Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

A code injection flaw (CVE-2015-0977) has been found in IntraVUE by Jürgen Bilberger from Daimler TSS GmbH, a security researcher who has discovered and reported vulnerabilities in several industrial control system (ICS) products over the past years.

According to an advisory from ICS-CERT, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary operating system commands that could impact the availability, integrity, and confidentiality of affected servers.

This is a high-severity vulnerability with a CVSS base score of 10. Even an attacker with low skill could leverage the bug, but there is no evidence that an exploit is publicly available, ICS-CERT noted.

The security hole affects all Windows versions of IntraVUE prior to 2.3.0a14. The issue has been addressed with the release of IntraVUE 2.3.0a14 on February 9. In the meantime, Network Vision also released version 2.3.0a16, which brings some functionality improvements.

“It is recommended that the new version be applied as soon as possible. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost,” reads the advisory from ICS-CERT.

Network Vision is a Newburyport, Massachusetts-based company that provides industrial Ethernet solutions for sectors such as automation, critical manufacturing, transportation, and water systems.

IntraVUE, the company’s flagship product, is designed to provide Ethernet device visualization and enable organizations to quickly identify issues affecting devices deployed in distributed and hostile environments. The solution can be used to identify duplicate MAC and IP addresses, connection or application faults, device or cable moves, and unauthorized connections.

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Welcome back to Feedback Friday! An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

The incident came to light earlier this week when an official said they had identified “activity of concern” on the unclassified network of the Executive Office of the President (EOP) while assessing recent threats. The official said the attackers didn’t cause any damage, but some White House users were temporarily disconnected from the network while the breach was dealt with.

Experts have pointed out that while the attackers breached an unclassified network, it doesn’t necessarily mean that they haven’t gained access to some useful data, even if it’s not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.

And the Feedback Begins…

Amit Yoran, President at RSA:

“The breach underscores the constant siege of attacks on our government and businesses. Fortunately — by definition — information with grave or serious impact to national security is classified and would not be found on an unclassified network. That said, there is most likely information on unclassified networks that the White House would not like public or for 3rd party consumption.

As for the profile of the adversary, the White House uses the latest security technologies making them a very challenging target to breach. Top secret clearances are required for access to networks and personnel are continuously and rigorously vetted. As such — and acknowledging that until a thorough investigation is completed, speculation can be dangerous — a standard botnet or phishing malware is a less likely scenario than a focused adversary with time and expertise in developing customized exploits, malware and campaigns.”

Mark Orlando, director of cyber operations at Foreground Security. Orlando previously worked at the EOP where he led a contract team responsible for building and managing the EOP Security Operations Center under the Office of Administration:

“Sophisticated attackers constantly alter their approach so as to evade detection and they will eventually succeed. The best a defender can do in this case is to identify and respond to the attack as quickly and effectively as possible. It isn’t at all unusual for an attack like this one to be discovered only after a malicious email has been identified, analyzed, and distilled into indicators of compromise (subject lines, source addresses, file names, and related data elements) used to hunt for related messages or attacks that were initially missed. White House defenders routinely exchange this kind of data with analysts across the Federal Government to facilitate those retrospective investigations. That may have been how this compromise was discovered and that doesn’t amount to a ‘miss’.

While the media points to outages or delays in major services like email at the White House, this is also not an unusual side effect of proper containment and eradication of a threat like this one- especially if there are remote users involved. Incidents exactly like this one occur all over the Federal government and increasingly in the private sector as well; the only thing different about this attack that makes it more newsworthy than those other incidents is that it occurred at EOP.”

Tom Kellermann, Trend Micro chief cybersecurity officer and former commissioner on The Commission on Cyber Security for the 44th Presidency:

“Geopolitical tensions are now manifested through cyberattacks. The enemies of the state conduct tremendous reconnaissance on their targets granting them situational awareness as to our defenses in real time. This reality allows for elite patriotic hackers to bypass our defenses.”

