Internet Explorer Exploit

“Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyberattacks could now surge and affect Internet Explorer users.”1

Freelance journalist Dara Kerr reports through CNET that Rapid7’s latest Metasploit penetration testing module makes the details of the exploit for the IE vulnerability CVE-2013-3893 available to the world, and especially to cybercriminals.

According to PCWorld, this exploit is thought to have been in use for close to 4 months, with most of the attacks occurring in Japan and Taiwan.

Microsoft is aware of the defect and is working on a permanent patch to guard against the exploit. Microsoft announced the problem and released a “Fix It” tool last month. The next batch of security updates from Microsoft is scheduled for Oct. 8th, and there has been no indication whether a permanent fix for this issue will be included.

Here is Microsoft’s official release on the vulnerability:

Microsoft has completed the investigation into a public report of this vulnerability. We have issued the MS13-080 security bulletin to address the Internet Explorer memory corruption vulnerability (CVE-2013-3893). For more information about this issue, including download links for an available security update, see MS13-080.2

Brian Krebs has this additional information to add in his article on the topic:

Microsoft said it is aware of targeted attacks that attempt to exploit the vulnerability (CVE-2013-3893) in IE 8 and IE 9 versions of the default Windows browser. According to an advisory issued today, the flaw is a remote code bug, which means malware or miscreants could use it to install malware just by coaxing IE users to browse a hacked or malicious Web site.3

Resources:

1. http://news.cnet.com/8301-1009_3-57605601-83/internet-explorer-exploit-release-could-trigger-a-surge-in-attacks/

2. https://support.microsoft.com/kb/2887505

3. http://krebsonsecurity.com/tag/cve-2013-3893/

Malware + ATM = Free Cash

Recently, there have been malware attacks on ATMs in Mexico. These attacks are not the typical card reader scams; rather, they rely on a piece of malware that can dispense cash on demand. “Ploutus” is the name of the malware program, which currently has to be manually installed on the machine via a CD-ROM drive. That means these money-hungry hackers have to physically break into the machines to install the software.

Safensoft, a Russian security firm, made the discovery late last month. Stanislav Shevchenko, its chief technology officer, said, “The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security.”

At this point, reports show that once the machine has been physically broken into, a specific sequence of events has to take place before the ATM will dispense money to the criminals. Part of this process is a specific key combination that must be entered via an external keyboard.

At this time, there have only been reports of this software affecting machines in Mexico, but that does not mean these incidents will necessarily stay confined there. This type of crime is new and is frightening to banks and ATM owners, considering that the criminals can drain an ATM of all of its cash quickly.

References:

http://www.theregister.co.uk/2013/10/11/mexico_atm_malware_scam/

We’ve been VerAfied! Part Two

If you have not read part one of this post, read it here.

Veracode’s Risk Adjusted Verification Methodology

The ‘VerAfied’ standards-based mark of security quality was established by Veracode to provide a pragmatic way to measure and compare risk levels related to application security, and it is designed entirely with industry standards in mind. Its basis is the “Security Quality Score”, an aggregate of all the security flaws uncovered by the scans described in part one, categorized by severity and normalized to a 0 to 100 scale. As stated in part one, PortalGuard achieved a ‘100’ “Security Quality Score” for both the Static and Dynamic evaluation types, and has therefore been confirmed to contain no vulnerabilities at any severity level (from very low to very high) in either test, nor any traces of vulnerabilities from the OWASP Top 10 or CWE/SANS Top 25 lists. The major credibility behind the ‘VerAfied’ mark is that it combines an array of respected industry standards into one meaningful system. Some of the industry standards it leverages are:

MITRE’s Common Weakness Enumeration (CWE) – A compilation of identified flaw types, each associated with a CWE ID number and a severity measurement based on the confidentiality, integrity, and availability impacts the flaw may cause, as defined in FIRST’s CVSS, described below.

FIRST’s Common Vulnerability Scoring System (CVSS) – A vulnerability scoring system used by the National Vulnerability Database, NIST’s U.S. government repository of standards-based vulnerability management data, as well as by other major software corporations. The system has been highly recommended and was described by Gartner as “…a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”

NIST’s definitions of assurance levels – Found in OMB document M-04-04, the assurance levels described there are organized according to damage to reputation, financial loss or liability, harm to operations, unauthorized information disclosure, and personal safety, among other impacts. Specifically, Veracode’s scans support the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0.

For more information on these systems, please visit the respective organizations’ websites mentioned above. More information regarding Veracode and their mark of quality can be found on their website.

