Daily Archives: May 4, 2020

Podcast Episode 6: Taking Over IoT Devices with MQTT

Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices. Spotify: https://open.spotify.com/episode/5wXKv9DiQjfsZNf6heXg67 Stitcher: […]… Read More

The post Podcast Episode 6: Taking Over IoT Devices with MQTT appeared first on The State of Security.

Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2

This is the sixth blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

COVID-19 and the SOC

Before we conclude the day in the life, we thought we would share an analyst’s eye view of the impact of COVID-19. Our analysts are mostly working from home now and our cloud based tooling approach enabled this transition to go pretty smoothly. The differences in attacks we have seen are mostly in the early stages of an attack with phishing lures designed to exploit emotions related to the current pandemic and increased focus on home firewalls and routers (using techniques like RDP brute-forcing attempts and DNS poisoning—more here). The attack techniques they attempt to employ after that are fairly consistent with what they were doing before.

A day in the life—remediation

When we last left our heroes in the previous entry, our analyst had built a timeline of the potential adversary attack operation. Of course, knowing what happened doesn’t actually stop the adversary or reduce organizational risk, so let’s remediate this attack!

  1. Decide and act—As the analyst develops a high enough level of confidence that they understand the story and scope of the attack, they quickly shift to planning and executing cleanup actions. While this appears as a separate step in this particular description, our analysts often execute on cleanup operations as they find them.

Big Bang or clean as you go?

Depending on the nature and scope of the attack, analysts may clean up attacker artifacts as they go (emails, hosts, identities) or they may build a list of compromised resources to clean up all at once (Big Bang)

  • Clean as you go—For most typical incidents that are detected early in the attack operation, analysts quickly clean up the artifacts as we find them. This rapidly puts the adversary at a disadvantage and prevents them from moving forward with the next stage of their attack.
  • Prepare for a Big Bang—This approach is appropriate for a scenario where an adversary has already “settled in” and established redundant access mechanisms to the environment (frequently seen in incidents investigated by our Detection and Response Team (DART) at customers). In this case, analysts should avoid tipping off the adversary until full discovery of all attacker presence is discovered as surprise can help with fully disrupting their operation. We have learned that partial remediation often tips off an adversary, which gives them a chance to react and rapidly make the incident worse (spread further, change access methods to evade detection, inflict damage/destruction for revenge, cover their tracks, etc.).Note that cleaning up phishing and malicious emails can often be done without tipping off the adversary, but cleaning up host malware and reclaiming control of accounts has a high chance of tipping off the adversary.

These are not easy decisions to make and we have found no substitute for experience in making these judgement calls. The collaborative work environment and culture we have built in our SOC helps immensely as our analysts can tap into each other’s experience to help making these tough calls.

The specific response steps are very dependent on the nature of the attack, but the most common procedures used by our analysts include:

  • Client endpoints—SOC analysts can isolate a computer and contact the user directly (or IT operations/helpdesk) to have them initiate a reinstallation procedure.
  • Server or applications—SOC analysts typically work with IT operations and/or application owners to arrange rapid remediation of these resources.
  • User accounts—We typically reclaim control of these by disabling the account and resetting password for compromised accounts (though these procedures are evolving as a large amount of our users are mostly passwordless using Windows Hello or another form of MFA). Our analysts also explicitly expire all authentication tokens for the user with Microsoft Cloud App Security.
    Analysts also review the multi-factor phone number and device enrollment to ensure it hasn’t been hijacked (often contacting the user), and reset this information as needed.
  • Service Accounts—Because of the high risk of service/business impact, SOC analysts work with the service account owner of record (falling back on IT operations as needed) to arrange rapid remediation of these resources.
  • Emails—The attack/phishing emails are deleted (and sometimes cleared to prevent recovering of deleted emails), but we always save a copy of original email in the case notes for later search and analysis (headers, content, scripts/attachments, etc.).
  • Other—Custom actions can also be executed based on the nature of the attack such as revoking application tokens, reconfiguring servers and services, and more.

Automation and integration for the win

It’s hard to overstate the value of integrated tools and process automation as these bring so many benefits—improving the analysts daily experience and improving the SOC’s ability to reduce organizational risk.

  • Analysts spend less time on each incident, reducing the attacker’s time to operation—measured by mean time to remediate (MTTR).
  • Analysts aren’t bogged down in manual administrative tasks so they can react quickly to new detections (reducing mean time to acknowledge—MTTA).
  • Analysts have more time to engage in proactive activities that both reduce organization risk and increase morale by keeping them focused on the mission.