Irene Abezgauz, VP Product Management, Quotium:

“Security, cyber or physical, relies heavily on risk management. With a large operation, it is difficult to secure everything on the same level, priority is often given to the more sensitive networks. In the case of the White House hack, the breached network was unclassified, meaning it probably has slightly different security measures than classified networks.

Government systems are prime targets for hackers. Even if the breached network is unclassified and no sensitive information was exposed, all government network breaches draw attention. In public opinion, attackers gaining access to government computer systems, no matter whether classified or not, reflects badly on the ability of the US to defend itself, especially when foreign nationals are suspected. In addition, availability and integrity must be maintained in systems that involve any kind of government decision making, more than in most other systems.

The bottom line is that high profile targets must maintain a high level of security on all networks. Hackers, private and state-funded, are continuously attempting attacks on these systems. Such attacks must be blocked in order to protect data within as well as assure the public of the ability of the government to protect its cyber systems.”

John Dickson, Principal at the Denim Group:

“Although initial reports emphasize the unclassified nature of the system and networks, security experts know that successful attacks against certain unclassified systems can, in fact, still be gravely serious. Given the fact this concerns perhaps the most high-visibility target in the world – the White House – and you potentially have a genuinely difficult situation.

On one hand, you have the issue of public confidence in our institutions of government. ‘If the attackers can compromise the White House, what else can the possibly get into?’ is a perfectly valid question from citizens who may not recognize the distinction between unclassified and classified systems. Also, sensitive information that is unclassified may traverse these systems and give attackers more context to allow them to put together a larger picture of what’s happening at the White House. Military folks call refer to this term as Operational Security, or OPSEC, and this is always a worry for those protecting the President, the White House, and the operations of the Executive Branch of government.

From a defensive standpoint, when you face a sophisticated attacker with substantial resources you have be constantly vigilant and assume certain systems will fail. It’s far too early to editorialize on theories of ‘what might have happened’ at the White House, but we always recommend a defense in depth approach to application and system design that ‘fails open,’ so that if an attacker compromises one type of defense, it doesn’t compromise the entire ecosystem.”

Ian Amit, Vice President at ZeroFOX:

“Much of the conversation surrounding the recent White House hack centers on the nature of the compromised network. The network is ‘unclassified,’ leading many people to believe the affected information is non-critical or innocuous. It’s important to note however that enough unclassified information, when aggregated and correlated, quickly becomes classified. Isolated data points might not mean much by themselves, but enough time spent passively listening to unclassified chatter can reveal some very sensitive intelligence.

So how much time was the hacker on the network? It’s difficult to tell. Security officials alerted on ‘suspicious activity.’ This phrase doesn’t give us much insight into how long the network was compromised. The hacker could have been active on the network for months without doing anything to sound the alarms. It’s one thing if a hacker is caught in the act of breaking in or stealing data. That kind of event information generally gives a clear indication of the attack timeline. Triggering on passive behavior makes this much more difficult.

With that said, it’s commendable that White House security officials are looking for behavioral cues rather than overt events to detect malicious activity. Soft indicators are much more difficult to detect and means the security officials are using some advanced tools to understand traffic on the network.”

Anup Ghosh, CEO of Invincea:

“The disclosure of breach from the White House this week was remarkable for its differences from a similar disclosure in 2012. It’s clear from recent press releases from security companies, that Russia is the New Black now. In fact, if you get hacked by the Chinese now, it’s almost embarrassing because they are considered less sophisticated than the Russians. So now, every breach seems to be attributed to Russians, though largely without any evidence.

A little more than two years ago in October 2012, the White House acknowledged a breach of its unclassified networks in the White House Military Office (which also manages the President’s nuclear ‘football’). The talking points at the time were: 1. Chinese threat, 2. Non-sophisticated attack method (spear-phish), 3. Unclassified network, so no harm. This week, the talking points are: 1. Russian government threat, 2. Sophisticated attack method (spear-phish), and 3. Deep concern over breach of unclassified network. The similarities between the two breaches are remarkable, but the reaction couldn’t be more different.

Before we indict the Russians for every breach now, it would be great to see some bar set for attribution to a particular group. It would also be great to not use “sophisticated” threat or Russians as a scape goat for not properly addressing spear-phishing threats with technology readily available off the shelf (and shipped with every Dell commercial device).”

Michael Sutton, VP of Security Reasearch for Zscaler:

“The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to ‘unnamed sources’, it’s safe to assume that the general public only has visibility into the tip of the iceberg. White House officials admitted that this latest breach was discovered ‘in the course of assessing recent threats’, suggesting that following the trail of breadcrumbs for one attack led to another.

In September, there were reports of yet another successful attack, this one leveraging spear phishing and compromising a machine on an unclassified network and earlier this month, details of the Sandworm attacks emerged, which leveraged a then 0day Microsoft vulnerability to target NATO and EU government agencies. All of these recent attacks have been attributed to groups in Russia and it’s likely that they’re tied together. All Internet facing systems face constant attack, but the White House understandably presents a particularly attractive target.

While all G20 nations have advanced cyber warfare capabilities and conduct offensive operations, Russia and China have been particularly aggressive in recent years, often conducting bold campaigns that are sure to be uncovered at some point.”

Zach Lanier, Senior Security Researcher at Duo Security:

“U.S. government and defense networks are often the target of attackers — and the White House is without a doubt very high on that list, regardless of the breached network reportedly being ‘unclassified’. Everyone from hacktivists to foreign intelligence agencies have sought after access to these networks and systems, so this intrusion isn’t a huge surprise.” 

Carl Wright, General Manager of North America for TrapX Security:

“When it comes to our military, government and its supporting national defense industrial complex, the American public’s expectation is and should be significantly higher. The Senate Armed Services Committee (SASC) findings in September highlighted how nation-state actors were targeting contractors with relation to the federal government so it is to be expected that actual government bodies are also being targeted.

95 percent of the security market is signature based and thus will not detect a targeted zero-day. We must operate under the notion that networks are already compromised and focus defenses on monitoring lateral movements within data centers and private networks as that is how hackers escalate their attack and access. Unfortunately, existing security technologies focus from the outside in, trying to understand the entire world of cyber terrorists’ behaviors which inundate security teams with alerts and false-positives.

These breaches demonstrate how traditional security tools alone don’t do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture to thwart today’s nation-states or crime syndicates whether foreign or domestic. With the United States President’s intranet being compromised, it truly shows the poor state of our national cyber defense capabilities.”

Nat Kausik, CEO at Bitglass:

“Organizations whose security models involve ‘trusted devices’ are naturally prone to breaches. Employees take their laptops on the go, get hacked at public WIFI networks, and come back to the office where the device is treated as trusted and allowed to connect to the network.

The compromised device enables the hacker to gain a broader and more permanent foothold inside the network. Government entities have long favored the ‘trusted devices’ model and are actually more prone to breaches than organizations that treat all user devices as suspect.”

Greg Martin, CTO at ThreatStream:

“It’s public knowledge that Russia has been very active in sponsored cyber espionage and attacks but have recently turned up the volume since both the Ukranian conflict and given the Snowden leaks which in my opinion have given Russian and China the open door to be even more bold in their offensive cyber programs.

Recent cyberattacks on retailers and financial institutions have been riddled with anti-US propaganda. This makes it increasingly difficult to pinpoint the backers as the activity is heavily blended threats between criminal actors, hack-tivist and state sponsored activity. As seen in the recent reports, Russia APT attacks have been prevalent in targeting U.S. interests including the financial sector.

ThreatStream believes organizations should accelerate their policy of sharing cyber threat information and look at how they currently leverage threat and adversary intelligence in their existing cyber defense strategies.”

Until Next Friday…Happy Happy Halloween and have a Great Weekend!

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management

Websense is providing free source code, queries and lookups designed to help organizations use Microsoft Error Reporting to identify USB devices connecting to their networks.

Also known as Dr. Watson reports, the Microsoft Error Reporting feature was indirectly the source of controversy a few weeks ago when it was made public that the NSA had intercepted these reports and use them to gather information about its targets. With this data in hand, the spy agency could get a better read on the hardware on software on a given network and use that information to tailor its cyber-operations.

According to Websense, enterprises can use Dr. Watson reports for their own use as well – in this case, to identify when a storage device such as a USB drive or mobile phone is plugged into their network.  

“We were surprised to learn that a USB drive insertion considered a hardware change, and that detailed information about the USB device and computer that it was plugged into being sent to Microsoft,” blogged Websense Director of Threat Research Alex Watson. “These logs are sent to Microsoft via HTTP URL-encoded messages. Organizations can use knowledge about their content and how to decode these messages to detect USB drives and devices that could be a risk to the organization. This knowledge can help organizations detect USB drives and devices such as those used in the KCB and [Edward] Snowdn leaks, and automatically generate reports when they are plugged into a secure system.”

The error report is sent to Microsoft every time an application crashes, fails to update, or a hardware change happens to a PC running Windows. In Windows Vista and later, these reports are automated and part of an opt-out program Microsoft estimates nearly 80 percent of the PCs in the world participate in, Watson explained.

“These reports can be gathered in a variety of ways, either by examining outbound web proxy logs… creating an IPS rule in an open source intrusion prevention system such as Snort or Suricata, or by simply monitoring a SPAN port using a sniffer such as Wireshark,” Watson blogged. “In our last blog entry, we discussed an information leakage that can arise with these reports and suggested that organizations set up a group policy that sends reports to an on-premise server which then forces encryption before forwarding to Microsoft. In this case, the reports can be processed at the organization’s WER (Windows Error Reporting) collection server.”

The Dr. Watson reports have a specific report type for USB inserted devices. Organizations can start by filtering down to messages containing ‘PnPGenericDriverFound’. Using some lookup tables, the information that follows can be broken up into several fields, including date, USB device manufacturer and host computer BIOS version and UMI [unique machine identifier].

“It turns out the Vendor and Device ID lookups can be a little tricky – but map exactly to Windows and Linux driver databases,” Watson blogged. “To see an example for yourself, try typing “lsusb” from a Linux machine. After scraping some online driver databases, we put together a lookup script that you can use for vendors and device codes that you can download on GitHub. These will obviously need to be updated periodically to remain up to date. Feel free to add new device codes yourself, or check back to our site for updates.”

“Using Splunk or a similar SIEM tool, create lookups to map the vendor and product IDs that you see in the Watson logs above to the manuf_ids.csv and product_ids.csv files that have been attached,” he added. “Please note that our Product ID lookup contains the VID+PID (Vendor ID and Product ID) together – this is the one you’ll most likely want to use in your lookups.”

The next step is decoding the WER report structure. Websense has included some Splunk queries that can be used to detect USB device insertions and create reports. It is also possible to configure the SIEM tool to trigger a report every time a certain device is added to the network.

In an interview with SecurityWeek, Watson added that the crash reports can be fed into any SIEM tool or custom framework. Leveraging this information can allow business to better understand what devices, applications and applications versions are deployed on their network without needing a dedicated endpoint.

Organizations can also use this to help prevent data leaks by filtering the reports based on computer names or IP addresses from computers with sensitive data.  However, this is not meant to replace data loss prevention (DLP) products.

“DLP is an incredible technology that is really starting to gain traction in the security marketplace to enable businesses to protect their data,” Watson told SecurityWeek. “I view the example we provided as a way for businesses that have not deployed DLP to start to see the value that it can provide.”

Tags:

• NEWS & INDUSTRY
• Security Infrastructure