Archive for June, 2013

Digital warfare and worldwide cyber attack rates are on the rise, making the protection of corporate networks more crucial than ever.

Databases are a key target for cybercriminals due to the often valuable nature of the sensitive information locked away inside. Whether the data is financial or holds intellectual property and corporate secrets, hackers worldwide can profit from breaching a business’s servers and plundering its databases.

According to a new report issued by Dark Reading, there are a number of key security failures that cybercriminals take advantage of. However, it is often the staff of an enterprise — database developers, administrators and the like — who create the environment necessary for attacks to gain access to data.

The researchers say that the top ten vulnerabilities often found in database-driven systems, whether during the creation phase, through the integration of applications or when updating and patching, are:

1. Deployment Failures

The most common cause of database vulnerabilities is a lack of due care at the moment they are deployed. Although any given database is tested for functionality, to make sure it is doing what it is designed to do, very few checks are made to confirm that the database is not doing things it should not be doing.

2. Broken databases

The SQL Slammer worm of 2003 was able to infect more than 90 percent of vulnerable computers within 10 minutes of its release, taking down thousands of databases in minutes. The worm took advantage of a bug discovered in Microsoft’s SQL Server database software the previous year; a fix was available, but few system administrators installed it, leaving computers vulnerable.

The worm’s success in exploiting a buffer-overflow vulnerability demonstrates how critical it is to install security patches and fixes. However, whether for lack of time or resources, not enough businesses keep their systems regularly patched, leaving databases vulnerable.

3. Data leaks

Databases may be considered a “back end” part of the office, secure from Internet-based threats (and so their data does not have to be encrypted), but this is not the case. Databases also expose a network interface, and hackers are able to capture that traffic and exploit it. To avoid such a pitfall, administrators should use SSL- or TLS-encrypted communication.

4. Stolen database backups

External attackers who infiltrate systems to steal data are one threat, but what about those inside the corporation? The report suggests that insiders are also likely to steal archives — including database backups — whether for money, profit or revenge. This is a common problem for the modern enterprise, and businesses should consider encrypting archives to mitigate the insider risk.

5. The abuse of database features

The research team says that over the past three years, every database exploit they’ve seen has been based on the misuse of a standard database feature. For example, a hacker can gain access through legitimate credentials before forcing the service to run arbitrary code. Although complex, in many cases, this access was gained through simple flaws that allow such systems to be taken advantage of or bypassed completely. Future abuse can be limited by removing unnecessary tools — not by destroying the possibility of zero-day exploits, but by at least shrinking the surface area hackers can study to launch an attack.

6. A lack of segregation

The separation of administrator and user powers, as well as the segregation of duties, can make fraud or theft by internal staff more difficult. In addition, limiting the power of user accounts may give a hacker a harder time in taking complete control of a database.

7. Hopscotch

Rather than taking advantage of a buffer overflow and gaining complete access to a database in the first stage, cybercriminals often play a game of Hopscotch: finding a weakness within the infrastructure that can be used as leverage for more serious attacks until they reach the back-end database system. For example, a hacker may worm their way through your accounts department before hitting the credit card processing arena. Unless every department has the same standard of control, creating separate administrator accounts and segregating systems can help mitigate the risk.

8. SQL injections

A popular method for hackers, SQL injection remains a critical problem in the protection of enterprise databases. Applications are attacked by injections, and the database administrator is left to clean up the mess caused by unclean variables and malicious code inserted into strings that are later passed to an instance of SQL server for parsing and execution. The best ways to protect against these threats are to protect web-facing databases with firewalls and to test input variables for SQL injection during development.
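As an added illustration (not from the Dark Reading report), here is the “unclean variable” pattern described above beside its parameterized fix, run in Python against a constructed in-memory SQLite table; the test string is the kind of single-quote input a development-time injection test feeds into every variable.

```python
import sqlite3

def make_db():
    """Constructed sample database standing in for an enterprise back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return conn

def lookup_vulnerable(conn, username):
    """Unclean variable: the caller's string is pasted into the SQL text, so a
    quote inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter, so the driver only
    ever compares it as data and it cannot change the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))

def demo():
    """Run both lookups on a benign name and on a constructed test string
    containing a stray quote, and return the four result sets."""
    conn = make_db()
    benign = "bob"
    suspicious = "x' OR '1'='1"   # constructed test input with an embedded quote
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_suspicious": lookup_vulnerable(conn, suspicious),
        "param_benign": lookup_parameterized(conn, benign),
        "param_suspicious": lookup_parameterized(conn, suspicious),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every user for the quoted input, while the parameterized query returns nothing because no username equals that literal string.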

9. Sub-standard key management

Key management systems are meant to keep keys safe, but the research team often found encryption keys stored on company disk drives. Database administrators sometimes falsely believe these keys have to be left on the disk because of database failures, but this isn’t true — and placing such keys in an unprotected state can leave systems vulnerable to attack.

10. Database inconsistencies

Finally, the researchers found that the common thread which brings all of these vulnerabilities together is a lack of consistency, which is an administrative rather than database technology problem. System administrators and database developers need to develop a consistent practice in looking after their databases, staying aware of threats and making sure that vulnerabilities are taken care of. This isn’t an easy task, but documentation and automation to track and make changes can ensure that the information contained in enterprise networks is kept secure.

Source : darkreading.com


A serious security vulnerability was recently discovered in Samsung’s flagship Galaxy S4 device; researchers claim that attackers can use it to silently send text messages.

Qihoo 360 Technology, an antivirus company based in China, said that this particular vulnerability is related to the “cloud backup” feature of Galaxy S4, which is not properly protected and can be abused.

The vulnerability was first discovered on June 17 and has already been reported to Samsung; the company is in the process of developing an official update to fix it.

A rogue mobile application could contain code exploiting the vulnerability to send fraudulent scam text messages ordering premium-rate services, the firm said.

By exploiting the vulnerable cloud backup feature, malware could assume the identity of any contact, friend, relative or organization when faking phishing SMS messages. When these phishing SMS messages are received, users may be tricked into clicking fraudulent links or disclosing sensitive personal information.

Qihoo recommends that S4 users temporarily disable the cloud backup feature when it is not in use. Qihoo 360 has also released a temporary fix, which can be deactivated once the security flaw has been patched.

Source : THN

A global cyber espionage campaign using surveillance malware called “NetTraveler” has affected over 350 high-profile victims in 40 countries.

Kaspersky Lab’s team of experts published a new research report about NetTraveler, a family of malicious programs used by APT cyber crooks. The main targets of the campaign, which has been running since 2004, are Tibetan/Uyghur activists, government institutions, contractors and embassies, as well as the oil and gas industry.

Spear-phishing emails were used to trick targets into opening malicious documents. The attackers are using two vulnerabilities in Microsoft Office, Exploit.MSWord.CVE-2010-333 and Exploit.Win32.CVE-2012-0158, which have been patched but remain highly popular on the hacking scene, and have run NetTraveler alongside other malware.

C&C servers are used to install additional malware on infected machines and to exfiltrate stolen data; more than 22 gigabytes of stolen data were found stored on NetTraveler’s C&C servers.

According to the researchers, the largest number of samples they observed were created between 2010 and 2013. The largest number of infections has been spotted in Mongolia, India and Russia, with further infections in China, South Korea, Germany, the US, Canada, the UK, Austria, Japan, Iran, Pakistan, Spain and Australia.

Source : Kaspersky

Finally, after 3 long years, our favorite weapon of choice got an update. A lot of fixes and improvements to all tools and documentation have been made. In addition, a few new tools and scripts, including a distributed cracking tool, are also included. The complete changelog can be viewed below.

Complete Aircrack-ng Changelog Version 1.2 beta 1
Version 1.2-beta1 (changes from aircrack-ng 1.1) – Released 25 May 2013:

Airmon-ng: Added chipset information for ar9170usb, wl, rt2800usb, ar9271, wl12xx, RT3070STA, ath9k_htc, r871x_usb_drv, ath5k, carl9170 and various Intel drivers.
Airmon-ng: Fixed chipset information ipw2200.
Airmon-ng: Fixed output for r8187 driver.
Airmon-ng: Improved chipset information for a few drivers.
Airmon-ng: Support for displaying information about ath9k.
Airmon-ng: Added ‘check kill’ to automatically kill services that could interfere.
Airmon-ng: Fixed issues with Intel chipsets detection.
Airmon-ng: Updated iw download link.
Airmon-ng: Better mac80211 handling
Airmon-ng: Added detection for WiLink TI driver, rtl819xU, iwlwifi.
Airmon-zc: Improved version of Airmon-ng with more detailed information.
Airdecap-ng: Fixed decoding QoS frames (Closes: #667 and #858).
Airgraph-ng: Use Aircrack-ng Makefile instead of its own.
Airbase-ng: Fixed bug using clients list.
Airbase-ng: Fixed issue with QoS (ticket #760).
Airbase-ng: Fixed sending beacons with null SSID.
Airbase-ng: Allow non-ASCII ESSID.
Airodump-ng: Fixed buffer overflow (ticket #728).
Airodump-ng: Fixed channel parsing.
Airodump-ng: Fixed FreeBSD battery reading.
Airodump-ng: Renamed “Packets” column to “Frames” (“Packets” was not correct).
Airodump-ng: Fixed XML bugs when outputting NetXML: ESSID containing ‘&’ or Chinese characters, when multiple encryptions are used.
Airodump-ng: Add alternative paths for Airodump-ng OUI file.
Airodump-ng: Added GPSd 2.92+ support (JSON).
Airodump-ng: Add option --manufacturer to display manufacturer column on airodump-ng.
Airodump-ng: Add feature to show APs uptime (--uptime) based on the timestamp.
Airodump-ng-OUI-update: Fixed OUI URL and allow CURL redirect (ticket #829).
Airdrop-ng: removed .py from file names.
Airdrop-ng: Fixed bug in installer.
Airdrop-ng: Fixed OUI lookup.
Airdrop-ng: Fixed bug when several BSSID have the same ESSID.
Airdrop-ng: Doesn’t constantly parse anymore, wait 5 seconds each time it parses.
Airdrop-ng: Fixed crash when failing to get channel or when rules file didn’t exist.
Airdrop-ng: Fixed to use lorcon.py/lorcon2 libs.
Airdrop-ng: Updated README.
Airdrop-ng: Fixed error preventing update to work.
Versuck-ng: New script to do the same thing as the kismet autowep plugin from the CLI.
Aircrack-ng: Fixed counter display error when cracking WPA.
Aircrack-ng: Added output of the WPA handshake to EWSA project file.
Aircrack-ng: Added output of the WPA handshake to oclhashcat+ project file.
Aircrack-ng: Added benchmark option, -S.
Aircrack-ng: Fixed -u option.
Aircrack-ng: PIC fix for hardened systems from Francisco Blas Izquierdo Riera (klondike)
Aircrack-ng: Allow dictionaries larger than 2Gb.
Aircrack-ng: Give a better message when there’s an error with the dictionary.
Aircrack-ng: Prevent a buffer overflow from happening (Wojciech Waga).
Aireplay-ng: Added migration mode attack from Leandro Meiners and Diego Sor from Core Security (BlackHat Las Vegas 2010)
Aireplay-ng, Airodump-ng: Added option to ignore issue with -1 channel.
Airserv-ng: Fixed crash when clients disconnect.
Besside-ng-crawler: Added EAPOL Crawler.
Airdecloak-ng: Fixed bug when using pcap files with PPI headers.
dcrack: Distributed cracking server/client
wifi-detect.sh: reference script for testing wifi card detection using iwconfig vs ls /sys/class/net
WPA Clean: Tool to merge and clean WPA capture files.
Wireless Panda: C# Library to parse Airodump-ng output files (and added example project).
OSdep (Linux): Setting fixed bitrates on mac80211 2.6.31 and up.
OSdep (Linux): Added support for nl80211 thanks to impulse32. Use ‘make libnl=true’ to add netlink support (Ticket #1004).
Manpages: Improvement and fixes for Airgraph-ng, Airodump-ng, packetforge-ng, Aircrack-ng
Manpages: Fixed various spelling issues and single quote issues.
Makefiles: Added tests for the different tools.
Makefiles: Various fixes and improvements.
Makefiles: Added support for libgcrypt instead of OpenSSL via parameter.
Patches: Added a few patches.
Removed useless script: patchchk.
Finally fixed licensing issues.
Fixed endianness issues in most of the tools.
Fixed cppcheck errors (Ticket #957).
Fixed various compilation issues on Linux and Cygwin, GNU/Hurd, Darwin (OSX) and Sparc.
Fixed compilation on recent gcc versions on Linux, Cygwin.
Added instructions for Travis CI: Free Hosted Continuous Integration Platform for the Open Source Community.
Various other small bug fixes.