
Episode 246 – Vuln Mgmt, Adobe 0-day, Vecebot, flash attacks & “Cyber Lightning”

ISDPodcast Episode 246 for October 29, 2010.  Tonight’s podcast is hosted by Rick Hayes and Karthik Rangarajan.

Announcements:

MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Use the Discount Code: isdpod15 for a 15% discount.

SANS Cyber Defense Initiative 2010
Washington, DC,
Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx

BSidesDelaware:

When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Eventbrite: http://bsidesde-Wiki.eventbrite.com
Schedule – CFP is open


Center for Applied Cybersecurity Research

Malicious USB Talk
November 18, 2010, Noon
Location: Law 335 at IU in Bloomington Indiana

Stories of Interest:

News: http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=228000331

The article describes five stages of vulnerability management and provides some advice on how to reach the final stage: acceptance.

1. Denial. “The scan results are inaccurate — there are a bunch of false-positives in your scan results!”

Denial is usually only a temporary defense for the individual (or support team). To move beyond this stage, you must keep support teams focused on positive actions. In other words, park the items they feel are false and focus on the items they agree are true positives. This will keep attention on what needs to be done, instead of feeding their belief that if they somehow discredit the results, they won’t have to respond.

2. Anger. “Who is to blame? Did you raise a change request to do those scans?”

Many support units will deflect ownership of the findings by challenging your right to scan their devices on their networks. To get through this stage, it’s imperative you have sufficient and demonstrable preauthorization to scan these networks. That could be confirmed via the change control process, but it typically involves negotiations on scan times, with senior-level authorization to conduct the scans on a predefined and ongoing basis.

3. Bargaining. “What’s the real risk? Can you please delay your scans until next quarter because we’re so busy? I don’t own this! Can I have a security deviation that will lower my risk scores?”

The third stage involves the hope that the individual (or support team) can somehow postpone, deflect, or delay the inevitable. Ownership of the risk and accountability for remediation are the themes in this stage. To move through this stage, you must determine where the buck stops and work this from the top down. Identification of dependencies and defining responsibility for removing the barriers are critical success factors.

4. Depression. “I keep patching, but new vulnerabilities are killing me. I can’t seem to make any progress — damn [insert name of software program here]!”

During the fourth stage, the support team begins to understand the certainty of the emergence of new vulnerabilities — and how big the problem is. At this stage, the support unit will require your support. They’ll want to know their efforts have yielded fruit. One useful tactic is to ensure your scanning and reporting process also captures risk avoidance and risk score reductions as key metrics. In other words, if you can quantify the effects of the good remediation efforts, then support teams can begin to accept the fact that success requires more than a one-time effort — and that sustainable processes must be implemented to keep pace.

5. Acceptance. “It’s going to be OK. I can’t fight it, so I may as well prepare for it.”

With this final stage comes peace and understanding — and in the case of vulnerability management, a better focus on risk. Once the support teams realize this is an ongoing effort — and that the scan results actually help to proactively identify areas of risk — they are usually ready to implement meaningful process changes, and are more able to help protect the assets under their control.

A final note: Regression through the stages is normal, but as long as you are armed with the knowledge to understand the motivations behind the reactions, you will be equipped to help your support teams get through them. If possible, engage the responsible units at the beginning of the assessment process to help minimize the negative responses during all of these stages — and deliver positive results.
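The stage-4 advice is to report risk avoidance and risk score reductions, not just the current score. The script below is an added illustration written for these notes (it is not from the Dark Reading article); the finding record, the severity weights, the plugin ids and both sample scans are all assumed.

```python
"""Remediation metrics between two vulnerability scans.

Added example, not from the Dark Reading article or the podcast. It assumes a
flat finding record of (host, vuln_id, severity) and a severity weighting that
the page does not specify; both are constructed here for illustration.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host vuln_id severity")

# Assumed weights (constructed, not a standard): turn findings into one risk score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def risk_score(findings):
    """Sum of severity weights over a list of findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def compare_scans(previous, current):
    """Split findings into remediated / new / persisting and quantify risk change.

    A finding is identified by (host, vuln_id). Severity is left out of the key
    so that a scanner re-rating a finding does not make it look remediated.
    """
    prev = {(f.host, f.vuln_id): f for f in previous}
    curr = {(f.host, f.vuln_id): f for f in current}
    remediated = [prev[k] for k in prev.keys() - curr.keys()]
    new = [curr[k] for k in curr.keys() - prev.keys()]
    persisting = [curr[k] for k in prev.keys() & curr.keys()]
    before, after = risk_score(previous), risk_score(current)
    return {
        "remediated": len(remediated),
        "new": len(new),
        "persisting": len(persisting),
        "risk_before": before,
        "risk_after": after,
        # net change: all a team sees if you only report the headline score
        "risk_reduction": before - after,
        # risk avoided: weight of what was actually closed, regardless of new arrivals
        "risk_avoided": risk_score(remediated),
    }


# Constructed sample scans; vuln ids are made-up plugin ids, not real CVEs.
PREVIOUS_SCAN = [
    Finding("web01", "plugin-1001", "critical"),
    Finding("web01", "plugin-1002", "high"),
    Finding("db01", "plugin-1003", "medium"),
    Finding("db01", "plugin-1004", "low"),
]
CURRENT_SCAN = [
    Finding("web01", "plugin-1002", "high"),      # still open
    Finding("db01", "plugin-1004", "low"),        # still open
    Finding("db01", "plugin-1005", "critical"),   # newly disclosed since last scan
]

if __name__ == "__main__":
    for key, value in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{key:15} {value}")
```

On the sample data the headline net reduction is only 2 points, because a new critical finding arrived between scans, while `risk_avoided` shows the 12 points the team actually closed. Reporting both numbers is what stops a support team in the "depression" stage from concluding that their patching made no difference.
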

News: http://www.darknet.org.uk/2010/10/critical-0-day-vulnerability-in-adobe-flash-player-reader-acrobat/
Adobe has confirmed reports that yet another unpatched vulnerability in the latest versions of its ubiquitous software is being actively exploited to infect end users with data-stealing malware. The vulnerability exists in Adobe’s Reader document viewer and Flash Media Player for Windows, OS X and Unix operating systems, Adobe warned on Thursday. According to independent researchers, it is being exploited in the wild against Reader for Windows to install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.

The vulnerability itself resides in Adobe’s Flash Player, which is available as stand-alone software and is also embedded into Reader. According to researcher Mila Parkour of the Contagio Malware Dump blog, poisoned PDF documents are circulating that drop two malicious binaries onto Windows machines that open the document files. A screenshot identified the two files as nsunday.exe and nsunday.dll. A Virus Total scan showed just 15 of 42 antivirus programs were detecting the malicious EXE. She didn’t say whether the attacks succeed against more recent versions of the OS, which Microsoft has designed to withstand many of the most common types of exploits.

Adobe said it planned to patch the vulnerability in Flash during the week of November 9 and in Reader during the week of November 15. The schedule is puzzling, since Reader has been confirmed to be under attack and Flash has not been confirmed.

In the meantime, users can protect themselves by using an alternate document viewer, such as Foxit. For those who must use Reader, Adobe said they can mitigate attacks by removing functionality known as AuthPlay, by following the instructions near the bottom of this advisory. Adobe provided no temporary measures Flash users can follow.

It’s been a bad couple of years for Adobe’s security team, which has gotten repeatedly hammered by critical vulnerabilities that are exploited by criminals to install malware on users’ machines. Three weeks ago, the company issued a fix for a security flaw in Reader that was also under attack by a highly sophisticated exploit. Last month, Adobe fixed a critical vulnerability in Flash that was also being used to compromise end user computers.

Adobe is also in the process of developing a patch for a code-execution bug in its Shockwave Player. By many researchers’ reckoning, Reader is among the world’s most exploited applications, in close competition with Oracle’s Java framework and, of course, various Microsoft programs.

News: http://threatpost.com/en_us/blogs/new-trojan-vecebot-targets-anti-communist-bloggers-102910
A new family of Trojan Horse programs is being used to stifle political opposition to the Communist Party in Vietnam, according to an analysis by researchers at SecureWorks.

The Trojan, dubbed Vecebot, is a new family of malware  and has been linked to distributed denial of service (DDoS) attacks against bloggers who have written critically of the ruling Communist Party and Chinese mining operations in the country, SecureWorks said.

The targets of the Vecebot botnet, estimated at between 20,000 and 30,000 hosts, include popular Vietnamese blogs and online forums, the analysis found. The release of Vecebot may have been coordinated with what was billed as “Vietnam Blogger Day” on October 19, a coordinated online civil action to celebrate the release of a blogger and political prisoner who used the name Dieu Cay, the SecureWorks analysis said.

If accurate, the analysis identifies what would be just the latest example of malware attacks that appear to have political, rather than strictly commercial, objectives. The SecureWorks analysis points to connections between Vecebot and an earlier Trojan, Vulcanbot, which also targeted anti-Communist Web sites in Vietnam with DDoS attacks and other targeted hacks. Domains used for the Vecebot command and control servers are similar to those used in the earlier Vulcanbot attacks, according to a report by the SecureWorks Counter Threat Unit.

News: http://www.theregister.co.uk/2010/10/27/credit_card_flash_attacks
Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors’ defenses, an analyst said.

The “flash attacks” recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively small sums of money from a single compromised account, according to Avivah Litan, vice president at market research firm Gartner, who follows the credit card industry. They then move on to a new account. At the end of the month, the heists can fetch as much as $500,000.

“The resulting cash transactions fly under the radar of existing fraud detection systems — they are typically small amounts that don’t raise any alarms,” Litan blogged on Tuesday.

She has dubbed the method a “flash attack” because as much as $100,000 can be stolen in as little as 10 minutes.
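The blind spot Litan describes is a fraud rule that looks at each withdrawal on its own: every mule's withdrawal is small, so none trips an amount threshold. A rule that instead looks at how many distinct ATMs hit one account inside a short window sees the same activity immediately. The script below is an added example written for these notes (not from the Register article or Gartner); the withdrawal record format, the thresholds and the sample withdrawals are all assumed.

```python
"""Velocity / dispersion detection for "flash attack" cash-outs.

Added example, not from the Register article or the podcast. It assumes a
withdrawal record of (account, atm, city, timestamp, amount) and thresholds
chosen here for illustration; no real bank's rules are implied.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Withdrawal = namedtuple("Withdrawal", "account atm city ts amount")

# Assumed legacy rule: alert only when a single withdrawal is large.
PER_TXN_ALERT = 500.0


def per_transaction_alerts(txns):
    """Classic amount-based rule; each mule withdrawal stays below it."""
    return [t for t in txns if t.amount >= PER_TXN_ALERT]


def velocity_alerts(txns, window=timedelta(minutes=10), min_atms=5, min_total=1000.0):
    """Flag accounts hit from many distinct ATMs within a short window.

    Each account's withdrawals are scanned with a sliding time window; the
    strongest qualifying window (most distinct ATMs) is reported once per account.
    """
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda t: t.ts)
        best = None
        start = 0
        for end in range(len(items)):
            # advance the window start until the span covers at most `window`
            while items[end].ts - items[start].ts > window:
                start += 1
            span = items[start:end + 1]
            atms = {w.atm for w in span}
            cities = {w.city for w in span}
            total = sum(w.amount for w in span)
            if len(atms) >= min_atms and total >= min_total:
                if best is None or len(atms) > best["distinct_atms"]:
                    best = {"account": account, "distinct_atms": len(atms),
                            "distinct_cities": len(cities), "total": total,
                            "first": span[0].ts, "last": span[-1].ts}
        if best:
            alerts.append(best)
    return alerts


T0 = datetime(2010, 10, 26, 9, 0)  # constructed base time

# Constructed sample data: acct-A is a coordinated cash-out from six ATMs in
# eight minutes, acct-B is ordinary use, acct-C is one large legitimate withdrawal.
SAMPLE_WITHDRAWALS = [
    Withdrawal("acct-A", "atm-101", "Denver",  T0 + timedelta(minutes=0), 200.0),
    Withdrawal("acct-A", "atm-202", "Chicago", T0 + timedelta(minutes=1), 200.0),
    Withdrawal("acct-A", "atm-303", "Atlanta", T0 + timedelta(minutes=3), 200.0),
    Withdrawal("acct-A", "atm-404", "Seattle", T0 + timedelta(minutes=4), 200.0),
    Withdrawal("acct-A", "atm-505", "Boston",  T0 + timedelta(minutes=6), 200.0),
    Withdrawal("acct-A", "atm-606", "Phoenix", T0 + timedelta(minutes=8), 200.0),
    Withdrawal("acct-B", "atm-101", "Denver",  T0 + timedelta(minutes=2), 100.0),
    Withdrawal("acct-B", "atm-101", "Denver",  T0 + timedelta(days=1), 100.0),
    Withdrawal("acct-C", "atm-707", "Miami",   T0 + timedelta(minutes=5), 800.0),
]

if __name__ == "__main__":
    print("amount rule flags:", [t.account for t in per_transaction_alerts(SAMPLE_WITHDRAWALS)])
    for a in velocity_alerts(SAMPLE_WITHDRAWALS):
        print("velocity rule flags:", a["account"], a["distinct_atms"], "ATMs in",
              a["distinct_cities"], "cities, total", a["total"])
```

On the sample data the amount rule flags only the one legitimate $800 withdrawal and misses the cash-out entirely, while the velocity rule flags acct-A with six distinct ATMs in six cities for $1,200 inside the window. In practice the distinct-city count would be the stronger signal, since a card cannot physically be in Denver and Chicago one minute apart.
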

News: http://www.afspc.af.mil/news/story.asp?id=123228183
Working under a carefully planned and escalating contested cyber environment on Oct. 15, members of the 460th Space Wing successfully completed the wing’s first ever exclusively cyber-focused exercise at Buckley Air Force Base, Colo.

“Exercise Cyber Lightning was designed to test the wing’s capability to operate in a contested cyber environment,” stated Mr. Kevin Stocking, 460th SW Plans and Programs Chief.

Eight subject matter experts (SMEs) from outside the wing, ranging from the 688th Information Operations Wing and the Kansas Air National Guard (both components of 24th Air Force) to the Network Operations and Security Center and former “cyber aggressors” from Nellis AFB, helped plan and execute the exercise. They also helped the wing’s exercise and evaluation team assess the wing’s performance and identify lessons learned.

“According to the SMEs we brought in, who are responsible for executing and evaluating cyber operations across the Air Force,” said Mr. Stocking, “Cyber Lightning was certainly a first-of-its-kind wing exercise in AFSPC, and as far as we know, across the entire Air Force too.”

“This is not just an exercise or a game,” said Col. Trent Pickering, 460th Space Wing vice commander, during a wing briefing kicking off the day’s events. “It’s real! It gives us a peek under the tent on how we will command and control this base, and maintain our mission operations, in an environment where an adversary is attempting to deny us some of our key communications capabilities.”

The exercise was centered around network degradation, outages, and hacking activities; phishing and social engineering attempts to gain access to the base network and solicit information on the wing’s Critical Information List; and intermittent land mobile radio, email “pop-ups” and chat room capabilities while responding to an active shooter scenario and anti-terrorism injects. It also entailed some “dumpster diving” looking for personal or unit information that wasn’t shredded properly, and office-by-office searches for CAC cards left unattended in computers, which could grant an adversary immediate access to the wing network.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
