Wednesday, June 27, 2012

High-Tech Bridge Security Research Lab Obtains "CVE-Compatible" Status

GENEVA, June 25, 2012 /PRNewswire via COMTEX/ -- High-Tech Bridge is pleased to announce that Security Advisories by High-Tech Bridge Security Research Lab achieved the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-Compatible". CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration." The MITRE Corporation manages and maintains the CVE List with assistance from the CVE Editorial Board.

High-Tech Bridge's CEO, Mr. Ilia Kolochenko, commented: "At High-Tech Bridge we strongly believe that the CVE project is of great importance for the security industry. Being able to coordinate vulnerability research, disclosure and mitigation by CVE identifiers is a key point in making information security efficient. We are going to contribute as much as we can to the CVE project and its values."

"High-Tech Bridge has demonstrated its commitment to providing its customers with comprehensive security advice by integrating CVE names into their Security Advisories. As security threats increase in number, complexity, and frequency today, organizations require clear and concise direction from security services like High-Tech Bridge's Security Advisories to help them proactively prepare for and respond to these problems," said Robert Martin, the CVE Compatibility Lead at MITRE. "The use of CVE Identifiers in their security advisories will help High-Tech Bridge's customers close the gaps in coverage that often result from using disparate security sources, thereby helping ensure more comprehensive protection against new and emerging vulnerabilities and exposures."

High-Tech Bridge Security Advisories (HTB Security Advisories) are provided on a non-profit basis, in accordance with High-Tech Bridge's corporate social responsibility, with the aim of helping software vendors improve the security and reliability of their products.

More than 160 software vendors have released security patches and improved the security of their products thanks to the High-Tech Bridge Security Research Lab, including HP, Sony, SugarCRM, OrangeHRM and many others. In Q1 2012, 88% of the software vendors affected by HTB Advisories released security patches. The Q2 2012 statistics, which are currently being prepared for publication, will disclose some interesting facts and details about various vendors, such as the most responsive vendor of Q2 2012: Serendipity, which provided a security patch for an SQL injection vulnerability 23 minutes after being notified of it.

About High-Tech Bridge

High-Tech Bridge SA provides multinational companies, financial institutions and international organizations with cutting-edge information security solutions and services. In 2012, Frost & Sullivan recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry.

Contact
Sebastien Flaccavento
Senior Project Manager
High-Tech Bridge SA
Tel: +41-22-560-68-43
Email: press@htbridge.com
Web: https://www.htbridge.com
Twitter: twitter.com/htbridge
Facebook: facebook.com/htbridge

Source: MarketWatch
Related Links:
High-Tech Bridge Security Research Lab obtains “CVE-Compatible” status.

Monday, June 25, 2012

Hackers: companies strike back

Frustrated by their inability to stop sophisticated attacks, or by the lack of a law they can rely on to punish their attackers, some American companies are taking retaliatory measures.

Until now, companies that fell victim to a cyber attack limited themselves to repairing the damage and plugging their security holes. Now some of them, in the United States, are going further by hiring security firms to strike back.

«Not only do we put out the fire, we also look for the arsonist,» sums up Shawn Henry, a former FBI official recruited by the security firm CrowdStrike. The firm invites its clients to adopt much more muscular «active defenses», without, however, damaging the cybercriminals' systems.

Once the firm detects that an intruder has breached a network, rather than expelling the intruder immediately, it can engage in a kind of cat-and-mouse game, making the hackers waste their time and resources. Security firms can also set out bait to better pin down the attacker's identity.

They justify their actions by the proliferation of attacks using malware that is easily available on the net, and by the legal vacuum that exists in this area. «It is fashionable in the hacking communities, but not new,» comments Frédéric Bourla, security expert at High-Tech Bridge. «But the question of where the line lies between active defense and retaliation does arise. It is like in combat sports: the basic rule is to adopt a defense proportional to the opponent's attack,» he concludes.

Source: Linformatique.org, «Hackers : la riposte des entreprises» (Hackers: companies strike back).

Friday, June 22, 2012

HTB23094: web@all multiple vulnerabilities

web@all version 2.0, as downloaded before 30 May 2012, suffers from cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities:
1. Cross-Site Request Forgery (CSRF): The application allows an authorized administrator to perform certain actions via HTTP requests without properly validating the source of those requests.
2. Cross-Site Scripting (XSS): Input passed via the "_text[title]" GET parameter to the "search.php" script is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23094
Vendor Notification / Patch / Public Disclosure Dates: 30 May / 30 May / 20 June
Vulnerabilities Type: CSRF, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to the latest version of web@all

Read full information, details and Proof of Concept (PoC) for this advisory: High-Tech Bridge Advisory HTB23094: Multiple vulnerabilities in web@all.

Friday, June 15, 2012

HTB23093: TinyWebGallery multiple vulnerabilities

TinyWebGallery version 1.8.7 and probably prior suffers from cross-site request forgery (CSRF), arbitrary code execution and cross-site scripting (XSS) vulnerabilities:
1. Cross-Site Request Forgery (CSRF): The application allows an authorized administrator to perform certain actions via HTTP requests without properly validating the source of those requests.
2. Arbitrary Code Execution: Input passed via the "user" POST parameter to the "admin/index.php" script is not properly sanitised before being written to the ".htusers.php" file.
3. Cross-Site Scripting (XSS): Input passed via the "selitems[]" and "searchitem" POST parameters to the "/admin/index.php" script is not properly sanitised before being returned to the user.

