Thursday, 28 February 2013

Ottawa warns federal workers not to believe a BlackBerry Security :)

The federal department charged with overseeing cyber-security has warned its workers to think twice before sending a BlackBerry message, suggesting that the device believed to be the most secure in the world is more vulnerable than users may believe.

The one-page policy memo from Public Safety Canada, updated in mid-January, attempts to dissuade government BlackBerry users from sending a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are "the most vulnerable method of communicating on a BlackBerry," a Public Safety Canada presentation says.

The documents, released to Postmedia News under the access to information act, say PIN-to-PIN messaging isn't "suitable for exchanging sensitive messages" because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone.

Almost two-thirds of federal government mobile users in Canada prefer to use the BlackBerry, with the remaining one-third using either Apple's iPhone or Google's Android. The concentration of BlackBerry users is even more pronounced among federal politicians, with most cabinet ministers opting to use the BlackBerry. Even NDP leader Thomas Mulcair has said he carries an extra BlackBerry battery to keep his mobile device from dying during the day.

Political staffers use the device as well, regularly sending PIN-to-PIN messages and emails as government business has progressively migrated to mobile devices.

"Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic 'key' that is common to every BlackBerry device all over the world," the memo reads. "Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device."

The PIN, or Personal Identification Number, is an electronic address given to a device. When a user turns in the device, the PIN stays with it and doesn't follow the user to a new BlackBerry.

Source: http://www.vancouversun.com/technology/BlackBerry+secure+believed+Ottawa+warns+federal+workers/8022072/story.html

How mobile spammers verify the validity of harvested phone numbers


Have you ever received a blank call, with no one on the other side of the line? What about a similar blank SMS received through your mobile carrier’s Mail2SMS gateway? There’s a high probability that it was a mobile spammer automatically and efficiently verifying the validity of a recently harvested database of mobile numbers, with QA (Quality Assurance) in mind. These verified databases will later be used as the foundation for highly successful spam/scam/malicious software disseminating campaigns, thanks to the fact that the cybercriminals behind them will no longer be shooting in the dark. How do they do that? What kind of tools do they use?

Let’s find out by profiling a Russian DIY (do it yourself) software vendor that has been operating since 2011 and is currently offering a Session Initiation Protocol (SIP) based phone number verification tool, as well as a USB-modem based phone number verification application.

More details:

 

Sample screenshot of the DIY mobile number verification tool:


The first version of the tool will basically take advantage of a single USB modem, and will automatically attempt to “blank call” a given list of phone numbers, successfully differentiating between a “free line”, “busy line” and “non-existent number” type of results. In order to speed up the process, the second version of the tool allows the use of multiple USB modems to achieve the same objective.

Sample screenshot of the second version of the DIY mobile number verification tool:


Sample screenshot of the log file of the DIY mobile number verification tool:


The tool is configured in such a way that every verification attempt costs virtually nothing to the spammer using it.

However, things have greatly changed over the last couple of years, largely thanks to the rise of SIP based communications, which gives cybercriminals easy access to much more efficient phone flood and phone number verification options. Naturally, the vendor behind the original USB modem number verification tool adapted to this emerging market trend, and is currently offering both a SIP based phone ring flooding utility and a SIP based mobile number verification tool.

Sample screenshot of the SIP based mobile number verification tool:


As you can see in the attached screenshot, the tool has already managed to verify 10 phone numbers, with 56 more pending verification. Let’s take a peek at the configuration settings.

Sample screenshot of the configuration settings for the DIY SIP based phone number verification tool:


The tool allows a potential spammer to manually set up the configuration for the server, or let the tool do the configuration for him, next to setting up intervals and multiple accounts at the SIP server.

Second screenshot of the configuration settings for the SIP based phone number verification tool:

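On the operator side, a verification sweep like the one described above shows up in SIP call records as one source working through many distinct numbers with calls that are never answered. The detection logic below is an added example, not part of the original article: the record layout, the thresholds and the mapping of the tool's three results ("free line", "busy line", "non-existent number") to the SIP final statuses 487, 486 and 404 are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per call attempt (assumed layout):
# time, source IP, SIP account, dialled number, final SIP status, talk seconds
SAMPLE_CDR = """\
2013-02-28T10:00:01,198.51.100.7,acct1,+15550100001,487,0
2013-02-28T10:00:31,198.51.100.7,acct2,+15550100002,404,0
2013-02-28T10:01:02,198.51.100.7,acct1,+15550100003,487,0
2013-02-28T10:01:33,198.51.100.7,acct2,+15550100004,486,0
2013-02-28T10:02:01,198.51.100.7,acct1,+15550100005,487,0
2013-02-28T10:02:30,198.51.100.7,acct2,+15550100006,404,0
2013-02-28T10:03:04,198.51.100.7,acct1,+15550100007,487,0
2013-02-28T10:03:35,198.51.100.7,acct2,+15550100008,487,0
2013-02-28T10:00:10,203.0.113.20,alice,+15550199001,200,184
2013-02-28T10:05:40,203.0.113.20,alice,+15550199002,486,0
2013-02-28T10:06:15,203.0.113.20,alice,+15550199002,200,62
2013-02-28T10:01:00,203.0.113.35,bob,+15550199003,486,0
2013-02-28T10:01:30,203.0.113.35,bob,+15550199003,486,0
2013-02-28T10:02:00,203.0.113.35,bob,+15550199003,486,0
2013-02-28T10:02:30,203.0.113.35,bob,+15550199003,486,0
2013-02-28T10:03:00,203.0.113.35,bob,+15550199003,486,0
2013-02-28T10:03:30,203.0.113.35,bob,+15550199004,200,95
"""

# Final INVITE outcomes that map onto the three results the tool reports.
PROBE_STATUSES = {
    "487": "free line (caller cancelled while it rang)",
    "486": "busy line",
    "404": "non-existent number",
}


def find_number_probing(cdr_text, window=timedelta(minutes=10),
                        min_targets=5, min_probe_ratio=0.9):
    """Flag source IPs that sweep many distinct numbers with unanswered calls.

    Calls are grouped by source IP, not by account, so spreading the sweep
    over several SIP accounts does not hide it.
    """
    by_source = defaultdict(list)
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, ip, account, number, status, talk = row
        by_source[ip].append(
            (datetime.fromisoformat(ts), account, number, status, int(talk)))

    findings = []
    for ip, calls in sorted(by_source.items()):
        calls.sort()
        best, start = None, 0
        for end in range(len(calls)):
            # Slide the start so the slice never spans more than `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            in_window = calls[start:end + 1]
            targets = {c[2] for c in in_window}
            probes = [c for c in in_window
                      if c[3] in PROBE_STATUSES and c[4] == 0]
            if (len(targets) >= min_targets
                    and len(probes) / len(in_window) >= min_probe_ratio
                    and (best is None or len(targets) > best["targets"])):
                best = {
                    "source_ip": ip,
                    "accounts": sorted({c[1] for c in in_window}),
                    "targets": len(targets),
                    "calls": len(in_window),
                    "outcomes": dict(Counter(c[3] for c in probes)),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_number_probing(SAMPLE_CDR):
        print(finding)
```

A subscriber redialling one busy number (the `bob` records) stays below the distinct-target threshold and is not flagged.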

One more iPhone passcode hack vulnerability per month

Researchers are having a fun time with iOS 6.1 passcode locks this month, with Vulnerability Lab having discovered a second version of a vulnerability that lets a hacker slip past a lock screen to access a user's contact list, voicemails and more.

The first vulnerability, which popped up on YouTube earlier in the month, entailed this laundry list of steps, brought to us courtesy of Naked Security's Paul Ducklin:

  • You need physical access to the device.
  • You need manual dexterity or a fair bit of practice.
  • You only get access to some of the data.
  • You have to place a phony emergency call as part of the process.

The most recent vulnerability, described in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri - founder and CEO of Vulnerability Lab - and spotted by Threatpost's Christopher Brook, adds on to the earlier exploit.

Both attacks require using the Emergency Call function in addition to the lock/sleep button and the screenshot feature.

When placing the emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.

In this second version of the exploit, a hacker can also make the iPhone screen go black, thereby allowing him or her to plug the phone into a computer via USB and grab data off the device without a PIN or passcode credentials.

Here's Mejri's description of the bug, from his Full Disclosure post:

A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone.

The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth).

The vulnerability is located in the main login module of the mobile iOS device (iphone or ipad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.

The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction.

Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.

Exploiting this second bug still requires a certain degree of dexterity, if not a prehensile tail. But the bug still implies a risk to iOS 6.1 users' data and Vulnerability Lab estimates it's a high risk.

When the first vulnerability was discovered - also in iOS 6.1 - Apple told Macworld that a fix was in the works, though the spokesperson didn't say when that would come.

But as Macworld noted, this isn't the first time Apple has had to grapple with an iPhone password security flaw.

It got a fix out for a 2010 bug without a big time lag. Let's hope it promptly gets a fix out for these two new bugs, as well.

While we wait, try to refrain from searching for, and replicating, the steps to the attack.

Bear in mind that, just as Paul Ducklin pointed out with regards to this month's first iOS 6.1 bug, it's not nice - and, at least in some, if not all areas, is illegal - to place bogus emergency calls.

Sunday, 24 February 2013

SAMSUNG GALAXY S3 PARTIAL SCREEN-LOCK BYPASS


From: ukpentestinfo () mti com
Date: Thu, 21 Feb 2013 18:59:22 GMT


MTI Technology – Vulnerability Research Team
www.mti.com
ukpentestinfo"at"mti.com

Samsung Galaxy S3 – partial screen-lock bypass


Date found:
17th Feb 2012

Vendor Notified:
20th Feb 2012

Vendor Affected:
Samsung

Device:
Galaxy S3

Model:
GT-19300

OS:
Android 4.1.2

Kernel Version:
3.0.31-742798


Affects:

Only tested on Samsung Galaxy SIII kernel version 3.0.31-742798 but it is possible any Samsung device that allows
emergency contacts to be used and has S-Voice present could be vulnerable.

It is a Samsung specific bug, not an Android one.


I. Background
MTI technology recently conducted a 45 day internal research program aimed at locating new attacks and vulnerabilities
in Android devices. Specifically the Samsung S3 and LG Nexus 4 were tested. Several new issues were located and most
of them have or will be reported to the relevant vendors.

MTI will be releasing new advisories in cooperation with the relevant vendors.


II. Overview

Partial device functionality is available to a user from a locked S3, which permits certain activities to be carried
out.


III. Problem Description

It is possible to access any functionality available from the S-Voice utility on a Samsung S3 when the phone is locked
and a PIN (or other locking method) is set. Any command that can be issued via S-Voice can be issued when the phone is
locked; however, only the actual phone / keypad becomes available to a user. Any other applications launched will
still open and execute commands but are not visible to a user and the device will revert back to the lock screen.

To access S-Voice the following steps are followed (assuming the phone is locked with a PIN number):

Press the power / home button to turn phone on,
Swipe the screen to access the PIN entry screen,
Select Emergency Call
Select Emergency Contacts (bottom left icon)
On the Emergency Contact screen, press the Home button twice in quick succession (to activate S-Voice)
As soon as the Home button is pressed twice, tap the bottom centre of the screen (the S-Voice Microphone button)
Issue any S-Voice Command.

Commands such as the following can be issued:

Call 12345 - will activate the phone, dial the number and display it to a user. The command can be used to call any user,
or contact (if the name is known) or even Voicemail if Voicemail has been saved as a contact.
What is number / address – will cause S-Voice to say the number or address associated with a contact
Message
Turn Wi-Fi On / off
Turn Bluetooth on / off
What is on my calendar
Go to Google.com

The S-Voice help screen can be used to obtain a listing of supported / documented commands. MTI were not able to locate
any commands not listed in this help page.

A crude method to enumerate contact names is to press the home button from the Emergency Contacts screen and quickly
press the message / SMS icon (if stored on the main page); this will briefly display the user's SMS inbox, which will
reveal contact names.

IV. Impact
Low to Medium depending on the information stored on a phone. A malicious user who has access to a locked S3 would be
able to obtain information from the schedule / calendar, make phone calls to any phone number (such as a premium rate
number), message contacts, update a user’s Facebook / twitter status (if S-Voice is configured to do so), enumerate
contact addresses and phone numbers, activate Bluetooth and Wi-Fi.


V. Workaround
In S-Voice settings, disable the ‘Open S-Voice by double pressing the Home Key’ setting.

VI. Solution

Awaiting vendor response. Vendor seems to require Vulnerability Disclosures to be posted in their public developers
forum:

http://developer.samsung.com/forum/thread/samsung-s3---partial-screen-lock-bypass/77/222426?boardName=GeneralB&startId=zzzzz~

Saturday, 23 February 2013

Microsoft added to hacker hit list


 

SAN FRANCISCO: Microsoft joined Facebook and Apple on Friday on the list of US technology titans targeted in recent cyberattacks.

"As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion," Trustworthy Computing team general manager Matt Thomlinson said in a blog post.

"During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations."

There was no evidence customer data was stolen but an investigation into the attack was continuing, according to Thomlinson.

"This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries," he said.

Apple said Tuesday that hackers invaded its system in an attack similar to one recently carried out against Facebook, but that it repelled the intruders before its data was plundered.

The maker of iPhones, iPads, iPods and Macintosh computers said it was working with law enforcement officials to hunt down the hackers, who appeared tied to a series of recent cyberattacks on US technology firms.

"The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers," Apple told AFP.

The malicious software, or malware, took advantage of a vulnerability in a Java program used as a "plug-in" for Web-browsing programs.

A "small number" of computer systems at Apple were infected but they were isolated from the main network, according to the Silicon Valley-based company.

"There is no evidence that any data left Apple," Apple said.

Word of hackers hitting Apple came just days after leading social network Facebook said it was "targeted in a sophisticated attack" last month, but that no user data was compromised.

Facebook said malware that infected some of its machines came from a mobile developer website that had been booby-trapped.

Early this month, Twitter said it was hammered by a cyberattack similar to those that recently hit major Western news outlets, and that the passwords of about 250,000 users were stolen.

While those behind the attacks had yet to be identified, computer security industry specialists have expressed suspicions about China-sponsored hackers and Eastern European crime gangs. (AFP)

A new generation of mobile pentest device / Android tablet converted into a mobile hacking unit


 

A US company will next week unveil an Android tablet that it has converted into a mobile hacking unit. The Pwn Pad is a product of Pwnie Express and is based on Google’s Nexus 7 tablet. The device is intended for security professionals and penetration testers who want to test the security of both wired and wireless networks.

In addition to the existing hacking tools that were already available for the Android platform, several new tools have been ported. The developers managed to get popular WiFi hacking tools such as Aircrack-ng and Kismet working on an Android device.

Other tools are also included, among them Wifite-2, Netcat, Cryptcat, Nikto and bluelog. The operating system is a combination of Android OS 4.2 and Ubuntu 12.04.

Hardware
"Every pentester we know has a phone, a tablet and a laptop, but nobody is able to run penetration tests from the tablet," Pwnie Express CEO Dave Porcello told Wired. By default, the kernel of the Android operating system does not support the wireless features these tools need.

Pwnie Express solved this by getting Android to support packet injection on a TP-Link wireless adapter. Thanks to the extra antenna, the tablet also has ten times the range that is possible with the normal WiFi chip.

Source code
The battery also has a larger capacity, so the tablet lasts longer, and other hardware extensions are available, such as Bluetooth USB, USB Ethernet and a USB On-The-Go cable.

The device will cost 795 dollars, which converts to 600 euros. For those who already own an Android tablet, Pwnie Express will make the source code of the Pwn Pad available, so that the software can also be adapted for other Android devices. The Pwn Pad will be available from April.

 

 

China Lashes Back at Hacking Claims

China Lashes Back at Hacking Claims by Yury Chemerkin

VMware vCenter Server [VMSA-2013-0003]


 

VMSA-2013-0003

VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues.


VMware Security Advisory

Advisory ID: VMSA-2013-0003
Synopsis: VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues.
Issue date: 2013-02-21
Updated on: 2013-02-21 (initial advisory)
CVE numbers:

--- vSphere NFC ---
CVE-2013-1659
--- OpenSSL ---
CVE-2012-2110
--- JRE ---
See references


1. Summary


VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) Protocol. This update also addresses multiple security vulnerabilities in third party libraries used by VirtualCenter, ESX and ESXi.

2. Relevant releases


VMware vCenter Server 5.1 prior to 5.1.0b 
VMware vCenter Server 5.0 prior to 5.0 Update 2 
VMware vCenter Server 4.0 prior to Update 4b 
VMware VirtualCenter 2.5 prior to Update 6c

VMware ESXi 5.1 without ESXi510-201212101-SG 
VMware ESXi 5.0 without ESXi500-201212102-SG 
VMware ESXi 4.1 without ESXi410-201301401-SG 
VMware ESXi 4.0 without ESXi400-201302401-SG 
VMware ESXi 3.5 without ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

VMware ESX 4.1 without ESX410-201301401-SG 
VMware ESX 4.0 without ESX400-201302401-SG 
VMware ESX 3.5 without ESX350-201302401-SG

3. Problem Description
a. VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability


VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution. 

To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network.

VMware would like to thank Alex Chapman of Context Information Security for reporting this issue to us. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1659 to this issue. 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with /
Product         Version   on        Apply Patch
==============  ========  ========  ============================
vCenter Server  5.1       any       vCenter Server 5.1.0b
vCenter Server  5.0       any       vCenter Server 5.0 Update 2
vCenter Server  4.1       any       not affected
vCenter Server  4.0       any       vCenter Server 4.0 Update 4b
VirtualCenter   2.5       any       not affected

hosted*         any       any       not affected

ESXi            5.1       ESXi      ESXi510-201212101-SG
ESXi            5.0       ESXi      ESXi500-201212101-SG
ESXi            4.1       ESXi      ESXi410-201301401-SG
ESXi            4.0       ESXi      ESXi400-201302401-SG
ESXi            3.5       ESXi      ESXi350-201302401-O-SG

ESX             4.1       ESX       ESX410-201301401-SG
ESX             4.0       ESX       ESX400-201302401-SG
ESX             3.5       ESX       ESX350-201302401-SG


* hosted products are VMware Workstation, Player, ACE, Fusion.

b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38


Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. 

Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012. 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with /
Product         Version   on        Apply Patch
==============  ========  ========  ============================
vCenter Server  5.1       any       not applicable **
vCenter Server  5.0       any       not applicable **
vCenter Server  4.1       any       not applicable **
vCenter Server  4.0       any       Patch Pending
VirtualCenter   2.5       any       VirtualCenter 2.5 Update 6c

hosted*         any       any       not affected

ESXi            any       ESXi      not applicable

ESX             4.1       ESX       not applicable **
ESX             4.0       ESX       Patch Pending
ESX             3.5       ESX       ESX350-201302401-SG


* hosted products are VMware Workstation, Player, Fusion. 

** this product uses the Oracle (Sun) JRE 1.6.0 family

c. Update to ESX service console OpenSSL RPM


The service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue. 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with /
Product         Version   on        Apply Patch
==============  ========  ========  ============================
ESXi            any       ESXi      not applicable

ESX             4.1       ESX       not applicable
ESX             4.0       ESX       not applicable
ESX             3.5       ESX       ESX350-201302401-SG

 

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. 

vCenter Server 5.1.0 
--------------------------- 
Download link: 
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

Release Notes: 
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html

vCenter Server 5.0 
--------------------------- 
Download link: 
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes: 
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u2_rel_notes.html

vCenter Server 4.0 
--------------------------- 
Download link: 
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0

Release Notes: 
https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html

VirtualCenter 2.5 
--------------------------- 
Download link: 
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructure_3/3_5

Release Notes: 
https://www.vmware.com/support/vi3/doc/vi3_vc25u6c_rel_notes.html

ESXi and ESX 
------------ 
https://www.vmware.com/patchmgr/download.portal

ESXi 5.1 
-------- 
File: ESXi510-201212001.zip 
md5sum: 81d562c00942973f13520afac4868748 
sha1sum: ec1ff6d3e3c9b127252ba1b710c74119f1164786 
http://kb.vmware.com/kb/2035775 
ESXi510-201212001 contains ESXi510-201212102-SG

ESXi 5.0 
------------------ 
File: update-from-esxi5.0-5.0_update02.zip 
md5sum: ab8f7f258932a39f7d3e7877787fd198 
sha1sum: b65bacab4e38cf144e223cff4770501b5bd23334 
http://kb.vmware.com/kb/2033751 
update-from-esxi5.0-5.0_update02 contains ESXi500-201212102-SG

ESXi 4.1 
------------------ 
File: ESXi410-201211001.zip 
md5sum: f7da5cd52d3c314abc31fe7aef4e50d3 
sha1sum: a4d2232723717d896ff3b0879b0bdb3db823c0a1 
http://kb.vmware.com/kb/2036257 
ESXi410-201211001 contains ESXi410-201211402-BG

ESXi 4.0 
------------------ 
File: ESXi400-201302001.zip 
md5sum: 8fca17ca97669dd1d34c34902e8e7ddf 
sha1sum: 51d76922eb7116810622acdd611f3029237a5680 
http://kb.vmware.com/kb/2041344 
ESXi400-201302001 contains ESXi400-201302402-SG

ESXi 3.5 
-------- 
File: ESXe350-201302401-O-SG.zip 
md5sum: a2c5f49bc865625b3796c41c202d1696 
sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee 
http://kb.vmware.com/kb/2042543 
ESXe350-201302401-O-SG.zip contains ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

ESX 4.1 
-------- 
File: ESX410-201211001.zip 
md5sum: c167bccc388661e329fc494df13855c3 
sha1sum: a8766b2eff68813a262d21a6a6ebeaae62e58c98 
http://kb.vmware.com/kb/2036254 
ESX410-201211001 contains ESX410-201211401-SG

ESX 4.0 
-------- 
File: ESX400-201302001.zip 
md5sum: 5ca4276e97c19b832d778e17e5f4ba64 
sha1sum: 8d73cf062d8b23bd23f9b85d23f97f2888e4612f 
http://kb.vmware.com/kb/2041343 
ESX400-201302001 contains ESX400-201302401-SG

ESX 3.5 
-------- 
File: ESX350-201302401-SG.zip 
md5sum: e703cb0bc3e1eaa8932a96ea96f34a00 
sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd 
http://kb.vmware.com/kb/2042541
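The checksum step above can be automated by reading the File / md5sum / sha1sum lines straight out of the advisory text and comparing them with the downloaded bundle. This is an added example, not VMware's tooling; the function names are hypothetical, and the two stanzas embedded as sample input are copied from the list above.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Two stanzas copied from the Solution section of the advisory above.
ADVISORY_TEXT = """\
ESXi 5.1
--------
File: ESXi510-201212001.zip
md5sum: 81d562c00942973f13520afac4868748
sha1sum: ec1ff6d3e3c9b127252ba1b710c74119f1164786
http://kb.vmware.com/kb/2035775

ESX 3.5
--------
File: ESX350-201302401-SG.zip
md5sum: e703cb0bc3e1eaa8932a96ea96f34a00
sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd
http://kb.vmware.com/kb/2042541
"""

FIELD = re.compile(r"^(File|md5sum|sha1sum):\s*(\S+)$")
HEX_LENGTH = {"md5sum": 32, "sha1sum": 40}


def parse_manifest(text):
    """Return {file name: {"md5": hex, "sha1": hex}} from advisory text."""
    manifest, current = {}, None
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if not match:
            continue
        key, value = match.groups()
        if key == "File":
            current = manifest.setdefault(value, {})
        elif (current is not None and len(value) == HEX_LENGTH[key]
              and re.fullmatch(r"[0-9a-fA-F]+", value)):
            current[key[:-3]] = value.lower()   # "md5sum" -> "md5"
    return manifest


def file_digests(path, chunk_size=1 << 20):
    """Hash the file once, feeding both digests, without loading it whole."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_download(path, manifest):
    """Return (ok, reason) for one downloaded bundle."""
    path = Path(path)
    expected = manifest.get(path.name)
    if expected is None:
        return False, "file name not listed in advisory"
    if set(expected) != {"md5", "sha1"}:
        return False, "advisory entry incomplete"
    if not path.is_file():
        return False, "file missing"
    actual = file_digests(path)
    for algo in ("sha1", "md5"):
        if not hmac.compare_digest(actual[algo], expected[algo]):
            return False, algo + " mismatch"
    return True, "md5 and sha1 match advisory"


if __name__ == "__main__":
    manifest = parse_manifest(ADVISORY_TEXT)
    for name in manifest:
        print(name, verify_download(name, manifest))
```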

6. Change log


2013-02-21 VMSA-2013-0003 
Initial security advisory in conjunction with the release of VirtualCenter 2.5 U6c and 
ESX 3.5 patches on 2013-02-21

7. Contact

E-mail list for product security notifications and announcements: 
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists: 

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com 
PGP key at: http://kb.vmware.com/kb/1055 

VMware Security Advisories 
http://www.vmware.com/security/advisories 

VMware security response policy 
http://www.vmware.com/support/policies/security_response.html 

General support life cycle policy 
http://www.vmware.com/support/policies/eos.html 

VMware Infrastructure support life cycle policy 
http://www.vmware.com/support/policies/eos_vi.html 

Windows Azure Storage certificate expired?

original link [https://www.security.nl/artikel/45301/1/Verlopen_SSL-certificaat_nekt_Windows_Azure_cloudopslag.html]

 

Today, 07:57, by the editorial staff
Microsoft let the SSL certificate of the Windows Azure cloud storage expire, so users received error messages and could no longer connect over HTTPS. The problem was first noticed by users of the cloud service. For a number of users, applications stopped working because they could no longer connect.

"This is unacceptable. Am I supposed to release an enterprise app on this platform?" said one user on the Microsoft forum. Another user called the outage ironic, because Microsoft had warned him only last week that his certificate would expire in three months. "And Microsoft has no alarm for their own certificates expiring??"

HTTPS
Two hours after the first report on the Microsoft forum, the company responded that the cloud service was experiencing a worldwide outage. Microsoft eventually stated that HTTP traffic was not affected by the expired certificate, but many users had trouble modifying their applications to connect over HTTP instead of HTTPS.

Microsoft has since renewed the SSL certificate and expects HTTPS traffic to recover 'gradually', according to a notice on the Windows Azure Service Dashboard. The outage lasted about seven hours in total.

 

 

Friday, 22 February 2013

BlackBerry hands over PIN to Indian government

original link [http://www.zdnet.com/in/report-blackberry-hands-over-pin-to-indian-govt-7000011656/]

The Indian government reportedly has received the PIN details of BlackBerry handsets shipped to the country, and may ask for similar data of every BlackBerry handset worldwide to allow it to monitor messages between users in the country and abroad.
Panel also recommends Indian government to ask for PIN details of BlackBerry users worldwide to track incoming and outgoing messages between users in India and those abroad.
Citing a Department of Telecommunications (DoT) report dated December 31, Times of India reported on Thursday that BlackBerry had given the Indian government the PIN details of all the BlackBerry handsets shipped to the country. However, the unique identification numbers of BlackBerry phones in other countries were excluded "due to privacy and legal provisions", it said.
Each BlackBerry handset comes with a unique PIN that cannot be changed and is tied to the phone. Users can use the PIN to add others into BlackBerry Messenger.
According to the Times of India, the DoT panel had recommended that the government also ask for the PIN details of BlackBerry users across the "entire world" to track incoming and outgoing messages between users in India and others abroad.
When queried at the BlackBerry Z10 launch in Singapore on Thursday, Hastings Singh, the company's managing director for South Asia, said he was not able to comment on the specifics of the Indian report regarding PIN details. However, he said BlackBerry will "always be 100 percent compliant" with each market's law and regulations.
In an e-mail statement to ZDNet Asia Friday, a BlackBerry spokesperson said: "BlackBerry continues to enjoy excellent relations with the Indian government and our carriers, and we have worked closely with these partners to ensure ongoing lawful access compliance, consistent with our published Lawful Access Principles. It is not our company policy to comment on unconfirmed reports."
The Times of India report added that on December 10, BlackBerry had demonstrated interception facilities which it built to address India's security concerns. The panel also said India must take over monitoring facilities built by BlackBerry.
For the past years, the Canadian phonemaker has been pressured by the Indian government to enable the monitoring of communication between BlackBerry devices as its encryption was deemed "too secure". The company finally relented and built BlackBerry servers in Mumbai in 2011.
Last November, the Indian government ordered local operators to enable the monitoring of BlackBerry services before December 31 or face having the services shut.

Hiding Data in Hard-Drive’s Service Areas

Hiding Data in Hard-Drive’s Service Areas by Yury Chemerkin

Open Redirection Vulnerability in Facebook Mobile website

Prakhar Prasad, a web application security researcher, has discovered an open redirection vulnerability in the Facebook mobile website (m.facebook.com).

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Usually, when you try to visit an external link on Facebook, the URL is passed to the "l.php" page, which displays a "Leaving Facebook" message before redirecting. So if it is a malicious link, the page will show a warning message.

But Prasad discovered that one of the pages in Facebook mobile redirects the user directly to the external link.

POC:

http://m.facebook.com/video_redirect/?src=http://www.google.com

He found this vulnerability when he tried to view an uploaded video on the Facebook mobile website.

The researcher immediately notified Facebook about the vulnerability. Facebook fixed the vulnerability and rewarded the researcher with $500.
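The difference between the behaviour described above and a validated redirect, as an added example that is not Facebook's code: `naive_redirect` forwards the `src` value untouched, while `redirect_location` sends only allow-listed hosts directly and routes every other well-formed URL through a warning page like the `l.php` interstitial the article mentions. The host names, the `u` parameter name and the function names are assumptions.

```python
from urllib.parse import quote, urlsplit

# Hypothetical allow-list of hosts that may be reached without a warning.
ALLOWED_HOSTS = frozenset({"video.example.com", "cdn.example.com"})
# Warning page for external links; the "u" parameter name is an assumption.
INTERSTITIAL = "/l.php?u="


def naive_redirect(src):
    """Open redirect: whatever arrives in ?src= becomes the Location header."""
    return src


def classify_target(src, allowed_hosts=ALLOWED_HOSTS):
    """Return 'local', 'trusted', 'external' or 'reject' for a redirect target."""
    # Whitespace, control characters and backslashes are read differently by
    # browsers and by urlsplit, so refuse them outright.
    if not src or any(ord(ch) < 0x21 or ch == "\\" for ch in src):
        return "reject"
    try:
        parts = urlsplit(src)
        host, _ = parts.hostname, parts.port   # .port raises on a bad port
    except ValueError:
        return "reject"
    if not parts.scheme and not parts.netloc:
        # No host at all: accept only absolute paths on this site.
        return "local" if src.startswith("/") else "reject"
    if parts.scheme not in ("", "http", "https"):
        return "reject"                        # javascript:, data:, ...
    if host is None or parts.username is not None or parts.password is not None:
        return "reject"                        # userinfo can disguise the real host
    return "trusted" if host.rstrip(".") in allowed_hosts else "external"


def redirect_location(src, allowed_hosts=ALLOWED_HOSTS):
    """Location header to send for a given ?src= value."""
    kind = classify_target(src, allowed_hosts)
    if kind in ("local", "trusted"):
        return src
    if kind == "external":
        return INTERSTITIAL + quote(src, safe="")
    return "/"


if __name__ == "__main__":
    for sample in ("http://www.google.com", "https://video.example.com/clip.mp4",
                   "//other.example/x", "/videos/1"):
        print(sample, "->", redirect_location(sample))
```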

 

Three quite interesting articles on Facebook Security

 

Another Stored XSS in Facebook.com

How I Hacked Facebook Employees Secure Files Transfer service (http://files.fb.com )

How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App "Allow" Interaction)

Six Months Later – A Report Card on Google’s Demotion of Pirate Sites

Six Months Later – A Report Card on Google’s Demotion of Pirate Sites by Yury Chemerkin

Microsoft Backs Oracle’s Crusade Against Google Android

MSFT Oracle Brief by Yury Chemerkin