In the News

Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition

by Paul Asadoorian on September 15, 2010

"Silent" Worms: Stuxnet

The vulnerability patched with MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. The vulnerability was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability, and contained code to exploit three other vulnerabilities: the print spooler vulnerability patched by MS10-061 and two other unnamed privilege escalation vulnerabilities that have yet to be patched. It's not every day that we hear of malware in the wild exploiting four 0-day vulnerabilities. I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me:

- Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation.
- Stuxnet was written specifically to attack control systems, and is the first publicly known malware to contain a rootkit for PLCs, the devices that control SCADA systems. The rootkit silently waits for commands.
- Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations.
- Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures).

There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the logic behind the malware authors; if they had used fast flux, they might still have control over the botnet they seemed to have worked so hard to implement.
There are actually 6 ninjas in the above picture… can you spot them all?

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

by Paul Asadoorian on August 12, 2010

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft still do not explore the various aspects of each vulnerability and, specifically, do not always state whether or not a vulnerability can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft's statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already logged-in user to execute the code that performs the privilege escalation.

In this scenario, the attacker does not "have" the logon credentials. They are simply able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be exploited remotely, provided you have already exploited a vulnerability that granted you the ability to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs: code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.

Blackhat 2010 Round Up

by Paul Asadoorian on August 6, 2010

Tenable was in attendance for Black Hat 2010 in Las Vegas last week. In addition to having a vendor’s booth, we presented four days of Nessus training, our very own Carole Fennelly organized Hacker Court and we hosted a party at Margaritaville. Below are some pictures and more details on the events:

10 Devices Attackers May Think About Attacking

by Paul Asadoorian on July 21, 2010

Cars, Cell Phone, GPS, and Blenders.... Oh My!

I recently read an article titled "10 Everyday Items Hackers Are Targeting Right Now". It was quite the list, and while possibly a bit far-fetched, it made me think about security in the context of these devices as they relate to enterprise security:

Your Car - Your company may have vehicles, and certainly a good percentage of your employees drive to work every day. The security implications surrounding company vehicles are not something you need to lose sleep over now, but you may want to keep an eye on this for the future. I had some fun with injecting audio into Bluetooth systems on cars some time ago. While this is a neat "party trick", there is no immediate security threat to your organization's data via audio injection attacks. However, what if I told you I was able to listen to conversations happening in the car? This might be a threat, especially if your executives like to have conversations on the way to work with clients, potential customers or each other. If we take this a step further, what if Wi-Fi systems inside cars could be compromised and used as a trojan horse to get within wireless proximity of a secure building? I don't think this is something that most organizations need to take proactive steps to prevent today, but high security facilities could possibly be infiltrated this way some time in the near future (of course, you could also attach a device to a car that is authorized to enter the secure facility). I guess "KITT" was a "Smart Car"?

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

by Paul Asadoorian on July 15, 2010

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it's not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.

"These aren't the vulnerabilities you're looking for. You can go about your business."

Microsoft Patch Tuesday Roundup - May 2010 - Language Barrier Edition

by Paul Asadoorian on May 13, 2010

Microsoft's Language

No, I'm not talking about C# or Visual Basic, I'm referring to Microsoft's very own version of the English language ("Minglish"?). An example of the Microsoft variation on the English language is shown here:

"The vulnerability could allow remote code execution if a user visits a malicious e-mail server."

We've addressed the "could allow" statement in a previous post (for example, changing your shoes "could allow" you to win the lottery). We've also addressed "remote code execution" and dug into what that really means. In this case, it takes on a slightly different meaning from the traditional remote buffer overflow or client-side attacks. The part that is brand new to the "Minglish" language is "if a user visits a malicious e-mail server". Let me get this straight: you not only have to be running the vulnerable software but must also think to yourself, "Gee, I wonder what a malicious e-mail server looks like? I think I will re-configure my email client to connect to pop3.evilbadguy.com and find out". I think what they are trying to say is that "Some digging may have occurred, which could allow a person to fall in a hole. No public falling has occurred."

Afterbytes: The "Cyberwar Battlefield"

by Marcus J. Ranum on April 19, 2010

Article Title: Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years
Date: April 6, 2010

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but we need to be proactive, dynamic and predictive. He noted that we have to start seeing the network as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time but believes the command will have predictive capabilities within two years...

Reference: Navy cyber leader expects proactive capabilities this year

I like "proactive" - it's a good dynamic buzzword, if you're the kind of person who is impressed by action-y sounding verbs. But "predictive"?

Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition

by Paul Asadoorian on April 14, 2010

It's A Bird, It's a DoS, It's Remote Code Execution!

I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" (such as MS10-014 from February) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-020, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could" allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-020. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".

"Cloud" Security Recommendations

by Paul Asadoorian on March 24, 2010

Security In The Cloud Is Still Just Security

A recent paper published in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing", written by Manal M. Yunis, outlines six security considerations for cloud computing. Upon reading the six considerations, I can't help but think that they do not present new challenges but merely rehash old ones. Let's take a look at each of the six common cloud computing security considerations in more detail:

1. Resource Sharing

"On shared services, there is the possibility that another user on the same system may gain access inadvertently or deliberately to one's data, with potential for identity theft, fraud, or industrial sabotage."

The real problem with resource sharing in the context of cloud computing is that software logically separates one system from the next, but not physically. You can think of it as a "virtual server rack": traditionally you would have a physically separate server from your neighbor, but in the "cloud", software is used to separate systems. Unfortunately, software is prone to vulnerabilities that could be exploited and in this case lead to complete access to your server or system. A great example of this in action is the "Cloudburst" exploit from the researchers at Immunity, Inc. that allows an attacker in a guest operating system to break out and gain access to the host operating system. The resource-sharing-via-software problem is similar to VLANs on switches that are controlled by software, requiring you to carefully design a network and be certain your most critical assets are not on the same switch as something less critical. This is a risk-based decision, and must be constantly evaluated whether you are using a "cloud" provider or designing VLANs on a switch.

Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition

by Paul Asadoorian on March 10, 2010

Attacks Happen

There are many reasons why attackers may target your organization: they could be after your intellectual property, they may have political reasons or there may be financial motivations (if you have credit card data stored on your network). I've often heard people say, "Why would someone want to attack us?" The question should really be phrased, "Why would someone need to attack us?" Often you are targeted not because of who you are, but because of what you have. Google hosts email accounts that are interesting to certain parties. You may be a university with plenty of bandwidth, or a business partner of a company that makes electronics the attacker is after. The point is that you can't limit the reasons why you are going to be attacked. You have to secure your network with the mindset that someone will eventually come after you. This brings us to this month's "Patch Tuesday". Two bulletins have been released by Microsoft, and I've included some examples of how they can be used for targeted attacks:
