August 17, 2019

Misconfigured Amazon S3 storage buckets exposing private data

(LiveHacking.Com) – Some recent research has shown that thousands of Amazon customers are configuring their storage services incorrectly, leading to potentially sensitive data being exposed on the Internet. Amazon offers a cloud storage solution called Amazon Simple Storage Service, or S3 for short. This storage can be used to store almost anything and is often used by businesses for private data like backups, company documents and log files, and for public content like web page graphics and PDF files.

Amazon organizes the S3 storage in logical containers called “buckets” which have a predictable URL (http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/) and are either marked as private or public. A public bucket is one where any user can obtain a list of all the files in the bucket. Trying to access a private bucket will result in an access denied error, but accessing a public bucket will list the files in the container.

A tester at Rapid7 has performed some research to try to ascertain how many S3 buckets have been misconfigured. The initial search for buckets revealed 12,328 buckets in total, of which 1,951 were publicly accessible. That means that 1 in 6 S3 buckets are open. According to the research these buckets contained some 126 billion files! It is unrealistic to test the access rights to so many files, but by testing a sample of 40,000 files Rapid7 gained access to sales records and account information; affiliate tracking data; employee personal information and member lists across various spreadsheets; and video game source code and development tools for a mobile gaming firm!

The findings underline one of the core principles of computer security. Any security protection which isn’t configured correctly is the same as no security protection! For those using S3 the message is clear: check the permissions. Amazon has some useful information on protecting data stored in Amazon S3.
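One way to do that permission check, as an added example that is not part of the original article: parse the XML document S3 returns for a bucket ACL and flag any grant to the two public groups. The ACL below is constructed to show the misconfiguration the research found (anonymous READ on the bucket, which is exactly what allows anyone to list its files); owner IDs are placeholders.

```python
"""Audit an S3 bucket ACL (GetBucketAcl response) for public grants."""
import xml.etree.ElementTree as ET

# Namespaces used in S3's ACL document.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_NS = "{http://www.w3.org/2001/XMLSchema-instance}"

# Well-known grantee URIs that make a bucket readable beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed ACL, shaped like the response to `GET /?acl` on a bucket:
# the owner has FULL_CONTROL and, by mistake, AllUsers has READ (listing).
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>EXAMPLE-OWNER-ID</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:type="CanonicalUser">
        <ID>EXAMPLE-OWNER-ID</ID><DisplayName>owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def public_grants(acl_xml: str) -> list:
    """Return (who, permission) for every grant made to a public group."""
    root = ET.fromstring(acl_xml)
    findings = []
    for grant in root.iter(f"{S3_NS}Grant"):
        grantee = grant.find(f"{S3_NS}Grantee")
        perm = grant.findtext(f"{S3_NS}Permission", default="")
        # Canonical-user and e-mail grantees name specific accounts; only
        # Group grantees can point at the world-readable URIs.
        if grantee is None or grantee.get(f"{XSI_NS}type") != "Group":
            continue
        uri = grantee.findtext(f"{S3_NS}URI", default="")
        if uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], perm))
    return findings


def is_listable_by_anyone(acl_xml: str) -> bool:
    """READ on a bucket ACL is the permission that lets a caller list every
    key, which is what the survey above counted as an 'open' bucket."""
    return any(who == "anyone on the Internet" and perm in ("READ", "FULL_CONTROL")
               for who, perm in public_grants(acl_xml))


if __name__ == "__main__":
    for who, perm in public_grants(SAMPLE_ACL):
        print(f"WARNING: {perm} granted to {who}")
    print("listable by anyone:", is_listable_by_anyone(SAMPLE_ACL))
```

The ACL is only one of the ways a bucket can become public; a bucket policy can grant the same access, so an audit should read both.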


Apple closes two security vulnerabilities with release of Apple TV 5.2

(LiveHacking.Com) – Apple has released new firmware for its TV media box which adds the ability to play purchased iTunes music directly from iCloud along with Bluetooth keyboard support. The update also allows Apple TV users to send media from an Apple TV to AirPlay-enabled speakers and devices (including AirPort Express and other Apple TVs). At the same time as adding new functionality Apple has also closed two serious security holes.

The first vulnerability fixed is an issue which allowed a user-mode process to access the first page of kernel memory. Normally the kernel has code to check that user processes are not accessing kernel memory. However, the checks were not being applied if the length was smaller than one page. This issue was addressed through additional validation of the arguments to copyin and copyout.

The second security flaw could allow a remote attacker on the same WiFi network to cause an unexpected system termination. An out-of-bounds read issue exists in Broadcom’s BCM4325 and BCM4329 firmware’s handling of 802.11i information elements. This issue was addressed through additional validation of 802.11i information elements.

To check the version of the firmware on your device, select “Settings -> General -> About”. Most users won’t need to do anything as Apple TV will regularly check for software updates. Alternatively, you may manually check for software updates by selecting “Settings -> General -> Update Software”.

How to Secure Your Systems in Nine Easy Steps

That you need to secure your systems is obvious; how to do so isn’t. You’ve heard of port scanners and vulnerability scanners and you know antivirus software and patching are important, but it’s easy to get lost in the weeds when it comes time to formalize your approach.

In this article we are going to see how to secure your systems in nine easy steps. We’ll keep things high level so that you can apply the concepts to as many systems as possible, rather than drilling down to the specifics on product X. Applying these steps to your systems will help ensure your systems are as secure as possible, will reduce the risks as much as possible and will get the boss and the security guy off your back. Here’s how you begin:

1. Get a network security application

It doesn’t have to be a $100K purchase, nor will it necessarily be something you download from an open source website. What it will be is one that can run in your environment, is easy for you to start using, has support and updates included, and can help you to automate and perform many of the tasks that are in this list. A good network security application is a key part of any security program, and with so much to do and so little time, it is not optional.

2. Use a vulnerability scanner

Vulnerability scanners are tools that can scan systems over the network looking for security issues that you need to remediate. Vulnerability scanners include databases of known vulnerabilities for all kinds of systems and applications, and it is critical to keep that database up-to-date so your vulnerability scanner can look for the latest discovered issues. Use your vulnerability scanner to scan every new system before it is approved for production, before the firewall ports on the Internet are open, and whenever the configuration is changed. You should also use your vulnerability scanner to assess your entire network. Run it from the Internet against your DMZ to see everything an attacker outside would see. Run it internally against your entire network to be sure every system is up-to-date. Regular use is key to ensure nothing slips through the cracks.

3. Lock down defaults

Vulnerability scanners can also help you to identify default settings. These are the things that the vendor sets up out-of-the-box, and that often can be used by attackers to find a back door into your network or to access data on devices. Examples include default passwords, running services that you don’t need, open shares that contain sensitive information and protocols that don’t use encryption. Finding these defaults and either securing or disabling them reduces your exposure and takes away an easy in for any attacker to exploit.

4. Patch

It’s as simple as that. Patch. Patch everything. Patch operating systems on servers and workstations, third party applications, drivers, network devices, firmware and anything else you can. Keeping all of your systems 100% updated on patches closes the largest number of vulnerabilities of any action you can take. In support of this fact, your vulnerability scanner will identify many unpatched systems and list the patches they need. It may not find them all, but it will find the ones most attackers would find too. Seriously, if you do nothing else on this list, patch. If you have more systems than you have fingers, then you need patch management software to keep up with everything. Look for patch management software that includes vulnerability scanning so you can get a two for one solution.

5. Use good passwords

That means using strong, easy-to-remember but hard-to-guess passwords on every system, and training your users to do the same. It also means using different passwords on different systems, and changing those passwords regularly. It also means resetting any default passwords, and never sharing them. Each user should have his or her own access to any system, and no one should know another user’s password.

6. Practice least privilege

The concept of least privilege is pretty straightforward. Don’t give out any access to someone unless they need that access. Only give them the minimum access they need to do their job. Take away that access when it is no longer required.

7. Document

One of the most difficult tasks for many sys admins is one of the most important. Documenting your systems, your network, your configurations, and your best practices is a critical part of maintaining your systems. Without documentation, how do you know what you have? How can you be sure you didn’t miss something? Never put off documentation until ‘later’. ‘Later’ will never come.

8. Establish baselines

Each system will have its own particular behaviours. How busy is it? How much RAM is it using? What services is it running? How quickly is it running out of disk space? Make sure that you establish baselines for every new system while you are still paying close attention to it and before you declare it production-ready, and add those into the documentation. When the server varies from its baseline, it’s a good indication that something might be wrong. Whether that is an errant app, an underestimated load, or an uninvited guest remains to be seen, but consider spikes in CPU and RAM, and rapidly diminishing disk space all to be your early warning system.

9. Set up alerts

If you have central monitoring, it is easy to stay on top of these baselines and also to automate reviews of logs. Smaller shops aren’t so well equipped. Setting up alerts on your systems for things like failed logons, spikes in CPU, low disk space, etc., not only helps you with the sys admin tasks of maintaining the systems, but can also call to your attention issues that might indicate a security incident is happening.
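Steps 8 and 9 in working form, as an added example that is not part of the guest post: a baseline (mean and spread) for two host metrics recorded while the server was still being watched, a deviation test against that baseline, a disk-runway estimate, and a failed-logon alert run over constructed sshd-style log lines. The sample values, the three-sigma rule and the five-failures-in-five-minutes threshold are assumptions, not figures from the article.

```python
"""Baseline host metrics and alert on deviations and failed-logon bursts."""
import re
import statistics
from datetime import datetime, timedelta

# --- Step 8: baselines ------------------------------------------------------
# Constructed hourly samples taken during the pre-production watch period.
BASELINE_CPU = [12, 15, 11, 14, 13, 16, 12, 14, 13, 15, 12, 14]   # % busy
BASELINE_DISK_FREE_GB = [120, 119, 119, 118, 118, 117, 117, 116, 116, 115, 115, 114]


def baseline(samples):
    """Mean and population standard deviation to record in the documentation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def deviates(value, samples, sigmas=3.0):
    """True when a new reading sits more than `sigmas` deviations from baseline."""
    mean, sd = baseline(samples)
    return abs(value - mean) > sigmas * max(sd, 1e-9)


def disk_runway_days(samples, hours_per_sample=1):
    """Days of free space left if the baseline consumption rate continues."""
    per_hour = (samples[0] - samples[-1]) / ((len(samples) - 1) * hours_per_sample)
    return samples[-1] / per_hour / 24 if per_hour > 0 else float("inf")


# --- Step 9: alerts ---------------------------------------------------------
# Constructed syslog-style lines in the shape sshd writes; addresses are
# documentation ranges, not real hosts.
AUTH_LOG = """\
Jan 15 09:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 15 09:00:03 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 15 09:00:04 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51031 ssh2
Jan 15 09:00:06 web1 sshd[2207]: Accepted publickey for deploy from 192.0.2.10 port 40210 ssh2
Jan 15 09:00:07 web1 sshd[2209]: Failed password for invalid user oracle from 198.51.100.7 port 51040 ssh2
Jan 15 09:00:09 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan 15 09:30:00 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 40300 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def failed_logon_alerts(log_text, threshold=5, window=timedelta(minutes=5), year=2013):
    """Return the source addresses with >= threshold failures inside any window."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"]))
    alerts = set()
    for ts, src in events:
        burst = [t for t, s in events if s == src and ts <= t < ts + window]
        if len(burst) >= threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    print("CPU baseline (mean, sd):", baseline(BASELINE_CPU))
    print("45% CPU deviates:", deviates(45, BASELINE_CPU))
    print("disk runway (days): %.1f" % disk_runway_days(BASELINE_DISK_FREE_GB))
    print("failed-logon alerts:", failed_logon_alerts(AUTH_LOG))
```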

Getting these nine steps in place now, consistently and across all systems, will immensely help you in securing your systems. You will cover the majority of things that could be exploited by an attacker, and set yourself up to stay informed on what is happening with your systems.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. Learn more about the importance of network scanning by downloading the free eBook: A first aid kit for SysAdmins.

Disclaimer: All product and company names herein may be trademarks of their respective owners.


Oracle has released a security update that fixes more than 80 vulnerabilities in its products

(LiveHacking.Com) – Oracle has released its Critical Patch Update (CPU) for January 2013. This month’s set of patches addresses 86 vulnerabilities across multiple Oracle products, excluding Java which Oracle patches separately. This update contains the following security fixes:

  • 6 for Oracle Database Server
  • 7 for Oracle Fusion Middleware
  • 13 for Oracle Enterprise Manager Grid Control
  • 9 for Oracle E-Business Suite
  • 1 for Oracle Supply Chain Products Suite
  • 12 for Oracle PeopleSoft Products
  • 1 for Oracle JD Edwards Products
  • 10 for Oracle Siebel CRM
  • 8 for Oracle Sun Products Suite
  • 1 for Oracle Visualization
  • 18 for Oracle MySQL

For the Oracle Database Server the CPU contains 6 new security fixes: a fix for a vulnerability in the traditional Oracle Database Server that is not remotely exploitable, and five security fixes for the Oracle Database Mobile/Lite Server, all of which may be remotely exploitable without authentication.

There are also 7 security fixes for Solaris, none of which may be exploited remotely without authentication, and one fix for the Sun Storage Common Array Manager (CAM) which is remotely exploitable without authentication.

MySQL has been patched to fix two vulnerabilities that may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The flaws in the MySQL protocol are present in MySQL 5.1.66 and earlier as well as 5.5.28 and earlier.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” said the company in the update advisory.

Malware found in U.S. power plants, should America be worried?

(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different bits of malware, which have been classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control systems configurations within the control environment.

Initial analysis of the malware found on the USB drive raised some alarms since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. The engineers also discovered two critical engineering workstations, which were infected by the malware, that had no backups; a poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to inform it of a malware infection in a turbine control system. The malware infected around ten computers on the control system network, which was down due to a scheduled outage for equipment upgrades. The infection resulted in more downtime than planned and delayed the plant restart by approximately 3 weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events.”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

After latest vulnerability gets patched in Java, is it now seen as just too dangerous?

(LiveHacking.Com) – Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java, however Java running in a web browser is affected.

To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website the vulnerability allows for the execution of a malicious applet within the browser, which then results in the execution of arbitrary code (to install malware).

As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or are self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be told before an applet is run.

Since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

However, questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, told Reuters that “We don’t dare to tell users that it’s safe to enable Java again.”

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7, the custodians of Metasploit.

In Brief: Microsoft, Google and Mozilla all block digital certificate issued by intermediate certificate authority of TURKTRUST

(LiveHacking.Com) – Microsoft, Google and Mozilla have all removed the trust of certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What has happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as a root CA, so anyone who has one can use it to create a certificate for any website. A fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

Two Critical-level bulletins to be released by Microsoft on Tuesday, IE 8 patch not included

(LiveHacking.Com) – Microsoft is preparing to release seven security bulletins next week; two Critical and five Important. In total they address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

There is no news on when Microsoft plans to patch the zero day vulnerability and exploit in Internet Explorer that was discovered during the holidays. Until it is fixed, Microsoft has issued a Fix It. The vulnerability was discovered when FireEye was investigating reports that the Council on Foreign Relations (CFR) website had been compromised. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8 and that there are a small number of targeted attacks happening in the wild.

The first Critical bulletin affects all supported versions of Windows (including Windows 8), Office 2003 & 2007 and some server software. The second is for Windows 7 and Windows Server 2008 R2 only. Both critical bulletins address vulnerabilities that would enable an attacker to remotely execute code on a vulnerable Windows machine.

Windows 8 RT, the version of Windows that runs on the ARM processor used, among others, on Microsoft’s Surface tablet, is also affected by the first Critical bulletin and at least three of the Important-level ones.

The Important-level bulletins address vulnerabilities that could allow privilege escalations, vulnerabilities that could allow security features to be bypassed or vulnerabilities which could allow attackers to start a denial of service attack.

Microsoft plans to release the bulletins on the second Tuesday of the month, at approximately 10 a.m. PST.

Imperva says anti-virus spend not proportional to effectiveness

(LiveHacking.Com) – The business security firm Imperva has conducted a study together with students from The Technion – Israel Institute of Technology into the effectiveness of anti-virus products and come up with some startling numbers. According to the report, only 5% of new viruses are detected with the existing techniques used by anti-virus products. In time the anti-virus vendors do update their signature databases but, put simply, the majority of anti-virus products can’t keep up with the rate of virus creation and propagation.

What this means is that if the detection of new, previously unknown viruses is used as the measure of success then consumers and businesses are spending a total of $7.4 billion a year on anti-virus products that don’t work. A lot of this spend comes from enterprises attempting to adhere to some compliance standard. Imperva suggests that relaxing anti-virus compliance standards could free money which could be spent on other security software.

“One reason why security budgets devote too much money to antivirus is compliance. Easing the need for AV could free up money for more effective security measures,” wrote Imperva in the report.

Imperva recommends that existing anti-virus software should remain in place, but that security teams should use more resources on identifying aberrant behavior such as unusually fast access speeds or large volume of downloads.

The report also noted that the best way for a piece of malware to have long-term success was to shun popularity. Anti-virus products are much better at detecting malware that spreads quickly, as that malware appears quickly on the radar of the anti-virus companies. However, malware which has a limited distribution (such as government-sponsored attacks) usually has a prolonged window of opportunity.

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2749920 to include new information about the official Fix It that the company said it would release. The Fix It, which is a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. If the vulnerability is triggered the browser will now just crash. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.