SecureState: What state are you in?

On Tuesday, one week after their traditional Patch Tuesday, Microsoft pushed out MS14-068, an out-of-band patch for a vulnerability in the Windows Kerberos implementation that allows elevation of privilege: an authenticated domain user can present a forged ticket to the Key Distribution Center (KDC) and be treated as a domain administrator. As Microsoft noted, this vulnerability has already been exploited in several limited, targeted attacks. Because the flaw is in the KDC, the patch matters most on domain controllers; apply it there immediately, then to the rest of your Windows estate.


Consumers are relying more heavily than ever on their smartphones to manage all aspects of their lives, including their health. Corporations such as Google and Apple are jumping into this growing market for mobile health apps. Apple's recently launched Health app aggregates data from a variety of health and fitness apps and offers integration with the upcoming iWatch. As Apple states, you decide what information is placed in Health and shared with external health apps, social media apps, and even your doctor. With responsibility for personal data being placed in the hands of users, what should you know before sharing your personal health information (PHI) with your phone?


After the revelation that over 76 million households and 7 million small businesses were affected by the recent JP Morgan Chase & Co. (JPM) data breach, many observers are wondering what lessons can be learned from the entire affair. In the days shortly after the breach was made public, JPM CEO Jamie Dimon discussed the company's plans to double its security budget and hire even more members for its security team. As of the 2013 Annual Report, JPM was reporting a $250 million security budget with a staff of 1,000 people, so it would seem that JPM is looking to increase that budget to $500 million and adjust its staffing accordingly.


Somewhere, in a dark quiet room, they sit and stare into their cathode ray tube monitors. The smoke cloud from spent cigarettes lingers. Someone coughs. The sound of a toilet flush upstairs cuts through the dull quiet, indicating the cheapness of the building’s construction. The glow of their screens keeps their attention, the high of caffeine drinks and sleepless euphoria.

No, I’m not talking about the attackers. They usually live in pretty nice places. I mean, you don’t get the name Cyber Threat Actor by being a slob. I’m picturing the poor souls that have to come up with information security headlines.


As we come to the end of our series covering the 2014 Top Attack Vectors, we find ourselves facing, yet again, an easily mitigated but highly exploited attack vector. Whether it is an operating system such as Windows or Linux, or a device such as a router or firewall, a misconfigured system produces the same result: a breach in our defenses!


A few days ago, Google researchers announced a new vulnerability in SSLv3, dubbed the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. The root cause is that SSLv3's CBC padding is not fully specified: the receiver checks only the final padding-length byte, so whether a tampered record is accepted leaks one byte of plaintext at a time.

Although this vulnerability should be taken seriously, exploiting it takes real work. The attacker must sit in the middle of the connection, force the client to fall back to SSLv3, and then cause the victim's browser to send on the order of hundreds of requests per recovered byte to extract something like a session cookie. It is also a client-side attack: it targets individual users connecting to a vulnerable server rather than the server itself, unlike the server-targeting Heartbleed vulnerability. Disabling SSLv3 on the server (and, where you control it, the client) removes the attack entirely.
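The following is an added example, not code from the SecureState post or from the POODLE paper: a stand-alone simulation of the padding-oracle step described above. It makes three assumptions so that it runs without any crypto library: the "block cipher" is a toy 4-round Feistel network built from SHA-256 (not a real cipher), the record MAC is a truncated SHA-256 over the plaintext (SSLv3 uses its own MAC construction), and every record gets a fresh random IV (real SSLv3 chains the IV between records). The padding check in ssl3_open() and the block-moving trick in poodle_recover() are the actual mechanism, and the attacker's loop shows why roughly 256 requests per byte are needed.

```python
import hashlib
import os

# Added example, not from the SecureState post. Toy cipher, simplified MAC and
# per-record random IVs are assumptions; the padding oracle is the real thing.

BLOCK = 16
MAC_LEN = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    """Invertible 16-byte permutation (Feistel); stands in for AES or 3DES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _mac(mac_key, data):
    return hashlib.sha256(mac_key + data).digest()[:MAC_LEN]


def ssl3_seal(key, mac_key, plaintext):
    """Client side: CBC record of plaintext || MAC || padding || pad_len."""
    data = plaintext + _mac(mac_key, plaintext)
    pad_len = (-(len(data) + 1)) % BLOCK             # 15 == a whole block of padding
    data += os.urandom(pad_len) + bytes([pad_len])   # SSLv3 leaves padding bytes unspecified
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    for off in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return iv + out


def ssl3_open(key, mac_key, record):
    """Server side: True if accepted, False on any error. Only the padding
    length byte is checked, never the padding bytes; that is the oracle."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    data = b"".join(_xor(toy_decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = data[-1]
    if pad_len >= BLOCK:
        return False
    body = data[:-(pad_len + 1)]
    return _mac(mac_key, body[:-MAC_LEN]) == body[-MAC_LEN:]


def poodle_recover(secret, key, mac_key, max_tries=100_000):
    """Attacker view: it can make the victim send records with a chosen-length
    prefix and suffix around `secret` (a cookie in a browser request), tamper
    with ciphertext in transit, and see whether the server accepts the record.
    The key is passed only so this one function can also play victim and server."""
    recovered = bytearray()
    for i in range(len(secret)):
        # Put secret[i] at the last byte of a block and make the padding a full block.
        prefix_len = (BLOCK - 1 - i) % BLOCK + BLOCK
        target = (prefix_len + i) // BLOCK                       # plaintext block index
        suffix_len = (-(prefix_len + len(secret))) % BLOCK
        plaintext = b"A" * prefix_len + secret + b"B" * suffix_len
        for _ in range(max_tries):
            rec = ssl3_seal(key, mac_key, plaintext)             # victim sends a request
            r = [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]   # r[0] is the IV
            r[-1] = r[target + 1]                                # overwrite the padding block
            if ssl3_open(key, mac_key, b"".join(r)):
                # Accepted iff P_target[15] ^ C_{target-1}[15] ^ C_{n-1}[15] == 15.
                recovered.append((BLOCK - 1) ^ r[target][15] ^ r[-2][15])
                break
        else:
            raise RuntimeError("oracle never accepted; check the record layout")
    return bytes(recovered)


def demo():
    """Recover a constructed sample cookie value with a random session key."""
    key, mac_key = os.urandom(16), os.urandom(16)
    return poodle_recover(b"sid=7Qz9", key, mac_key)


if __name__ == "__main__":
    print(demo())
```

Running demo() prints the constructed cookie value. The attacker never decrypts anything: each accepted record tells it that the moved block's last plaintext byte, XORed with two ciphertext bytes it already sees on the wire, equals 15. Note what the fix is: TLS 1.0 and later mandate the value of every padding byte, so the same block swap is rejected regardless of the length byte.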


As we progress in our discussions about the 2014 Top Attack Vectors, we come to systems that are unpatched. Every System Administrator has dreaded the task of updating systems: the fear of executing a patch that is incompatible with an installed piece of software, the time it takes for everything to complete, weekends lost, and the list goes on. However, we rarely think about what patching truly does, nor do we consider the best approach to patching everything from a single system to an entire data center. What remains true throughout the industry is that it is not the act of applying the patch but the preparation that makes for a successful deployment (or a dreaded weekend failure).


Recently, while working with a client on an assessment, we ran into an issue with their cloud provider. The client requested an annual Penetration Test on their environment that is hosted with a large cloud provider. SecureState has routinely provided this report for our client; however, this year, the cloud provider changed their Terms of Service agreement. The hosting provider no longer allowed outside vendors to scan the environment. Instead, they offered a vendor of their choosing to perform penetration tests and would provide you the report.


Summary

A new vulnerability identified in the Bash command interpreter was announced yesterday. If successfully exploited, this vulnerability (nicknamed Shellshock) could enable an attacker to run arbitrary commands on the vulnerable system. The bug is in how Bash imports function definitions from environment variables: it also executes any commands that follow the definition, so any service that places attacker-controlled input into an environment variable before invoking Bash (CGI web scripts are the obvious case) can be exploited remotely. Bash is used on Macs, Linux (including Red Hat) and UNIX based systems; the vulnerability has existed in Bash since version 1.14.0, which was released in 1994. As a result, any system using Bash is potentially vulnerable.

The best way to test whether or not your system is vulnerable to Shellshock is to open a Bash shell (i.e. a terminal) and run the following command:

env X='() { :;}; echo busted' /bin/bash -c "echo completed"

If the output includes the word "busted" (a vulnerable Bash prints busted and then completed), then your system contains this vulnerability. A patched Bash prints only completed, and may add a warning that it ignored the function definition attempt.
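The following is an added example, not code from the SecureState post. It scripts the one-line test above against a chosen bash binary so the check can be run across hosts or images, and it shows the CGI pattern that exposed the bug remotely: a server copying request headers verbatim into environment variables before spawning a bash handler. The filter in sanitize_cgi_env() is an interim mitigation of the kind web application firewalls shipped at the time and is this example's own code; patching bash is the real fix.

```python
import os
import shutil
import subprocess

# Added example, not from the SecureState post. The header filter below is an
# interim mitigation, not a substitute for patching bash.

PROBE = "() { :;}; echo busted"   # a function definition with trailing code


def shellshock_status(bash_path=None):
    """Return 'vulnerable', 'patched' or 'missing' for the given bash binary."""
    bash_path = bash_path or shutil.which("bash")
    if not bash_path:
        return "missing"
    # Same check as the command line in the post; X is set for the child only.
    proc = subprocess.run([bash_path, "-c", "echo completed"],
                          env={**os.environ, "X": PROBE},
                          capture_output=True, text=True)
    if "completed" not in proc.stdout:
        return "missing"          # bash did not run the command at all
    return "vulnerable" if "busted" in proc.stdout else "patched"


def cgi_env_from_headers(headers):
    """CGI (RFC 3875) turns 'User-Agent: x' into HTTP_USER_AGENT=x, unchanged."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def is_function_definition(value):
    """True if a vulnerable bash would parse the value as a function definition."""
    return value.lstrip().startswith("() {")


def sanitize_cgi_env(env):
    """Drop any header-derived variable that looks like a function definition."""
    return {name: value for name, value in env.items()
            if not is_function_definition(value)}


def run_cgi_handler(headers, bash_path=None, sanitize=False):
    """Spawn a bash handler the way a CGI server would and return its stdout.
    With sanitize=False this is the exposed pattern; with sanitize=True the
    crafted header never reaches the handler's environment."""
    bash_path = bash_path or shutil.which("bash")
    if not bash_path:
        return ""
    extra = cgi_env_from_headers(headers)
    if sanitize:
        extra = sanitize_cgi_env(extra)
    proc = subprocess.run([bash_path, "-c", "echo handler-ran"],
                          env={**os.environ, **extra},
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("bash:", shellshock_status())
    attack = {"User-Agent": "() { :;}; echo pwned"}   # constructed malicious header
    print("unsanitized:", run_cgi_handler(attack).strip())
    print("sanitized:", run_cgi_handler(attack, sanitize=True).strip())
```

On an unpatched bash the unsanitized run prints pwned before handler-ran; on a patched one both runs print only handler-ran. Point shellshock_status() at copies of /bin/bash pulled from several hosts to inventory which still need the update.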