“Rootpipe” Vulnerability


Emil Kvarnhammar

A new critical vulnerability nicknamed “Rootpipe”, affecting Apple’s Mac OS X operating system, has been discovered by Swedish security researcher and consultant Emil Kvarnhammar (@emilkvarnhammar).

The vulnerability lets a local attacker escalate from an administrator account to “root”, the highest level of access on the system, without supplying a password. In doing so the attacker bypasses the built-in safeguards that are supposed to stop a user from obtaining root; the flaw behaves like a backdoor left in the operating system.

Speaking at a developer conference in Sweden, Kvarnhammar demonstrated the privilege escalation on OS X versions from 10.8.5 through the newest release, 10.10 Yosemite.

Once the vulnerability is exploited, attackers can install malicious software or make other changes to the system without being prompted for a password. From there they could steal sensitive information such as passwords or bank account details, or wipe all of the data from the computer.

Kvarnhammar reported the issue to Apple but initially received no response. Apple later requested additional details, which he provided, and has since asked him not to disclose the exploit until a patch is available; Apple expects to ship the fix in January 2015.

Apple OS X users affected by the “Rootpipe” vulnerability are advised to take the following steps to protect themselves:
• Avoid using an admin account for day-to-day work. An attacker who gains control of a standard (non-admin) account obtains only limited privileges.
• Kvarnhammar also recommended using FileVault, Apple’s full-disk encryption for Macs, noting “This is a great way of protecting your data, especially if your computer gets stolen.”
However, the best protection against vulnerabilities of this kind is to keep the operating system up to date, and to be careful with links and documents that others send you.
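As an added example (not code from the original article or from the researcher), the following Python 3 script turns the advice above into a local check: whether the OS X version falls in the range the article says Rootpipe was demonstrated on, whether the day-to-day account is in the admin group, and whether FileVault is on. The live run assumes the standard OS X tools sw_vers, id and fdesetup; the parsing functions take command output as text, so the logic can be exercised without a Mac.

```python
# Added example, not code from the original article. Assumes Python 3 and, for live use,
# the OS X commands sw_vers, id and fdesetup (standard tools; they run only under __main__).
import subprocess


def parse_version(text: str) -> tuple:
    """'10.10.1' -> (10, 10, 1); a missing patch level counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_demonstrated_range(version: str) -> bool:
    """True if the OS X version is in the range the article says Rootpipe was demonstrated on,
    10.8.5 through 10.10.x. Versions outside it are not thereby shown to be safe."""
    return (10, 8, 5) <= parse_version(version) < (10, 11, 0)


def is_admin(groups_output: str) -> bool:
    """True if the output of `id -Gn` lists the admin group, the account type the advice warns about."""
    return "admin" in groups_output.split()


def filevault_on(status_output: str) -> bool:
    """True if the output of `fdesetup status` reports FileVault as enabled."""
    return "filevault is on" in status_output.lower()


def audit(version: str, groups_output: str, fv_status: str) -> list:
    """Run the three checks and return a list of findings; an empty list means nothing to flag."""
    findings = []
    if in_demonstrated_range(version):
        findings.append(f"OS X {version.strip()} is in the range Rootpipe was demonstrated on")
    if is_admin(groups_output):
        findings.append("the current account is in the admin group; use a standard account day to day")
    if not filevault_on(fv_status):
        findings.append("FileVault is off")
    return findings


def _output(cmd: list) -> str:
    """Capture stdout of a command (only used for live runs on a Mac)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live run on a Mac; constructed inputs are used in the offline checks instead.
    report = audit(_output(["sw_vers", "-productVersion"]),
                   _output(["id", "-Gn"]),
                   _output(["fdesetup", "status"]))
    print("\n".join(report) if report else "nothing to flag")
```

Run it as a standard user on each Mac you manage; a non-empty report means one of the three recommendations above has not been applied yet.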

WordPress Security Plugin Vulnerabilities for Oct 30th

Article from Wordfence.com:

This is a WordPress security report for Oct 30th 2014. We are publishing a list of current critical vulnerabilities that we want to draw your attention to. Please scan the list below and if you are using any of the products listed, or if you are aware of anyone using the products listed, please take the appropriate action which we include in each bullet point below.

If you are using any of these plugins, please take the action suggested in the bullet point above. Help spread the word to improve WordPress security for the WordPress community.

SANS Cyber Defense Initiative (CDI) 2014

SANS Cyber Defense Initiative (CDI) 2014 will once again bring together the nation’s cyber defense community on December 10-19 at the Grand Hyatt Washington in DC.


CDI 2014 is not only a leading cyber defense training event, it is also powered by SANS’ NetWars! Learn more about the Core NetWars, DFIR NetWars, and the 3rd Annual NetWars Tournament of Champions taking place at CDI 2014 at the event page below, as well as the more than 25 courses available in IT security, pen testing, security management, IT audit, and digital forensics. Short courses can also be taken with a long course to enhance your training.


New courses include the debut of SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise at CDI 2014. Competing in simulated attacks, participants will learn how to devise strategies and employ tactics to thwart computer attacks that would cause significant real-world damage. The battles ensue inside CyberCity, a miniature physical city featuring real-world Industrial Control Systems and a power grid. CyberCity’s in-depth and ambitious challenges include maintaining control of vital city infrastructure including water, power, transportation, hospitals, banks, retail, and residential.


On the final day of the SEC562 course participants compete in a free-for-all battle for turf in CyberCity. Teams are tasked with taking over turf from other teams while simultaneously protecting their own turf in a red-team/blue-team faceoff.


Every course, evening talk, and special event offered at SANS CDI 2014 is designed to keep cyber defenders on the cutting-edge and to ensure that they have the knowledge and skills required to fight against the actions of today’s cyber criminals. Many courses at CDI 2014 can also be used to prepare for GIAC certification.


For a complete list of courses and to register for the training event, please visit:

http://www.sans.org/info/169082


*** Save $150 on your CDI 2014 course with discount code: SANS_SecOrb150 ***

Internationally Renowned Security Expert Bruce Schneier to Keynote the 2015 ISSA-LA Information Security Summit on Cybercrime Solutions

Los Angeles, CA – September 11, 2014 – Bruce Schneier, one of the world’s leading experts on computer security and privacy issues, will deliver the keynote address at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Seventh Annual Information Security Summit on June 4, 2015, at the Hilton Universal City Hotel in Los Angeles. The theme of each annual summit is The Growing Cyber Threat: Protect Your Business, which highlights the financial impact cybercrime has on all organizations: businesses, nonprofits, government agencies, schools, healthcare providers and others. The summit advances ISSA-LA’s core belief that It takes the village to secure the village(SM).


“The Los Angeles community is incredibly privileged to have Bruce Schneier as our Summit VII Keynote Speaker,” said ISSA-LA President Stan Stahl, PhD.  “More than just one of America’s foremost information security technologists, Bruce is widely acclaimed for his policy leadership on cyber security, cyber privacy and national security.”


Schneier is called a “security guru” by The Economist. He is the author of 12 books, including “Liars and Outliers: Enabling the Trust Society Needs to Thrive,” as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. He has written articles and op-eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.


Schneier’s first bestseller, “Applied Cryptography,” explained how the arcane science of secret codes actually works, and was described by Wired as “the book the National Security Agency wanted never to be published.” His book “Beyond Fear” tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. His blog offers insight into everything from the risk of identity theft to the long-range security threat of unchecked presidential power. His latest book, “Liars and Outliers,” explains how societies use security to enable the trust that they need to survive.


Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc.


The annual ISSA-LA Summit, as part of its educational outreach program, is the only educational forum in Los Angeles specifically designed to encourage participation and interaction.  The Summit is open to anyone interested in learning more about information security but is particularly recommended for business and nonprofit executives and senior managers; business professionals in law, accounting, insurance and banking; technical IT personnel; law enforcement professionals fighting cybercrime; faculty and students in college and university cybersecurity programs; and information security practitioners.


About Los Angeles Chapter of the Information Systems Security Association (ISSA-LA):

ISSA-LA is the premier catalyst and information source in Los Angeles for improving the practice of information security. The Chapter provides educational programs for information security and IT professionals. The Chapter also conducts outreach programs to businesses, financial institutions, nonprofits, governmental agencies, and consumers.  ISSA-LA is the founding Chapter of the Information Systems Security Association, an international not-for-profit organization of information security professionals and practitioners. Please follow the Chapter on Twitter at @ISSALA as well as LinkedIn and Facebook. For more information on the Seventh Annual Information Security Summit, please visit http://summit.issala.org .


About Co3 Systems:

Headquartered in Cambridge, MA, Co3 Systems is making the market for Incident Response Management Systems – collaboration software that brings people, process, and technology together for a time of crisis. Co3 is led by a proven team of security entrepreneurs including security legend, Bruce Schneier (CTO). In a short period of time, Co3 has emerged as the gold standard for how organizations—from Fortune 500 companies to small organizations—prepare, assess, manage and mitigate security and privacy incidents. On the web at www.co3sys.com.


Jim Goyjer

Vice President, Media


CARL TERZIAN ASSOCIATES
10866 Wilshire Blvd., Suite 750
Los Angeles, CA  90024
(T):  310-207-3361
(F):  310-820-0626
(E):  jim.goyjer@carlterzianpr.com
(W): www.carlterzianpr.com

The Basics of Social Engineering

What is social engineering? According to Merriam-Webster, social engineering is “management of human beings in accordance with their place and function in society” (www.merriam-webster.com, 2014). In security, social engineering is a non-technical form of intrusion that relies on human interaction to get the victim to break normal security procedures. An example would be an attacker posing as an engineer and calling a company to learn what type of firewall or networking equipment it uses. That information helps the attacker gain access to the system by letting them research known vulnerabilities and default passwords for those products.

A large share of successful intrusions begin with social engineering rather than a purely technical exploit. Almost everyone has received an email offering a free flash drive, whitepaper or similar reward for filling out a survey, or an email claiming to be from their bank or credit card company, reporting suspicious activity on the account and asking them to provide sensitive information to resolve the problem.
Why would a social engineer attempt to “hack” the person instead of the system directly? The person is usually the weakest link: tricking an unsuspecting user takes far less effort than getting through firewalls and other technical controls.

Some of the techniques a social engineer uses are quid pro quo, shoulder surfing, pretexting, phishing, spear phishing, IVR/phone phishing, Trojan horses, dumpster diving and road apples, to name a few.
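As an added example (not code from the Examiner.com article), the following Python 3 script scores the “suspicious activity on your account” lure described above with four simple indicators: a display name that claims to be a bank but writes from a free-mail domain, a Reply-To that routes answers to a different domain, pressure language in the body, and links whose visible text names a different host than their real target. The two sample messages are constructed for this example, and the free-mail list and phrase lists are assumptions, not data from the page.

```python
# Added example, not code from the Examiner.com article. The two sample messages are constructed
# for this example; the sender domains, free-mail list and phrase lists are assumptions.
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that pressure the reader into acting before thinking (assumed list).
URGENCY_PHRASES = ("suspicious activity", "verify your account", "within 24 hours",
                   "account will be suspended", "confirm your", "immediately")
# Words in a display name that claim to be a financial institution (assumed list).
FINANCIAL_WORDS = ("bank", "credit union", "card services")
# Providers anyone can sign up with; a "bank" writing from one is a red flag (assumed list).
FREE_MAIL = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_mismatches(html: str) -> list:
    """Flag <a> tags whose visible text names one host while the href points at another."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0].lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in a raw RFC 822 message (empty list: none found)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. A display name that claims to be a bank, sent from a free-mail domain.
    if any(w in display_name.lower() for w in FINANCIAL_WORDS) and from_domain in FREE_MAIL:
        findings.append(f"'{display_name}' writes from free-mail domain {from_domain}")
    # 2. Replies silently routed to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Single-part messages only; a multipart body would need walking (kept simple here).
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    # 3. Pressure language in the body.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))
    # 4. Links whose visible text and real target disagree.
    findings.extend(link_mismatches(body))
    return findings


# Constructed sample: the "suspicious activity" lure the article describes.
PHISH = """\
From: "Example Bank Security Desk" <alerts.examplebank@gmail.com>
Reply-To: verify@examp1e-bank.com
To: customer@example.org
Subject: Suspicious activity on your account
Content-Type: text/html; charset=utf-8

<p>We detected suspicious activity. Please verify your account within 24 hours
or your account will be suspended.</p>
<a href="http://examp1e-bank.com/login">https://www.examplebank.com/login</a>
"""

# Constructed sample: a routine notice with a consistent sender and honest links.
BENIGN = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your October statement is available in online banking.</p>
<a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, phishing_indicators(sample))
```

The indicators are deliberately cheap and explainable, which is what a user-awareness programme needs: each finding is a sentence you can show the recipient to explain why the message should be reported rather than answered. None of them is proof on its own; the point is that the constructed lure trips all four while the routine notice trips none.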

“Since there is neither hardware nor software available to protect an enterprise against social engineering, it is essential that good practices be implemented” (Peltier, 2014). How do we defend against the social engineer? Some practices that should be deployed:

Read the rest on Examiner.com’s website.

SANS Network Security 2014: Las Vegas, NV: October 19-27

SANS Network Security 2014 is coming up soon in Las Vegas on October 19-27. Join SANS at Caesars Palace for more than 45 cybersecurity courses, special events and evening talks, and a huge vendor expo, all of which are offered to teach you a valuable skill set that you can put to work as soon as you return to the office.

To see our list of courses, with links to the course descriptions, GIAC Certs offered, and instructor bios, please visit: http://www.sans.org/info/164367

(***Save $150 off your SANS Network Security 2014 course: use the ‘SANS_SecOrb150’ code when registering***)

SANS Network Security 2014 is your networking opportunity with something for everyone! The following new hands-on immersion courses will be available:

  • New! SEC511: Continuous Monitoring and Security Operations taught by Eric Conrad
  • New! SEC760: Advanced Exploit Development for Penetration Testers taught by Stephen Sims
  • New! FOR526: Memory Forensics In-Depth taught by Alissa Torres
  • New! FOR572: Advanced Network Forensics and Analysis (GIAC-GNFA, Simulcast) taught by Philip Hagen
  • New! FOR585: Advanced Smartphone Forensics taught by Heather Mahalik
  • New! ICS410: ICS/SCADA Security Essentials (GIAC-GICSP) taught by Graham Speake
  • New! HOSTED: Embedded Device Security Assessments For The Rest Of Us taught by Paul Asadoorian


Don’t miss the opportunity to participate in the SANS NetWars Tournament, a live and timed event that runs over an intense two-evening period – October 23 and 24 with Ed Skoudis. It is a competitive environment that creates a sense of urgency and pressure among the participants, with a real-time scoreboard available for viewing. Many enterprises, government agencies, and military organizations rely on NetWars Tournament training to help identify skilled personnel and as part of extensive hands-on skill development.

Another option is SANS DFIR NetWars Tournament on the evening of October 23 and 24 with Rob Lee. This is an incident simulator packed with a vast amount of forensic and incident response challenges, for individual or team-based “firefights.” It is developed by incident responders and forensic analysts who use these skills daily to stop data breaches and solve complex crimes. DFIR NetWars Tournament allows each player to progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges they might experience during a serious incident. DFIR NetWars Tournament enables players to learn and sharpen new skills prior to being involved in a real incident.

Also, enrich your conference experience: the bonus evening sessions are open to all paid course attendees at no additional cost.

You won’t want to miss SANS Network Security 2014! SANS’ top-rated practitioner instructors are looking forward to seeing you there. For complete details regarding the training event and to register, please visit: http://www.sans.org/info/164367
