Insecure Conference Rooms

The New York Times is reporting that Rapid7 researchers have discovered that they could remotely infiltrate conference rooms in some of the top venture capital firms, law firms, pharmaceutical and oil companies across North America by simply calling in to unsecured videoconferencing systems found by scanning the internet.

Moore found he was able to listen in on meetings, remotely steer a camera, and zoom in on items in the room to read proprietary information on documents.  Most expensive videoconferencing systems offer encryption, password protection and camera lock-down capabilities, but they found that administrators were setting them up outside of firewalls for convenience, and not properly configuring security features.  Some systems were set up to automatically accept inbound calls, opening the way for anyone to call in and eavesdrop on a meeting.

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Time to review your video and conference call setups, folks.  It would be terrible to find out that privileged client or financial information was so easily obtainable AFTER the fact!

Core Security Technologies Breached Again?

Core Security Technologies may be in trouble again.  “snc0pe” claims to have breached their networks for the third time, posting IDs and passwords publicly.  The last time snc0pe hacked Core Security was September 2011, leaving the front page defaced.

Core Security Technologies is a computer and network security company that provides penetration testing and security measurement software products and services.  The company’s research arm, CoreLabs, identifies security vulnerabilities, publishes advisories, and works with vendors to eliminate the exposures they find.

Core is dismissing the attack as insignificant, claiming that it was launched against an 8-year-old, unused server that contains no relevant information.

  • What is an unused server doing connected to the internet?
  • What access does it offer to other internal and external resources?
  • Just how irrelevant is the information that is stored on it, or accessible using its credentials?

Malware Compromises College For 10 Years [ ! ]

Trojans and other malware have been discovered at City College of San Francisco, with some stories indicating the malware has been in place for over 10 years.   I suspect (hope?) that this is a misquote, and that the speaker meant to say that malware has been a problem during that period!   I have not found any information positively confirming the duration of the infection, but the original article appears to imply that the malware was present for over 10 years.  Why was this not detected earlier, and how did it manage to remain in place for so long?

It appears that, as is the case in many educational institutions, budgets are tight, interest is low, and apathy runs high.  Passwords went unchanged for at least as long as the infection, security controls were extremely lax, and even after filtering controls were brought in, demand for access to highly questionable material was often approved if minimal pressure was applied.  As a result, a keystroke logger is among at least 7 flavors of malware found operating within the network, and is known to have stolen personal banking information and other data from at least one individual, and potentially hundreds of thousands of students, faculty and administrators.  The college employs 3,000 employees, and hosts about 100,000 students every year.

The college identified the infection in late November 2010 after it noticed that there were gaps in server logs located in the campus computer lab.  An AP story about the incident indicates that at 10:00 PM every day, the malware would troll through the network looking for data to send overseas.  During the investigation, the IT department saw communication with many foreign countries, including Russia and China.  There has been only one confirmed case of personal banking information being captured in this incident that I am aware of.

Upon learning of the breach, the college contained the incident by closing off the infected computer lab, removing the affected server from service, and scanning desktop computers for malware.  Many desktops were found to also be infected.  The college community was notified by e-mail on Jan. 13.  The IT department has since reconfigured the campus firewalls, improved password security controls, updated and created new security protocols, is developing a network segmentation strategy, and is preparing to install new security hardware.

It will be interesting to see what the fallout is regarding how many users are actually impacted by this breach, if there is any way to figure all that out.  What’s on your network?

Oracle SCN Vulnerability

Over the past two months, InfoWorld has been researching a flaw in Oracle’s flagship database software that could have serious repercussions for their customers, potentially compromising the security and stability of Oracle database systems.  There is a very detailed article at the link provided above, and a follow-up from InfoWorld here.  The “boiled down” version:

The flaw could make any unpatched Oracle Database vulnerable to attack, and could pose a special risk to large Oracle customers with interconnected databases.  Both vulnerabilities stem from a mechanism that most Oracle DBAs seldom deal with.  At the core of this issue is the System Change Number (SCN) in Oracle.  This is a number that increments sequentially with every database commit and is crucial to normal Oracle database operation.  The SCN is also incremented through linked database activities.

The SCN “time stamp” is the key to maintaining data consistency in Oracle, allowing the database to respond to every query with the appropriate version of data at a given point in time.  It works like a clock for database transactions, and like time, cannot move backwards.

When Oracle databases link to each other, they synchronize to a common SCN to maintain data consistency.  This is the highest SCN carried by any participating Oracle database instance because the SCN clock runs forwards only.  Only very basic permissions are required to make a connection that can cause one database to increment the SCN on another.

Oracle’s architects knew the SCN needed to be a massive integer.  It is a 48-bit number (281,474,976,710,656).  It would take eons for an Oracle database to eclipse that number of transactions and cause problems, or so you might think…
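The SCN behaviour described above, as an added toy model (not Oracle's code and not from the InfoWorld articles): each commit increments an instance's SCN, and each database-link operation pulls both ends up to the higher SCN, so the largest SCN anywhere in a linked set ends up on every instance, including ones that never linked to its origin directly.  Database names and starting SCNs are constructed, and the imported_scn helper is a defender's heuristic of this example, not an Oracle feature.

```python
# Toy model of how Oracle's System Change Number (SCN) moves between linked
# databases, as the post describes.  Added illustration, not Oracle code; the
# database names and starting SCNs used below are constructed.

SCN_BITS = 48
SCN_MAX = 2 ** SCN_BITS  # 281,474,976,710,656 possible values


class Database:
    def __init__(self, name, scn):
        self.name = name
        self.scn = scn
        self.start_scn = scn
        self.local_commits = 0

    def commit(self, n=1):
        """Each committed transaction increments the SCN sequentially."""
        self.scn += n
        self.local_commits += n

    def link(self, other):
        """A db-link round trip leaves both ends at the higher SCN: the SCN
        clock only runs forward, so the lower side is pulled up."""
        common = max(self.scn, other.scn)
        self.scn = other.scn = common
        return common

    def imported_scn(self):
        """SCN growth that did not come from this instance's own commits,
        i.e. was pulled in over a link; growth outpacing local commits is the gap a DBA would watch."""
        return self.scn - self.start_scn - self.local_commits


def headroom(db):
    """Remaining SCN values before the 48-bit ceiling is reached."""
    return SCN_MAX - db.scn


def propagate(dbs, links):
    """Apply (a, b) link operations in order; return the final SCN per name."""
    by_name = {d.name: d for d in dbs}
    for a, b in links:
        by_name[a].link(by_name[b])
    return {d.name: d.scn for d in dbs}


def demo():
    """hq never links to wh directly, yet wh ends up carrying hq's SCN."""
    hq, branch, wh = Database("hq", 1_000_000), Database("branch", 5_000), Database("wh", 200)
    branch.commit(10)
    final = propagate([hq, branch, wh], [("hq", "branch"), ("branch", "wh")])
    return final, wh.imported_scn(), headroom(wh)
```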

Security Technical Implementation Guide for Mobile Devices

It looks like 2012 is going to become the year of BYOD, or Bring Your Own Device.  Expect this trend to continue to heat up, and boil over as the year progresses.  Everyone wants to pare down the number of devices that hang off their belts, and at the same time, maximize their connectivity.  Work and personal communications are going to commingle if BYOD is permitted, and there are some issues that need to be considered by all.

If you don’t have a policy regarding personal devices, or even if you do, it should probably be reviewed with this trend in mind.  The largest concern that I see from the user end of the issue is that personal data may be lost if the corporate policy is to wipe devices that contain company information when they are lost or stolen, or when an employee leaves.  From the employers’ perspective, I see the largest concern to be that of data and malware control.  If it is not a corporate device, can it, should it, and will it be scanned, monitored, and patched against vulnerabilities or unlicensed / undesired software?  If not, it could pose a serious threat vector to the organization.

The US Department of Defense has released its latest draft STIG specs for Android, Windows Mobile, BlackBerry, and iOS based devices.  This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphones and tablets).  Interesting to any gear-head whose significant other bought them an iPad for Christmas, or whose boss cares just as much.  It is worth reviewing the STIGs, even if you don’t apply the specs, just to be aware of the available options, findings, and recommendations.

Microsoft Sues UK Retail Chain For Pirating Windows

ComputerWorld reports that Microsoft is suing a UK retail electronics chain for selling Windows recovery discs to customers, claiming that the practice amounts to piracy.  I think that they are going to be challenged to make a strong case.  It will be interesting to see how this one unfolds.

Microsoft accuses Comet Group PLC of illegally copying Windows XP and Vista to create operating system recovery discs.  These copies were then sold to Windows desktop and laptop customers in 2008 and 2009.  Comet, operating about 250 UK stores, believes it was on solid legal ground.

Comet approached 95,000 PC customers over a 2 year period, and offered to sell them unnecessary recovery discs, according to Microsoft’s anti-piracy legal team.  The recovery software was already provided on the hard drive by the computer manufacturer.

The total take for Comet from this exercise is estimated at about 2.2 million dollars.  Not bad.

So is Comet just fulfilling a need that Microsoft has stopped providing in order to cut costs, or does Comet have some accountability or obligation for controlling how these recovery CDs are used after sale?  My understanding is that Microsoft’s own VAR agreement states that these CDs can be provided by the reseller “for a nominal fee”.  Is $25 a nominal fee?  If the recovery software is on the hard drive, does that preclude the VAR’s ability to collect the nominal fee and distribute the CDs?  What’s your take on this?

HP Printer Vulnerabilities

Boing-Boing has an interesting article up, regarding a presentation at the recent Chaos Communications Congress, Ang Cui’s “Print Me If You Dare”.  Ang explained how he reverse-engineered the firmware-update process for HP printers.  He discovered that he could load arbitrary code into any printer by embedding it in a document.  As part of his presentation, he sent a document to a printer that contained malicious code that copied the documents it printed and posted them to the Internet.  In his second demo, he took over a remote printer with a malicious document, causing that printer to scan and compromise vulnerable PCs, turning the printer into a proxy that gave him access through the firewall.

Printers are everywhere.  We use them and ignore them daily.  They are sitting on our networks and are intended to be shared resources.  They contain some pretty powerful server components, a fairly substantial amount of RAM and disk space, and are virtually ignored when we consider patch and vulnerability management.  I have been involved in at least one incident that involved using a network connected printer as the hub of malicious operations.  Hiding in plain sight is a pretty clever strategy.

I would encourage anyone that has an HP printer to apply the latest firmware patch ASAP, because malware could be crafted to take over your printer, and then falsely report that it has already had the patch applied.  This is not just an HP problem though.  Got printers?  Get ’em up-to-date, and create a plan to keep them that way.

Poor Problem Management

CA’s Rich Graves posts “Problem Management sits alone in the corner and cries and cries. It’s the loneliest ITIL process as it’s always the last one picked to play on the Service Operations team. Poor little Problem Management sits and watches while Incident and Change Management get to play. And Configuration Management gets to play too, even though it is a complete mess and isn’t even wearing shoes.”

So true.  Problem Management is a misunderstood process, even more so than Configuration Management.  Without it though, so many issues will go unresolved, or be closed with an inconclusive response.  No lessons will be learned, and the problems won’t just go away.

“And let’s be honest: root cause analysis is boring. Who wants to deal with that all the time? I’d rather just restore service and move on. What’s that you say? Eliminating the root cause could prevent further outages and free IT from dealing with critical incidents? OK then. We need to do Problem Management.”

Check it out and make a resolution to improve your IT and business processes in 2012.  Shoot for the moon, that way, even if you just miss, you still stand a chance to fall among the stars.

Pre-Boot Malware Prediction

The National Institute of Standards and Technology (NIST) has released a draft version of their security guidelines for locking down the Basic Input/Output System (BIOS).  Exploitation of this and other Non-Volatile RAM and EEPROMs is my prediction for 2012.  I’ve seen a couple of malware reports from the lab and a sample that tried to hide its existence by writing to hard-to-reach areas, like the GPU and video RAM, and have been holding my breath hoping that these areas remain free of mainline cruft.  APT anyone?

Imagine a rootkit, but instead of writing its bootstrap code into the Master Boot Record of your hard drive, it flash updates your BIOS.  Who scans their BIOS?  Who wants to?  Soon you may need to scan every single chip and component in your system in order to ensure that these code monkeys haven’t tapped your keyboard.  The BIOS is initialized and loaded well before the Operating System, and any code that was written there would be potentially invisible to A/V products.

The BIOS Integrity Measurement Guidelines aim to help detect changes to system configuration and changes to BIOS code that could be used to let malware execute during the boot-up process.  NIST is welcoming comments on the draft document through January 20, 2012.  This guidance is directed more at developers than end-users.  Like most NIST guidance, it is recommendation, and not mandatory.

Microsoft Out-of-Cycle Patches Released

Uh-oh.  Looks like Microsoft has announced a substantial “out-of-cycle” patch release for today.  There are at least 4 Critical patches, and 10 that are rated as Important.  10 of the patches are for Remote Code Execution, and the remainder are for Elevation of Privilege.  They are all over the map, from IE, to Office, to the Windows Kernel.

That ought to keep any IT New Year’s merriment to a minimum.  Get in there and patch ’em, ASAP.  Take this seriously: it is out-of-cycle, a large patch bundle, and, I personally believe, conservatively rated by the vendor.