Our SOC has a long history of developing our own automation and scripts to make analysts lives easier by a dedicated automation team in our SOC. Because custom automation requires ongoing maintenance and support, we are constantly looking for ways to shift automation and integration to capabilities provided by Microsoft engineering teams (which also benefits our customers). While still early in this journey, this approach typically improves the analyst experience and reduces maintenance effort and challenges.

This is a complex topic that could fill many blogs, but this takes two main forms:

  • Integrated toolsets save analysts manual effort during incidents by allowing them to easily navigate multiple tools and datasets. Our SOC relies heavily on the integration of Microsoft Threat Protection (MTP) tools for this experience, which also saves the automation team from writing and supporting custom integration for this.
  • Automation and orchestration capabilities reduce manual analyst work by automating repetitive tasks and orchestrating actions between different tools. Our SOC currently relies on an advanced custom SOAR platform and is actively working with our engineering teams (MTP’s AutoIR capability and Azure Sentinel SOAR) on how to shift our learnings and workload onto those capabilities.

After the attacker operation has been fully disrupted, the analyst marks the case as remediated, which is the timestamp signaling the end of MTTR measurement (which started when the analyst began the active investigation in step 2 of the previous blog).

While having a security incident is bad, having the same incident repeated multiple times is much worse.

  1. Post-incident cleanup—Because lessons aren’t actually “learned” unless they change future actions, our analysts always integrate any useful information learned from the investigation back into our systems. Analysts capture these learnings so that we avoid repeating manual work in the future and can rapidly see connections between past and future incidents by the same threat actors. This can take a number of forms, but common procedures include:
    • Indicators of Compromise (IoCs)—Our analysts record any applicable IoCs such as file hashes, malicious IP addresses, and email attributes into our threat intelligence systems so that our SOC (and all customers) can benefit from these learnings.
    • Unknown or unpatched vulnerabilities—Our analysts can initiate processes to ensure that missing security patches are applied, misconfigurations are corrected, and vendors (including Microsoft) are informed of “zero day” vulnerabilities so that they can create security patches for them.
    • Internal actions such as enabling logging on assets and adding or changing security controls. 

Continuous improvement

So the adversary has now been kicked out of the environment and their current operation poses no further risk. Is this the end? Will they retire and open a cupcake bakery or auto repair shop? Not likely after just one failure, but we can consistently disrupt their successes by increasing the cost of attack and reducing the return, which will deter more and more attacks over time. For now, we must assume that adversaries will try to learn from what happened on this attack and try again with fresh ideas and tools.

Because of this, our analysts also focus on learning from each incident to improve their skills, processes, and tooling. This continuous improvement occurs through many informal and formal processes ranging from formal case reviews to casual conversations where they tell the stories of incidents and interesting observations.

As caseload allows, the investigation team also hunts proactively for adversaries when they are not on shift, which helps them stay sharp and grow their skills.

This closes our virtual shift visit for the investigation team. Join us next time as we shift to our Threat hunting team (a.k.a. Tier 3) and get some hard won advice and lessons learned.

…until then, share and enjoy!

P.S. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b), Mark’s List (https://aka.ms/markslist), and our new security documentation site—https://aka.ms/securitydocs. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Mark on LinkedIn or Twitter.

The post Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2 appeared first on Microsoft Security.

Now Is the Time for Government Agencies to up Their AppSec Game

When it comes to application security (AppSec), Forrester???s report, The State of Government Application Security, 2020, ツ?establishes that the government sector is falling behind other industries. And given the nature and quantity of consumer information housed by government agencies, government applications are a prime target for cyberattacks. It???s no wonder only 18 percent1 of consumers are confident that the federal government is able to secure the personal data of its citizens.

On top of existing concerns related to the government???s security measures, recent global events should also prompt government agencies to evaluate their AppSec solutions. In the past few months, state and federal agencies have been tasked with collecting patient data related to the COVID-19 pandemic and creating new applications for the stimulus relief package. This influx of data is coming at a very vulnerable time ??? cyber attackers are taking advantage of the fact that IT systems and processes are stretched thin. But it???s not too late for governments to make a change. There are several best practices that, if implemented properly, can help them stay secure. ツ?

Step one is implementing prerelease scans, like static analysis, to detect flaws earlier in the software development lifecycle and remediate faster. According to Veracode???s State of Software Security Industry Snapshot, most government agencies are only scanning their applications 12 times a year. As a result, government agencies have accumulated a significant amount of security debt. If they start scanning earlier, and more frequently, governments can find and remediate flaws faster and reduce their security debt.

