facilitate information sharing between private companies and the FBI. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI
• SSA Stangl is a member of the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team
• The FBI denies the claim . “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data”
• A website has been setup to attempt to identify which apps or companies are sharing data with the FBI
• Original Pastebin
• Additional Coverage

Feedback:

• Comcast transparent DNS proxy. Another pfSense solution? : techsnap
• How do you choose networking gear?
• How I cope with a cap on my bandwidth

Have some fun:

• What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

• GhostBSD 3.0 BETA1 LXDE is ready to test. | GhostBSD
• BBC pursuades Adobe to continue to support Flash for Android 4.x
• Widely used fingerprint reader exposes Windows passwords in seconds
• Research shows possible vulnerability in Firefox and Opera, using data URIs to mask phishing attacks
• Intel immerses its servers in oil — and they like it!
• the Islamic Republic of Iran and the Democratic People’s Republic of Korea (DPRK, North Korea), have signed a number of new cooperation agreements, and are likely collaberating to attempt to defend them selves from the current cyber warfar campaign being waged against them
• Bitfloor hacked