Wednesday, February 21, 2018

Week 12 - Threat of the Week - Apple 'Unicode Bomb of Death 2.0'

Name: CVE-2018-4124

Report Date: 02/14/2018

What does it affect? 
Per the advisory this impacts the following:


  • iOS 11.2.6
  • watchOS 4.2.3
  • tvOS 11.2.6
  • macOS 10.13.3

What's the big deal? 
The new bomb of death is triggered by two Unicode characters from the Telugu script.  When the characters are rendered on screen, the app displaying them crashes.  Reports indicate that it impacts basically every application on the device, and in many cases the affected application has to be deleted and reinstalled.  While this is more of a nuisance than a compromise, it is very easy to spread: for example, broadcast a wireless network whose name contains the characters, put them in an email to someone, tweet them to someone, etc. 

How do we fix it? 
Apple quickly released a patch to fix this issue.  In fact, when the bug was reported the beta versions did not have the vulnerability; only the current stable releases of the operating systems were impacted.  On 2/19/2018 Apple released new patches that mitigate the vulnerability, and Apple encourages all users to stay up to date and install security releases as soon as possible.

https://threatpost.com/apple-rushes-fix-for-latest-text-bomb-bug-as-abuse-spreads/129987/

https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/

https://support.apple.com/en-us/HT201222

Wednesday, February 14, 2018

Week 10 - Threat of the Week - KRACK

Name: KRACK
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

Report Date: 10/17/2017

What does it affect?
KRACK impacts Wi-Fi security, so essentially any device that supports Wi-Fi could be impacted, although Android, Linux and OpenBSD are more susceptible than macOS and Windows.

What's the big deal? 
The biggest issue with KRACK is that it also impacts WPA2, previously the gold standard in Wi-Fi security. 

How does it work?
KRACK, short for Key Reinstallation Attacks, works by targeting the four-way handshake that is part of the WPA2 key exchange.  KRACK tricks client devices into reinstalling a key that is already in use, which resets the nonce and replay counters tied to that key and then allows the encryption to be bypassed.   

How do we fix it? 
The good news is that patches were quickly released that only allow a key to be installed once, preventing the vulnerability from being exploited.  It is recommended that both access points and clients be updated with new firmware and patches as necessary.  Microsoft also suggested updating Wi-Fi device drivers as soon as they became available.    
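To make the reinstallation problem and the "install once" fix concrete, here is a toy model written for this post (it is not 802.11 code and does not come from any of the sources above): a supplicant that installs the session key when message 3 of the handshake arrives, with the hypothetical `install_once` flag standing in for the patched behaviour. The `toy_keystream` function is a stand-in for CCMP, whose keystream likewise depends only on the key and the packet-number nonce.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def toy_keystream(ptk: bytes, nonce: int) -> bytes:
    """Stand-in for the CCMP keystream: a function of (key, nonce) only."""
    return hashlib.sha256(ptk + nonce.to_bytes(6, "big")).digest()

@dataclass
class Supplicant:
    """Toy model of the client side of the WPA2 four-way handshake."""
    install_once: bool                       # True models a patched client
    ptk: Optional[bytes] = None
    packet_number: int = 0                   # CCMP nonce counter
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def receive_msg3(self, ptk: bytes) -> None:
        """Message 3 may be retransmitted; a vulnerable client reinstalls the key."""
        if self.ptk is not None and self.install_once:
            return                           # patched: key already installed, counters untouched
        self.ptk = ptk                       # vulnerable: (re)install resets the nonce
        self.packet_number = 0

    def send(self, plaintext: bytes) -> None:
        """Encrypt one frame under the current key and nonce and record it."""
        self.packet_number += 1
        ks = toy_keystream(self.ptk, self.packet_number)
        self.sent.append((self.packet_number, bytes(p ^ k for p, k in zip(plaintext, ks))))

def run_session(install_once: bool) -> Supplicant:
    """Constructed scenario: two frames, a replayed message 3, two more frames."""
    s = Supplicant(install_once=install_once)
    s.receive_msg3(b"constructed-ptk")
    s.send(b"hello world")
    s.send(b"second frame")
    s.receive_msg3(b"constructed-ptk")       # retransmitted / replayed message 3
    s.send(b"frame three")
    s.send(b"fourth frame")
    return s

def reused_nonces(install_once: bool) -> int:
    nonces = [n for n, _ in run_session(install_once).sent]
    return len(nonces) - len(set(nonces))

def keystream_cancels(install_once: bool) -> bool:
    # With a reused nonce, c1 XOR c3 equals p1 XOR p3: the keystream drops out.
    s = run_session(install_once)
    xor_c = bytes(a ^ b for a, b in zip(s.sent[0][1], s.sent[2][1]))
    xor_p = bytes(a ^ b for a, b in zip(b"hello world", b"frame three"))
    return xor_c == xor_p
```

The vulnerable client reuses nonces 1 and 2 after the replayed message 3, and the XOR of the two ciphertexts sent under nonce 1 reveals the XOR of the plaintexts; the patched client keeps counting and nothing cancels.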

Sunday, February 11, 2018

Week 9 - Threat of the Week - Cisco ASA Remote Code Execution

Now that the STRIDE alphabet has been covered I intend to shift gears just a little bit.  The blog will still focus on the Threat of the Week, however it will no longer go in order of STRIDE.  Each week I'll take a look at newly discovered vulnerabilities, or previously found vulnerabilities that are now under exploit, or for some reason or another have ended up in the news cycle for the week.

This week I'll be taking a look at a Cisco ASA Remote Code Execution Vulnerability.  

Name: CVE-2018-0101

Report Date: 01/29/2018

What does it affect? 
Per the Cisco advisory, this vulnerability impacts the following devices running ASA software:
  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual

What's the big deal? 
The big deal with this vulnerability is that sending specially crafted XML packets to an ASA device that is running an SSL VPN allows for a device reload or remote code execution, which could give an attacker full control of the device.  The exploit requires no authentication, and based on the typical deployment of an SSL VPN the ASA is by design accepting traffic coming from the outside world.

How do we fix it? 
Currently there are no workarounds for this vulnerability.  Shortly after the disclosure Cisco put out a patch to resolve the issue, and shortly after that Cisco discovered the patch only covered part of the vulnerability.  A new patch has since been released, and Cisco advises immediate updates for all impacted systems. 

Saturday, February 3, 2018

Week 8 - Threat of the Week - Elevation of Privilege


If you work for an organization that applies basic security techniques and runs Windows-based workstations, you have probably seen a message like this at some time or another.  That message appears because the corporate IT department has given users standard, or least-privileged, user accounts.  For a bad actor, gaining the credentials to any account is fantastic, but elevating the privileges of that account is when real damage can occur. 

A common tactic an external actor uses is a phishing campaign to compromise low-level credentials.  Those credentials provide the initial access to the corporate systems, and once inside the bad actor pivots and moves laterally through the environment, looking for a dormant admin account or stealing credential hashes to reuse in a pass-the-hash attack.  

Organizations can combat EoP with a variety of techniques.  Implementing a policy of least privilege sounds great in theory, but it is often met with a lot of pushback from end users who see it as a hindrance to performing their job duties.  One option an organization can turn to is a Privileged Access/Identity Management system.  Systems like PowerBroker from BeyondTrust allow end users to operate as a standard user and then elevate specific applications only when necessary.  This gives users the functionality they require without having to call the help desk for every task on the PC.  



Sunday, January 28, 2018

Week 7 - Threat of the Week - Denial of Service


In Week 7 we are nearing the end of STRIDE and have come to Denial of Service.  A key component of security is availability.  In today's world of eCommerce and viral marketing, companies all want to drive the most visitors to their site.  If the web servers are not able to handle the connections, users will see the dreaded "Page Cannot Be Displayed" error message.  While it's possible this is caused by a huge number of legitimate customers, a sort of good problem to have, it's also possible that a DoS or DDoS attack is occurring.

Launching a Distributed Denial of Service attack sounds like something only available to top hackers.  In a standard DoS attack, simply blocking or discarding all traffic from the single source IP address may be enough to end the attack.  With a DDoS attack there could be hundreds or many thousands of source IP addresses, and the attack could evolve so that the source addresses change throughout the attack.  That makes traditional mitigation methods based on blocking a source address entirely ineffective. 
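The difference between the two cases shows up clearly in a web server's access log. The following is an added example written for this post (not from any of the sources linked below): a small parser for the common log format run over two constructed logs with the same total request volume, one from a single noisy source and one spread across twenty addresses, to show why a per-source block threshold catches the first and misses the second. All IP addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter
from typing import Iterable, Iterator, List, Set

# Apache/nginx common log format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

def make_log(sources: List[str], per_source: int) -> List[str]:
    """Constructed sample access log: every source sends per_source GETs for /."""
    return [f'{ip} - - [28/Jan/2018:10:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
            for ip in sources for i in range(per_source)]

LEGIT = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]         # ordinary visitors
# Single-source DoS: one address sends 20 requests.
DOS_LOG = make_log(LEGIT, 1) + make_log(["203.0.113.7"], 20)
# DDoS with the same total volume spread over 20 addresses, one request each.
DDOS_LOG = make_log(LEGIT, 1) + make_log([f"203.0.113.{n}" for n in range(20, 40)], 1)

def parse(lines: Iterable[str]) -> Iterator[re.Match]:
    """Yield the match object for each well-formed log line, skipping junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m

def per_source_offenders(lines: Iterable[str], threshold: int) -> Set[str]:
    """Traditional mitigation: block any single source IP above the threshold."""
    counts = Counter(m["ip"] for m in parse(lines))
    return {ip for ip, n in counts.items() if n > threshold}

def total_requests(lines: Iterable[str]) -> int:
    """Aggregate view: total request volume regardless of source."""
    return sum(1 for _ in parse(lines))

def distinct_sources(lines: Iterable[str]) -> int:
    """Number of different client addresses seen in the log."""
    return len({m["ip"] for m in parse(lines)})
```

Both logs carry 23 requests, but only the DoS log produces an address to block; the DDoS log stays under the per-source threshold everywhere, so only the aggregate volume and source count give it away.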

Now for the even worse news.  Bad actors have decided to offer up botnets for DDoS attacks using the same subscription model that modern companies use for their software.  Anyone with access to the Internet, and in most cases some Bitcoin for payment, has the ability to start launching DDoS attacks.  According to CSO Online, renting that type of attack could cost as little as $10/month.  So not only does the attack not take any skill, it is also cheap enough to be accessible to nearly anyone.  The price scales up, and there are indications that even the massive Mirai botnet, with more than 400,000 devices, can be rented. 

With attacks this easy to launch, it can be difficult for companies to defend against them.  eSecurity Planet recommends that companies hosting web servers take some basic precautions.  Just as with other incidents, you should have a DDoS policy and procedure to follow.  It's also a good idea to move websites to hosting companies: dedicated hosting companies have higher bandwidth and high-performing routers that can better withstand the attacks.  Coupled with staff experienced in handling DDoS attacks, a web host can be a great ally to your security team.




https://www.esecurityplanet.com/network-security/5-tips-for-fighting-ddos-attacks.html

https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/

https://www.csoonline.com/article/3180246/data-protection/hire-a-ddos-service-to-take-down-your-enemies.html

https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/ 

https://www.cisco.com/c/en/us/products/collateral/security/traffic-anomaly-detector-xt-5600a/prod_white_paper0900aecd8011e927.html

Thursday, January 25, 2018

Week 6 - Threat of the Week - Information Disclosure


In the world of IT security, information disclosure boils down to people seeing information they are not authorized to see.  This could be something as simple as inadequate access controls on a file server allowing all users in the company to read employee review files.  More recently, though, two information disclosure vulnerabilities have been published that affect nearly every device.

Of course the two vulnerabilities I speak of are Meltdown and Spectre.  While the vulnerabilities are often reported together, they are two separate things, and they affect different CPUs.  Meltdown is limited to Intel, while Spectre impacts essentially every CPU, from Intel to AMD to IBM to ARM.  The vulnerabilities are very similar in that they exploit the very way processors were engineered for maximum efficiency: Meltdown and Spectre use speculative execution of memory accesses to leak data from the kernel that should in theory be inaccessible.

This is a huge deal not only because of how widespread it is, but also because there is not necessarily a simple fix.  While some software updates have been released to patch pieces of it, new microcode may be required to fix the remaining vulnerabilities.  Early patches have caused a lot of system instability, and as such many vendors are recommending that you do not install the patches until they are fixed.  Bad actors are also taking advantage of this new fear to launch phishing campaigns that promise a download of the necessary patches to fix your system.

So in the end it doesn't matter if you prefer Windows, Mac, or Linux.  Information Disclosure is coming for you.

https://www.welivesecurity.com/2018/01/05/meltdown-spectre-cpu-vulnerabilities/

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

Friday, January 12, 2018

Week 5 - Threat of the Week - Repudiation


Repudiation is commonly referred to as non-repudiation, but STNIDE doesn't roll off the tongue quite as nicely, so we'll stick with repudiation.  The general idea behind repudiation is this: when a user or system performs an action and later claims they did not do it, can you prove that they did?  

In network and system infrastructure, when you think of repudiation you think of logs.  Logging an action is only helpful if the right information is logged and the logs are carefully protected against tampering.  Repudiation also comes up frequently when sending and receiving digital messages, especially as organizations look to go paperless.  When legally binding documents are involved, how do both parties guarantee that the document is in its original state when signed? 

I'm going to go a slightly different direction with the topic this week.  Not that there aren't interesting attacks related to repudiation, but there is a potential solution that also happens to be a current buzzword: blockchain. 

Blockchain is essentially a distributed ledger system.  It is decentralized, so it does not require a central server to provide approval.  The nodes that are part of the blockchain come to a consensus, the block is added to the chain, and the resulting transaction is immutable and irreversible.  The very way that blockchain works makes it impossible to repudiate the information in it.   

Companies are looking to put this technology to use in a number of ways.  One is a kind of enhanced digital signature.  Previous methods involved some sort of trusted third party.  With the automation built in, it's possible to set up a system where multiple parties are able to separately, and yet jointly, sign documents electronically, and once signing is complete another action can be kicked off.  A common example I saw was real estate transactions that require multiple parties: buyer, seller, buyer's bank, seller's bank, real estate agents, etc.  When all of the necessary signatures are obtained, the resulting funds transfers to each of the parties could be kicked off automatically.     
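To see the tamper-evidence property behind the "immutable" claim above, here is a toy hash chain written for this post (it is not any real blockchain implementation and leaves out consensus and distribution entirely; it only shows how linking blocks by hash works). The ledger entries use the real estate signing scenario as constructed sample data, and the two tamper functions show what happens when a signer later edits their entry to claim they never signed.

```python
import hashlib
import json
from typing import Any, Dict, List

Block = Dict[str, Any]
GENESIS_LINK = "0" * 64

def block_hash(block: Block) -> str:
    """Hash the block's contents together with the link to the previous block."""
    body = {k: block[k] for k in ("index", "prev_hash", "payload")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain: List[Block], payload: Dict[str, Any]) -> Block:
    """Append a block whose prev_hash commits to everything already on the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_LINK
    block: Block = {"index": len(chain), "prev_hash": prev_hash, "payload": payload}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def verify_chain(chain: List[Block]) -> int:
    """Return the index of the first inconsistent block, or -1 if the chain is intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_LINK
        if block["prev_hash"] != expected_prev or block["hash"] != block_hash(block):
            return i
    return -1

def build_ledger() -> List[Block]:
    """Constructed signing ledger for the real estate scenario above."""
    chain: List[Block] = []
    for signer in ("buyer", "seller", "buyers-bank", "sellers-bank"):
        append_block(chain, {"doc": "purchase-agreement-v1", "signer": signer})
    return chain

def naive_tamper() -> int:
    """The seller edits their own entry after the fact."""
    chain = build_ledger()
    chain[1]["payload"]["signer"] = "nobody"
    return verify_chain(chain)          # caught at block 1: stored hash no longer matches

def tamper_and_rehash() -> int:
    """Recomputing the edited block's hash only moves the break to the next link."""
    chain = build_ledger()
    chain[1]["payload"]["signer"] = "nobody"
    chain[1]["hash"] = block_hash(chain[1])
    return verify_chain(chain)          # caught at block 2: its prev_hash is now stale
```

Rewriting history undetectably would require recomputing every later block as well, which is exactly what distributing copies of the chain and requiring consensus is meant to prevent.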

While it is certainly not mainstream yet, it will be very interesting to see not only how rapidly this technology advances, but how it gets adopted for different uses. 