Step two is embracing DevSecOps practices. With DevSecOps, security shifts to the beginning of the development process. This concept helps save time and money because security flaws and vulnerabilities are recognized and addressed prior to deployment. But embracing DevSecOps is not just about adding prerelease scans, it is about strategically implementing prerelease tools. For example, consider integrating the scans into the developers existing tools and processes and automating the scans. The easier it is for the developer to scan, the more applications will be scanned. And, given the current challenges our world is facing, having your scans automated ensures that your business won???t miss a beat.ツ?

To learn more ways that government entities can better secure their software, download our webinar, The State of Government Application Security. ツ?

ツ?

1 Consumer Technographicsツョ North American Healthcare Online Benchmark Recontact Survey 1, 2019 (US), Forrester Research, Inc.

What Caused the SBA Flaw that Exposed Business Owners’ Personal Info?

Current events are reshaping the way we live our everyday lives, and taking a heavy toll on the business world, with organizations of all sizes feeling financial disruption. Business continuity is more essential than ever during the pandemic; not just for customers who rely on products and services, but also for companies that need to keep funds flowing.

This has, foreseeably, led to thousands of loan applications for the Small Business Administration (SBA) in the United States, placing an overwhelming demand on the Economic Injury Disaster Loan Emergency (EIDL) program. The program currently provides up to $10,000 in financial assistance to small businesses suffering financial loss from the pandemic, but has unfortunately come with a security risk for some applicants seeking loans in order to maintain their business health.

During the recent influx of loan applications, the SBA acknowledged that the personal information of nearly 8,000 business owners might have been exposed to others accessing the program online. The flaw in the program simply required a user to hit the ???back??? button while in the loan application portal, which in some cases may have shown sensitive information belonging to another applicant.

Possible causes of the SBA flaw

While we can???t be certain which flaw is plaguing the SBA loan application system, we can make an educated guess based on similar behavior we???ve seen. Jamie Rougvie, a member of Veracode???s Manual Penetration Testing team, believes this flaw may be a combination of redirects and access control misconfigurations. Here is how this flaw may have impacted the SBA loan application process:

The Flaw

A company signs up to the loan portal and is given a unique Identity relating to that loan. Let???s say ???Company A??? signs up and gets a LoanID of 1. ???Company A??? then signs into the application and starts to fill in the application form. They then notice that they made a mistake on the previous page, so they click the back button within the application.

This back button then redirects them to the previous page. Now, let???s assume the code behind the button redirects them to the following URL:ツ? https://www.URL.com/application?LoanID=2 (it should be noted that on the Loan site this would be a more complex than a hard coded URL). We would assume that the value may be coming from a variable which is being dynamically changed based on a number of factors.

You can see here the LoanID has changed from 1 to 2. This means that instead of showing ???Company A??? data, it will attempt to show the data of LoanID 2 which is ???Company B.???

What should happen here is when ???Company A??? is redirected, a check should be done to make sure they have permission to access the page that they are being redirected to. If they have permissions to access the page, the redirect occurs. If they do not have permissions to access the page, either an error is displayed, or they are redirected elsewhere.

It seems like in this case no checks were performed on the request, and as such ???Company B???s??? data was displayed to ???Company A??? ??? meaning sensitive PII information was leaked on the webpage.

It???s not clear if ???Company A??? only had access to ???Company B???s??? data, or if this data changed each time a new request was made via the back button. This would mean that each time the back button was pressed, another company???s data would be leaked to a standard user. If an attacker found this type of flaw, they could within a small amount of time be able to obtain PII information of all companies in the loan application.ツ?ツ?ツ?ツ?ツ?

The seriousness of this issue depends on the type of application, and the information that is disclosed via the vulnerability. ???In an application like a loan website where the vast amount of information would be sensitive, this would be a critical severity issue and we would jump on call with the customer straight away to discuss the problem,??? Jamie further explains.

The SBA loan application issue potentially exposes sensitive information like an applicant???s name, Social Security Number, tax identification number, address, date of birth, financial insurance information, and more ??? which means a threat actor could then take that information and use it in any number of additional threats, like social engineering attacks or potential identity theft.

That???s why it???s important to stay one step ahead. Situations that entail building applications or websites quickly to amplify communication and provide services are not unique to current events; they should always involve security measures like regular scans and testing procedures. ???When you combine the power of Veracode automation tools and our MPT (Manual Penetration Testing) services, these types of issues can be identified early on and can be mitigated before pushing the application into production,??? Jamie explains.

Being proactive instead of reactive will set your organization up for preventative security measures so that you???re not faced with the cleanup that comes from worrisome vulnerabilities like IDOR and Session Management flaws.

Reducing risk with healthy AppSec

Cyberattacks and security threats are on the rise, which only amplifies vulnerabilities like the one we saw from the SBA in early April. Ultimately, this combination of rapid digital acceleration, and an uptick in cyberattacks, has left many organizations vulnerable. This situation stems in part from organizations adopting reactive, rather than preventative, security strategies.

What does preventative AppSec look like? Companies that are concerned about the health of their applications should scan early and scan often to identify problems before an issue arises. The mentality of shifting security left, bringing it into the development process sooner rather than later, can save money and time down the road. It helps eliminate security debt, too, which piles up over time and is carried as a constant risk from project to project. ツ?

Data from our 10th annual State of Software Security Report (SOSS) shows that when organizations scan their code frequently (more than 300 times a year), they carry five times lessツ?security debtツ?than those that scan the least.

Having a suite of SaaS solutions in the cloud to scan application code is essential for remote teams, but even more so today with entire companies going digital. Veracode???s application security solution combines five analysis types in one for a comprehensive look at your code as developers work. Every step of the way in the software development cycle (SDLC) ??? from the IDE to production ??? these scans ensure that your team is working smartly and efficiently to produce secure applications and stay ahead of potential issues.

And with hands-on training tools like Security Labs, developers are better equipped to write secure code, saving their organization from needing to remediate flaws down the road. Using Security Labs, software developers can exploit and fix an application in a contained environment with fast feedback, helping them learn in the languages that they need to know inside and out. Not only does it help developers satisfy compliance requirements, but also, they walk away with the training and skills needed to write more secure code and remediate flaws faster.

You don???t have to compromise between the race for swift deployment and the need for better application security. With the right tools and training, your organization and your team of developers will be well-equipped to handle what comes next as more of the world continues to take on a digital transformation and new security threats emerge.ツ?ツ?ツ?

McAfee Values Its Working Mothers Globally

working mothers

This Mother’s Day, and every day, McAfee recognizes all the hardworking mothers across our global workforce. We continue to make strides in our workplace culture, policies and programs to better serve working parents.

Dierdre, a project manager located in our Cork office, talks about her experience below on transitioning back to work at McAfee, wearing her newest hat as “Mom.”

“The minute I came back, everyone was so friendly. My manager has been so helpful. He was able to show me the ropes again and get me used to the systems and teams—he has been absolutely amazing.”

McAfee’s benefits continue to evolve to reflect the needs of working parents. We recently extended bonding leave for all new parents and continue to expand opportunities to transition back with our Return to Workplace program for those who have paused their careers to care for families. Traveling moms are also supported with a Milk Stork delivery service and McAfee has reserved parking spaces, onsite mother’s rooms and more.

Check out McAfee’s Inclusion & Diversity Report to learn more about the ways McAfee is serving working parents and building an inclusive workplace.

Interested in joining forces with us? Take a look at McAfee’s opportunities.

The post McAfee Values Its Working Mothers Globally appeared first on McAfee Blogs.

Government investigates data breach revealing details of 774,000 migrants

Guardian Australia on Sunday revealed SkillSelect app allowed users to see partial names of applicants for skilled visas

The home affairs and employment departments are investigating a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, despite playing down the seriousness of the breach.

On Sunday, Guardian Australia revealed the government’s SkillSelect app allowed users to see unique identifiers of applicants for skilled visas, including partial names, which could then be used through searches with multiple filters to reveal other information about applicants.

Related: Immigrants don't take Australian jobs. They create jobs for others | Jock Collins

Continue reading...

Mitigating vulnerabilities in endpoint network stacks

The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations are forced to adapt to the new environment created by the global crisis, it’s not a new imperative. Microsoft has been investing heavily in security, and over the years our commitment to building proactive security into products and services has only intensified.

To help deliver on this commitment, we continuously find ways to improve and secure Microsoft products. One aspect of our proactive security work is finding vulnerabilities and fixing them before they can be exploited. Our strategy is to take a holistic approach and drive security throughout the engineering lifecycle. We do this by:

  • Building security early into the design of features.
  • Developing tools and processes that proactively find vulnerabilities in code.
  • Introducing mitigations into Windows that make bugs significantly harder to exploit.
  • Having our world-class penetration testing team test the security boundaries of the product so we can fix issues before they can impact customers.

This proactive work ensures we are continuously making Windows safer and finding as many issues as possible before attackers can take advantage of them. In this blog post we will discuss a recent vulnerability that we proactively found and fixed and provide details on tools and techniques we used, including a new set of tools that we built internally at Microsoft. Our penetration testing team is constantly testing the security boundaries of the product to make it more secure, and we are always developing tools that help them scale and be more effective based on the evolving threat landscape. Our investment in fuzzing is the cornerstone of our work, and we are constantly innovating this tech to keep on breaking new ground.

