23 Jan Suits and Spooks Collision DC 2014 Kurt Baumgartner
14 Sep Adobe September 2011 Patch Release Kurt Baumgartner
13 Sep Patch Tuesday September 2011 Kurt Baumgartner
18 Aug Lab Matters - Anatomy of the RSA targeted attack Ryan Naraine
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Suits and Spooks Collision DC 2014 wrapped up this week, and I had the opportunity to speak on two panels at the event, "Exploiting End Points, Devices, and the Internet of Things", and "Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?".
"Exploiting End Points, Devices, and the Internet of Things" (Dave Dittrich, Kurt Baumgartner, Remy Baumgarten, and Roel Schoewenberg in Terry McCorkle's absence)
This technology environment of realtime connections, massive data collection and availability of automated daily routines is truly new. Current events demonstrate malware is attacking that environment specifically, and indirectly acting on our everyday routines.
All of these "things", like Google's recent purchase of Nest, the Nike "things", Sonos "things", health care "things", all support administation with Android and iPhone apps, and drive dependency on smartphones and tablets. Both iPhones and Android are demonstrably insecure in many ways. Our concern is attackers pivoting from these devices further into critical infrastructure.
"Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?" (Anup Ghosh, Kurt Baumgartner, Billy Rios)
Researching this topic uncovered complete data leakage across "cloud" customers due to poorly audited and logged partner application for a massive cloud service provider. There are also challenges with maintenance like wiping file systems and maintaining layers of web application security requirements.
The recent openssl.org and .net compromise and resulting defacement demonstrated difficulties in hypervisor management console access and authentication protection.
While hardware features that cloud systems run on may help enable exploitation, there are much lower hanging fruit for attackers to target.
On the offensive side, attackers love the cloud. Incident response is often stymied by cloud providers that will not work with research teams investigating drops, C2 and other criminal assets that private owners would most likely assist with. Quickly spinning up another C2 becomes very easy. An example of targeted attack operations hosting a portion of their infrastructure in the target country is outlined in our NetTraveller report. And finally, cloud computing provides some of the most powerful and cost-effective cracking platform and mass attack platform available.
Some of the discussions regarding the NSA's involvement in the development of DUAL_EC_DRBG and several companies implementing it as a default algorithm in their products became heated but seemed unfinished. While a slew of products support the algorithm, it seems that only a handful use it exclusively or by default. And the question of usage cases remains unanswered.
Other discussions were very interesting, with individuals debating the usefulness of creating a legal framework for organizations to actively defend themselves.
Conference organizer Jeffrey Carr discussed his decision to revoke his talk at the RSA Conference this year. He also made the very interesting note that Blackberry holds the patent on the algorithm, but their response to the situation is entirely mute.
It was a fantastic lineup of speakers to join. Chris Inglis (former Deputy Director at NSA), Christopher Hoff from Juniper, Steve Chabinsky from Crowdstrike, former Navy seals and US Secret Service Technical Security, intel analysts, and others brought informed views to debate, clarify and expand on extraordinary topics. The location unfortunately was hit with winter snow and weather, creating difficulties for speakers coming and going to their next event, but Jeffrey Carr has assembled an event that is definitely not the usual security con.
In addition to today's Microsoft updates, users of Adobe's Reader and Acrobat software on both Windows and Apple systems need to update their software ASAP. Adobe released Bulletin APSB11-24, addressing at least thirteen memory corruption flaws, and several privilege escalation, logic flaw, and bypass issues.
In today's earlier post about Microsoft's patched vulnerabilities, Excel was highlighted as the target of choice in many targeted attacks. Along those lines, Adobe's Reader and Flash are among the most commonly exploited software applications that are attacked by professional attackers.
This month's Microsoft patch release is pushed out with lower urgency recommendations overall. While the Sharepoint and server side vulnerabilities are interesting, IT and individuals should attend to the Excel vulnerabilities with urgency. Microsoft is also putting to bed any issues related to Diginotar certificate trust by adding cross signed Diginotar root certificates to the Microsoft Untrusted Certificate Store.
Only five security bulletins are being distributed along with the Diginotar Certificate additions and updates. None are labeled with "Deployment Priority 1". However, in light of the ongoing spearphishing and targeted attacks, the most relevant and important of these arguably is the Excel related bulletin, MS11-072. While it is being listed as "Important", not every enterprise has rolled out the latest version of Excel to all of their systems. A set of "use-after-free" and other heap corruption vulnerabilities that are very difficult to discover with automated auditing frameworks plague the application. These vulnerabilities can be exploited to execute spyware, backdoors, and downloaders of the attackers' choosing on victim systems. Excel related email attachments and links have commonly been used in targeted attacks on organizations and this one should be addressed.
Excel can be a major problem. The RSA breach "2011 Recruitment Plan.xls" file made it very clear how social engineering schemes are used to effectively trick employees - it is important to note that the message was pulled out of the RSA employee's spam folder and opened. This Excel attachment maintained embedded malicious Flash content and exploited the vulnerability right in front of the employee after being opened, effectively delivering its cyber-espionage payload. Now, attackers don't need embedded Flash content to take advantage of employee dependency on Excel.
Another edition of "Lab Matters" with a special guest Uri Rivner, Head of New Technologies, Identity Protection and Verification, RSA Security, where he describes what happened when RSA was hacked with a zero-day vulnerability.