Tuesday, March 03, 2015
Addressing last week's Securi-Tay conference hosted by the Abertay Ethical Hacking Society in Scotland, Stephen Tomkinson from the NCC Group detailed how Blu-ray players can do more than play videos; they can open up a new attack surface for the hacker. Tomkinson demonstrated a new tool that had been released in order to enable the investigation of embedded network devices, and used the network exposed features on a common Blu-ray player as an example. He showed how an innocent looking Blu-ray disc can actually circumvent sandboxes and present the hacker with control of the underlying systems. Of course, that innocent looking Blu-ray disc was anything but; it was highly malicious. The disc itself, by combining a number of vulnerabilities discovered in Blu-ray players, was able to both detect the player it was inserted in and then launch a platform specific malicious executable. It also played a movie, since to do otherwise would be a tad suspicious. The full technical background is published here but, essentially, the rich features of Blu-ray interactivity are built using a Java variant called BD-J, which allows both user interfaces and embedded applications to be structured as Xlets, which can be thought of as akin to web Applets. Tomkinson and his team managed to circumvent the JVM SecurityManager controls and gain access to the underlying OS.
Saturday, February 28, 2015
The cloud is, perhaps, the epitome of de-perimeterisation. If you take the definition of this being the removal of boundaries between the enterprise and the outside world it's pretty much bang on the money. It's easy to assume, therefore, that de-perimeterisation in the information security sense is the answer to your cloud security concerns. It isn't, at least not the complete answer. For the more rounded solution you need to throw re-perimeterisation into the mix and let the two bang heads. I appreciate that this sounds more than a little contradictory, but when you think about it there is plenty of method in the apparent anarchic madness.
Convincing senior management that the cloud brings functional and financial benefit to the business is not a hard sell. The same, sadly, cannot be said when it comes to the security argument. With so many media headlines painting the cloud as an insecure place for your data to reside, most often erroneously courtesy of a misunderstanding of the nature of the breaches involved, it's perhaps not surprising that something of a culture of cloud mistrust has crept into the boardroom. Most of the biggest data breaches which resulted in the loudest media reporting were enterprise system breaches and did not involve the cloud, yet there are fewer headlines proclaiming how insecure your network is than there are dismantling cloud trust. Unfortunately, the consequences of this are twofold: organisations may miss out on the benefits of cloud migration and, ironically, data could be less secure outside the cloud rather than in. Convincing your CEO that the cloud is a secure place to do business is key, but how do you buck the cultural trend and do that?
Research recently published by Netskope suggests that 15 per cent of business users have suffered a compromise of sensitive data in the cloud, with half of those asked apparently ignoring such simple security basics as not reusing passwords across services and applications. I've already addressed one of the specific concerns that was flagged by the research, that 88 per cent of cloud applications being used in organisations are not enterprise ready. However, I am actually less concerned by the specifics than I am by the generalisations. I mean, seriously, have we really come this far down the road to commercial cloud commoditization and yet the security basics are still unknown to a considerable minority? Part of the problem, I suspect, is that of longtailing the security problem; by which I mean that the more established consumers of cloud services have got it as far as security goes, but the further down the recent adoption curve you slide, the more diluted the security message becomes. It's almost as if the newest entrants to the market simply assume that those who have gone before them have sorted security out.
Speaking at CES, the chair of the US Federal Trade Commission warned that the Internet of Things posed a serious risk to the privacy of consumers. The speech by Edith Ramirez may have been talking about connected devices and consumers, but the same issues apply to the corporate 'Cloud of Everything.' She spoke of the dangers of ubiquitous data collection, unexpected uses of that data and heightened security risks with devices opening up new routes to attack. There was an implication that low-cost devices with high volume distribution generally equates to less attention paid to matters of security. Security by design is not high on the list of priorities when you are participating in a race to the bottom as far as cost is concerned. Ramirez was urging manufacturers to change this, and to ensure that data encryption and lifecycle product monitoring were firmly on the design agenda. If you think about the potential security risks of the consumer Internet of Things, they can be summed up neatly as 'more devices equal more intrusion entry points.' This is an exact match to what is happening in organisations in terms of cloud services.
Friday, February 27, 2015
Akamai is reporting that the reflection attack method has been used in conjunction with Joomla servers running a vulnerable Google Maps plugin. Akamai warns that, after a whole bunch of vulnerability disclosures across 2014, the Joomla content management framework is still being actively targeted by those with malicious intent. In conjunction with the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D), PLXsert observed traffic signatures from Joomla distributions with a vulnerable Google Maps plugin being used as a launch platform for DDoS attacks. These traffic signatures were a match for known DDoS for hire outfits, and the attack itself appeared to be using specific tools (DAVOSET and UFONet) to manipulate XML and Open Redirect functions to produce the reflected/amplified response.
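As an added example (not Akamai's or PhishLabs' code), the following Python scans constructed web server access log lines for the pattern described above: an open proxy/redirect endpoint being made to fetch the same external host over and over, which is what a site looks like from the inside when it is being used as a reflector. The endpoint path and the name of its target parameter are assumptions, since the page does not give them.

```python
# Added example, not Akamai's or PhishLabs' code: flag a web server that is
# being used as a reflector through an open proxy/redirect endpoint, by finding
# requests whose outbound target parameter keeps pointing at one external host.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed placeholders: the abused endpoint path and its target parameter name.
# The real plugin path is not given on the page, so adjust these for your site.
PROXY_PATH = "/plugins/content/example_maps/proxy.php"
TARGET_PARAM = "url"
# Combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')

def parse_line(line):
    """Return (client_ip, target_host) for a proxied request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, request, _status, _size = m.groups()
    parts = urlsplit(request)
    if parts.path != PROXY_PATH:
        return None
    targets = parse_qs(parts.query).get(TARGET_PARAM)
    if not targets:
        return None
    return client, urlsplit(targets[0]).hostname

def find_reflection_targets(lines, threshold=3):
    """Return {host: count} for hosts fetched via the proxy at least threshold times."""
    # A map widget fetches a few tiles; a reflector aims many requests at one host.
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1]:
            counts[parsed[1]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample log lines (not real traffic); RFC 5737 addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2015:10:00:01 +0000] "GET /plugins/content/example_maps/proxy.php?url=http%3A%2F%2Fvictim.example%2Fbig.xml HTTP/1.1" 200 512000',
    '203.0.113.6 - - [27/Feb/2015:10:00:01 +0000] "GET /plugins/content/example_maps/proxy.php?url=http%3A%2F%2Fvictim.example%2Fbig.xml HTTP/1.1" 200 512000',
    '203.0.113.7 - - [27/Feb/2015:10:00:02 +0000] "GET /plugins/content/example_maps/proxy.php?url=http%3A%2F%2Fvictim.example%2Fbig.xml HTTP/1.1" 200 512000',
    '203.0.113.8 - - [27/Feb/2015:10:00:02 +0000] "GET /plugins/content/example_maps/proxy.php?url=http%3A%2F%2Fvictim.example%2Fbig.xml HTTP/1.1" 200 512000',
    '198.51.100.9 - - [27/Feb/2015:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [27/Feb/2015:10:00:06 +0000] "GET /plugins/content/example_maps/proxy.php?url=http%3A%2F%2Fmaps.example%2Ftile.kml HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(find_reflection_targets(SAMPLE_LOG))  # {'victim.example': 4}
```

Large response sizes on the flagged requests are the amplification half of the picture; the same counter keyed on client IP shows whether the requests come from one source or are spread across a booter's pool.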
Friday, February 20, 2015
Chinese computer manufacturer Lenovo has admitted that it installed an adware component called Superfish on 16 million PCs shipped between September 2014 and February 2015 in order to "help customers potentially discover interesting products while shopping" according to an official statement made by the company. Although there is some argument to be had as to the validity of the 'helping customers' idea regarding software which injects third party adverts into Google searches and websites without the explicit permission or knowledge of the user, where there is no debate to be had at all is in the bloody great security hole Superfish drives through any Lenovo computer it is installed upon. It is true that Superfish doesn't, as far as I can tell, monitor user behaviour or record user data and instead uses contextual and image-based methods; meaning that users are not tracked as such. However, it is also true that it does some things which have the potential to be very dangerous indeed and that potential looks like it could soon become a very tangible reality.
Monday, February 16, 2015
Cloud-based security is nothing new. In fact, Security-as-a-Service has become both the norm for vendors within the IT security market and an indicator of how far the cloud has evolved when it comes to being a trusted place to do business. If we accept that the cloud has forced a welcome change upon the IT security delivery landscape, so we must equally accept that the bad guys are also taking advantage of new methodologies (including the cloud) to deliver malware. So how does malware go about avoiding detection?
Tuesday, February 10, 2015
The second largest health insurer in the United States, Anthem, has fallen victim to a massive data breach, details of which emerged last week. It is thought that as many as 80 million user records were accessed during the security breach, and the source is said to be an 'acquired' employee password, if the security grapevine is to be believed. If that weren't bad enough, the leaked data - which includes the full names, addresses, dates of birth, medical ID numbers, social security numbers and employment details of the firm's customers - wasn't even encrypted.