Thursday, September 25, 2014

GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)



GNU Bash through 4.3.
Linux, BSD, and UNIX distributions including but not limited to:
CentOS 5 through 7
Debian
Mac OS X
Red Hat Enterprise Linux 4 through 7
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Overview


A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Description


GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]
Apache HTTP Server using mod_cgi or mod_cgid with scripts that are either written in Bash or spawn subshells.
Overriding or bypassing the ForceCommand feature in OpenSSH sshd, and the limited protection some Git and Subversion deployments use to restrict shells, which allows arbitrary command execution.
Allowing arbitrary commands to run on a DHCP client machine, in various daemons, and in SUID/privileged programs.
Exploiting servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
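A detection sketch for the Web-request exposure listed above, added here as an example and not part of the US-CERT alert: it scans Apache combined-format access log lines for Referer and User-Agent values that begin with a Bash function definition (`() {`), the form the Description says is processed from the environment. The log lines are constructed samples, and the names `scan`, `COMBINED`, `FUNC_PREFIX` and `SAMPLE_LOG` are assumptions of this example.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A value starting with "() {" is what Bash imports as a function definition
# when it arrives in an environment variable; CGI passes request headers to
# scripts as HTTP_* environment variables.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation address ranges, harmless echo).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; echo probe"',
    '203.0.113.4 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "() { :; }" "curl/7.30"',
]

def scan(lines):
    """Return findings as (host, field, has_trailing_command) tuples."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        # Combined format records only these two headers; Cookie and others
        # need a custom LogFormat before they can be checked the same way.
        for field in ("referer", "agent"):
            value = m.group(field)
            if FUNC_PREFIX.match(value):
                # Heuristic triage hint: anything after the first "}" is
                # treated as text placed after the function definition.
                tail = value.split("}", 1)[1] if "}" in value else ""
                findings.append((m.group("host"), field, bool(tail.strip(" ;"))))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit means a request carried a function-definition value; whether it had any effect depends on whether the handler invoked an unpatched Bash.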
Impact


This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.
Solution


Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and watch for updated patches that address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X, include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.
References

[1] Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it
[2] DHS NCSD, Vulnerability Summary for CVE-2014-6271
[3] DHS NCSD, Vulnerability Summary for CVE-2014-7169
[4] Red Hat, CVE-2014-6271
[5] Red Hat, Bash specially-crafted environment variables code injection attack
[6] CERT Vulnerability Note VU#252743
Revisions



September 25, 2014 - Initial Release

Monday, September 8, 2014

Woman faces fines, prison time for bank fraud in financing $1.85M Raleigh home



A Raleigh woman could face up to 80 years in prison and a $2.25 million fine after prosecutors say she defrauded the likes of Bank of North Carolina and Liberty Mutual to buy a seven-figure home.

Teresa Lyn Fletcher has pleaded guilty to two counts of bank fraud and one count of mail fraud stemming from a 2013 scheme that court documents allege happened over a 10-month time frame.

Fletcher is accused of providing false information about her income and assets to Bank of North Carolina in order to obtain a personal loan. Specifically, they say she submitted bogus wage records and the bank approved the loan based on those records.

Wednesday, September 3, 2014

TRIBLER MAKES BITTORRENT ANONYMOUS WITH BUILT-IN TOR NETWORK



The Tribler client has been around for nearly a decade already, and during that time it’s developed into the only truly decentralized BitTorrent client out there.

Even if all torrent sites were shut down today, Tribler users would still be able to find and add new content.

But the researchers want more. One of the key problems with BitTorrent is the lack of anonymity. Without a VPN or proxy all downloads can easily be traced back to an individual internet connection.

The Fraud Institute Releases Free Report on Deep Web Cyber-Fraud



AUSTIN, TX--(Marketwired - Sep 3, 2014) - From an interview with M-CAT Enterprises CEO Anyck Turgeon, The Fraud Institute releases a free report on cyber-fraud and cyber-security titled Deep Web Fraud 101.

The Fraud Institute, Anyck Turgeon and M-CAT Enterprises (M-CAT), a private provider of global security, fraud and enterprise growth management solutions, want to educate the general public and corporations about the threats all face daily from cyber-crime.

ABOUT THE DEEP AND DARK WEBS

Rarely do breached organizations or individuals know what happens to their information once it is stolen. With access to only four percent of the web, the public is unaware of the remaining ninety-six percent of internet content and transactions being performed every nanosecond. With over 7.9 trillion megabytes of hidden content, the "Deep Web" and "Dark Web" offer organizations like ISIS (The Islamic State in Iraq and Syria), other terrorist groups and organized crime an opportunity to surpass the financial wealth of their competitors through highly-profitable cyber-fraud exchanges. By taking a deep dive into each layer of the "Deep Web," readers will learn why and how cyber-fraud crimes are gaining momentum.

HOW ARE CORPORATIONS AND INDIVIDUALS IMPACTED BY THE DEEP AND DARK WEBS
