According to Ian Pratt, co-founder at Bromium:
"The "shellshock" bash vulnerability is a big deal. It's going to impact large numbers of internet-facing linux/unix/OS X systems as bash has been around for many years and is frequently used as the 'glue' to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.
"Bash is part of the infrastructure, something so pervasive that many sysadmins wouldn't necessarily even know that the security of their applications depends on it. Any applications known to be using CGI scripts that call system or popen are at particular risk -- many php, perl and python scripts will fall into this category. Some python modules call os.system without the application doing so explicitly. Simply disabling bash is typically not an option, though it may help to change applications' default shell to some other bourne shell compatible shell such as 'sh' or 'dash' (though beware -- 'sh' is actually the same binary as bash on some systems). However, if an application invokes bash explicitly it will still be vulnerable.
"Even client systems that don't explicitly run network facing services may be vulnerable too, by way of software such as the DHCP client that may pass data received from a DHCP server through bash. This means that malicious WiFi hotspots could potentially compromise vulnerable systems.
"All Linux/Unix/OS X sysadmins should be scrambling to update bash on all their systems, prioritizing those exposed to untrusted networks.
"Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface -- this likely won't be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required."
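Two of the checks Pratt recommends above can be scripted. The following is an added example and not code from the post, Bromium or any bash distribution: it resolves a shell path to the binary it really is (the "'sh' is actually the same binary as bash on some systems" caveat), and it spawns helper programs without any shell and with an allowlisted environment, so request-derived variables (a CGI server exports client headers as HTTP_* variables) never reach a shell at all. The SAFE_ENV_KEYS allowlist and the cgi_env mapping are assumptions constructed for the example.

```python
# Added example (not from the post or from Bromium): defensive checks that
# follow from the advice quoted above.
#  1. Resolve a shell path to the binary it really is, because on some
#     systems /bin/sh is a symlink to bash and "switching to sh" changes nothing.
#  2. Spawn helper programs without a shell and with an allowlisted
#     environment, so variables derived from a client request (CGI's HTTP_*)
#     are never exported to a shell in the first place.
import os
import subprocess
import sys

# Variables a helper program normally needs; everything else is dropped.
# This allowlist is an assumption for the example; tune it per application.
SAFE_ENV_KEYS = ("PATH", "LANG", "LC_ALL", "TZ")


def shell_kind(path):
    """Name of the binary a shell path ultimately points to (symlinks followed).

    For a path that does not exist, os.path.realpath() returns it unchanged,
    so the basename of the requested path is reported.
    """
    return os.path.basename(os.path.realpath(path))


def sh_is_bash(path="/bin/sh"):
    """True when `path` exists and is really bash, the case the quote warns about."""
    return os.path.exists(path) and shell_kind(path) == "bash"


def scrubbed_env(environ, keep=SAFE_ENV_KEYS):
    """Keep only allowlisted variables from a process environment mapping."""
    return {k: v for k, v in environ.items() if k in keep}


def run_without_shell(argv, environ=None):
    """Run argv directly: no shell parses the command line, and the child
    sees only the scrubbed environment. Returns (exit status, stdout)."""
    if not isinstance(argv, (list, tuple)) or not argv:
        raise ValueError("argv must be a non-empty list; never pass a shell string")
    env = scrubbed_env(os.environ if environ is None else environ)
    result = subprocess.run(argv, capture_output=True, text=True, env=env, check=False)
    return result.returncode, result.stdout.strip()


def child_env_names(environ):
    """Spawn a Python child and ask it which variable names it received,
    to show that the untrusted CGI-style variable does not reach the child."""
    code = "import os; print(' '.join(sorted(os.environ)))"
    status, out = run_without_shell([sys.executable, "-c", code], environ)
    return status, out.split()


if __name__ == "__main__":
    # Constructed CGI-style environment: PATH is legitimate, HTTP_USER_AGENT
    # holds whatever the remote client sent.
    cgi_env = {"PATH": "/usr/bin:/bin",
               "HTTP_USER_AGENT": "value chosen by the remote client"}
    print("/bin/sh is really bash:", sh_is_bash())
    print("child received:", child_env_names(cgi_env))
```

Run it on a server as the same user the web application runs as; if `sh_is_bash()` prints True, changing the application's shell to `sh` does nothing and `dash` (or no shell at all) is the change that matters. Note the child may add a locale variable of its own (Python's C-locale coercion), which is why the demonstration checks for the absence of the untrusted variable rather than for an exact set.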
Thursday, September 25, 2014
PBS Nova: Rise of the Hackers
Great show last night. Quantum computing will kill security as we know it; but quantum cryptography will trump it and win.
Tuesday, September 9, 2014
Have You Been VNCeen?
This just in from Lara Lackie at Eskenzi PR:
""Hacker summer camp" has come and gone. The annual pilgrimage to Las Vegas (for events like DEF CON, Black Hat and BSides) makes it pretty clear that what happens in Vegas certainly doesn’t stay there, and this year was no exception. Sometimes these stories become water-cooler chatter. Sometimes they’re recounted in buzzing IRC channels, and sometimes they light up Twitter and even major media outlets.
"One of the stories that had the Internet buzzing was that of "thousands of people oblivious to the fact that anyone on the Internet can access their computers." Oftentimes titles like this wind up being hyperbole, however that isn’t the case here.
"On the Saturday of DEF CON, there was a panel on “Mass Scanning the Internet: Tips, Tricks, Results.” I, unfortunately, didn’t make it in to the presentation, however a short time later the tweets were all over my timeline.
"These tweets showed images of peoples’ home automation systems, people watching movies and (what appears to be) an industrial control system for an ice rink. These are just a few examples, but more and more tweets kept popping up with images like these. Among them were all sorts of things that were likely not meant for the eyes of random Internet onlookers.
"These screenshots were not the result of some crazy 0day-laden hacking spree or the computers of RAT victims. Rather, the screenshots were the result of simply scanning the Internet for VNC (remote viewing/access) servers that didn’t require any kind of authentication.
"In what was hardly a hacker summer camp first, the panelists received complaints that what they were doing was illegal. They responded saying that’s not the case. Lancope StealthWatch labs feel that this is missing the point. The point is that all of these machines are out there for anyone who wants to look. And people DO look.
"Lancope’s StealthWatch Labs has monitored attempted remote admin connections to show that the sort of activity talked about at DEF CON is actually happening all the time.
"They have a full blog post discussing their findings and give advice on what to do in order to reduce the number and quality of opportunities presented to those who might be scanning your network.
"To read the blog in full, please click here."
Jeff Stapleton to Speak at Biometrics Unplugged and at SecureWorld
Jeff Stapleton, author of Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, is speaking at these conferences:
Biometrics Unplugged on September 15 in Tampa, FL
SecureWorld on Oct 29-30 in Dallas
Monday, September 8, 2014
Manufacturers Losing Intellectual Property to Security Breaches
While this isn't new (spies have been stealing IP for as long as there has been IP to steal), the techniques have changed. And while the PRC seems to be villain #1, our so-called allies, such as Israel and France, are just as active.
So, what's a person to do? You can start with Trade Secret Theft, Industrial Espionage, and the China Threat.
This book provides an overview of economic espionage as practiced by a range of nations from around the world—focusing on the mass scale in which information is being taken for China's growth and development. It supplies an understanding of how the economy of a nation can prosper or suffer, depending on whether that nation is protecting its intellectual property, or whether it is stealing such property for its own use. The text concludes by outlining specific measures that corporations and their employees can practice to protect information and assets, both at home and abroad.
Wednesday, August 13, 2014
"Digital Forensics Explained" Cited as Expert Testimony in US Supreme Court Case
Greg Gogolin's book, Digital Forensics Explained, was cited 8 times in a recent US Supreme Court case (expert testimony). The case concerned whether evidence admitted at petitioner’s trial was obtained in a search of petitioner’s cell phone that violated petitioner’s Fourth Amendment rights.
Monday, June 2, 2014
CISOs Reveal Top Firms Failing on Security Awareness Training
Is this a failure of will, of process, or of failing to enforce policies and procedures? There's something to be said for a draconian approach to enforcement. Touchy-feely really doesn't work.
With resources like these books available, there's no reason for this failure.
Managing an Information Security and Privacy Awareness and Training Program, Second Edition
Asset Protection through Security Awareness
Here's a partial list of available articles:
Why Information Security Training and Awareness Are Important
The ABCs of a Persuasive Security Awareness Program
Implementing an Information Security Awareness Program