Thursday, January 13, 2011
Windows UAC Malware Threat
A new zero-day attack against Windows has been discovered in the wild. It bypasses the User Access Control (UAC) protections introduced in Windows Vista, which are designed to prevent malware from gaining administrative access without user authorisation.
The proof-of-concept implementation of the infection technique, known as Troj/EUDPoC-A, was posted to a Chinese educational forum before being discovered by anti-virus researchers from various security firms.
Chester Wisniewski, of anti-virus vendor Sophos, warns that the technique used by the Trojan enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system, and does so without triggering the User Access Control protections introduced by Microsoft to prevent exactly that. The flaw currently exists in all versions of Windows.
Please ensure your system is up to date with the latest patches and your anti-virus with the latest virus definitions.
Gangsters hiring hackers to make “cyber attacks”
A group of gangsters have been caught hiring hackers to make “cyber attacks” to shut down rival gambling websites. The Korean Times reports the arrest of a pair of hackers over the weekend on DDoS charges. According to prosecutors, the pair, Lee and Park, operated a gambling website on behalf of a crime gang. In an effort to boost traffic to their own site, they used a 50,000-strong botnet to overload 109 rival sites during November and December 2010.
A botnet, of course, is a collection of malware-infected computers (often called "zombies") which can remotely be instructed to initiate network-related activity. Sending spam is a common criminal task for which zombies are used; visiting targeted websites deliberately to waste their bandwidth is another.
Since most web requests look alike, distinguishing the web hits of malevolent time-wasters from those of potential customers can be tricky. Sites which don't usually get a large number of simultaneous requests often aren't built to sustain heavy load.
Some simple warnings come out of this:
* Make sure your PC isn't infected with malware. Otherwise, it might be aiding and abetting criminal activity. In most countries, you can't yet be prosecuted for unknowingly having a zombified computer, but you may get cut off by your ISP - and quite rightly, too! The "offence" will be that you failed to act for the greater good of everyone else on the internet.
* If you're flirting with joining the ranks of the cybervandal group Anonymous when it urges people to join in DDoS attacks, typically denying others their free speech in an effort to protest the denial of free speech, don't assume that you won't get caught. And don't expect much sympathy if you do.
* DDoSing a prospective customer is a high-risk sales technique.
Wednesday, January 12, 2011
Increasingly sophisticated threats that target enterprise users and data
Enterprise networks and applications have evolved but security infrastructure has not.
Learn why application visibility and control (regardless of port, protocol, or encryption) are critical for preventing increasingly sophisticated threats that target enterprise users and data.
Offered Free by: Palo Alto Networks
Beware - Facebook phishing scam
The email, which resembles genuine friend requests, includes the message ‘Hi, the following person invited you to be their friend on Facebook’ and an invitation to join the social networking site.
Symantec security channel product manager, Robert Pregnell, said the email can be identified as a fake because it has no confirm button and there is no prompt for an email address to sign up to the site.
“At this time we can’t say that this particular email is of a particularly aggressive or high-profile attack,” he said.
According to Pregnell, the emails can be stopped by checking the privacy policy and user account settings on the social networking site. He also advised users to have separate passwords for different accounts and regularly update their internet security.
“Have a different password for each online account and stay updated,” he said. “Make sure your antivirus, internet security, operating system and web browser software is up-to-date.”
“Multi-layered internet security programs offer additional protection with strong, non-obtrusive firewalls, watching for personal details going out of your computer, and for suspicious behaviour, even by legitimate programs on your computer.”
McAfee Asia Pacific chief technology officer, Michael Sentonas, said the Facebook phishing scam is designed to trick the recipient into going through the login process in order to accept the new friend request.
“For the unsuspecting people that do click on this and submit their login information, they may appear to login as they would normally, however, their credentials are almost always sent to the scammer as well,” he said.
He said research conducted by McAfee has shown that as much as 85 per cent of emails in some months are spam, including these types of phishing scams.
Friday, January 7, 2011
Most notable threats and trends of 2010
In a new report from the CA Technologies Internet Security team, researchers identify more than 400 new families of threats, led by rogue security software, downloaders and backdoors.
Trojans were found to be the most prevalent category of new threats, accounting for 73 percent of total threat infections reported around the world. Importantly, 96 percent of Trojans found were components of an emerging underground trend towards organized cybercrime, or "Crimeware-as-a-Service."
"Crimeware isn't new, but the extent to which a services model has now been adopted is amazing," said Don DeBolt, director of threat research, Internet Security, CA Technologies.
"This new method of malware distribution makes it more challenging to identify and remediate. Fortunately, security professionals and developers are diligent about staying one step ahead of these cyber criminals."
The most notable threats and trends of 2010 to-date include:
Rogue or Fake Security Software: Also known as "scareware" or Fake AV, the first half of 2010 saw this category of malware continue its dominance. Google became the preferred target for distribution of rogue security software through Blackhat SEO, which manipulates search results to favor links to infected website domains. Rogue security software displays bogus alerts following installation and coerces users into paying for the fake product/service.
An interesting trend observed recently is the prevalence of rogue security software cloning, whereby the software employs a template that constructs its product name based on the infected system's Windows operating system version, further enhancing its perceived legitimacy.
