Pentoo – Gentoo Based Penetration Testing Linux LiveCD

Pentoo is a Gentoo based penetration testing Linux LiveCD. It's basically a Gentoo install with lots of customized tools, a customized kernel, and much more. Here is a non-exhaustive list of the features currently included: hardened kernel with aufs patches, backported WiFi stack from the latest stable kernel release, module loading support à la Slax...

Read the full post at darknet.org.uk

No One Bothers to Report Security Issue in WordPress Theme Either

For years we have discussed the fact that in many cases with publicly disclosed security vulnerabilities in WordPress plugins, no one bothers to notify the developer or WordPress.org about them (that includes organizations selling WordPress security services like WordFence and WPScan). In many cases if this was done that would be enough to get them fixed. In other cases, when the vulnerability does not get fixed, the plugin will be pulled from the WordPress.org Plugin Directory and that will prevent more websites from adding the vulnerable plugins (alerting people that they are using plugins that have been removed from the directory is something we have been pushing for years).

We have more than enough time taken up looking into security issues in plugins, so we rarely look into security issues with themes, but we happened upon one last week that shows the lack of reporting extends to theme issues. Back on February 13 an authenticated arbitrary file upload vulnerability was disclosed in the current version of the Fusion theme, which was available on the WordPress.org Theme Directory. After confirming that the vulnerability existed we reported it to WordPress.org and then within an hour it was pulled from the directory.

What was troubling is that we don’t appear to have been the only people that had taken a look. Here is a screenshot of the graph of downloads from right before the theme was taken down from the Theme Directory:

[Figure: download graph for the Fusion theme from right before it was removed from the Theme Directory]

We are pretty sure that spike in downloads shortly after the disclosure is related to people looking into the vulnerability and yet no one else looking at the issue bothered to report it. That includes the people at WPScan, who again included a vulnerability in their vulnerability database, but didn’t report it.

E-mail autofill blunder leaks personal details of G20 world leaders

A mistake with Microsoft Outlook's autofill feature sent personal details of the world's top leaders attending the G20 summit in Brisbane, Australia, to organizers of the Asian Cup soccer tournament. Those affected include the presidents of the US, China, Russia, Brazil, the European Commission, France, and Mexico; the prime ministers of Japan, India, the UK, Italy, and Canada; and the German Chancellor. Among the information disclosed was the passport numbers, visa details, and other personal identifiers.

The blunder occurred on November 7 last year, just before the G20 summit took place. Details are contained in an e-mail sent to the Australian privacy commissioner by the director of the visa services division of Australia's Department of Immigration and Border Protection, obtained by The Guardian using a freedom of information request. The e-mail explains: "The cause of the breach was human error. [Name redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person."

Rather surprisingly, in view of the individuals involved, they were not informed of this breach when it was discovered. The director of the visa services division explained why in the e-mail obtained by The Guardian: "Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the e-mail, I do not consider it necessary to notify the clients of the breach."


GitHub battles “largest DDoS” in site’s history, targeted at anti-censorship tools

GitHub, the largest public code repository in the world, is currently battling against the largest and most gnarly distributed denial of service (DDoS) attack in the site's history. The attack started on Thursday morning (March 26), and has continued unabated since then, evolving several times to circumvent GitHub's defenses. The ongoing attack appears to originate from China, with the DDoS specifically targeting two GitHub projects that are designed to combat censorship in China: GreatFire, and cn-nytimes, a Chinese language version of the New York Times.

According to a security researcher at Insight Labs, the DDoS is being caused by some nefarious JavaScript that is being injected by "a certain device at the border of China's inner network and the Internet" when people visit the Baidu search engine. The JavaScript tells the user's browser to request two GitHub URLs: "https://github.com/greatfire/" and "https://github.com/cn-nytimes/". Multiply that by millions of Baidu users, and voilà: a DDoS on GitHub.

The GitHub Status page gives us some insight into the ongoing attack. GitHub has managed to get successful mitigations into place several times, but it's still all-hands-on-deck as the attack continues to evolve. If you look at the longer-term status graphs, you can see spikes of reduced availability/higher latency on March 26, 27, and 28, but for the most part it looks like the DDoS has been mostly quashed for now.
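The attack mechanism described above has a distinctive server-side fingerprint: every browser pulled into the flood sends the Referer of the page that hosted the injected script, so the targeted paths show high volume with almost all requests referred by one site, whereas genuinely popular repositories see a spread of referring sites. The following Python script is an added illustration of that detection idea; it is not GitHub's own mitigation code and is not from the article. The access-log lines are constructed in combined log format (RFC 5737 documentation addresses), and the thresholds `min_requests=5` and `min_referer_share=0.8` are assumed values chosen for the sample, not figures from the page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real GitHub logs.
# The first two paths mimic the pattern described in the article: many hits, all
# referred by one search engine. The others mimic ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2015:10:00:01 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=news" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2015:10:00:01 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=weather" "Mozilla/5.0"
203.0.113.12 - - [27/Mar/2015:10:00:02 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=music" "Mozilla/5.0"
203.0.113.13 - - [27/Mar/2015:10:00:02 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=sports" "Mozilla/5.0"
203.0.113.14 - - [27/Mar/2015:10:00:03 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=travel" "Mozilla/5.0"
203.0.113.15 - - [27/Mar/2015:10:00:03 +0000] "GET /greatfire/ HTTP/1.1" 200 512 "http://www.baidu.com/s?wd=food" "Mozilla/5.0"
203.0.113.20 - - [27/Mar/2015:10:00:04 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 640 "http://www.baidu.com/s?wd=news" "Mozilla/5.0"
203.0.113.21 - - [27/Mar/2015:10:00:04 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 640 "http://www.baidu.com/s?wd=film" "Mozilla/5.0"
203.0.113.22 - - [27/Mar/2015:10:00:05 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 640 "http://www.baidu.com/s?wd=games" "Mozilla/5.0"
203.0.113.23 - - [27/Mar/2015:10:00:05 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 640 "http://www.baidu.com/s?wd=cars" "Mozilla/5.0"
203.0.113.24 - - [27/Mar/2015:10:00:06 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.5 - - [27/Mar/2015:10:00:06 +0000] "GET /torvalds/linux HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.6 - - [27/Mar/2015:10:00:07 +0000] "GET /torvalds/linux HTTP/1.1" 200 2048 "https://news.ycombinator.com/" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:07 +0000] "GET /torvalds/linux HTTP/1.1" 200 2048 "https://www.reddit.com/r/linux" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2015:10:00:08 +0000] "GET /torvalds/linux HTTP/1.1" 200 2048 "https://lwn.net/" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2015:10:00:08 +0000] "GET /torvalds/linux HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
198.51.100.10 - - [27/Mar/2015:10:00:09 +0000] "GET /octocat/Hello-World HTTP/1.1" 200 1024 "http://www.baidu.com/s?wd=hello" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access-log line; return a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-" means the browser sent no Referer header at all.
    rec["referer_host"] = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    return rec


def find_referer_driven_floods(lines, min_requests=5, min_referer_share=0.8):
    """
    Flag request paths whose traffic is both high-volume and dominated by a single
    referring host. Thresholds are assumed values for this sample, not tuned figures.
    Returns {path: {"requests": n, "top_referer_host": host, "share": fraction}}.
    """
    by_path = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the analysis
        by_path[rec["path"]][rec["referer_host"]] += 1

    flagged = {}
    for path, hosts in by_path.items():
        total = sum(hosts.values())
        host, count = hosts.most_common(1)[0]
        share = count / total
        # Requests with no Referer are never treated as a referring host.
        if host is not None and total >= min_requests and share >= min_referer_share:
            flagged[path] = {"requests": total, "top_referer_host": host, "share": share}
    return flagged


if __name__ == "__main__":
    for path, info in find_referer_driven_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {info['requests']} requests, {info['share']:.0%} via {info['top_referer_host']}")
```

On the constructed sample, `/greatfire/` and `/cn-nytimes/` are flagged (the latter sits exactly on the 80% share threshold because one of its five requests carries no Referer), while `/torvalds/linux` has the same request count but five different referers and is left alone. In practice this heuristic would run over a sliding time window and feed a rate limiter or a rule that serves the flagged paths from cache, rather than blocking outright, since the requesting browsers belong to ordinary users.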
