Criminals are moving away from attacking the infrastructure layer and towards finding ways into systems through bugs in the applications that sit on top of it. In light of this change in tactics, if you are responsible for developing applications it is very important that you ensure your code does not contain any of these errors. If you are not responsible for developing applications, make sure this list gets to those who are and that they pay heed to it.
The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin. The researchers demonstrated how they were able to generate a rogue Certificate Authority certificate, allowing them to impersonate any secure website that uses SSL certificates.
The research is very interesting and the full paper is available here. What I particularly liked is that they used a cluster of 200 PlayStation 3 game consoles to compute the MD5 collision the attack depends on.
However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations. Firstly, the attack is against the MD5 signature algorithm, which has had known weaknesses since 2004; certificates signed with SHA-1 or stronger are not affected. Secondly, the attack relied on the targeted CA issuing certificates with sequential serial numbers, which allowed the researchers to predict the serial number (and validity period) that would appear in the certificate before the CA signed it. Finally, the researchers have kept the details of their method to themselves to give vendors time to address the issue.
I was interviewed about this vulnerability on this evening's Last Word show on Today FM by Matt Cooper. A podcast of the show is available here; my piece starts about 5 minutes in from the beginning.
I found it interesting to see that today a security vulnerability gets press attention, whereas a few years ago it would have been computer viruses. Have we moved on to realising that the threat landscape is changing?
Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October, due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing the rise in the number of attacks.
Once a PC is infected, Worm:Win32/Conficker.A patches the vulnerability in memory to prevent the PC from being exploited by another worm or attacker, and also resets the system restore points to make it more difficult to recover the infected PC. Note that this in-memory fix does not survive a reboot and does not mean the machine is patched; the MS08-067 update still has to be applied.
Microsoft tonight released a critical patch, MS08-067, outside their normal monthly patch cycle. For Microsoft to release a patch out of cycle indicates that this is a serious issue that we must pay attention to.
I am obviously not the only one who thinks so, as the Internet Storm Center's Infocon has turned yellow, which means they are "currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak."
The vulnerability could allow an unauthenticated attacker to remotely run arbitrary code by sending a specially crafted RPC request to the Server service on Microsoft Windows 2000, Windows XP and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated across the Internet in 2003 through another RPC flaw (MS03-026), and this vulnerability could be used in the same way. Microsoft have reported that they have seen live, targeted attacks on some customer systems using this vulnerability.
It is recommended that you patch your systems ASAP. However patches, whether from Microsoft or other vendors, bring with them inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the one identified? Will it affect other applications and systems? If we patch we may have problems; if we don't we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend the following steps to mitigate the problem:
A concise and factual presentation should be made to senior management with the options for addressing the issue laid out clearly, together with the potential downside of each option.
Whatever option is decided upon needs to be agreed to and signed off by senior management.
An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action, or (b) respond in the event that your systems are compromised in spite of the steps taken.
Remember, as part of the plan, to ensure that all your backups have been running successfully and, more importantly, that you can restore from them.
Have key contact details for all relevant personnel to hand in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
Communicate clearly with the user population, explaining why the patch is being deployed and asking them to report any unusual behaviour.
Ensure that all anti-virus software and signatures are up to date.
Ensure that all Intrusion Detection/Prevention System signatures are up to date.
Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
Make sure your perimeter firewall is configured properly, in particular that the RPC/SMB ports used by this vulnerability (TCP 139 and 445) are blocked from untrusted networks, and that where possible personal firewalls are installed on desktops and, more importantly, on servers.
I strongly advise, as with all patches, that you test and satisfy yourself that the patch does not negatively impact your environment before you deploy it. It may also be worth staying on high alert even after deploying the patch, as:
Other new vulnerabilities could still be found in this feature of Windows.
Not everyone will patch their systems in a timely fashion, as we have seen time and time again, and their compromise may impact your organisation.
Details of the much-talked-about clickjacking exploit are now available on Jeremiah Grossman's blog, RSnake's blog and Adobe's website. Jeremiah and RSnake were meant to demonstrate clickjacking at a recent conference but decided not to, in order to give the vendors time to address the problem. Given that this exploit can be used to remotely switch on a victim's webcam and/or microphone (by tricking the user into clicking through the Flash Player privacy settings without realising it), the implications for stalking, industrial espionage or indeed national security show that the guys were right to wait.
Jeremiah and RSnake should be commended on how they handled this issue, and credit should also go to the Adobe PSIRT for their response to the problem.
Since my post on this issue yesterday, and Andy Whelan's post to the ISSA Ireland newslist, a number of people have come back to me offline with regard to the current status within the Irish Internet space. It seems that a number of ISPs, 16 apparently, have not yet patched their DNS servers. But the biggest challenge appears to be organisations ensuring that their own DNS servers are patched.
Here is an excerpt from an email I received that highlights the challenges:
"We're patched and we have been notifying our clients who have unpatched DNS servers. There is also a worldwide effort by not-for-profit security organisations to alert ISP abuse desks, although whether they act, or the sysadmins act on the email, is anyone's guess.
There are 35 ISPs in INEX (https://www.inex.ie/about/memberlist); a quick look through a 'special list - as of 21/07/2008' shows there were 16 ISPs with vulnerable DNS servers in their range.
The Irish ISPs have patched their main DNS servers, but the problem seems to be their clients who run their own DNS servers, have servers in hosting centres, or have rogue departmental servers hidden away that the IT security teams don't know about."
More details are emerging of the nature of this problem (hat tip to Security4all) and active exploit tools are now in use. So, in short:
The criminals have a major opportunity to steal more money.
They have automated tools to achieve that goal.
They will find vulnerable DNS servers.
They will exploit those servers.
If you have a vulnerable DNS server, they will exploit it.
So to those 16 ISPs: patch your systems ASAP. If your normal maintenance window is still a number of weeks away, then use an emergency window instead. Talk to your upstream ISPs and ensure they also patch their servers.
To those of you who manage or look after your own DNS servers: you need to get the finger out and patch them.
Various vendors have banded together to fix a critical DNS cache poisoning vulnerability. The vulnerability was discovered by Dan Kaminsky six months ago and could enable criminals to conduct phishing scams by poisoning a resolver's cache so that the records for legitimate sites point to their phishing sites. Before the fix, an off-path attacker forging replies to a resolver only had to guess the 16-bit DNS transaction ID, because most resolvers sent every query from the same UDP source port; the coordinated patches randomise that source port as well, pushing the guess space up to roughly 32 bits. The Register has a good article on it and SiliconRepublic.com also covers it. Details of the problem are available from US-CERT and the Internet Storm Center.
Dan Kaminsky's own blog goes into more detail on the issue and has an online checker so you can see if your DNS server is affected.
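As an added example (not from the original post, and not Kaminsky's checker), the Python script below does offline what the online checker does against a live resolver: given (UDP source port, transaction ID) pairs recorded from a resolver's outgoing queries, it classifies the ports and TXIDs as fixed, sequential or random and estimates how many bits an off-path attacker would have to guess per forged reply. The three sample query lists and the standard-deviation threshold are constructed assumptions for illustration.

```python
import math
import statistics
from dataclasses import dataclass
from typing import List, Tuple

# A DNS transaction ID is 16 bits, so a resolver that sends every query from
# the same UDP source port leaves an off-path attacker only 65536 values to
# guess per spoofed reply.
TXID_SPACE = 1 << 16

# Assumed threshold (not from the page): source ports whose population standard
# deviation is below this are treated as too predictable to add real protection.
MIN_PORT_STDDEV = 3000.0

# Constructed samples, not real captures: (UDP source port, TXID) pairs of a
# resolver's outgoing queries as they would be read from a packet capture.
FIXED_PORT = [(53, 0x4E21), (53, 0x9A03), (53, 0x17F4), (53, 0xC2B8), (53, 0x66D1)]
SEQUENTIAL = [(32768, 0x0001), (32769, 0x0002), (32770, 0x0003),
              (32771, 0x0004), (32772, 0x0005)]
RANDOMISED = [(52314, 0x3F1A), (1733, 0xA9C0), (61002, 0x08E7),
              (24790, 0xD512), (40167, 0x7B3C), (9581, 0xE04F)]


@dataclass
class Assessment:
    port_pattern: str    # "fixed", "sequential" or "random"
    txid_pattern: str    # same classification for the transaction IDs
    port_stddev: float   # spread of the observed source ports
    guess_bits: float    # bits an off-path attacker must guess per forged reply
    verdict: str         # "POOR" (poisonable in minutes) or "GOOD"


def _classify(values: List[int]) -> str:
    """Fixed if every value repeats, sequential if each step is +1, else random."""
    if len(set(values)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(values, values[1:])}
    if steps == {1}:
        return "sequential"
    return "random"


def assess(queries: List[Tuple[int, int]]) -> Assessment:
    """Judge how hard a Kaminsky-style off-path poisoning attack would be
    against the resolver that sent these queries."""
    if len(queries) < 2:
        raise ValueError("need at least two queries to judge randomisation")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_pattern = _classify(ports)
    txid_pattern = _classify(txids)
    port_stddev = statistics.pstdev(ports)

    # A fixed or incrementing value is known to the attacker in advance, so it
    # contributes no guessing work; only genuinely random fields count.
    port_bits = math.log2(max(ports) - min(ports) + 1) if port_pattern == "random" else 0.0
    txid_bits = math.log2(TXID_SPACE) if txid_pattern == "random" else 0.0

    randomised = port_pattern == "random" and txid_pattern == "random"
    verdict = "GOOD" if randomised and port_stddev >= MIN_PORT_STDDEV else "POOR"
    return Assessment(port_pattern, txid_pattern, port_stddev, port_bits + txid_bits, verdict)


def report(name: str, queries: List[Tuple[int, int]]) -> str:
    """One-line summary suitable for a quick audit of several resolvers."""
    a = assess(queries)
    return (f"{name:<11} ports={a.port_pattern:<10} txids={a.txid_pattern:<10} "
            f"stddev={a.port_stddev:8.1f} guess_bits={a.guess_bits:5.2f} -> {a.verdict}")


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                          ("randomised", RANDOMISED)):
        print(report(label, sample))
```

The fixed-port sample shows the pre-patch situation: the TXIDs look random, but with the port known only 16 bits remain, and Kaminsky's trick of asking the resolver for many random sub-names of the target domain lets the attacker retry without waiting for a cached record to expire. One caveat when using the online checker from inside a corporate network: a NAT device or firewall in front of the resolver can rewrite outgoing source ports into a small or sequential range, undoing the randomisation the patch added, so check the ports as they appear on the outside of the perimeter, not just on the resolver itself.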
Finally, it is interesting to note that in other countries the response to this has been coordinated by their respective CERTs to ensure ISPs and others are aware of the issue and are addressing it. It will be interesting to see whether the Irish Internet space can respond appropriately without a CERT of our own.
Mozilla released the latest version of Firefox (Firefox 3) on June 17th amidst much fanfare and hype. The major buzz about this release was Mozilla's attempt to set a Guinness World Record for the most downloads of a single program in a 24-hour period.
Well, the launch has not gone so well for Firefox. Firstly, due to the number of people attempting to download the latest version (over 8 million), the site's availability has been patchy at best. But worse was to follow: within five hours of its release a security vulnerability affecting the latest version, and previous versions, was discovered. TippingPoint have verified that the vulnerability is real through their Zero Day Initiative. The SANS Internet Storm Center and the Security4all blog provide more coverage of the issue.
For the browser that promotes itself as being more secure than Internet Explorer, this is not the best of starts.
Attackers are apparently injecting redirects into legitimate sites to send users to hostile sites hosting malicious Flash files that carry the exploit. If these redirects were to appear on a high-traffic website, the potential impact of this problem would be quite high.
If you are concerned about this attack vector, explain the risks to your senior management and see if they want to block the download of Flash (.swf) files at your perimeter using your firewall or web proxy. If you do, filter on the Content-Type (application/x-shockwave-flash) as well as the file extension, since a hostile site can serve the file under any name it likes. You should also ensure that all your systems have the latest anti-virus signatures, and keep a close eye on Adobe to see if and when they release a patch.