October 2015 Patch Tuesday: Including Windows Shell Vulnerability

https://technet.microsoft.com/en-us/library/security/ms15-oct.aspx

It has several patches, including MS15-106: "One memory corruption vulnerability (CVE-2015-6056) has been publicly disclosed." (quoted from the following link)

https://msisac.cisecurity.org/advisories/2015/2015-121.cfm


As far as Microsoft patches go, the ones to watch are those that list remote code execution in the vulnerability impact column.

And 4 of the 6 have remote code execution. As a systems person I am always most concerned about MS15-109, as it is a Windows Shell vulnerability.

https://technet.microsoft.com/en-us/security/gg309177.aspx


Notice the critical portion of this link:

{ A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. }

Microsoft recommends that customers apply Critical updates immediately.


In other words, this vulnerability, left unpatched, could create another supervirus like the named ones of the past (Melissa, Code Red and more).

And here are the systems which could be affected:

Win10, Win8, Win7, Windows Server 2008, Windows Server 2012, WinRT, WinVista: basically all Windows systems.

[Image: MS15-109 affected systems]


Needless to say patch your systems!!!

Network Security Has Fundamental Problems

[Image: hacked AD server]

A breach has many looks…

THE fundamental problem is highlighted in this article:

http://www.infosecurity-magazine.com/news/15mn-affected-medical-information/

Besides the obvious headline grabber, "1.5 million records stolen by hackers":

I am going to compile a few sentences from the article and then discuss:

{He added, “Every healthcare firm, large and small, that stores patient data is at risk of a breach and more needs to be done to protect consumers against these cyberattacks.”}

The hackers had access to the network for 3 weeks before the company even knew of the breach, so it is very likely that PII (Personally Identifiable Information) such as social security numbers, addresses, and names was taken.

I think this is the most interesting sentence:

{ “As other sources have also mentioned, authorities are also concerned that this information will be used to defraud the government, and they don’t even know how they’re doing it,” he added. }

In other words, once the criminals have PII data they can use the data in a variety of ways.

The fundamental problem I am referring to is that all it takes is one mistake: the hackers have a breach, and after the breach they can exploit and control.

This breach, exploit and control activity takes time to find in the massive amount of false positives and other data streaming onto the defenders' screens.

The good news for this company is that they found a breach in 3 weeks… as normally it takes 7 months.

Why else was Sony such a spectacular failure? The hackers were in the network for months, planning and plotting before executing their destruction plan.


Also, not only do we find it difficult to find breaches, but we also have no way to stop the sale of the stolen PII data.


We must review our logs for breaches, but the very act is a problem, as the sheer volume of data strains our resources.

We have to get better at finding breaches, both as data leaves our networks and once it shows up on the Darkweb (threat intel), to confirm (or note) a breach.


One Cyber Mistake Causes Problem$

All it takes is one missed patch, one computer not taken care of.

Computers must be patched so that zero-day exploits have minimal effect. We discussed this on July 20th: http://oversitesentry.com/why-security-news-scrutinized-to-nth-degree/

Let’s review:

[Image: vulnerability attack timeline]


After a vulnerability is introduced, an exploit hits the "wild" and then the clock starts ticking: the attackers (criminal hackers) and defenders (software vendors etc.) start to create the attacks and defenses. By the time you hear in the news "The patch will be released next month", the attack has already been in the wild for weeks.


We are always playing catchup.  Believe it!!

Then we also have other kinds of attacks like website attacks.

Websites must be patched, and coded so that the latest attacks will not be effective.

There are a lot of attacks to protect from (this is the OWASP Top 10):

1. SQLi (SQL injection)

2. Broken Authentication and Session Management

3. XSS (Cross-Site Scripting)

4. Insecure Direct Object Reference

5. Security Misconfiguration

6. Sensitive Data Exposure

7. Missing Function Level Access Control

8. CSRF (Cross-Site Request Forgery)

9. Using Known Vulnerable Components

10. Unvalidated Redirects and Forwards

Each of the OWASP Top 10 can do a number on your website.
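As an added illustration of item 1 above (example code written for this post, not from the original or from OWASP), here is a lookup built by string concatenation next to the parameterized version, run against a constructed in-memory sqlite3 table so the difference in results is visible:

```python
import sqlite3


def make_db():
    """Constructed sample table with fake PII; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "000-00-0001"), (2, "bob", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The caller's input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameter binding: the driver passes the input as data, so it can
    # never change the structure of the statement.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: the single quote closes the literal early.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))   # one row, as intended
    print(lookup_vulnerable(db, crafted))   # every row comes back
    print(lookup_safe(db, crafted))         # no such user: empty list
```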


Now add mobile and wifi as other angles of attack:

How about this as an example:

http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

A simple text message can get malware installed on an Android phone.

Why are there so many ways in for attackers? And we have to protect from all of them… Humans code and make mistakes, and, most especially, we have not been developing software with security in mind.

So now we are backtracking: finding the exploitable security problems first, and only then making the fixes. Our imperfect world was built for functionality first:

[Image: risk/security see-saw]

Business is developed with high risk and innovation, AND with security low in priority.


Who wants to tell their stock owners low growth and innovation?


Now we know what the problem is, how do we fix it in this imperfect world?

[Image: risk management systems process]


Our customers' need = a more secure world.

We need to test the environment and re-evaluate, then test and re-evaluate again, for all the different attack methods.

The end product and process will be a more secure world.


I am fixvirus.com – this is my blog  – TonyZ  (edited 7/28)

State-of-the-Art Security: Obscure your Network

Richard Bejtlich has a new post (as of May 10) http://taosecurity.blogspot.com/

He set out a few excerpts from a 1978 book, "Computer Capers" by Thomas Whiteside.

[Image: Computer Capers]

To me the most interesting excerpt is the 2nd:

“The difficulties of catching up with the people who have committed computer crimes is compounded by the reluctance of corporations to talk about the fact that they have been defrauded and by the difficulties and embarrassments of prosecution and trial. In instance after instance, corporations whose assets have been plundered — whose computer operations have been manipulated to churn out fictitious accounting data or to print large checks to the holders of dummy accounts — have preferred to suffer in silence rather than to have the horrid facts about the frailty of their miracle processing systems come to public attention.

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporations up to public ridicule, and cause all sorts of turmoil within their staffs. In many cases, it seems, management will go to great lengths to keep the fact of an internal computer crime from its own stockholders…

The reluctance of corporations to subject themselves to unfavorable publicity over computer crimes is so great that some corporations actually seem willing to take the risk of getting into trouble with the law themselves by concealing crimes committed against them. Among independent computer security consultants, it is widely suspected that certain banks, which seem exceptionally reluctant to admit that such a thing as computer fraud even exists in the banking fraternity, do not always report such crimes to the Comptroller of the Currency, in Washington, when they occur, as all banks are required to do by federal law. Bank officers do not discuss the details of computer crime with the press… [A] principal reason for this kind of behavior is the fear on the part of the banks that such a record will bring about an increase in their insurance rates.”


It looks like this attitude is the same today as it was 37 years ago, give or take.

Computer fraud befuddled executives in the late 70s, and I would assume it has ever since.


Is this really what we will talk about in the next 30 years?


It is human nature to hunker down and think no one is noticing what you are doing. But that is not the case anymore: everyone is getting attacked, and everyone needs to up their game, as the attacks are becoming more sophisticated.

We can't just sit and hide anymore (otherwise known as security through obscurity).


It is time for a change in methods and techniques. We must tell each other what methods work and when they don't, so that we can learn from each other.

That is how the criminals do it. They have forums and discuss what works and what does not.


Contact Us to tell us how you have been breached, and we will give out only the details of the breach, with no corporate-specific details that tell who you really are.