Proactive security to prevent the next WannaCry

In the past few years, much of our team’s efforts have been focused on uncovering remote network vulnerabilities and preventing events like the WannaCry and NotPetya outbreaks. Some bugs we have recently found and fixed include critical vulnerabilities that could be leveraged to exploit common secure remote communication tools like RDP or create ransomware issues like WannaCry: CVE-2019-1181 and CVE-2019-1182 dubbed “DejaBlue“, CVE-2019-1226 (RCE in RDP Server), CVE-2020-0611 (RCE in RDP Client), and CVE-2019-0787 (RCE in RDP client), among others.

One of the biggest challenges we regularly face in these efforts is the sheer volume of code we analyze. Windows is enormous and continuously evolving 5.7 million source code files, with more than 3,500 developers doing 1,100 pull requests per day in 440 official branches. This rapid cadence and evolution allows us to add new features as well proactively drive security into Windows.

Like many security teams, we frequently turn to fuzzing to help us quickly explore and assess large codebases. Innovations we’ve made in our fuzzing technology have made it possible to get deeper coverage than ever before, resulting in the discovery of new bugs, faster. One such vulnerability is the remote code vulnerability (RCE) in Microsoft Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and fixed on March 12, 2020.

In the following sections, we will share the tools and techniques we used to fuzz SMB, the root cause of the RCE vulnerability, and relevant mitigations to exploitation.

Fully deterministic person-in-the-middle fuzzing

We use a custom deterministic full system emulator tool we call “TKO” to fuzz and introspect Windows components.  TKO provides the capability to perform full system emulation and memory snapshottting, as well as other innovations.  As a result of its unique design, TKO provides several unique benefits to SMB network fuzzing:

  • The ability to snapshot and fuzz forward from any program state.
  • Efficiently restoring to the initial state for fast iteration.
  • Collecting complete code coverage across all processes.
  • Leveraging greater introspection into the system without too much perturbation.

While all of these actions are possible using other tools, our ability to seamlessly leverage them across both user and kernel mode drastically reduces the spin-up time for targets. To learn more, check out David Weston’s recent BlueHat IL presentation “Keeping Windows secure”, which touches on fuzzing, as well as the TKO tool and infrastructure.

Fuzzing SMB

Given the ubiquity of SMB and the impact demonstrated by SMB bugs in the past, assessing this network transfer protocol has been a priority for our team. While there have been past audits and fuzzers thrown against the SMB codebase, some of which postdate the current SMB version, TKO’s new capabilities and functionalities made it worthwhile to revisit the codebase. Additionally, even though the SMB version number has remained static, the code has not! These factors played into our decision to assess the SMB client/server stack.

After performing an initial audit pass of the code to understand its structure and dataflow, as well as to get a grasp of the size of the protocol’s state space, we had the information we needed to start fuzzing.

We used TKO to set up a fully deterministic feedback-based fuzzer with a combination of generated and mutated SMB protocol traffic. Our goal for generating or mutating across multiple packets was to dig deeper into the protocol’s state machine. Normally this would introduce difficulties in reproducing any issues found; however, our use of emulators made this a non-issue. New generated or mutated inputs that triggered new coverage were saved to the input corpus. Our team had a number of basic mutator libraries for different scenarios, but we needed to implement a generator. Additionally, we enabled some of the traditional Windows heap instrumentation using verifier, turning on page heap for SMB-related drivers.

We began work on the SMBv2 protocol generator and took a network capture of an SMB negotiation with the aim of replaying these packets with mutations against a Windows 10, version 1903 client. We added a mutator with basic mutations (e.g., bit flips, insertions, deletions, etc.) to our fuzzer and kicked off an initial run while we continued to improve and develop further.

Figure 1. TKO fuzzing workflow

A short time later, we came back to some compelling results. Replaying the first crashing input with TKO’s kdnet plugin revealed the following stack trace:

> tkofuzz.exe repro inputs\crash_6a492.txt -- kdnet:conn 127.0.0.1:50002

Figure 2. Windbg stack trace of crash

We found an access violation in srv2!Smb2CompressionDecompress.

Finding the root cause of the crash

While the stack trace suggested that a vulnerability exists in the decompression routine, it’s the parsing of length counters and offsets from the network that causes the crash. The last packet in the transaction needed to trigger the crash has ‘\xfcSMB’ set as the first bytes in its header, making it a COMPRESSION_TRANSFORM packet.

