Monthly Archives: September 2012

Java – “Just Another Vulnerability Again”

Well it is another day and another set of vulnerabilities within Java. It appears that Java is the vulnerability gift that keeps on giving. According to an article published by SC Magazine on September 25:

Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.

Security Explorations notified Oracle of the vulnerability on Tuesday and also posted a message on BugTraq, a mailing list archive, the same day. Researchers are not aware of any attacks actively exploiting the flaw.

Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday to SCMagazine.com that the firm discovered the bug – which allows machines to be compromised through a complete Java security sandbox bypass – late last week

“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process. such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”

With Java being so prevalent in Internet and enterprise back-end systems, such as Oracle, this continues to be a serious issue. It may be time to consider another development platform or get Oracle to get Java back on track…

Tagged , , , ,

Iran’s Other Export…

In an article published by Bloomberg Press and redistributed by the Dallas Morning News, Senator Lieberman and other analysts state that Iran is planning an escalating set of cyber attacks against US companies and interests in response actions around Iran’s nuclear capability.

According to the Senator:

Iran’s government and its elite Qods Force were probably responsible for cyber attacks launched this week against JPMorgan Chase & Co. and Bank of America Corp., Senator Joseph Lieberman said yesterday in an interview on C-SPAN’s “Newsmakers” program.
“I don’t believe that these were just hackers,” Lieberman, an independent from Connecticut who’s chairman of the Homeland Security Committee, said in the interview scheduled to air tomorrow. “I think that this was done by Iran and the Qods Force, which has its own developing cyber attack capacity.”

This has major ramifications not only to US policy regarding state sponsored cyber attacks, but also to US businesses. It is becoming more apparent that improved operational security (OPSEC) practices and overall architecture will be needed to mitigate the increased threat that these type of cyber threats from governments can pose. The ancillary question will be whether the US will truly define state sponsored cyber attacks as an act of war and if not, to what degree will the US expect business to “defend” themselves…

According to Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute and a former special assistant to President George W. Bush for homeland security:

“The good news is Iran is not at the level of sophistication of China, Russia, us and some of our allies,” Cilluffo said. “The bad news is what they lack in capability, they more than make up for in intent.”

Tagged , , , ,

OPSEC – Even Hackers Realize the Need…

This morning (depending on your time zone) Mikko Hypponen, the Chief Research Officer at F-Secure, shared a link to a presentation that @thegrugq gave at Ekoparty 2012. The presentation, although focused on the hacker community, speaks to the need to have and maintain operational security (OPSEC).

While the fact that most businesses and individuals need to practice better OPSEC, it is interesting that hackers are beginning to see the need to embrace the same practices that are (should be) practiced against them. What is even more interesting is the realization by some or more in the community that law enforcement officials (LEO) have superseded hackers in being at the top of the cyber hierarchy. How well this impacts the recent deluge of hackers being taken into custody is yet to be seen, but continues to show that hackers are willing to change tactics and learn which also means that those within the security profession and business also needs to be willing to adapt.

Tagged , , ,

US Cybersecurity Debate Begins… Again…

Do you ever get the feeling that at some point in the morning you should be hearing the Sonny and Cher tune “i’ve Got You Babe” and that you are in Ground hog Day. That we are reliving the same thing over and over again. Well we are again…

We all probably remember the heated debate around the Cybersecurity Act of 2012. Whether political or a security practitioner, everyone had an opinion on one side or another. Well, we will soon begin the debate again, but this tim it will not be in response to a Congressional proposal, but rather an Executive Order (EO). Friday a leaked draft of the EO posted to the techdirt.com website.

According to the proposed draft, the EO is meant to revise the federal architecture for enhanced protection of the critical infrastructure and information sharing or “information exchange framework.” The EO also places the Department of Homeland Security (DHS) as an oversight role for making and implementing the changes. What is not completely understood is the full nature of what is considered “critical infrastructure” and how commercial business will act with regards to another set of US regulatory impacts to their bottom line.

Many in the political scene and in the security industry have been vocal about the need for a defined framework beyond/improving the existing FISMA regulations adhered to by federal agencies. However, there are not as many that would agree that DHS is the federal entity to oversee the implementation. There is even more of a divide when you start discussing how this framework should be applied to private industry.

A recent SC Magazine article quoted concerns from several Republicans about the current EO based on a letter written by John Brennan, the national security advisor to the president. According to the article:

A letter released on Friday written by John Brennan, national security adviser to the president, written to Sen. Jay Rockefeller, chairman of the Senate Commerce Committee, confirms that the White House is working on the order.

“Following congressional inaction, the president is determined to use existing executive branch authorities to protect our nation against cyber threats,” Brennan wrote.

