Tuesday, April 30, 2013

Apache Attack Invisible to Usual Investigative Methods

A new, widespread attack against the Apache web server appears to have infected a large number of systems. The so-called "CDorked" attack is very difficult to detect because it hides its evidence in shared memory rather than on the file system. The only file-system level evidence is obfuscated within the httpd binary.

Eset has released a Python script to help administrators verify whether the httpd binary has been affected.

The H Security reports that this particular attack can be detected by looking for the string "open_tty" in the Apache program directory, e.g.:
grep -r open_tty /usr/local/apache/

The immutable bit is also set on the compromised binaries, which prevents them from being modified or deleted until the attribute is cleared, for example:
chattr -ai /usr/local/apache/bin/httpd

The only real way to defend against or detect attacks like this is to run file-integrity-checking software that flags changed checksums whenever binaries are altered or replaced.
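To make those three signals concrete, here is a small shell script added as an example for this post (it is not ESET's script and not from the H Security article). It looks for the marker string, checks the immutable attribute where lsattr is available, and compares a SHA-256 checksum against a baseline recorded from a known-good binary. The baseline format and the two stand-in files it runs against are assumptions made for the demonstration, not real Apache binaries.

```shell
#!/bin/sh
# Added example (not ESET's script, not from the post): combine three
# indicators into one check for an httpd binary.
#   1. the "open_tty" marker string,
#   2. the immutable attribute (Linux lsattr; skipped where unavailable),
#   3. a SHA-256 checksum compared against a baseline taken at install time.
# The baseline format ("<sha256>  <path>" per line, as sha256sum writes it)
# and the sample files below are assumptions for this demonstration.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS/BSD fallback
    fi
}

# 0 if the marker string appears anywhere in the file (-a: search binaries too)
has_marker() {
    grep -q -a 'open_tty' "$1"
}

# 0 if the immutable attribute is set; 1 if not set or lsattr is unavailable
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}

# 0 if the file's checksum matches its baseline entry; 1 if it differs;
# 2 if the baseline has no entry for this path (paths without spaces assumed)
matches_baseline() {
    expected=$(awk -v f="$1" '$2 == f {print $1}' "$2")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Prints findings; returns 0 when clean, 1 when any indicator fires
check_httpd() {
    file=$1; baseline=$2; rc=0
    if has_marker "$file"; then
        echo "SUSPICIOUS: 'open_tty' string found in $file"; rc=1
    fi
    if is_immutable "$file"; then
        echo "SUSPICIOUS: immutable attribute set on $file (clear with chattr -ai)"; rc=1
    fi
    if ! matches_baseline "$file" "$baseline"; then
        echo "SUSPICIOUS: checksum of $file does not match the baseline"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file matches its baseline and shows no indicators"
    fi
    return "$rc"
}

# --- constructed demo data: two stand-in files, not real Apache binaries ---
demo_dir=$(mktemp -d)
printf 'stand-in for a clean httpd binary\n' > "$demo_dir/httpd_clean"
# The tampered stand-in carries the marker string and therefore also a
# different checksum, which is what a replaced binary looks like to the check.
printf 'stand-in for a trojanised httpd: ... open_tty ...\n' > "$demo_dir/httpd_tampered"

# Baseline recorded from the clean file; the tampered path is recorded with
# the clean hash, simulating a binary replaced after the baseline was taken.
clean_hash=$(sha256_of "$demo_dir/httpd_clean")
{
    printf '%s  %s\n' "$clean_hash" "$demo_dir/httpd_clean"
    printf '%s  %s\n' "$clean_hash" "$demo_dir/httpd_tampered"
} > "$demo_dir/baseline.sha256"

for f in "$demo_dir/httpd_clean" "$demo_dir/httpd_tampered"; do
    check_httpd "$f" "$demo_dir/baseline.sha256" || true
done
```

On a real host you would call check_httpd with the actual binary path (such as /usr/local/apache/bin/httpd) and a baseline file recorded from a known-good install; a baseline taken after the compromise proves nothing, which is why integrity checking has to be in place before an incident.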

Sunday, April 28, 2013

Phishing Attack Responsible for Market-Impacting @AP Hack

There was a lot of coverage earlier this week about the bogus tweet from @AP claiming that the White House had been bombed and President Obama injured. What I had not realized was that the account appears to have been hacked because of a phishing attack. ars technica reports:
The bogus tweet was sent from one of at least two compromised Twitter accounts belonging to the Associated Press. Mike Baker, a reporter with the 167-year-old news organization, said the AP's mobile Twitter account was compromised as well. "The @AP hack came less than an hour after some of us received an impressively disguised phishing email," he wrote in a separate Twitter dispatch. In recent days security personnel with the news cooperative discovered malware had infected some of its computers, officials told the New York Times.

Obviously, even sophisticated users need to be more careful about reacting to phishing emails. In general, never click on anything you are sent in an email. Instead, log into the site in question by typing in the address yourself.

Twitter committed to accelerating its program to roll out two-factor authentication, especially for use by people who tweet from mobile devices such as cell phones.

Tuesday, April 23, 2013

19% of Attacks are State-Sponsored

A recent report by Verizon shows that the frequency of state-sponsored attacks is increasing. Currently, 19% of attacks appear to have been state-sponsored. The profile of these attacks is usually different from that of attacks aimed at identity theft or other forms of fraud.

Of the foreign attacks, the largest group of them appear to have come from China.

Verizon also reports that most attacks would be adequately defended against by applying the 20 controls recommended by SANS.

UPDATE: US-CERT has released 31 guidelines to protect against a broad range of attacks.

UPDATE: The Pentagon has directly accused the Chinese government of cyber-spying. The Chinese response:

Although it is common sense that you cannot determine sources of cyber attacks only through IP addresses, some people in the Pentagon still prefer believing they are from China as they always bear a sense of rivalry. It is an allegation based on presupposition.

Sunday, April 21, 2013

Vulnerabilities in SOHO Wireless Routers

A recent ISE study reveals that the most widely deployed SOHO wireless routers have serious security vulnerabilities.

You should definitely upgrade the firmware on your router and follow secure configuration guidelines. ISE recommended the following steps:

  • Make sure your firmware is up to date on a regular basis.
  • Make sure remote administration is turned off. (i.e., don't allow the router to be managed over wireless connections.)
  • Disable all unused network services.
  • Restart your wireless router after performing administrative tasks.
  • Log out from the session and clear cookies from your browser after performing administrative tasks.
  • Select a non-standard LAN IP address range to protect against generic or automated attacks.
  • Verify that HTTPS is enabled for administrative functions.
  • Use AES encryption. WEP and TKIP have known vulnerabilities.
  • Use firmware only from the manufacturer's web site.
  • Use a secure administrator password including uppercase/lowercase/numeric/special characters, at least 12 characters in length.
  • If possible, restrict access to the wireless router from the firewall or main router.
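As an added example (not from ISE, and not any router vendor's code), here is a small shell audit that applies several of those bullets to a router configuration dump. The key=value dump format, the key names, the two sample configurations and the short list of "default" LAN ranges are all assumptions made up for the demonstration; a real router exports something different, so the cfg reader is the part you would adapt.

```shell
#!/bin/sh
# Added example (not from ISE or a router vendor): audit a router
# configuration dump against several of the recommendations above.
# The key=value format, the key names, the sample configs and the list of
# "default" LAN ranges are assumptions for this demonstration.

# Print the value of KEY from FILE (empty if absent); values may contain '='
cfg() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# 0 if PASSWORD is at least 12 characters and mixes upper, lower, digit, special
password_is_strong() {
    p=$1
    [ "${#p}" -ge 12 ] || return 1
    printf '%s' "$p" | grep -q '[A-Z]' || return 1
    printf '%s' "$p" | grep -q '[a-z]' || return 1
    printf '%s' "$p" | grep -q '[0-9]' || return 1
    printf '%s' "$p" | grep -q '[^A-Za-z0-9]'
}

# Prints one FINDING line per failed check; returns the number of findings
audit_router_config() {
    f=$1; n=0
    [ "$(cfg "$f" remote_admin)" = "off" ] \
        || { echo "FINDING: remote administration is enabled"; n=$((n + 1)); }
    [ "$(cfg "$f" admin_https)" = "on" ] \
        || { echo "FINDING: admin interface is not served over HTTPS"; n=$((n + 1)); }
    case "$(cfg "$f" wifi_encryption)" in
        AES) ;;
        *) echo "FINDING: wireless encryption is not AES (WEP/TKIP are broken)"; n=$((n + 1)) ;;
    esac
    case "$(cfg "$f" lan_subnet)" in
        192.168.0.*|192.168.1.*)   # commonly shipped defaults (assumed list)
            echo "FINDING: LAN uses a default address range"; n=$((n + 1)) ;;
    esac
    [ -z "$(cfg "$f" unused_services)" ] \
        || { echo "FINDING: unused services still enabled: $(cfg "$f" unused_services)"; n=$((n + 1)); }
    password_is_strong "$(cfg "$f" admin_password)" \
        || { echo "FINDING: admin password fails the 12+ character, four-class policy"; n=$((n + 1)); }
    return "$n"
}

# --- constructed sample configurations (made up for the demo) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.cfg" <<'EOF'
remote_admin=on
admin_https=off
wifi_encryption=TKIP
lan_subnet=192.168.1.0/24
unused_services=telnet,upnp
admin_password=password
EOF
cat > "$demo_dir/hardened.cfg" <<'EOF'
remote_admin=off
admin_https=on
wifi_encryption=AES
lan_subnet=10.27.144.0/24
unused_services=
admin_password=Gr8!Router-Admin-2013
EOF

for c in weak hardened; do
    echo "== $c.cfg =="
    if audit_router_config "$demo_dir/$c.cfg"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
```

The weak configuration trips every check; the hardened one passes. The checks deliberately return a count rather than just pass/fail so the same function can feed a monitoring job that alerts when the count rises after a firmware update or a "helpful" reconfiguration.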

Sunday, April 14, 2013

South Korea Hack Attacks Confirmed to be from North Korea

South Korea reports what we all suspected all along: the recent attacks launched against its financial services infrastructure came from North Korea.

Evidently, the hacker accidentally exposed his or her IP address during one of the attacks, allowing authorities to trace the attacks to their source.

Saturday, April 13, 2013

Hacking Airplanes with your Cell Phone: How Not to Think About Security

Hugo Teso recently reported on some pretty serious flaws in the security for airplane flight systems and pilot displays. He reports that using an Android device and some custom-written code, he was able to provoke actions by the flight systems and feed the pilot incorrect information. The Register has a pretty good summary of what Teso discussed.

In an interview with Forbes, Teso reported:

“You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things.”

Fortunately, The Register tells us:

Federal Aviation Administration and the European Aviation Safety Administration have both been informed and are working on fixing the issue.

That would seem to be an appropriate response to a flaw like that. You would really hate to think about al Qaeda sending a bunch of wackos with cell phones onto flights. And I don't think the FAA would seriously be able to take away people's cell phones on flights. Dealing with Alec Baldwin alone would stretch the resources of most Federal agencies.

Fortunately, the FAA has taken swift action to alleviate any concerns the flying public might have about some new-found sense of competency in that agency. The FAA reports that there is no real problem because the hack did not work when they tested it against a "flight certified" configuration.

The idea of "defense in depth" appears to have soared right past these people. If there is a problem in a component of an overall system, FIX IT.

Here's hoping that the FAA manages to stumble across a clue in between meetings about whether or not to allow people to bring fully-functioning bananas on planes.

Update

The app that Teso used is only effective against simulators. That does not mean that there is not an issue that needs to be resolved. The H Security reports that:
Teso says that the ACARS communication with a plane can be implemented locally via a software-defined radio system or globally via one of the two major ACARS providers, ARINC and SITA. The researcher added that a vulnerability would need to be found with the providers.

The manufacturer, Honeywell, is investigating to see to what extent the vulnerabilities in the PC product used in simulators are also applicable to hardware-based implementations used on planes.

Other media outlets, like Computerworld, are reporting on the differences between the PC simulator hardware and the hardware-based implementations. My opinion remains the same as it was earlier: problems need to be fixed. Working exploits depend on chaining problems together; a good security posture depends on removing as many links from the chain as possible.

Tuesday, April 9, 2013

Honeypots Reveal Targeted SCADA Attacks

I recently came across an interesting article in SecurityWeek. Researchers set up honeypots to see what types of attacks were being launched against SCADA installations.

It will come as no surprise that the largest proportion of attacks came from China (35%). The next largest set came from the US (19%), followed by Laos (12%).

Several attack vectors were detected, from attempting to access secure areas on the site to attacks on SCADA-specific protocols.

SCADA attacks are particularly dangerous because the impact can be outsized, due to the nature of equipment and environments that are managed by SCADA gear.

One possible attack vector for systems not connected to the public network is to target individuals who work with the equipment. This is the attack vector anticipated for vulnerabilities like the one found in Mitsubishi's MX ActiveX control recently.

Saturday, April 6, 2013

Recent Attacks Appear Linked to Iran

The New York Times reports that recent attacks against US financial institutions may have been state-sponsored attacks from groups linked to Iran.

The current round of attacks is different from most previous attacks in that it is aimed not at denial of service or fraud, but at causing permanent damage to the systems under attack.

Financial services companies have paid lip service to computer security for a long time, while avoiding the costs associated with any best practices they could rationalize away. It will be interesting to see if the recent attacks will wake up the financial services companies to take information security seriously.