Monthly Archives: January 2017

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach to more and more areas of our everyday lives, both companies and individuals need to take steps to improve the security of their equipment/devices. It’s not just devices such as thermometers (while important) in our homes at risk; devices that impact health and safety as well as entire communities and economies are being / or will be targeted.

For example, last month a cyber-attack took place in Ukraine that while it only lasted approximately 1 hour, served to cause a power outage in an entire district of Kiev. The on-going investigation into this attack believes it to be the same attackers responsible for the December 2015 attack (that attack affected approximately 250,000 people for up to 6 hours).

In a similar manner, a smaller energy company (at an undisclosed location) was a victim of the Samsam ransomware (defined). The attackers initially compromised the web server and used a privilege escalation vulnerability (defined) to install further malware and spread throughout the network. The attackers demanded 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that didn’t work.

Fortunately, this energy company had a working backup and was back online after 2 days. The root cause of infection? Their network not being separated by a DMZ (defined) from their industrial networks. This Dark Reading article also details 2 further examples of businesses affected who use industrial systems namely a manufacturing plant and a power plant. Both were located in Brazil.

Mark Stacey of RSA’s incident response team says that while nation states have not yet employed ransomware in industrial systems, it will certainly happen. He cites the example of a dam, where the disabling of equipment may not demand a large ransom compared to the act of encrypting the data required for its normal operation.

Former US National Security Official Richard Clarke is suggesting the use of a tried and tested means of increasing the security of all deployed industrial control systems. As it is very difficult convincing those on the Board of Directors to provide budget for something that has not happened/may not happen, he suggests employing an approach similar to that of the Y2K bug. This would require introducing regulations that require all devices after a given date be in a secured state against cyber-attack. He advocates electric power, connected cars and healthcare providers follow this approach and notes that without regulation “none of this is going to happen.” Since these regulations would apply to all ICS/SCADA (defined) vendors, they would also not loose competitiveness

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should assist with securing IoT and ICS/SCADA devices. However, this is just the beginning. This scanner from Beyond Trust is another great start. As that article mentions the FTC is offering $100,000 to “a company that can discover an innovative way of managing and patching IoT devices.” Securing IoT devices is not an easy problem to solve.

However, progress is happening with securing critical infrastructure and Internet of Things (IoT)(defined) devices. For example, please find below resources/recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure e.g. power, gas, communications, water filtration etc. The US ICS-CERT has a detailed list of recommendations available from the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

=======================
I hope that you find the above resources useful for securing ICS/SCADA as well as IoT devices that are very likely a target this year.

Thank you.

OpenSSL Heartbleed persists on 200,000 systems/devices

April 2014 saw the worldwide public disclosure of the Heartbleed vulnerability (a difficult to detect and easy to exploit information disclosure issue) within the open source OpenSSL encryption library. Almost 3 years on, approximately 200,000 servers/devices remain vulnerable.

Shodan, the search engine that can detect vulnerable devices connected to the internet released these findings in their Heartbleed report during the weekend of January 21. The report highlights approximately 52,000 Apache web servers with version numbers 2.2.2 and 2.2.15 remain critically vulnerable. Amazon Web Services and Verizon Wireless were the largest hosts of these vulnerable systems with the United States being the location for the most vulnerable internet service providers (ISPs). Another significant finding of the report is that many organizations/businesses are unware their physical and virtual servers are vulnerable.

How Can I Protect Myself from This Vulnerability?
If you or someone in your organisation uses physical or virtual servers, please ensure these servers have all vendor security updates installed, specifically updates from OpenSSL. Unsupported web servers (physical or virtual) or software (which uses the OpenSSL libraries) should be upgraded/replaced. Moreover, OpenSSL versions prior to 1.0.2 are no longer supported; please upgrade to version 1.0.2 or 1.1.0.

Due to the increasing numbers of devices connected to the internet, organizations and individuals need to be aware if their devices or software are vulnerable. For example, earlier this month vulnerable MongoDB, Elastic Search, Hadoop and CouchDB servers. Any software that connects to the internet especially VPN (Virtual Private Network) (defined) software may be vulnerable to the Heartbleed vulnerability.

Thank you.