We are very excited to have worked with Veracode on achieving PortalGuard’s ‘VerAfied’ status, and even more excited to have had our product pass all of their vulnerability scans with perfect scores and flying colors.

We’ve been VerAfied! Part One

If you have visited our PortalGuard.com homepage recently, you might have noticed that the PortalGuard product has been officially awarded ‘VerAfied’ status by Veracode, a leading company in Application Risk Management and analysis. This means that, throughout Veracode’s series of formal application assessments, the PortalGuard software either met or exceeded the criteria outlined in their Risk Adjusted Verification Methodology for mission-critical applications. In other words, you can rest assured that PortalGuard, from security and security compliance standpoints, front-end to back-end, is a truly rock-solid Authentication Platform solution.

To support this claim, allow me to describe in more detail what it means to be VerAfied and the process it takes to attain this status. First, let’s go over the major types of assessments that were performed and the nature of the vulnerabilities they attempt to uncover. In part two of this post we will elaborate on the effectiveness and credibility of Veracode’s Risk Adjusted Verification Methodology.

Static Binary Analysis

Static Binary Analysis, or “white-box” testing, is a meticulous look into the product’s code. This method of analysis seeks to uncover vulnerabilities and flaws that may otherwise be concealed once the software is in a runtime environment. By automatically walking through the application’s control and data flow, via its executable machine code, the examination is able to identify hard-to-find vulnerabilities relating to linked libraries, APIs, compiler optimizations, and other areas that simple code debugging cannot. The approach goes beyond other source code tools and is able to detect threats arising from possible malicious code and backdoors within the core application, extending to those potentially in 3rd-party libraries or other pre-packaged components. The result is the most intensive, accurate, and complete software security testing available. Having been reviewed by this process, the PortalGuard software has been awarded the highest score available in Static Binary Analysis and, by extension, regulatory compliance.

Dynamic Analysis

While “white-box” analysis examines software outside of the runtime environment, the complementary approach of Dynamic Analysis, or “black-box” testing, covers vulnerabilities best found by probing the application from within the runtime environment. Research by Gartner and the U.S Computer Emergency Response Team has shown that 75% of malicious attacks on web applications specifically target the application layer, seeking to exploit potential weaknesses hidden there. Veracode’s automated Dynamic Analysis vulnerability scanner takes a similar approach, conducting its examination during runtime and detecting flaws within the application layer in much the same way a hacker would. The automated process can, however, map far more of the application than a hacker practically could, and so it identifies far more vulnerability attack vectors in far less time. In addition, since Veracode’s Dynamic scanner keeps records of all the previous scans it has performed, it is always applying the latest knowledge of common vulnerabilities and is always evolving to stay current with the latest web technologies. Whereas Static Analysis is the ultimate in source code analysis, Dynamic scanning completes the picture by offering the ultimate vulnerability scan for web application front-end flaws and exploits. Having been rigorously tested by the Dynamic scanning processes, first automatically and then with a comprehensive set of automation scripts covering a large variety of unique usage scenarios, the PortalGuard software has been awarded the highest score available for dynamic evaluation.

Remember to read Part Two tomorrow.

Facebook Removes Privacy Feature

Facebook is undoubtedly one of the largest social networks in the world and is seen as an industry leader. Last week they announced that they will be removing a feature that, although used by a small percentage of users, allows you to prevent your profile from being found directly via their search bar. It is important to note that this feature has already been unavailable since last year to users who were not using it.

Many of their privacy features are still intact and do not look like they will be impacted anytime soon. That being said, it may be a good time to look at your personal privacy settings to see how exposed you are. It is very easy to change your privacy settings on Facebook so that only your friends can see posts, comments and other things you may have shared. You may not think much of what you post on your Facebook account, but more and more companies look to social media to learn more about their prospects during the application process.

Last week we talked about a recent TED Talk. The talk harped on the vulnerability of your information if security settings are not put in place on Facebook. If you haven’t checked that article out yet, it is well worth reading, and the talk is well worth watching.

For more information on this privacy setting change, click here.

Private Sector to Help with Homeland Security

“The ability for the private sector to invest, co-develop and integrate innovative technologies into the cybersecurity marketplace will significantly impact progress in threat deterrence and mitigation.”

The above quote is from an article written by Charles Brooks of SecurityInfoWatch.com that reports on an interesting program put in place at the Department of Homeland Security (DHS) Science & Technology (S&T) Directorate. The program is called the Transition to Practice Program (TTP), and its directive is to involve the private sector in the development of cybersecurity technologies that have been started by the Department of Energy (DOE) National Labs and Federally Funded Research & Development Centers (FFRDCs).