Crimeware: 96 percent of Trojans detected in H1 2010 function as components of a larger underground market-based mechanism which CA Technologies Internet Security has termed "Crimeware-as-a-Service." Crimeware essentially automates cybercrime: it collects and harvests valuable information through large-scale malware infection, generating multiple revenue streams for the criminals.
It is an on-demand, Internet-enabled service that highlights cloud computing as a new delivery model. This crimeware is primarily designed for data and identity theft in order to access users' online banking services, shopping transactions, and other Internet services.
Cloud-Based Delivery: Research revealed cybercriminals' growing reliance on using cloud-based web services and applications to distribute their software. Specifically, cybercriminals are using web and Internet applications (e.g. Google Apps), social media platforms (e.g. Facebook, YouTube, Flickr, and Wordpress), online productivity suites (Apple iWorks, Google Docs, and Microsoft Office Live), and real-time mobile web services (e.g. Twitter, Google Maps, and RSS Readers).
For example, recent malicious spam campaigns are posing as email notifications targeting Twitter and YouTube users, luring targets to click on malicious links or visit compromised websites. The Facebook ecosystem has been an attractive platform for abusive activity including cyberbullying, stalking, identity theft, phishing, scams, hoaxes and annoying marketing scams.
Social Media as the Latest Crimeware Market: CA Technologies recently observed viral activities and abusive applications in popular social media services such as Twitter and Facebook, the result of a strong marketing campaign in the underground market.
CA Technologies Internet Security has observed a black market evolving to develop and sell tools such as social networking bots. Underground marketers promote new social networking applications and services that include account checkers, wall posters, wall likers, wall commenters, fan inviters, and friend adders. These new crimeware-as-a-service capabilities became evident as observed from the latest Facebook viral attacks and abusive applications that are now being widely reported.
Spamming Through Instant Messaging (SPIM): One new vector used to target Internet users is SPIM, a form of spam that arrives through instant messaging. CA Technologies Internet Security observed an active proliferation of unsolicited chat messages on Skype.
Email Spam Trends: When examining email spam trends, the Internet Security team tracked the usage of unique IP addresses in an effort to determine the source of the most prevalent spam bot regions. Based upon its observations, the EU region ranked as the number one source of spam, recording 31 percent, followed by 28 percent in Asia Pacific and Japan (APJ), 21 percent in India (IN), and 18 percent in the United States (US).
Mac OS X Threats: Attacker interest in the Mac continued during the first half of 2010; the ISBU witnessed Mac-related security threats including traffic redirection, the Mac OS X ransomware 'blocker' and the notable spyware 'OpinionSpy'.
Happy New Year To All My Blog Readers
I personally wanted to wish everyone a Happy and Healthy New Year. Thank you for your support throughout 2010 and I look forward to sharing, meeting and working with more of you in 2011.
I was travelling overseas to attend various conferences and to present at a couple of SCADA / Smart Grid conferences, therefore I was not able to keep the blog up to date. I'll try to catch up with that soon.
May you and your loved ones have a joyful 2011.
All the best !!
Sincerely,
Shoaib
Tuesday, November 30, 2010
Android Data Stealing Vulnerability
A new vulnerability has been discovered in the Android web browser that could allow hackers to steal files stored on the smartphone's SD card.
According to security expert Thomas Cannon, the flaw allows payload data to be downloaded automatically to the device's SD card. A few tweaks to the JavaScript then allow files on the SD card to be opened, making the data readable, he said.
Once the JavaScript has stored the contents of the targeted file, it will then post it to the malicious website. He warned that the flaw is present on multiple handsets and multiple Android OS versions. The security expert has posted a video on his website showing the Android browser exploit in action.
“I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue. They have since updated me to say they are aiming for a fix to go into a Gingerbread maintenance release after Gingerbread (Android 2.3) becomes available,” he said.
Refer here to read more details.
Monday, November 29, 2010
Taking-control of People's Webcams
A computer hacker who used his technological know-how to take control of people’s webcams was sentenced to 18 months in prison today.
Matthew Anderson, aged 33, was an important member of a globally-running gang who abused the skills he picked up from his role as an expert in computer security in order to target both businesses and members of the public with spam that contained hidden viruses.
As well as this, he accessed personal data such as photographs in a highly sophisticated email scam run from the front room of his mother’s house, and took control of random internet users’ webcams in an attempt to see inside their houses and apartments.
While also boasting at one point to a colleague that he had had a teenage girl in tears with his acts, Anderson also saved webcam images of girls in school uniforms, a newborn baby with its mother in hospital and other intimate pictures, some of which were of a sexual nature.
Monday, November 15, 2010
New Android Bug Lets Spoofed Apps Run Wild
Google has always put a lot of control over its products in the hands of its users, and Android OS is probably one of the best examples. When downloading an application, the user is shown just what that application needs to run properly. If the user doesn’t want the app to have access to certain things it requires, they simply don’t download it. Well, it seems that isn’t the case anymore, as there’s now a new bug in town, and it doesn’t need your stinkin’ permission.