=======================
Aside:
=======================
What is Shodan?
Shodan was originally created as a project in 2003 by a computer programmer John Matherly who launched the Shodan website in 2009. It is named after the enemy AI of the System Shock series of video games.

It is a search engine like Google, Bing and Yahoo but it isn’t searching for websites that best match the text that we enter. Instead it indexes and categorizes all devices connected to the internet. It does this by searching for and interpreting their banner e.g. Apache 2.4.3, OpenSSL/1.0.1c PHP/5.4.7

It is usually webservers that use such banners but many devices (e.g. FTP and mail servers) use banners to describe the services they offer, what operating system they are using e.g. Red Hat/Linux and the ports they have open e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP, 25 for SMTP, 23 for Telnet, 22 for SSH etc. For example, we use ports 80 and 443 everyday as well port 25 for email.

What can it be used for?

  • Shodan can be used to detect the types of devices on your network and what types of ports (entry points to and from those devices) they are using. This is good to know since you can then better secure them against possible attack. Shodan can also be used to look for and access any device that is poorly configured namely that it allows access to it’s configuration/admin page from the Internet.
  • You can also use it to check if there are any unknown devices on your devices that arrived through social engineering e.g. a new router/access point in a conference room or shadow IT (devices installed by staff without the knowledge of the IT team).

Malware Uses Linux Systems as Proxies

A Trojan horse (defined) is compromising Linux systems by exploiting poorly implemented SSH (Secure Shell)(defined) remote access. Many are already compromised systems first have a new account created with a notification to the Trojans authors providing the details of the system enabling a remote connection. The Trojan then installs the Satanic Socks Server utility to set up proxy server (defined) for use by the attackers or any individual they chose to connect to your system (very likely for a fee). More information on this threat is available here and here.


How Can I Protect Myself from This Threat?

If you are an administrator of Linux servers/workstations you should ensure remote SSH access uses a strong authentication mechanism. If this access is not required, strongly consider disabling SSH access.

To check if your Linux system has already been compromised, you can list the user accounts from a Linux system using the commands below. If you locate any suspicious accounts, you can delete them. I will also provide other useful commands below:

cat /etc/passwd
: this will list the name of user accounts
grep :0: /etc/passwd : will find accounts with the string “”:0″” within them (accounts with root privileges)

crontab -l -u root : display cron jobs (defined) scheduled by root and any other UID 0 accounts

Attackers often schedule jobs that include backdoors on the machine guaranteeing the attacker return access to the system.

The above commands are particularly useful if you already know the outputs of these commands when your system is working fine/as expected. You can then compare those known good outputs to the current output to more easily determine if your system has been compromised.

If you find a rogue/unknown user account; you can delete it using the following command:

userdel -r [account name]

where [account name] is the name of the user account that you wish to delete.

I hope that the above information is useful to you in protecting your Linux systems against this threat.

Thank you.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

US CERT Warns of Possible SMB Zero Day Vulnerability

Earlier this month saw the end of operations for a group known as the Shadow Brokers (who were responsible for the disclosure of critical security vulnerabilities in enterprise networking infrastructure). Their online auction of exploits remains open.

Among the exploits for sale is a possible zero day (defined) SMB (defined) exploit for Windows. With the potential use of this exploited predicted, the US-CERT issued a security advisory, which suggested disabling SMB version 1 and disabling the use of SMB version 2 at the network perimeter (preventing external access or internal traffic reaching outside of the corporate network). As previously noted on this blog, securing the use of SMB version 2 in this manner will also protect against the Redirect to SMB vulnerability.

These recommendations should better secure your corporate network against this exploit as well as future vulnerabilities.

Thank you.

January 2017 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft only made 4 bulletins available. These updates address 3 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within the above summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.

Next month Microsoft will only be publishing it’s security bulletins and release notes within their Security Updates Guide; rather than distributing this information across several pages. This post from WinSuperSite explains the changes in full.

