My experience in my daily work... helping others ease each other

Wednesday, January 16, 2013

Buffer overflows at the top of the list again (in 2012) for SCADA systems

New attacks against SCADA, old vulnerabilities, very old issues
by paganinip on January 16th, 2013


Stuxnet first, and then news of countless zero-day vulnerabilities in the wild, have strengthened the idea that citizens' security is constantly menaced by groups of hackers that, for different purposes, are able to inflict serious damage on the structures that surround us.

Critical infrastructures represent privileged targets for very different actors, such as cyber terrorists or foreign state-sponsored hackers. A heated debate is underway in the worldwide security community, which is concerned about the cyber threats that need to be mitigated in dire economic conditions and with limited budgets.

The security portal ThreatPost recently published news of new malware-based cyber attacks that hit two power plants, using USB drives as the method of infection.

The events raised the need to adopt, at corporate level, best practices for every security aspect, including removable storage, a critical issue for the security of control systems inside critical infrastructures.

According to a report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), three instances of malware were discovered fortuitously after a scan of a USB drive used to back up control system configurations. One of the instances detected is considered very sophisticated, increasing the level of alert on the event.

Further analysis revealed other absurd security flaws; for example, there was no backup management for critical workstations inside the plant.

“The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of ‘hot spares’ or other effective backups for all critical systems.”

The main problem is that the majority of control systems are privately owned, and the lack of investment in security favours the work of hackers. Elementary security measures could sensibly improve the security level of infrastructures; think of the establishment of proper defensive measures and the correct configuration of any devices exposed on the Internet.

The report states:

“While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations.”

Similar incidents are not rare: in October, ICS-CERT reported the infection of 10 computers linked to another power company’s turbine, again via a USB drive... and the list is long.

Summarizing the vulnerability analysis proposed by ICS-CERT:

“in fiscal year 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products. ICS-CERT coordinated the vulnerabilities with 55 different vendors. The total number of different vulnerabilities increased from FY 2011 to FY 2012, but buffer overflows still remained as the most common vulnerability type”

Besides the security aspect, as I mentioned before, it’s necessary to evaluate the financial perspective of the cyber security market in the defense sector.

The cyber strategy of any state puts the security of critical infrastructures at the topmost priority, in particular for the global oil and gas industry, also in response to a recent series of attacks. An analysis from Frost & Sullivan revealed that the market earned revenues of $18.31 billion in 2011 and estimates this to reach $31.27 billion in 2021. The investments are driven by the growth of the sector and the related need for physical and cyber security.

Anshul Sharma, Senior Research Analyst at Frost & Sullivan Aerospace, Defence & Security, declared:

“Global oil and gas companies are investing capital in new infrastructure projects, driving the need for security solutions at these facilities,” “With increasing awareness of threats, companies are adopting a security-risk management approach and implementing risk assessment of their facilities to ensure security Return on Investment (ROI).” “The threats may vary from information theft to a terrorist attack, but the economic impact and financial damage in case of an attack will be much more significant,” “It would also depend on the motive of the attacker. For example, a cyber attack to remotely control a SCADA system can have more serious consequences than a cyber attack to steal information.”

It’s clear that new opportunities for cyber security experts will be created in the coming years; probably something is changing in the minds of the top managers driving the companies of the sector, for whom it is a profitable business.

Pierluigi Paganini

taken directly from Security Affairs website on January 17, 2013

Can't stop copying this information since I'm doing research in this area related to buffer overflows... Hope Mr. Paganini forgives me for copying the complete page...

Fly high with an API by Code Academy

Codecademy

Fly high with an API!

Application Programming Interface: A fancy way of saying "do more."

Need a map for your site? Don't code your own — use an API!

APIs let you talk to other web apps like Google Maps and Twitter so that you don't have to build from scratch.

Simply use an API to borrow another app's functionality. Easy!
Learn how to create a web app that can:

- Send text messages with Twilio
- Pull videos from YouTube
- Search for songs on SoundCloud
- Get the latest stories from NPR

The possibilities are as wide as the sky.

Start Learning APIs

P.S. Only have a second? Vote for us for a Crunchie Award! You can vote once per day until 1/31, and we appreciate every one.

Thursday, January 10, 2013

Java 7: 0-day Actively Exploited In The Wild

Received an email from BeyondTrust about this exploit... the content is as below

January 10, 2013 
There is a 0day vulnerability (identified flaw, with no patch available) being actively exploited across the Internet in Java. This 0day has already been incorporated into Cool Exploit Kit and Blackhole, in addition to Nuclear Pack and Redkit. Proof of concept code is already publicly available and we expect to see fully functioning exploit code incorporated into even more exploit frameworks within the next few days.

