STE WILLIAMS

McAfee Security Manager lets anybody bypass managers’ security

McAfee’s Enterprise Security Manager (ESM) needs patching, as smartly as you can manage, due to an administrator-level authentication bypass.

The advisory here says “a specially crafted username” can get past the Security Information Event Management logins without authentication, and without a password, “if the ESM is configured to use Active Directory or LDAP”.

That gives the attacker access to NGCP – the default username created at first installation – without checking the password assigned to NGCP when it was created.

Designated CVE-2015-8024, the bug covers “McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and Enterprise Security Manager/Receiver (ESMREC) 9.3.x before 9.3.2MR19, 9.4.x before 9.4.2MR9, and 9.5.x before 9.5.0MR8, when configured to use Active Directory or LDAP authentication sources, allow remote attackers to bypass authentication by logging in with the username ‘NGCP|NGCP’ and any password”, the advisory states.

If you can’t update the software immediately, the workaround is to disable all Active Directory and LDAP authentication sources in the Enterprise Security Manager.

Better, however, to follow the update link provided in the advisory. ®
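For asset owners checking exposure to the bypass described above, here is an added example (not McAfee's code or anything from the advisory) that applies the advisory's two conditions: the build must predate the fixed maintenance release for its branch, and an Active Directory or LDAP source must be configured. It also scans constructed login records for the published `NGCP|NGCP` username; the log format used is an assumption, since the page does not describe ESM's log layout.

```python
import re

# Fixed builds per branch, taken from the advisory text quoted above.
FIXED = {
    (9, 3): (9, 3, 2, 19),   # 9.3.x fixed in 9.3.2MR19
    (9, 4): (9, 4, 2, 9),    # 9.4.x fixed in 9.4.2MR9
    (9, 5): (9, 5, 0, 8),    # 9.5.x fixed in 9.5.0MR8
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:MR(\d+))?$")


def parse_version(version):
    """Turn '9.4.2MR9' into (9, 4, 2, 9); a bare '9.4.2' counts as MR0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised ESM version string: %r" % version)
    major, minor, patch, mr = m.groups()
    return int(major), int(minor), int(patch), int(mr or 0)


def is_vulnerable(version, uses_directory_auth):
    """CVE-2015-8024 applies only when an AD/LDAP source is configured
    and the build is older than the fixed release for its branch."""
    if not uses_directory_auth:
        return False
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branch not named in the advisory: not in the affected list.
        return False
    return v < fixed   # tuple comparison handles the MR suffix ordering


# Constructed sample records in an assumed "user=<name> result=<ok|fail>"
# layout; the real ESM log format is not described on the page.
SAMPLE_LOG = """\
2015-12-07T10:01:02Z auth src=10.0.0.5 user=alice result=ok
2015-12-07T10:01:09Z auth src=10.0.0.9 user=NGCP|NGCP result=ok
2015-12-07T10:01:15Z auth src=10.0.0.7 user=bob result=fail
"""


def suspicious_logins(log_text):
    """Return usernames containing '|', the separator in the published
    bypass string; it is not a character expected in directory accounts."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"user=(\S+)", line)
        if m and "|" in m.group(1):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("9.4.1MR3 vulnerable:", is_vulnerable("9.4.1MR3", True))
    print("suspicious logins:", suspicious_logins(SAMPLE_LOG))
```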

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/mcafee_security_manager_lets_managers_bypass_security/

Obama calls out encryption in terror strategy speech

United States President Barack Obama has given just his third Address to the Nation from behind his desk in the Oval Office, delivering a speech in which he all but called on the technology industry to allow access to encrypted communications.

The main purpose of the speech was to offer a response to last week’s killings in San Bernardino. Obama said investigations have found “no evidence that the killers were directed by a terrorist organization overseas, or that they were part of a broader conspiracy here at home” but did label it “an act of terrorism” committed by people who “… had gone down the dark path of radicalization, embracing a perverted interpretation of Islam that calls for war against America and the West.”

The speech goes on to say that “as the Internet erases the distance between countries, we see growing efforts by terrorists to poison the minds of people like the Boston Marathon bombers and the San Bernardino killers.”

Obama therefore explains the USA’s immediate response to terrorism and particularly to ISIL, including military and diplomatic efforts, plus some restrictions on the right to purchase firearms and stronger screening of some visitors to America.

Future actions, Obama said, will include an attempt to “urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.”

The sentence isn’t explained, but seems a clear reference to the technology industry’s argument that encryption is essential for everyday life and therefore ought not to be equipped with back doors for government use.

The term “escape from justice” also invokes a New York Times op-ed titled When Phone Encryption Blocks Justice. Penned by Manhattan district attorney Cyrus R. Vance Jr, Paris chief prosecutor François Molins, commissioner of the City of London Police Adrian Leppard and chief prosecutor of the High Court of Spain Javier Zaragoza, the piece argued that “The new encryption policies of Apple and Google have made it harder to protect people from crime.”

Similar arguments emerged after the November 13th Paris attacks, when it was widely argued that the attacks may have been detected, and prevented, if law enforcement agencies had access to backdoors allowing easier and wider surveillance of encrypted communications services.

Obama’s speech is something of a reversal, as he’s previously resisted calls for access to encrypted communications. Hillary Clinton, however, has called for Silicon Valley to “develop solutions that will both keep us safe and protect our privacy,” adding that “Now is the time to solve this problem, not after the next attack.” Clinton’s remarks were made in the days between the Paris and San Bernardino incidents. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/obama_encryption_policy_change_in_terror_response_speech/

Advent tip #6: A padlock *inside* a web page? Ignore it!

By now, you probably know the difference between HTTP and HTTPS.

Many web addresses start with http://, which is short for HyperText Transfer Protocol, the “language” that browsers and web servers use when they talk to each other.

These days, however, an increasing number of websites start with https://, which means HTTP with added Security.

HTTPS isn’t perfect – crooks can register to use it, after all, albeit with more difficulty than most legitimate sites – but it helps a lot.

When you make an HTTPS connection, a padlock appears in your browser’s address bar, and you can click on the padlock to find out more about who’s at the other end.

That’s using cryptography to help with authenticity.

Additionally, when you use HTTPS, the data you send back and forth is encrypted, so that other people round about – in the same coffee shop as you, for example – can’t eavesdrop on your network connection and see what you’re saying to your bank.

That’s confidentiality.

Better yet, they can’t intercept and change what you and your bank are discussing.

That’s known in data security language as integrity.

If a site where you would expect security doesn’t use HTTPS, stop at once – you’re probably on a fake site that’s phishing for your password!

But be careful: ALWAYS look for the HTTPS padlock and associated security information in your browser’s address bar.

NEVER rely on anything that’s inside a web page to convince you that the page is secure, because the content of the page is controlled by the web server at the other end.

A picture of a padlock inside a web page is just that: a picture of a padlock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q6w1PR5WV90/

France mulls tighter noose around crypto

France’s state of emergency could lead to blocks on encrypted Internet connections and a ban on public Wi-Fi networks, if proposals put to the government go ahead.

According to Le Monde (in French), the extension of the state of emergency could also stretch to requiring all rental cars to carry GPS, expansion of public video surveillance, two-year telecommunications data retention, and approval for police to use IMSI-catchers (like the Stingray devices used in America).

French news site Numerama.com adds that the matters under debate also include forced provision of messaging encryption keys.

Numerama explains (in French) that in a paywalled article, Le Monde quoted from an internal Department of Civil Liberties and Legal Affairs document prepared last week.

The laws could be up for consideration as soon as January, Numerama says.

Some of the proposals, however, seem nebulous to the point of impossibility: the proposals stretch beyond shutting off the Wi-Fi at Parisian cafes to banning “shared connections” with criminal sanctions as enforcement.

Just what kind of connection sharing the gendarmerie has in mind isn’t stipulated, but it’s a fair bet that unplugging every shared connection in the country would incidentally bring the operation of government to a halt.

The rationale is that police want to tie a specific user’s identifier to an individual IP address.

The proposals also indicate a desire to snoop on VoIP conversations, again with encryption keys to be given to the police. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/06/france_mulls_tighter_noose_around_crypto/

OopSSL: Pushme-Pullyou for OpenSSL patches

The OpenSSL Project released its promised updates last week and, almost immediately, had to try again because of errors in the release.

The bugs fixed in the release include three moderate-level issues and one low-severity bug. Among them is a denial-of-service vulnerability that crashes OpenSSL clients during certificate verification.

The fixes apply to OpenSSL 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2e branches. The 1.0.0 and 0.9.8 branches have been on OpenSSL’s end-of-life list since December 2014, and the advisory notes that these will be the last fixes those two builds receive.

However, the OpenSSL maintainers were the targets of criticism from users after they discovered a mistake in the packages and re-issued the tarballs, without changing the version numbers.

[Image: OpenSSL's corrected announcements. Caption: Pardon, your slip is showing: OpenSSL announces the fix fixes on Twitter]

One error was minor: a fix in OpenSSL 1.0.2 for CVE-2015-1794 wasn’t documented. However, there were also missing files that stopped the updates from building, which led to the group announcing the new versions on Twitter.

Not everyone was impressed that the maintainers simply kept the versions the same and re-issued the patches.

In OpenSSL’s defence, The Register would remark that nobody installing a package that wouldn’t build could be misled into thinking they’d successfully updated.

Sysadmins will also have to watch their vendor security advisories, since the OpenSSL bugs will be scattered around all sorts of kit. Indeed, the likes of Cisco are already offering fixes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/06/oopssl_openssl_patch_pushed_pulled_pushed_again/

Chat logs, sure, but *children’s* chat logs? [Chet Chat Podcast 224]

Sophos Security Chet Chat – Episode 224 – Dec 1, 2015

Join Sophos experts Chester Wisniewski and John Shier for the latest episode of our security podcast.

The week’s news made fun, informative and educational.

Other podcasts you might like:

• Chet Chat 223 – You’ve got (unencrypted) mail!

• Chet Chat 222 – Malware – but none of it on Windows!

• Sophos Techknow – Malware on Linux – When Penguins Attack

• Sophos Techknow – Dealing with Ransomware

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hCtzfQ1MxAQ/

Advent tip #5: Change default passwords on baby monitors and webcams

Whether it’s a baby monitor, a home surveillance system, or any other internet-enabled camera, it probably has a default password.

Make no mistake: if there’s a default password, the crooks know what it is.

In other words, if you don’t change the password from the default then you are making it much easier for a cybercriminal to hack in and watch whatever you’re filming.

That could be you, your house, your baby, or something else that you’d probably like to keep away from prying eyes.

Last year we wrote about one website that was streaming the live feeds of hundreds of thousands of internet-enabled cameras that were secured with a default, out-of-the-box password.

Don’t make it easy for thieves – change passwords from their defaults, and make sure you pick a proper password.

If you aren’t sure how to set the password, try the camera vendor’s support forums for help.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qVst4Zge45s/

Lenov-lol, a load of Tosh, and what the Dell? More bad holes found in PC makers’ bloatware

In brief Lenovo laptops and PCs can be hijacked by visiting a malicious website – and Dell and Toshiba machines suffer vulnerabilities, too, we’re told.

If you’re running the Lenovo Solution Center bundled with Lenovo gear, and you browse by an evil webpage, scripts on that page can run code with full system privileges on your computer, allowing them to install malware, spy on you, and cause other havoc. Any programs or software nasties already on your machine can exploit Lenovo Solution Center to gain admin access, and therefore full control, without you lifting a finger.

The vulnerabilities were discovered by infosec bod Slipstream – previously on these pages for discovering security holes in Dell and UK school IT admin software. The US CERT has issued an alert about the Lenovo holes, and the Chinese giant has urged people to uninstall its Solution Center as soon as possible.

“By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges,” said CERT, which is backed by the US Department of Homeland Security.

“The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround: uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation.”

You can fetch exploit binaries and source code, written in D, for the holes here if you want to see for yourself how terrible multimillion-dollar outfits Lenovo, Dell and Toshiba are at secure programming – bear in mind you’ll be treated to a cute retro-demoscene-esque intro with audio while fetching the .zip.

Here’s a round-up of the bugs, according to CERT and Slipstream:

  • Lenovo…
    • Lenovo Solution Center creates a process called LSCTaskService that runs with full administrator rights, and fires up a web server on port 55555. It can be instructed via GET and POST HTTP requests to execute code in a directory a local user can access.
    • Lenovo Solution Center will execute, again with full privileges, programs found in an arbitrary location on disk where the user can write to. Put some bad software in there, and it will be executed with admin rights.
    • A classic cross-site request forgery (CSRF) vulnerability exists in the LSCTaskService process, allowing any visited webpage to pass commands to the local web server to execute with full privileges.
  • Dell’s bundled utility Dell System Detect can be made to gain admin privileges and execute arbitrary commands – by feeding it a security token downloaded from, er, dell.com: a token granting Dell System Detect permission to install manuals can be abused to execute programs (such as malware) with admin privileges. This can be exploited by software on your computer to fully compromise the machine.
  • Toshiba’s bundled Service Station tool can be abused by normal users and unprivileged software to read the majority of the operating system’s registry as a SYSTEM-level user.

Lenovo has only just got round to patching holes in its System Update utility. Earlier this year it was caught up in a bloatware security blunder, as was Dell. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/05/dell_lenovo_toshiba_vulnerabilities/

Senate asks DHS: you don’t negotiate with terrorists, but do you pay off ransomware?

The US Senate Committee on Homeland Security and Governmental Affairs wants to know how secured government PCs are against ransomware, and whether any agencies have paid off hackers to unlock their files.

In a pair of open letters to the Department of Homeland Security (DHS) and Attorney General Loretta Lynch, Senators Tom Carper (D-DE) and Ron Johnson (R-WI) asked the two offices to deliver full reports on how they deal with ransomware.

In addition to statistics on how the DHS is helping individual citizens and businesses prevent and respond to ransomware infections, the committee wants to know how the government itself is dealing with the threat of ransomware infections on its own PCs.

The letter asks for, among other things, a report detailing whether any DHS-owned machines have been infected with ransomware and, if so, whether any agencies have paid off the hackers in order to regain system access.

“Over the past 12 months, how many instances of ransomware has DHS been made aware of in federal agencies’ computers? In which agencies and on what systems was the ransomware located and what was the result? Is DHS aware of instances in which federal agencies have paid ransoms to remove ransomware?” the letter asks.

Ransomware infections, most notably the Cryptowall and Cryptolocker infections, encrypt the contents of the victim’s hard drive and then demand a payment, usually via a bitcoin transfer or other hard-to-trace path, before they will decrypt the files.

In addition to questioning whether the agencies themselves have paid off hackers, the committee wants to know how the DHS and the FBI have responded to the ransomware infections. Certainly local police have paid up in the past.

In particular, they ask, how have the agencies been able to identify and take down the command-and-control servers for the malware networks? What sort of measures can be taken by law enforcement to better track and disrupt the criminals who spread the malware infections? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/05/dhs_ransomware_senate/

Target settles with banks for $39 million after epic data breach

US retailer Target is back in the headlines again over its 2013 breach. This week, Target has settled on an agreement to pay up to $39m to banks and credit card firms.

An initial $19m settlement fell through after card issuers decided it was too low; this new agreement sees Target paying up to $20.25 million to banks and credit unions and $19.11 million to reimburse MasterCard card issuers. Target agreed a deal with Visa for $67m in August.

According to Reuters, the settlement will resolve class action claims by lenders seeking to hold Target responsible for the cost of reimbursing customers for fraudulent charges, as well as issuing new credit and debit cards.

The story of the breach stretches back two years, when attackers gained access to Target’s financial data by accessing the retailer via its HVAC provider.

The breach saw the theft of around 40m credit and debit cards, as well as a further 70 million customer records containing information that included customer names, addresses, phone numbers and email addresses.

While Target’s CEO stepped down after the breach and the retailer has advanced its security with the addition of chip and PIN technology, the name of Target is still associated with one of the biggest data breaches we’ve seen.

After all, Target topped our list of the most epic privacy fails last year.

In total, the breach has cost Target $290m so far, of which insurance should cover $90m, the company said last week. However, there are still shareholder lawsuits to come, as well as probes by the Federal Trade Commission and state attorneys general, which could well push the total costs of the incident to over $300m.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gtu9tX2p0ik/