Figure 3. COMPRESSION_TRANSFORM packet details

The SMBv2 COMPRESSION_TRANSFORM packet starts with a COMPRESSION_TRANSFORM_HEADER, which defines where in the packet the compressed bytes begin and the length of the compressed buffer.

typedef struct _COMPRESSION_TRANSFORM_HEADER

{

UCHAR   Protocol[4]; // Contains 0xFC, 'S', 'M', 'B'

ULONG    OriginalMessageSize;

USHORT AlgorithmId;

USHORT Flags;

ULONG Length;

}

In the srv2!Srv2DecompressData in the graph below, we can find this COMPRESSION_TRANSFORM_HEADER struct being parsed out of the network packet and used to determine pointers being passed to srv2!SMBCompressionDecompress.

Figure 4. Srv2DecompressData graph

We can see that at 0x7e94, rax points to our network buffer, and the buffer is copied to the stack before the OriginalCompressedSegmentSize and Length are parsed out and added together at 0x7ED7 to determine the size of the resulting decompressed bytes buffer. Overflowing this value causes the decompression to write its results out of the bounds of the destination SrvNet buffer, in an out-of-bounds write (OOBW).

Figure 5. Overflow condition

Looking further, we can see that the Length field is parsed into esi at 0x7F04, added to the network buffer pointer, and passed to CompressionDecompress as the source pointer. As Length is never checked against the actual number of received bytes, it can cause decompression to read off the end of the received network buffer. Setting this Length to be greater than the packet length also causes the computed source buffer length passed to SmbCompressionDecompress to underflow at 0x7F18, creating an out-of-bounds read (OOBR) vulnerability. Combining this OOBR vulnerability with the previous OOBW vulnerability creates the necessary conditions to leak addresses and create a complete remote code execution exploit.

Figure 6. Underflow condition

Windows 10 mitigations against remote network vulnerabilities

Our discovery of the SMBv3 vulnerability highlights the importance of revisiting protocol stacks regularly as our tools and techniques continue to improve over time. In addition to the proactive hunting for these types of issues, the investments we made in the last several years to harden Windows 10 through mitigations like address space layout randomization (ASLR), Control Flow Guard (CFG), InitAll, and hypervisor-enforced code integrity (HVCI) hinder trivial exploitation and buy defenders time to patch and protect their networks.

For example, turning vulnerabilities like the ones discovered in SMBv3 into working exploits requires finding writeable kernel pages at reliable addresses, a task that requires heap grooming and corruption, or a separate vulnerability in Windows kernel address space layout randomization (ASLR). Typical heap-based exploits taking advantage of a vulnerability like the one described here would also need to make use of other allocations, but Windows 10 pool hardening helps mitigate this technique. These mitigations work together and have a cumulative effect when combined, increasing the development time and cost of reliable exploitation.

Assuming attackers gain knowledge of our address space, indirect jumps are mitigated by kernel-mode CFG. This forces attackers to either use data-only corruption or bypass Control Flow Guard via stack corruption or yet another bug. If virtualization-based security (VBS) and HVCI are enabled, attackers are further constrained in their ability to map and modify memory permissions.

On Secured-core PCs these mitigations are enabled by default.  Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.

While these mitigations collectively lower the chances of successful exploitation, we continue to deepen our investment in identifying and fixing vulnerabilities before they can get into the hands of adversaries.

 

The post Mitigating vulnerabilities in endpoint network stacks appeared first on Microsoft Security.

New Book! The Best of TaoSecurity Blog, Volume 1



I'm very pleased to announce that I've published a new book!

It's The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice. It's available now in the Kindle Store, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print version. If you're interested, please tell me on Twitter.



The book lists at 332 pages and is over 83,000 words. I've been working on it since last year, but I've used the time in isolation to carry the first volume over the finish line.

The Amazon.com description says:

Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.

In the first volume of the TaoSecurity Blog series, Bejtlich addresses milestones, philosophy and strategy, risk, and advice. Bejtlich shares his thoughts on leadership, the intruder's dilemma, managing burnout, controls versus assessments, insider versus outsider threats, security return on investment, threats versus vulnerabilities, controls and compliance, the post that got him hired at a Fortune 5 company as their first director of incident response, and much more.

He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.  Read how the security industry, defensive methodologies, and strategies to improve career opportunities have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.

Finally, if you're interested in subsequent volumes, I have two planned.


I may also have a few other book projects in the pipeline. I'll have more to say on that in the coming weeks.

If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!

