Another Day More Attacks To Defend From

Why does it seem that we are always defending? It seems to be the same thing every day and every month: as the patches come out, IT departments must patch consistently and without fail.

[Image: Fortinet global heat map of vulnerable NFS servers]

Because what happens if they do not? For example, Fortinet’s¹ analysis found that 10% of all NFS servers in the world are vulnerable to a specific attack.

The global heat map shows that the country most in danger is the USA, with China in second place. Notice that the largest economies have the most vulnerable servers.

So what does 10% mean?

The solution here is to upgrade to a new version of NFS and enable encrypted authentication.
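One way to find the misconfigurations behind that 10% on your own hosts is to audit the exports file. The following is an added example, not code from Fortinet or the NFS project: it parses /etc/exports-style lines and flags exports open to any host, exports that accept AUTH_SYS (the default when no sec= option is given) instead of Kerberos-protected flavours, and no_root_squash. The sample exports text is constructed.

```python
import re

# Constructed /etc/exports sample for the demonstration (not from the Fortinet report).
SAMPLE_EXPORTS = """\
# backups: open to the world, remote root kept as root
/srv/backup   *(rw,sync,no_root_squash)
/srv/shared   192.168.10.0/24(rw,sync,sec=sys)
/srv/secure   192.168.10.0/24(rw,sync,sec=krb5p,root_squash)
"""

# Kerberos flavours that also protect the traffic: krb5i (integrity), krb5p (integrity + privacy).
PROTECTED_SEC = {"krb5i", "krb5p"}

# one client token: "host(opts)", "host" or "(opts)"
TOKEN_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return (path, client, options) tuples from exports-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if not rest:
            entries.append((path, "*", []))  # no client list: treat as exported to every host
            continue
        for token in rest.split():
            m = TOKEN_RE.fullmatch(token)
            if not m:
                continue  # malformed token, nothing to audit
            client = m.group(1) or "*"  # a bare "(opts)" token applies to all hosts
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return one finding per weakness: open to any host, weak security flavour, no_root_squash."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavours = ["sys"]  # AUTH_SYS is the default when no sec= option is given
        for opt in opts:
            if opt.startswith("sec="):
                flavours = opt[4:].split(":")  # server may accept several flavours
        weak = [f for f in flavours if f not in PROTECTED_SEC]
        if client == "*":
            findings.append(f"{path}: exported to any host")
        if weak:
            findings.append(f"{path} -> {client}: accepts sec={','.join(weak)} (use sec=krb5p)")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {client}: no_root_squash lets a remote root act as local root")
    return findings
```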


Fortinet researchers used the Shodan.io² database for their data.

[Image: Shodan exploit search results for “NFS”]

And if one goes to the site directly, one can count 5 exploits, 4 remote, 2 DoS, and 1 local type under “NFS”, for a total of 12.


There are 129 known CVEs, 7 entries in Exploit-DB and 5 known Metasploit attacks.

To a hacker this is a known item.

So what can a hacker do with this information?

Well, they will do more research to find out where these servers actually are and whether they can break in or mine information through these NFS problems:

Thousands of the exposed servers were located in the U.S. (18,843 servers), China (11,608), France (10,744), Germany (7,188) and Russia (5,269), the firm reported. This part of the Shodan/Fortinet data actually appears on the SecurityIntelligence.com³ IT news site.

Now we know of 18,843 + 11,608 + 10,744 + 7,188 + 5,269 = 53,652 servers that are susceptible to some type of attack. This is an obvious goldmine for hackers. Imagine that 10% of these exposed servers can be hacked in such a way that the hacker can run their own programs on them (i.e. root or admin privilege with command line access). So now what?

~5,400 servers may get ransomware that could gross $300 – $500 for each system, which means a $1.6 million to $2.7 million payoff could be coming to the hackers.

What if all the servers were susceptible to ransomware? Then the payoff is $16 million to $27 million.

Now do you see the danger from attacks? Every day brings new dangers. Don’t play cyber roulette.

[Image: a 1000-barrel gun]

Every day you take a chance of firing a 500- or 1000-barrel risk gun, and when it “goes off” the attacker has finally made it in. The chance may be 1 in 500 every day, or 1 in 1000.

Contact us to reduce your risk online.  Send us your email address and we will send you updates as they happen here.


  1. https://blog.fortinet.com/2016/05/30/misconfigured-nfs-servers-put-thousands-of-terabytes-of-data-at-risk
  2. https://exploits.shodan.io/?q=nfs
  3. https://securityintelligence.com/news/new-research-finds-10-percent-of-nfs-servers-globally-are-at-risk/


With This Hack Take Over Verizon Email Accounts

Randy Westergren¹ figured out a way to hijack a Verizon FiOS account (FiOS is a bundled Internet, telephone, and TV service).


Randy was researching a vulnerability involving compromised email accounts in the FiOS app, and found a problem with the “reset my password” method on the Verizon website.

With a few computer tricks (if interested, check the details on his site) he was able to hijack an email account.

Before we all get excited: he worked with Verizon from October 2014 until October 2015, with the final fix on November 3rd. So this problem is now fixed.

Here is the pictorial representation of the hijack hack.

[Image: Randy Westergren’s diagram of the Verizon FiOS account hijack]


Why would I post about a fixed issue?


Think about it: Verizon never tested this, and even after being told about it, took a year and a month to finally fix it. How many accounts were wrongfully taken by enterprising criminal hackers with billion-dollar² war chests?

Verizon has opened a new website for reporting security vulnerabilities here: http://www.verizonwireless.com/landingpages/report-security-vulnerability/

Or email Verizon Security directly: CorporateSecurity@verizonwireless.com.


My problem with corporate methods is that decisions are not fast enough. The decisions of the corporate heads require proof, a project, a champion in the department, and X and Y and Z. In other words, it will take a year or more to fix the problem because we are not ready.


How many other companies are in the same boat? Do we really have to get our email accounts hacked FIRST?

It is high time that the directors, CIOs, CTOs and CEOs of all technology companies improve the cybersecurity of their operations by setting up a test regime that is second to none. It is not enough to create a website that takes customer reports of impropriety.

The people with the most to lose (all the CxOs) should know exactly how much effort goes into testing the heck out of the technology that is online right now.

[Image: system engineering as security]

Contact Me to discuss

  1. http://randywestergren.com/hijacking-verizon-fios-accounts/
  2. http://oversitesentry.com/happy-new-year-2016/

Society Wants Technology – Does Not Realize Security Implications

Everyone has heralded new improvements ever since the Renaissance in the 15th century started a yearly binge of artistic and scientific improvement.

We are moving to another new year since time does not stand still for us to digest the current technology.

[Image: Johannes Gutenberg, small bio at physic.org]

So in 1440 we were inadvertently thrust as a society into the “new age” of enlightenment, and in one sense we will forever regret it. In 1440 Mr. Gutenberg finished a hand press and printed the “Poem of the Last Judgement” and the Calendar of 1448. Ever since then, 567 years ago, we have been moving ever forward; admittedly, things have gotten much faster with the Internet and computers. But the people of the late 15th century did not realize what was happening until many years later. As more and more books and scientific thought started to be shared on a regular basis, it changed our society forever.


Today the same things are happening, except that when new technologies are being implemented you may not notice the immediate effects, especially since you may not be purchasing the new technology or technique yourself. A new hacker technique, made possible by a mistake, can really change our lives without your knowledge. You may be completely oblivious, but it is still happening.


What does a Juniper hack have to do with our lives?

Network World had a story² yesterday (Dec 20); the news was actually first posted on Juniper’s forums in the following manner:



Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.

POSTED BY BOB WORRALL, SVP CHIEF INFORMATION OFFICER ON DECEMBER 17, 2015


But how long was this vulnerability actually out in the wild?

Let’s find the CVE bulletin for CVE-2015-7755.

Notice the note here in the CVE:

20151008 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

So the entry date was October 8th, 2015. The vulnerability has been out for over 2 months now.

And actually, the backdoor was known to nation-state actors for 3 years (according to Network World’s story on the FBI/DHS investigation).

Today the Internet Storm Center has taken the unusual step of declaring Threat Level Yellow due to Juniper’s vulnerability: isc.sans.edu³

[Image: Internet Storm Center, December 21st, Threat Level Yellow]


Needless to say, if you have a Juniper router or firewall running ScreenOS 6.2 or 6.3 at one of the affected releases, you may be vulnerable to the telnet/SSH administrative-access backdoor and you are vulnerable to the VPN decryption backdoor.
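The affected releases quoted from Juniper’s post above can be checked against a device inventory without touching any device. This is an added example, not Juniper’s code: it parses ScreenOS release strings such as “6.3.0r19” (other suffix forms are rejected and left for manual review) and reports which of the two issues applies; the inventory lines are constructed.

```python
import re

# Matches plain release strings like "6.3.0r19"; anything else is rejected for manual review.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")

# Affected ranges exactly as stated in Juniper's post (inclusive release numbers on the same base).
AFFECTED = {
    "CVE-2015-7755 (administrative access)": [("6.3.0", 17, 20)],
    "CVE-2015-7756 (VPN decryption)": [("6.2.0", 15, 18), ("6.3.0", 12, 20)],
}


def parse_screenos(version):
    """Return (base, release_number), e.g. '6.3.0r19' -> ('6.3.0', 19); raise ValueError otherwise."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a plain ScreenOS release string: {version!r}")
    major, minor, point, rel = m.groups()
    return f"{major}.{minor}.{point}", int(rel)


def affected_by(version):
    """Return the names of the issues whose affected range contains this version."""
    base, rel = parse_screenos(version)
    hits = []
    for issue, ranges in AFFECTED.items():
        if any(base == b and lo <= rel <= hi for b, lo, hi in ranges):
            hits.append(issue)
    return hits


def screen_inventory(lines):
    """Map each 'hostname version' line to its findings; unparsable versions are reported, not dropped."""
    report = {}
    for line in lines:
        host, _, ver = line.strip().partition(" ")
        try:
            report[host] = affected_by(ver)
        except ValueError as exc:
            report[host] = [f"unparsed: {exc}"]
    return report


# Constructed inventory (hostnames and versions are illustrative).
INVENTORY = ["fw-edge-1 6.3.0r19", "fw-branch-2 6.2.0r16", "fw-lab-3 6.3.0r21", "fw-old-4 6.3.0r12"]
```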


Just in case you missed it, the backdoor password is “<<< %s(un='%s') = %u”.

If you can log in using that password, then you know you are susceptible to this issue.


Back to my original point: we don’t realize for months that there is a new technique that could give hackers access to our devices. In this day and age the pace of technology change is down to months, not years, and hackers know this. The criminals are aware of the problems that new technologies can bring even if you are not.

What can you do besides being vigilant?

Create an atmosphere of constant improvement, set up log analysis, and review your logs using better methods weekly if possible, but monthly at a minimum.

As in my previous post:  http://oversitesentry.com/what-to-look-for-in-logs-hackers-being-successful/

[Image: cybersecurity log analysis]


Contact Us to discuss


  2. http://www.networkworld.com/article/3016802/security/fbi-dhs-investigating-juniper-hack-secret-backdoor-dates-back-3-years.html
  3. https://isc.sans.edu/

Zero-Day Attacks And Why Patching Means Catching Up

Another day, another zero-day attack: the Sucuri Blog¹ found a remote code execution attack on Joomla, a CMS (Content Management System).

The hackers are interested in these all the time:

[Image: black hat hacker]

Because a zero-day attack means that susceptible software can be easily taken over, with no patch yet available.

Zero-day exploits are sought after on the darknet. Check one of our old posts on the darknet. The International Institute of Cybersecurity also has a good primer on the darknet² with actual places to try using Tor (The Onion Router), a browser that keeps you anonymous, although it has definite dangers when using it.

[Image: darknet marketplace listing of exploits, from iicybersecurity.wordpress.com]


If you notice from the above image (from iicybersecurity.wordpress.com), there are 1-day exploits as well, which means the fixes have been on the market for a single day already.

When your IT department asks you to install patches and reboot, they are asking you to apply a fix for a potential attack.

What kind of attack depends on the severity and danger of the software flaw.

There is a Common Vulnerability Scoring System discussed at first.org³.

The severity is scored from 0 to 10 (zero through ten), with 10 being a severe vulnerability that requires a fix as soon as practical.


Here are just some of the hundreds of vulnerabilities listed at cvedetails.com:

[Image: cvedetails.com vulnerability listing]


The problem we have is that software is not just the operating system; it is all the applications that run on top of it.

[Image: CVSS score averages]

You can see that over the years there have been 73 thousand-plus vulnerabilities.

And, most disturbingly, over ten thousand are in the 9 to 10 severity range.


This is why many in the Cybersecurity field claim that the offense is winning and the defense is always playing catch up.


As the exploits come out they are called zero-days; the attackers sometimes attack by buying the exploit from the darknet. There is a constant fight between the defense, which is patching and fixing against potential attacks, and the attacker, who is always trying to infect your computer with new methods.

This dance between offense and defense will never change (unless we just don’t want to use our computers, period). So all we can do is develop risk analysis and put most of our resources into ensuring the most important systems are patched.


Some time ago Microsoft decided to release most of their patches on a single day. This is called Patch Tuesday, and this month’s Patch Tuesday was on December 8th. As KrebsOnSecurity discussed, Adobe and Microsoft plugged over 70 security issues.

Internet Explorer had 30 security flaws.

Microsoft Edge (the new Internet Explorer) had 15.

Adobe Flash Player had 78 vulnerabilities.


Are you running Windows Server DNS services? There is a patch for that as well, which is dangerous, especially since DNS usually runs on critical servers. Although the DNS patch is rated a 2, I am of the belief that the hacker will take any way into your network and then slowly move laterally to other weak systems until getting to the areas that are the true targets.

[Image: BCM Institute risk ratings and levels]

How important is your server?

How important is your database information?


If you have a severity level 10 vulnerability and its impact is high (if the software fails) because of important software on this machine, then the decision is easy: patch as soon as practical. In fact, rather than patching other systems first, you should patch the higher-risk machine.


Are we going to run into a resource allocation problem? Sure; the highest-impact system will get patched sooner than the others.


The other problem we have is that sometimes the installed patch has problems, so we now have to pick between two bad outcomes:

  1. An unpatched system that is susceptible to attacks.

  2. A system that is patched but has some kind of bug, which means the software will not work as advertised.

We also have a problem when the pace of patching is not fast enough, since tests have to be run before patching (to prevent catastrophic problems).

So the problem is the race between limited patching resources and the attackers finding an attack vector on your machines.
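The risk analysis argued for above (severity times how important and exposed the system is, with the two bad outcomes made explicit) can be written down as a small triage routine. This is an added example, not the post’s or any vendor’s method; the scoring weights, the floor for critical assets, and the patch queue are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class PendingPatch:
    host: str
    component: str
    cvss: float             # 0.0 to 10.0 base score (first.org CVSS)
    impact: int             # business impact of the host: 1 (low) .. 5 (critical), assumed scale
    internet_facing: bool   # exposure raises the chance of an attempt
    known_regression: bool = False  # the patch broke something in the test environment


def risk_score(p):
    """Risk = likelihood * impact; exposure and a critical-asset floor are assumed adjustments."""
    likelihood = p.cvss / 10.0
    if p.internet_facing:
        likelihood = min(1.0, likelihood + 0.3)
    # An internal DNS server with a low-scored flaw is still a foothold for lateral movement,
    # so critical assets get a floor rather than letting a low CVSS hide them.
    floor = 0.2 if p.impact >= 4 else 0.0
    return round(max(likelihood, floor) * p.impact, 2)


def plan(patches):
    """Return (ordered (host, component, risk) list, held list).

    Held patches are the 'patched but broken' outcome: they need a fixed build or a
    mitigation before rollout instead of silently joining the queue."""
    ready = [p for p in patches if not p.known_regression]
    held = [p for p in patches if p.known_regression]
    ordered = sorted(ready, key=lambda p: (-risk_score(p), p.host))
    return ([(p.host, p.component, risk_score(p)) for p in ordered],
            [(p.host, p.component, "regression: test fixed build before rollout") for p in held])


# Constructed queue: scores and hosts are illustrative, not real advisories.
QUEUE = [
    PendingPatch("web-1", "Flash Player", 9.3, 3, True),
    PendingPatch("dns-1", "Windows Server DNS", 2.0, 5, False),
    PendingPatch("db-1", "database engine", 10.0, 5, False),
    PendingPatch("pc-22", "Internet Explorer", 7.5, 1, True),
    PendingPatch("file-2", "file service", 8.0, 4, False, known_regression=True),
]
```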

[Image: patching versus attackers]

Contact Us in Saint Louis Area to help you with risk analysis and more.


  1. https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
  2. https://iicybersecurity.wordpress.com/2015/06/10/famous-dark-net-marketplaces-to-buy-exploits-0-day-vulnerabilities-malwares-for-research/
  3. https://www.first.org/cvss


NextGen Firewall Flaw Uncovered

[Image: next generation firewall flaw diagram]

The source is the BugSec blog¹, recently added at #30 on our Security News Analyzed page.

Apparently several NGFW (next generation firewall) systems allow the initial TCP handshake to occur no matter the destination, including destinations we would want to deny. It is worth pointing out that an actual connection is not completed, as the firewall then stops it.

By itself this problem would not have been an exploit, but BugSec’s CTO, Idan Cohen, was then able to develop a tool that creates full tunneling using just this initial handshake.


BugSec has disclosed this flaw to all the vendors that are affected by it.

The manufacturers said: “once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic.” And if, as in this case, the application was ‘unknown-TCP’, it would be blocked only after an additional security policy lookup decided whether to allow or block the traffic.

So essentially, by default, some NGFWs are allowing ‘unknown-TCP’ traffic.

Obviously this can be rather dangerous.


  1. http://www.bugsec.com/news/firestorm/