Tag Archives: Vulnerability

Webinar: WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula

15 September 2014

WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula.

I got this invitation some days ago. This webinar might be a good starting point to dive into the exciting world of application security.

Enjoy!

Review – US nuclear regulator hacked several times over three years

24 August 2014

In the post ‘US nuclear regulator hacked several times over three years’ from 19 August 2014, Warwick Ashford talks about attacks on the U.S. Nuclear Regulatory Commission (NRC).

The big question is: What makes the NRC so interesting for attackers? Reports of safety audits containing information that should not be made public? I really doubt it.

In ‘Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers’ you get an idea about the real reasons:

‘Federal systems are constantly probed by hackers, but those intrusions are not always successful.’

Thank goodness this is absolutely correct! In nuclear power plants very old IT technology is used that cannot be attacked easily. But the detailed description of vulnerabilities found in audit reports will make successful attacks more likely.

Perhaps you remember the film ‘War Games’? Although the Maximum Credible Accident in a nuclear power plant is not comparable to a nuclear world war, the impact on health and environment is catastrophic. Therefore such events must be taken extremely seriously.

By the way, the statement above talks about the known attacks on federal systems. The total number of successful attacks may be much higher …

Don’t Panic!

Rule No. 5: Minimize the Attack Surface

21 August 2014

Complex applications are composed of many infrastructure layers, e.g. database and file services or web services. Services are provided by one or many systems through complex software packages. All systems communicate with each other and with infrastructure systems like directory, naming or backup services. In order to simplify matters we omit the users.

Every operating system, software package, infrastructure service, etc. has vulnerabilities which could be used to attack the application. For example, the U.S. National Vulnerability Database (NVD) lists 9 vulnerabilities for the often used middleware JBOSS, all published in the past three months. On top of that we add some self-made vulnerabilities through our own application design.

The set of all vulnerabilities is the known attack surface.

Please keep in mind:

[1] The whole is more than the sum of its parts!

[2] The unknown attack surface is greater than the known attack surface, and millions of hackers are working hard every day to detect new vulnerabilities.

Today’s standard answer to this challenge is patching, patching, … But from my point of view Security by Design shows a way out of the chaos. Application systems should be designed according to

Rule 5: Minimize the total attack surface!

What does this mean for the application/system design?

  • Decompose the application into separate functions, if possible provided by separate services
  • Minimize the number of interfaces between the application components
  • Minimize the number of 3rd party components
  • Relocate services onto separate encapsulated systems
  • Minimize the number of installed software packages per system
  • Minimize the dependencies on infrastructure services

The effort for build and run will be definitely higher, but the known attack surface will be much smaller.
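One way to make the known attack surface of a single system measurable, as an added example that is not part of the original post: inventory every listening TCP endpoint and every installed package on a Windows host and flag whatever the system's role does not require. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection), administrative rights so process names resolve, and the constructed allowlist for a "web front end" role shown below.

```powershell
# Added example (not from the original post): report everything on this host that
# is outside the attack surface its design asked for. The allowlist is constructed
# for a hypothetical web front end and must be adapted per system role.

$allowedListeners = @{
    443  = 'w3wp'     # constructed: only IIS may listen on HTTPS
    3389 = 'svchost'  # constructed: RDP (TermService) for administration
}
$allowedPackages = @('Microsoft Visual C++*', 'IIS*')   # constructed wildcards

function Get-ListeningEndpoints {
    # Non-loopback listeners, with the owning process name where resolvable
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = [int]$_.LocalPort
                Address = $_.LocalAddress
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        } | Sort-Object Port, Address -Unique
}

function Get-InstalledPackages {
    # Uninstall registry keys cover most installed software (64- and 32-bit views)
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

$listeners = Get-ListeningEndpoints
$packages  = Get-InstalledPackages
"Listening endpoints: $($listeners.Count); installed packages: $($packages.Count)"

# Every listener not in the allowlist is attack surface the design did not ask for
foreach ($l in $listeners) {
    $expected = $allowedListeners[$l.Port]
    if (-not $expected -or $expected -ne $l.Process) {
        Write-Warning "Unexpected listener: $($l.Address):$($l.Port) ($($l.Process))"
    }
}
# Every package outside the role allowlist is a vulnerability source to remove
foreach ($p in $packages) {
    if (-not ($allowedPackages | Where-Object { $p -like $_ })) {
        Write-Warning "Package outside role allowlist: $p"
    }
}
```

Run it on every system of an application and the two counts give a first, comparable number for the known attack surface per system.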

Keep it smart and simple!

Security testing – The new magic trick?

14 August 2014

Security testing is one of the top issues in the media at the moment.

Security testing will definitely support companies in delivering less error-prone and less vulnerable software to their customers. It is an old truth that the cost to fix an error after rollout is considerably higher than before. But when it comes to security relevant vulnerabilities, errors can have catastrophic effects on a company.

In my opinion, standalone security testing will not lead to more secure software in the long term. Security should be built into the entire development process from requirements specification to user acceptance test, with verification and validation in each step. And it is very important to make it crystal clear to the customer that security comes at a price.

Security by design is the means by which less vulnerable software products could be delivered.

In particular the coding phase is critical for the vulnerability of a product. To create less vulnerable software, developers have to unlearn old programming habits and acquire the well known best practices for developing secure products. To ensure success, this transformation should be embedded in a change process.

Drive the change!

Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques

9 August 2014

In his post ‘‘Poweliks’ malware variant employs new antivirus evasion techniques’ from 4 August 2014, Brandan Blevins talks about a new malware which uses new infection routes.

My first thought was: Oh no, not another new malware that could not be detected by state-of-the-art Anti Virus systems!

My second thought was: Hold on for a moment. The Poweliks malware appears to jump into our computers like a deus ex machina! Sounds like magic, doesn’t it?

If you dig somewhat deeper, you find that to implant the malware, attackers must exploit a vulnerability of the system and the good faith of the users. In this case the medium was a Word attachment of an email and a flaw in MSCOMCTL.OCX described in CVE-2012-0158.

In section ‘What might an attacker use the vulnerability to do?’ Microsoft describes the impact:

Bacteriophage P2. Source: Mostafa Fatehi

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights…’.

And this is exactly what the Poweliks malware does.

What countermeasures could we take?

(a) Do not open attachments and files from untrusted sources such as email. Common sense can prevent lots of malware attacks.

(b) Do not work with permanent administrative rights.

(c) Change the User Account Control (UAC) settings to the highest level ‘Always notify’. The malware installs PowerShell, if not already installed. In this case UAC will notify you.

(d) Check whether the latest updates and patches are installed. CVE-2012-0158 was fixed in 2012 and cannot be used for an attack if Windows Update is configured to automatically install updates.

(e) Review the Trust Center settings in Microsoft Office:

Activate ‘Disable all macros with notification’ in section ‘Macro Settings’.

Activate ‘Prompt me before enabling all controls with minimal restrictions’ in section ‘ActiveX Settings’.

Activate ‘File Block Settings’ except for Office 2007 or later formats in section ‘File Block Settings’.

(f) Check your AV provider’s homepage for the latest updates or utilities. I bet you will find some information or a tool that could support you in an emergency.

(g) Don’t Panic!
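The settings behind countermeasures (b), (c), (d) and (e) can be checked from PowerShell; this is an added example, not from the original post. It reads the documented UAC policy values, Word’s VBAWarnings value and the Windows Update history; the list of Office versions to probe is an assumption.

```powershell
# Added example (not from the original post): audit the settings behind
# countermeasures (b), (c), (d) and (e) of the Poweliks post.

function Test-PermanentAdmin {
    # (b) true when this session already holds administrative rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacLevel {
    # (c) 'Always notify' = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1
    $v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($v.EnableLUA -eq 0) { return 'Disabled' }
    if ($v.ConsentPromptBehaviorAdmin -eq 2 -and $v.PromptOnSecureDesktop -eq 1) {
        return 'AlwaysNotify'
    }
    'LowerThanAlwaysNotify'
}

function Get-WordMacroSetting {
    # (e) VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except signed, 4 = disable without notification
    foreach ($ver in '16.0', '15.0', '14.0') {   # assumption: Office 2016/2013/2010
        $k = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        if (Test-Path $k) {
            $w = (Get-ItemProperty $k -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -eq $w) { $w = 2 }   # absent = Office default (notification)
            return [pscustomobject]@{ Version = $ver; VBAWarnings = $w }
        }
    }
}

function Get-LastSuccessfulUpdate {
    # (d) newest update that installed successfully (ResultCode 2 = succeeded)
    $s = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $s.QueryHistory(0, $s.GetTotalHistoryCount()) |
        Where-Object { $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending | Select-Object -First 1 -ExpandProperty Date
}

if (Test-PermanentAdmin) { Write-Warning '(b) running with permanent administrative rights' }
"(c) UAC level: $(Get-UacLevel)"
$m = Get-WordMacroSetting
if ($m -and $m.VBAWarnings -lt 2) { Write-Warning "(e) Word VBAWarnings is $($m.VBAWarnings), expected at least 2" }
"(d) last successful update: $(Get-LastSuccessfulUpdate)"
```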

Have a good weekend!

The neverending local administrative rights story

19 July 2014

Last week I discussed IT security related topics with the computational systems biology group. It’s hard to believe, but most of the scientists work with Linux, most of the time with a bare bash (Bourne-again shell).

What surprised me was that no scientist works with permanent super user rights. Everyone works with a standard user account, but has the option to switch context with SUDO if necessary. Very impressive!

‘Way of working’ is an essential part of every security strategy. Sometimes large security gains can be achieved with small changes to the way of working, at a fraction of the cost of technology based measures.

With Windows users I have endless discussions about the pros and cons of working with permanent administrative rights. There are good reasons for working this way, but as a result we create a security hole the size of a barn door that may compromise all other security measures.

On 26 April 2014 Microsoft informed in ‘Microsoft Security Advisory 2963983’ about a critical vulnerability in Internet Explorer. In ‘Security Bulletin MS14-021 – Critical’, published on 1 May 2014, we find some details about the vulnerability and the best reason to end this discussion once and for all:

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’

Bingo!

Waiving permanent administrative rights need not have serious disadvantages for user productivity. Microsoft implemented a technology similar to SUDO with Windows Vista.

Windows User Account Control (UAC) allows standard users to execute functions where administrative rights are required. If this is the case, UAC prompts for administrative privileges before executing the command.

The solution in just 3 steps:

  1. Communicate the new policy and new way of working to users with local admin rights
  2. Create a local account Useridloc and add account Useridloc to the local Administrators group
  3. Remove account Userid from the local Administrators group

When UAC requests administrative privileges the user inputs the credentials of Useridloc.

Please note: since users can re-assign themselves to the local Administrators group, please audit compliance with the policy.

By the way, if Useridloc is used with runas (the Windows counterpart of SUDO), commands can be executed directly with administrative rights.
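Steps 2 and 3 of the solution, together with the compliance audit from the note above, as an added example that is not part of the original post. It assumes Windows 10 / Server 2016 or later (the LocalAccounts module), administrative rights for the one-time setup, and constructed placeholder account names following the post’s Userid / Useridloc convention.

```powershell
# Added example (not from the original post): implement steps 2 and 3 and audit
# the local Administrators group afterwards. Account names are placeholders.

$Userid    = 'jdoe'            # constructed: the account used for daily work
$Useridloc = "${Userid}loc"    # the post's naming convention for the admin account

# Step 2: create the local admin account (password entered interactively) and add it
if (-not (Get-LocalUser -Name $Useridloc -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $Useridloc"
    New-LocalUser -Name $Useridloc -Password $pw | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $Useridloc -ErrorAction SilentlyContinue

# Step 3: remove the daily-work account from Administrators
if (Get-LocalGroupMember -Group 'Administrators' -Member $Userid -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Userid
}

# Audit: every member of Administrators must be the built-in account, a
# deliberately allowlisted group, or a local account ending in "loc".
function Get-AdminGroupViolations {
    $allowedGroups = @('Domain Admins')   # constructed: groups that may stay
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $name = ($_.Name -split '\\')[-1]
        -not (
            $name -like '*loc' -or
            $name -eq 'Administrator' -or
            ($_.ObjectClass -eq 'Group' -and $allowedGroups -contains $name)
        )
    }
}

$violations = Get-AdminGroupViolations
if ($violations) {
    Write-Warning "Policy violation on $($env:COMPUTERNAME):"
    $violations | Format-Table Name, ObjectClass, PrincipalSource
} else {
    "Administrators group on $($env:COMPUTERNAME) is compliant"
}
```

Running only the audit function on a schedule (for example from a logon script) catches users who have re-added themselves to the Administrators group.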

Welcome back to the comfort zone!