Security news roundup: 911 hacker gets three years, Ubuntu Linux stays untouched

Here’s a collection of recent security vulnerabilities, alerts and news, which covers a 911 hacker being sentenced to three years jail, an RTSP vulnerability that affects current versions of MPlayer and VLC media players, Cisco having its first patch day, and news that Ubuntu Linux remained untouched at the conclusion of the latest PWN TO OWN contest.

  • 911 hacker gets three years

In the first such prosecution in Orange County, a teenager was sentenced to three years' imprisonment for "swatting." The objective of this particular prank is to convince 911 dispatchers to send SWAT teams on a wild goose chase. I reported on this case over at IT News Digest late last year.

In this instance, the entire situation could have ended very badly as the husband heard the SWAT team outside and believed that a prowler was outside. Leaving his wife and two toddlers in the house, he took a knife and went into the backyard where he found the SWAT team pointing assault rifles at him.

TechRepublic members had advocated varying punishments then -- well the verdict is out now.

Excerpt from KOMO-TV:

Randal T. Ellis, 19, pleaded guilty Wednesday in Orange County Superior Court to five felony counts, including computer access and fraud, false imprisonment by violence and falsely reporting a crime. He was given prison time and ordered to pay $14,765 in restitution, most of which will go to the county Sheriff's Department.

This case is of interest because Randal spoofed the originating number of his 911 call using his computer to lend credence to his social engineering attempt. As the number of convictions for computer-related crimes increases, it is probably worth keeping an eye on the punishments meted out for them.

  • RTSP vulnerability hits MPlayer and VLC media players

A recently fixed vulnerability in the xine-lib multimedia library also affects MPlayer and the VLC media player, both of which are still vulnerable. In addition, bugs in the real time data stream processing routines can be used to inject malicious code via crafted RTSP data streams.

Both MPlayer and the VLC media player are available for free and highly popular with the open-source crowd.

heise Security offers a technical explanation of the vulnerability.

The sdpplin_parse() function in the stream/realrtsp/sdpplin.c file of MPlayer, or modules/access/rtsp/real_sdpplin.c file of VLC media player fails to check the length of the streamid SDP parameter in a real time protocol data stream (RTSP), resulting in a potential buffer overflow. Using this, attackers can overwrite arbitrary memory areas using crafted data streams and execute injected code such as trojans.

If you use MPlayer, you should stay away from untrusted FLAC and MOV files. VLC users should be wary of untrusted subtitle files. And of course, both MPlayer and VLC users should avoid untrusted RTSP data streams.

And yes, a demo exploit for this vulnerability is already out on milw0rm.
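
The kind of check the heise description says is missing, shown as an added example that is not MPlayer, VLC or xine-lib code: a parser that validates the streamid value from an SDP line before it is used to address per-stream state. The line format `a=control:streamid=<n>`, the table size, the digit cap and all function and struct names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_STREAMS   8   /* assumed size of the per-stream table */
#define MAX_ID_DIGITS 4   /* assumed cap on the length of the id field */

/* Hypothetical stream table; stands in for a player's per-stream state. */
struct stream_table {
    int in_use[MAX_STREAMS];
};

/*
 * Parse one SDP attribute line of the assumed form "a=control:streamid=<n>".
 * Returns the stream id (0..MAX_STREAMS-1) on success, or -1 if the line is
 * not a streamid attribute or the value fails validation.
 */
int parse_streamid(const char *line)
{
    static const char prefix[] = "a=control:streamid=";
    const size_t plen = sizeof(prefix) - 1;
    const char *p;
    size_t ndigits = 0;
    long id = 0;

    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -1;

    for (p = line + plen; *p != '\0' && *p != '\r' && *p != '\n'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;                 /* signs, spaces, letters: reject */
        if (++ndigits > MAX_ID_DIGITS)
            return -1;                 /* length check on the field */
        id = id * 10 + (*p - '0');
    }
    if (ndigits == 0 || id >= MAX_STREAMS)
        return -1;                     /* empty, or outside the table */
    return (int)id;
}

/* Touch the table only after the id has passed validation. */
int register_stream(struct stream_table *t, const char *line)
{
    int id = parse_streamid(line);
    if (id < 0)
        return -1;
    t->in_use[id] = 1;
    return id;
}
```

Every value taken from the stream is treated as untrusted: the field length is capped before conversion, and the converted id is compared against the table size before any write.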

  • Cisco does its first patch day

Following in the footsteps of Microsoft, Cisco had its very first "Patch Wednesday" last week. The idea is that all updates to its IOS router OS can be bundled and delivered to network administrators together. Additional patch days are scheduled every six months.

There are five security advisories issued by Cisco this time round.

According to the advisory, the following issues have been identified:

If you are a registered customer, you can download the respective patches by following the links in the various advisories above.

The next Cisco patch day will be on the 24th September later this year.

  • Windows Vista trips over Flash; Linux remains untouched

This year's "PWN To OWN" challenge has ended, and the only laptop left standing was a Sony Vaio running Ubuntu Linux. A MacBook Air fell on the second day due to a vulnerability in Apple's Safari browser while a laptop running Windows Vista Ultimate was successfully exploited on the third and final day.

The three-day hack challenge kicked off last Wednesday and ended on Friday. The rules were progressively relaxed over the three days, with the prize money halved on each successive day. The hacked laptop is given to the successful hacker, regardless of the day on which it was broken into.

No one walked away with the first day's $20,000 prize, which required that only remote code-execution exploits be used. The MacBook Air fell on the second day, where the rules were relaxed to allow user-interaction of installed-by-default applications. The third day saw the inclusion of several popular third-party applications such as Skype and Flash -- which led to the downfall of Windows Vista.

You can read more at the TippingPoint blog.

Feel free to discuss the various security news here.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

14 comments
richard.e.morton

"Windows Vista Ultimate was successfully exploited on the third and final day." "The third day saw the inclusion of several popular third-party applications such as Skype and Flash -- which led to the downfall of Windows Vista." humm... I'm no M$ fan, but you can't blame M$ for sloppy code on the part of third parties... M$ will always lose out here case there is so much more code around and usually has new features added to Windows versions before the features hit OSX and Linux. The fact that Windows made it to the third day is amazing considering the security reputation / position just a few years ago. Well done M$... Rich

apotheon

"I'm no M$ fan, but you can't blame M$ for sloppy code on the part of third parties." That depends on the nature of the exploit. If a third-party application just gives the security cracker easy access to the system, but a vulnerability in the design of MS Windows allows the security cracker to escalate privileges easily (for instance), there's still a security problem with the OS. "usually has new features added to Windows versions before the features hit OSX and Linux." You mean like multi-user capabilities, multiple workspaces or virtual desktops, and secure remote access? Oh, wait, all those have been available on Linux and other Unix-like OSes for years before Microsoft even looked sideways at the possibility of including them in its flagship OS. There are many, many features that MS Windows not only hasn't had before Linux/Unix systems, but has been a decade or so behind on, and in some cases may never include. "The fact that Windows made it to the third day is amazing considering the security reputation / position just a few years ago. Well done M$..." Keep in mind that most of the attention was probably on the Mac at first, because part of the prize is the computer -- and more people probably wanted the Mac than the MS Windows machine. The Ubuntu machine probably benefited from a combination of being too difficult to crack (in comparison with the others) and being less specifically interesting to crack (because one could always just crack the MS Windows machine, then install some Linux distribution on it later). I, personally, would rather have a Macbook Air than the Fujitsu, and the Fujitsu than a VAIO. I'd especially choose in that order considering it would probably be easier to crack security on MacOS X or MS Windows Vista than on a typical Linux distribution -- though I don't have much confidence in the default configuration of Ubuntu, compared with certain other Linux distributions.

TelcoChuck

From what I have heard, the exploit was a combination of java (sun) invoking flash (adobe). Both of these seem to have problems from the authors with DEP. Obviously a Microsoft problem that other vendors are too lazy / careless about security / uncaring / over several years (reported as problems with XP SP2)! Let's try putting the blame for the exploits of third party apps where the real blame belongs. This one also is supposedly a cross platform exploit.

catseverywhere

My thought exactly. The third party software OBVIOUSLY requires the underlying OS, and it is in that interface the mayhem ensues. The OS is just as much a part of it as the app. I'm sure the Ubuntu box was running flash, right? Why didn't that get compromised exactly the same way as with Vista?

apotheon

Developing software that isn't secure is bad. Developing an operating system that allows unsecured software for unprivileged users to take over the whole system is one way to develop software that isn't secure. Notice that, in the public posting of the rules for the contest (http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008), it says: "To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs)." This means that the vulnerability in question didn't just involve the behavior of Flash -- it also involved execution of arbitrary code. The fact that the OS allowed the application to run unauthorized third-party code that accessed the filesystem is a problem. It's not as bad as the OS itself just allowing the compromise without any third-party software involved, but it's not good, either -- and the OS is indeed part of the problem.

Dumphrey

but at least its default has most services disabled by default. So even with no firewall, there is not much to access remotely. Ubuntu is a compromise between user friendly and security. And while it lacks SELinux, and AppArmor is not enabled by default, these settings are beyond the average appliance user that just wants to "use" their computer. Though, Ubuntu could go the Fedora route and enable a default, fairly permissive AppArmor policy by default, and include the context info and changes for each new app in the install routine for apt. Also, your ordering on the laptops makes a lot of sense. It's the order I would choose them in as well, though I would wipe OSX and install linux.

apotheon

"Ubuntu is a compromise between user friendly and security." So is MS Windows. That's the problem -- they're compromises. The correct approach is not to compromise security for "user friendly" operation. It's to provide as much security as possible without making the goals you want to meet with your software prohibitively difficult. That's not a compromise at all -- it's a good choice. When you compromise, you get worse, not better. "Also, your ordering on the laptops makes a lot of sense. It's the order I would choose them in as well, though I would wipe OSX and install linux." I'd prefer either FreeBSD or, if it was still supported, OpenDarwin. The architecture of OpenDarwin is excellent. . . . though, to tell the truth, I'd probably keep MacOS X on it if someone gave me a Mac laptop. After all, it'd never be my primary computer: I prefer Thinkpads, thanks. Having an extra laptop lying around with a different OS might be kinda handy.

Mond0

Would you care to expand on these "certain other Linux distributions"? I'm still new to Linux and mostly run live distros on occasions when I don't trust the machine I'm borrowing.

apotheon

My Linux preference is Debian (no, it's not the same thing as Ubuntu). There are other distributions that are generally more secure than Ubuntu in default configuration as well -- such as Fedora Core and Slackware, last I checked. LiveCD distributions are in some respects more secure than installed software, all else being equal, because the software on the CD can't be altered. In other respects, they're less secure because of a number of reasons. One is that all copies of a given version of a given LiveCD OS probably have the same passwords. Another is that you're stuck with the configuration on the CD and what you change at runtime every single time you boot it up -- you can't permanently configure it to use settings specific to your security needs, because you can't change what's on the CD. My OS preference isn't actually a Linux distribution at all, by the way. It's FreeBSD. You can get a pretty gentle introduction to FreeBSD via PC-BSD (http://pcbsd.org) if you're interested. OpenBSD is generally regarded as even more secure, but also a bit more user-unfriendly, in case you're curious.

Jaqui

"Mandriva one" a fairly user friendly distro, without the security issue of Ubuntu / Kubuntu not having a root password, or the security issue of PCLinuxOS in allowing root login in runlevel 5 Mint, Gentoo live are also good options. with livecds, the risks are low simply because the os is not alterable. it's after you install that the issues are something to pay attention to fixing. [ or avoid by picking a different distro to install ]

catseverywhere

What are the contest rules regarding security configurations on the machines? Are they "install default," or can adjustments be made? Regardless, I can smell the flames from here... the Linux FBs will state the obvious, the windows FBs will whip out the Rube Goldberg rationalization templates, the Mac FBs are always in denial... =)

paulmah

Here's a collection of recent security vulnerabilities, alerts and news, which covers a 911 hacker being sentenced to 3 years jail, an RTSP vulnerability that affects current versions of MPlayer and VLC media players, Cisco having its first patch day, and news that Ubuntu Linux remained unhacked at the conclusion of the latest "PWN TO OWN" contest.

Mond0

Would you mind posting a link to this collection? Thanks,