Internet access
Knowledge Austria/Germany and IronPort.
DeepSec Organisation Team.
https://deepsec.net/contact
Internet Access at the conference is provided by: http://www.nets.at/
Recommendation:
The vendor refused to comment on whether they would develop a patch or even notify
the existing client base.
Workaround: Remove ConnX server from public Internet access and protect behind
corporate firewalls, SSL-VPN, web application firewall etc.
References:
aushack.com advisory
http://www.aushack.com/200904-q2solutions.txt
Credit: Daniel Teixeira
Vulnerability Details:
The Web Management Interface of common consumer routers allows Internet access password disclosure simply by inspecting the DSL password <INPUT> field with development tools such as Safari Web Inspector or Firebug.
Demo: http://vimeo.com/16480521
Dear List,
This message is thrown together in a hurry with limited Internet
access, please accept my apologies for typos and missing information,
more will follow soon :)
My call for an OSS Bluetooth sniffer during the last 23C3
in Berlin has not been left unanswered; first there was
Max Moser ("Bluetooth - Getting raw access") who uncovered
• Digital Rights Management
• Privacy & Security
• Smart Grid / Critical Infrastructure Security
Speakers are encouraged to use multi-media and/or live demo, if appropriate.
Internet access will be available at the venue.
Speakers should submit an outline of their proposed talk along with an abstract. Papers will be judged on topic originality and technical content. Electronic submission is required in pdf or standard Microsoft Office applications (Word, Powerpoint). Vendors are allowed to submit proposals, however any vendor submission must be vendor neutral and approach the topic area from a technical/technology/solution approach rather than vendor specific products/solutions.
Submit your proposal to: paranoia (at)watchcom (dot)no
From GFI's website:
"GFI WebMonitor offers web security features that allow you to control your
employees' Internet access by monitoring what files employees are downloading, to
block file types such as MP3s and to scan all files for viruses, spyware and malware
using multiple antivirus engines. GFI WebMonitor lowers the risk of social engineering
by blocking access to phishing websites through the use of an auto-updatable database
of phishing URLs. The web monitoring features also allow you to monitor and block
Live Messenger (MSN) chat sessions and file transfers."
HITB Europe. No further information will be shared with the public before
Apple releases a patch.
o Security-Advisory: TEHTRI-SA-2010-026 - 0day on ThalysNet
TEHTRI-Security found some security issues on Thalys European trains,
with the Internet access on board. To us, many shared Internet access services at
airports, stations, on trains, in-flight, in hotels, etc., are full of
security vulnerabilities, because no penetration tests were organized
with IT Security experts before the service was opened to the public.
Dealing with ThalysNet, it concerns half a million end-users.
ThalysNet was contacted.
A customer service message from ZoneAlarm …
On Tuesday, Microsoft rolled out an automatic update to all of their users. Unfortunately, this cut off Internet access for anyone on Windows XP or Windows 2000 using the ZoneAlarm firewall. This is the #1 free firewall in the world, and is also included in other security products sold by ZoneAlarm.
For ways to fix this, go here: http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Or call Customer Service here: 1-877-966-5221
There is a fairly in-depth discussion of the issue here:
http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars
Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.
*********** REPLY SEPARATOR ***********
On 1/16/2010 at 7:39 AM Michael Scheidell wrote:
[>>] Proviso SiteKiosk File Download Vulnerability [<<]
[x] Vendor Information:
"SiteKiosk is a software for public access internet terminals and lets you turn any computer into a secure multilanguage Internet terminal (already 20 different languages included), allowing the user to access the Internet but protecting the underlying operating system and files. Possible uses include presentations, exhibitions, libraries, and more. SiteKiosk works with normal displays and Touchscreens. A keyboard doesn't even have to be attached -- text can be entered via a keypad with a mouse. Plentiful options let you decide the amount of security your kiosk needs, from hard-disk protection to prohibiting specific Websites. The program can be used with either a direct network connection or Dial-Up Networking, providing Internet access "on demand." Other features include multiple-window support, automatic shutdown/restart, Shell-Replacement, hard-disk protection, thorough event-logging support, Log-Out Button, content-advisor, great website filtering (with automatic update), an easy-to-use configuration wizard, and more. SiteKiosk supports different payment methods like coin machines, bill acceptors, smart cards and others. Also very nice is the webcam support which enables users to send voice, video and photo emails. It is also possible to administer terminals by remote. SiteKiosk uses Internet Explorer as its basis but presents a much simplified interface that even the novice user will understand. Excellent online help is included."
[x] Attack Information
SiteKiosk tries to block and avoid file downloads. If you click on a link which saves a file automatically on your hard drive (e.g. an exe download link) or if you right click something and select "save as..." a window will pop up which says that it isn't possible to download the file. But you can bypass the issue with a special URL - you've got to use the "about:" URL. SiteKiosk uses the Microsoft Internet Explorer engine to display web sites, so you can also use "about:" to display anything directly from the URL. For example "about:hello" will display the text "hello" directly in the browser. Of course you can use HTML too: "about:<b>hello</b>" will display the text "hello" in bold. Normally this is harmless, but in SiteKiosk you can use it to download files.
RESOLUTION
HP has made the following updates available to resolve the vulnerabilities.
The HP P4000 CMC will automatically download these updates if internet access is available.
The latest patches are available from the HP P4000 Software Downloads: http://www.hp.com/go/p4000downloads
To manually download the patches:
OCSP_basic_verify(), but it does not verify the status of the
certificate itself. Thus, if an attacker has access to a revoked
certificate and its matching private key, the attacker is able to
authenticate against the FreeRADIUS server.
This allows the attacker to gain access to all network resources that
are accessible through the FreeRADIUS authentication, e.g. Internet access.
To avoid the issue, the status of the certificate has to be checked with
the OCSP_resp_find_status() function by comparing the returned status
value against 'V_OCSP_CERTSTATUS_GOOD', and by checking the freshness of
the OCSP response with OCSP_check_validity().