A take on the security news, week 16 2015
Monday
China's great firecannon
Citizen Lab has taken a closer look at how the Chinese firewall was used as a DDoS tool against GitHub. They have labeled it the Chinese Great Cannon and describe it as a distinct piece of infrastructure that co-exists with the firewall. The Great Cannon modifies traffic going in and out of China to create large-scale DDoS attacks.
https://citizenlab.org/2015/04/chinas-great-cannon/#4
Reversing Belkin's WPS algorithm
One of the shortcomings of the WPS protocol has been that the algorithms that
generate the required PIN codes have produced insecure PINs.
The problem is what data is used to generate the pseudorandom PIN.
In the Belkin case the algorithm uses the four last characters of the serial number
combined with the MAC address. The problem is that the device broadcasts both
the serial number and the MAC address as part of the WPS initiation, thus making
all input to the algorithm known to the attacker.
The advice is to avoid WPS if you can. Even on devices where the algorithm is
not flawed, PIN codes are easy to brute-force.
http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/
Tuesday
Ruby fix for wildcard certificate verification
A review of how Ruby's OpenSSL extension checks wildcard certificates found
that it matches hostnames incorrectly. This bug meant that the wildcard ''
in a wildcard certificate could be placed anywhere in the hostname, i.e. www..
A similar problem was found in Python a while ago.
It is strongly recommended to upgrade Ruby.
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
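To make the bug concrete, here is an added example (my own code, not the Ruby OpenSSL extension's): a naive wildcard matcher of the kind the advisory describes, which turns every "*" into a one-label pattern wherever it appears in the certificate name, beside a strict matcher that follows the RFC 6125 rules (the wildcard must be the whole left-most label, there may be only one, and it matches exactly one label). The function names, the CASES list and the hostnames in it are all invented for the example.

```ruby
# Added example, not the Ruby OpenSSL extension's own code: a naive wildcard
# matcher of the kind the advisory describes, beside a strict matcher that
# follows the RFC 6125 rules. Function and constant names are invented.

# Naive matcher: every "*" in the certificate name becomes a one-label
# regex, wherever it appears. This is what lets "www.*.com" match any
# "www.<anything>.com" hostname.
def naive_wildcard_match?(san_name, hostname)
  reg = Regexp.escape(san_name).gsub("\\*", "[^.]+")
  /\A#{reg}\z/i.match?(hostname)
end

# Strict matcher: the wildcard must be the entire left-most label, there may
# be only one, at least two fixed labels must follow it, and the hostname must
# have the same number of labels as the certificate name.
def strict_wildcard_match?(san_name, hostname)
  san  = san_name.downcase
  host = hostname.downcase
  return san == host unless san.include?("*")

  san_labels  = san.split(".", -1)
  host_labels = host.split(".", -1)
  return false unless san_labels.first == "*"                     # left-most label only
  return false if san_labels[1..-1].any? { |l| l.include?("*") }  # a single wildcard
  return false if san_labels.length < 3                           # no "*.com"
  return false unless san_labels.length == host_labels.length     # one label, not several
  return false if host_labels.first.empty?                        # ".example.com" is no host
  san_labels[1..-1] == host_labels[1..-1]
end

# Constructed test cases: [certificate name, hostname].
CASES = [
  ["*.example.com",   "www.example.com"],
  ["*.example.com",   "a.b.example.com"],
  ["*.example.com",   "example.com"],
  ["www.*.com",       "www.attacker.com"],
  ["*.*.com",         "a.b.com"],
  ["*.com",           "example.com"],
  ["www.example.com", "www.example.com"],
  ["www.example.com", "WWW.EXAMPLE.COM"],
].freeze

# Pairs the naive matcher accepts but the strict one rejects. Each is a
# certificate name that should never be accepted for that host, yet the naive
# check passes it, which is exactly the class of bug the advisory fixes.
def naive_only_accepts(cases = CASES)
  cases.select { |san, host| naive_wildcard_match?(san, host) && !strict_wildcard_match?(san, host) }
       .map { |san, host| "#{san} -> #{host}" }
end

if __FILE__ == $0
  CASES.each do |san, host|
    printf("%-18s %-18s naive=%-5s strict=%s\n", san, host,
           naive_wildcard_match?(san, host), strict_wildcard_match?(san, host))
  end
  puts "Accepted only by the naive matcher: #{naive_only_accepts.inspect}"
end
```

Running the file prints the verdict of both matchers for each constructed pair; the three names the naive matcher accepts on its own (a wildcard that is not left-most, two wildcards, and a wildcard directly under a top-level domain) are the shapes a correct verifier must reject.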
Wednesday
Microsoft Patch Tuesday
11 patches in total this month, 4 of which are rated critical.
- MS15-032: Internet Explorer cumulative update that fixes a list of privately reported vulnerabilities. None of them has been seen exploited in the wild yet.
- MS15-033: MS Office patches several vulnerabilities, one of which allows remote code execution and one of which has been publicly disclosed.
- MS15-034: HTTP.sys, allows remote code execution if a crafted request is sent to HTTP.sys.
- MS15-035: The Microsoft graphics component is patched and rated critical because exploitation does not require user interaction. You don't have to open a file or anything else to get exploited.
https://technet.microsoft.com/library/security/ms15-apr
Adobe updates
Adobe released an update to Flash for Windows, Mac and Linux. Exploits have been seen in the wild, so you should update as soon as possible.
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
Chrome discards NPAPI
NPAPI is disabled from Chrome version 42. If you still need NPAPI support
it can be re-enabled through a setting or Chrome enterprise policies. In September
the support will be removed entirely.
If you want to use Java, you have to install the NPAPI plugin from the Chrome store,
then install Java. This makes it much harder to use Java in the Chrome browser.
https://developer.chrome.com/extensions/npapi
http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html
Thursday
MS15-034
This vulnerability in IIS was patched yesterday and is now being exploited in the wild.
The vulnerability can be used in DoS attacks and possibly for remote code execution,
and it is easy to exploit. If you have vulnerable servers you should update as
soon as possible.
Vulnerable systems are:
- Windows 7
- Windows Server 2008 R2
- Windows 8
- Windows Server 2012
- Windows 8.1
- Windows Server 2012 R2.
HTTP.sys is used by any version of IIS running on one of these operating systems.
HTTP.sys was introduced with IIS 6.
http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/
Oracle critical updates
Oracle released patches for 90 different vulnerabilities across a range of products.
14 of the vulnerabilities are in Java, 3 of which could lead to remote code execution.
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Friday
MS15-034 update
This vulnerability is now actively used to launch DDoS attacks on servers. There are also more proof-of-concepts of the vulnerability and of how it can be used to leverage other classes of attack (i.e. information leakage or remote code execution).
https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
Insecure voting machines
The Virginia Information Technology Agency has examined the machines used in
electronic voting. The machines communicated via WiFi, so anyone within
WiFi range (i.e. in a parking lot outside) could attempt to break into the machines.
The password and encryption used on the machines are breakable, and the machines
did not log events, so if an attack has happened no one will ever know.
The machines also lack physical security and expose a USB port, so attackers
can load malware onto a machine if they get physical access to it.
The machines, which have been in use since 2002, are now decertified.