New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers

Cybersecurity researcher Mordechai Guri from Israel's Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices. Dubbed 'POWER-SUPPLaY,' the latest research builds on a series of

Future-Proofing Your AppSec With Veracode SaaS Solutions

Global events that force the world to go digital can put business needs into perspective, and fast. We???ve been impressed by how our customers are hitting the work-from-home curveball; with a little ingenuity and some help from Veracode solutions, their businesses are carrying on. In fact, ourツ?Static Analysisツ?scan numbers reached an all-time high in March, and then again in April. That tells us our customers are buckling down, concentrating on software security, and making sure they are there for their customers, too.

Organizations around the globe are continuing to put customers first, even when unexpected and sudden shifts change the way the world works. We???re proud of that same business continuity at Veracode, helping our customers start, improve, or expand AppSec programs in order to thrive in a digitally transformed world. The best part? It doesn???t have to be a complicated process that disrupts everyday business needs.

Get started swiftly and securely

Now more than ever, it???s vital that installation processes are fast and seamless. If your organization can start scanning from day one without worrying about manual patching or updating down the road, that means you can hit the ground running with peace of mind for the future. It???s simple to get started with Veracode and provision access to begin using our SaaS solutions in the cloud. You can set off securing your applications right away without halting projects or missing tight deadlines. That???s the way AppSec should be.

Our comprehensive offering is built for scale so that you don???t have to miss the opportunity to deploy the secure software your customers rely on. And with a wide range of SaaS products ??? including Static Analysis, Dynamic Analysis, Software Composition Analysis, Security Labs, and IAST ??? there???s minimal to no installation needed across the board when you???re ready to ramp up production with Veracode.

Scale up, scale down, and save money

For businesses on top of their digital transformation, having aツ?healthy SaaS AppSec solutionツ?at their fingertips means staying innovative and shipping secure code on time. Our solutions integrate directly into your SDLC, with scalable offerings like automated testing that won???t get in the way of the work your developers are already doing.

In addition, accessing all application analysis types through one solution streamlines testing and reporting too, which means it???s easy to stay on top of goal setting and progress, while guiding development teams on which flaws to target first. Veracode conveniently combines all testing types???Static Analysis, Dynamic Analysis, Software Composition Analysis, and Pen Testing???in one place for easy access, covering web and mobile apps as well as microservices in most major programming languages.

Secure your applications anywhere, anytime

Since these powerful solutions are cloud-based, development and security teams collaborating around the world can keep pace with competitors in the digital go-to-market race. The ability to work from anywhere is essential for many businesses, especially today. You can access Veracode???s tools and solutions without bogging down your VPN???s server, reducing the risk that comes from potential breaches and cyberattacks no matter where you are in the world. If you???re working from home as a lot of us are right now, that???s a gamechanger for efficiency.

Whether you???re looking for ways to ramp up your security or you simply want to expand your existing solutions, no matter what???s happening out there in the world, Veracode is here to help. Tune in to our webinarツ?for a deep dive into maintaining business continuity and controlling AppSec costs during turbulent times.

Getting Started With Basic Google Searches

Hello and welcome. My name is John Strand and in this video, we’re going to be talking about some very basic Google searches. Now we’ve got to take a couple of steps back and talk about what Google actually does. Google goes through and it indexes all the different texts and images and things they […]

The post Getting Started With Basic Google Searches appeared first on Black Hills Information Security.

Prioritize alerts and jump-start your investigations with Recorded Future’s free browser extension

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! Access real-time security intelligence from any web-based SIEM, vulnerability solution, or webpage. Stop opening multiple browser tabs and pivoting between them to collect all of your data manually. Recorded Future Express does […]

Teaming up with INTERPOL to combat COVID-19 threats

If the past couple of months have taught us anything, it’s that partnerships matter in times of crisis. We’re better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.

We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.

The new normal

All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, there’s no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.

At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers — even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.

Getting the basics right

That’s why Trend Micro has been pushing out regular updates — not only on the latest scams and threats we’re picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. We’re also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.

Yet there’s always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. That’s why we’re delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns we’ve collaborated on, to tackle BEC and crypto-jacking.

This time, we’ll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And we’ll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.

We’re all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then it’s that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profit from tragedy.

The post Teaming up with INTERPOL to combat COVID-19 threats appeared first on .

Increase in Ransomware Demand Amounts Driven by Ryuk, Sodinokibi

The Ryuk and Sodinokibi ransomware families both contributed to an increase in the ransom amounts demanded by attackers over the past quarter. Coveware found that the average ransom amount demanded by ransomware attacks in Q1 2020 was $111,605. This amount was a third higher than what it had been in the final quarter of the […]… Read More

The post Increase in Ransomware Demand Amounts Driven by Ryuk, Sodinokibi appeared first on The State of Security.

