CTO Security Weekly

Notcompatible Android Security Buzz:

This week a new malware package for Android sparked the internet's interest in the security of the Android mobile computing platform.  The new malware, dubbed “Notcompatible”, is limited in scope and vector: it is installed via user interaction, and only on phones where the user has enabled installation of packages from 3rd-party sources.
The notable part of Notcompatible isn’t really the malware itself, but how it spreads to its victims through a technique called drive-by downloading.  Drive-by download techniques involve the infection or poisoning of a website through delivery of malicious advertisements or website compromise.  Once the site is compromised, malware is sent to users who browse to it in an attempt to infect them.  Typically this is done to infect traditional computing platforms such as Windows, but with the growing popularity of browsing the web from smartphones, the addition of an Android-based vector was only a matter of time.

Read More: http://www.blogham.com/notcompatible-android-malware-spreads-via-hacked-websites.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+BlogHam+(Blog+Ham)

Critical PHP Bug Discloses Your Source Code

Source code disclosures are among the worst exposures that can happen to an organization, especially since passwords for databases and other programs are usually embedded in the code of PHP programs.  Disclosure of the source code to these programs could lead to serious compromise.  An explanation of the vulnerability follows:
PHP in a CGI setup will accept flags on GET requests and return different results based on the flags.  The flag that discloses the source code of the requested page is -s, and it is appended to the GET request for a page as follows:
http://www.targetsite.com/index.php?-s

If the target is set up using a PHP-cgi environment running a PHP version lower than PHP 5.3.12 then the target site is vulnerable.

It is recommended that those affected by this bug update to the most recent version of PHP.  A fair number of sites could be affected by this bug, which has been around since 2004 and was only recently discovered and (accidentally) released to the public.
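One way to look for this request pattern in web server access logs, as an added example (not code from the original article). It generalizes from the -s case above to any query string on a PHP script that has no "=" and begins with "-", including the percent-encoded form; the log lines, the function names and the combined log format are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.21"
203.0.113.5 - - [05/May/2012:10:01:09 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.7 - - [05/May/2012:10:02:00 +0000] "GET /index.php?page=-s HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2012:10:02:05 +0000] "GET /search.php?q=a-b HTTP/1.1" 200 930 "-" "Mozilla/5.0"
198.51.100.9 - - [05/May/2012:10:03:00 +0000] "GET /style.css?-s HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client address, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')


def is_flag_style_query(target):
    """True when a request for a PHP script carries a query string that a
    CGI-mode PHP binary could read as a command-line flag."""
    path, sep, query = target.partition("?")
    if not sep or ".php" not in path.lower():
        return False
    # A literal '=' marks an ordinary key=value query string, which is not
    # handed to the binary as arguments.
    if "=" in query:
        return False
    # Decode so that %2D is treated the same as a literal '-'.
    return unquote(query).lstrip().startswith("-")


def find_suspicious(log_text):
    """Return (client, target, status) for every flag-style request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_flag_style_query(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for client, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{client} requested {target} (HTTP {status})")
```

A hit with a 200 status and a response larger than the page normally returns is worth checking first, since that is what a source listing would look like in the log.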

Read More: http://www.infoworld.com/t/application-security/critical-php-vulnerability-exposes-servers-data-theft-or-worse-192428

Hack Attack! New Group Makes Name Hacking NASA, Air Force

A new hacking group has made a bit of a splash after they hacked several governmental and private institutions this week.  A quick read of the Twitter accounts mentioned in the Pastebin post (URL below) confirms that the breaches occurred as the result of database intrusions.  A review of the password choices reveals that a brute-force password-guessing attack may have been used as well to gain access to some of the systems.
While database attacks are common, the attackers seem to have gained access to a number of targets, including the Air Force and the Bahrain Ministry of Defense.  The latter is somewhat surprising, given that Anonymous has been taking every opportunity to shame the Bahraini Government for its continued human rights abuses.  This indicates that the group is probably not at all affiliated with Anonymous.

Pastebin Link: http://pastebin.com/uhWSRrSf
Read More: http://www.zdnet.com/blog/security/mystery-group-hacks-us-military-harvard-nasa-more/11789?tag=mantle_skin;content

Microsoft Boots Chinese Company from Vulnerability Sharing Club

Microsoft announced that Hangzhou DPTech Technologies Co., Ltd would be removed from its vulnerability sharing program following the leak of a proof-of-concept for a serious vulnerability in the Windows operating system.  This is the second time that Microsoft has had to remove a Chinese company from the program, and the leak marked the third occasion that a vulnerability from the program had been shared to a Chinese-language website.
While sharing high-impact vulnerabilities with private (and international) companies is a risk for Microsoft and its customers, Microsoft still believes that there are more benefits to keeping the program than scrapping it, since the sharing program allows corporations to protect users and customers in advance of an official patch.

Read More: http://www.zdnet.com/blog/security/microsoft-kicks-chinese-company-out-of-vulnerability-sharing-program/11853

About Bryan Halfpap

Bryan Halfpap is a software programmer, technology analyst and writer and a driving force behind the security reporting at CTOvision.com. He is a frequent speaker at events and conferences including Defcon. You can find him on Twitter: @crypt0s