Firefox 3.6.7 Fixes a Bunch of Drive-by Download Vulnerabilities

Posted by Gary Windle

21 July, 2010

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.7 (or 3.5.11), or let Firefox’s automatic update do it for you

Exposure:

Today, Mozilla released an advisory describing 16 (count based on CVE number) vulnerabilities in Firefox 3.6.4 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical, meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.4 vulnerabilities below:

  • PNG Image Buffer Overflow Vulnerability (2010-41). The graphics code that helps Firefox handle PNG images suffers from a buffer overflow vulnerability. By enticing one of your users to a web page containing a maliciously crafted image, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Typical Memory Corruption Vulnerabilities (2010-34). Mozilla’s update fixes two unspecified memory “safety” or corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer. 
    Mozilla Impact rating: Critical
  • DOM Attribute Cloning Code Execution Vulnerability (2010-35). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Firefox’s DOM attribute cloning routine suffers from a code execution vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.

Mozilla’s alert describes many more vulnerabilities, including other code execution flaws, Cross-Site Scripting (XSS) or cross-origin vulnerabilities, and spoofing vulnerabilities. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.7 fixes. 

On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.7. However, if you must stay with 3.5.x, Mozilla has released 3.5.11 to patch that legacy branch.

Solution Path:

Mozilla has released Firefox 3.6.7 and 3.5.11, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.7 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.11.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
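A quick way to turn the two fixed versions above into an inventory check is to compare each reported version against the fixed version for its branch, so that 3.5.10 is flagged but 3.5.11 is not, and an end-of-life branch such as 3.0.x is reported as needing migration rather than being compared at all. The script below is an added example and is not part of the WatchGuard alert; the tab-separated "host, version string" inventory format and the sample lines are constructed for illustration.

```python
"""Check reported Firefox versions against the fixed versions in this alert
(3.6.7 for the 3.6 branch, 3.5.11 for the 3.5 branch).  Added example, not
part of the original alert; the inventory lines below are constructed."""
import re

# Fixed versions per supported branch, as stated in the alert.
FIXED_BY_BRANCH = {
    (3, 6): (3, 6, 7),
    (3, 5): (3, 5, 11),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'Mozilla Firefox 3.6.6' (the output of 'firefox --version') or '3.5.10'.
    A missing patch level is 0, which matches how Mozilla numbers the
    first release of a branch (3.6 precedes 3.6.1)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unsupported'.

    A 3.5.x install is judged against 3.5.11 and a 3.6.x install against
    3.6.7.  Any other branch (3.0.x, 2.x) has no fixed version because it is
    outside Mozilla's support window, so it must be migrated, not compared.
    """
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unsupported"
    return "patched" if v >= fixed else "vulnerable"


def triage(report_lines):
    """Map host -> assessment for inventory lines of the constructed form
    'hostname<TAB>version string'."""
    result = {}
    for line in report_lines:
        host, _, version = line.partition("\t")
        result[host.strip()] = assess(version)
    return result


# Constructed inventory, as a login script might collect it.
SAMPLE_INVENTORY = [
    "ws01\tMozilla Firefox 3.6.6",
    "ws02\tMozilla Firefox 3.6.7",
    "ws03\tMozilla Firefox 3.5.10",
    "ws04\tMozilla Firefox 3.5.11",
    "ws05\tMozilla Firefox 3.0.19",
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%s: %s" % (host, status))
```

Comparing version tuples rather than strings matters here: a naive string comparison would rank "3.5.9" above "3.5.11".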

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default blocks many web-based attacks, though not all of them (the PNG image flaw above, for instance, needs no script). If you use Firefox, we recommend you also install the NoScript extension, which blocks JavaScript (and other active content) by default and lets you allow it only for sites you trust.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.7 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Cloud Computing and Your Enterprise

Posted by Gary Windle

Wednesday, July 07, 2010 (contributed by Brent Huston as seen on www.infosecisland.com)

“Consumer use of the cloud” is, in a phrase, how the cloud will leak into your enterprise, whether you like it or not.

Already, IT is struggling with how to manage the consumer use of devices and services in the enterprise. Skype/VoIP and Wi-Fi were the warning shots, but the BlackBerry, iPhone, iPad and other consumer devices are the death knell for centralized IT (and IS) control.

Consumer electronics, backed by a wide array of free or low cost cloud services, are a new frontier for your organization. Services like MobileMe, DropBox, various file sharing tools and remote access services like GoToMyPC, et al. have arrived.

Likely, they are in use in your environment today. Consumers use and leverage these services as a part of their increasingly de-centralized online life.

Even with sites like Twitter and Facebook growing in capability and attention, consumers keep expanding their use, both personal and professional, of services “in the cloud”.

Make no mistake, despite your controls at the corporate firewalls, consumers are using their mobile and pocket devices and a variety of these services. Unless you are searching them at the door and blocking cell phone use in your business, they are there.

This might not be “the cloud” that your server admins are worrying about.

It might not represent all of the off-site system, database and other hosting tools they are focused on right now, but make no mistake, this consumer version of the cloud has all, if not more, of the same issues and concerns. Questions about how your data is managed, secured and maintained abound.

Given the “gadget posture” of most organizations and their user communities, this is not likely to be something that technical controls can adequately respond to.

The consumer cloud services are too dynamic and widespread for blacklisting approaches to contain them. Plus, they obviously lack centralized choke points, as in the old days of “network perimeter security”. The new solution, however, is familiar.

Organizations must embrace policies and processes to cover these technologies and their issues. They also have to embrace education and awareness training around these topics with their user base.

Those who think that denial and blacklisting can solve this problem are gravely mistaken. The backdoor consumer cloud movement into your organization is already present, strong and embedded. Teaching users to focus on safe use of these services will hopefully reduce your risk, and theirs.

Cross Posted from State of Security

How are you educating the users on your network?

Why Simple Can Be Secure

Posted by Gary Windle

Wednesday, June 23, 2010
By: Bryan Miller – full article at www.infosecisland.com

I’m often asked why security has to be so expensive. A lot of my time is spent preaching to clients about the need for increased security. Every day brings another new vulnerability to our computing infrastructure. Hardly a day goes by when we are not bombarded with headlines claiming that another famous company has been hacked, or that our credit card numbers have been stolen by anonymous cyber thieves. My immediate answer to that opening question has always been, “Security doesn’t have to cost a lot of money. Simple can be secure.”

In the information security industry, there is a concept known as FUD. Fear, Uncertainty and Doubt sells a lot of products. FUD can be a useful concept when applied in the right areas. When convincing IT departments to spend money on security-related expenses, FUD is often used to scare network managers into purchasing hardware and services. Occasionally, FUD is used to sell products and services that might not be needed. Before we think of security companies as total crooks, realize that FUD is used to sell all sorts of products, from all forms of insurance to alarm systems for your house.

My reasoning for the “Why Simple Can Be Secure” title of this article has been formed over many years of working with clients of all sizes. Too often bad things happen when simple policies and procedures would have eliminated the opportunity for things to go wrong. In the information security industry, several years ago there was a strong push to sell firewalls. A firewall is a device, usually consisting of a hardware appliance running special software designed to protect your network. At the time, the thought was that if you purchased a firewall you would be safe. As one infomercial says, “Just set it and forget it.”

The problem with that theory was clearly demonstrated during the CodeRed and Nimda attacks a few years back. These two worms caused extensive damage throughout the Internet. What was the root cause of the vulnerability? Why didn’t the firewalls protect us? These worms propagated through the Internet because overburdened network administrators had not applied patches released by Microsoft many months before the attacks began. The firewalls provided no relief because the attacks didn’t violate any network protocol rules. In other words, the CodeRed and Nimda attacks looked like valid web traffic.

There are lots of examples of similar problems with vendor patches not being applied. Several recent examples are the SQL Sapphire worm, the Microsoft IIS WebDAV vulnerability and other known issues with Apache web servers. All of these examples could have been solved by applying the vendor patches that had been supplied months before any publicly known exploits were released. The problem isn’t the fact that vendors didn’t know about the issues, but that the poor network managers are getting these types of alerts daily. With 10-15 known problems at any one time, how do you prioritize the patch process?

My point in bringing up these examples is to reiterate my earlier point. With all of the FUD being served up by security vendors, the best solution is often the free or nearly free solution. Don’t get me wrong, I’m not trying to talk anyone out of purchasing a firewall, VPN or intrusion detection system. These devices are important pieces of an overall security solution. However, I am advocating starting with the basics, such as policies and procedures, which can be developed for relatively low costs. Without enforceable policies, purchasing lots of security hardware and software might not be the best approach.

When performing vulnerability assessments, I often find vulnerabilities that could have been prevented by simple, low-cost solutions. Something as simple as having your users log out of their PC when they go home can be extremely effective in preventing unauthorized access. The use of screen savers when away from your office is another free way to greatly increase the overall security posture of your organization. An entire article could be written about password policies. Anti-virus software can be expensive depending on the size of your organization, but its use has become critical to the security and management of most companies.

In conclusion, when you think of security, remember that sometimes the best approaches to security cost very little money. Developing strong policies and procedures is a great start. Implementing simple security policies involving screen savers and strong password policies can go a long way to securing your network. You will certainly want to look at other security products, but before you spend your hard earned money, make sure you have implemented the low-tech solutions first.

Online Technology Management has low cost monthly plans providing you with peace of mind regarding your network’s security needs, including everything from patch management through gateway security appliances that provide universal threat protection.  Call 800-292-3537 or email info@otmgm.com to learn more.

Wireless security myths 2010

Posted by Gary Windle

By Gopinath KN, director of engineering, AirTight Networks, Network World (www.networkworld.com)
June 21, 2010 10:46 AM ET

Wireless has become a part of our official and personal lives. Securing against wireless threats has been and will continue to be an important piece in the overall enterprise security puzzle. However, as if following Darwin’s theory of evolution, wireless security myths too are born, evolve and then die to be replaced by new ones.

An improved awareness of wireless security issues seems to have given network security professionals enough information to dispel certain wireless security myths (e.g., hiding your SSID in beacons will improve security; open APs with MAC filters can provide good security; use of static network IP addresses can impede an attacker; and WEP can provide good-enough security).

The fact that more and more users are moving towards WPA2 deployments confirms this. The recent PCI DSS wireless guideline (perhaps spurred by the infamous and high-profile TJX security breach) is certainly driving some of these developments. However, on the flip side, the wireless security community still lacks a clear consensus on how to handle threats caused by unmanaged devices.

This has led to an evolved set of wireless security myths that are probably harder to debunk. Let’s take a brief look at them and discuss how enterprises can avoid some of these common pitfalls.

Myth 1: My enterprise is secure if we do not have a Wi-Fi deployment. Many people still think that they are secure if they have a “no Wi-Fi” policy. If only wireless security were that simple. In the real world where it is not possible to trust everyone, it would be naïve to assume the policy will never be violated. A disgruntled employee can implant a rogue access point, and even well-meaning employees can deploy APs that will inadvertently expose your network to rogue activity. Similarly, Wi-Fi client cards that come embedded in most of the notebooks today can be a potential source of threat — they can be exploited by attackers. Further, other wireless technologies embedded in notebooks such as Bluetooth can create security vulnerabilities.

Reality: Assuming that a “no Wi-Fi” policy will secure your network is akin to an “Ostrich solution”.

Myth 2: I use WPA2 in my network and I am secure. If you have rolled out your enterprise Wi-Fi deployment with WPA2, it is definitely a good start. WPA2 provides strong cryptographic security for your WLAN APs and clients. However, in a large deployment, it is important to ensure that none of the devices are accidentally mis-configured, thus potentially exposing gaping security holes. Wi-Fi is increasingly used to carry mission-critical applications, so hackers and criminals will continue to focus on breaking Wi-Fi security. Researchers have recently demonstrated that WPA-TKIP can be compromised to achieve packet-injection attacks. Similarly, a Cisco WLAN controller-based vulnerability that can be exploited to “skyjack” Cisco LAPs has been reported.

Reality: A WPA2-based WLAN deployment cannot protect you from all types of wireless security threats.

Myth 3: I have enabled 802.1X port control and I am secure. IEEE 802.1X port-based access control provides an authentication mechanism for devices wishing to communicate via a port (e.g., a LAN port). It allows further communication only if the authentication succeeds. If it fails, it disallows further communication via the port. The goal of the designers of 802.1X was not to protect a network from wireless security threats. As we can expect, 802.1X is completely ineffective against Wi-Fi client-based threats. Even though 802.1X-based port control can act as a deterrent to rogue APs, it can be easily bypassed via a “hidden rogue AP” — for example, by an employee with knowledge of 802.1X credentials. First, he needs to connect a Layer-2 bridge AP in “silent” mode by configuring it with a static IP (so that it never has to reveal its identity over the wire). Then, he can masquerade the identity (i.e., MAC address) of a Wi-Fi client as that of his Ethernet card to deceive 802.1X control.

Reality: The basic problem here is that 802.1X is a one-time (i.e., entry level) control, but, what you actually need is continuous monitoring and control.

Myth 4: My network access control (NAC) solution will protect me from Wi-Fi based threats. NAC aims to control access to a network with policies. It includes pre-admission endpoint security policy checks (to determine who can access the network) and post-admission controls (to determine what they can access). Since NAC solutions include some host-based checks (i.e., operating system, services running on the host), they can protect against the class of rogue APs that function as a router or a network address translator. However, like 802.1X, NAC fails against the “silent rogue AP” threat.

Reality: Similar to 802.1X, NAC is also an entry level control and the arguments made against 802.1X hold true against NACs as well.

Myth 5: 802.11w eliminates Wi-Fi denial-of-service (DoS) attacks. By its very nature, Wi-Fi is susceptible to DoS attacks. The unlicensed radio frequency spectrum, coupled with a “keep-it-simple” MAC protocol, has led to the development of several DoS attacks on Wi-Fi (e.g., RF jamming, deauthentication/disassociation floods, virtual jamming). IEEE recently ratified the 802.11w standard, which adds cryptographic protection to a certain subset of 802.11 management frames (e.g., deauthentication and disassociation frames). This definitely mitigates the attacks based on such protected frames.

Reality: Attacks based on frames that are outside of the purview of 802.11w protection (e.g., virtual jamming) and RF spectrum based attacks are still possible.
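The scope boundary of 802.11w is visible in the first four bytes of every frame: the type/subtype bits say whether a frame is one of the management subtypes that protected management frames (PMF) cover, the Protected Frame flag says whether this particular frame actually carries that protection, and the Duration field is what a virtual-jamming RTS/CTS abuses to reserve the medium. The following sensor-side classifier is an added example, not code from the Network World article or from AirTight; the frame headers it inspects are constructed by hand rather than captured, and it assumes a WLAN on which PMF is required, so that an unprotected deauthentication or disassociation frame can only be forged.

```python
"""Classify raw 802.11 frame headers by whether 802.11w (PMF) covers them,
flagging forged deauth/disassoc frames and RTS/CTS virtual jamming.
Added example, not from the article above; the frame bytes are constructed."""
import struct

MGMT, CTRL, DATA = 0, 1, 2

# Management subtypes (IEEE 802.11-2007 table 7-1).
BEACON, PROBE_REQ, PROBE_RESP = 8, 4, 5
DISASSOC, AUTH, DEAUTH, ACTION = 10, 11, 12, 13
# Control subtypes.
RTS, CTS = 11, 12

# 802.11w protects deauthentication, disassociation and robust Action frames
# once a PMF association is up.  Beacons, probes, authentication and every
# control frame stay unauthenticated.  Treating all Action frames as robust
# over-approximates slightly (Public Action frames are not protected).
PMF_PROTECTED_MGMT = {DISASSOC, DEAUTH, ACTION}

MAX_NAV_USEC = 32767  # 15-bit Duration/ID field, microseconds


def parse_frame_control(frame):
    """Decode Frame Control (2 bytes) and Duration/ID (2 bytes), little-endian.
    Byte 0: version bits 0-1, type bits 2-3, subtype bits 4-7.
    Byte 1 bit 6: the Protected Frame flag."""
    if len(frame) < 4:
        raise ValueError("truncated 802.11 header")
    fc0, fc1, duration = struct.unpack("<BBH", frame[:4])
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & 0x40),
        "nav_usec": duration & 0x7FFF,
    }


def pmf_covers(fc):
    """True only for the management subtypes 802.11w actually protects."""
    return fc["type"] == MGMT and fc["subtype"] in PMF_PROTECTED_MGMT


def classify(frame, pmf_required=True):
    """Verdict for one frame seen by a monitor-mode sensor.

    'forged_mgmt'   deauth/disassoc without the Protected Frame bit on a
                    network that requires PMF: a PMF client discards it, and a
                    sensor should count it as spoofed.
    'virtual_jam'   RTS/CTS reserving (almost) the whole NAV range, the DoS
                    802.11w does not address because control frames are
                    outside its scope.
    'pmf_ok'        protected management frame, inside 802.11w's scope.
    'out_of_scope'  beacons, probes, data and everything else.
    """
    fc = parse_frame_control(frame)
    if pmf_covers(fc):
        if fc["protected"]:
            return "pmf_ok"
        return "forged_mgmt" if pmf_required else "unprotected_mgmt"
    if (fc["type"] == CTRL and fc["subtype"] in (RTS, CTS)
            and fc["nav_usec"] >= MAX_NAV_USEC - 1000):
        return "virtual_jam"
    return "out_of_scope"


def build_frame(ftype, subtype, protected=False, nav_usec=0):
    """Construct the 4-byte header prefix used above (no addresses appended)."""
    fc0 = (ftype << 2) | (subtype << 4)
    fc1 = 0x40 if protected else 0x00
    return struct.pack("<BBH", fc0, fc1, nav_usec)


# Constructed sample of what a sensor might see in a short window.
SAMPLE_FRAMES = [
    build_frame(MGMT, BEACON),
    build_frame(MGMT, DEAUTH, protected=False, nav_usec=314),  # forged
    build_frame(MGMT, DEAUTH, protected=True, nav_usec=314),   # the AP's own
    build_frame(CTRL, CTS, nav_usec=32767),                    # NAV hog
    build_frame(DATA, 0, protected=True, nav_usec=44),
]


def summarize(frames, pmf_required=True):
    """Count verdicts so an alert threshold can be applied per verdict."""
    counts = {}
    for f in frames:
        verdict = classify(f, pmf_required)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, n in sorted(summarize(SAMPLE_FRAMES).items()):
        print("%-16s %d" % (verdict, n))
```

The two verdicts that matter for this myth sit on opposite sides of the 802.11w boundary: the forged deauthentication is something 802.11w lets a client reject, while the CTS with a maximal NAV is a perfectly well-formed control frame that no amount of management-frame protection will touch.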

Myth 6: Part-time security. WLAN infrastructure may support a mode wherein an AP can be programmed at times to act as a wireless intrusion-detection sensor. However, if you need a higher level of protection, for example to comply with industry or government regulations, you really need wireless intrusion prevention (and not just detection), as switching an AP between access and protection provides, at best, part-time protection. A device acting as an AP cannot spend significant cycles on security. If it does, it will affect its performance as a data/voice-carrying device. Therefore, when this mode is employed, such devices end up spending less time on scanning and threat mitigation. This introduces delays in threat detection and can severely affect blocking/prevention.

Reality: Part-time sensors fail miserably in reliably blocking threats (as such sensors cannot perform a sustained and frequent transmission of containment packets).

It is clear that threats from unmanaged wireless devices need focused attention. The first step in addressing this issue is to define wireless security policies for your enterprise — define what authorized communication is and what is not.

The next step is to evaluate the security risk specific to your enterprise and invest in specialized tools such as a wireless intrusion detection/prevention system. Last, but not least, wireless security is also a people problem and user education goes a long way in mitigating the security risks.

Full article: http://www.networkworld.com/news/tech/2010/062110-tech-update.html?page=3

Are you interested in wireless security? Online Technology Management can help you. Call us today.

Location services: The security risks of oversharing

Posted by Gary Windle

The vulnerability of Web applications and the sensitive nature of personal location information will prove a disastrous combination

By Paul F. Roberts | InfoWorld (www.infoworld.com)

As soon as a new technology gets traction, smart criminals figure out a way to misapply it. And one of the hottest features in the mobile world, location awareness, is next in line for exploitation.

Services like Foursquare, Loopt, and Gowalla, which combine user-generated reviews with social networking, provide particularly attractive targets. The idea is to use your mobile device to let your followers know in real time what cool places you’re patronizing and the excellent food you’re eating. Stores and shop owners love it — it’s no-cost marketing in line with the current zeitgeist of user-driven info from people you trust.

A new report from the company uTest points out the reliability and security/privacy concerns these applications raise. A contest involving 300 testers found close to 900 bugs in three leading location/check-in services. That’s not surprising, given recent data on Web application vulnerabilities.

In the report, 80 percent of the testers said that they were concerned about their privacy. They should be. As the recent iPad-related hack of AT&T shows, mobile devices are only as strong as their weakest link — or their weakest partner’s weakest link. The confluence of poorly protected Web apps and the goldmine of geolocation and personal information will be too rich to resist.

Here are some possible hacking or real-world crime scenarios in which data from Web-based platforms like Foursquare and Gowalla could play a part:

  • Targeted social engineering attacks that employ real-time or historical geolocation data. For example, an employee at a leading tech/pharma/defense contractor reveals, via Foursquare, his or her regular visits to the local coffee shop, where s/he is targeted by social engineers looking to gain access to the corporate network, or the victim of a real-world theft (laptop, mobile device) that yields sensitive data.
  • Stalkers, estranged spouses/lovers monitor check-in services and use them to confront the object of their obsession. Expect to see these kinds of services popping up in court proceedings, as Facebook recently has.
  • Malware that leverages preference data from check-in services to social engineer targets.
  • Malicious hackers use location data to launch real-time attacks against other check-in service users.

These days certain industry leaders like to proclaim that privacy is an outdated concept. But criminal abuse of location services to pursue people, not just their data, may give privacy advocates the most potent ammunition they’ve had in years.
