Weekend Vulnerability and Patch Report, January 28, 2011

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Opera 11.01. Opera has updated its browser after several vulnerabilities were reported that allow a cyber criminal to steal sensitive information and take control of a user’s workstation. The update is available at this link.

iTunes 10.1.2: Apple has updated iTunes. The update includes several important stability and performance improvements.

RealPlayer 14.0.2: A vulnerability has been reported in RealPlayer which can be exploited by cyber criminals to take control of a user’s computer. The vulnerability is reported in versions 14.0.1 and prior, SP 1.1.5 and prior, and 11.1 and prior. More information is available on the RealPlayer Knowledge Base.

Symantec Products: Numerous critical vulnerabilities have been reported in Symantec AntiVirus Corporate Edition Server 10.x and Symantec System Center 10.x. Readers whose organizations use Symantec corporate products should notify IT staff of the availability of version 10.1 MR10.

Citrix Update: CERT is reporting vulnerabilities in various editions of the Citrix Access Gateway. If your organization uses Citrix, advise your IT staff to upgrade. IT staff can get more information on the National Vulnerability Database.

WordPress Vulnerabilities: Several vulnerabilities in WordPress plugins have been announced this week. If your web site is developed in WordPress, advise your web master to apply the needed updates.

Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has warned in an Advisory that cyber criminals have published instructions for exploiting a previously unknown security vulnerability in all versions of Windows. The exploit can be used to steal user data or take control of a user’s workstation. While the flaw resides in Windows, it manifests in Internet Explorer. According to KrebsOnSecurity, the vulnerability does not impact other browsers such as Firefox and Chrome. Microsoft has said that they may issue a patch for this vulnerability. In the meantime, Microsoft has made available a “FixIT” tool to help strengthen the way Windows handles MHTML documents. To enable that fix, visit this link and click the FixIT icon.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week’s important updates and newly discovered vulnerabilities. It is not intended to be a thorough listing of these.

Wikileaks Serves as Reminder of Dangers of Peer to Peer (P2P) Networks

A few days ago, the security firm Tiversa announced that Wikileaks obtained private and classified documents from peer to peer (P2P) networks. Tiversa, which specializes in monitoring P2P networks, stated that Wikileaks obtained a portion of the documents it released last November by searching popular file sharing services like Kazaa and Limewire—an allegation that Wikileaks vigorously denies. Notwithstanding, the security firm provides further evidence that many documents from earlier leaks were similarly sourced.

In an article from Wired Magazine, Tiversa CEO Robert Boback suggests that over the past several years, Wikileaks might have obtained up to half of its documents from popular music and file sharing networks.

We’ve warned against P2P networks on numerous occasions; this story brings the point home in a way with national security consequences. Assuming Tiversa’s findings are accurate, simple file searches on P2P applications have disclosed sensitive documents from organizations like the Pentagon and the Department of Defense.

It should serve as a reminder even to smaller organizations that allowing P2P software like Kazaa and Gnutella puts them at significant risk. The risk includes not just the loss of sensitive information, but subsequent legal and regulatory costs as well. It cost a company we know more than $150,000 to respond to an FTC investigation following the loss of employee social security numbers via a P2P leak.

It’s not enough for an organization to prohibit P2P at work. In the situation leading to the FTC investigation, social security numbers were lost when an employee with a P2P application on his home computer accessed a corporate file from home.

Two Takeaways from WikiLeaks and P2P:

  1. Management should prohibit P2P applications at work.
  2. Management should make their employees aware of the dangers of P2P at home and deny remote access to a home computer unless there is assurance that there is no P2P software on the home computer.

Cyber Criminals Take Control of High-Profile Government Websites, Demonstrate Website Security Weaknesses

KrebsOnSecurity turned us on to this story, first reported by the security vendor Imperva.

A cyber criminal seems to have easily gained access to many high-profile government, educational, and military websites. By using simple SQL injection vulnerabilities, he claims to have full control of over a dozen such sites and has been attempting to sell his access online for prices ranging from $55 to $500. Hacked websites include cecom.army.mil, the South Carolina National Guard, the official Italian Government Website, several major universities, and many others. Imperva speculates that he is probably offering access credentials and administrator URLs.

They also report that he is selling personally identifiable information (PII) for $20 per thousand records.

Spammers often buy this kind of site access to inundate highly ranked pages with links to questionable commercial operations. Others may want PII for more nefarious purposes.

The story demonstrates how easy it is for cyber criminals to break into poorly coded websites, especially when search boxes and other input forms are linked to backend databases. As such, it should serve as a reminder to every organization with a website to take the basic steps to secure their site from these basic kinds of attacks.
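As an added illustration of what “search boxes linked to backend databases” means in practice (example code written for this page, not from the original post or from Imperva’s report): the in-memory SQLite table and the two search functions below are constructed for the example. The first pastes the user’s search term into the SQL text, so a stray quote in the input reaches the database’s SQL parser; the second binds the term as a parameter, so it can only ever be data.

```python
import sqlite3

# Constructed sample data standing in for a site's backend database.
# "published = 0" rows are the ones a public search box must never return.
SAMPLE_ROWS = [
    ("Budget report", 1),
    ("O'Brien interview", 1),
    ("Draft report (internal)", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles (title, published) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    # Poorly coded site: the search term is concatenated into the query text.
    # Anything the user types is interpreted by the SQL parser, not just matched.
    sql = f"SELECT title FROM articles WHERE published = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # Parameterized query: the driver sends the term separately from the SQL,
    # so quotes in the input are ordinary characters to match against.
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def input_reaches_parser(conn, term):
    # Defender's check: if a harmless apostrophe makes the query fail, user input
    # is being treated as SQL and the form needs the parameterized version.
    try:
        search_vulnerable(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_hardened(db, "O'Brien"))        # ["O'Brien interview"]
    print(input_reaches_parser(db, "O'Brien"))   # True: the apostrophe broke the query
```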

Weekend Vulnerability and Patch Report, January 21, 2011

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Linksys WRT54GC: A moderately critical vulnerability has been reported in this popular wireless router. The vulnerability can be exploited by cyber criminals to take control of the router. This could lead to theft of information and other problems. The vulnerability has been corrected in firmware version 1.06.1. Information on updating the firmware is available on the Linksys web site.

Important Vulnerabilities.

New Twitter Worm: A new worm has surfaced on Twitter that directs users to fake anti-virus software. Users clicking on malicious links are taken to a Web site that claims their computer has been infected by a virus. The site encourages them to download what it says is anti-virus protection but is actually malicious code. The worm is similar to the goo.gl worm that hit Twitter in early December. The worm is a reminder to always exercise caution when following links in Twitter posts, Facebook, LinkedIn, and emails. You don’t even want to land on these malicious web sites, as they often download and install malicious software without the user having to take any action. Once a machine is infected, recovery can sometimes require rebuilding the user’s entire hard drive.

Firefox Add-Ons: Firefox has recommended disabling the following two add-ons:

  • Skype Extension. Reason: high volume of crashes and severe performance issues
  • Bing Bar for Firefox. Reason: security issue, blocked at Microsoft’s request

Microsoft Vulnerabilities: Several critical zero-day vulnerabilities still remain in the Microsoft suite of programs. See last week’s Report.

VLC Media Player: Still not updated. See last week’s report.

© Copyright 2011. Citadel Information Group. All Rights Reserved.

Stan Stahl Ph.D. January 23, 2011. Filed in Security Alert: Vulnerability Management.

What Does Stuxnet Say About the Future of Cyber Warfare?

Last July we started following Stuxnet, a sophisticated worm that targets industrial computer controllers manufactured by the German engineering conglomerate Siemens. Siemens is the world’s largest manufacturer of Supervisory Control and Data Acquisition (SCADA) systems, which control the machinery involved in industrial and infrastructure processes, including water treatment facilities, power plants, and factories. Last summer, no one knew who was behind Stuxnet or what its intended purpose was. Then, in November, Iranian uranium enrichment facilities suffered a major setback when nearly 1000 centrifuges were destroyed by the malware.

Earlier this week, The New York Times published a compelling article attributing the creation of Stuxnet and its highly targeted attack on Iran’s uranium enrichment program to a joint effort between the Israeli and US governments. The article concludes that the sophistication of the code and its high level of precision would have required resources and knowledge well beyond the reach of any private operation:

“The worm itself now appears to have included two major components.  One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.”

However, an article from eSecurity Planet last Tuesday questioned the sophistication of Stuxnet as a whole, noting that while the core program in Stuxnet is highly sophisticated, the dropper component that actually targets and infects networks and machines reflects only an amateur level of sophistication. This, in addition to the multiple versions of Stuxnet floating around, suggests that the malware was developed by several different groups over a period of two or three years. Perhaps, as the eSecurity article speculates, the advanced parts of Stuxnet were written by a third party and sold to the programmers who “put the wrapper around it.” The very fact that we know as much as we do about Stuxnet suggests that key elements of its design were not highly sophisticated.

In spite of the imperfections in Stuxnet’s design, the backstory involving Siemens’s vulnerability testing in collaboration with the US Government, the sophisticated insider knowledge required to pull off such an attack, and the political expediency of doing so make a strong case for US and Israeli backing. In addition, the Times contends that Stuxnet was actually tested at Israel’s Dimona nuclear weapons development facility in the Negev. The cumulative result: it now appears that Iran’s nuclear enrichment program has been set back by several years.

Of course, we are also attentive to what Stuxnet means for cyber security management and cyber warfare as an emerging reality.

Last Monday, The Data Center Journal published an article describing Stuxnet as the first known form of weaponized malware ever developed. They report:

“The traditional, malicious approach to damaging the [Iranian] facility would have been to use a conventional weapon (i.e., a bomb). The astonishing difference is that this malware was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. In other words, this was malware designed specifically to accomplish the work of a weapon. It has therefore earned the nefarious classification of weaponized malware.”

The article goes on to scrutinize how Stuxnet gained access to its target systems by exploiting up to four zero-day vulnerabilities in Microsoft operating systems and using digital certificates to authenticate itself. It then analyzes the risk management landscape this malware portends:

“It is unquantified and unmanaged risk that allows Stuxnet to propagate and operate on a network. This situation represents bad management practice of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact, poor management in some cases creates an exploitation opportunity.”

From a management perspective, Stuxnet certainly emphasizes the vital importance of robust and forward thinking security management policies.

How worried should we be about malware like Stuxnet disrupting infrastructure here in the US? eSecurity Planet’s reporting echoes that of The Data Center Journal in suggesting that protecting SCADA systems demands strong security management policies and physical perimeters—measures that were either poorly developed or easily subverted in Iran. In general, US security measures are more sophisticated, and it is generally considered unlikely that Stuxnet itself would be able to infiltrate a high security US facility.

What exactly Stuxnet says about the future of cyber warfare in the 21st century, and our vulnerability on that front, is still an unfolding story. What we can say is that we have entered an era in which highly sophisticated and covert software, likely developed or funded by governments, can destroy physical targets with a precision equal to or greater than a mechanical weapon.

ISSA-LA and the Los Angeles OWASP Chapter will be co-hosting a Stuxnet update and demonstration on March 17th. More information will be posted on the organizations’ websites as we get closer to March.

Stan Stahl Ph.D. January 22, 2011. Filed in Cyber Security Management, national security, Security management.