Analyst firm Gartner is predicting that by 2017, the focus of endpoint security breaches will shift to mobile devices such as tablets and smartphones.

With nearly 2.2 billion smartphones and tablets expected to be sold in 2014, Gartner believes attackers will continue to pay more attention to mobile devices. By 2017, 75 percent of mobile security breaches will be the result of mobile application misconfigurations, analysts said.

“Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” said Dionisio Zumerle, principal research analyst at Gartner, in a statement. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”

Doing significant damage in the world of mobile devices requires that malware be launched on devices that have been altered at the administrative level, Zumerle argued. While jailbreaking or rooting phones allows users to access device resources that are not normally accessible, they also put data in danger because they remove app-specific protections as well as the safe ‘sandbox’ provided by the operating system, he said, adding that they can also allow malware to be downloaded to the device and enable malicious actions.

“The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” he said.

Gartner recommends organizations protect mobile devices using a mobile device management policy as well as app shielding and containers that protect important data. In addition, passcodes should be used alongside timeout standards and a limited number of retries. Jailbreaking or rooting devices should not be allowed.

“We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device,” Zumerle said.

Tags:

• Mobile Security
• NEWS & INDUSTRY

Security experts and eBay have confirmed that a recent user database being advertised on Pastebin was not obtained as a result of the data breach suffered by the online marketplace earlier this year.

On May 21, eBay admitted that its corporate network had been breached sometime between late February and early March 2014. The attackers compromised the login credentials of a small number of employees and used the data to gain access to the details of eBay’s 145 million customers. The breach was discovered only in early May.

While there’s no evidence that financial information has been compromised, or that PayPal customers are impacted, the cybercriminals have managed to gain access to names, email addresses, physical addresses, phone numbers, dates of birth and encrypted passwords.

It’s uncertain who is behind the attack, but other cybercriminals and scammers are already trying to profit from the incident. Experts have reported seeing a higher number of PayPal and eBay phishing attacks, and, a post on Pastebin was found offering to sell 145,312,663 eBay customer records for 1.453 Bitcoin (around $ 750).

The seller has published a sample of 12,663 names, password hashes, email addresses, physical addresses, phone numbers and dates of birth allegedly belonging to eBay customers in the Asia-Pacific region.

Both security experts and eBay have analyzed the sample and determined that the data is fake. eBay representatives say none of the credentials appear to belong to customers.

Security expert Kenn White has also analyzed the data and found that it appears to originate from older leaks.

Security blogger Brian Krebs also believes that the data is fake. Allison Nixon, a threat researcher with Deloitte & Touche LLP, has told Krebs that the scammers are most likely hoping that security companies will purchase the data for research purposes.

In its official data breach announcement, eBay failed to disclose how it encrypts customer passwords, but  company representatives have told Reuters that a “sophisticated, proprietary hashing and salting technology” is used to protect them. On Twitter, eBay noted that passwords are hashed and salted, and there is no evidence that the encryption has been broken.

However, users are advised to change their passwords as a precaution. While some have criticized the company for not forcing password resets, as Australian security expert Troy Hunt highlights, that might not be such a good idea.

First of all, if the passwords are stored cryptographically and the company is confident that the information can’t be cracked easily, forcing a reset may be “overkill.” Furthermore, as Hunt explains, resetting the passwords of 145 million people at the same time and asking them to visit the site to set new ones might be too much for eBay’s servers, and it could be like launching a DDOS attack against themselves.

Another important aspect emphasized by Hunt and other security experts is the fact that it took eBay such a long time to detect the breach.

“What I find very distressful is the fact that the breach occurred 2 months ago and they found out just two weeks ago,” IT security expert Sorin Mustaca told SecurityWeek.

As far as disclosing information about the incident, Mustaca noted, “eBay is very careful in what they disclose because they are afraid of being sued. And indeed, I’ve seen in the media that there are already some attempts to sue them over their practices in what the security of the network is concerned.”

Tags:

• NEWS & INDUSTRY
• Incident Management

Researchers at Rapid7 have uncovered information disclosure issues in SNMP [Simple Network Management Protocol] on embedded devices that could cause them to leak authentication data.

The issues were reported last week as part of a talk at CarolinaCon. According to Rapid7‘s Deral Heiland, the problems were discovered in consumer-grade modems and a load balancer. The situation allows authentication data to be swiped by attackers via the read-only public SNMP community string. The problem was uncovered in the following devices: the Brocade ServerIron ADX 1016-2 PREM TrafficWork Version 12.500T40203 application load balancer; the Ambit U10C019 and Ubee DDW3611 series of cable modems; and the Netopia 3347 series of DSL modems.

“While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information,” blogged Heiland, senior security consultant at Rapid7. “In practice, the low-hanging fruit are often picked first. And with that, we have three new disclosures to discuss.”

“The first involves a Brocade load balancer (you might have one of these in your rack),” he noted. “The second and third involve some consumer-grade modems from Ambit (now Ubee) and Netopia (now Motorola). For the modem/routers, you might have one of these at a remote office, warehouse, guest wi-fi network, water treatment plant, etc. They are quite common in office and industrial environments where IT doesn’t have a strong presence. Shodan identifies 229,409 Ambit devices exposed to the internet, and 224,544 of the Netopia devices.”

Heiland uncovered the vulnerabilities with independent security researcher Matthew Kienow.

According to Heiland, the Brocade device stores username and passwords hashes within the SNMP MIB [Management Information Base] tables at the following OID Indexes:

• Username:            1.3.6.1.4.1.1991.1.1.2.9.2.1.1         
• Password hash:    1.3.6.1.4.1.1991.1.1.2.9.2.1.2

“The Brocade ServerIron load balancer has SNMP enabled by default,” he explained. “The community string “public” is configured by default. Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the passwords hashes for an offline brute force attack.”

The Ambit U10C019 and Ubee DDW3611 series of cable modems store the following information within the SNMP MIB tables at these OID [Object Identifier] Indexes:

 U10c019

• Username:             1.3.6.1.4.1.4684.2.17.1.2.1.1.97.100.109.105.110
• Password:              1.3.6.1.4.1.4684.2.17.1.1.1.2.97.100.109.105.110
• WEP Keys Index:   1.3.6.1.4.1.4684.2.14.2.5.1.2
• WPA PSK:             1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.6
• SSID:                     1.3.6.1.4.1.4684.2.14.1.2.0

DDW3611

• Username:            1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
• Password:            1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
• WEP Key Index:   1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12
• WPA PSK:           1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12
• SSID:                  1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12

SNMP is not enabled by default on these devices, blogged Heiland. However, a number of cable providers that utilize Ubee devices enable SNMP with the community string of “public” on the uplink side of the cable modem for remote management purposes, which makes it possible in those cases to enumerate this data over the Internet, he explained. 

In the case of the Netopia 3347 series of DSL modems, SNMP is enabled by default with the community string of ‘public’ on the internal interface. These devices store the following information with the SNMP MIB tables at the following OID indexes:

• WEP Keys Index:  1.3.6.1.4.1.304.1.3.1.26.1.15.1.3
• WPA PSK:             1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1
• SSID:                     1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1

“The DSL side is not enabled by default, but currently a number of DSL providers that still utilize the Netopia 3347 series devices enable SNMP with community string of public on the uplink side of the DSL for remote management purposes,” he blogged. 

This makes it possible to enumerate this data over the Internet, he explained. The modems that were tested are end-of-life, so it is unlikely that firmware updates will be released to address the defaults, he added.

“Of course, just because something is end-of-life doesn’t mean it disappears from the Internet — causal Shodan browsing attests to that,” he blogged. “Further, we cannot know if these configurations persist in current, supported offerings from the vendors, but you might want to check yours when you get a chance to download Metasploit.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

The term “Tipping Point” is controversial because it has been so widely misused and loosely applied; two abuses that I often see in the cyber security marketplace. However, there are examples where a tipping point has been found to exist through more rigorously applied studies.

One study showed the point where hospitals begin to fail resulting in the deaths of critically ill patients: “What our research revealed is that there is, in fact, a tipping point which was triggered strongly at midnight occupancy levels of around 92 per cent in our data. When the tipping point was exceeded, patients began dying in significant numbers.”

The risk of a fire turning into a firestorm due to the density of trees in a forest occurs at 59% density: “The risk of catastrophic fire does not increase in a linear relationship with the density of the forest. Instead there is a tipping point at about 59% density.”

My interest with tipping points have to do with critical infrastructure such as the power grid or transportation routes. A lot of papers have been written about cascading failures such as [1] and [2], however what would happen if a small terrorist group with moderate knowledge of industrial control systems wanted to create sustained or repeated outages? Think of the different regional grids in the U.S. as songs on an adversary’s playlist, and he just hit “Shuffle”. What would be the tipping point before social order in the U.S. would collapse?

I don’t know if there’s a good answer to that question, but I think it’s one that needs exploring. Therefore, I’ve organized a panel to address the issue from different angles at Suits and Spooks New York. Joining me will be Joe Weiss, an internationally known ICS expert and Dr. John Mallory of MIT.

If you’d like to hear this discussion and add your perspective, please register to join us at Suits and Spooks New York on June 20-21, 2014. This will be just one of many great panels and speakers. Suits and Spooks New York will mark the first SecurityWeek-branded two day event. Hope to see you there.

Footnotes:

[1] Saleh Soltan, Dorian Mazauric, Gil Zussman: Cascading Failures in Power Grids – Analysis and Algorithms

[2] Paulo Shakarian, Hansheng Lei, Roy Lindelauf: Power Grid Defense Against Malicious Cascading Failure.

Tags:

• Cyberwarfare
• INDUSTRY INSIGHTS

If there is a silver lining to the series of high-profile targeted attacks that have made headlines over the past several months, it is that more enterprises are losing faith in the “magic bullet” invulnerability of their prevention-based network security defense systems.

That is, they are recognizing that an exclusively prevention-focused architecture is dangerously obsolete for a threat landscape where Advanced Persistent Threats (APTs) using polymorphic malware can circumvent anti-virus software, firewalls (even “Next Generation”), IPS, IDS, and Secure Web Gateways — and sometimes with jarring ease. After all, threat actors are not out to win any creativity awards. Most often, they take the path of least resistance; just ask Target.

As a result of this growing awareness, more enterprises are wisely adopting a security architecture that lets them analyze traffic logs and detect threats that have made it past their perimeter defenses – months or possibly even years ago. It is not unlike having extra medical tests spot an illness that was not captured by routine check-ups. Even if the news is bad (and frankly, it usually is), knowing is always better than not knowing for obvious reasons.

m

However, while analyzing traffic logs is a smart move, enterprises are making an unwelcome discovery on their road to reliable threat detection: manual analytics is not a feasible option. It is far too slow, incomplete, expensive, and finding qualified professionals in today’s labor market is arguably harder than finding some elusive APTs; at last look on the “Indeed” job board, there were over 27,000 unfilled security engineer positions in the US alone.

The average 5,000 person enterprise can expect their FW/IPS/SWG to generate over 10 gigabytes of data each day, consisting of dozens of distinct incidents that need to be processed in order to determine if and how bad actors have penetrated the perimeter. All of this creates more than a compelling need for automated analysis of traffic logs, which allows enterprises to:

● Efficiently analyze logs that have been collected over a long period of time

● Process logs at every level: user, department, organization, industry, region

● Correlate the logs with malware communication profiles that are derived from a learning set of behaviors and represent a complete picture of how malware acts in a variety of environments

● Use machine learning algorithms to examine statistical features, domain and IP reputation, DGA detection, and botnet traffic correlation, etc.

● Adapt by using information about different targeted and opportunistic attacks from around the world (“crowdsourcing”) in order to get a perspective on the threat landscape that is both broader and clearer

● Integrate credible and actionable threat data to other security devices in order to protect, quarantine, and remediate actual threats

● Get insight on how the breach occurred in order to aid forensic investigations and prevent future attacks

With this being said, does this mean that enterprises will finally be able to prevent 100% of the targeted attacks? No; there has never been a magic bullet, and this is unlikely to change in our lifetime. Any belief to the contrary plays directly into the hands of threat actors.