A new bug found in Android can allow those with malicious intent to make a spoof application that seems harmless, only to find out that it can roam free on your handset, and download other, more dangerous applications to steal your personal data, without any permission by the user. Tricky tricky.
Intel security researchers Jon Oberheide and Zach Lanier have created such an application. It looks harmless – an Angry Birds add-on pack that, once downloaded, will install a handful of programs that track your location, steal your contacts, and give the hacker the option to send pay-per-texts. While this isn’t the first time we’ve seen this kind of hack attack, it will certainly be unsettling to most users, especially if this bug isn’t fixed pronto.
Refer here to read more details on Forbes.
Saturday, November 13, 2010
Android on the iPhone?
Hackers have come up with a way of rescuing Apple fanboys who have elderly versions of the iPhone.
For a while now Jobs' Mob has been forcing its long suffering customers to upgrade their 2G and 3G phones to the broken iPhone 4 by saddling them with an upgrade which made their gizmos slower. Now Redmond Pie has come up with a method of replacing iOS on iPhone 2G and 3G models with Android 2.2 Froyo without using any tools on a host computer.
The outfit had shown off an Android installation before. This involved running iPhoDroid on a host computer connected to a jailbroken iPhone 2G or 3G. This new process uses Bootlace 2.1 to install Android directly via WiFi. It works on iPhone 2Gs with iOS 3.1.2 and 3.1.3 and iPhone 3Gs with 3.1.2, 3.1.3, 4.0, 4.0.1, 4.0.2 and 4.1.
Refer here to read more details.
Thursday, November 11, 2010
Beware - New, Improved Trojans Target Banks
Security researchers are warning financial institutions about the Qakbot Trojan, a rare kind of malware that is allegedly infiltrating large banks and other global financial institutions. It's unlike other types of malware because it has the ability to spread like a worm, but still infect users like a Trojan.
The Qakbot Trojan, named for its primary executable file, _qakbot.dll, is not new, but its qualities and difference in attack set it head and shoulders above other more well-known Trojans, such as Zeus, in that it can infect multiple computers at a time.
In another disturbing find, security researchers at TrustDefender Labs have found a new Gozi Trojan variant that shows a zero percent detection rate. The Trojan targets financial institutions and is invisible to the most used anti-virus software.
Gozi has been attacking banks for three years, but has managed to stay low and undetected. TrustDefender researchers warn that by targeting specific financial institutions, mainly business and corporate banking, Gozi has avoided wider attention from businesses as the Zeus Trojan has grabbed the headlines.
The new Gozi variant has many of the same characteristics as its earlier variants that were researched a year ago. Gozi developers evade signature patterns so effectively that the history of the Trojan is mostly unknown. TrustDefender's CTO Andreas Baumhof states that an increasing number of Trojans are using SSL and HTTPS to hide their presence. Gozi is also using client-side logic to get around two-factor authentication, as are other Trojans including Zeus, SpyEye and Carberp.
Wednesday, November 10, 2010
Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target
Since when did a penetration test become primarily automated-tool driven? Scanners are an aid, but not a full substitute for us as penetration testers.
- Good hackers don't need to utilize expensive vulnerability scanners.
- Good hackers don't use automated penetration testing.
- Attackers don't have a scope or timeframes.
- Attackers don't stop after they get root.
- Attackers don't have portions taken out of scope.
Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.
Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you, but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information, or whatever you identify as what hurts them the most. Some questions to answer in pen-testing include, but are not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?
Monday, November 8, 2010
SCADA security issues will be the shiny hot topic
Metasploit and SCADA Exploits: Dawn of a New Era?
On 18 October, 2010 a significant event occurred concerning threats to SCADA.
That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.
Some striking facts about this event follow:
- This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.
- This exploit was not added to the public Exploit-DB site until 27 October, 2011.
- The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.
- This is the first SCADA exploit added to Metasploit.
First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.
Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.
Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.
Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.
Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.
Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities. Often, there is no security point-of-contact at the vendor. Even worse, the technical support staff who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.
All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.
Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-related exploits into a powerful tool.
Roger on Stuxnet
Stuxnet is a severe threat – that’s something we know for sure. But if we look at it, what do we really know? What can we learn?
Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see what was happening. There was a ton of speculation out there about the source and the target of the worm, especially since it hit the mass media. It is obvious that this is a story that is interesting for a broad audience – however, we security professionals need different sources.
Refer here to read an interesting view on Stuxnet from Roger Halbheer.
Wednesday, November 3, 2010
'Shodan' - Computer Search Engine: Pinpoints shoddy industrial controls
A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.
The year-old site known as Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.
According to the Industrial Control Systems division of US CERT, that's exactly what some people are doing to discover poorly configured SCADA gear. “The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems,” the group wrote in an advisory (PDF) published on Thursday. “These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them has been greatly reduced.”
Recommended mitigations from the advisory include:
- Placing all control systems assets behind firewalls, separated from the business network
- Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
- Removing, disabling, or renaming any default system accounts (where possible)
- Implementing account lockout policies to reduce the risk from brute forcing attempts
- Implementing policies requiring the use of strong passwords
- Monitoring the creation of administrator level accounts by third-party vendors