Tag Archives: Vulnerabilities

Top 5 Attack Vectors Report: Defend It Before You Hack It

0
Filed under Defense
Tagged as , , , , , , ,

robot-with-sheild-300x287Each year my team conducts hundreds of Penetration Tests in a wide variety of industries, ranging from Healthcare to Retail, Finance to Manufacturing, and many more. The team analyzed data collected from each of our penetration tests at SecureState since 2011 and found common themes in the methods of compromise utilized to break into organizations and compromise sensitive information. As a result, SecureState has issued a new report that expands on the attack vectors identified and suggests ways organizations can defend themselves against such attack vectors. SecureState’s 2014 Attack Vectors Report revealed the following Top 5 methods of compromise:

  1. Weak Passwords
  2. Web Management Consoles
  3. Missing Patches and System Misconfigurations
  4. Application Vulnerabilities
  5. Social Engineering

The full report is available for download on the SecureState website. I also presented a webinar (watch the replay here) with Defense team lead Robert Miller, expanding on the report’s findings and offering additional advice to organizations on how to defend against these attack vectors. I highly recommend you download this report to see where your organization stands in regards to these attack vectors.

What’s the bottom line?
The current mindset of many organizations is to only react after an attack or breach has already occurred. However, based on our findings and what the current onslaught of recent breaches have shown us, it’s clear that organizations face the same attacks month after month. Rather than be reactive, the defensive mindset needs to change to a proactive one. Consider focusing time, money and resources on your defensive controls before a penetration test occurs.

A penetration test should be your final step to ensure your defense can withstand an attack and to adjust your defenses if necessary. We’ve seen it time and time again where organizations only conduct an annual penetration test and expect that remediating tactical issues from the penetration test will improve their security posture. This needs to stop! Build and test your defensive controls first, then test to see how these controls hold up. Most of these controls are a mix of tactical and strategic, but reactively focused. By taking a proactive stance on defense, your organization will become much more secure and the time, money and resources spent will provide much more value to the business.

Defend it before you hack it.

Cross-posted from the SecureState Blog

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Who’s managing information security in your city?

1
Filed under Network Security
Tagged as , , ,

There was something shocking in my local suburban newspaper today. I opened up to page two and behold…an article that touched on information security! Specifically, the article was about how a small municipal court system in my area had a PC that was infected by an email “virus”. This virus caused a “hard drive to shut down”. Shut down I would assume means the MBR was corrupted or the PC was so bogged down with malware that it had to be rebuilt. Don’t worry, it gets better. The reporter goes on to say that an employee opened an email that had something to do with Nigeria and winning money. Hmmm…Sinowal Trojan perhaps? Regardless, the reporter goes into details from the interview he did with the city “IT manager”. Here are some quotes from the article:

“The court computer system has a small firewall, he said, but the anti-virus on the computer was either non-existent or never upgraded.”

“The IT manager has been trying to bring the city computer systems up to speed. There hasn’t been a system-wide upgrade in years.”

“The employee opened the email because there’s no formal training.”

“One of his goals is to work out a way he can send out software updates, especially anti-virus, to all city computers at night when they aren’t in use.”

I like this one the best…

“The main issue is spending the money for software, licenses and equipment. It’s pretty down-to-earth-basic, he said. “You’ve got to start throwing money around to get it to work.”

Huh? Throw money at the problem…classic. Multiple levels of FAIL right? Oh, if you haven’t figured it out yet…read those quotes again. What would a hacker think about after reading this newspaper article? This court/city computer system is a target rich environment to say the least!

While we could talk all day about how the city could implement a better more cost effective solution to the issues, there are two main problems that I see:

Be careful what you say to the media after an incident
The IT manager gave out way too much information to the media about the problems the city is facing with IT security issues. Just by reading this article someone with bad intentions and a bit of technical skill now knows that the city employs non security aware people and the entire network probably hasn’t been patched in years. This would be even more scary if police and fire computer systems were on the same network! However, the article did point out that police and fire systems are on a separate network. Yet, things don’t look good for the police and fire networks if this same IT manager is running those as well! :-/ Local city government should carefully review all media requests for information about an incident.

Local cities, municipal court systems, fire and police networks are left for dead
This doesn’t surprise me but just like a lot of small businesses, small city governments or suburbs don’t spend the money or have the staff to keep systems patched or up-to-date. Especially in a recession! Your IT guy or contracted support is an easy thing to cut for a city. I would think that most city networks are in worse shape then some home PC networks because of outdated equipment, knowledge and lack of funds. Case in point, I wrote about a potentially dangerous vulnerability that was found on another local city network last year. Luckily this city took the vulnerability seriously, resolved the issue and hopefully improved their security.

Imagine the problems that could happen if police, fire and court systems were breached or compromised. Critical infrastructure like police and fire networks are at serious risk with unsecured systems that are not maintained. As a citizen that lives and works in these cities you should question your local city government about how they maintain and manage their networks. I have an email en route to the mayor of this city that will hopefully help them with some ideas and suggestions to get them back on track. However, I think we may only be scratching the surface of the problem. Lets hope your city takes computer and network security more seriously.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Exploit status for MS08-067

4
Filed under Vulnerabilities
Tagged as ,

I won’t go into detail about the new Microsoft vulnerability…you all know it’s pretty serious and there are a ton of blogs and websites talking about the dirty details. Hopefully you have all read about it and are getting the word out about patching. However, there are some updates on the status of currently available exploits for the vulnerability that I found interesting.

Public exploit code?
Yesterday Microsoft posted this update to their blog on the MSRC. Microsoft says that there is currently no public exploit code available. The code mentioned that causes a denial of service attack was the code posted on Milw0rm I believe. The only working code released was from Immunity CANVAS and Core Impact if you are a paying customer. Core Impact does mention that the exploit is in early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A – Is it a worm or a trojan?
Don’t let the thought cross your mind that you can perhaps delay patching your systems because public exploit code is not working/available! You still need to patch as there is malware that is currently out in the wild (Gimmiv.A) being used in “targeted” attacks. Whether or not this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a “network-aware” trojan as ThreatExpert mentions. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder we all know based on past history with RPC vulnerabilities…reliable public exploit code will be out before you know it! Make sure you take your patching seriously…

UPDATE: If you follow HD Moore on Twitter you will see that he has just released MS08-067 PoC code for Metasploit.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Exploit in the wild for the Kaminsky DNS vulnerability

3
Filed under Vulnerabilities
Tagged as , ,

Looks like the exploit code has been released by HD Moore as a Metasploit module. Hope everyone took the DNS patching requests seriously since we all know Metasploit is really easy to use (yes, especially for script kiddies!).

If you haven’t patched your DNS yet…do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP’s DNS is still vulnerable…change your DNS servers to use OpenDNS!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Has the DNS vulnerability been revealed?

0
Filed under Vulnerabilities
Tagged as , ,

Perhaps someone has figured it out or just decided to announce it but the big DNS vulnerability that Dan Kaminsky told the world about may have been revealed. Apparently a reverse engineer named Halver Flake was pretty close to figuring out how the vulnerability works. Then someone at Matasano apparently posted the details and then pulled them. Something is going on in the blogosphere…you can find details about the vulnerability on Slashdot and other blogs regarding the post that was on Matasano then removed:

Via McGrew Security:

“Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.”

Meanwhile, Dan Kaminsky posted the following on his blog:

“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”

This might imply that Matasano has the goods…I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS