
Gotham Security Daily Threat Alerts

January 23, Softpedia – (International) Remote code execution flaw found in iPass Open Mobile Windows Client. A security researcher at Code White GmbH reported a vulnerability in the iPass Open Mobile Windows Client that could allow an attacker to execute arbitrary code by sending a specially crafted Unicode string to a subprocess running with SYSTEM privileges. The developers released a patch to address the flaw. The iPass network includes free and open-access hotspots, certain hotel and convention venues, Internet access on Wi-Fi-equipped trains, and in-flight Wi-Fi on airplanes. Source

January 23, Securityweek – (International) Three OS X vulnerabilities disclosed by Google. Google released a report containing details and proof-of-concept code for three vulnerabilities affecting Apple’s OS X operating system, including a code execution vulnerability, a memory corruption bug, and a sandbox escape, which were originally reported on October 20, October 21, and October 23. Source

January 23, Softpedia – (International) “Friendlier” Critroni ransomware variants spotted in the wild. Security researchers at Trend Micro discovered new strains of the Critroni ransomware (CTB-Locker) in January that allow a grace period of 96 hours, offer the opportunity to decrypt five files, and increase the ransom amount. Source

Gotham Security Daily Threat Alerts

January 22, Help Net Security – (International) Angler exploit kit goes after new Adobe Flash 0-day flaw. A malware researcher discovered that the popular Angler exploit kit is using an unconfirmed zero-day vulnerability in Adobe Flash Player, exposing users of Windows XP, 7, and 8 running Internet Explorer 6, 7, 8, and 10 to the Bedep trojan, which makes victims’ computers perform ad-fraud calls. Source

January 22, Securityweek – (International) Google fixes 62 security bugs with release of Chrome 40. Google announced the release of Chrome 40 for Windows, Mac OS, and Linux, closing 62 vulnerabilities; the release also disables SSL 3.0, a protocol found to be vulnerable to POODLE attacks. Source

January 22, The Register – (International) Remote code execution vulns hit Atlassian kit. Atlassian has released updates to patch a serious vulnerability, an Object-Graph Navigation Language (OGNL) double evaluation flaw found in all versions of its Confluence, Bamboo, FishEye, and Crucible products, that could allow an attacker who can reach the products’ Web interfaces to execute Java code of their choice on the affected systems. Source

January 22, Help Net Security – (International) Click-fraud malware brings thousands of dollars to YouTube scammers. Researchers at Symantec reported a two-component click-fraud malware dubbed Tubrosa, which could allow an attacker to compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views and take advantage of the YouTube Partner Program validation process. Source

January 22, Softpedia – (International) Tesla Model S hacked to start without key. Qihoo 360 reported a vulnerability in the Tesla Model S discovered during a demonstration at the SyScan security conference in Beijing that could allow an attacker to unlock the vehicle, start the engine, and drive away with the vehicle by intercepting the communication between the key fob and the car. Tesla officials confirmed the flaw and stated that a fix would be released to close the vulnerability. Source

The State of BYOD – and In-flight Entertainment

Recently I was on a United flight to a conference in Las Vegas, and upon boarding the plane, noticed that there were no headset displays. I don’t fly all that much to begin with; maybe once or twice a year, but of course, I rolled my eyes at the lack of in-flight entertainment. While the remaining passengers were boarding, I debated ordering some gadget from the SkyMall catalog, and started to review United’s magazine, Hemispheres, which has various articles about destinations, food, etc. – and United’s in-flight entertainment. Wait, what?

United actually does have in-flight entertainment; however, you need your own device (laptop, iPad, etc.). Prior to takeoff, we were instructed to switch our devices to airplane mode, which was a first for me, as I was used to turning devices off. Once we hit cruising altitude, the plane provided Wi-Fi access. This included free browsing to United’s website, and paid browsing/email sync and streaming of movies/TV shows. I assume United has a media server that streams the movies and TV shows. There wasn’t an option for live TV – at least not on my flight.

Why am I telling you this awesome story about in-flight entertainment on United? For the miles, of course (just kidding). This is actually an excellent example of bring your own device (BYOD) in action. One of the main concerns with BYOD is supporting multiple end-point devices. Instead of investing in headset displays and maintenance of those displays, United put the display portion on the customer. Similarly, some software companies provide a stipend for users/customers to purchase any device they want to connect into the backend environment. In those cases, the companies don’t support the end-point devices.

For BYOD to really take off, companies need to think outside the box like United. It makes sense for the company, and to a certain degree, the end user. I only saw two flaws in United’s BYOD in-flight entertainment: the lack of power outlets, and customers who don’t have a device. Then again, a good book works just fine without either of those items.

To discuss more about BYOD and the technologies that support that initiative, please reach out to your Gotham account manager.


Don’t Forget to Check the Batteries on Your Citrix XenApp Servers!

Most disk array controllers on servers include a piece of RAM that can be utilized to temporarily buffer data being written to or read from disk. Since access to RAM is significantly faster than disk access, this cache can enhance overall server performance. With respect to Citrix XenApp servers, improved server performance can lead to much higher user density per server.

Unlike disk, RAM is volatile, which means it needs power to retain the stored information. Array controllers usually come with a battery pack that allows them to cache write data safely. In the event of a power disruption, the battery provides enough power to flush all cached data to disk. The majority of hardware vendors won’t even allow you to enable write cache until a battery is attached. They will also often automatically disable write cache when there is a battery fault.

Having a battery fault or no battery at all can cause significant performance degradation on your servers during times of heavy writes. This typically occurs on a Citrix XenApp server during the loading of profiles and the use of applications that require heavy writing of temporary files (e.g., browsing websites in Internet Explorer). During these times of heavy writes, users may report sessions freezing and delayed logons. System administrators may see disk queue alerts on the Windows performance counters. However, if the problem is extreme enough, the system can enter a temporary hung state, and no performance data will be collected, so you may not receive any alerts at all.

The lesson to be learned is if you are using physical servers in your Citrix XenApp environment, make sure you check the batteries on your array controllers on a regular basis. It can be a small fix for a much larger problem.

Learn the pitfalls of updating from SHA1 to SHA2 before it’s too late!


What the SHA is going on with my Citrix Access?!?

The news is that SHA1, a very popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared (almost) ten years ago. In 2012, some calculations showed how breaking SHA1 was becoming feasible for those who can afford it. In November 2013, Microsoft announced that it would no longer accept SHA1 certificates after 2016. So what does this mean to you and your Citrix environment? To understand how this might affect your environment, let us first discuss, at a high level, what a certificate and its chain are and how that chain works to provide secure access into your environment.

An SSL Certificate is a small data file that digitally binds a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol (over port 443), and allows secure connections between a web server and a browser. SSL Certificates need to be issued under a trusted Certificate Authority’s Root Certificate, which must be present on the end user’s machine in order for the certificate to be trusted. If it is not trusted, the browser will present untrusted-certificate error messages to the end user. In the case of Citrix, users may receive the following error message(s) when attempting to launch a published resource:

Error: “Connection Error. Citrix Receiver could not establish connection with remote host”


Cannot connect to the Citrix XenApp server. SSL Error 61: You have not chosen to trust “”, the issuer of the server’s security certificate.
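Before the deadline bites, the practical check is to walk the chain your Citrix gateway serves and see which certificates are still SHA-1 signed. The script below is an added example, not from the original post or from Citrix; it assumes the openssl CLI is installed and takes a PEM bundle (server certificate followed by its intermediates, e.g. as saved from the gateway or from `openssl s_client -showcerts`). A self-signed root is reported separately, since a trust anchor’s own signature is never validated and a SHA-1 root is harmless.

```shell
#!/bin/sh
# Added example (not the post's own code): report the signature algorithm of every
# certificate in a PEM chain file and flag SHA-1 signatures on non-root certificates.
# Assumes the openssl CLI is available; the chain path is supplied by the caller.
set -e

# Prints one tab-separated line per certificate: index, subject, issuer, sigalg, verdict
audit_chain_sha1() {
    chain="$1"
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...)
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$chain"
    i=0
    for cert in "$tmpdir"/cert*.pem; do
        i=$((i + 1))
        subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
        # First "Signature Algorithm:" line in the text dump is the one in the TBS block
        sigalg=$(openssl x509 -in "$cert" -noout -text |
                 sed -n 's/.*Signature Algorithm: //p' | head -n 1)
        if [ "$subj" = "$issuer" ]; then
            verdict="self-signed-root"        # trust anchor: its signature is not checked
        else
            case "$sigalg" in
                sha1*) verdict="WEAK-SHA1" ;; # will fail Microsoft's post-2016 policy
                *)     verdict="ok" ;;
            esac
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$i" "$subj" "$issuer" "$sigalg" "$verdict"
    done
    rm -rf "$tmpdir"
}
```

Run it as `audit_chain_sha1 chain.pem`; any line ending in WEAK-SHA1 is a certificate that needs reissuing from a SHA-2 CA before the deadline.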


Gotham Security Daily Threat Alerts

January 21, Securityweek – (International) Siemens fixes vulnerabilities in SCALANCE, SIMATIC solutions. Siemens released firmware updates for the SCALANCE X-300 switch family and the SCALANCE X408 running firmware versions prior to 4.0 to address denial of service (DoS) vulnerabilities that could be exploited by an unauthenticated attacker to make a device reboot, either by sending malformed HTTP requests or by sending specially crafted network packets to the device’s FTP server. Source

January 21, Softpedia – (International) Ransomware incidents on an upward trend, FBI warns. The FBI issued an alert January 20 warning computer users of a newer variant of the CryptoWall data-encryption malware, which infects computers and restricts users’ access to their files until a fee is paid and the files are unlocked. The malware has been spotted in the wild featuring localized ransom messages and attempting to connect to decryption services hidden in the Invisible Internet Project (I2P) network. Source

January 21, Krebs on Security – (International) Java patch plugs 19 security holes. Oracle released its quarterly patch update for Java, closing at least 19 security vulnerabilities including 13 flaws that are remotely exploitable. Source

January 21, Threatpost – (International) Hard-coded FTP credentials found in Schneider Electric SCADA Gateway. Schneider Electric released an update to address two flaws in its ETG3000 FactoryCast HMI Gateway, a Web-based SCADA system used in manufacturing, energy, water, and other industries, that could allow unauthenticated remote access to the device’s FTP server and configuration files. Source

January 19, Threatpost – (International) Potential code execution flaw haunts PolarSSL library. Researchers at Certified Secure discovered a vulnerability in PolarSSL, an open-source SSL library, that could enable an attacker to achieve remote code execution or cause a denial of service (DoS). Source

Gotham Security Daily Threat Alerts

January 20, Securityweek – (International) VideoLan says flaws exist in codecs library, not VLC. A security researcher discovered two vulnerabilities in libavcodec, a free open-source audio/video codec library used by the VLC, Xine, and MPlayer media players, that could allow an attacker to corrupt memory and execute arbitrary code. Source

January 20, Securityweek – (International) CSRF flaw allowed attackers to hijack GoDaddy domains. A security researcher discovered that Internet domain registrar GoDaddy failed to implement any cross-site request forgery (CSRF) protections for many DNS management actions which an attacker could have exploited to edit nameservers, edit DNS records, and modify automatic renewal settings. GoDaddy took measures to fix the vulnerability and introduced CSRF protections for sensitive account actions January 19. Source

January 20, Softpedia – (International) Oracle addresses 167 bugs in critical patch update. Oracle released its quarterly Critical Patch Update January 20, closing 167 vulnerabilities found in 48 of the company’s products. Oracle Fusion Middleware received 35 security patches, more than any other product, including 28 for vulnerabilities that are remotely exploitable without authentication. Source

January 20, CNET News – (National) Verizon races out fix for email security flaw. Verizon patched a serious vulnerability in its My FiOS mobile app after a security researcher discovered a flaw that could allow a user to access any Verizon email account, scan the inbox, read individual emails, and send messages. Source

January 19, Help Net Security – (National) 2+ million US cars can be hacked remotely, researchers claim. A researcher with Digital Bond Labs presented a vulnerability at the S4 conference in Miami that he identified by reverse-engineering the Snapshot tracking dongle offered by Progressive Insurance, which is currently in use in over 2 million vehicles across the U.S. Because of minimal security in the dongle’s firmware, an attacker could remotely compromise a car’s on-board system via Snapshot and control some of the car’s core functions. Source
