Those interested in learning a bit more about national cyber warfare and vulnerabilities that the US has in this regard should watch the CBS program, 60 Minutes, where they discussed this. Most of their sources are very credible and I heard very little that wasn’t a current reality.
Posts Tagged ‘Vulnerability Assessment Tools’
North Korea is probably not to blame for the DDOS attacks in 2009
Tuesday, July 13th, 2010
Many of you might remember the distributed denial of service (DDOS) attacks that hampered several US websites about a year ago. The source of the attacks appeared to be North Korea. Now, the US says that there is no conclusive evidence that the attacks came from North Korea at all. This is very common. A good hacker will attack a system from a non-friendly nation state. In other words, if you want to attack the U.S., use a North Korean computer to do it, because there is little if any cooperation in working to identify the culprit. Of course, the computer in North Korea would be controlled by one in the U.K., which would be controlled by one in Iran, etc. These are the standard tactics experienced hackers use to keep from getting caught. In this particular DDOS attack case, they say that it is very unlikely that the culprit will ever be found.
Apple isn’t more or less secure than other operating systems
Friday, July 9th, 2010
I am not claiming that Apple is more or less secure than any other operating system. But I do run across those who feel Apple can do no wrong and that the Apple operating system and the other software Apple creates is nearly bug free and vulnerability free. All software has bugs and vulnerabilities, and Apple is no different. For example, a couple of weeks ago Apple issued an updated version of its Safari web browser that fixes AT LEAST 48 security flaws. All software has vulnerabilities and all software needs to be patched. Don’t get into the mindset that you are using something that is exempt.
Malicious websites continue to be hackers’ weapon of choice
Wednesday, July 7th, 2010
For a couple of years now I have been explaining how the weapon of choice for hackers is to use malicious websites. It is exponentially easier for them to exploit systems this way, and these methods completely bypass traditional network firewalls and intrusion detection and prevention systems. Take for example the series of attacks that were reported June 9, 2010. Tens of thousands of web pages were found to be infected with malware. The hackers discovered a vulnerability in Microsoft IIS that they could exploit in an automated way. They then infected the websites to redirect visitors to malicious servers, where malware is installed on the user’s desktop. A redirection is very easy to do and takes only a single line of code. There were more than 100,000 web pages compromised in this attack alone. These aren’t just unknown sites either; they include The Wall Street Journal and many other sites that your users access every day. Organizations need to think beyond the network-based intrusion detection system if they really want to protect their networks.
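The single injected line described above leaves a fingerprint that a site owner can scan their own pages for. The following is an added example, not code from the original post: it walks a page's HTML and reports every script, iframe, meta-refresh or JavaScript location redirect whose target is off the site's own domain; the sample pages and the hostnames in them are constructed.

```python
"""Flag redirect and content-loading primitives in HTML that point off-site.

A compromised page typically carries one injected <script>, <iframe> or
meta refresh pointing at the attacker's server. Anything that loads from or
redirects to a host other than the site's own is reported. Added example; the
sample pages below are constructed, not taken from the incident.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in third-party content, and the attribute carrying the URL.
_SRC_TAGS = {"script": "src", "iframe": "src", "frame": "src", "object": "data", "embed": "src"}
# Inline JavaScript redirects of the form  location.href = "http://..."
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
# The url= part of a <meta http-equiv="refresh" content="0; url=...">
_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)


class _RedirectFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []      # list of (kind, url)
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        # Relative URLs have no host and stay on-site; a host must be ours or a subdomain.
        return (host is not None and host.lower() != self.own_host
                and not host.lower().endswith("." + self.own_host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in _SRC_TAGS:
            url = attrs.get(_SRC_TAGS[tag])
            if url and self._offsite(url):
                self.findings.append((tag, url))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(attrs.get("content") or "")
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; look for location assignments.
        if self._in_script:
            for url in _JS_REDIRECT.findall(data):
                if self._offsite(url):
                    self.findings.append(("js-location", url))


def find_offsite_redirects(html, own_host):
    """Return [(kind, url)] for every off-site load or redirect primitive in html."""
    finder = _RedirectFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a legitimate page, and the same page with one injected line.
CLEAN_PAGE = '<html><head><script src="/js/app.js"></script></head><body>ok</body></html>'
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://evil-cdn.example/x.js"></script>'

if __name__ == "__main__":
    for kind, url in find_offsite_redirects(INJECTED_PAGE, "www.example.com"):
        print(f"off-site {kind}: {url}")
```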
Identifying security vulnerabilities is only the first step
Tuesday, June 29th, 2010
Most information security experts talk about vulnerability management quite a bit. This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside hackers and the like. Unfortunately, that is where vulnerability management ends for many organizations, and by itself it offers little threat mitigation. Identifying the vulnerabilities is step 1, but there are several other steps if you want this information to improve your security posture. Determining the legitimacy and reality of the identified vulnerabilities for your organization is another step. Prioritizing patching and other mitigation strategies is another. And finally, implementing the fixes where needed is the final step. Most organizations don’t do these additional steps, which at a minimum means the assessment does nothing to improve their security and could in fact increase their liability if a data breach occurs (knowing the vulnerability existed and doing nothing about it). This issue gets more complicated for organizations that need to comply with various regulations or requirements. For example, those that must adhere to the PCI DSS are required to do quarterly vulnerability assessments. All too often the emphasis is placed on doing whatever it takes to pass an audit as opposed to what it takes to be the most secure. I thought this article from Dark Reading was good at highlighting the issues.
Cyber Security Risks for SEC Filings
Friday, June 25th, 2010
If you belong to a public company, you are familiar with the SEC filing requirements that oblige you to disclose risks to the stock and the bottom line. Many public companies have now started including cyber security risks as part of those SEC filings. This includes Google, after hackers compromised internal systems. The Google SEC filing states “because the techniques used [by hackers]…change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures.” If you are part of a public company, you may want to consider something similar.
Subscribers information wasn’t the only thing captured in the Apple data breach
Tuesday, June 22nd, 2010
Goatse, the hacking firm that discovered the vulnerability on AT&T’s website that exposed 144,000 iPad subscribers’ information, including name, account number and email address, does not like how AT&T has portrayed them. They wrote an explicit response to that letter here. I still think Goatse could have done things a bit differently. According to them, they notified a third party, who Goatse claims was a journalist, and then promptly destroyed the data. In other reports that I read, there were several third parties that were notified. I don’t have any idea if they were all journalists or not. The proper way to handle situations like this (if you aren’t trying to get free publicity and are truly just trying to do the right thing) is to contact AT&T directly and work with them until the vulnerability is fixed. Then you can disclose what happened. This is of course much easier said than done, but I still don’t think that Goatse followed the right steps. But that doesn’t put them in the wrong either. They could have done much worse with the vulnerability they discovered and the information they gathered.
All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before. One of the pieces of information that they captured (or rather systematically guessed and then verified through data extraction) is the ICC-IDs. This is the unique identifier on the iPad. Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes. This could have very serious security ramifications, especially when you consider those who were among that list of 144,000. If this were really possible (which no one has shown that it is yet), it is certainly a privacy issue but would verge on a national security problem. Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times. There are a lot of scary scenarios that we could talk about if this were really possible. But I didn’t think of the risk the ICC-IDs could potentially pose when I wrote my initial blog post.
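The harvesting described in these two posts (systematically guessing identifiers and submitting each one to a lookup endpoint) is visible in that endpoint's own access logs, because a real subscriber asks about one ICC-ID while an enumerator asks about thousands of adjacent ones. As an added example that is not part of the original post, the script below groups requests by client and flags those whose ICC-ID values are numerous and mostly sequential; the endpoint path, parameter name and log lines are constructed.

```python
"""Flag clients that walk an identifier space against a lookup endpoint.

A legitimate client looks up its own ICC-ID; an enumerator looks up thousands,
most of them adjacent to one another, and collects many misses along the way.
Requests are grouped by client IP and a client is reported when its distinct
ICC-IDs are numerous and mostly sequential. Added example; the log lines,
endpoint path and parameter name are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache combined-log prefix: client, [timestamp], "METHOD path HTTP/x", status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_lookups(lines, param="ICCID"):
    """Yield (client_ip, iccid, status) for each request that carries the parameter."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        for raw in parse_qs(urlparse(m.group("path")).query).get(param, []):
            if raw.isdigit():
                yield m.group("ip"), int(raw), int(m.group("status"))


def enumeration_suspects(lines, min_distinct=20, min_sequential=0.8, param="ICCID"):
    """Return {ip: (distinct_ids, sequential_ratio, failed_lookups)} for enumerators.

    sequential_ratio is the share of sorted distinct IDs lying within 10 of their
    predecessor, i.e. walked in order rather than looked up ad hoc.
    """
    ids_by_ip = defaultdict(set)
    failures = defaultdict(int)
    for ip, iccid, status in parse_lookups(lines, param):
        ids_by_ip[ip].add(iccid)
        if status >= 400:
            failures[ip] += 1
    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= 10)
        ratio = adjacent / (len(ordered) - 1)
        if ratio >= min_sequential:
            suspects[ip] = (len(ordered), round(ratio, 2), failures[ip])
    return suspects


def _log_line(ip, iccid, status=200):
    # Constructed Apache combined-format line; no real hosts or subscribers.
    return (f'{ip} - - [10/Jun/2010:08:00:00 -0400] '
            f'"GET /accounts/lookup?ICCID={iccid} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one subscriber checks its own ICC-ID; one client walks a block
# of 50 consecutive IDs and then probes five more that do not exist (404s).
_BASE_ICCID = 8901410400000000000
SAMPLE_LOG = [_log_line("198.51.100.7", _BASE_ICCID + 7)]
SAMPLE_LOG += [_log_line("203.0.113.9", _BASE_ICCID + i) for i in range(50)]
SAMPLE_LOG += [_log_line("203.0.113.9", _BASE_ICCID + 1000 + i, 404) for i in range(5)]

if __name__ == "__main__":
    for ip, (n, ratio, failed) in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct ICC-IDs, {ratio:.0%} sequential, {failed} misses")
```

In production the same grouping would be fed into rate limiting or an alert; the thresholds here are assumptions to tune against real traffic.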
Patch for zero-day Adobe flaws will be available on June 29
Friday, June 18th, 2010
There are still many people who do not believe that malware can be installed on their computer unless they perform some action that enables it. For example, they think they have to click on a link or open a file attachment before they are infected. This simply isn’t the case anymore. Take for example the recent Adobe Flash vulnerability. Specially crafted PDF documents can trigger this malware being installed on your system just by visiting a website. This vulnerability is so critical that Adobe had to accelerate its scheduled quarterly update to reduce the risk, since this exploit is being actively seen in the wild. The fix for Flash was available June 10 and the fixes for Reader and Acrobat will be available on June 29.
Security Alert for Windows XP and Server 2003 Users
Tuesday, June 15th, 2010
Perimeter E-Security customers should be aware of a Microsoft Windows XP and Server 2003 exploit. Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 operating systems remotely. This is possible due to a newly discovered security flaw in the way Windows Help and Support Center processes links. These systems are supposed to work based on a fixed “whitelist” (a list of approved and authorized URLs); however, a security researcher at Google has shown how cyber criminals can add URLs to that whitelist. As a result, an attacker could trick a user into following a link which could download any file the hacker would like. The link and downloaded files run with the same permissions as the system’s current user. Many systems are configured by default with the user having administrative privileges.
Microsoft said “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” this includes worms and a host of other malware that can automatically exploit this code through a variety of methods.
This is worse than most vulnerabilities we see. Most vulnerabilities allow the system to be compromised in a specific way that may allow limited access or flexibility to the hacker. This vulnerability makes it very easy for the cyber criminal to install any software they want as if they are the system administrator.
The solution?
- There is no automated fix from Microsoft at this time. However, there is a manual “workaround.”
The manual “workaround” involves editing the Registry. Note – only experienced system administrators should manually edit the registry. One wrong move can cause major stability and bootup problems. The details for the registry edit can be found in the Microsoft Security Advisory (2219475).
Beware that Microsoft says that this may break links that you are trying to use in the Help and Support Center. Microsoft has also posted a knowledge base article with a “fixit” here.
- Stay tuned for more details from Microsoft
Microsoft is working on a patch. The Google researcher who discovered the flaw has released a fix; however, Microsoft says that this fix is easily bypassed and that users should not rely on the Google fix to resolve the problem.
While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing. Read more on this here. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.
Contact us today at 800.234.2175 to talk with a security expert if you have further questions.
Critical Zero-Day Vulnerability in Adobe Reader and Flash Player
Tuesday, June 15th, 2010
There is a critical zero-day flaw in Adobe Reader and Adobe Flash Player that can allow attackers to take full control of vulnerable computers. Of course, because nearly everyone has Adobe Reader and Flash Player, and because it is a 0-day exploit, that means that nearly everyone is vulnerable. Well, that isn’t entirely true, because it affects only particular versions, but still, it will affect a lot of people. There are some reports that say that the vulnerability is being exploited “in the wild”. The scary thing about application vulnerabilities is that they often affect more than just one operating system. This one is a good example, where the flaw exists on Windows, Mac, Linux and Solaris.
iPad Owners Exposed – AT&T and Apple Security Breach
Friday, June 11th, 2010
Read about it here. Here is what I think about it.
Poor website security practices by AT&T led to the breach, but like many breaches, AT&T is just the third party. So when everyone references this breach in the future it will be Apple’s name, not AT&T’s. That being said, this is somewhat symbolic, because emails by themselves usually don’t constitute a data breach. It is unclear what other information, if any, was also captured. This is an interesting case because at no other time would anyone care about email addresses being exposed. This isn’t about a data breach; it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses. A list like this simply doesn’t exist. But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners who signed up for the 3G service. While they say 114,000 emails were compromised, it is likely that many others were compromised as well. Personally, this is where I think Goatse stepped over the line. They detected and exploited the vulnerability. They told AT&T about it. They wanted press and they have it. But they said that they gave the vulnerability exploit and script to others. Who are these others? What did they do with this information? It is always a slippery slope when a rogue security firm does this type of thing in the first place. But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use. That is what makes it go from grey to black very quickly. Let’s all remember it is just email addresses (as far as we know). It isn’t like someone hacked into the government, took over the president’s “red phone” and called in a nuclear strike. But due to the high-profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.
Network-Based IDS/IPS and Their Value and Challenges in the Current Market
Thursday, June 3rd, 2010
I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment. These were some of my responses:
What are the greatest challenges now?
- Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.
- Additionally, more and more hackers are using malware to do their dirty work for them rather than traditional inbound attacks, where IDS/IPS systems are most effective. If the hacker can get malware on the internal system, it renders IDS/IPS systems useless. This is why methods to install and spread malware have absolutely exploded, especially malware websites (although this is just one of several methods). Once malware is installed on the local system, the bad guys can create encrypted tunnels back to their command and control networks. IDS/IPS systems cannot read encrypted packets, so essentially this all happens “under the radar” of traditional security solutions.
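Even when the contents of the tunnel cannot be read, its timing can: a call-home beacon fires on a timer, and human-driven traffic does not. The code below is an added example, not part of the original interview; it flags connection series whose intervals are too regular, using constructed flow records and assumed thresholds.

```python
"""Spot malware call-home beacons from connection metadata alone.

A network IDS/IPS cannot inspect an encrypted tunnel, but the tunnel still
leaves metadata: an internal host opening connections to the same external
endpoint at near-constant intervals. Flow records are grouped by
(source, destination, port) and a series is flagged when the gaps between its
connections show very little jitter relative to their mean. Added example; the
flow records are constructed and the thresholds are assumptions, not a
product's defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(flows, min_connections=8, max_cv=0.1):
    """Return {(src, dst, port): (count, mean_gap_s, cv)} for suspiciously regular series.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: human browsing is bursty (cv well above 1),
    a timer-driven beacon is not.
    """
    series = defaultdict(list)
    for ts, src, dst, port, _bytes_out in flows:
        series[(src, dst, port)].append(ts)
    candidates = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue  # not enough history to judge either way
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            candidates[key] = (len(times), round(mu, 1), round(cv, 3))
    return candidates


# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port, bytes_out),
# the fields a NetFlow or Zeek conn.log export would provide.
_T0 = 1276156800  # 2010-06-10 08:00:00 UTC
_DRIFT = [0, 0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1]  # seconds of jitter on a 300 s timer
FLOWS = [(_T0 + 300 * i + d, "10.0.0.5", "203.0.113.50", 443, 1200)
         for i, d in enumerate(_DRIFT)]
# A user browsing the same kind of HTTPS destination, connecting whenever they click.
FLOWS += [(_T0 + t, "10.0.0.8", "198.51.100.20", 443, 48000)
          for t in (0, 17, 95, 96, 400, 1300, 1302, 2900, 3100, 7200)]
# Regular, but too few connections to call it a beacon yet.
FLOWS += [(_T0 + t, "10.0.0.9", "192.0.2.33", 443, 900) for t in (0, 600, 1200)]

if __name__ == "__main__":
    for (src, dst, port), (n, gap, cv) in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}:{port}: {n} connections every ~{gap}s (cv={cv})")
```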
Which industries are most/least vulnerable?
- Any industry that houses valuable data is always a greater target. These include anything that can assist in identity theft or fraud for the hackers. Usually this means companies that house financial data or personally-identifying data. So, banks and healthcare providers are at the top of the list.
What are myths and realities about some of the current strategies and solutions?
- Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out. A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.
What are the key points you want to make in this interview?
- See the answer above to myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems is through the next generation HOST-BASED intrusion prevention system. Rather than network-based systems that can be bypassed or subverted, HIPS can be installed directly on the system you are trying to protect. It can protect it at a much higher level than traditional network-based solutions. It combines signature matching capabilities with behavioral techniques. When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries. And, don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems that, if they were compromised by a hacker or were unavailable for a period of time, would be problematic for your organization.
Network Barometer Report 2010
Thursday, May 6th, 2010
There was an interesting study published recently. It is called the Network Barometer Report 2010 and is done by Dimension Data, a global IT solutions and services provider. They perform assessments for organizations and released some of the findings from the previous year. They looked at 235 assessments during 2009 and found that over 38 percent of network devices, including routers, switches, and gateways, have some security vulnerabilities exposing them to external and internal security attacks. They said there were an average of 40.7 configuration best practice errors per device, 17 of which (on average) were security related. One of the more interesting aspects of this study was that 35 percent of network devices were found to be past “end of sale”, which means the vendor no longer sells that device and maintenance software and patches will not be available much longer. Of that 35 percent, more than one half were already beyond the end-of-software-maintenance date. These devices are obviously key targets for hackers.
New zero day vulnerability: Java Deployment Toolkit could be exploited to execute malicious code
Wednesday, April 14th, 2010
“A vulnerability in an NPAPI plug-in and ActiveX control called Java Deployment Toolkit could be exploited to execute malicious code. The flaw affects all recent versions of Windows and may affect versions of Linux as well. Attackers can exploit the flaw through maliciously crafted websites that pass commands to Java components that start certain applications, including Internet Explorer and Firefox.
Disabling the Java plug-in does not protect users from attacks.”
Browser Vulnerability May Expose Your Hard Drive to Hackers
Friday, February 5th, 2010
There may be a browser vulnerability that can expose your entire hard drive to hackers. While most people worry about remote code execution or hijacking of systems, this vulnerability would simply allow the hacker to access and download the entire contents of your hard drive, simply by accessing an infected or malicious website.
I find this an interesting story because the vulnerability is not traditional. What I mean is that usually there is a bug in a program that is exploited. In this case, there is really no vulnerability in any particular system, but when you use two separate systems (URL Security Zones and the IE file sharing protocol) together, this becomes a serious problem. As of today there is no patch available from Microsoft.
Mobile Devices Threaten Corporate Security
Tuesday, October 20th, 2009
Mobile devices are becoming a bigger and bigger issue as it pertains to vulnerabilities that can lead to exploitation. Keeping servers and desktops patched is simply not enough. In our world today, people use their iPhones to access, edit, send and store sensitive data (whether the company knows it or not). In September, Apple released 10 fixes for vulnerabilities in the iPhone. Some of these vulnerabilities could be exploited to access sensitive data that sits on the iPhone. Organizations need to have policies, procedures, and solutions in place that can address the issue of portable media if they want to reduce their exposure to a data security breach.
Microsoft Security Bulletins Raise Questions About Vulnerability Management
Monday, October 19th, 2009
More and more vulnerabilities all of the time. Microsoft announced 5 security bulletins that address 8 vulnerabilities. Each of the 5 bulletins had a maximum severity rating of “Critical”. People hear me talk all the time about how on average there are 20 new vulnerabilities found on a daily basis. Now, not all of those 20 affect each and every system, and not all of them are considered critical; but for Microsoft to announce 5 bulletins, all of which are marked as critical, makes you wonder if we are moving in the right direction when it comes to vulnerability identification and management. All of these flaws could be exploited to gain access to the vulnerable system WITHOUT ANY USER INTERACTION. These are very serious vulnerabilities. Be sure your systems are up-to-date with the latest patches.
Preventing Zero Day Attacks with Behavioral Based System Security
Friday, October 9th, 2009
Zero Day vulnerabilities are more prevalent than ever. The very definition of a zero day vulnerability is that there is no patch or fix available for it. As a result, we are seeing a greater and greater need for organizations to use different methods to protect their systems and networks. The methods that work best against this type of threat are behavioral in nature and reside right on the systems themselves. Host based intrusion detection and prevention is one such technology that can look at the system behavior and say “something doesn’t look right”, or “why would that process be doing that?”. Because the software is configured specifically for that system, it can look for behavioral exceptions and can take action. Behavioral based system security software with 24×7 management and monitoring is going to become more and more necessary to detect and stop these malicious attacks.
SANS Top Cyber Risks: Adobe and Flash Top List
Friday, October 9th, 2009
SANS put out their Top Cyber Risks Report recently. What was very interesting about this report is that they were able to determine that two types of vulnerabilities are the cause of the majority of attacks. The first is popular 3rd party programs such as Adobe Acrobat Reader and Flash Player. Many people still think that the free Microsoft Windows Update service will patch these types of applications…it will not. While Adobe is getting better at releasing versions of software that “self patch”, many are still using older versions of the software which have restrictions that prevent the automatic update or have the feature turned off.
The second type of vulnerability that is responsible for most exploits is unpatched flaws on legitimate websites. These sites are quite easily identified by cyber criminals, exploited and then they inject malicious software that can do any number of nefarious acts. This could be your site, this could be sites such as MSNBC.com, Walmart.com, History.com or any of hundreds of others that happen all of the time. If you host a website of any kind, be very cautious about these vulnerabilities and make sure your systems are staying patched.
All that being said, I have to applaud Firefox which will notify you if your Flash version is outdated. While it is believed that most systems (about 75% of Firefox users) have outdated versions installed, as soon as Firefox enabled this feature, 10 million users selected the link that redirected systems to a website where they could get the latest software version. Who knows how many users chose not to click the link. This is a great move in the right direction and I hope we see more of this.
Further information is available here:
Microsoft Announces Workaround for SMB Vulnerability
Thursday, October 8th, 2009
Microsoft publicly announced a workaround for an SMB vulnerability to protect users from a critical vulnerability in Server Message Block (SMB) version 2. The remote code execution flaw was disclosed in September. The workaround disables the network print and file sharing protocol to protect users until a fix is released. The flaw affects Microsoft Windows Vista, Windows Server 2008 and Windows 7 release candidates. The original security advisory (975497, originally issued September 7, 2009) includes a link to the workaround.
