The eXtensible Catalog (XC) Drupal Toolkit – Critical – Cross Site Request Forgery (CSRF) – Unsupported – SA-CONTRIB-2015-121

Description

The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit (MST).

The XC NCIP Provider module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause a user with “administer ncip providers” permission to alter NCIP providers by getting their browser to make a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that only sites that have the XC NCIP Provider module enabled are affected.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of The eXtensible Catalog (XC) Drupal Toolkit

Drupal core is not affected. If you do not use the contributed The eXtensible Catalog (XC) Drupal Toolkit module, there is nothing you need to do.

Solution

If you use The eXtensible Catalog (XC) Drupal Toolkit you should uninstall it.

Also see the The eXtensible Catalog (XC) Drupal Toolkit project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Beware of phishing scams after the LastPass breach

In a blog post, LastPass revealed that they “discovered and blocked suspicious activity on our network” and that they found “no evidence that encrypted user vault data was taken”.

LastPass seems to be transparent in sharing information about this security breach. They have provided what appears to be good technical detail about the information potentially compromised, along with the type of cryptography used to protect their users’ “Master” passwords.

The compromise of the ‘server per user salts’ and the ‘authentication hashes’ would allow the attackers to brute-force a targeted user’s password, but LastPass states that these values were created using a ‘key derivation function’ called PBKDF2, which is considered best practice.

This makes it extremely difficult for attackers to brute-force the passwords in bulk and instead limits them to cracking one password at a time – meaning they would have to target a particular user (or use many computers to target multiple users).
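A cost model for the point above, as an added example and not LastPass’s own code or parameters: the same guesses tested against several users cost one PBKDF2 derivation per guess when users share a salt, but one derivation per (user, guess) pair when every user has their own salt. The iteration count, salts and passwords are constructed for the demo.

```python
import hashlib
import os
import secrets

# Constructed iteration count: kept low so the demo runs quickly; LastPass's
# real server-side count is not stated in the post.
ITERATIONS = 2_000


def enroll(password: str, salt: bytes) -> dict:
    """Server-side authentication record: the salt plus PBKDF2-HMAC-SHA256(password, salt)."""
    auth_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "auth_hash": auth_hash}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return secrets.compare_digest(derived, record["auth_hash"])


def derivations_to_test(records: list, guesses: list) -> int:
    """Count PBKDF2 evaluations needed to test every guess against every record.

    A derivation is reusable only for records that share the same salt, so
    per-user salts force a fresh derivation for every (user, guess) pair.
    """
    cache = {}  # (salt, guess) -> derived hash
    count = 0
    for rec in records:
        for guess in guesses:
            key = (rec["salt"], guess)
            if key not in cache:
                cache[key] = hashlib.pbkdf2_hmac("sha256", guess.encode(), rec["salt"], ITERATIONS)
                count += 1
    return count


def compare_salting(user_count: int, guesses: list) -> tuple:
    """Same password, same guess list: returns (shared-salt cost, per-user-salt cost)."""
    password = "correct horse"          # constructed sample password
    shared_salt = b"\x00" * 16          # a single site-wide salt (the weak design)
    shared = [enroll(password, shared_salt) for _ in range(user_count)]
    per_user = [enroll(password, os.urandom(16)) for _ in range(user_count)]
    return derivations_to_test(shared, guesses), derivations_to_test(per_user, guesses)
```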

However, the weakest link here is the compromise of ‘email addresses’ and ‘password reminders’. Two likely scenarios come to mind that may arise as a result of this compromised information:

(1) Phishing attacks against LastPass users are now very likely, as the attackers may send email pretending to be from LastPass to trick users into divulging their Master passwords.

(2) The password reminders may give the attackers clues when attempting to brute-force a password. Some users are known to set password reminder clues that are so easy to interpret that they almost reveal the password in full.

Worse, the addition of the password reminder information to a phishing email may increase the success of that type of attack.

LastPass is right to advise all their users of this compromise, and hopefully all LastPass users are able to heed the warning and change their Master password, plus activate the multi-factor authentication options.

The positives in this case, however, appear to be the best-practice use of cryptography in their storage of master passwords (i.e. PBKDF2) and the attackers’ failure to access ‘encrypted data’ (stored passwords and Master Passwords). This is potentially down to LastPass having separate systems for this sensitive data.

If the attackers had been able to compromise the ‘encrypted user data’ then LastPass would surely be advising their users to not only change their Master password, but every other password stored within their accounts – and this would be a monumental task for all concerned.

Inline Entity Form – Less critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-120

Description

The Inline Entity Form module provides a field widget for inline management (creation, modification, removal) of referenced entities.

The module doesn’t sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Inline Entity Form 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Inline Entity Form module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Inline Entity Form project page.

Reported by

  • Matt Vance, provisional member of the Drupal Security Team

Fixed by

  • Matt Vance, provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Apache Solr Real-Time – Critical – Access Bypass – SA-CONTRIB-2015-119

Description

This module allows content-changes to be committed to Apache Solr in real-time.

The module doesn’t check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search site content.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Apache Solr Real-Time 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Apache Solr Real-Time module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Apache Solr Real-Time project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


The Dawn of Privacy-Driven Social Networks

As Avira focuses on privacy and security issues, and social networks now play a major role in people’s lives, CNET journalist Laura Hautala caught my attention yesterday with her article “Non-creepy social networks make it to your smartphone” (CNET, 15 June 2015).

Partly in response to outrage (in the wake of Edward Snowden’s disclosures) over government surveillance abuses and companies selling personal data from their customers to the highest bidders, a few companies are now attempting to disrupt the dominant paradigm – i.e. to provide private, encrypted alternatives to Facebook and other networks that the public perceives as being more concerned about profit than the privacy of their customers.

Meet the innovative Minds

Manhattan-based Minds, which has run an alternative social media website for two years, just launched a lightweight social-network app for mobile (for Android and iOS) that encrypts all communications – so they are secure and anonymous (able to be read only by the intended recipient). According to the company, Minds is the first social network with an encrypted app and it’s all based on open-source code to ensure that any attempts to read what shouldn’t be read will be transparent to developers.

According to Co-Founder and CEO Bill Ottman, the app launched this week with a two-year base of 30,000 people already using its social website. As Hautala points out, it’s not a number that will cause Facebook any pain (with its near 1.4 billion users), but the IT world can and often does change rapidly.

In addition to encryption of the data going through the app, Minds collects none of its customers’ data. So even if intelligence agencies demand users’ data, the company has nothing to give them.

As for earning revenue, Minds plans to give up traditional ad sales (which it has used on its website version) and instead offer ‘VIP services’ for points, which can be either purchased outright or earned free via interaction. Such services include being able to expand the reach of your content beyond your personal connections.

Others en route

With a focus on similar principles – namely data privacy, anonymity, and seeing customers as more than just numbers – the Vermont-based social network Ello also plans to launch a mobile app for iOS, Android, and Windows devices. More will come.

While I have personally suggested to friends and colleagues that ‘privacy’ may have been a short-lived concept in human history (and is in fact already gone from our lives in the way our grandparents knew it), it seems that companies led by freedom-loving people continue to rise up against privacy’s seemingly increasing absence.

While writing this, I downloaded the iOS version of the Minds app myself. I’ll activate an account later today and, if I find it to be a promising social experience, maybe I’ll see you there.

The post The Dawn of Privacy-Driven Social Networks appeared first on Avira Blog.

iCloud celebrity photo hack: What’s fappening?!

Via: Huffington Post

Just about a year after a plethora of celebrities’ nude photos were leaked online, two homes in south Chicago have been raided and investigators have named one of the suspected hackers. As this controversial story and investigation continues to unfold, Avast researchers have come up with a few speculations regarding the origin and motivation behind the initial hack. We’ve discussed the case with one of Avast’s security researchers, Filip Chytry, who has put in his two cents about the situation:

GR: Why might Apple not have flagged or investigated an IP address’ 572 iCloud logins and attempted password resets?

FC: “Putting it simply, Apple just doesn’t have security implemented on this level. Even though they might sound large to us, attempting to track this number of logins and attempts to reset passwords is similar to discovering a needle in a haystack when it comes to Apple’s ecosystem. To give you a better idea of what I mean, a group of users who are connecting via a VPN and using the same server will appear under a single IP address. On the other hand, it’s quite common these days for companies to implement an automatic system which is capable of detecting any source(s) of traffic. It could be an automatic system which is able to learn from daily traffic and, using gathered data, detect if there is an anomaly present (such as the one in this case). Another key factor relevant in this attack is the timeframe over which it took place. If the hackers had accessed the various accounts over a much shorter period of time, such as a few hours, it would have undoubtedly been a huge red flag for Apple.”

GR: Couldn’t it be that a neighbor or another person in a remote location could have used the two PCs as a bot to execute the hack, similar to what’s discussed in the Tweets published within this Fusion article? Could it be that someone took control of the two PCs or the routers they’re connected to and used them to perform the hack?

FC: “Although DNS hijacking could very well be the culprit here, the extended period of time over which the hacks occurred makes this possibility less likely. It’s my theory that the suspected hacker(s) could have accessed the login details of a certain database that was uploaded by other users on a warez forum. They could have then used these login details to execute the iCloud logins using a script.”

There are a handful of coincidental components present in this investigation, leaving many questions unanswered in terms of finding the true path that led to the celebrities’ photos being leaked. To many of us, the main thing that seems fishy about the attack is the fact that the potential hackers didn’t use an IP-masking or anonymizing tool, making them come across as rookies within the hacker world. Since the cybercriminals behind this case didn’t appear to be clever enough to anonymize themselves, it’s even possible that they had an ulterior motive for performing the hack in the first place – perhaps to be noticed and/or admired by other individuals or businesses. Based on the current facts, we’re highly interested in seeing which direction the investigation of this attack will take next.

HTTP Strict Transport Security – Moderately Critical – Logical Error – SA-CONTRIB-2015-118

Description

The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal.

HSTS module provides a configuration UI for the HSTS “include subdomains” directive, which indicates that the browser should apply the HSTS policy to all subdomains on the site’s domain.

HSTS module did not implement the “include subdomains” directive correctly (it is misspelled as include_subdomains rather than includeSubDomains). As a result, the HSTS policy was not applied to subdomains as site administrators had expected.

This vulnerability is mitigated by the fact that only subdomains where HSTS was expected to be enabled are affected and an attacker would still need to execute a man-in-the-middle attack to exploit the issue.
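A check a site administrator can run against the Strict-Transport-Security header their site actually emits, added here as an example (not the HSTS module’s own code): it parses the header per RFC 6797 and flags the misspelt include_subdomains directive the advisory describes, which browsers silently ignore. The two header values are constructed for the demo.

```python
# Directive names browsers act on (matched case-insensitively); "preload" is the
# widely supported extension beyond RFC 6797. Anything else is ignored by UAs.
KNOWN_DIRECTIVES = {"max-age", "includesubdomains", "preload"}


def parse_hsts(header: str) -> dict:
    """Parse an STS header value into {lowercased directive name: value or None}."""
    directives = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, has_value, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if has_value else None
        if name in directives:
            # RFC 6797 section 6.1: each directive may appear only once.
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def check_hsts(header: str) -> list:
    """Return findings about a header value; an empty list means the policy
    will be applied the way an administrator expects."""
    findings = []
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer: browsers ignore the whole header")
    for name in directives:
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unrecognised directive '{name}' is ignored by browsers")
    if "include_subdomains" in directives and "includesubdomains" not in directives:
        findings.append("include_subdomains is not includeSubDomains: subdomains stay unprotected")
    return findings


# Constructed header values: what the vulnerable module emitted, and the corrected form.
VULNERABLE_HEADER = "max-age=31536000; include_subdomains"
FIXED_HEADER = "max-age=31536000; includeSubDomains"
```

Feed it the value of the Strict-Transport-Security header fetched over HTTPS from the site; the header is only honoured by browsers on an HTTPS response.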

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • HSTS 7.x-1.x versions prior to 7.x-1.2.
  • HSTS 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed HTTP Strict Transport Security module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the HSTS module for Drupal 7.x, upgrade to HSTS 7.x-1.2
  • If you use the HSTS module for Drupal 6.x, upgrade to HSTS 6.x-1.1

Also see the HTTP Strict Transport Security project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


The cost of cybercrime is multiplying

The damaging effects of cybercrime are not limited to a bad image and corporate reputation; they also cause significant economic losses to the companies and individuals who suffer this type of incident. In fact, this figure is increasing, according to a report recently released by the information technology consultancy Juniper Research, which emphasizes the increasing professionalization of hacktivism and cyber crooks in general, and the fact that the financial targets criminals set themselves in the digital world are increasingly ambitious.

In particular, in the study “The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation” the analysts estimated the global cost of data breaches by 2019 at $2.1 trillion, no more and no less than four times what it is estimated to cost this year, 2015. The increasing digitization of end users’ and companies’ assets is one of the elements making being attacked ever more economically costly.

More attacks but where?

Interestingly, according to the report, although more and more threats arrive through mobile devices (Google’s Android, the most widespread platform on the market, is in this sense the most attacked), and cyber-attacks are also expected through the so-called Internet of Things (the large number of objects, from cars to appliances and many sensors, that will be connected to the network in the near future), the vast majority of security breaches will occur in existing IT and network infrastructures.

As James Moar, an analyst at Juniper Research, explained: “Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable”. According to the expert, the kind of threat we will see on these devices is the popular ransomware, a technique that locks down the victims’ devices until they pay a ransom to recover their systems and information.

Even so, we should emphasize that other consulting firms such as IDC consider that we must be vigilant about security breaches produced through the Internet of Things. A recent study by that analysis firm pointed out that, in 2016, nine of every ten technological networks will have suffered a security breach relating precisely to connected objects.

In terms of the geographical location where the security breaches will take place, Juniper’s experts predict that North America comes off worst; in fact, it will suffer 60% of the incidents expected to occur this year, 2015. In the coming years, however, it will give way to other countries that are beginning to emerge with greater wealth and digitization of their societies and economies, and which will also begin to suffer more attacks of this type.

Another fact to keep in mind: the consultancy predicts that the average cost of a data breach in 2020 will be over $150 million, since there will be more and more connected business infrastructure. According to 2013 data from the Spanish National Cryptologic Centre (CCN), cybercrime moves about $575,000 million worldwide, i.e. an average country’s GDP and more than drug trafficking produces across the globe. In Spain, according to the same source, around 200,000 incidents occur daily, although most of them are of very low intensity.

Cybercrime actors and hacktivists go pro

Another of the highlights of the report is that, according to Juniper, cybercrime is becoming more and more professional. Moreover, last year the first cybercrime products appeared on the market (yes, software for creating malware). The trend of recent years, in which hackers penetrated computer systems only for the recognition of having accomplished the feat, has given way to real cyber-criminals and extortionists.

On the other hand, hacktivists, i.e. individuals who use illegal or legally ambiguous digital tools to achieve political or other goals (web site defacement, redirecting, denial of service attacks, data theft, web site parodies, virtual solutions, virtual sabotage, software development, etc.), will act less during the coming years, according to the consultancy, but they will be more significant and better organized through social networks.

The post The cost of cybercrime is multiplying appeared first on MediaCenter Panda Security.