====================
Adobe made a pair of security bulletins available for Adobe Flash and Adobe Acrobat/Adobe Reader. The Flash Player bulletin resolves 13x priority 1 vulnerabilities. The Adobe Acrobat/Adobe Reader resolves 29x priority 2 vulnerabilities. Adobe’s priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use Flash or Adobe Acrobat/Adobe Reader any of the above products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

The update for Microsoft Office should be installed first due to it’s criticality. This should be followed by the update for Microsoft Edge and finally by the LSASS update. The update for Edge is important due to exploit kits relying on such patches not to be installed in order to spread further malware (defined).

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.51) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Flash Player 2017 Update Tracker

In a similar manner to the 2015 and 2016 tracker that was incredibly popular on this blog; I am providing the same information below for the year 2017.

I have created a new post to make the timeline easier to follow. It will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
10th January: Adobe releases Flash Player v24.0.0.194 resolving 13 CVEs.

14th February: Adobe releases Flash Player v24.0.0.221 again resolving 12 CVEs.

14th March: Adobe releases Flash Player v25.0.0.127 resolving 8 CVEs.

11th April: Adobe releases v25.0.0.148 resolving 7 CVEs (including some from Pwn2Own 2017).

9th May: Adobe releases Flash Player v25.0.0.171 resolving 7 CVEs.

13th June: Adobe releases Flash Player v26.0.0.126 resolving 9 CVEs.

11th July: Adobe releases Flash Player v26.0.0.137 resolving 3 CVEs. It’s refreshing to see such a small number of CVEs being patched. However it will be interesting to see if this trend continues next month.

8th August: Adobe releases Flash Player v26.0.0.151 resolving 2 CVEs. Similar to last month the number of vulnerabilities is low. It’s not yet clear if this is due to Adobe’s recent announcement to de-commission Flash Player in 2020.

12th September 2017: Adobe have released Flash Player v27.0.0.130 to resolve 2 critical CVEs. Similar to recent months the number of vulnerabilities being addressed remains low.

16th October 2017:  Adobe released Flash Player v27.0.0.170 to resolve 1 critical CVE being exploited by the BlackOasis APT group.

14th November 2017 Adobe releases Flash Player v27.0.0.187 to resolve 5 critical CVEs. No known exploits for these issues were observed at the time of release or following the release.

12th December 2017 Adobe releases Flash Player v28.0.0.126 to fix 1 moderate CVE. As for November; no known exploits were used to target this vulnerability.

=======================

Update: 10th January 2017: The timeline was updated to add the Adobe Flash Player update for January 2017. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 14th February 2017: The timeline was updated to add the Adobe Flash Player update for February 2017. At this time no exploits for the issues fixed by this update are known to be taking place.

Update: 14th March 2017: The timeline was updated to add the Adobe Flash Player update for March 2017. At this time no exploits for the issues fixed by this update are known to be taking place. With Pwn2Own 2017 due to take this place this month expect more updates soon.

Update: 11th April 2017: The timeline was updated to add the Adobe Flash Player update for April 2017. As before, at the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 8th May 2017: I have corrected the number of vulnerabilities addressed in the February and March updates mentioned adove. While the numbers I originally listed were correct at the time of writing, Adobe subsequently revised them. The end of the February and March bulletins highlight the revisions made by Adobe. I will endeavor to updates these entries sooner in future.

Update: 9th May 2017: The timeline was updated to add the Adobe Flash Player update for May 2017. At this time, no exploits for the issues fixed by this update are known to be taking place.

Update: 14th June 2017: The timeline was updated to add the Adobe Flash Player update for June 2017. At the time of writing; no exploits for the issues fixed by this update are known to be taking place.

Update: 11th July 2017: The timeline was updated to add the Adobe Flash Player update for July 2017. Just like for June 2017; no exploits for the issues fixed by this update are known to be taking place.

Update: 8th August 2017: The timeline was updated to add the Adobe Flash Player update for August 2017. As before; no exploits for the issues fixed by this update are known to be taking place.

Update: 12th September 2017: The timeline was updated to include the Adobe Flash Player updates for September 2017. Similar to last month, no exploits for the issues fixed by this update are known to be taking place at this time.

Update: 18th October 2017: The timeline was updated to include the Adobe Flash Player updates for October 2017. It addresses a zero day vulnerability known to be under exploit.

Update: 26th December 2017: The timeline was updated to include the Adobe Flash Player updates for November and December 2017. Sorry for the delay in updating this.