BF-SIRT Newsletter 2013-39

This week we have had a few Apple updates, and we recommend applying them where applicable. The IE zero day that came about last week has also started spreading; see “DeputyDog Attack Targeting Latest IE Zero Day”.
Apple released their latest iPhone, and The Chaos Computer Club quickly bypassed the new fingerprint encryption.

Top 5 Security links
Gang Exploits Both Physical and System Security During Bank Robbery
German Hackers Say Old Technique Can Bypass Apple’s Touch ID
Data Broker Giants Hacked by ID Theft Service
Identifying The Big Dogs Of Cyber War
DeputyDog Attack Targeting Latest IE Zero Day

Top 5 Business Intelligence links
Clever Email Campaign Delivers Deadly Ransomware To Orgs
Destructive Attacks On Oil And Gas Industry A Wake-Up Call
Most tech Executives Planning For Cyber Attacks
Cyber Attacks Will Cause Real World Harm In Next Seven Years
Insider Threat Rises, Info Security Officers Say

iOS 7.0.2 – fixes lock screen vulnerability
OS X Server v2.2.2 Security Update
Apache Struts – Fixes security vulnerabilities

iOS 7.0.2 – fixes lock screen vulnerability

iOS 7.0.2 is now available and addresses the following:

Passcode Lock
Available for: iPhone 4 and later
Impact: A person with physical access to the device may be able to
make calls to any number
Description: A NULL dereference existed in the lock screen which
would cause it to restart if the emergency call button was tapped
repeatedly. While the lock screen was restarting, the call dialer
could not get the lock screen state and assumed the device was
unlocked, and so allowed non-emergency numbers to be dialed. This
issue was addressed by avoiding the NULL dereference.
CVE-2013-5160 : Karam Daoud of PART – Marketing & Business
Development, Andrew Chung, Mariusz Rysz

Passcode Lock
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
see recently used apps, see, edit, and share photos
Description: The list of apps you opened could be accessed during
some transitions while the device was locked, and the Camera app
could be opened while the device was locked.
CVE-2013-5161 : videosdebarraquito

This update is available through iTunes and Software Update on your iOS device.

Apache Struts – Fixes security vulnerabilities

A new version of Apache Struts has been released. This update fixes two security vulnerabilities so users are advised to update as soon as possible!

More information:

OS X Server v2.2.2 Security Update

Apple have released updates to their OS X Server. Some of the updates for the applications below fix issues which may lead to arbitrary code execution, so it’s important to update as soon as possible through Software Update.
Wiki Server

More information:

BF-SIRT Newsletter 2013-38

This week a few reports have come out, the most interesting being the Symantec Security Response report about the hacker group Hidden Lynx and a report that 30 percent of transactions conducted from Tor are fraudulent. 14 NASA sites were also hacked by mistake instead of NSA.

As to our own security posts, Apple have released iOS7, Microsoft have a fix available for the Internet Explorer vulnerability and Mozilla have updated their products to fix memory issues, and it’s suggested to update as soon as possible.

Top 5 Security links
Symantec Security Response release report about hacker group Hidden Lynx
“Stop spy on us!” 14 NASA sites hacked
Police foil attempt to steal millions from bank using remote control KVM device
Mid East undersea fibre telco hacked: US, UK spooks in spotlight
Police arrest teenage hacker behind $50,000-per-month cyber ring

Top 5 Business Intelligence links
WHOIS Privacy Plan Draws Fire
Huawei CTO insists: ‘We are not a threat to UK and US national security’
Cybercrooks can buy hacked POS device and money-laundering bundle for $2,000
New guidelines aid organizations in beefing up security teams
30 Percent of transactions conducted from Tor are fraudulent

iOS 7 released – fixes vulnerabilities
Internet Explorer Vulnerability Could Allow Remote Code Execution
Mozilla – Miscellaneous memory safety hazards

iOS 7 released – fixes vulnerabilities

Apple have released the latest version of their iOS, version 7. This release contains a lot of features, but a lot of security vulnerabilities have also been fixed which means it’s important to update your iOS device as soon as possible.

More information:

Internet Explorer Vulnerability Could Allow Remote Code Execution

Microsoft has released Security Advisory 2887505 regarding a remote code execution vulnerability (CVE-2013-3893) impacting Internet Explorer versions 6 through 11. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. The Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” prevents exploitation of this issue.

You can mitigate this by using a browser other than Internet Explorer, or apply the following “Fix it”:

More information can be found here:

Have a great day,

Quick way to name your NICs in Windows Servers

If you, like me, manage many servers, it’s essential to name network adapters in a way that makes it easy to troubleshoot issues when they arise.

In complex networks with thousands of servers, all connected using multiple paths, a consistent naming standard is very important!

PowerShell and the cmdlets available in Windows Server make naming adapters a breeze. The servers we usually deploy have built-in four (4) port network adapters. We like to name the Windows NICs the same as the default in Linux: eth0, eth1, etc.

In the following example we name the adapters eth0, eth1, eth2 and eth3 in Windows. The NIC with the lowest MAC address gets the name eth0, and so on. (If you prefer to start naming adapters from eth1, change the variable $NICs to 0):

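$NICs = -1   # counter, incremented before each rename so the first adapter becomes eth0
Get-NetAdapter Etherne* | Sort-Object MacAddress | % {
    $NICs++   # ForEach-Object runs in the caller's scope, so this updates the outer counter
    Rename-NetAdapter -InterfaceAlias $_.InterfaceAlias -NewName "eth$NICs" }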

PowerShell really makes life easy 😉

Mozilla – Miscellaneous memory safety hazards

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

This has been fixed in:
Firefox 24.0
Firefox ESR 17.0.9
Thunderbird 24.0
Thunderbird ESR 17.0.9
Seamonkey 2.21

More information:

Protect your organization before ransomware strikes

Is ransomware just another cry wolf, or something organizations should take seriously? Basefarm considers ransomware to be the number one IT threat today. The company’s best advice is to protect yourself before the threat affects you.

No empty threat
– Companies and other organizations have become accustomed to warnings of computer threats without being affected by them. Therefore, it is tempting to ignore the ransomware threat. You should not do that. In return, the remedies for ransomware also work preventively against many other threats, Fredrik Svantes, leader of Basefarm SIRT (Security Incident Response Team) says.

Basefarm supplies complex IT solutions for mission-critical software. The company’s reference list comprises large businesses, including public administration, transport companies and financial businesses. All depend on their IT systems running without interruptions. Being responsible for this, Basefarm follows the IT threat level closely.
– We have seen attempted attacks. Slightly larger companies with a healthy economy are particularly vulnerable, Svantes confirms.

Loss of time and revenue
The attack stories keep coming. Here are two of them: A hospital in California was infiltrated. In order to access their own patient journals, they paid 20,000 dollars. In January last year, ransomware took over more than 20 million files at the Swedish National Agency for Education.
The story of the National Agency for Education is the most typical of all. According to Dagens Nyheter (the Daily News), an employee opened a file which had ended up in their mailbox. This infected both the person’s computer and the document server of the entire organization. On the server were most of the documents that the employees had, including business decisions, reports and other support material. It took nearly a week to restore the server from a backup taken the day before.
– One week without access is a long time, and will entail delays and losses. Even if you are advised not to pay the ransom, many are tempted in order to regain access to their files. After all, not getting the files back could mean a total disaster. The tendency is for the size of the ransom to rise along with the willingness to pay, Svantes says.

Infected ads
The infection may also come from infected websites. Many who hear this intuitively think that it means someone has visited websites they should not have visited.
However, ransomware is distributed through ad networks, in ads that can be found on most completely normal websites, including online newspapers and blogs. In other words, if you want to distribute a virus you can buy ad space and, for example, upload a file with a Flash animation. Users without up-to-date Flash software on their computers are exposed to the risk of infection.
– The crooks earn money doing this, and therefore they have no problems paying for the ads.

Takes the TV and other “Internet things”

The problem with ransomware and other malware is going to grow due to the prevalence of the Internet of Things (IoT). These things are connected to the internet in one way or another. Many of them are cheap compared to, for example, a server or a PC. They may be secure when purchased, but the manufacturer or you may not be very interested in taking the costs of keeping them up to date. The first TVs have already been taken by discount ransomware. For a few hundred you can get the unit back up and running. The fact that life-critical, medical equipment may be open to this type of attack is even more serious.

8 tips on how to protect your business against ransomware

The good thing about methods of protecting yourself against ransomware is that they also work against other malware and other types of attack.

Tip 1: Ensure the organization has the right knowledge and culture
Considering that antivirus systems and firewalls are routinely updated and block regular mass attacks, the crooks are forced to find new, clever paths. A rapidly spreading phenomenon is attacks directed at individuals. By searching Facebook, LinkedIn or other social channels, the attackers find information about persons and their networks. Then they send e-mails to the victims, who feel safe because of the personal character of the information.
The consequence of this is that businesses must establish a culture with sufficient knowledge of this type of approach, and therefore be extra attentive towards what might happen. A vigilant mindset towards e-mail and memory sticks must be part of such a culture. Firstly, not all e-mails should be opened. Secondly, not all attachments should be opened. Thirdly, do not reply to everything. And do not insert any unknown memory stick into the computer!

Tip 2: Establish routines for handling attacks and ensure that everybody knows them
Someone takes the chance of opening an e-mail because they do not want to be a nuisance or expose their “stupidity”. Clearly not a good idea. People need to know who to contact, and that they will be met in a friendly and professional manner.
If something occurs, the notification procedures must be crystal clear, the distribution of responsibility indisputable and the measures immediate. The organization must have monitoring equipment in place and keep control of it, including making sure someone subscribes to security updates.
Part of the contingency is practicing. Practice may be done at different levels: from within the IT department to the entire organization.

Tip 3: Have a backup and make sure it works
You have heard this advice before: backup. But if your backup is reasonably new, and you have restore processes that work, you will be relatively fine even if you are affected by ransomware.
You cannot back up database-based systems (CRM, ERP, financial systems etc.) while they are running. Such systems must therefore be set to back up their own data, and then you back up these backups. No backup is safe until you have tested that it can be used (restore). Cloud backups may be good, but remember that transferring large amounts of data can take quite some time.
Block access to the backup server for all types of users except the backup software itself. This way you prevent the infection from destroying the backup.

Tip 4: Segment networks and rights
This entails ensuring that different employees have read or write access only to the specific areas of a server that they need. If they are affected by ransomware, this will only affect these areas.
Furthermore, the user should not be allowed to install any software or run software as administrator. This way any infection will be limited to the areas that the user has access to, and cannot easily take over the entire computer.

Tip 5: Ensure that all software is up to date
This applies to both clients and servers. Flash and Java are two vulnerable systems where most of the infections occur today. Outdated software may have security holes that the crooks can force their way through.

Tip 6: Limit what programs the users can run
Most people currently run antivirus, but antiviruses can only stop known malware. Every day there are new variants that the antivirus cannot recognize, since the attackers change the malware and test it against common antiviruses right before they send it out.
Whitelisting is the opposite tactic: Instead of, or in addition to, maintaining a list of programs you do not want to run, you maintain a list of software you actually want. Ransomware is not on that list, and will therefore not be run.
Whitelisting has proven difficult in practice, but is now becoming easier to use. It is the most efficient technique against ransomware.

Tip 7: Have an updated firewall
The firewall prevents outside users from accessing the local network. Classic firewalls block entrances. But some ports, such as port 80 (normally www/http), must usually be open, and a classic firewall will therefore not stop attacks via this port. More advanced firewalls therefore monitor content coming through the ports. In any case there are fewer risks connected to computer usage behind a firewall than in front of it.

Tip 8: Use intrusion detection systems (IDS)
Intrusion detection systems monitor the network traffic. If the system detects a computer that starts to send out large amounts of data or contacts servers it does not usually use, this is an early indication of infection that can be used for blocking the computer and protecting others.
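
The kind of check Tip 8 describes, as an added example that is not part of the original article: a per-host baseline is built from earlier flow records, then one day's traffic is compared against it. The host names, the record layout, the sample flows and the factor of 5 are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (day, source host, destination, bytes sent).
FLOWS = [
    (1, "pc-17", "fileserver.corp.example", 40_000),
    (1, "pc-17", "mail.corp.example", 12_000),
    (2, "pc-17", "fileserver.corp.example", 45_000),
    (3, "pc-17", "fileserver.corp.example", 38_000),
    (1, "pc-22", "mail.corp.example", 15_000),
    (2, "pc-22", "mail.corp.example", 18_000),
    # Day 4 is the day under evaluation.
    (4, "pc-17", "fileserver.corp.example", 900_000),
    (4, "pc-17", "203.0.113.50", 600_000),
    (4, "pc-22", "mail.corp.example", 16_000),
]

def build_baseline(flows, last_baseline_day):
    """Per host: average bytes sent per active day and the set of usual destinations."""
    daily = defaultdict(lambda: defaultdict(int))
    usual = defaultdict(set)
    for day, host, dst, sent in flows:
        if day <= last_baseline_day:
            daily[host][day] += sent
            usual[host].add(dst)
    return {h: (sum(d.values()) / len(d), usual[h]) for h, d in daily.items()}

def detect(flows, day, baseline, volume_factor=5.0):
    """Return {host: [reasons]} for hosts that deviate from their baseline on `day`."""
    sent_today = defaultdict(int)
    dsts_today = defaultdict(set)
    for d, host, dst, sent in flows:
        if d == day:
            sent_today[host] += sent
            dsts_today[host].add(dst)
    alerts = {}
    for host, total in sent_today.items():
        # A host with no baseline gets (0, empty set), so any traffic from it is flagged.
        avg, usual = baseline.get(host, (0.0, set()))
        reasons = []
        if total > volume_factor * avg:
            reasons.append(f"sent {total} bytes, baseline {avg:.0f}/day")
        new = sorted(dsts_today[host] - usual)
        if new:
            reasons.append("new destinations: " + ", ".join(new))
        if reasons:
            alerts[host] = reasons
    return alerts

ALERTS = detect(FLOWS, 4, build_baseline(FLOWS, 3))
```

With the sample data only pc-17 is flagged, for both reasons named in the tip: its outbound volume far exceeds its own baseline, and it contacts a destination it has not used before.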