Vulnerability ID: HTB23093
Vendor Notification / Patch / Public Disclosure Dates: 23 May / 24 May / 13 June
Vulnerabilities Type: CSRF, arbitrary code execution, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to the latest TWG 1.8.8 build

Read full information, details and Proof of Concept (PoC) for this advisory: High-Tech Bridge Advisory HTB23093: Multiple vulnerabilities in TinyWebGallery.

Friday, June 8, 2012

High-Tech Bridge SA Named to OTA 2012 Online Trust Honor Roll

Achievement recognizes High-Tech Bridge’s leadership in online security and privacy best practices. High-Tech Bridge has been named to the Online Trust Alliance (OTA) 2012 Online Trust Honor Roll, based on a composite trust score of security and privacy measures at hundreds of online sites. Designed to recognize leadership, the Honor Roll distinguishes High-Tech Bridge as a “North Star” to inspire others.

As part of the 2012 study, released June 6, 2012, OTA analyzed the adoption of key security and privacy initiatives, providing benchmark reporting and comparisons between key industry sectors including leading internet retailers, FDIC Top 100 Banks, and social networking sites. Of the companies evaluated by the non-profit, member-based OTA, less than 30% made the grade.

“Today’s businesses are stewards of ever-increasing amounts of users’ personal and sensitive data that necessitate the implementation of privacy and security best practices,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Being a member of the 2012 OTA Online Trust Honor Roll means High-Tech Bridge has demonstrated exceptional leadership and commitment towards online safety, to enhancing the vitality of the internet, and, most importantly, to consumer trust.”

Ilia Kolochenko, CEO of High-Tech Bridge, says, “We are proud to be a member of the Online Trust Alliance, an organization whose values and goals are so vital today to keeping people's trust in the Internet. At High-Tech Bridge we are honored to receive this award, and we will continue our contribution to online safety, privacy and trust."

The 2012 report examined over 1,200 domains and privacy policies, approximately 3,600 web pages and over 500 million emails. In addition, public records were analyzed for recent data breach incidents and settlements with the FTC.

The focus of the OTA Online Trust Honor Roll is to:
1. Recognize the exemplary efforts of leading companies toward data and user protection through their security and privacy practices, and highlight them as “North Stars.” Organizations on the Honor Roll manage data according to security best practices while maintaining transparent privacy practices.
2. Demonstrate OTA’s commitment to providing prescriptive advice, tools and resources to businesses to enhance the security and privacy of the internet.
3. Underscore the importance of addressing security and privacy holistically, since individual security and privacy initiatives cannot be pursued in isolation.
4. Provide benchmark scoring, using the Online Trust Index (OTI) and reported data attributes, for companies to evaluate their own sites, for businesses to use in evaluating partners, and for consumers to consider when interacting or doing business online.

Since 2010, the OTA Online Trust Honor Roll has recognized organizations that follow best practices in data security and privacy. In previous years, the study was named the OTA Online Safety Honor Roll and Scorecard Honor Roll. Recipients have risen from 8% of sites analyzed in 2010, to 25% in 2011, to nearly 30% in 2012.

About The Online Trust Alliance (OTA)
The Online Trust Alliance (OTA) is a member-based non-profit representing the global internet ecosystem - including the public and private sectors. OTA’s mission is to develop and advocate best practices and public policy which mitigate emerging privacy and security threats while enhancing online trust, innovation and the vitality of the digital economy. OTA is committed to protection of critical infrastructure, balanced legislation and data protection through the promotion of best practices, benchmark reporting, and self-regulation.

About High-Tech Bridge
High-Tech Bridge SA provides companies, governmental agencies and international organizations with cutting-edge information security services. In 2012, Frost & Sullivan recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry.

Related links:
otalliance.org: Industry Support of OTA Online Trust Honor Roll
htbridge.com: High-Tech Bridge SA Named to OTA 2012 Online Trust Honor Roll

Thursday, June 7, 2012

HTB23092: Serendipity SQL injection

Serendipity version 1.6.1 and probably prior suffers from an SQL injection vulnerability:
SQL Injection: Input passed via the "url" GET parameter to the "comment.php" script is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vulnerability ID: HTB23092
Vendor Notification / Patch / Public Disclosure Dates: 16 May / 16 May / 6 June 2012
Vulnerabilities Type: SQL injection
Risk level: High
Solution Status: Fixed by Vendor, upgrade to Serendipity 1.6.2.

Friday, June 1, 2012

HTB23063: Sony VAIO Wireless Manager 2 Buffer Overflows

Sony VAIO Wireless Manager version 4.0.0.0 and probably prior suffers from buffer overflow vulnerabilities:
The methods "SetTmpProfileOption()" and "ConnectToNetwork()" in the "WifiMan.dll" library do not properly check the length of their string parameters. An attacker could craft a malicious HTML page that triggers the vulnerability and executes arbitrary code in the context of the affected user.

Vulnerability ID: HTB23063
Vendor Notification / Patch / Public Disclosure Dates: 7 December 2011 / 20 January 2012 / 30 May 2012
Vulnerabilities Type: Buffer Overflow
Risk level: High
Solution status: Fixed by Vendor
Solution: Install the latest version of the software by using VAIO Update. The update will be installed automatically if you are using the default VAIO Update settings.

More information:
High-Tech Bridge Advisory: HTB23063: 2 Buffer Overflows in Wireless Manager Sony VAIO
Sony eSupport Information: Security Update Program for VAIO® Personal Computers