
ICG Risk Blog - [ Cybersecurity Public ]

Pandemic flaws at the architectural and base component level


Hidden flaws at the architectural or base component level that have over time come to be shared as "givens" not subject to investigative review continue to open significant exploit potential across multiple operating systems.

This time it is the library for the Portable Network Graphics (libPNG) graphics format, used as an alternative to the Graphics Interchange Format (GIF) and other image formats. The libPNG flaws are not Microsoft specific in that they affect:

  • Apple's Mac OS X Mail application
  • Opera and IE browsers on Windows
  • Mozilla and Netscape browsers on Solaris

The wide use of libPNG components reminds me of the flaws of ASN.1 Basic Encoding Rules (BER), written by Xerox back in the 1960s, which has since been at the baseline for subsequent applications, of which MS was one; others being cell phone calls, Signaling System 7 (SS7), air traffic control systems, package tracking, SCADA systems, X.9 financial transaction protocols, public key cryptographic standards, VoIP, video teleconferencing, messaging systems, and public directory protocols.

Of the six vulnerabilities discovered to date in libPNG, the most serious could allow a remote attacker to execute arbitrary code on an affected system, whereas the others will crash apps using the library. Secunia gave the vulnerabilities a highly critical rating, its second-highest:

The vulnerabilities can... be exploited by tricking a user into visiting a malicious website or view a malicious email with an affected application linked to libpng.

Yet the problem is not new:

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft labeled as critical a flaw in how Internet Explorer handled PNG images. More than two years ago, a compression format flaw in Linux allowed PNG images, among other types of data, to crash programs running on the operating system.

Now, more than two years later, users on a wide spectrum of Mac, Linux, and MS apps are confronted with the specter of specially created PNG graphics executing "a malicious program when the application loads the image." Unfortunately, while patches have been made for Linux and Mozilla, they have yet to be effected for IE. And of course, one still has to install the patch when it is made available.

Not a comforting situation in the era of zero-day exploits.
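The libPNG flaws above live in the decoder's handling of untrusted chunk data, which is exactly the kind of "given" base component that nobody re-examines. As an added example (Python written for this page, not code from libPNG or any of the affected applications), the check below validates the structural invariants of a PNG byte stream before it is handed to a real decoder: every declared chunk length is bounded by the data actually present, every chunk CRC must verify, IHDR must come first with sane dimensions, and IEND must close the stream. It does not reproduce the specific libPNG bugs, which the page does not detail; the sample images, including the malformed ones, are constructed inside the block.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1   # upper bound fixed by the PNG specification
IHDR_LEN = 13


class PngFormatError(ValueError):
    """Raised when the byte stream violates a structural PNG invariant."""


def make_chunk(ctype: bytes, data: bytes, corrupt_crc: bool = False) -> bytes:
    """Serialize one chunk; used here only to construct sample input."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def walk_chunks(buf: bytes):
    """Yield (type, data) per chunk, checking each declared length before reading.

    Every read is bounded by len(buf), so a declared length that exceeds the
    remaining data is rejected instead of being used as a read or copy size.
    """
    if not buf.startswith(PNG_SIGNATURE):
        raise PngFormatError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(buf):
        if len(buf) - pos < 12:
            raise PngFormatError("truncated chunk at offset %d" % pos)
        length = struct.unpack(">I", buf[pos:pos + 4])[0]
        ctype = buf[pos + 4:pos + 8]
        if length > MAX_CHUNK_LEN:
            raise PngFormatError("chunk %r length %d exceeds spec maximum" % (ctype, length))
        if length > len(buf) - pos - 12:
            raise PngFormatError("chunk %r length %d runs past end of data" % (ctype, length))
        data = buf[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", buf[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise PngFormatError("chunk %r CRC mismatch" % ctype)
        yield ctype, data
        pos += 12 + length


def validate_png(buf: bytes) -> list:
    """Return the chunk types in order, or raise PngFormatError.

    Beyond per-chunk bounds, this enforces the ordering and IHDR invariants a
    decoder relies on before it sizes its image buffers.
    """
    types = []
    for ctype, data in walk_chunks(buf):
        if not types:
            if ctype != b"IHDR":
                raise PngFormatError("first chunk is %r, not IHDR" % ctype)
            if len(data) != IHDR_LEN:
                raise PngFormatError("IHDR length %d, expected %d" % (len(data), IHDR_LEN))
            width, height = struct.unpack(">II", data[:8])
            if width == 0 or height == 0 or width > MAX_CHUNK_LEN or height > MAX_CHUNK_LEN:
                raise PngFormatError("IHDR dimensions %dx%d out of range" % (width, height))
        elif types[-1] == b"IEND":
            raise PngFormatError("data after IEND")
        types.append(ctype)
    if not types or types[-1] != b"IEND":
        raise PngFormatError("stream does not end with IEND")
    return types


def sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed 8-bit grayscale image used as sample input (not a real file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def oversized_length_png() -> bytes:
    """Constructed stream whose IDAT declares far more data than is present."""
    good = sample_png()
    idat_off = good.index(b"IDAT") - 4          # length field precedes the type
    return good[:idat_off] + struct.pack(">I", 0x7FFFFFF0) + good[idat_off + 4:]


def bad_crc_png() -> bytes:
    """Constructed stream whose IHDR CRC has been flipped."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIGNATURE + make_chunk(b"IHDR", ihdr, corrupt_crc=True) + make_chunk(b"IEND", b"")


def check(buf: bytes) -> str:
    """Classify a buffer as 'ok' or return the rejection reason."""
    try:
        validate_png(buf)
        return "ok"
    except PngFormatError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for name, blob in [("well-formed", sample_png()),
                       ("oversized length", oversized_length_png()),
                       ("bad CRC", bad_crc_png()),
                       ("zero width", sample_png(0, 1))]:
        print(name, "->", check(blob))
```

A pre-check like this cannot substitute for patching the decoder, since it inspects only the chunk envelope and not the compressed pixel data, but it is the kind of cheap gate a mail client or gateway can apply to images from untrusted senders.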

Multiple Vulnerabilities in libpng
Original release date: August 4, 2004
US-CERT

Image flaw pierces PC security
By Robert Lemos
CNET News.com
August 5, 2004, 3:06 PM PT

Exploit code for Microsoft vulnerability circulating
02/16/04
By William Jackson
GCN Staff

Gordon Housworth



Cybersecurity Public  InfoT Public  


Patch to dissemination to analysis to exploit: zero-day exploit tightens Boyd's OODA loop


Hackers and crackers are increasingly using reverse-engineering tools to analyze code in search of exploitable flaws, as well as analyzing patches immediately upon release in order to identify the holes a patch addresses. It is worthwhile to revisit Revisiting Clarke's six bleak IT trends from October 2003, which listed six trends, the first four of which were:

  • Rising vulnerabilities
  • Rising patches
  • Falling "time to exploit"
  • Rising rate of propagation

That was October 2003.  Look at the progression to date:

  • January 2003 Slammer worm - six months to exploit vulnerability
  • April 2004 Sasser worm - three weeks to exploit vulnerability
  • June 2004 Witty worm - two days to exploit vulnerability

Witty was not only quickly written, but it was well written, and stunningly successful in attacking its target set, the 12,000 worldwide installs of BlackICE/RealSecure, which it did in a mere 45 minutes.

Contrast that to the 'slowness to patch' figures from Qualys, whose clients are most likely at the fast end of the scale as they subscribe to a flaw-detection service and so at least demonstrate awareness if not action. For PCs attached directly to the net, the "half life of a vulnerability--the length of time it takes for half of assailable computers to be fixed" dropped from 30 days in 2003 to 21 days in 2004. It gets worse for PCs attached to LANs instead of directly to the net, where sysadmins labor under a false sense of security and so take 62 days in 2004 (no figures for 2003).
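The half-life figure and the time-to-exploit figures above only bite when put side by side: what fraction of hosts is still exposed on the day an exploit appears? As an added example (Python written for this page, not Qualys's method or code), the block below computes the half-life from a host-level patch record and the unpatched fraction at a given number of days after disclosure. The disclosure date and the ten host records are constructed sample data; hosts with `None` are still unpatched and therefore count against the half-life rather than being dropped.

```python
from datetime import date

DISCLOSED = date(2004, 4, 13)   # constructed disclosure date for the example

# Constructed patch-status records: host -> date patched, None = still unpatched.
PATCH_DATES = {
    "host01": date(2004, 4, 15), "host02": date(2004, 4, 18), "host03": date(2004, 4, 22),
    "host04": date(2004, 4, 27), "host05": date(2004, 5, 4),  "host06": date(2004, 5, 13),
    "host07": date(2004, 5, 28), "host08": date(2004, 6, 14), "host09": None, "host10": None,
}


def days_to_patch(disclosed, patch_dates):
    """Sorted days-from-disclosure for each patched host; unpatched hosts are omitted."""
    return sorted((d - disclosed).days for d in patch_dates.values() if d is not None)


def vulnerability_half_life(disclosed, patch_dates):
    """Days after disclosure by which half of all assailable hosts were fixed.

    Returns None while fewer than half are fixed: a population that never
    reaches 50% patched has no half-life, which is itself a finding.
    """
    total = len(patch_dates)
    fixed = days_to_patch(disclosed, patch_dates)
    needed = (total + 1) // 2            # ceiling of half the population
    if total == 0 or len(fixed) < needed:
        return None
    return fixed[needed - 1]


def fraction_unpatched_at(disclosed, patch_dates, day):
    """Fraction of hosts still unpatched `day` days after disclosure."""
    total = len(patch_dates)
    patched = sum(1 for d in days_to_patch(disclosed, patch_dates) if d <= day)
    return (total - patched) / total


def exposure_report(disclosed, patch_dates, time_to_exploit_days):
    """Combine the two measures: the patch half-life against the observed time to exploit."""
    return {
        "half_life_days": vulnerability_half_life(disclosed, patch_dates),
        "time_to_exploit_days": time_to_exploit_days,
        "unpatched_when_exploit_appears": fraction_unpatched_at(
            disclosed, patch_dates, time_to_exploit_days),
    }


if __name__ == "__main__":
    # Two days is the Witty figure quoted above; applied here to the constructed data.
    print(exposure_report(DISCLOSED, PATCH_DATES, time_to_exploit_days=2))
```

On the constructed data the half-life comes out at 21 days, matching the 2004 figure quoted above, while 90% of hosts are still exposed on day two; that gap, not the half-life by itself, is the number to put in front of management.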

The speed of vulnerability to exploit in the wild has placed an impossible burden on corporate network administrators:

  • Frequent patches without the necessary testing time to ensure backwards compatibility
  • High IT manpower surges needed to contain a perpetual patch cycle that -- like painting a bridge -- never ends: as soon as one reaches one end, it is time to start again at the other
  • Need to find a better way, be it new code, new vendors, or new tools to block worms and viruses

While Microsoft is releasing a built-in firewall in XP Service Pack 2 update, it has far to go in aiding what it estimates as "the nearly two-thirds of Windows users who don't have up-to-date antivirus software on their computers." Given that Wintel dominates the desktop, that puts it at the center of controversy. (And contrary to the belief of Linux users, Unix and Linux have equal or more bugs.)

Hackers are now closing Boyd's OODA Loop around the individual and corporate user, operating inside our ability to Observe, Orient, Decide, and Act, or in Boyd the fighter pilot's terms, turning inside us so as to get into a shootdown position. We need better security tools immediately.

Better tools let hackers strike more quickly
By Robert Lemos
CNET News.com
July 28, 2004, 11:11 AM PT

Companies patching security holes faster
By Robert Lemos
CNET News.com
July 29, 2004, 4:47 PM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  


If Athens is like Boston...


Only those of you familiar with the labyrinthine 17th century geography of Boston's old town and financial district along with the decade long disruption occasioned by the "Big Dig" which is relocating major expressways passing through the city can appreciate a certain humor when the security perimeter around the Democratic Convention is referred to as the "hard zone." Those of us who braved Boston's traffic on a daily basis might have set the 'hard zone' perimeter out at the Charles River.

Seriously, when one hears the term "they paved the cow path" applied to a winding road, that is exactly what happened in Colonial Boston. As carts gave way over time to wider vehicles, the roads were made one way. If I am building a word picture for readers of an already transit-challenged city, I shudder to think of that city beset by dump trucks blocking off more roads, a fortress-like environment where the Secret Service makes hundreds of reporters alternately wait for hours or walk around the security perimeter before they're admitted. LNG tankers pass close by the city, but deliveries are said to be curtailed during the Convention.

Confusion seems to be well in attendance, and not just in the roadbed. Convention delegates and attendees will descend upon the city with laptops, many of which are WiFi-enabled without encryption. A recent "war driving" exercise with a 'honey pot' open access point detected more than 3,000 unique WiFi devices, two-thirds of which were unsecured and so an open security breach. Given that "most Wi-Fi security breaches occur when the laptop's operating system automatically looks for available wireless networks when it's turned on," this potentially sets up a dangerous security scenario based on the level of open Wi-Fi networks in range of the FleetCenter [Convention site].

457 unique wireless access points (the majority of which were unsecured) and wireless network cards were detected in the general area surrounding the Democratic National Convention site. "The proliferation of open wireless network access poses a significant security challenge for the DNC -- not just near the convention site but throughout the city," said Matthew Gray, founder and CTO, Newbury Networks, Inc. "With so much emphasis being placed on physical security at the convention, it will be important for organizers to also consider the implications of wireless security risks at this high profile global event."

A wondrous take-down opportunity in the making, as conventioneers will bypass the Democratic Convention's conventionally wired network: transient WiFi-enabled laptops will connect to the hardwired network even as they simultaneously connect to the nearest hard point, thereby bridging both networks.

While convention PCs may be patched to the appropriate level, many visiting laptops will not be and thus are open to compromise, turning them into zombies. The prize would be one of the Democratic network managers' laptops, which, given its access, could send confidential data out of FleetCenter.

Some may snicker that security is being backstopped by Microsoft as well as Cisco. I have the thought that if Athens is this way, it hasn't a chance.

Confusion reigns as security rules
By Suzanne Smalley, Globe Staff
Boston Globe
July 25, 2004

Laptops at the FleetCenter at risk of breaches, attack
By Hiawatha Bray, Globe Staff
Boston Globe
July 22, 2004

Gordon Housworth


Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Awareness in worms: shutdown in the face of antiviral analysis


This is one of those wonders of why it didn't happen sooner: marrying malware to environmental awareness of its surroundings so that it can take evasive action.

Leave aside that the worm, called Atak, seems to have a modest payload that may attack other worms as (a) that may merely be a proof of function effort or (b) it may be one of a growing family of malware that seek to persevere by destroying their competitors. The important thing is that Atak goes beyond the multiple levels of passive armoring to thwart detection and removal:

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down."

Now that worms have moved from passive defense to active evasion, one can look beyond this easily enough to envision worms that go on the attack, very likely a selective attack based upon their environment and the analyzer.

Worm sleeps to avoid detection
By Munir Kotadia
CNET News.com
July 13, 2004, 6:53 AM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  


Systematic digital infection via compromised corporate web sites


As I write this, infection requires no more than a PC user merely visiting a co-opted website, but this time the corrupted sites are not the fringe of marginal sites or IRC chat rooms but mainstream and include such stalwarts as "auction sites, price comparison sites and financial institutions," including banks.

Poorly secured mainstream corporate websites are being penetrated and malware is being inserted that exploits two IE flaws for which Microsoft has yet to release a patch and for which no antivirus vendors have established detection and neutralization for the Trojan. There is presently no defense save for:

  • Setting IE browser security to high (which makes a number of sites nonfunctional)
  • Choosing a different browser than IE
  • Using a Mac
  • Staying off the web

Setting a frequented site as trusted is problematic as the site's IT folks may have been sloppy, as distinct from the veracity of its legitimate content, and thereby open to exploit. Using a properly setup firewall might at least block, or alert the owner to illegal outgoing traffic.

I have written often of the impact of the failure to prevent bad guys from operating inside our decision cycle, or in combat terms, operating inside the OODA Loop of your opponent as defined by John Boyd. In This exploit tool is fearsome. It should be on your box, I speak of 'a loop trip of a matter of days and hours may be reduced to minutes.' This attack reduces it to zero. No defense, no active virus or passive worm, just pay a visit. Dick Clarke is again vindicated.

The Internet Storm Center tracks the growing list but maintains that it "won't list the sites that are reported to be infected in order to prevent further abuse." I think otherwise, feeling that the harsh glare of public identification will make the victims finally look to securing the web servers. "Researchers" offers a good lay description but if you want the geek details, go to the "Handler's Diary."

The perp or perps are assumed to be mainstream criminal gangs intent on inserting spamware, or a part of the larger activities of Russian organized crime groups, or perhaps one and the same. The level of sophistication of the attack is high: it is customized malware and not a script kiddy copycat, the redirect sites are in Russia, and it would appear to be well funded:

"When a victim browses the site, the [inserted malicious] code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security to allow the attacker to access the computer."

I have often mused that sufficiently well-funded criminal gangs will form their own 'antivirus/anti-exploit' group (or buy or penetrate an existing one) for the purpose of surreptitiously identifying exploit opportunities and so stay perpetually ahead of the good guys. Microsoft surely understands the need to develop a more secure browser and a vastly simpler patch scheme, but now the ante has been raised.

Your OODA Loop is now zero and could stay that way, on and off, for some time. That will do wonders for Internet commerce.

Researchers warn of infectious Web sites
By Robert Lemos
CNET News.com
June 25, 2004, 9:03 AM PT

Handler's Diary, June 24th 2004
Updated June 25th 2004 01:27 UTC
{update #2} .org dns problems, RFI - Russian IIS Hacks?

Gordon Housworth



Cybersecurity Public  InfoT Public  


First proof of concept virus for mobile phones


Proof of concept viruses most often presage variants, from the original authors or other groups, with much more hostile payloads. (The rare exception was a Palm handheld virus.) The first mobile phone virus, Cabir, has appeared, using Bluetooth to scan for target phones within range (30 meters). While this infection range is "small" in comparison to WiFi, I can see it having good effect in crowded, transit areas such as airports, conferences, and tradeshows. The proof of function status of the virus is also reflected in the need of the target to accept a file of unknown source.

The attack is sufficiently simple that the only surprise is that it has not occurred sooner. I vote with those that expect increasingly hostile payload variants as the current volume and ubiquity of cell phones offers the kind of target and associated ego boost that would follow a successful attack.

First mobile phone virus created
BBC NEWS 16 June 2004
Published: 2004/06/16 07:44:40 GMT

Gordon Housworth



Cybersecurity Public  InfoT Public  


WiFi attack jams by nominally friendly means


It only took five days for the trivial WiFi 2.4GHz DoS exploit to become an attack and jamming tool. Using off-the-shelf PDA hardware with no code to write, just knowing the correct command sequence, attackers can "jam all wireless devices within a one kilometre radius using any wireless-enabled computing device and can take down an entire network in seconds if the base station is within range."

The exploit "presents obvious applications for terrorism and espionage" as the attacker could turn the exploit on and off at will, in person or remotely, using any GPRS-enabled phone or PDA, temporarily jamming WiFi security cameras or WiFi comm networks. Used in combination with Atocha-style bomb attacks, it could disrupt discovery and forensic review of security cam tapes, and hamper post-event recovery efforts.

Since the attack is merely spoofing the network into thinking that the channel is perpetually busy, deferring data transmission, it allows immediate recovery when transmission is halted. As it is using a nominal low power transmit of the WiFi network, it does not involve RF jammers that would be far easier to locate, nor does it raise alarms with admins who would perceive it as network congestion.

Affecting all manufacturers' products running on all operating systems, it is an understatement to say, with regard to all 802.11b and some 802.11g wireless networks, that:

"Any organisation that continues to use the standard wireless technology, 802.11b, to operate critical infrastructure could be considered negligent."

As I said in the earlier note, 'One wonders how many other holes remain in plain sight in systems and protocols assumed to be safe.'

Attack jams spy cameras
By Adam Turner
The Age
May 18, 2004

Gordon Housworth



Cybersecurity Public  InfoT Public  


Unrecoverable architectural flaw in 2.4GHz WiFi networks


In Delta between worst-case and realistic cyberattacks narrow I spoke of four conditions that conspire to put systems at risk. Australia has produced an interesting example of two: poor design (by the manufacturer) and design taking immediate advantage of newer technologies without thinking of security intrusion (by the clients).

Queensland University of Technology researchers discovered a trivial exploit that affects a WiFi network operating at 2.4GHz -- all 802.11b and, depending upon configuration, 802.11g networks. What is remarkable is that the flaw occurs at the physical and MAC address layers -- lower network layers than previously discovered security flaws in 802.11 protocols -- and so constitutes an architectural flaw that cannot be resolved by WEP encryption (weak enough as it is) or the Cisco LEAP protocols.

There is no defense for 802.11b save for attempting to affect the antenna pattern or shutting down the network. If the network remains up, you can only use an RF survey to assess how far away your network can be accessed:

"If they discover they can be attacked from out on the street or the carpark, for example, they need to think seriously about re-planning their network."

While affected vendors have been privately advised of the vulnerability so that they can determine effectiveness of the attack, it would not surprise me if hackers attempt some independent experimentation. While the flaw does not apparently permit data intercept, it does allow for a DoS attack.

I found it interesting that the flaw was discovered "while investigating wireless security mechanisms." One wonders how many other holes remain in plain sight in systems and protocols assumed to be safe.

QUT researchers find WiFi flaw
Kate Mackenzie
The Australian
MAY 13, 2004

Gordon Housworth



Cybersecurity Public  InfoT Public  


Delta between worst-case and realistic cyberattacks narrow


It is my wont to revisit projections and forecasts, mine and others', to look for accuracy in both substance and timing: are assumptions still accurate and if not, why not; what new players and tools have entered the market; and what has shifted. The assumptions and the development process are more interesting than the answer, as too many people treat a situation in time as something fixed, instead of seeing it as a still frame in a motion picture (where the trick is to predict the next scene).

One such item is an August 2002 What are the real risks of cyberterrorism? that looked at "possible--though still improbable--worst-case cyberattacks, followed by more realistic threats." In two years, the delta between the worst case and realistic threats has narrowed.

While it is generally true that cyberattacks "come in two forms: one against data, the other on control systems," I would make the distinction that there are three categories: data, analysis of data, and control. Data is often of modest value, especially when data volumes are large and/or frequently changing, and time is short. Actionable information comes from the speedy analysis of data. Poor design, design driven by cost cutting, and design taking immediate advantage of newer technologies without thinking of security intrusion have conspired to create conditions in which data, analysis and control increasingly merge.

The article said that [data attacks] "attempts to steal or corrupt data and deny services" while "control-system attacks attempt to disable or take power over operations used to maintain physical infrastructure" and of those the SCADA systems (supervisory control and data acquisition) and its core RTUs (Remote Telemetry (or Terminal) Units) are key. At the time, Richard Clarke among others said that any "damage resulting from electronic intrusion would be measured in loss of data, not life."

I submit that increasing systems interconnectivity and interdependence is narrowing the gap between loss of data and loss of life. Pursuing the analysis of data as opposed to raw data allows perps to obtain insight that allows them to attack a target either directly or gain an understanding of the means to attack its control systems. If the default shutdown conditions of a control system are poorly designed, interrupting the control system is tantamount to overtaking the system (witness the failure fault paths of older nuclear reactors in the interaction of their physical design and their control systems). If the perps can spot an asymmetrical weakness they will take that path of least resistance, least cost, and least exposure.

It was cold comfort then and far more discomfiting now that the July 2002 Digital Pearl Harbor exercise could conclude that "communications in a heavily populated area" would be disrupted but "would not result in deaths or other catastrophic consequences." In a misplaced presumption of safety, it noted that the attack team "needed $200 million, high-level intelligence and five years of preparation time." If not al Qaeda, that certainly puts at least five nations and the odd drug lord as immediate contenders.

I often speak of the glide slope to the desktop of any technology, i.e., that over time all technologies become small enough and cheap enough to fit on a desktop. I would like to see the Naval War College and Gartner rerun that attack again as I wager that the cost, time, and needed sensitive information would be significantly less. Recent variants of the Sasser worm are believed to have shut down some systems and that was designed and launched by a group of German youths. No $200 million here.

Why should we be surprised? A group of teenage hackers calling themselves the Legion of Doom took control of the BellSouth infrastructure in 1989. "During the attack, the hackers could have tapped phone lines and even shut down the 911 system."

When we see as yet unidentified perps gain control of part of the TeraGrid and nearly gain an ability to launch an enormous DDoS attack, the improbable becomes increasingly likely.

While I still agree that the greatest net threat from al Qaeda remains its C3 ability, I am less comfortable with an earlier comment attributed to Richard Clarke that "Osama bin Laden is not going to come for you on the Internet." At a minimum, the net can be used in a hybrid attack in which the cyber side disrupts the ability of the defender to anticipate, identify, or respond to a physical attack.

What are the real risks of cyberterrorism?
By Robert Lemos
Special to ZDNet
August 26, 2002, 6:23 AM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


All security systems are bankrupt when the operators are daft


Is there any surprise here over this UK breach when we allow the hiring of incompetents and criminals as TSA guards here in the US and spawn baggage theft rings by its members? (Remember, we have to leave all checked luggage open for them as sitting ducks.) These UK violations are appearing here as well.

From Firms fail to hire security staff with formal qualifications:

Only 10% of UK businesses and 25% of large companies have staff with formal security qualifications, such as CISSP or CISM, on their security teams, the Department of Trade & Industry's latest Information Breaches Survey has revealed.

And only 42% of businesses have staff with formal IT qualifications of any kind on their security teams, the survey of 1,000 UK businesses showed.

And from a reader comment (a former ground security coordinator for a [US] midwestern airport) in Comments: Gadgets of Mass Destruction:

The most fun part of my job was to run FAA-approved security tests, where I got to legally sneak guns, simulated bombs, grenades and such through security checkpoints.

Now, these were real guns, basically- except for the insides were modified somehow to be unworkable. Anyway, I always got them through. Always. And they KNEW that they were probably being tested anytime I walked through with a bag, with my airport ID on...and they still missed it. When they miss a gun you can't just whip it out in front of everyone and panic the passengers- you have to show the supervisors a little card first that says "You have just failed an FAA/TSA security test, the agent will now show you what you missed" or something similar.

They still miss guns 25-30% of the time, and knives 70% of the time, and simulated explosives 60%, according to CBS News.

Posted by Rex Stetson at August 5, 2003 11:11 AM

Allowing one arm of your organization to hire the unqualified or the malicious invites disaster to the other arms that depend upon its security systems to perform as advertised.

Firms fail to hire security staff with formal qualifications
IT Management: HR & Skills
by Bill Goodwin
ComputerWeekly.Com
Tuesday 11 May 2004

Comments: Gadgets of Mass Destruction
Post by Rex Stetson at August 5, 2003 11:11 AM

Gordon Housworth



Cybersecurity Public  InfoT Public  

