Incidents
This is an archive for Incidents.
Wednesday, February 22, 2012 @ 06:02 PM gHale
Refinery fires are taking center stage as a leaky flange connection may be the cause of one blaze at BP’s Cherry Point, WA, refinery, while another explosion that killed four workers in Egypt is still under investigation.
In the Cherry Point fire, information filed with the Coast Guard’s National Response Center is very preliminary and the cause remains under investigation, said BP spokesman Scott Dean.
It remains unclear how long the refinery would be out of service as a result of the Friday fire. The company is trying to supply customers from existing stocks or other sources.
The refinery can process 230,000 barrels of crude oil a day. It produces 20 percent of Washington’s gasoline and the majority of aviation fuel for the Vancouver, British Columbia, Sea-Tac and Portland airports.
Meanwhile, the director of an oil refinery says four of his Egyptian workers died as they tried to put out a huge fire that erupted at the plant’s complex in the port city of Suez.
Reda Abdel-Samad said the floor on which the men were standing collapsed as the fire raged in the lubricating oil section at the refinery.
Five other workers suffered serious burns, he said. Abdel-Samad says the fire raged for at least two hours before firefighters managed to put it out.
Investigators are looking to determine the cause of the blast.
Wednesday, February 22, 2012 @ 05:02 PM gHale
A German hacker breached the official website of the Royal Navy and found holes in the U.S. Federal Reserve after finding an SQL injection vulnerability.
“The admins have been warned immediately before of this post. The vulnerable ‘parameter’ has been obscured to prevent damages from others,” the hacker wrote on Pastebin.
This is not the first time the Royal Navy’s website suffered a breach. A few years back, Romanian hacker TinKode also broke in, but authorities busted him last month.
D35m0nd142 also found a vulnerability on the official website of the U.S. Federal Reserve. In this case, he found 47 blind SQL injection flaws on the site’s pages.
Since university websites are among his specialties, the hacker took a peek at the security measures implemented by Arizona University, Stanford University, and an education institution in Hong Kong. From the U.S. universities he leaked some data to prove they are weak, but the Chinese school’s site ended up defaced.
This wasn’t the only defacement that targeted major Chinese sites. Thirteen Chinese government sites ended up defaced as part of an operation called OpChina.
Another hack in Asia targeted the official website of Iran’s president. On this site, he identified a cross-site scripting (XSS) vulnerability, a type of weakness that lets an attacker run arbitrary script in the browsers of users who visit the site.
In most of the cases, the site’s administrators got the news before D35m0nd142 published his proof-of-concepts or screenshots to prove he really did gain access.
Tuesday, February 21, 2012 @ 04:02 PM gHale
A powerful new bot called Ainslot.L is prowling about looking to capture user activities, download additional malware and take control of users’ systems.
Additionally, it acts as a banker Trojan, stealing log-in information related to online banking and financial transactions. Ainslot.L also performs scans on the computer to seek and remove other bots, becoming the only bot on one’s system.
“The fact that Ainslot.L removes other bots from infected systems is something that definitely caught our attention,” said Luis Corrons, technical director of PandaLabs. “What makes this bot different is that it eliminates all competition, leaving the computer at its mercy.”
Ainslot.L spreads via a fake email purporting to come from a UK clothing company called CULT. The well-crafted message informs users they have placed an order in the amount of 200 pounds on CULT’s online store and they will charge their credit card the invoice amount. The text includes a link to view the order which actually downloads the bot on to the computer.
“Phishing emails are not usually so well done and authentic in appearance,” Corrons said. “There is no doubt that fraudsters have been very careful in making this message look as real as possible in attempt to lure in as many victims as they can.”
Monday, February 20, 2012 @ 07:02 PM gHale
Adobe plans to stay in the sandbox as it is ready to put Microsoft’s Internet Explorer (IE) in its protected zone for Flash Player.
Adobe already released a beta version of a sandboxed Flash Player plug-in for Mozilla’s Firefox on Windows Vista and Windows 7 as a follow-up to a similar initiative in 2010 for Google’s Chrome.
“IE has a big chunk of the user base,” said Brad Arkin, Adobe senior director of security, products and services. “We want to do what protects the most users the fastest, so we’re looking at how we can tackle sandboxing in IE.”
IE accounted for 53% of all browsers used last month worldwide, or more than double Firefox’s 21% and almost triple Chrome’s 19%, according to Web metrics company Net Applications.
Arkin declined to set a timetable for putting Flash within a sandbox inside IE.
A sandbox isolates processes on the computer, preventing or at least hindering malware from letting hackers exploit an unpatched vulnerability, escalate privileges and push their attack code onto the machine.
Adobe first hit the sandbox for Flash Player for Chrome in late 2010 after working with Google engineers; the sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers.
Mozilla’s developers “did a lot of work” to help Adobe during the development of the sandboxed Flash plug-in, including modifying Firefox.
A similar process is taking place now with Microsoft. At a high level, constructing a sandboxed Flash plug-in for Firefox was similar to what Adobe had already done for Chrome.
Like the sandboxed Flash for Chrome, the beta plug-in for Firefox works only on Windows. Adobe has no plans to add sandboxing to the Flash Player plug-ins that run in Apple’s Safari or Opera Software’s Opera browsers.
Monday, February 20, 2012 @ 07:02 PM gHale
Adobe closed seven holes in Flash Player; six allow an attacker to infect a PC using crafted web pages and the seventh is a cross-site scripting flaw currently suffering from “active targeted attacks”.
The attacks, aimed only at Internet Explorer on Windows, try to trick the user into clicking on a malicious link. Adobe said the hole “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.”
Flash Player version 11.1.102.55 and earlier on Windows, Macintosh, Linux and Solaris, version 11.1.112.61 and earlier for Android 4.x, and version 11.1.111.5 and earlier for Android 3.x and 2.x all suffer from the issue.
Desktop Flash users should update to 11.1.102.55 by downloading it from Adobe’s site. Android 4.x users should update to 11.1.115.6 and Android 3.x and 2.x users should update to version 11.1.111.6 by browsing to the Android Market Place for an update.
Google’s Chrome browser, which embeds the Flash Player, updated to version 17.0.963.56 on Windows, Mac, Linux and Chrome Frame.
The Chrome update also addresses thirteen high, medium and low severity security issues, eight of which paid out from $500 to $1337 in bug bounty rewards. Google Chrome updates should automatically deliver to Chrome users.
Monday, February 20, 2012 @ 06:02 PM gHale
While the latest news seems to focus on nation states hacking into manufacturing plants, banks or hospitals and stealing information or harming processes, sometimes it is just some kids breaking in from a local computer.
That is what happened in Greece when police said they arrested an Athens schoolboy and identified two more suspected of a computer hacking attack on the Justice Ministry website this month.
The three did not break into an industrial control system, but the thinking is they had the tools and they could have. That goes to show manufacturers have to remain vigilant in keeping up with defensive measures to ensure their plant remains operating and does not fall victim to hackers of any sort.
The three claim to be part of the international “Anonymous” activist collective, which has attacked computers in several countries, police said.
Hackers posted a video and messages on the Justice Ministry website Feb. 3 protesting the Greek government’s signing of a global copyright treaty and its handling of the financial crisis.
Police said Monday the detained youth, who is 18, and the others, aged 17 and 16, face charges of illegally accessing computer networks.
Monday, February 20, 2012 @ 05:02 PM gHale
There are eighteen vulnerabilities in Advantech’s BroadWin WebAccess that include cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and authentication issues.
All vulnerabilities ended up reported separately by the nSense Vulnerability Coordination Team, Greg MacManus of iSIGHT Partners, Kuang-Chun Hung of Security Research and Service Institute-Information and Communication Security Technology Center (ICST), Luigi Auriemma, Billy Rios, Terry McCorkle, and a researcher that uses the alias of Snake.
ICS-CERT coordinated with Advantech, which released a new version of WebAccess that addresses most of the vulnerabilities.
These vulnerabilities affect all versions of Advantech/BroadWin WebAccess prior to applying the patch (V7.0) listed in the mitigations below.
An attacker can bypass authentication, gain administrative privileges, and remotely execute arbitrary code by exploiting these vulnerabilities.
Advantech/BroadWin WebAccess is a web-based human-machine interface product used in energy, manufacturing, and building automation systems. The installation base is across Asia, North America, North Africa, and the Middle East.
WebAccess Client is available for computers running Windows 2000, XP, Vista, and Server 2003. A thin-client interface is available for Windows CE and Windows Mobile 5.0.
CROSS-SITE SCRIPTING
An attacker may use a malformed URL address in a XSS attack to launch JavaScript code. CVE-2012-0233 is the number assigned to this vulnerability.
SQL INJECTION
An attacker can use a malformed URL address to execute an SQL injection attack. CVE-2012-0234 is the number assigned to this vulnerability.
CROSS-SITE REQUEST FORGERY
The web application does not sufficiently verify whether a request intentionally came from the user who submitted the request. CVE-2012-0235 is the number assigned to this vulnerability.
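The CSRF entry above describes the root cause as the application not checking that a state-changing request was deliberately submitted by the logged-in user. The following is an added example, not WebAccess code, showing the weakness beside a fix using the synchronizer-token pattern: the server derives a per-session token the browser must echo back in the form body, which a forging third-party site cannot read. The handler names, the `SERVER_SECRET` value, the `csrf_token` and `value` form fields and the session ids are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed secret for the example; a real deployment loads this from
# protected configuration and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session, so one session's token is useless for another."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")


def _value_field(form_body: str) -> str:
    return parse_qs(form_body).get("value", [""])[0]


def handle_change_vulnerable(session_id: str, form_body: str) -> dict:
    """Weak pattern: acts on any POST that arrives with a valid session cookie.

    A page on another site can submit this form from the victim's browser,
    and the browser attaches the session cookie automatically.
    """
    return {"changed": True, "value": _value_field(form_body)}


def handle_change_fixed(session_id: str, form_body: str) -> dict:
    """Hardened pattern: refuse the change unless the per-session token is present and correct."""
    token = parse_qs(form_body).get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        return {"changed": False, "error": "missing or invalid CSRF token"}
    return {"changed": True, "value": _value_field(form_body)}


if __name__ == "__main__":
    forged = "value=disable_sync"                      # what a cross-site form would send
    legit = forged + "&csrf_token=" + issue_csrf_token("sess-1")
    print("vulnerable, forged request:", handle_change_vulnerable("sess-1", forged))
    print("fixed, forged request:     ", handle_change_fixed("sess-1", forged))
    print("fixed, legitimate request: ", handle_change_fixed("sess-1", legit))
```

The token is HMAC-derived rather than stored, so the server keeps no per-session state for it; the trade-off is that a leaked `SERVER_SECRET` lets anyone mint tokens, which is why it must be protected like a session-signing key. Checking the `Origin` or `Referer` header is a complementary control, not a replacement.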
INFORMATION LEAKAGE
An unauthenticated user can access restricted information using specific URL addresses. CVE-2012-0236 is the number assigned to this vulnerability.
UNAUTHORIZED MODIFICATION
This vulnerability can be exploited by using specifically crafted URL addresses, which allows an unauthenticated user to enable or disable date and time syncing. CVE-2012-0237 is the number assigned to this vulnerability.
STACK-BASED BUFFER OVERFLOW
A stack-based buffer overflow vulnerability exists in opcImg.asp that, when exploited, allows an attacker to remotely execute arbitrary code. CVE-2012-0238 is the number assigned to this vulnerability.
AUTHENTICATION VULNERABILITY
An authentication vulnerability exists in uaddUpAdmin.asp in Advantech’s WebAccess 7.0 — and possibly earlier versions — that, when exploited, allows an attacker to remotely change an administrator’s password. Exploit code is not a requirement to exploit this vulnerability. CVE-2012-0239 is the number assigned to this vulnerability.
AUTHENTICATION VULNERABILITY
An authentication vulnerability exists in GbScriptAddUp.asp that, when exploited, allows an attacker to remotely execute arbitrary code. CVE-2012-0240 is the number assigned to this vulnerability.
ACTIVEX BUFFER OVERFLOW
A long string input to ActiveX parameters will cause a buffer overflow, which might allow remote attackers to execute arbitrary code and gain full control of the server. CVE-2011-4526 is the number assigned to this vulnerability.
BUFFER OVERFLOW
This vulnerability exists because long string input to parameters will cause a buffer overflow, which could allow execution of arbitrary code. CVE-2011-4524 is the number assigned to this vulnerability.
FILE MANIPULATION
An attacker can load any remote web page and write to a local batch file that will allow arbitrary code execution. CVE-2011-4525 is the number assigned to this vulnerability.
SQL INJECTION
This vulnerability exists because string inputs are not checked, allowing attackers to perform SQL injection attacks. CVE-2011-4521 is the number assigned to this vulnerability.
CROSS-SITE SCRIPTING
This vulnerability exists because parameters of bwerrdn.asp allow malicious cross-site scripts. CVE-2011-4522 is the number assigned to this vulnerability.
CROSS-SITE SCRIPTING
This vulnerability exists because parameters of bwview.asp allow malicious cross-site scripts. CVE-2011-4523 is the number assigned to this vulnerability.
ARBITRARY MEMORY CORRUPTION
This vulnerability exists because functions can be made to corrupt arbitrary memory zones through fully controllable stream identifiers. CVE-2012-0241 is the number assigned to this vulnerability.
FORMAT STRING
A format string vulnerability can be exploited by using a message string without the required format arguments. CVE-2012-0242 is the number assigned to this vulnerability.
ACTIVEX BUFFER OVERFLOW
A component used by WebAccess, bwocxrun.ocx, is vulnerable to a buffer overflow due to methods that are capable of creating an arbitrary file in an arbitrary location. Exploitation could allow the execution of arbitrary code. CVE-2012-0243 is the number assigned to this vulnerability.
SQL INJECTION
This vulnerability exists because string inputs are not checked on input, allowing attackers to perform many different SQL injection attacks. CVE-2012-0244 is the number assigned to this vulnerability.
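Three of the entries above (CVE-2012-0234, CVE-2011-4521 and CVE-2012-0244) share one root cause: a string taken from a URL parameter reaches the database without being checked. The following added example, written for this page and not WebAccess code, shows the difference between building the query by string concatenation and passing the value as a bound parameter. The `users` table, the `user` query parameter, the `page.asp` path and the host name are constructed for the example; the database is an in-memory SQLite stand-in.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an HMI's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "operator")])
    return conn


def name_from_url(url: str) -> str:
    """Pull the 'user' query parameter out of a request URL (percent-decoding included)."""
    return parse_qs(urlparse(url).query).get("user", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, url: str) -> list:
    """Weak pattern: the decoded parameter is spliced straight into the SQL text,
    so quote characters in the URL change the meaning of the WHERE clause."""
    name = name_from_url(url)
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, url: str) -> list:
    """Hardened pattern: the parameter is bound by the driver and can only ever
    be compared as data, never parsed as SQL."""
    name = name_from_url(url)
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    normal = "http://hmi.example/page.asp?user=bob"
    # Constructed malformed URL: the parameter carries a quote and an OR clause.
    malformed = "http://hmi.example/page.asp?user=x%27%20OR%20%271%27%3D%271"
    print("vulnerable, normal URL:   ", lookup_vulnerable(db, normal))
    print("vulnerable, malformed URL:", lookup_vulnerable(db, malformed))
    print("fixed, malformed URL:     ", lookup_fixed(db, malformed))
```

The bound-parameter form is the fix the advisory's entries call for; input validation (for instance, restricting `user` to an expected character set) is a worthwhile second layer but should not be the only one, because the set of characters that matter depends on the database engine and the query context.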
All the vulnerabilities contained in this report are remotely exploitable.
Advantech has created a new version of WebAccess (7.0) that addresses these vulnerabilities. The new version is available at http://webaccess.advantech.com/downloads.php. Advantech recommends installing the new version over the existing installation. If you uninstall the existing version of WebAccess, you must reboot the computer before reinstalling WebAccess. Advantech recommends manufacturers using the WebAccess product refer to the security considerations in their installation manual.
ICST, iSIGHT, and ICS-CERT have validated that the new version mitigates Vulnerabilities 1 and 5-16. For vulnerabilities 2 and 3, the patched version fixes the issue for unauthenticated users; however, the problem still remains for nonadmin project users. Advantech did not patch vulnerability 4 because the company does not consider it to be a security risk. Neither ICS-CERT nor independent researchers have validated that the new version resolves vulnerabilities 17 and 18.
Monday, February 20, 2012 @ 05:02 PM gHale
There is an uncontrolled search path element vulnerability, or DLL Hijacking, in the 7-Technologies (7T) AQUIS and TERMIS software programs.
ICS-CERT coordinated these reports with 7T, and 7T has created a patch that resolves this vulnerability. Researcher Kuang-Chun Hung of the Security Research and Service Institute-Information and Communication Security Technology Center (ICST), who discovered the vulnerabilities, confirmed the patches resolve the vulnerabilities.
The following products suffer from the vulnerabilities: AQUIS V1.5, dated October 13, 2011, and any previous release, and TERMIS V2.10, dated November 30, 2011, and any previous version. A successful exploit of this vulnerability could lead to arbitrary code execution.
7T, based in Denmark, creates monitoring and control systems used primarily in the United States, Europe, Northern Africa, and Asia. 7T AQUIS software is a water network simulation platform for improving system design and operation. AQUIS may also see use in other parts of the world via a freely licensed version. 7T TERMIS software sees use in district energy network management.
For the 7T AQUIS software, an attacker may place a malicious DLL in a directory where it could load before the valid DLL. An attacker must have access to the host file system to exploit this vulnerability. If exploited, this vulnerability may allow execution of arbitrary code. CVE-2012-0224 is the number assigned to this vulnerability. This vulnerability is exploitable remotely.
7T has developed a patch to address this vulnerability. Users may need to uninstall an earlier version of the application before installing this update.
The 7T TERMIS software has essentially the same issue: an attacker may place a malicious DLL in a directory where it could load before the valid DLL. An attacker must have access to the host file system to exploit this vulnerability. If exploited, this vulnerability may allow execution of arbitrary code. CVE-2012-0224 is the number assigned to this remotely exploitable vulnerability.
7T has developed a patch to address this vulnerability. Users may need to uninstall an earlier version of the application before installing this update.
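Both 7T entries describe the same mechanism: a DLL is resolved by name, so any directory that Windows searches before the one holding the legitimate library is a place where a planted copy would win. The added example below, written for this page and not 7T's or ICS-CERT's code, models the standard Windows DLL search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH, with the current directory moving to second place when SafeDllSearchMode is off) and reports which of those directories a low-privilege user could write to before the legitimate one is reached. It is a defender's audit of an installation, run on constructed paths; the directory names, the PATH entries and the writable set are all assumptions for the example, and on a live host the writable set would come from checking each directory's ACL.

```python
from typing import Iterable, List


def _norm(path: str) -> str:
    """Canonical form for comparing Windows paths: backslashes, no trailing separator, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def build_search_order(app_dir: str, windows_dir: str, cwd: str,
                       path_entries: Iterable[str], safe_search: bool = True) -> List[str]:
    """Return the directories Windows consults, in order, when a DLL is loaded by bare name.

    safe_search=True models SafeDllSearchMode enabled (the default on supported
    Windows versions); False models it disabled, where the current directory is
    searched immediately after the application directory.
    """
    base = windows_dir.rstrip("\\")
    system_dir = base + "\\System32"
    system16_dir = base + "\\System"
    if safe_search:
        order = [app_dir, system_dir, system16_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, system16_dir, windows_dir]
    order += list(path_entries)
    seen, result = set(), []
    for d in order:
        n = _norm(d)
        if n and n not in seen:       # PATH often repeats directories; keep first hit only
            seen.add(n)
            result.append(n)
    return result


def hijackable_dirs(search_order: List[str], legit_dir: str,
                    low_priv_writable: Iterable[str]) -> List[str]:
    """Directories searched before legit_dir that a low-privilege user can write to.

    Each one is a location where a same-named DLL would be loaded instead of the
    genuine library. If legit_dir never appears in the order, every writable
    directory in the list is returned, since the real DLL would not be found at all.
    """
    writable = {_norm(d) for d in low_priv_writable}
    target = _norm(legit_dir)
    risky = []
    for d in search_order:
        if d == target:
            return risky
        if d in writable:
            risky.append(d)
    return risky


if __name__ == "__main__":
    # Constructed installation: the application lives under Program Files and a
    # vendor DLL is expected from C:\Vendor\bin, which is on PATH behind C:\Tools.
    app = r"C:\Program Files\ExampleVendor\App"
    path = [r"C:\Tools", r"C:\Vendor\bin"]
    writable = [r"C:\Users\operator\Downloads", r"C:\Tools"]   # assumed weak ACLs
    order = build_search_order(app, r"C:\Windows", r"C:\Users\operator\Downloads", path)
    for n, d in enumerate(order, 1):
        print(f"{n}. {d}")
    print("writable before vendor DLL:", hijackable_dirs(order, r"C:\Vendor\bin", writable))
    print("writable before System32:  ", hijackable_dirs(order, r"C:\Windows\System32", writable))
```

The output makes the mitigation concrete: a library the application resolves from a PATH directory is reachable from every writable directory earlier in the order, whereas one loaded from the application directory or System32 is not. That is why the usual fixes are loading vendor DLLs by full path (or from the application directory), keeping SafeDllSearchMode on, and ensuring no directory ahead of the legitimate one is writable by ordinary users.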