
Printer Doom Hack – WSWiR Episode 122

Apple Patches, Kindle XSS, and Doom Printer Hack

If you want to stay current with the Internet “threatscape,” our weekly video can help. It summarizes each week’s top information and network security news in one convenient place. Subscribe today!

Today’s episode covers Apple and Adobe security updates, a cross-site scripting flaw that affects Kindle users, and an interesting printer hack that allowed an attacker to run Doom on a printer. Watch the video for details and see the Reference section below for more info.

Enjoy your weekend!

(Episode Runtime: 5:39)

Direct YouTube Link: https://www.youtube.com/watch?v=aZ7-LdlMYHc

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Old Gmail Leak – WSWiR Episode 121

Patch Day, Home Depot Update, and Gmail Leak

Why go searching for all the week’s information security (infosec) news when you can find it in one convenient place. This weekly vlog summarizes the important security updates, hacks, and threats so you can protect yourself.

This week’s episode arrives a bit late due to my business travel in Europe. Today’s show covers the week’s Microsoft and Adobe patches, the latest news on the Home Depot breach, and a story about a potentially new (but likely old) Gmail credential leak. Watch the video for the details, and check the references below for more info and some extra stories.

I will be continuing my business travel next week as well. So my weekly post may arrive earlier or later than normal. Have a great day!

(Episode Runtime: 4:53)

Direct YouTube Link: https://www.youtube.com/watch?v=I1GZpvQV6dQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as you can. You should install the other updates too; their mitigating factors lessen the risk, so you can deploy them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can, or let Windows’ Automatic Update do it for you. For the server-related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem-causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Celeb Selfie Hack – WSWiR Episode 120

Software Patches, Home Depot Breach, and Celebrity Selfie Hack

If you need a quick source for all your information security (infosec) news, you’ve come to the right place. I summarize the most important infosec news in this weekly video, and provide links to other security stories as well.

Unfortunately, today’s episode includes a pretty creepy hack. The show covers next week’s upcoming software patches, another credit card leak that seems to come from Home Depot, and a gross story about hackers stealing hundreds of celebrities’ most private pictures. Find the details in the video below and see what you can learn from these unfortunate cyber attacks.

As always, check the Reference section if you are interested in other stories that I didn’t cover in the video. Also, I will be traveling the next few weeks, which means I may not be able to post this video as regularly as usual. Expect the video to turn up at irregular times, otherwise I may post a written version of the weekly summary instead. Have a great weekend, and stay safe online!

(Episode Runtime: 13:17)

Direct YouTube Link: https://www.youtube.com/watch?v=-mRjltM-tc0&

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

JP Morgan Hacked – WSWiR Episode 119

Gaming DDoS, Malvertising, and U.S. Banks Breached

You really need to keep up with the latest attacks to learn how to adjust your defenses and survive. However, with so much infosec news and so little time, it’s hard for many administrators to stay current. This weekly video tries to keep you in the loop by summarizing the top news items each week.

Today’s show covers a big DDoS campaign against gaming sites that included a diverted plane, a malicious advertising attack that infected popular web sites, and an allegedly Russian attack against U.S. banks. See the video for the details, and check the references for other stories.

If you live in the U.S., enjoy your Labor Day weekend.

(Episode Runtime: 11:26)

Direct YouTube Link: https://www.youtube.com/watch?v=T4dz4wjY5hQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Breach Trio – WSWiR Episode 118

Healthcare, UPS, and US Nuclear Organization Breached

Need to learn the latest security news so you can figure out how to protect your network from evolving threats? Well, this weekly video series will help. Every Friday I summarize the biggest security stories and share some advice in a video, as well as compile a list of other important stories below. Subscribe to this blog and the YouTube channel to follow along.

This week’s episode is all about breaches. Three organizations disclosed major network and data breaches this week: a healthcare record management company, UPS, and the US Nuclear Regulatory Commission. Today’s video covers those breaches and, more importantly, explores what we can learn from them. Watch below.

As an aside, sorry the episode is going up a bit late. Note to the video producers out there… Always check that your microphone is on so you don’t have to shoot the whole thing twice. Oops! Have a great weekend.

(Episode Runtime: 10:16 plus an optional extra)

Direct YouTube Link: https://www.youtube.com/watch?v=oDHCnCNBq7w

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Avoid MS14-045; Windows Kernel-mode Drivers Patch

Last week, I covered Microsoft Patch Day and recommended that you install all the latest Windows, IE, Office, and server updates. This week, I need to warn you against one of those updates.

According to recent reports, the Windows kernel-mode driver update (MS14-045) is causing some computers to have blue screens of death (BSOD). If you haven’t installed this update yet, I recommend you avoid it until further notice. If you have installed it, and have suffered issues, Microsoft has shared instructions on how to remove it.

In the past, I’ve argued that Microsoft’s QA has gotten better, with fewer crash-inducing updates. I guess they’re still not perfect. In general, this is a great example of why you should always test updates before pushing them into production. You can do this by maintaining a virtual copy of your infrastructure and testing updates there.  — Corey Nachreiner, CISSP (@SecAdept)

Blackhat and More – WSWiR Episode 116

Black Hat Summary, Lots of Patches, and MonsterMind

Times have changed. Cyber attacks have increased 10-fold, generating a ton of information security (infosec) news each week. Can’t keep up with it all? Let me help. In this weekly video summary, I highlight the biggest infosec news every week.

Last week, I had meant to post a Black Hat video summary, but simply couldn’t find the time during my two week travel schedule. I try to make up for it in this week’s episode. In today’s video, I share a bit about Black Hat, cover the latest security patches, comment on the alleged huge password theft, and highlight Snowden’s latest interview and disclosures. Watch the video for the details.

Also, don’t forget to check out the big reference section below for two weeks of security news links, and some videos from Black Hat. Have a great weekend.

(Episode Runtime: 9:09)

Direct YouTube Link: https://www.youtube.com/watch?v=Xv1fUT15AP8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend SharePoint and OneNote

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products like OneNote and SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released two security bulletins that each fix one vulnerability, in OneNote and SharePoint respectively. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-048: OneNote Code Execution Vulnerability

OneNote is a collaborative, multiuser note-taking application that ships with Office. It suffers from an unspecified vulnerability in how it handles specially crafted OneNote files. If an attacker can lure you into opening such a file, she could exploit this flaw to execute code on your computer with your privileges. As usual, if you are a local administrator, the attacker gains complete control of your PC.

Microsoft rating: Important

  • MS14-050: SharePoint Elevation of Privilege Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. It suffers from a privilege escalation vulnerability. SharePoint offers an extensibility model that allows you to create apps that can access and use SharePoint resources. However, SharePoint suffers some unspecified flaw that allows specially crafted apps to bypass permission management. In short, by running a specially crafted application, an attacker may be able to access all the SharePoint resources of the currently logged-in user.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

We recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Black Hat 2014 – Briefing Summary – Day 2

Did any of the briefings from day one sound interesting to you? Do you want to know what happened the next day? If so, check out my day two Black Hat briefing summary below:

BadUSB – On Accessories that Turn Evil

Topic: Infecting USB microcontrollers to create undetectable evil USB devices

Speaker: Karsten Nohl, Sascha Krißler, Jakob Lell

News of this talk came out before the Black Hat conference, and I had mentioned it in my weekly video. It did not disappoint.

In the briefing, Nohl and Lell described how they analyzed the firmware of an off-the-shelf USB microcontroller and worked out how to load malicious firmware onto it instead. In case you hadn’t heard, every USB device, whether it’s a storage device or a keyboard, has a tiny microcontroller built into it that communicates with your computer and tells it what kind of device it is. In essence, Nohl and Lell built a USB microcontroller that lies about what it is, and that lie is what enables the malicious behavior. For instance, they could make a USB storage device that also enumerates as a keyboard, allowing it to type commands, launch code, and even key log.

You might ask, “Why is this so scary? I already knew USB devices could be malicious.” Well, past USB attacks required malicious files on the storage device. The attack would either leverage AutoPlay issues or exploit some underlying operating system vulnerability. In either case, security software might find the malicious file and block it. Here, there are no files on the USB device: by infecting the firmware, the attacker makes a malicious USB device extremely hard to detect.

During the talk, the speakers showed many interesting and worrisome demos. For instance, a malicious USB key could be programmed to spread to other USB devices plugged into the same system (assuming the other device also used the same microcontroller). Nohl and Lell also demonstrated that this is a cross-platform attack. Since every operating system must communicate with USB devices, all of them can succumb to malicious USB firmware. The pair even showed the attack infecting an Android device.

In the end, this is a very scary attack. It makes it very difficult to trust the USB standard at all. Furthermore, since this is a firmware infection, it’s a perfect mechanism for persistence: you can reformat the malicious USB device all you want, and the infected firmware remains. The only good news is that the speakers only did this with one specific 8051-based microcontroller. To use the attack against other devices, attackers would have to reverse engineer those devices’ firmware and find new ways in.

So what can you do about this? Unfortunately, it’s a hard problem to crack. The USB standard is pretty set in stone, and security software like AV can’t detect this attack. One option is to require signed USB firmware, but that would need industry-wide change and would only help new USB devices. The one sure tip Nohl and Lell recommended was for USB manufacturers to disable firmware updates in hardware, so that no one could change the software running on these devices.
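The device’s claim about what it is only becomes visible to the host during enumeration, when the OS reads the USB descriptors. As an added illustration (not code from the talk or from this post), the following walks a configuration descriptor and flags a device that was plugged in as storage but also declares a HID (keyboard) interface. The descriptor bytes, the class codes used and the “is suspicious” policy are constructed for the example; on a real host the bytes come from the OS (Linux exposes them under /sys/bus/usb/devices/<dev>/descriptors).

```c
/* Added example, not code from the BadUSB talk or from this post: walk a USB
 * configuration descriptor and report which interface classes the device
 * declares. A reprogrammed stick lies at exactly this layer, so a device you
 * plugged in as storage enumerates with a keyboard (HID) interface as well.
 * All descriptor bytes below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define USB_DT_CONFIG          0x02
#define USB_DT_INTERFACE       0x04
#define USB_DT_ENDPOINT        0x05
#define USB_DT_HID             0x21
#define USB_CLASS_HID          0x03
#define USB_CLASS_MASS_STORAGE 0x08

enum { FOUND_HID = 1, FOUND_STORAGE = 2 };

/* Every USB descriptor starts with bLength and bDescriptorType; an interface
 * descriptor carries bInterfaceClass at offset 5. Returns a bitmask of FOUND_*
 * values, or -1 if any bLength does not fit in the remaining bytes: a
 * descriptor that lies about its own size is not to be trusted either. */
int usb_scan_interfaces(const uint8_t *desc, size_t len)
{
    int found = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;                 /* header must fit */
        uint8_t blen  = desc[off];
        uint8_t btype = desc[off + 1];
        if (blen < 2 || blen > len - off) return -1;  /* never trust bLength */
        if (btype == USB_DT_INTERFACE) {
            if (blen < 9) return -1;                  /* interface descriptor is 9 bytes */
            uint8_t cls = desc[off + 5];
            if (cls == USB_CLASS_HID) found |= FOUND_HID;
            else if (cls == USB_CLASS_MASS_STORAGE) found |= FOUND_STORAGE;
        }
        off += blen;
    }
    return found;
}

/* Policy (assumed for the example): something plugged in as a storage device
 * must not also be a keyboard. Malformed descriptors are blocked as well. */
bool usb_storage_device_is_suspicious(const uint8_t *desc, size_t len)
{
    int f = usb_scan_interfaces(desc, len);
    return f < 0 || (f & FOUND_HID) != 0;
}

/* Constructed descriptors. Bytes 2-3 of the config descriptor are
 * wTotalLength, the little-endian size of the whole chain. */
static const uint8_t honest_stick[] = {
    9, USB_DT_CONFIG, 32, 0, 1, 1, 0, 0x80, 50,                        /* 1 interface */
    9, USB_DT_INTERFACE, 0, 0, 2, USB_CLASS_MASS_STORAGE, 6, 0x50, 0,  /* SCSI, bulk-only */
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0,                      /* bulk IN  */
    7, USB_DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0,                      /* bulk OUT */
};
static const uint8_t evil_stick[] = {
    9, USB_DT_CONFIG, 57, 0, 2, 1, 0, 0x80, 50,                        /* 2 interfaces */
    9, USB_DT_INTERFACE, 0, 0, 2, USB_CLASS_MASS_STORAGE, 6, 0x50, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0,
    7, USB_DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0,
    9, USB_DT_INTERFACE, 1, 0, 1, USB_CLASS_HID, 1, 1, 0,               /* boot keyboard */
    9, USB_DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0,                       /* HID report descriptor */
    7, USB_DT_ENDPOINT, 0x82, 0x03, 0x08, 0x00, 10,                     /* interrupt IN */
};
/* Claims a 9-byte descriptor but only 4 bytes are present. */
static const uint8_t truncated[] = { 9, USB_DT_CONFIG, 4, 0 };

int main(void)
{
    printf("honest stick: flags=%d suspicious=%d\n",
           usb_scan_interfaces(honest_stick, sizeof honest_stick),
           usb_storage_device_is_suspicious(honest_stick, sizeof honest_stick));
    printf("evil stick:   flags=%d suspicious=%d\n",
           usb_scan_interfaces(evil_stick, sizeof evil_stick),
           usb_storage_device_is_suspicious(evil_stick, sizeof evil_stick));
    printf("truncated:    flags=%d suspicious=%d\n",
           usb_scan_interfaces(truncated, sizeof truncated),
           usb_storage_device_is_suspicious(truncated, sizeof truncated));
    return 0;
}
```

This catches a stick that keeps its storage interface and adds a keyboard, which is what the combined demo in the talk did. It does not catch a device that simply claims to be only a keyboard, since at this layer that is indistinguishable from a real one; that case needs per-device allowlisting on the host rather than descriptor inspection.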

 

Extreme Privilege Escalation on Windows8/UEFI Systems

Topic: Hacking Windows boot security to gain ultimate system privileges

Speaker: Corey Kallenberg, Xeno Kovah, Samuel Cornwell – MITRE

On modern systems, even an attacker who gains administrative or root privileges doesn’t have ultimate control. Processors define privilege levels, from ring 3 (user mode) down to ring 0 (the kernel), and the platform firmware sits beneath even that. An administrator has full ring 3 privileges, but on a system with Secure Boot he cannot simply load arbitrary code into the kernel or rewrite the firmware. This presentation outlined a technique an attacker could use to abuse the Windows/UEFI boot security machinery and gain that lowest-level control.

Over the years, operating systems like Windows have adopted more secure boot processes that make it harder for attackers to infect a computer’s firmware. The Unified Extensible Firmware Interface (UEFI), which replaces the legacy BIOS, defines how the platform firmware initializes the hardware and hands off to the OS loader, and it includes security mechanisms such as Secure Boot, signed firmware updates, and chipset write protections for the flash.

Without going into all the details, the speakers found vulnerabilities in the UEFI firmware that Windows systems boot from. The UEFI reference implementation (EDK2) is open source, which meant the researchers could audit its code for flaws. To their surprise, they found some, including a few pretty basic integer overflows. That said, exploiting these flaws was no easy feat: UEFI only lets userland processes communicate with it in a limited fashion. The researchers eventually found a Windows function (SetFirmwareEnvironmentVariable, which writes UEFI variables from user mode and requires administrator rights) that let them manipulate enough inputs to trigger their vulnerabilities. They still had to clear a few hurdles for the attack to succeed, but they did, and were able to take control of the UEFI boot process.

In the end, this means an attacker who already has administrative privileges could leverage this UEFI flaw to gain control of the platform firmware, beneath the OS kernel. That allows the attacker to overwrite your firmware even on a system with Secure Boot enabled. Attackers could exploit this to brick your system, defeat Secure Boot, install a rootkit that survives an OS reinstall and is very hard to detect, subvert your hypervisor, and much more.

The good news is the speakers had informed US-CERT, Intel, and BIOS manufacturers of this issue, and most have fixed it. The bad news is not everyone installs BIOS upgrades often.
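The “pretty basic integer overflow” class deserves a concrete look, because the bug is usually in the bounds check itself rather than in a missing one. The following is an added example, not MITRE’s code or any real UEFI routine: a firmware-style routine receives a caller-controlled header (offset and length) describing a payload inside a fixed buffer, and the naive check adds two attacker-controlled values before comparing. The buffer size, header layout and sample headers are assumptions made for the example.

```c
/* Added example, not MITRE's code: the bounds-check pattern behind the
 * integer overflow bugs mentioned above. Unsigned overflow is defined to
 * wrap in C, so the vulnerable check compiles cleanly and silently passes a
 * header whose offset + length wraps around to a small number. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 4096u   /* assumed size of the firmware's input buffer */

struct payload_hdr {
    uint32_t offset;   /* where the payload starts inside the buffer */
    uint32_t length;   /* how many bytes to process from there */
};

/* Vulnerable: offset + length is a 32-bit add. With offset 0x100 and length
 * 0xFFFFFF00 the sum wraps to 0, which is <= buf_size, so the header "fits"
 * and the copy that follows runs far past the end of the buffer. */
bool payload_in_bounds_vulnerable(const struct payload_hdr *h, uint32_t buf_size)
{
    return h->offset + h->length <= buf_size;
}

/* Safe: compare each attacker-controlled term against what remains, never
 * adding them first. Subtraction here cannot underflow because offset has
 * already been checked against buf_size. */
bool payload_in_bounds_safe(const struct payload_hdr *h, uint32_t buf_size)
{
    if (h->offset > buf_size) return false;
    return h->length <= buf_size - h->offset;
}

/* Copy the described payload out of buf into dst using the safe check.
 * Returns the number of bytes copied, or 0 if the header is rejected or the
 * payload would not fit in dst. */
size_t payload_extract(const struct payload_hdr *h,
                       const uint8_t *buf, uint32_t buf_size,
                       uint8_t *dst, size_t dst_size)
{
    if (!payload_in_bounds_safe(h, buf_size)) return 0;
    if (h->length > dst_size) return 0;
    memcpy(dst, buf + h->offset, h->length);
    return h->length;
}

/* Constructed headers for the example. */
static const struct payload_hdr hdr_ok       = { 16u,    32u };          /* fits */
static const struct payload_hdr hdr_too_long = { 4000u,  200u };         /* plainly past the end */
static const struct payload_hdr hdr_wrap     = { 0x100u, 0xFFFFFF00u };  /* wraps to 0 */

static uint8_t g_buf[BUF_SIZE];   /* stands in for the firmware's input buffer */
static uint8_t g_out[64];         /* destination the payload is copied into */

/* Run the safe extraction against the example buffers. */
size_t extract_demo(const struct payload_hdr *h)
{
    return payload_extract(h, g_buf, BUF_SIZE, g_out, sizeof g_out);
}

int main(void)
{
    const struct payload_hdr *cases[] = { &hdr_ok, &hdr_too_long, &hdr_wrap };
    for (size_t i = 0; i < 3; i++) {
        const struct payload_hdr *h = cases[i];
        printf("offset=%#x length=%#x  vulnerable:%s  safe:%s  extracted=%zu\n",
               (unsigned)h->offset, (unsigned)h->length,
               payload_in_bounds_vulnerable(h, BUF_SIZE) ? "accept" : "reject",
               payload_in_bounds_safe(h, BUF_SIZE) ? "accept" : "reject",
               extract_demo(h));
    }
    return 0;
}
```

The wrapped header is the one a fuzzer or an auditor reading the check would never see as wrong: both sides of the comparison are in range, only the sum is not. Reading the firmware from user mode through a variable-write API is exactly how such a header reaches the vulnerable check.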

Mission MPOSsible

Topic: Hacking mobile point-of-sale (POS) systems

Speaker: Nils and John Butler

This talk focused on vulnerabilities found in popular mobile POS (mPOS) systems used by consumers and smaller businesses. These are not the enterprise POS systems large retailers use, but small cellular devices meant only to read chip-and-PIN cards and process the payments online.

The researchers did not name the affected devices (though they hinted strongly at what they were), but they did say that the platform they attacked underlies about 75% of mobile chip-and-PIN solutions. These mPOS devices are small embedded Linux machines running ARMv5 processors; the speakers compared them to the hardware in cheap MP3 players.

As embedded Linux machines, the devices suffer all the security issues you might expect. For instance, they expose both Bluetooth and USB, which is attack surface. Via USB, the researchers were able to recover the device’s firmware and analyze it. They also found a vulnerability in how the device handles the USB cable being unplugged, which let them load malicious firmware.

Nils and Butler also fuzzed the EMV library (the chip-and-PIN communication standard) on these devices. During fuzzing they discovered a very basic stack buffer overflow, one of the most elementary memory corruption issues possible, and then demonstrated how to exploit it to gain full root control of the devices. Of course, they made their root access fun: rather than just owning the device, they loaded a custom version of the Flappy Bird game, which they called Chippy Pin. Any talk that ends with a mobile POS device playing a video game is a good presentation in my book.
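EMV data exchanged with the card is BER-TLV encoded, so an EMV library spends much of its time decoding a tag, a length, and then copying a value; a length the parser trusts is where a fuzzer finds a stack overflow. The following is an added example, not the speakers’ code or any real EMV library: a minimal BER-TLV header decoder, the unchecked copy into a fixed stack buffer, and the bounded copy that should replace it. The sample records (a cardholder name under tag 5F20, a short value under 9F10 using the two-byte length form, and two malformed records) are constructed for the example, and the 32-byte field size is an assumption.

```c
/* Added example, not the speakers' code and not a real EMV library: BER-TLV
 * header decoding plus an unchecked value copy beside a bounded one. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VALUE_MAX 32   /* assumed fixed-size field the value is copied into */

struct tlv {
    uint32_t       tag;
    size_t         length;  /* declared length, not yet validated */
    const uint8_t *value;   /* first value byte, just past the header */
};

/* Decode tag and length as EMV uses BER-TLV: the tag continues while the low
 * five bits of its first byte are 11111 and bit 8 of each later byte is set;
 * the length is one byte below 0x80, or 0x81/0x82 followed by one/two bytes.
 * Returns the header size, or 0 if the header is malformed or truncated.
 * The declared length is NOT checked against the input here. */
size_t tlv_decode_header(const uint8_t *p, size_t len, struct tlv *out)
{
    size_t i = 0;
    if (len < 2) return 0;
    uint32_t tag = p[i++];
    if ((tag & 0x1F) == 0x1F) {
        do {
            if (i >= len || i >= 4) return 0;       /* truncated or absurdly long tag */
            tag = (tag << 8) | p[i];
        } while (p[i++] & 0x80);
    }
    if (i >= len) return 0;
    uint8_t l = p[i++];
    size_t length;
    if (l < 0x80) {
        length = l;
    } else if (l == 0x81) {
        if (i >= len) return 0;
        length = p[i++];
    } else if (l == 0x82) {
        if (len - i < 2) return 0;
        length = ((size_t)p[i] << 8) | p[i + 1];
        i += 2;
    } else {
        return 0;   /* longer and indefinite length forms are not used by EMV */
    }
    out->tag = tag; out->length = length; out->value = p + i;
    return i;
}

/* Vulnerable (shown for contrast; main() never calls it): the declared length
 * drives both the read from the input and the write into a 32-byte stack
 * buffer, with no check against either. A header of 5F 20 81 FF declares 255
 * bytes, so the memcpy overruns `name` and whatever the frame holds above it. */
long tlv_copy_value_vulnerable(const uint8_t *in, size_t in_len)
{
    uint8_t name[VALUE_MAX];
    struct tlv t;
    if (tlv_decode_header(in, in_len, &t) == 0) return -1;
    memcpy(name, t.value, t.length);   /* attacker-controlled size */
    return name[0];
}

/* Hardened: returns the number of value bytes copied into dst, or -1 if the
 * header is malformed, the declared length runs past the input, or the value
 * does not fit in dst. */
long tlv_copy_value_safe(const uint8_t *in, size_t in_len,
                         uint8_t *dst, size_t dst_size, uint32_t *tag_out)
{
    struct tlv t;
    size_t hdr = tlv_decode_header(in, in_len, &t);
    if (hdr == 0) return -1;
    if (t.length > in_len - hdr) return -1;   /* would read past the input */
    if (t.length > dst_size) return -1;       /* would write past dst */
    memcpy(dst, t.value, t.length);
    if (tag_out) *tag_out = t.tag;
    return (long)t.length;
}

/* Same shape as the vulnerable function, with the safe copy. */
long tlv_parse_local(const uint8_t *in, size_t in_len)
{
    uint8_t name[VALUE_MAX];
    return tlv_copy_value_safe(in, in_len, name, sizeof name, NULL);
}

/* Tag of an accepted record, or 0 when the record is rejected. */
uint32_t tlv_parse_tag(const uint8_t *in, size_t in_len)
{
    uint8_t name[VALUE_MAX];
    uint32_t tag = 0;
    return tlv_copy_value_safe(in, in_len, name, sizeof name, &tag) < 0 ? 0 : tag;
}

/* Constructed records. */
static const uint8_t rec_name[]  = { 0x5F, 0x20, 0x08, 'J','O','H','N','/','D','O','E' }; /* 5F20, 8 bytes */
static const uint8_t rec_iad[]   = { 0x9F, 0x10, 0x82, 0x00, 0x04, 1, 2, 3, 4 };         /* 9F10, 0x82 form */
static const uint8_t rec_lies[]  = { 0x5F, 0x20, 0x81, 0xFF, 'A', 'B' };                 /* declares 255, has 2 */
static const uint8_t rec_big[]   = { 0x5F, 0x20, 0x28,                                   /* declares 40, has 40 */
    'X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X',
    'X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X' };
static const uint8_t rec_short[] = { 0x5F };                                             /* truncated header */

int main(void)
{
    printf("5F20 name:      %ld\n", tlv_parse_local(rec_name, sizeof rec_name));
    printf("9F10 iad:       %ld\n", tlv_parse_local(rec_iad, sizeof rec_iad));
    printf("lying length:   %ld\n", tlv_parse_local(rec_lies, sizeof rec_lies));
    printf("too big for 32: %ld\n", tlv_parse_local(rec_big, sizeof rec_big));
    printf("truncated:      %ld\n", tlv_parse_local(rec_short, sizeof rec_short));
    return 0;
}
```

Note that the header decoder alone is not the fix: it bounds its own reads, but the value length it returns is still whatever the card (or fuzzer) said, so the two checks in the safe copy are the ones that matter. A fuzzer that mutates only the length bytes of otherwise valid records reaches the vulnerable memcpy in a handful of iterations, which is consistent with the speakers finding the bug by fuzzing.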

I hope you found this quick summary of the Black Hat briefings interesting and potentially useful. If anything, it should give you an idea of some of the types of attacks you might see in the future. As usual, I found the Black Hat briefings fascinating, even though I was only able to attend a fraction of the talks. If you ever find yourself in Las Vegas late July or early August, I recommend giving Black Hat and DEF CON a try. — Corey Nachreiner, CISSP (@SecAdept)

 

 

 

 

 
