Sudo privilege escalation flaw (CVE-2010-2956)

A CVE note that popped up this morning is linked to sudo versions before 1.7.4p4. The CVE record is not complete yet, but apparently sudo fails to restrict user access when using Runas groups with the group (-g) command line option. Secunia says it is related to the -u option. Sudo.ws puts it all together and explains it’s the -g combined with the -u.

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

In either case, a local user could escalate privileges, but only as defined for commands in the sudoers file. Examples of how to test the flaw are conveniently listed by Sudo.ws.
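To make the matching logic concrete, here is a small model of Runas_Spec matching written for this post. It is an added illustration, not sudo's own source: the sudoers grammar is reduced to parsing the parenthesised Runas part of a rule, the "flawed" matcher encodes the behaviour the advisory describes for versions before 1.7.4p4, the "fixed" matcher checks user and group independently, and the sample sudoers content and version strings are constructed for the demonstration. The version range check and the rule scanner are the kind of quick audit a defender would run to decide which hosts and which rules need attention.

```python
# Added illustration of the Runas-matching logic behind CVE-2010-2956.
# Simplified model written for this post, not sudo's own code.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RunasSpec:
    """Allowed -u targets and -g targets for one sudoers rule."""
    users: frozenset
    groups: frozenset


# Matches a Runas_Spec such as "(ALL)", "(:admin)" or "(root, www:admin)".
RUNAS_RE = re.compile(r"\((?P<users>[^:)]*)(?::(?P<groups>[^)]*))?\)")


def _split(field):
    return frozenset(x.strip() for x in field.split(",") if x.strip())


def parse_runas(spec):
    """Parse a Runas_Spec string into a RunasSpec."""
    m = RUNAS_RE.fullmatch(spec.strip())
    if m is None:
        raise ValueError("not a Runas_Spec: %r" % spec)
    return RunasSpec(_split(m.group("users")), _split(m.group("groups") or ""))


def _allowed(name, allowed):
    return name in allowed or "ALL" in allowed


def matches_fixed(spec, runas_user, runas_group):
    """Corrected logic: the -u user and the -g group are checked separately and
    both must be permitted. A rule written as "(:admin)" permits no explicit -u
    user at all, so "-u root -g admin" is refused."""
    user_ok = runas_user is None or _allowed(runas_user, spec.users)
    group_ok = runas_group is None or _allowed(runas_group, spec.groups)
    return user_ok and group_ok


def matches_flawed(spec, runas_user, runas_group):
    """Pre-1.7.4p4 behaviour as the advisory describes it: once -g is given and
    that group is allowed, the rule counts as a positive match and the -u user
    is never compared against the rule's user list."""
    if runas_group is not None:
        return _allowed(runas_group, spec.groups)
    return runas_user is None or _allowed(runas_user, spec.users)


def version_key(version):
    """Turn 'Sudo version 1.7.4p3' or '1.7.4p3' into a comparable tuple;
    a release without a 'p' suffix sorts as patch level 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if m is None:
        raise ValueError("no version number in %r" % version)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version):
    """True for the range named in the post: 1.7.0 up to, not including, 1.7.4p4."""
    return (1, 7, 0, 0) <= version_key(version) < (1, 7, 4, 4)


def rules_with_runas_group(sudoers_text):
    """Return sudoers rules whose Runas_Spec carries a group list; on an
    affected version these are the rules the flaw applies to."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RUNAS_RE.search(line)
        if m and parse_runas(m.group(0)).groups:
            hits.append(line)
    return hits


# Constructed sample sudoers content for the demonstration (not from a real host).
SAMPLE_SUDOERS = """\
# rule 1: plain user rule, no group list
alice   ALL = (root) /usr/bin/systemctl
# rule 2: group-only rule
%ops    ALL = (:backup) /usr/local/bin/dump.sh
# rule 3: user and group lists
bob     ALL = (www:admin) /usr/bin/vim
Defaults env_reset
"""

if __name__ == "__main__":
    spec = parse_runas("(:backup)")
    print("flawed  -u root -g backup ->", matches_flawed(spec, "root", "backup"))
    print("fixed   -u root -g backup ->", matches_fixed(spec, "root", "backup"))
    print("affected 1.7.4p3:", is_affected("Sudo version 1.7.4p3"))
    print("rules to review:", rules_with_runas_group(SAMPLE_SUDOERS))
```

The two matchers differ only in whether the -u user is consulted once a -g group has matched, which is exactly the point the advisory makes; the scanner shows that rule 1, with no group list, is untouched by the flaw, while rules 2 and 3 are the ones worth reviewing until the host is at 1.7.4p4.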

Company tries to fire IT admin for 2 cent loss

Yahoo! News says a firm can’t fire a man charged with a 1.8 cent theft

A German company that fired a man for the theft of 1.8 euro cents (two U.S. cents) worth of electricity had no grounds for sacking him, a court ruled, dismissing the firm’s appeal against his reinstatement.

Network administrator Oliver Beel lost his job after charging his Segway, a two-wheeled electric vehicle, at work in May 2009. After he connected the vehicle to the firm’s power source for 1-1/2 hours, his boss asked him to remove it.

Twelve days later Beel found himself without a job.

They might have had a better chance if they had a policy specifically against charging vehicles. Then some kind of violation could have been claimed. Instead the court highlighted that employees charged cell phones and other devices without penalty.

Free Laundry! Stored Value Card Password Fail

ihack ? iam has posted a highly amusing and detailed analysis of Web Laundry (In)Security.

Ok, now we just need to guess the write 7 password. The password is 24 bits… That gives us 16,777,216 attempts to brute force it. At 4 attempts per card that will take 4,194,304 cards or 2,097,152 cards on average… There must be an easier way… My next idea was to sniff the traffic between the reader and card to get an idea of what kind of data is being passed back and forth, then after wading through the paper above, implement the algorithm to crack the cipher itself. Then I found this little diddy in the datasheet

[…]

Surely you would think the engineer(s) implementing this weren’t negligent enough to leave the default password… you would be wrong.

This is very much along the same lines as my presentation at The Next HOPE on Keypad Entry Systems. Start with the most basic tests and you will be surprised how quickly things fail, even things sold as “Unmatched Security and Cutting Edge Technology”.

CSA gives CoC (certificate of competency)

Pay them just $195 and the Cloud Security Alliance (CSA) says they are willing to certify you as competent.

The CSA is perhaps most infamous for a remap of other standards to its own. Not satisfied with existing maps of NIST, ISO, HIPAA, FISMA, PCI, etc. they happily added a new column to the mix and called it…the CSA cloud control matrix. This immediately begged the question why be ISO or PCI certified when you can be CSA instead? Why adhere to Requirement 10 of PCI DSS when you can now adhere to CSA 15? Who needs ISO 6 when you have CSA 5?

They said it was to make things easier but now it sounds more difficult. I mean they might be implying that it is so hard that without a test you could be considered incompetent. Oh, wait, never mind. I just read the test, administered by Cosaint, is to demonstrate a “rudimentary understanding of cloud security”.

Marketing questions should be expected:

In which three ways can we distinguish cloud computing from traditional outsourcing?

The universal customer perspective is also on the test:

What is the key aspect of a cloud provider’s SAS 70 Type II audit statement a customer should review to determine if it meets customer requirements?

However, my favorite section of the test is on cloud grammar:

Why do communications between multiple virtual machines often evade tradition security monitoring systems?

If you do not know English well enough to find this obvious flaw…no CoC for you!

Who can resist this bargain? The test sounds like a no brainer! Act now because pricing goes up to $295 in 2011.

Just to clarify, the CSA seems to refer to it as the Certificate of Cloud Security Knowledge (CCSK) test but also the CSSK, while elsewhere I found it called a CoC test.

The latter of the three just rolls off the tongue, so to speak. If they are lucky, everyone might want their CoC. A CCSK, on the other hand, has the unfortunate overlap with clear cell sarcoma of the kidney, the second most common kidney tumor in children. I do not think anyone really wants CCSK.