Information Security all in one place!

Vulnerabilities

Wireless Dual Band USB Adapter; offering 5GHz upgrade


TP-LINK, a global provider of networking products, today announced its new Wireless Dual Band USB Adapter, which lets users add 5GHz capability to a notebook or desktop computer without disrupting the existing network. With wireless speeds of up to 300Mbps on either the 2.4GHz or the 5GHz band, the adapter is aimed at upgrading PC or laptop wireless capabilities, in particular by using the 5GHz band to avoid interference on the crowded 2.4GHz band.

N600 Wireless Dual Band USB Adapter (TL-WDN3200) – $29.99 – Product Available End of April 2012

  • Compatible with IEEE 802.11b/g/n 2.4GHz and IEEE 802.11a/n 5GHz devices
  • Maximum speed of 300Mbps on 2.4GHz and 300Mbps on 5GHz
  • USB 2.0 interface
  • Supports ad-hoc and infrastructure mode
  • Easy wireless security encryption at a push of the WPS button
  • Supports Windows XP 32/64bit, Vista 32/64bit, Windows 7 32/64bit
  • Easy Wireless Configuration Utility

http://www.ereleases.com/pic/TP-LINK.png
http://www.ereleases.com/pic/TP-LINK-2.jpg


Mobile Devices and the Growing Concern


A pile of mobile devices including smart phone...

If you use any type of mobile device in your day-to-day life… keep reading. Ignorance can only bring you so far!

Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple’s iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.

Related Information: http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1

Proof of Concept Video: http://bcove.me/44ip4sgw


Cisco Security Advisory: Cisco WebEx Player – Buffer Overflow Vulnerabilities


The Cisco WebEx Recording Format (WRF) player contains three buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.
The Cisco WebEx Players are applications used to play back WebEx meeting recordings that were recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be installed automatically when the user accesses a recording file hosted on a WebEx meeting site. They can also be installed manually for offline playback after downloading the application from www.webex.com.

If the WRF player was installed automatically, it will be upgraded automatically to the latest, non-vulnerable version the next time the user accesses a recording file hosted on a WebEx meeting site. If the WRF player was installed manually, users will need to install a new version of the player by hand after downloading the latest version from www.webex.com.

Cisco has updated affected versions of the WebEx meeting sites and WRF player to address these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120404-webex



BYOD Policies: Moving too fast; You make the call…


Federal agencies are moving toward “BYOD” mobile policies even as questions about security and privacy continue to arise, according to panelists speaking April 4 at the FOSE conference.

A number of agencies have instituted or are considering BYOD (Bring Your Own Device) policies because many employees rely on their personal smart phones and tablets to manage their lives. The White House is preparing to release a governmentwide BYOD policy.

At the same time, the BYOD trend presents some tricky challenges not fully resolved yet, according to speakers on a FOSE panel.

Because of the ubiquity of smart phones in people's lives, the government is moving toward BYOD "whether we like it or not," said Rob Burton, partner at the Venable LLP law firm. "But this train may be moving too fast."

One of the sticking points is whether government agencies have the right to examine or download personal information from employee devices. Burton cited a recent Supreme Court case involving a municipality investigating a policeman for alleged violations. The city downloaded personal information from the policeman’s city-owned smart phone, and the court ruled that was reasonable.

In that case, the court ruled that the government agency had a right to examine the personal information. But if the device had been owned by the policeman, the ruling might have been different, Burton suggested. The privacy expectation presumably would trump any agreements signed by the employee, he added.

“There might be some expectation of privacy in BYOD,” Burton said. “There is some real complexity in BYOD and the courts probably will deal with it.”

Another challenge is security against the growing threat of foreign agents seeking to gain access to U.S. government information, Burton said.

“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.

Even at agencies with BYOD policies in place, employees might choose not to participate because of objections to the terms of the policy, according to another panelist at a related seminar.

At the General Services Administration’s Federal Systems Integration and Management Center, about half of the 120 employees currently own personal mobile devices, said Chris Hamm, operations director at the center.

Under an existing BYOD policy and a mobile device management system, the workers are able to use those devices to access email and calendar applications, as well as some other Web browser-based applications, Hamm said.

For connection and integration with GSA’s network, the agency requests that before a device can be connected, the employee sign several agreements for security and access authorizations, Hamm said. One of the agreements is to allow remote wiping of the device under certain conditions.

More from this article here: http://fcw.com/articles/2012/04/04/fose-byod-mobile.aspx


Intuit Quickbooks: Multiple Vulnerabilities


The following vulnerabilities have been discovered and privately reported for the following versions of Intuit Quickbooks products:

Quickbooks 2009 – Quickbooks 2012; in conjunction with Internet Explorer Versions 7-9

Vulnerabilities:

  1. Intuit Help System Protocol URL Heap Corruption and Memory Leak:
  • The vulnerability described in this document can potentially be
    exploited by malicious HTML and/or JavaScript to execute arbitrary
    code as the user viewing the malicious content.
  2. Intuit Help System Protocol File Retrieval:
  • The vulnerability described in this document can be exploited by
    malicious HTML and JavaScript to retrieve a file from a ZIP archive to
    which the user viewing the HTML has local or network file system
    access. The attacker must know or guess the path and file name of the
    target ZIP archive and the target file it contains. A further
    significant limitation is that files in subdirectories inside of ZIP
    archives have proven inaccessible, based on a sampling of Windows
    ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

No vendor response at the time of public release. More information will be posted as it becomes available.


McAfee Email and Web Security Appliance v5.6: Multiple Vulnerabilities


NGS Secure has discovered multiple high-risk vulnerabilities in the McAfee Email and Web Security Appliance.

Affected: all versions prior to 5.5 Patch 6, Email and Web Security 5.6 Patch 3, and McAfee Email Gateway 7.0 Patch 1.

Vulnerabilities Include:

  • Reflected XSS allowing an attacker to obtain session tokens
  • Session hijacking and bypassing client-side session timeouts
  • Any logged-in user can bypass controls to reset the passwords of other administrators
  • Active session tokens of other users are disclosed within the UI
  • Password hashes can be recovered from a system backup and easily cracked
  • Arbitrary file download is possible with a crafted URL when logged in as any user


NGS Secure is going to withhold details of these flaws for three months. This three-month window gives users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
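As an added illustration (not code from this post or from McAfee), the following Python contrasts the vulnerable and hardened forms of two of the classes listed above: a session timeout that is enforced only on the client, and a password reset that checks for any logged-in session rather than for the caller's right to change the target account. The session store, user names, roles and 60-second lifetime are constructed for the demo; the salted PBKDF2 storage in `set_password` is there because the same list flags easily cracked stored hashes.

```python
"""Constructed illustration of two vulnerability classes from the list above:
a session timeout enforced only in the browser, and a password-reset action
that checks that *a* session exists but not *whose* it is. Not McAfee code;
names, roles and the 60-second lifetime are assumptions for the demo."""
import hashlib
import os
import secrets
import time


class SessionStore:
    """Server-side session table: token -> {user, role, last_seen}."""

    def __init__(self, lifetime_seconds=900, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock          # injectable so the demo can fast-forward time
        self._sessions = {}

    def create(self, user, role):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "role": role, "last_seen": self.clock()}
        return token

    def lookup_client_trusting(self, token):
        # Vulnerable pattern: expiry is left to JavaScript on the client, so a
        # captured token stays valid for as long as the server process lives.
        return self._sessions.get(token)

    def lookup(self, token):
        # Hardened pattern: the server checks idle time on every request and
        # discards the session once the lifetime is exceeded.
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.lifetime:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session


class AdminPanel:
    """Minimal stand-in for an appliance admin UI with a password-reset action."""

    def __init__(self, sessions):
        self.sessions = sessions
        self.passwords = {}         # user -> (salt, PBKDF2-HMAC-SHA256 digest)

    def set_password(self, user, new_password):
        # Salted, iterated hash: a copied backup no longer yields hashes that
        # fall to a quick dictionary run.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.passwords[user] = (salt, digest)

    def reset_password_vulnerable(self, token, target_user, new_password):
        # Only asks "is anyone logged in?", so any authenticated user can
        # reset any administrator's password.
        if self.sessions.lookup_client_trusting(token) is None:
            return False
        self.set_password(target_user, new_password)
        return True

    def reset_password(self, token, target_user, new_password):
        # Asks "is this caller allowed to change *this* account?"
        session = self.sessions.lookup(token)
        if session is None:
            return False
        if session["user"] != target_user and session["role"] != "superadmin":
            return False
        self.set_password(target_user, new_password)
        return True


def demo():
    """Run both variants against constructed sessions; returns outcomes by name."""
    now = [1_000_000.0]
    store = SessionStore(lifetime_seconds=60, clock=lambda: now[0])
    panel = AdminPanel(store)
    panel.set_password("admin", "original-admin-password")
    panel.set_password("alice", "original-alice-password")
    results = {}

    # 1. Stolen token reused two hours later: only the server-side check rejects it.
    alice_token = store.create("alice", "admin")
    now[0] += 7200
    results["stale_token_vulnerable"] = panel.reset_password_vulnerable(alice_token, "admin", "x")
    results["stale_token_hardened"] = panel.reset_password(alice_token, "admin", "x")

    # 2. Fresh session, but alice (an ordinary admin) targets another admin's account.
    alice_token = store.create("alice", "admin")
    results["other_account_vulnerable"] = panel.reset_password_vulnerable(alice_token, "admin", "x")
    results["other_account_hardened"] = panel.reset_password(alice_token, "admin", "x")
    results["own_account_hardened"] = panel.reset_password(alice_token, "alice", "x")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The point of the session check is that every request goes through `lookup`, so a token captured through the reflected XSS above is useless once the idle window has passed, whatever the browser-side timer says. The authorization check makes the reset depend on who is calling, not merely on the fact that someone is logged in. Running the file prints each outcome.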


Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability



The Cisco IOS Software Network Address Translation (NAT) feature contains a denial of service (DoS) vulnerability in the translation of Session Initiation Protocol (SIP) packets.

The vulnerability is triggered when packets transiting the vulnerable device require translation of addresses carried in the SIP payload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates the vulnerability is available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat
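The workaround referred to above, as I recall it from the linked advisory, is to disable SIP payload translation (the SIP ALG) on the affected device. The commands below are an added illustration, not text reproduced from this post or from the advisory, and should be confirmed against the advisory before use.

```text
! Assumed IOS workaround: stop NAT from inspecting and rewriting SIP payloads
! on both transports. Verify against cisco-sa-20120328-nat before applying.
Router(config)# no ip nat service sip tcp port 5060
Router(config)# no ip nat service sip udp port 5060
```

With the ALG off, the router no longer rewrites the addresses embedded in SIP messages, so SIP sessions that cross the NAT boundary may fail unless the endpoints or a session border controller handle NAT traversal themselves; apply the software update where that trade-off is not acceptable.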