What does this mean to you?
  • This vulnerability affects Java 7 versions up to and including the current version of Java, 7u10
  • Even if you're only running Java 6, users will be forced to automatically upgrade to version 7 in February of this year. This means further exposure to this vulnerability.
What you can do now to avoid being exploited
  • Disable Java entirely
  • If you don't need Java, remove it from the system entirely
  • Lower and manage desktop privileges with solutions like PowerBroker for Windows
  • Scan and detect this vulnerability with Retina Network
As always, we want our customers and users to be prepared for these types of exploits. We've posted a comprehensive writeup about this 0day and how to mitigate your risk.


Learn More About the Java 7 0day

Regards,
BeyondTrust Research Team

Looking at the link, I was a bit worried since it did not point to the BeyondTrust website. Googled around and found many more discussions about this... (search on Java 7 0day exploit via Google)...

Some of the sites that talk about it:

  1. http://thenextweb.com/insider/2013/01/10/new-java-vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-only-option/
  2. http://www.theregister.co.uk/2013/01/10/java_0day/
  3. http://www.networkworld.com/news/2013/011013-java-zero-day-vulnerability-actively-exploited-265723.html
  4. http://www.nsaneforums.com/topic/154515-critical-java-0-day-being-massively-exploited-in-the-wild/
  5. http://blog.beyondtrust.com/java-0day-exploit-oracle-urges-people-to-run-into-burning-building


However, till today (09 January 2013), I've yet to see this appear on OSVDB, OWASP, or any other vulnerability database or advisory sites such as Microsoft, Symantec, Kaspersky, IBM, and Homeland Security... I wonder why? Might be because I missed it or searched wrongly, or somehow it is yet to be available on these sites.

Monday, January 7, 2013

10 Steps to Smartphone Security for Android

With more and more Malaysians adopting smartphones, we at CI feel obliged to share some tips on smartphone security with users. We thought we should start with the fastest-growing smartphone OS out there, i.e. Android. Please feel free to email us your thoughts.

Smartphones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your smartphone just like you protect your computer as mobile cyber-security threats are growing. Mobile security tips can help you reduce the risk of exposure to mobile security threats.

  • Set PINs and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your phone’s home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of your important log-ins (email, banking, personal sites, etc.). You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability available on most smartphones.
  • Do not modify your smartphone’s security settings. Do not alter security settings for convenience. Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack.
  • Back up and secure your data. You should back up all of the data stored on your phone – such as your contacts, documents, and photos. These files can be stored on your computer, on a removable storage card, or in the cloud. This will allow you to conveniently restore the information to your phone should it be lost, stolen, or otherwise erased.
  • Only install apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such things as: checking reviews, confirming the legitimacy of the app store, and comparing the app sponsor’s official website with the app store link to confirm consistency. Many apps from untrusted sources contain malware that, once installed, can steal information, install viruses, and cause harm to your phone’s contents. There are also apps that warn you if any security risks exist on your phone.
  • Understand app permissions before accepting them. You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone. Make sure to also check the privacy settings for each app before installing.
  • Install security apps that enable remote location and wiping. An important security feature widely available on smartphones, either by default or as an app, is the ability to remotely locate and erase all of the data stored on your phone, even if the phone’s GPS is off. In the case that you misplace your phone, some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost.
  • Accept updates and patches to your smartphone’s software. You should keep your phone’s operating system software up-to-date by enabling automatic updates or accepting updates when prompted from your service provider, operating system provider, device manufacturer, or application provider. By keeping your operating system current, you reduce the risk of exposure to cyber threats.
  • Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your phone can be an easy target of cyber criminals. You should limit your use of public hotspots and instead use protected Wi-Fi from a network operator you trust or mobile wireless connection to reduce your risk of exposure, especially when accessing personal or sensitive information. Always be aware when clicking web links and be particularly cautious if you are asked to enter account or log-in information.
  • Wipe data on your old phone before you donate, resell or recycle it. Your smartphone contains personal data you want to keep private when you dispose of your old phone. To protect your privacy, completely erase the data off your phone and reset the phone to its initial factory settings. Having wiped your old device, you are free to donate, resell, recycle or otherwise properly dispose of your phone.
  • Report a stolen smartphone. The major wireless service providers, in coordination with the FCC, have established a stolen phone database. If your phone is stolen, you should report the theft to your local law enforcement authorities and then register the stolen phone with your wireless provider. This will provide notice to all the major wireless service providers that the phone has been stolen and will allow for remote “bricking” of the phone so that it cannot be activated on any wireless network without your permission.
Note: The above tips were adapted from the Federal Communications Commission of the US website.

Information on how to implement these tips on your Android device can be found at support.google.com/googleplay.

CI Infosec News & Tips for You
Bringing you the latest happenings in information security and some essential tips to protect yourself and your information.

About Me

Somewhere, Selangor, Malaysia
An IT by profession, a beginner in photography
