Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for April 2015

Advanced Persistent Failure: The Malaise of INFOSEC

with one comment

[Screenshot: Brian Krebs article, 2015-04-27]

An INFOSEC Maturity Differential Diagnosis:

Advanced Persistent Failure (APF *tm*) is a term that I coined today in my Twitter feed that I have yet to trademark before Rob Graham (@erratarob) gets around to it.

Advanced Persistent Failure: The inability for human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen.

Why it came to me today was the article pictured above by Brian Krebs, which asks the question “What is your org’s security maturity?” I find it interesting that the guy who is out there on the net, the one person you “don’t want to hear from” of late (because if he’s calling, it’s because your data is out on the net and he knows about it), is actually asking a question that many others have asked in the past. I don’t think any of them, myself included, ever got traction with the hoi polloi because we aren’t all famous or ‘rock stars’ in the industry. Still, even with someone like Brian asking the question, I don’t think the message will get through the static of all the sales pitches and self-absorbed thought processes out there in the corporate world to make one whit of difference.

[Screenshot: report excerpt] Full report here

[Screenshot: security maturity chart, 2015-04-27]

What I mean to say is that even with someone like Brian asking the question, the companies and the people that comprise them likely will not navel-gaze enough to make the changes recommended by such posts and their supporting data. Now you may just consider me a jaded bastard or a pessimist, which I am both, but I want you all to take in the reality of the situation. How many orgs do you know of that have been on the right path security-wise from the start? How many of those orgs only began to change after an intrusion that caused a great deal of damage and FUD? Seriously, take a look at the chart above and compare it to your own org. Now ask yourself honestly these important questions;

  1. If I am in a reactive org, can I change it to not be?
  2. If I am compliance driven, the motivation has already been given, yet I am still unable to secure things. Why?
  3. If my executive chain does not get it now, how can I change this?

Now these questions may be daunting for the average security worker but then consider a CISO or director asking these questions too. Do you honestly think that even if they sent this article to the executive set that they would even bother? Why would they? Do your execs get security at all? I am sure some of you out there are like “yeah they get it, my org rocks!” to which I say “Good for you! Liar.” It is my opinion, after a long time in this business as a consultant, that orgs in general are fucked up and not clued in on security as the rule. Doubt this? Just look at all the big compromises and advanced persistent failure we have seen over the last few years. How about this though, just consider the reports recently about POS machines with default passwords that have not been changed in 20 years.

How bout them apples? We all know that default passwords are bad and they should be changed as a rule but no one is doing that. Why do we persistently fail at doing the simple things? Perhaps it is because humans are just bad at determining long term risk? Perhaps none of us is as bad as all of us when it comes to making security decisions? Or maybe it is just because there is no real imperative on the part of companies to really care because the financial and reputational losses are not that great today? Let me ask you this.. Do you think that the former CEO of (insert hacked company) is now living on the street in a cardboard box because they failed to care about the security at (insert hacked company) ?

Lemme give you a hint… No.

Clearly it is not an imperative, so by Brian asking the question it may get some air time, but really, how many orgs do you think are going to read that article and yell “BY JOVE HE’S RIGHT! WE MUST CHANGE THIS HENCEFORTH!”

Lemme give you a second hint… None of them.

BUT CSO MAGAZINE SAID:

Hell, even if Steve Ragan wrote a piece on this *hint hint* I still expect that the vast majority of the security people out there, even after taking that article and forwarding it to directors and CISOs, would not be able to effect a change for the better security-wise. Why? Because once again, people don’t give a shit and they aren’t being forced to do anything about it. No, really, that is my opinion and I am going to stick to it. Nothing will change unless they are forced to be cognizant of the issues as well as responsible, really responsible, at the end of the day. So there is very little hope that your CISO will magically be reporting directly to your CEO. There is very little hope that your CISO will be working directly with the board of directors UNLESS, maybe, if you are lucky, you have been hacked spectacularly and in the news. Those orgs that have made those changes post-hack I feel are more unicorns than anything else. So yeah Steve, please write about this and have that drop in all the CISOs’ email boxes! It will be all hopey changey!! Secretly though I would hope you just link back to me about the APF of all of this, ya know, just as a cautionary tale and a buzzkill.

Face facts kids, we are well and truly shit out of luck here. I certainly don’t expect us as a species to change how we operate because some people in the media pointed out the realities of our collective fail. Sure, China is hacking the shit out of us, Iran is about to cyber nuke the lot of us, and the Russkis are all up in our President’s emails, but will we change our SOP for security because of it? No, no we won’t; we will just continue to stumble along like we have been all along. Our predilection for Advanced Persistent Failure is like an addiction really. Security is hard! We can’t make those changes to passwords! I mean how will we rememberize them? Oh. My. God! Enlightenment, even the ‘brick’ that @Gattaca and others use out there, does not have the play or the sexy that a new blinky-light APT stopper has on the RSA floor as hawked by booth… babes? Men? Whatever the flavor of the day is now in our stupid industry of fail.

Prepare for the next fail tsunami kids. Nothing will change.

K.

Written by Krypt3ia

2015/04/27 at 19:03

Posted in Infosec

THE SNOWMAN EFFECT: It’s all about the dick pics!

with 3 comments

Watch video first.. Yes, watch it again if you haven’t already then read on….

Ok, so do you feel some horror and outrage even though you laughed your ass off? Yeah, me too. But after those feelings wear off I am just left with a sense of creeping dystopia and loathing. Honestly, this shit is just out of hand, no one is really capable or willing to deal with it, and this comedic bit by John Oliver hits the nail on the head. No matter what you think of Snowden, the point is that even after all of the data was released and all its portents shared, nothing substantive has happened. Sure, the world now knows, and the security community at least seems to be in a quandary over it all, but the general populace, it seems, cannot be bothered even to know who Snowden is and what he did. To quote myself here;

“JESUS FUCK!”

Ok ok ok, maybe the sampling was skewed in Times Square that day and the sampling was small but really, no one in there had a real grasp of the leaks never mind the import to their daily hyper connected lives? I am still a little stymied to believe this to be the case but there you have it on HBO. So as the date approaches for the re-up on the Patriot Act, and specifically the most egregious of all the egregious shit in it, Section 215 we the people seem to just be abdicating our rights as citizens to say no to this. Even as we see more executive orders come out on hacking and the ‘cyber’ that seem at least notionally obtuse and open to interpretation if not outright deliberately so to allow abuses, we are just gonna go back to collectively not caring about anything other than Kim Kardashian’s ass?

Oh.. Wait a minute here, I am forgetting about the dick pics!

Well obviously we have our priorities straight as a nation and a freedom loving people right? I mean FOR GOD’S SAKE YOU CAN TAKE MY PERSONAL CALLS AND CALL ME A TERRORIST BUT FUCK ME YOU CANNOT LOOK AT MY DICK PICS YOU SURVEILLANCE BASTARDS! Yeah, that is a bridge too far my friends! I suspect I will be seeing new ‘Don’t Tread On Me’ flags with a penis instead of a snake soon enough.


Ok, well then we have proven that we as a nation, as a people, do not comprehend the problem of pervasive surveillance enough to do anything about it UNLESS it is about our personal porn. I get it now. As no one but Oliver has made it about this I predict that section 215 will just get another pass. Meanwhile all our data collection will continue and the mass surveillance state will grow even further than it already has. This leaves me once again back at the stage of Neo Ludditism. Excuse me while I go to my 6’x12′ cabin in the woods and make my ‘packages’…

K.


Written by Krypt3ia

2015/04/08 at 13:50

Posted in 1984

Global Threat Intelligence Report March 2015

with one comment



GLOBAL Threat Intelligence Report – March 2015

  1. Executive Summary

In the month of March several high-level vulnerabilities were exposed, ranging from programming flaws to the compromise of user security through supply-chain tampering by a maker of laptops and desktops. All of these instances show how much the security landscape of our systems and networks changes from month to month.

This report has been generated to give the end user an idea of what is happening in the security space, as well as insight into little-considered security issues that could lead to the compromise of your network. From the macro to the micro-verse, security issues can have great effect on corporations large and small. From the fallout of the Target hack, ten million dollars in reparations to its customers, to the FREAK vulnerability and other attacks on the core protocols the Internet is built on and secured with, these reports give you an idea of where to look and what to look for.

  2. Global Threats

Fully Patched Versions of Firefox, Chrome, and IE 11, & Safari hacked in PWN2OWN contest

http://www.techspot.com/news/60121-fully-patched-versions-firefox-chrome-ie-11-safari.html

Analysis:

Think that patching your browser regularly is the only answer to your security problems? Guess again. At the latest Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.

What this shows is that even a well-curated system with every security patch applied can harbor flaws in the code that lead to compromise. This is an important fact to remember and plan for in any environment that touches the Internet.

However, mitigations can help stem these attacks. Consider deploying EMET 5, which forces DEP, ASLR and anti-ROP checks onto the browser process, alongside a HIDS agent that watches for the memory and operating-system changes that typically follow a browser exploit (a browser spawning cmd.exe or powershell.exe, for instance). It is also a given that your company should have IDS/IPS/SIEM coverage to detect traffic from compromised systems and browsers to command-and-control servers.

The Largest Email Hack in History

The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ

http://motherboard.vice.com/read/three-men-charged-in-the-largest-email-hack-in-the-history-of-the-internet

Analysis:

The hacking of eight major email service providers in this case shows how valuable mundane information like our email addresses and mailbox contents is to criminals. That this was the largest and apparently longest-running of these schemes also shows how long such an operation can go undetected, and how it has been run like a business.

The criminals built an enterprise in which the stolen data fed spam campaigns that generated revenue. Spam-for-profit is common today, but it is not usually built on breaking into major email providers and stealing their internal data.

The FREAK Vulnerability and SSL

Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.

http://www.usatoday.com/story/money/columnist/2015/03/07/weisman-cybersecurity/24382891/

Analysis:

The FREAK vulnerability is another in a growing line of flaws in SSL/TLS and its implementations. It lets a man-in-the-middle downgrade a connection to ‘export-grade’ 512-bit RSA, a key size that can be factored in hours on rented cloud compute, whenever the server still offers RSA_EXPORT cipher suites and the client accepts the weak key. Ever since Heartbleed put the TLS stack under the microscope, researchers both good and bad have been picking at this layer, and you should expect more attacks on it; a break here can compromise your whole environment.

This matters to you because SSL/TLS is the basis for most secure transactions online and inside your network. Once a session has been downgraded and decrypted, an attacker can steal credentials and go on to exploit further systems and networks. Your organization needs to track these vulnerabilities, disable export cipher suites on every server it runs, and patch its clients.
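The precondition described above, and revisited in the Vulnerabilities section, is testable: a server is only downgradeable if it still accepts RSA_EXPORT cipher suites. The script below is an added example for this report, not code from the original page or from the FREAK researchers. It builds a ClientHello offering nothing but export suites and parses the server’s reply; the host name is an assumption, and the ServerHello and Alert bytes used to exercise the parser are constructed.

```python
"""Server-side check for the FREAK precondition (CVE-2015-0204).

Added example, not part of the original report. A man-in-the-middle can only
downgrade a session to export-grade RSA if the server still *offers* RSA_EXPORT
cipher suites, so we send a ClientHello listing nothing but those suites and
see whether the server selects one. Host/port are assumptions for the example.
"""
import os
import socket
import struct

# RSA_EXPORT suites by IANA number. A server that selects one of these when
# offered nothing else has not disabled export-grade crypto.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(server_name, suites=tuple(RSA_EXPORT_SUITES)):
    """TLS 1.0 record carrying a ClientHello that offers only `suites`,
    with an SNI extension so virtual-hosted servers answer for the right site."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                                            # client_version TLS 1.0 (widest acceptance)
        + os.urandom(32)                                       # client random
        + b"\x00"                                              # empty session id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes  # the export-only offer
        + b"\x01\x00"                                          # one compression method: null
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def selected_suite(response):
    """Cipher suite chosen in the first record of the server's reply, or None when
    the server sent an Alert (handshake_failure), closed, or sent anything but a ServerHello."""
    if len(response) < 5 or response[0] != HANDSHAKE:
        return None
    hs = response[5:]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        return None
    p = 4 + 2 + 32                      # skip handshake header, server_version, server random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                      # skip length-prefixed session_id
    if len(hs) < p + 2:
        return None
    return struct.unpack("!H", hs[p:p + 2])[0]


def is_freak_exposed(response):
    return selected_suite(response) in RSA_EXPORT_SUITES


def check_server(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello, return (suite name or None, exposed?)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        reply = sock.recv(4096)
    suite = selected_suite(reply)
    return RSA_EXPORT_SUITES.get(suite, suite), is_freak_exposed(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"   # assumed target
    print(check_server(target))
```

The same probe with a stock OpenSSL is `openssl s_client -connect host:443 -cipher EXPORT`; a patched server refuses the handshake. Two caveats: the parser looks only at the first record, so treat `None` as “not exposed by this probe” rather than proof, and a clean server result says nothing about the clients in your fleet, which need their own SSL/TLS library updates to stop accepting an export key they never asked for.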

Target Offers 10 Million Dollars in Breach Payments

Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.

Court documents show hacking victims could get as much as $10,000 apiece.

http://www.npr.org/blogs/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit

Analysis:

The Target hack was one of the first breaches of recent times to leave a lasting impression on the world. The attack showed not only how the adversaries used advanced and persistent means to gain and keep access to Target’s networks, but also how a company can be compromised financially and reputationally.

That Target is now offering money, rather than just credit monitoring, shows how much these attacks cost a company’s bottom line and reputation. Many in the industry and the public have nonetheless called this round of settlements low and not enough.

The upshot is that the company has had to respond this way because of its own culpability: its security measures were not up to speed to catch warning signs that were going off like klaxons in the night. Every organization should perform due diligence in this age of advanced adversaries, who need not be nation-state sponsored.

One in Three Websites at Risk on the Net

Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.

Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.

http://www.cbsnews.com/news/one-in-three-websites-at-risk-for-hacking/

Analysis:

There are a couple of factors that could explain this assessment. The first is that there are simply so many vulnerabilities that they are hard to keep up with in an enterprise environment. The second is that companies are either not scanning as regularly as they should, or have decided the vulnerabilities are tolerable and written them off as accepted risk.

I am unsure of the reality behind these figures. Risk acceptance, and the level of risk each site decides it can carry, are hard to scope from outside, because each environment is (one hopes) making that calculation for itself, so levels of care vary. Still, this article and its statistics show, as a whole, how easily adversaries can exploit systems reachable online, and why we keep seeing stories about large-scale hacks on organizations.

 ISIS Hit List and Information Warfare

At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.

The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.

http://www.nbcnews.com/news/us-news/isis-hit-list-fuels-concerns-over-tech-savvy-terrorists-n328781

Analysis:

While this story is about the war on terror and the online antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information posted was not in fact hacked; all of it was available through Google searches. That is an important fact to clarify, and it sets up the second insight: how much of our personal data is online.

A simple Google ‘dork’ can deliver a huge amount of OSINT on a target today, and re-posting that data to a page like Pastebin with a call for assassinations shows the power of the net. This is the story of asymmetric warfare and how easily it can be carried out online. Now imagine it is not a terrorist organization doing this but a disgruntled employee or client of a company.

Every individual should consider how much data they put online and where. From cyber-bullying to outright death threats, we make it easy to ‘dox’ ourselves with our tweets, Facebook posts, and emails.

GITHUB DDoS

On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.

The Electronic Frontier Foundation (EFF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.

http://www.techrepublic.com/article/chinese-government-linked-to-largest-ddos-attack-in-github-history/

Analysis:

China has blocked GitHub in the past and India did so briefly in late 2014, in both cases over content the governments found threatening. In China’s case GitHub appears to have become another piece of fodder in the internet wars. Whatever the political aegis, the mechanism was mundane: Baidu’s analytics and advertising JavaScript was served over unencrypted HTTP, so an in-path system (the one Citizen Lab later dubbed the ‘Great Cannon’) could swap that script, in a fraction of responses, for code that made visitors’ browsers hammer two GitHub pages, those of GreatFire.org and the Chinese-language New York Times mirror.

The bigger story is that DDoS is hard to mitigate and everyone is vulnerable to it. As political protest, or as a lever to force a company into compliance, DDoS is not going anywhere. The underlying weakness here is that any script or page loaded over plain HTTP can be rewritten by whoever sits on the path; until sites serve everything over HTTPS, and have the capacity or upstream scrubbing to absorb floods, these attacks will happen regularly.

For more on DDoS go here
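The injection point in the GitHub attack was a script fetched over plain HTTP, so the first thing to audit on your own pages is which external scripts and frames an on-path attacker could rewrite. The script below is an added example for this report, not code from GitHub, Baidu or the original post; the sample page and its host names are constructed. It flags plain-HTTP resources, protocol-relative URLs on an HTTP page, and third-party scripts that lack a Subresource Integrity hash (SRI was only a draft when this report was written and is now supported by every major browser).

```python
"""Audit a page for external scripts an on-path attacker could rewrite.

Added example, not from the original report. Run audit_external_resources()
on the HTML of your own pages; SAMPLE_PAGE below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collect (tag, src, has_integrity) for every <script> and <iframe> with a src."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)                     # HTMLParser lower-cases attribute names
        if a.get("src"):
            self.found.append((tag, a["src"], "integrity" in a))


def audit_external_resources(html, page_url):
    """One dict per external script/iframe, with 'risk' set when an on-path
    network could tamper with it (None when the reference looks safe)."""
    page = urlparse(page_url)
    collector = _ResourceCollector()
    collector.feed(html)
    report = []
    for tag, src, has_sri in collector.found:
        u = urlparse(src)
        scheme = u.scheme or page.scheme    # "//host/x.js" inherits the page's scheme
        host = u.netloc or page.netloc      # "/x.js" is same-origin
        if scheme == "http":
            risk = "fetched over plain HTTP: injectable by any on-path network"
        elif tag == "script" and host != page.netloc and not has_sri:
            risk = "third-party script over HTTPS but without Subresource Integrity"
        else:
            risk = None
        report.append({"tag": tag, "src": src, "host": host, "risk": risk})
    return report


def plain_http_sources(html, page_url):
    """Just the URLs an attacker on the wire could replace outright."""
    return [r["src"] for r in audit_external_resources(html, page_url)
            if r["risk"] and r["risk"].startswith("fetched over plain HTTP")]


# Constructed sample: one plain-HTTP analytics script (the Great Cannon pattern),
# one protocol-relative CDN script, one SRI-protected script, one same-origin
# script and one plain-HTTP ad iframe.
SAMPLE_PAGE = """<html><head>
<script src="http://analytics.example-cn.test/h.js"></script>
<script src="//cdn.example.net/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-constructedhash"></script>
<script src="/local.js"></script>
</head><body>
<iframe src="http://ads.example.org/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for row in audit_external_resources(SAMPLE_PAGE, "https://www.example.com/"):
        print(f"{row['tag']:6} {row['src']:45} {row['risk'] or 'ok'}")
```

Note that the protocol-relative CDN script is judged differently depending on whether the page itself is served over HTTP or HTTPS; that is exactly why the fix is to move the whole site, not just the scripts, to HTTPS.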

Your Private Data Available Through Anonymous Shares On-line

Our lives are digital now.

Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.

Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.

In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.

http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-private-data-has-been-indexed-by-google.html

Analysis:

Google ‘dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to reach their data and systems. In the CSO story it took only a Google query with the right terms and strings to locate users’ systems that were insecure and exposed online. Many of these were routers and NAS boxes that had been switched on with default settings or misconfigured so that their shares were reachable from the Internet and indexed by search engines.

This is an object lesson for everyone, and you should consider it not only a personal security issue but a corporate one. Imagine an IT person bringing work home, or worse, having configured a router or NAS to share in this way to the Internet. That scenario has actually been found in the field, and it offered a path to compromising the company’s whole infrastructure.

Many of the cases involve only personal information. However, there have been cases like the one cited above, as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL material, so this is certainly not just a personal issue. Please consider talking to your employees about these kinds of breaches at home that could lead to breaches at your company as well.

  3. Malware & Crimeware

Superfish! Lenovo Pre-Installed Malware

Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.

http://www.finextra.com/blogs/fullblog.aspx?blogid=10681

Analysis:

These threat intelligence reports have covered ‘supply chain tampering’ before, but this one should set off bells for anyone buying a computer from any vendor. Lenovo initially said the adware and its trusted CA were nothing to worry about. It was quickly shown otherwise: every affected machine carries the same Superfish root CA and the same private key, which was extracted from the installer within hours, so anyone on the network path can forge a certificate for any HTTPS site and silently read or alter that traffic.

Lenovo treated this form of advertising, which depends on intercepting and re-signing encrypted sessions, as legal and acceptable; it is not. Just as Sony BMG was called out for shipping a rootkit with its audio CDs, this is wholly inappropriate and degrades the security of whole organizations, as well as of the individuals who buy the hardware.

Now that this is out in the open, if you have these systems in your network you should remove both the Superfish software and its root certificate from the Windows certificate store (and from any other store that picked it up, such as Firefox’s), since uninstalling the application alone leaves the certificate trusted. Inform any home users in your work-at-home or bring-your-own-computer programs to do the same. Left as is, after all the reporting, these machines are exposed, because the key and working interception code are already public.

To remove SuperFish go here
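Because the Superfish root is trusted on an affected machine, ordinary certificate validation succeeds; what gives the interception away is that every site’s certificate is issued by “Superfish, Inc.” instead of the site’s real CA. The script below is an added example for this report, not Lenovo’s, Superfish’s or the original page’s code. It inspects the issuer of the leaf certificate Python’s `ssl` module returns and flags known interception CAs or, given an allowlist, any unexpected issuer. The probe host names are assumptions and the certificate dictionaries used to exercise the check are constructed.

```python
"""Client-side detection of a Superfish-style TLS interceptor.

Added example, not part of the original report. Superfish re-signed every
HTTPS site's certificate with its own root, so on an affected machine the
*issuer* of any site's leaf certificate names Superfish. Probe hosts are
assumptions for the example.
"""
import socket
import ssl

# Organisation names of interception CAs known from public reporting: Superfish
# itself and Komodia, whose SSL Digestor library shipped inside it.
INTERCEPTOR_ORGS = ("superfish", "komodia")


def issuer_fields(cert):
    """Flatten getpeercert()['issuer'], a tuple of RDN tuples, into a dict."""
    out = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            out[key] = value
    return out


def looks_intercepted(cert, expected_issuer_orgs=None):
    """Return (flagged, reason). Flags a known interception CA and, when an
    allowlist of expected issuer organisations is given, any issuer outside it."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    blob = f"{org} {cn}".lower()
    for needle in INTERCEPTOR_ORGS:
        if needle in blob:
            return True, f"issuer matches known interception CA: {org or cn}"
    if expected_issuer_orgs is not None and org not in expected_issuer_orgs:
        return True, f"unexpected issuer organisation: {org!r}"
    return False, f"issuer {org or cn!r} looks normal"


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Connect with full validation. On a Superfish machine validation passes
    (the root is trusted), so the issuer check above is what catches it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("www.google.com", "github.com"):     # assumed probe targets
        flagged, why = looks_intercepted(fetch_leaf_cert(host))
        print(f"{host}: {'INTERCEPTED' if flagged else 'ok'} ({why})")
```

Run it from the affected machine, not from a clean one, since the interception happens locally. The allowlist form is useful for a handful of pinned internal or SaaS hosts whose real issuer you know; any other issuer there, Superfish or not, means something is sitting in the middle of your users’ TLS.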

Kilim Facebook Worm Hooks with Sexy Pics

Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.

The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.

If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two ow.ly links – first to an Amazon Web Services page and then a malicious site, videomasars.healthcare, which apparently checks their computer.

http://www.infosecurity-magazine.com/news/kilim-facebook-worm-promises-sexy/

Analysis:

One of the more common lures in malware delivery and phishing is the promise of sexual content. Leveraging it on Facebook only makes it more effective because of Facebook’s reach. The use of shortened links such as bit.ly and ow.ly, which hide the real destination, is equally common; where possible, expand or filter them in your environment to deny these attacks.

As an organization you should have some form of web filtering in place, but such content often slips through. Keep the filtering current and use systems like Blue Coat and Websense as a front-line tool against these attacks.

The Hanjuan Exploit Kit and Malvertising

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.

http://www.scmagazine.com/hanjuan-exploit-kit-leveraged-in-malvertising-campaign/article/405455/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

Analysis:

Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Another name for this kind of attack is ‘drive-by’, but the point is that nothing is safe. Ads on sites can be the infection point for the systems viewing the page, and this is a risk to every environment.

Whether through an injected iframe or a click-through to a malicious domain, these attacks are myriad online and should concern every corporate security department. What can be done? It is hard to keep users from clicking, or from simply visiting legitimate sites that are temporarily compromised.

The best thing you can do is have measures in place (Websense, Blue Coat, Barracuda, etc.) to monitor your users’ web traffic and alert on sites that may be compromised. It is then your job to locate the users who visited those sites and scan their systems for compromise. A program for keeping up with these campaigns (threat feeds, RSS, etc.) will also help your security team detect and deter them.

Android Malware Risk to Almost 50 percent of all Devices

Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.

Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.

http://www.itpro.co.uk/security/24295/android-malware-flaw-a-risk-to-almost-50-per-cent-of-devices

Analysis:

As mobile computing spreads and operating systems like Android take more market share, you and your employees are at greater risk of compromise. In the case of this malicious application installation flaw, nearly fifty percent of all Android phones have been shown to be vulnerable.

With ‘bring your own device’ and the general use of these phones, tablets and devices, the risk of compromise has grown geometrically. Your security program needs to track vulnerabilities in these devices and to be aware of the intricacies of privately owned devices, how they are used, and where the security rubber meets the privacy road.

A compromised device puts not only the end user’s data at risk but also the corporation’s, along with its network infrastructure.

Trojan.Siggen6.31836

New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.

The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.

It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.

http://betanews.com/2015/03/24/multi-purpose-backdoor-trojan-threatens-windows-systems/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN

Analysis:

Multi-stage infection is the norm today. Once the dropper is running it injects its code into long-lived system processes (here svchost.exe, csrss.exe, lsass.exe and explorer.exe) so that its activity blends into normal operation, and it sets itself up to survive reboots. That staying power is called ‘persistence’, and it is the status quo. It is also important to note that such malware calls out to command-and-control systems to fetch further components, so that if the primary infection is detected and removed, persistence can be re-established.

In the case of this particular malware it is important to understand the number of processes it touches, the many channels it then creates to exfiltrate data out of your domain, and how quickly this happens. By the time an infection is detected, it has usually already had ample time to export your data to the adversaries.

Please note that this is not part of some exotic nation-state campaign; this is crimeware!

Bitcoin blockchain exploitation could allow for malware spreading

Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.

http://www.scmagazine.com/kaspersky-researcher-details-blockchain-vulnerability/article/406218/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

Analysis:

As with anything on the Internet and in computing, the technology can be turned against you. Here the blockchain, the public ledger that every Bitcoin node replicates, can carry arbitrary data, so it can be used to store malware control instructions or pointers to illicit content that every node then copies. This is unlikely to matter to most companies yet, because Bitcoin is still not widely used by corporations.

However, any users of the currency might be drawn into these schemes, and those people may work for you and run the client on systems that connect not only to their daily lives but also to your network.

  1. Vulnerabilities

DRAM ROWHAMMER

Description: A vulnerability was reported in some dynamic random-access memory (DRAM) devices. A local user can obtain elevated privileges on the target system.

A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.


http://www.securitytracker.com/id/1031863

Analysis:

This is a local exploit that can cause a flipping of bits in certain brands of DDR3 RAM. This then would result in compromising kernel level processes on the system attacked.

Technical Report: http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.

This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use to ensure that you are not at a higher risk through mono-cultures in hardware.
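One way to do that inventory check, as an added example that is not from the report or the article: parse the `dmidecode --type 17` output collected from each host, list the DDR3 modules (the type the Rowhammer report concerns), and measure how much of the fleet shares a single part number. The sample output, vendor and part numbers below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of `dmidecode --type 17` output from one host.
# Part numbers are placeholders; the "Handle ..." header lines real
# dmidecode prints are omitted here (the parser ignores them anyway).
SAMPLE_DMIDECODE = """\
Memory Device
	Size: 4096 MB
	Type: DDR3
	Part Number: EXAMPLE-DDR3-1600
Memory Device
	Size: 4096 MB
	Type: DDR3
	Part Number: EXAMPLE-DDR3-1600
Memory Device
	Size: No Module Installed
	Type: Unknown
	Part Number: Not Specified
Memory Device
	Size: 8192 MB
	Type: DDR4
	Part Number: EXAMPLE-DDR4-2400
"""

# One "Key: value" line; leading tabs/spaces are skipped.
FIELD_RE = re.compile(r"^\s*([^:\n]+): (.+)$", re.MULTILINE)

def parse_memory_devices(dmidecode_text):
    """Return one dict per populated DIMM slot; empty slots are skipped."""
    devices = []
    for block in dmidecode_text.split("Memory Device")[1:]:
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(block)}
        if fields.get("Size", "").startswith("No Module"):
            continue
        devices.append(fields)
    return devices

def ddr3_modules(devices):
    """Modules of the DRAM generation the Rowhammer report covers."""
    return [d for d in devices if d.get("Type") == "DDR3"]

def monoculture_ratio(devices):
    """Share of installed modules that are the single most common part."""
    if not devices:
        return 0.0
    counts = Counter(d.get("Part Number", "unknown") for d in devices)
    return max(counts.values()) / len(devices)
```

Run the same parser over the output gathered from every host and the ratio tells you how concentrated your exposure is if one part turns out to be affected.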

FREAK

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability
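A defender-side check for FREAK, as an added example that is not from the advisory or this report: flag export-grade suites in a server's advertised cipher list and confirm that the OpenSSL cipher string you deploy expands to nothing below 128-bit strength. The scanner output and the hardened cipher string are constructed assumptions.

```python
import re
import ssl

# Constructed sample: suites a TLS scanner reported a server as offering
# (hypothetical scan output, not data from the advisory).
SAMPLE_SCAN_RESULT = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Matches IANA names (TLS_RSA_EXPORT_...) and OpenSSL names (EXP-RC4-MD5,
# EXP1024-RC4-SHA); these are the 40/56-bit and 512-bit-RSA export suites.
EXPORT_SUITE_RE = re.compile(r"(?:^|[_-])EXP(?:ORT)?\d*(?:[_-]|$)")

# Assumed hardened cipher string: forward-secret AES-GCM only, with the
# legacy classes explicitly negated.
HARDENED_CIPHER_STRING = "ECDHE+AESGCM:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES"

def export_suites(suite_names):
    """Return the export-grade entries from a list of advertised suites."""
    return [s for s in suite_names if EXPORT_SUITE_RE.search(s)]

def freak_exposed(suite_names):
    """A server still offering export suites can be downgraded to them."""
    return bool(export_suites(suite_names))

def weak_suites_enabled(openssl_cipher_string, min_strength_bits=128):
    """Expand a cipher string with the local OpenSSL, as a server config
    would, and list every enabled suite below the required strength."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < min_strength_bits]
```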

Analysis:

As stated above in this report the FREAK vulnerability is just one of a few that have come out over the last year. This section will rely more on the technical aspects of the vulnerability but the statement above must be repeated;

The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses, expect to see more attacks on this fundamental protocol which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions online and in your network. Once a session has been made insecure, an attacker can steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.

Fully Patched Versions of Firefox, Chrome, and IE 11, & Safari hacked in PWN2OWN contest

Security Advisory Feeds

Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.

http://www.newsnow.co.uk/h/Technology/Security/Advisories?JavaScript=1&searchheadlines=&search=&Period=17&Page=1

Analysis:

The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.

Websense XSS Vuln

Users of Websense Data Security who are reviewing DLP incidents can be attacked via cross-site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens or login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.

http://packetstormsecurity.com/files/130898/websensees-xss.txt

Analysis:

Websense is a very common solution for web filtering and DLP for mid-sized companies. This current vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module, please go to the following link and update your console:

This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:

http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

  1. Directed Threats Data

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.

TITLE:

Analysis:

TITLE:

Analysis:

TITLE:

Analysis:

WORD FORMAT: HERE

Written by Krypt3ia

2015/04/07 at 15:27