The Cyber Security Division (CSD) of S&T heads up the TTP efforts and works closely with the Commercialization Office. This office has successfully compiled a list of over 2,000 technologies, services and/or products that may work well with the security requirements of DHS. The priority for both CSD and the Commercialization Office is to get the security needs of certain government departments satisfied. CSD is involved with the entire development process, from design through test and development as well as deployment.

DHS has realized that it is not able to keep up with the ever-increasing demand to handle next-generation threats, and as a result is looking to the private commercial sector to help with the increased pressure.

The TTP is scheduled to introduce new innovative cybersecurity ideas in October of 2013.

You can get more information and read the full article from here.

Everyday Cyber Crime

On our blog we have often discussed malware and passwords, but how much of that information do you actually put into action in your life and workplace?

If you have not yet watched the TED Talk by James Lyne: “Everyday cybercrime — and what you can do about it,” you should.

Lyne breaks down the threat of your computer being attacked to a level that all of us can relate to. He reminds us that even if we are taking all of the necessary precautions, our family members and co-workers could be exposing us.

How often have you uploaded a photo from your smartphone without realizing it has geographic coordinates attached to it? Did you know that when you use public Wi-Fi on your device, someone else in the same location is able to see what other Wi-Fi networks your device has previously connected to? These are just a few of the points that Lyne covers, along with the basics of today’s hackers.

Lyne closes with the following: “You are going to see some astonishing stories in the news, you are going to read about malware doing incredible and terrifying scary things. However, 99% of it works because people fail to do the basics. So my ask is this: go online, find these simple best practices, find out how to update and patch your computer, get a secure password, make sure you use a different password on each of your different sites and services online, find these resources, apply them.

The Internet is a fantastic resource for business, for political expression, for art and for learning. Help me and the security community make life much, much more difficult for cyber criminals.”

We encourage you to take 20 minutes to watch the complete TED Talk here.

Firefox App On Android Has Vulnerability

“He responsibly disclosed the details to Mozilla that allows hackers to access both the contents of the SD card and the browser’s private data”.1

Mohit Kumar, from The Hacker News, discusses a topic that is worth your time if you have an Android mobile phone and use the Firefox app on it.

“Mobile Browsers are complicated applications and locking them down against threats is extremely difficult. According to a Mobile Security Researcher, Sebastián Guerrero from ‘viaForensics’, Android‘s Firefox browser app is vulnerable to Hackers.”1

The article provides a video that demonstrates how the data on the mobile device can be accessed. Mohit points out that the vulnerability can only be leveraged if a malicious application is installed, or if a locally stored HTML file containing malicious JavaScript code is opened in the vulnerable Firefox app.

Mozilla has addressed this chink in their armor, and the fix is available in Firefox 24 for Android. If this vulnerability pertains to you, it would be a good idea to upgrade your Firefox Android app ASAP, as it would appear that a “Russian hacker has put a “Zero-day” exploit for sale that forces the Android FF browser to download and execute a malicious app.”1

You can find the complete article here:

1. http://thehackernews.com/2013/10/androids-firefox-app-vulnerability.html

National Cyber Security Awareness Month

“October is National Cyber Security Awareness month.

This laudable public awareness initiative was launched 10 years ago by the U.S. Department of Homeland Security and the National Cyber Security Alliance.”[1]

The topic for the first week of the month is general online security. Recently, our blog has discussed the problems we often come across when it comes to our families in the digital age. It is important to discuss not only the importance of passwords with children, spouses, or co-workers, but other safety precautions too.

It may come down to the fact that some people just don’t know any better, like our examples of the grandmother and the Netflix password or the teenagers sharing their Facebook password. It is always better to talk to your family, or to the people who share the same network as you, sooner rather than later about making smart decisions online.

Here are some tips as highlighted by the National Cyber Security Alliance:

- Make sure that your security software is current and that it is set to update automatically. If you are using other devices such as USB drives, make sure that you scan them with security software to detect viruses.

- Protect yourself by making sure your information is kept private. A good rule of thumb for online security is not to use the same password for every account. Make sure your passwords are unique and use capital and lower case letters, numbers, and symbols. Major websites like Twitter now offer two-factor authentication in addition to passwords.

- Be smart about opening links: an email, a tweet, or even a Facebook message might be spam, and if so, delete it. You would rather be over-cautious than end up with a virus.

- Be savvy about what accounts you access on public Wi-Fi.

- Always remember to make a back-up of the important files you have on your computer. [2]

For more helpful tips visit staysafeonline.org