How The Latest Plugin And Theme Helps To Avoid WordPress Vulnerability?

Are you running a WordPress website? If yes, then you must learn about the fact that there is several WordPress vulnerability. Moreover, black hat hackers are always waiting to get access to your site by taking advantage of such exposures. Hence, you must determine the ways to this problem.

Furthermore, there are several harmful activities that these hackers can execute from your site after hacking it. Hacking is nothing new to us, but still, we take it lightly. Even if you run a small business, you must learn how to shield it. Such evil minds target anything that they find open to them. Once they enter your site, they can send spam emails; can mislead the data of your consumers, and more. 

The process of destroying your WordPress site does not end here. Further, if your site gets hacked, Google will also blacklist you. Yes, it can permanently harm the brand image that you built online for years. But, don’t feel stress because many ways can save your websites as well, as your life. Here are some of the right tips that you need to ensure to keep your online interface away from the hackers!

WordPressVulnerability & Their Repairs

Although there are an abundance of vulnerabilities, and possibilities also never end. The Internet is vast, and we cannot trust the digital world. All we can do it to take precautions to keep us safe and away from the reach of hackers. Here are a few of the most basic vulnerabilities and their ways out!

Outmoded Plug-in and themes

One of the most common vulnerability happens in the plugin and the themes. Yes, WordPress also faces such things, and then later, the developers fix these liabilities. The idea that you must jot down from here is that if you keep on utilizing the old version of plugin and themes, then you are digging a hole for you. 

Yes, using outdated themes and plugin makes your website more vulnerable to hackers. It is effortless for these hackers to get into a site and exploit it if they find it outdated. Therefore you need to understand why using the latest version of WordPress security updates is mandatory.

Ways to Keep Your Website Updated?

Like we also need to change with time and adopt specific changes to live happily, your WordPress site also seeks that. The task of always keeping your website up to date is indeed hard, but it is not impossible in this digitized world. You can check for updates as they are still rolling on. 

There is no doubt that the frequency of updates makes it difficult to implement them, but it is always better to avoid any liability. The best way to tackle this situation is by taking one day out from your routine to focus on this thing.

Updates are always rolling in. The frequency of updates makes it hard to execute them. It’s even more difficult if you have multiple websites to update. Here you can take the assistance of Malcare’s central dashboard. It helps the user by showing all the pending plugin updates whenever they will open the panel.

Pirated Themes and Plugins

Jumping to the next most basic WordPress vulnerability is the availability of pirated software. Yes, there is no doubt that many people go with this option, but they must also learn that it can be dangerous for their site.

The Pirated WordPress themes give a right to the user to use the premium version of the software for free. It is one of the primary reasons behind its usage, even after having so many disadvantages. The pirated versions are just like a trap; they tempt the website owners and then trick them into it. Undoubtedly building a website and maintaining it is costly sometimes, but one must never forget that security is the priority. If your site gets hacked just because of the temp, you can lose it forever.

Therefore always make sure that you do not fall in a vicious trap of premium WordPress themes because such software comes with a lot of security issues. Such a version mostly has a malware backdoor, which is threatening. These doors allow the hackers to enter your site, and use it as they want.

How To AvoidWordPress Security Issues From Pirated Software?

i. Eliminate all Pirated Themes and Plugins Installed on Your WebSite

The very first measure that you can take is by eradicating the deleting of all the pirated plugins and themes from your site. Scan your website with the use of a WordPress malware scanner online; it will help you in finding the infected files. Once you do this work, you can deactivate/delete them.

ii. Trust On Reliable Sources For Plugins and themes

One of the fantastic ways to keep your site away from the hackers is by purchasing the plugin and themes from an authentic source. It will reduce the chance of any hack.

Conclusion

So these were some of the things to learn to be free from WordPress Vulnerability.  Therefore always make sure that you are using the up-to-date software and from the reliable source. Never go for the plugins and themes from the pirated version available.

The post How The Latest Plugin And Theme Helps To Avoid WordPress Vulnerability? appeared first on .

Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack released a patch (version 3000.2)

COVID-19 Scam Roundup – May 4, 2020

Malicious actors continue to abuse coronavirus 2019 (COVID-19) as a lure to profit off of innocent people. Indeed, Arkose Labs found that 26.5% of all transactions recorded in Q1 2020 were fraud and abuse attempts—a 20% increase over the previous quarter and the highest attack rate ever observed by the security firm’s researchers. It’s therefore […]… Read More

The post COVID-19 Scam Roundup – May 4, 2020 appeared first on The State of Security.