In a recent sponsored Washington Post editorial, Senators John McCain (R-Ariz.), Kay Bailey Hutchinson (R-Texas), and Saxby Chambliss (R-Ga.) blasted the idea of an executive order.

“Unilateral action in the form of government mandates on the private sector creates an adversarial relationship instead of a cooperative one,” the senators wrote.

This is interesting the impact this will have with regards to the impending elections and how security community at large will view this potential mandate. This will definitely (re)develop in the coming weeks…and remember “its going to be a cold one out there…”

 

Tagged , , , , , ,

IE Zero-Day Update…

Microsoft has released Microsoft Security Advisory (2757760) regarding the zero-day vulnerability within IE. According to the advisory:

Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

The advisory does not provide a fix, but continues to point users to “Microsoft Security Best Practice.” It may be worthwhile for users to either start using Chrome or Firefox or upgrade from WIndows XP and Vista. It is still to early to know if it will be worth the upgrade to Windows 8…

Tagged , , , , ,

Anonymous Arrest in Dallas…

According to Reuters, a self-proclaimed leader of the hacker group Anonymous, Barrett Brown, was arrested in Dallas on September 12. According to the article, the arrest is a result of Brown’s alleged threatening of an FBI agent via a YouTube video complaining that the agent and the FBI were harassing/threatening his mother and stated the following:

Robert Smith’s life is over

This story is sure to progress and be updated over the coming weeks…

Tagged , , ,

Can You Hear Me Know…

The phone call is one of the main mechanisms that businesses get the job done. Whether it is a web-based business or the local brisk and mortar, using the phone is a key business tool. With more and more business opting for the use of Voice over IP (VoIP) rather than the traditional PBX and POTS lines.

As a result, many businesses are ramping up to obtain or improve the ability of their VoIP systems and this means taking a look at the business network LAN and WAN. This means that it is important to audit the network for the existing or future call quality. A recent article from the SANS Internet Storm Center discusses what to consider and provides some examples.

Here is part of the opening content by the author Rob VandenBrink:

In this diary, I’ll do a short description of auditing a WAN link for metrics key to VOIP (Voice over IP) call quality. Just a short proviso – this is not a complete guide to VOIP call quality or auditing for VOIP metrics, it’s meant as a starting point which you can take to your own environment and tailor to your own needs and toolset.

So, why would you want to audit a WAN link for VOIP call quality metrics?
1/ To assess if your edge routers are properly re-marking TOS or DSCP bits in the right packets, for delivery to the WAN (commonly done with PBR, Policy Based Routing)
2/ To assess if your WAN provider is honoring your QOS settings, and delivering the appropriate QOS to your various types of traffic

I’ll assume that there’s at least one Cisco device at each end of the WAN link we’re assessing (the commands described are available on IOS switches and routers), but the functions I’m describing are certainly available in most of the other name-brand network platforms.

So first of all, what will we audit in this setup?
Delay – how long does it take a packet to make a round-trip from one end to the other?
Jitter – how much does Delay change during any given call? (zero would be ideal)
MOS (Mean Opinion Scores) – a mathematical distillation of overall call quality to a single value, with 5 being perfect fidelity.

This is a good article to enforces the fact that doing a little auditing on the “boring” can help improve your businesses bottom line and also add to your overall security/technical program.

Tagged , , , ,

When a DDoS is not a DDoS…

The interim CEO of GoDaddy, Scott Wagner, issued a press release stating that the outage was not a result of a DDoS attack, but rather an internal networking issue that corrupted the routing database. It would appear that GoDaddy is trying to play politically correct in its wording. Whether self-imposed or from an external attacker(s), DDoS is DDoS.

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. – Wikipedia

The fact that they are choosing to down play the event, makes it seem that GoDaddy is trying to recover from the PR created from the outage that affected their customer base.

On the other side of the issue, the purported hacker of the outage, Anonymous Own3r, tweeted his disdain over the press release when he tweeted the following:

whooa @godaddy is denying that it was hacked by me! they don’t wanna show their cybersecurity is bad this way they would lose customers !

Either way this issue lands, the question will become whether or not GoDaddy Customers view this outage as a result of one of the following:

  • Hacker DDoS Attack
  • Random technical issue
  • Internal incompetence

Only time will tell…

Tagged , , , , ,

These Are Not the UDIDs You Are Looking For…

It is now known that the recent release of the Apple UDIDs was not a result of a hack of the FBI but rather from a compromise of the publishing company BlueToad. In an article posted on the NBC News Red Tape Page, the author Kerry Sanders, discusses the details with the companies CEO, Paul DeHart. According to BlueToad:

Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that technicians at his firm downloaded the data released by Anonymous and compared it to the company’s own database. The analysis found a 98 percent correlation between the two datasets.

“That’s 100 percent confidence level, it’s our data,” DeHart said. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

 

Tagged , , ,
%d bloggers like this: