Archive | August, 2013

NYT Tango Down – WSWiR Episode 75

.CN DDoS and DNS Hijacking

Do you want to hear about the week’s biggest InfoSec news, while learning a few security tips in the process? Well this is the weekly vlog for you.

In today’s video, I share a potential cause for China’s recent distributed denial of service (DDoS) attack, warn about a serious vulnerability in Cisco’s ACS, and explain how a hacktivist group took down the New York Times. I even throw in a bit of Friday fun at the end. Watch the video below, and remember to check out the references for links to other stories.

(Episode Runtime: 10:20)

Direct YouTube Link: http://www.youtube.com/watch?v=cyQX4J0OEyo

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Facebook Hacked- WSWiR Episode 74

App Store Hole, LoL Breach, and Zuckerberg Hacked

I’m back with our regular infosec news video summary, where I highlight the biggest or most interesting security stories from the week and share a few tips along the way.

Today’s episode covers a handful of software updates, the breach of a popular multiplayer arena battle game, some drama around a new Facebook vulnerability, and new research describing how to bypass Apple’s App Store protections. Watch the video to learn more, and check out the reference section below for some other stories as well.

(Episode Runtime: 9:43)

Direct YouTube Link: http://www.youtube.com/watch?v=V0Qhxbx1y7g

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Android Bitcoin Wallets Broken – WSWiR in Words

Hacked Baby Monitors, Broken Bitcoins, and Apache Exploit Kits

By the time you see this on Friday, I’ll be hiking and camping in the Olympic National Forest. I’m taking a day off this week for an extended camping weekend. Unfortunately, that also means I did not have time to produce a full InfoSec summary video… but fear not.

In lieu of this week’s video, I’m leaving you with a written summary of the interesting security stories I would have covered this week. Check out the quick summaries below, and don’t forget to take a peek at the Extra Stories section for links to other interesting news:

  1. Exploit Kit Released for Apache Struts Framework – Struts is an open source framework for creating Java web applications, created by the Apache Software Foundation. A month ago, Apache released a patch for Struts to fix a number of highly critical vulnerabilities. This week, researchers at Trend Micro discovered that Chinese attackers have created and are sharing an automated toolkit designed to make it very easy to exploit these Struts flaws. Ultimately, the toolkit gives attackers enough control that they can inject a malicious backdoor onto vulnerable Struts servers. If you are a web administrator who uses Struts, and you haven’t upgraded yet, you should do so immediately.
  2. Miscreants Troll a Toddler Via a Hacked Baby Monitor – This week, a story came out about parents who heard some hoodlums yelling and cursing at their two year old daughter via a Foscam brand baby monitor, which had allegedly been hacked.

    This isn’t too surprising. Over the years, researchers have discovered and shared many vulnerabilities in IP-based webcams like these Foscam cameras. The Foscam cameras in particular have suffered from directory traversal and cross-site scripting vulnerabilities, both of which could help attackers gain unauthenticated access to the administrative credentials for the cameras. Researchers have even released tools like getmecamtool, which attackers could use to inject malicious firmware onto these cameras, allowing them to do all sorts of mischief. Finally, tools like Shodan make it dead simple for attackers to find thousands of potential victims easily.

    The good news is Foscam has patched many of these flaws. The bad news is average consumers don’t realize they need to update firmware for hardware devices. If you use any sort of IP-based webcam, I recommend you update its firmware regularly. By the way, there was a semi-happy ending to this baby trolling story. The toddler in question is deaf, so all the yelling in the world didn’t bother her in the least.

  3. Flaw in Android Bitcoin Wallets results in Bitcoin Pickpocketing – If you use an Android-based Bitcoin wallet, it’s time to move your Bitcoin. According to an advisory this week, Android Bitcoin wallets are unsafe.

    Let me explain. Bitcoin relies on public/private key cryptography to protect its virtual currency and transactions. This means that devices that support Bitcoin have to regularly generate public and private keys. The algorithms used to create these keys rely on an element of randomness. If you don’t add enough randomness to the equation, your keys become weaker and easier to predict. Computing devices rely on Random Number Generators (RNGs) to try and create random elements. Unfortunately, creating random numbers on a computer is a fairly difficult problem, since computers are very ordered and systematic systems. Usually, computers can only generate pseudorandom numbers.

    Anyway, it turns out that most Android Bitcoin wallets rely on a particular Java class to create the random numbers necessary to generate private keys. More to the point, this Java class is not good at randomness. This means the private keys it generates are much easier to crack than they should be… and this isn’t a theoretical flaw either. Attackers have already exploited it to steal at least 55 Bitcoin, which are worth over $5,000 US dollars.

    So what can you do? If you use an Android Bitcoin wallet, you should at least temporarily set up a wallet on another device (preferably a traditional computer) and transfer all your Bitcoin to that wallet. Over the next few weeks and months, Android Bitcoin apps should update to fix this problem. Once they do, you can transfer your Bitcoin back to your Android device. As an aside, there have also been a number of stories this week about governments and banks starting to look into Bitcoin regulation, and closing Bitcoin accounts. If you’re a Bitcoin user, you may want to consider that governments may try to start regulating the currency.
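To make the randomness point concrete, here is an added Python toy model (it is not code from the original post, and it is not the flawed Java class or any real wallet’s key generation). It simulates a key generator whose output is fully determined by a small seed, next to keys drawn from the OS CSPRNG, and shows two things a practitioner cares about: a batch of keys from the weak generator contains duplicates (a check you can run on any generator’s output), and a key from a 16-bit seed space can be recovered from its public fingerprint by exhaustive search, while a genuine 256-bit key cannot. The function names, the 16-bit seed size and the SHA-256 “fingerprint” standing in for a public key are all assumptions of this example.

```python
import hashlib
import os
import random
from typing import List, Optional

KEY_BITS = 256  # Bitcoin private keys are 256-bit values


def weak_private_key(seed: int) -> bytes:
    """Simulated broken generator (constructed for this example): a
    deterministic PRNG seeded from a small integer. Every key is fully
    determined by the seed, so the effective key space is the seed space,
    not 2**256. This is NOT the algorithm of the real Java class."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")


def strong_private_key() -> bytes:
    """Key drawn from the operating system CSPRNG: 256 bits of entropy."""
    return os.urandom(KEY_BITS // 8)


def fingerprint(key: bytes) -> str:
    """Public stand-in for a key. A real wallet publishes the EC public key;
    a one-way hash is enough here to model "public value derived from the
    private key"."""
    return hashlib.sha256(key).hexdigest()


def generate_weak_keys(n: int, seed_bits: int, chooser_seed: int = 0) -> List[bytes]:
    """Generate n keys from a generator that only has seed_bits of entropy.
    chooser_seed just makes the simulation reproducible."""
    chooser = random.Random(chooser_seed)
    return [weak_private_key(chooser.getrandbits(seed_bits)) for _ in range(n)]


def count_duplicates(keys: List[bytes]) -> int:
    """Sanity check for a batch of generated keys: any duplicate at all
    means the generator is not delivering 256 bits of entropy. With a
    proper CSPRNG, duplicates among a few thousand keys never occur."""
    return len(keys) - len(set(keys))


def recover_weak_key(fp: str, seed_bits: int) -> Optional[bytes]:
    """Why a small seed space is fatal: walk every possible seed and compare
    fingerprints. For 16 bits that is 65,536 tries; for a genuine 256-bit
    key it would be 2**256 and infeasible."""
    for seed in range(1 << seed_bits):
        key = weak_private_key(seed)
        if fingerprint(key) == fp:
            return key
    return None


if __name__ == "__main__":
    weak = generate_weak_keys(2000, seed_bits=16)
    strong = [strong_private_key() for _ in range(2000)]
    print("duplicates among 2000 weak keys:  ", count_duplicates(weak))
    print("duplicates among 2000 strong keys:", count_duplicates(strong))
    victim = weak[0]
    found = recover_weak_key(fingerprint(victim), 16)
    print("weak key recovered from its fingerprint:", found == victim)
```

The duplicate count is the useful operational signal: the weak generator’s 2000 keys come from only 65,536 possible values, so by the birthday bound collisions are all but guaranteed, whereas the CSPRNG batch has none. A wallet or HSM that ever emits the same key (or the same signature nonce) twice is showing exactly the symptom this advisory describes.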

Direct YouTube Link: http://www.youtube.com/watch?v=KVxUHCdVM9c (Runtime: 00:30)

Extra Stories:

— Corey Nachreiner, CISSP (@SecAdept)

UPDATE TO: Exchange Still Suffers from Document Handling Flaws

Yesterday, we released an alert warning you about vulnerabilities in Exchange Server, as well as a new update to fix those flaws. Today, we have learned that there are problems with the Exchange Server 2013 version of that update. Microsoft has confirmed this problem and has pulled the affected patch. If you use Exchange 2013 and have already installed the broken update, we recommend you follow the steps outlined in Microsoft’s blog post. If you have not installed the update yet, we expect Microsoft to release the corrected version soon.

As an aside, this is a perfect example of why you should always test server patches before deploying them to production environments (as we noted in the original alert).

We have included the original alert below for your convenience.


Severity: High

Summary:

  • These vulnerabilities affect: Exchange Server 2007, 2010, and 2013
  • How an attacker exploits it: By enticing a user to preview a specially crafted email attachment using OWA
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible.

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

According to today’s bulletin, Exchange suffers from two remote code execution vulnerabilities related to Oracle’s Outside In technology, and a Denial of Service (DoS) flaw involving its Data Loss Protection (DLP) feature. All three vulnerabilities have to do with how Exchange parses files and documents when users view or preview them. By enticing one of your web-based users to preview an email with a specially crafted attachment, an attacker can exploit the worst of these flaws to execute code directly on your Exchange server. Luckily, the code only runs with LocalService account permissions, which has limited privileges.

Also, this attack only works against victims who check and preview mail using Exchange’s Outlook Web App (OWA). If your users only download email from Exchange using email clients, like Outlook, attackers may not be able to leverage these flaws against your server.

Nonetheless, we still recommend Exchange administrators update as soon as possible.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

NOTE: In the past, one of our readers reported having technical issues when installing an Exchange update very similar to this one. This is a perfect example of why we highly recommend you test server updates before deploying them to production machines. Most virtualization platforms allow you to make a copy of a running computer, which you can then spin up in a virtual environment. Doing this allows you to create an ideal virtual environment in which you can test these sorts of updates on a virtual server, before installing them on your real one. 

For All WatchGuard Users:

Though you can configure our XTM and XCS appliances to strip certain attachments from email, this sort of attack may arrive as many types of attachments, including ones you may want to allow for business. We recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Six Windows Bulletins Fix a Wide Variety of Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Windows (including Windows RT)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing nine vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-060: Uniscribe Code Execution Vulnerability

The Unicode Script Processor (USP10.DLL), also called Uniscribe, is a group of Windows components that handle displaying complex Unicode scripts, such as Arabic, Japanese, and Thai. It suffers from an unspecified memory corruption vulnerability involving its inability to handle specially malformed fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This flaw only affects Windows XP and Server 2003.

Microsoft rating: Critical

  • MS13-063: Multiple Kernel Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. It suffers from four vulnerabilities. Three of the flaws are unspecified memory corruption vulnerabilities, which allow a local attacker to elevate his privileges. If a local attacker can run a specially crafted application, he could leverage any of these three flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The fourth flaw is an Address Space Layout Randomization (ASLR) bypass vulnerability. ASLR is a memory obfuscation technique that some operating systems use to make it harder for attackers to exploit memory corruption flaws; this update also fixes a flaw that allows attackers to bypass that security feature.

Microsoft rating: Important

  • MS13-062: RPC Elevation of Privilege Flaw

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC component suffers from an elevation of privilege vulnerability involving its inability to properly handle asynchronous RPC requests. By sending a specially crafted RPC request to a shared host, an attacker could exploit this vulnerability to execute code with another user’s privileges. That said, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat.

Microsoft rating: Important

  • MS13-064: Windows Server 2012 NAT Ping of Death

Network Address Translation (NAT) is a technology that lets many devices access the Internet through a single publicly routable Internet Protocol (IP) address, and Windows Servers ship with a driver to provide this capability. The NAT driver that ships with Windows Server 2012 suffers from a Denial of Service (DoS) vulnerability involving its inability to handle specifically malformed ICMP messages (the protocol used for pinging other computers on a network). If you’ve enabled NAT on a Windows server, a remote unauthenticated attacker could leverage this flaw to crash that server simply by sending it a specially crafted packet.

Microsoft rating: Important

As mentioned above, the Internet Control Message Protocol (ICMP) is a standard used most commonly by the ping utility to send control and error messages over a network. ICMPv6 is the updated version of this protocol designed for IPv6. The Windows TCP/IP stack suffers from a vulnerability in the way it handles malformed ICMPv6 messages. The flaw is identical in scope and impact to the one described above. If a bad guy can send an ICMPv6 message to your Windows computer, he can crash it.

Microsoft rating: Important

  • MS13-066: AD FS Information Disclosure Vulnerability

Active Directory Federation Services (AD FS) is a service that allows you to share identity information between trusted business partners. In other words, it can extend Windows’ Active Directory authentication outside your organization. Microsoft doesn’t describe this flaw in much detail, only saying that it could reveal information about the service account AD FS uses. If the attacker had this information, he could use it to lock out the account, which would prevent all the services that leverage AD FS from logging in.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking ping or IPv6), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Exchange Still Suffers from Document Handling Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Exchange Server 2007, 2010, and 2013
  • How an attacker exploits it: By enticing a user to preview a specially crafted email attachment using OWA
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible.

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

According to today’s bulletin, Exchange suffers from two remote code execution vulnerabilities related to Oracle’s Outside In technology, and a Denial of Service (DoS) flaw involving its Data Loss Protection (DLP) feature. All three vulnerabilities have to do with how Exchange parses files and documents when users view or preview them. By enticing one of your web-based users to preview an email with a specially crafted attachment, an attacker can exploit the worst of these flaws to execute code directly on your Exchange server. Luckily, the code only runs with LocalService account permissions, which has limited privileges.

Also, this attack only works against victims who check and preview mail using Exchange’s Outlook Web App (OWA). If your users only download email from Exchange using email clients, like Outlook, attackers may not be able to leverage these flaws against your server.

Nonetheless, we still recommend Exchange administrators update as soon as possible.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

NOTE: In the past, one of our readers reported having technical issues when installing an Exchange update very similar to this one. This is a perfect example of why we highly recommend you test server updates before deploying them to production machines. Most virtualization platforms allow you to make a copy of a running computer, which you can then spin up in a virtual environment. Doing this allows you to create an ideal virtual environment in which you can test these sorts of updates on a virtual server, before installing them on your real one. 

For All WatchGuard Users:

Though you can configure our XTM and XCS appliances to strip certain attachments from email, this sort of attack may arrive as many types of attachments, including ones you may want to allow for business. We recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Latest IE Patch Fixes More Potential Drive-by Download Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a web page containing malicious content
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing 11 new vulnerabilities affecting Internet Explorer (IE). Microsoft describes most of these flaws as “memory corruption” vulnerabilities, which all share the same scope and impact. If an attacker can lure one of your users to a web page containing maliciously crafted content, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve malicious web code in something the industry calls a “watering hole” attack. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s August IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3199)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3194)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3188)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3187)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3184)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3193)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3189)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3191)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Announces Fireware XTM 11.7.4 and WSM 11.7.4

WatchGuard is pleased to announce the release of Fireware XTM v11.7.4 and WSM 11.7.4. You can find complete details about this update’s enhancements and fixed issues in the Resolved Issues section of the Release Notes.

Key highlights include:

  • spamBlocker improvements to increase detection accuracy and reduce false positives, by returning to use of CommTouch RPD technology.
  • Support for two new direct connect USB modems – Sierra Wireless AirCard 313U and Verizon Wireless LTI USB551L
  • Disabled TLS/SSL compression to avoid the CRIME exploit vulnerability (CVE-2012-4929)
  • DHCP options support on VLANs and full support for DHCP option 66

Note: When you upgrade an XTM 5 Series or XTM 8 Series to Fireware XTM v11.7.4, the XTM device will reboot twice during the upgrade process. This is expected behavior and specific to this upgrade because of a need to repartition disk space to accommodate future feature growth.

Does This Release Pertain to Me?

If you have an XTM appliance or use XTMv, you should upgrade to version 11.7.4 if you need any of the provided fixes or enhancements. Please read the Release Notes before you upgrade, to understand what’s involved.

Note: The Fireware 11.7.4 release is available for all XTM appliances except XTM 21/22/23.

How Do I Get the Release?

You can download the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller »

Microsoft Patch Tuesday: Critical Fixes for Exchange, IE, and Windows

It’s that time again… Microsoft Patch Day. Sometimes following Microsoft’s regular patch cycle can feel a lot like the movie, Groundhog Day. Yet—also like the movie—it’s well worth repeating regularly to make sure that you get it right.

According to their summary post, Microsoft released eight security bulletins today, three of which they rate as Critical. The bulletins include updates to fix at least 22 vulnerabilities in three popular Microsoft products: Windows, Internet Explorer (IE), and Exchange Server. Though attackers aren’t exploiting these issues in the wild yet, researchers have publicly disclosed a few of them, which makes them a bit more likely to be targeted.

In my opinion, you should apply the IE update first, as it fixes 11 serious vulnerabilities, many of which attackers could leverage in drive-by download attacks. Right now, booby-trapped web sites are one of the most common infection vectors. For that reason, I recommend you apply web browser updates, like this IE one, as quickly as possible. The Exchange update is a close second, as it also fixes a remotely exploitable flaw that could allow attackers to gain access to your Exchange server simply by tricking one of your users into previewing a specially crafted document. Finish up with the Windows updates, beginning with the Critical one.

As always, I still recommend you test Microsoft patches before deploying them to your critical production servers. While it might be okay to push client software updates without testing them, you should test server updates, like today’s Exchange one, before deploying them in order to avoid unexpected downtime. If you don’t already have a test environment that mimics your production environment, virtualization is a great way to create one.

I’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: August 2013

TorSploit – WSWiR Episode 73

BREACH, TorSploit, and Fort Disco

Sorry for the late posting, but your weekly taste of “what’s up” in the InfoSec world is here for your viewing pleasure. As always, I summarize some of this week’s biggest network and information security news, in case you didn’t have time to follow it yourself.

This week was packed with security stories, but I only had time to focus on four. The episode includes information on a botnet that brute forces CMS systems, an alleged flaw in Chrome’s password security, a serious new SSL encryption weakness, and suspicions that the FBI tried to backdoor Tor sites. Press play below for the full scoop, and check out the Reference section if you’d like to read about all the other stories I didn’t have time to talk about.

(Episode Runtime: 12:15)

Direct YouTube Link: https://www.youtube.com/watch?v=y4jVozwHdWc

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)