However, automated traffic log analysis can help enterprises reduce the number of infections, including those that they do not know about, yet are unfolding in their networks right now, before the compromise becomes a breach. And considering that it only takes one successful breach to create a cost and reputation nightmare that can last for years, the question is not whether automatic analysis makes sense, but rather, how can enterprises hope to stay one step ahead of the bag guys without it?

Related Reading: The Next Big Thing for Network Security: Automation and Orchestration

Related Reading: Network Security Considerations for SDN

Related Reading: Making Systems More Independent from the Human Factor

Related Reading: Software Defined Networking – A New Network Weakness?

Tags:

• INDUSTRY INSIGHTS
• Network Security

LONDON – Infosecurity Europe – The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, announced the release of two key documents related to the CSA’s Software Defined Perimeter (SDP), an initiative to create the next generation network security architecture. The SDP Version 1.0 Implementation Specification and SDP Hackathon Results Report provide important updates on the SDP security framework and deployment in protecting application infrastructures from network-based attacks.  CSA will be providing press briefings about SDP developments at Infosecurity Europe.

The SDP, a collaboration between some of the world’s largest users of cloud computing within CSA’s Enterprise User Council, is a new approach to security that mitigates network-based attacks by creating dynamically provisioned perimeters for clouds, demilitarized zones, and data center infrastructures. 

The SDP Version 1.0 Implementation Specification being released today provides a detailed description of the base architecture.  Version 1.0 provides the necessary information to design and implement a highly secure network system for a wide variety of use cases.  As part of the updated framework, key concepts comprising the SDP, such as Single Packet Authorization (SPA) and Mutual Transport Layer Security (TLS) have undergone extensive review.  Additionally, a number of CSA members, including some of the largest global companies, have SDP pilots in place.

Also being released today, the SPD Hackathon Results Report Whitepaper provides a detailed explanation of the SDP concept, its multiple layers of security controls, and the results of the hacking contest. The Hackathon, announced by Alan Boehme of Coca Cola at the CSA Summit at RSA 2014, invited hackers worldwide to attack a server defended by the SDP.  While more than 10 billion packets were fired at the SDP from around the world, no attacker broke through even the first of five layers of security controls specified by the SDP architecture.

“The Hackathon provides critical validation for the multi-layer SDP security model. Even after 10 billion attack packets, no one was able to crack even the first layer of SDP security controls during the event,” said Junaid Islam, co-chair of the SDP Working Group and CTO of new CSA corporate member Vidder, Inc. “Its the goal of this research initiative to keep testing SDP against real life attack scenarios to provide the highest level of security for cloud, mobile computing and the Internet of Things applications.” 

In releasing the SDP Version 1.0 Implementation Specification, the SDP working group is providing the industry with a validated and proven concept for cloud-based security models and has also announced an open call for participation for the development of version 2.0.  According to Bob Flores, former CTO of the CIA and Chief Executive Officer of Applicology Incorporated and SDP Working Group Co-Chair, now is the time for interested experts to get involved.  “Today’s release of SPD 1.0 will enable sufficient industry participation and feedback to allow CSA to release version 2.0 at the CSA Congress US taking place Sept 17-19 in San Jose, CA.“

“The new SDP specification, together with the results of the Hackathon, represent the tremendous progress and confidence we have in making this framework part of every organization’s security posture in the future,” said Jim Reavis, CEO of the CSA.  “Now it is time for the industry to join us in the next phase of the SDP, version 2.0, to make the framework stronger and even more secure against outside attacks.”

SOURCE Cloud Security Alliance

Tags:

• Network Security
• NEWS & INDUSTRY
• Cloud Security
• Security Infrastructure

Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013. 

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. 

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. 

Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.

If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.

FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.

FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.” 

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.

Additional technical details are available from FireEye. Microsoft also has provided some mitigation information. 

Related: ASLR Bypass Techniques Appearing More Frequently in Attacks

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Vulnerabilities
• Data Protection

Oracle issued an advisory today listing both security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact on Oracle products.

“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle noted in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160.  In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-016.”

The products known to be vulnerable include and for which there are patches are: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier. Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.

There are other products that are considered likely to be vulnerable but have no fixes, such as Java ME – JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are considered by Oracle to be potentially vulnerable but are still investigation. 

“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”

“The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls,” Oracle noted. Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities