SecureState: What state are you in?
by

A few days ago, Google researchers announced a new vulnerability in SSLv3, dubbed the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

Although this vulnerability should be taken seriously, an attacker would actually need to do a lot of work to exploit it. Also, as a client-side attack, it targets individual users connecting to a vulnerable server rather than the server itself, unlike the server-targeting Heartbleed vulnerability.

by

As we progress in our discussions about the 2014 Top Attack Vectors, we come to unpatched systems. Every system administrator has dreaded the task of updating systems: the fear of applying a patch that is incompatible with an installed piece of software, the time it takes for everything to complete, weekends lost, and the list continues to grow. However, we rarely think about what patching truly does, nor do we consider what the best approach to patching everything, from a single system to an entire data center, would be. What remains true throughout the industry is that the action itself does not decide the outcome; the prep work is what makes for a successful patch deployment (or a dreaded weekend failure).

by

Recently, while working with a client on an assessment, we ran into an issue with their cloud provider. The client requested an annual penetration test on their environment, which is hosted with a large cloud provider. SecureState has routinely provided this report for the client; however, this year the cloud provider changed its Terms of Service agreement. The hosting provider no longer allowed outside vendors to scan the environment. Instead, it offered a vendor of its own choosing to perform penetration tests and would provide the report.

by

Summary

A new vulnerability identified in the Bash command interpreter was announced yesterday. If successfully exploited, this vulnerability (nicknamed Shellshock) could enable an attacker to run arbitrary commands on the vulnerable system. Bash is used on Macs, Linux (including Red Hat) and UNIX-based systems; the vulnerability has existed in Bash since version 1.14.0, which was released over a decade ago. As a result, any system using Bash is potentially vulnerable.

The best way to test whether your system is vulnerable to Shellshock is to open a Bash shell (i.e. a command prompt) and run the following command:

env X="() { :;} ; echo busted" /bin/bash -c "echo completed"

If the command prompt returns the word “busted,” then your system contains this vulnerability.
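The one-liner above relies on the reader spotting the word "busted" in the output. The following wrapper, an added example that is not part of the SecureState post, runs the same probe and reports a clear result and exit status, so it can be dropped into a fleet-wide audit script. It assumes the bash under test is at /bin/bash unless another path is passed as the first argument.

```shell
# Added example (not from the original post): wraps the Shellshock probe in a
# function that reports a result instead of relying on eyeballing the output.
#
# The probe sets an environment variable whose value looks like an exported
# function definition followed by a trailing command. A vulnerable bash executes
# the trailing command while importing the variable; a patched bash treats X as
# an ordinary variable, so only the -c payload ("completed") is printed.

shellshock_check() {
    # Path to the bash binary under test; /bin/bash is an assumed default.
    bash_bin="${1:-/bin/bash}"

    if [ ! -x "$bash_bin" ]; then
        echo "bash not found at $bash_bin"
        return 2
    fi

    # Same probe as the post, with stdout and stderr captured for inspection.
    out=$(env X='() { :;} ; echo busted' "$bash_bin" -c 'echo completed' 2>&1)

    case "$out" in
        *busted*)
            echo "VULNERABLE"      # the trailing command in X was executed
            return 1
            ;;
        *)
            echo "not vulnerable"  # only the -c command ran
            return 0
            ;;
    esac
}

# Usage: run against the default bash, or pass a path, e.g.
#   shellshock_check /usr/local/bin/bash
# The if-form surfaces the exit status without aborting under 'set -e'.
if shellshock_check "$@"; then status=0; else status=$?; fi
```

Exit status 0 means the interpreter ignored the trailing command, 1 means it was executed, and 2 means no bash was found at the given path. Because the probe only runs `echo`, it is safe to schedule on production hosts; the remediation is still to update the bash package from your vendor.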

by

Web management consoles have been an administrator's friend for quite some time. However, they have been an attacker's best friend since conception. Management consoles are often integrated directly into servers and devices to make the administration and troubleshooting of that equipment much easier. As these consoles are deployed into our environments, they are frequently forgotten about: out of sight, out of mind. We leave them off of our patch management programs, even though they are quite frequently installed with default credentials. Attackers have built word lists from these default usernames and passwords, which are publicly available in manufacturers' configuration guides. Because administrators need this information when they configure the equipment, the onus to change the credentials falls on the organization.

by

Home Depot is reporting that it could be the point of origin for a massive credit card breach. Multiple banks, correlating compromised accounts, hint that the large home improvement retailer’s 1,977 US stores could have been compromised as far back as April. If true, it could easily dwarf the Target breach last holiday season.

by

Over the weekend you've probably seen news reports about celebrities being hacked and their private pictures and videos being posted and distributed all over the Internet. Most of the details about what happened are speculative at best, but most reports center around Apple's iCloud service. While one can question why anyone would take and store naked pictures of themselves on their phone or a cloud service like iCloud, this "hack" is most likely due to a brute force attack on the iCloud service. Contrary to what the mainstream media will tell you, these are not new attacks. They happen to celebrities and regular people like you every day.

by

Within the last few years, there has been growing popularity in social engineering attacks. We have experienced a change in both end user and attacker behavior, resulting in adaptations in attack methods. Although the attacks are becoming more malicious, the technology to prevent them remains the same.

by

The government has been issuing warnings for a month now, and finally organizations are beginning to listen.

On Friday, the Department of Homeland Security (DHS) published a release encouraging retailers using Point of Sale (PoS) systems to proactively check for malware infections. While such checks are always good practice, the recent releases are a response to multiple breaches that occurred last week and throughout 2014. So far, seven PoS providers/vendors have confirmed that clients of their in-store cash register systems are affected. Keep in mind, these are only the companies that have publicly come forward. It is estimated that over 1,000 American businesses have been affected; the number may be higher.

by

As Jason mentioned in his post, last week brought yet more breaches to light in the form of Community Health Systems and now UPS Stores. To be fair, the UPS Stores breach affects a much smaller population; however, at potentially 105,000 transactions, it still represents a significant concern. Actually, it's telling that 105k seems small compared to the other numbers we are used to seeing.