Malware everywhere, even on Apples..

Various sources have been reporting on the recent Java hole that enabled malicious individuals to infect upwards of 600,000 Apple Macs that were running the latest, fully patched version of the O/S.

This Java vulnerability was actually known about sometime last year and has been patched on other systems.  Apple in it’s continued, and frankly misguided, belief that it’s systems are safe and don’t need protection like anti-virus software chose not to patch the hole until 100s of thousands of it’s customers had been infected.

The reality is that all consumer computer systems have vulnerabilities and it should be the expected duty of vendors to patch these as quickly as possible to protect their customers and their privacy.

We have all knocked companies like Microsoft for the amount of vulnerabilities and attacks that have occurred against their software, but the reality is that over the last few years Microsoft has made huge progress in producing more secure software, patching in a very timely manner, providing free tools like anti-virus, and working with law enforcement to bring down criminal bot nets.

Apple has avoided many exploits being created as it has historically been such a niche player.  Why create an exploit for a few machines when you can create one for orders of magnitude more?  As Apple has become more successful and there has been an increased uptake of it’s products in office it has become a more interesting and valuable target for criminals to try and exploit any vulnerabilities.

It is time for Apple to pull it’s socks up from a security stand point, and to become both more proactive and transparent in how it deals with issues and helps protect it’s customers.

For us users of any operating system it’s yet another reminder that we should keep our systems patched and run software to protect us from viruses etc.  Oh and not to trust vendors when then tell us their systems are safe and don’t need further protection.

Some detail and commentary on this issue can be found here at the links below;

http://nakedsecurity.sophos.com/2012/04/04/apple-patches-java-hole-that-was-being-used-to-compromise-mac-users/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=a6d16b7680-naked%252Bsecurity

http://news.cnet.com/8301-13579_3-57410476-37/apples-security-code-of-silence-a-big-problem/?part=rss&subj=news&tag=2547-1_3-0-20&tag=nl.e703

K

USAF Predator control systems compromised by malware

Following on from the very high profile targeted attacks such as the Stuxnet worm that was used to target Siemens supervisory control and data acquisition (SCADA) systems such as those used in Iranian nuclear facilities;

http://www.google.co.uk/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=stuxnet

 

 

and the RSA security breach that impacted many businesses earlier this year;

http://blogs.rsa.com/rivner/anatomy-of-an-attack/

It has emerged that some USAF (United States Air Force) computer systems have been infected by malware.

While the reports of this state that is it likely to just be a keylogger and not something that is co-opting control of armed military drones, this should be seen as yet another wake up call – any network attached systems or any systems that allow storage devices (e.g. USB drives) to be connected are vulnerable to attack by malware.  I am sure from reading the previous section you have realised that this means pretty much every computer system..

Details can be found here;

http://nakedsecurity.sophos.com/2011/10/10/malware-compromises-usaf-predator-drone-computer-systems/

One particularly worrying comment from the story is around the fact that they are not sure if the malware has been wiped from the systems properly and that it keeps coming back.  Best practice is always to do a clean rebuild of any infected machines, especially something as critical as this!

In short, if high profile security vendors and supposedly secure military computers can be successfully attacked and gaps exploited this should be a wake up call to anyone who does not yet take the security of their systems and data seriously.

Oh, and if in any doubt – reinstall, don’t keep trying to clean the malware from the system!

K

Exploit vulnerabilities rather than just report on ‘hypothetical’ issues

While doing some general reading recently I came across an article entitled “Why aren’t you using Metasploit to expose Windows vulnerabilities?”.  This reminded me of something I have discussed with people a few times, the benefits of actually proving and demonstrating how vulnerabilities can be exploited rather than just relying on metrics from scanners..

Don’t get me wrong, the use of vulnerability / patch scanners are incredibly useful for providing an overall view of the status of an environment;

– Are patches being deployed consistently across the environment in a timely manner?

– Are rules around password complexity, who is in the administrators group, machines and users are located in the correct places in the LDAP database etc. being obeyed?

– Are software and O/S versions and types in line with the requirements / tech stack?

– etc..

The output from these scanners is also useful and extensively used in providing compliance / regulatory type report data confirming that an environment is ‘correctly’ maintained.

What these scans fall short in two main areas;

1. They do not provide a real picture of the actual risk any of the identified vulnerabilities pose to your organisation in your configuration with your polices and rules applied.

2. Due to point 1 they may either not create enough realisation of the risks for senior management to put enough priority / emphasis on remediating them, or they may cause far too much fear due to the many vulnerabilities identified that may or may not be exploitable.

In order to provide a quantitate demonstration of how easy (or difficult) it is to exploit identified vulnerabilities, and also demonstrate to management how these reported vulnerabilities actually be exploited, using tools such as Core Impact, Canvas or Metasploit in addition to just scanning for vulnerabilities is key.

Tools like Canvas and Core Impact are commercial offerings with relatively high price tags, Metasploit is however open source and free to use in both Windows and *nix environments. It even has a gui!  So there is no excuse for not actually testing some key vulnerabilities identified by your scans, then demonstrating the results to senior management and even other IT staff to increase awareness.

Metasploit can be found here;

http://www.metasploit.com/

Where it can be downloaded for free.  Should you wish to contribute to it’s success there are also paid for versions.

The key message here is don’t stop using the standard patch / vulnerability scans as these are key to providing a picture of the entire environment and providing assurance of compliance to policies.  However these should be supplemented with actually exploiting some key vulnerabilities to provide evidence of the actual risk in you environment rather than just the usual ‘arbitrary code execution’ or similar statement related to the potential vulnerability.  This will put much more weight behind the your arguments for improving security.

K