The Top Five Cyber Security Vulnerabilities


Recently, the hack of the Federal Office of Personnel Management (OPM), apparently tied to Chinese-sponsored hackers, has reignited the discussion about the potentially catastrophic damage caused by the exploitation of a cyber-security vulnerability.

Part of the cyber-security community has considered this latest incident the equivalent of a cyber-9/11. Millions of records belonging to Government personnel were compromised, and there is a concrete risk that the stolen data could be used by threat actors in further cyber-attacks against Government agencies.

The Office of Personnel Management (OPM) hack must serve as a wake-up call for reorganizing the cyber security posture of the country. To do this, it is essential to profile the threat actors, understand their motivation, learn the way they operate and adopt the necessary countermeasures: a very simple strategy to theorize, but very difficult to achieve.

But first, let us try to understand the possible motivations of a potential attacker. Hackers act to steal sensitive data (i.e. corporate secrets, personal information, and intellectual property) or to sabotage. Recent events demonstrate that cyber espionage is still considered the most dangerous threat for Governments; APT groups worldwide constantly search for vulnerabilities to exploit on a large scale in order to gather sensitive data.

We cannot underestimate the action of cyber terrorists and cyber criminals: financial firms, retailers, and companies in the health care industry are constantly under attack. The financial damage to the world economy due to cybercrime exceeds 575 billion dollars, a disconcerting figure if we consider that it is greater than the GDP of many countries.
Another danger posed by groups of hackers on a global scale is the possibility of cyber-attacks against critical infrastructure, such as gas pipelines, water facilities, and smart grids.

The majority of processes in modern infrastructure are controlled by SCADA systems that were exposed on the Internet for maintenance purposes without the necessary attention to cyber security. The problem is not the maintenance of SCADA components; rather, the lack of security by design in these systems exposes the entire infrastructure to the risk of cyber-attacks.

The top five cyber security vulnerabilities

Injection vulnerabilities

Injection vulnerabilities occur every time an application sends untrusted data to an interpreter. Injection flaws are very common and affect a wide range of solutions. The most popular injection vulnerabilities affect SQL, LDAP, XPath, XML parsers and program arguments. As explained in the OWASP “Top 10” guide, injection flaws are quite easy to discover by analyzing the code, but frequently hard to find during testing sessions when systems are already deployed in production environments.

The possible consequences of a cyber-attack that exploits an injection flaw are data loss and the consequent exposure of sensitive data, lack of accountability, or denial of access. An attacker could run an injection attack to completely compromise the target system and gain control of it. The business impact of an injection attack could be dramatic, especially when hackers compromise legacy systems and access internal data.

SQL injection vulnerabilities are among the most exploited flaws; despite the high level of awareness of the various hacking techniques that exploit this category of bugs, the impact of such attacks is still very serious.

A study released by the Ponemon Institute in October 2014, titled “The SQL Injection Threat Study”, investigated how organizations respond to the SQL injection threat.

The study revealed that, although about one-third of respondents believed that their organization had the necessary technology to detect and mitigate the threat, the success rate of SQL injection attacks remains too high.
Injection vulnerabilities can affect various kinds of software, and their impact depends on how widely the vulnerable application is deployed.
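To make the distinction concrete, here is an added example (not from the original article) that runs the same login query against a constructed in-memory SQLite database, once with the untrusted input spliced into the SQL text and once with bound parameters:

```python
# Added example: the same login lookup written in injectable and safe form.
# The database content is constructed for the example.
import sqlite3


def make_db():
    """Constructed sample data: a single user row (plain text stands in
    for whatever credential store a real application would use)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Untrusted input is concatenated into the SQL text, so the SQL
    interpreter cannot tell attacker-supplied data from query code."""
    sql = f"SELECT name FROM users WHERE name='{name}' AND pw='{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, pw):
    """Placeholders fix the query structure up front; the driver passes
    the values separately, so quote characters in the input stay data."""
    sql = "SELECT name FROM users WHERE name=? AND pw=?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # The textbook test input: it closes the string literal and appends an
    # always-true condition, so the concatenated query matches every row.
    probe = "' OR '1'='1"
    print("vulnerable query accepts bad password:", login_vulnerable(db, "alice", probe))
    print("parameterized query accepts bad password:", login_safe(db, "alice", probe))
```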

A classic example of the possible effect of injection flaws is the critical vulnerability dubbed Bash Bug, affecting the Linux and UNIX command-line shell. The flaw, tracked as CVE-2014-6271, is remotely exploitable and potentially exposes websites, servers, PCs, OS X Macs, various home routers, and many other devices to the risk of cyber-attacks.

The vulnerability has existed for several decades and is related to the way bash handles specially formatted environment variables, namely exported shell functions. To run arbitrary code on an affected system, an attacker assigns a function definition to a variable; the code trailing the function definition is executed when bash imports the variable.

The critical Bash Bug vulnerability, also dubbed Shellshock, affects GNU Bash versions ranging from 1.14 through 4.3; a threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.

Such vulnerabilities could have a dramatic effect on a large scale; think, for example, of the dangers to Internet-of-Things devices like smart meters, routers, web cameras and any other device that runs software affected by this category of flaws.
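As an added example (not part of the original article), the following detector looks for the Shellshock function-definition signature in web-server access logs, the case in which CGI handlers copy HTTP headers into environment variables; the log format is assumed to be the common "combined" format, and the sample lines are constructed for the example:

```python
# Added example: flag HTTP requests whose Referer or User-Agent header
# carries an exported-function prefix, the indicator of a Shellshock attempt.
import re

# An exported bash function begins with "() {". Real traffic varies the
# whitespace between the parentheses and the brace, so allow for it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 73 "-" "() { :;}; echo shellshock-test"',
    '203.0.113.7 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 73 "() {:; }; echo x" "curl/7.37"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (client ip, request line, offending header) for every line in
    which a header value starts an exported bash function definition."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than treated as hits
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], rec["req"], field))
                break
    return hits


if __name__ == "__main__":
    for ip, req, field in find_shellshock(SAMPLE_LOG):
        print(f"possible Shellshock probe from {ip} in {field}: {req}")
```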

Buffer Overflows

A buffer overflow vulnerability exists when an application attempts to put more data in a buffer than it can hold. Writing outside the space assigned to the buffer allows an attacker to overwrite the content of adjacent memory blocks, causing data corruption, a crash of the program, or the execution of arbitrary malicious code.

Buffer overflow attacks are quite common and very hard to discover, but compared with injection attacks they are more difficult to exploit. The attacker needs to know the memory management of the targeted application, the buffers it uses, and the way to alter their content in order to run the attack.

In a classic attack scenario, the attacker sends data to an application that stores it in an undersized stack buffer, causing the overwriting of information on the call stack, including the function’s return pointer. In this way, the attacker is able to run his own malicious code once the legitimate function completes and control is transferred to the exploit code contained in the attacker’s data.
There are several types of buffer overflow; the most popular are the heap buffer overflow and the format string attack. Buffer overflow attacks are particularly dangerous; they can target desktop applications, web servers, and web applications.
An attacker can exploit a buffer overflow to target a web application and execute arbitrary code. He can corrupt the execution stack of a web application by sending specifically crafted data.

Buffer overflows affecting widely used server products represent a significant risk to users of these applications. In recent years, many buffer overflow vulnerabilities were discovered in a number of SCADA components. Considering that the number of cyber-attacks against SCADA is increasing, it is likely that these buffer overflow vulnerabilities will be exploited with increasing frequency. Crimeware kits could be sold in the underground ecosystem to attack this particular category of targets, causing serious damage.

Sensitive Data Exposure

Sensitive data exposure occurs every time a threat actor gains access to users’ sensitive data.
Data could be stored in the system (at rest) or transmitted between two entities (i.e. servers, web browsers); in every case, a sensitive data exposure flaw occurs when sensitive data lack sufficient protection.

Sensitive data exposure refers to access to data at rest, in transit, included in backups, and user browsing data.
The attacker has several options, such as hacking the data storage, for example by using a malware-based attack; intercepting data between a server and the browser with a Man-In-The-Middle attack; or tricking a web application into doing several things, like changing the content of a cart in an e-commerce application or elevating privileges.

The principal sensitive data exposure flaw is the lack of encryption for sensitive data, but even when encryption mechanisms are implemented, other factors contribute to the exposure of information. The adoption of weak key generation and management and the use of weak algorithms are very common in many industries and applications.

A number of recent incidents have demonstrated the criticality of this category of flaw; think of the wrong implementation of encryption algorithms and the lack of encryption in mobile and cloud solutions.
In September 2014, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) published the results of tests conducted by its experts on popular Android applications that fail to properly validate SSL certificates.
The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and the consequent theft of sensitive information.

The CERT confirmed that the problem is widespread; the finding was confirmed by another study, conducted by security experts at FireEye, that evaluated the level of security offered by 1,000 of the most popular free apps on Google Play.

FireEye provided shocking results: 68% of the apps don’t check server certificates and 77% ignore SSL errors. According to the CERT, the applications use vulnerable libraries, such as the Flurry and Chartboost ad libraries. For this reason, Android users are exposed to the risk of attacks. Despite the fact that FireEye informed the developers about the flaws, the CERT pointed out that only a few companies took steps to secure their products.
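The following added example (not from the CERT or FireEye studies) shows what “ignoring SSL errors” looks like in Python’s ssl module beside a correctly configured client context, with a small audit helper and a fingerprint-pinning check; the function names and the certificate bytes used in testing are assumptions for the example, and no network connection is made:

```python
# Added example: the weak and the correct TLS client configuration side by
# side, plus the two checks an app reviewer would want to run against them.
import hashlib
import hmac
import ssl


def insecure_context():
    """The pattern behind the study findings: verification switched off, so
    any certificate, including one presented by a man in the middle, is
    accepted without error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Default client context: the chain is validated against the system
    trust store and the hostname is matched against the certificate."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return a list of weaknesses found in a client SSLContext (empty when
    the context verifies the peer the way a browser would)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def fingerprint(cert_der):
    """Hex SHA-256 of a DER-encoded certificate: the value an app ships
    as its pin."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der, expected_sha256_hex):
    """Certificate pinning: compare the fingerprint of the certificate the
    server presented with the expected pin, in constant time. Pinning is
    run in addition to chain validation, never as a replacement for it."""
    return hmac.compare_digest(fingerprint(cert_der), expected_sha256_hex.lower())


if __name__ == "__main__":
    print("insecure context findings:", audit_context(insecure_context()))
    print("secure context findings:  ", audit_context(secure_context()))
```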

As highlighted by numerous studies on the topic, attackers typically don’t break crypto directly; they exploit a sensitive data exposure flaw instead. This means that threat actors steal encryption keys, run man-in-the-middle attacks, or steal clear-text data off the server, while in transit, or from the user’s browser.

The exploitation of a sensitive data exposure flaw could be dramatic for any organization in any industry; the principal losses from data breaches are related to the business value of the compromised data and the impact on the reputation of the victim organization.

Sensitive data exposure attacks could be run by any category of attacker, including cyber criminals, state-sponsored hackers and hacktivists; in the majority of cases, these attacks are part of a first-stage offensive that also involves other hacking techniques.

Every organization that manages sensitive data (i.e. healthcare and banking data, personal information) is potentially exposed to attacks that could involve a large number of users; millions of users are already open to cyber-attacks.

Broken Authentication and Session Management

The exploitation of a broken authentication and session management flaw occurs when an attacker uses leaks or flaws in the authentication or session management procedures (e.g. exposed accounts, passwords, session IDs) to impersonate other users.

This kind of attack is very common; many groups of hackers have exploited these flaws to access victims’ accounts for cyber espionage or to steal information that could benefit their criminal activities.

As explained by OWASP, one of the main problems is related to custom implementations of authentication and session management schemes; in the majority of cases these schemes turn out to be flawed and hackers are able to compromise them. This category of flaws affects web applications; in the majority of cases, functionalities such as logout, password management, “remember me”, timeouts, secret questions, and account update are affected by broken authentication vulnerabilities.

The bad news is that once this kind of flaw is successfully exploited, the attacker can impersonate the victim, doing anything the victim could do with the privileges granted to his account.

Unfortunately, the exploitation of a broken authentication and session management flaw is hard to mitigate due to the large number of authentication schemes implemented by potential victims. Not all authentication and session management systems are equal, which complicates the adoption of best practices on a large scale.

There are several ways to bypass authentication mechanisms, including brute-forcing the targeted account, using a SQL injection attack, retrieving a session identifier from a URL, relying on the session timeout, reusing an already used session token, or compromising a user’s browser.

The most popular attack scenario relies on the session: authentication mechanisms are usually based on tokens associated with each session on the server side. An attacker who is able to retrieve the session identifier can impersonate the victim without providing login credentials again.
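As an added example (not from the original article or OWASP), the following minimal server-side session store implements the controls the discussion above calls for: unguessable identifiers, a fresh identifier issued at login so a pre-login or previously captured token cannot be reused, an idle timeout, and invalidation on logout; the class and method names are assumptions for the example, and the clock is injectable so the timeout can be exercised without waiting:

```python
# Added example: a server-side session store with the controls that a
# custom scheme most often gets wrong. Identifiers are meant to travel in
# a cookie (HttpOnly, Secure), never in a URL, where they end up in logs
# and Referer headers.
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}          # session_id -> (user, last_seen)
        self._timeout = idle_timeout  # seconds of inactivity before expiry
        self._clock = clock           # injectable clock for testing

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG; a sequential, time-based or hashed
        # username identifier would be predictable.
        return secrets.token_urlsafe(32)

    def login(self, user, old_session_id=None):
        """Called after the caller has verified credentials. Always issues
        a fresh id and discards any pre-login id, so an identifier planted
        or captured before authentication (session fixation) is useless."""
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = self._new_id()
        self._sessions[sid] = (user, self._clock())
        return sid

    def user_for(self, session_id):
        """Return the user bound to a live session, or None. Expired ids
        are deleted immediately so they cannot be replayed later."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._timeout:
            del self._sessions[session_id]
            return None
        self._sessions[session_id] = (user, now)  # refresh idle timer
        return user

    def logout(self, session_id):
        """Server-side invalidation: clearing the cookie alone leaves a
        copied token valid."""
        self._sessions.pop(session_id, None)
```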

The possible business impact of broken authentication and session attacks is severe, because an attacker could take over a user’s account and impersonate him to conduct various malicious activities.

Such practice is very common in both the cyber-criminal ecosystem and state-sponsored hacking.

Security Misconfiguration

I consider this category of vulnerability the most common and dangerous. It is quite easy to discover web servers and applications that have been misconfigured, leaving them open to cyber-attacks. Below are some typical examples of security misconfiguration flaws:

- Running outdated software.
- Applications and products running in production in debug mode or that still include debugging modules.
- Running unnecessary services on the system.
- Misconfigured access to server resources and services, which can result in the disclosure of sensitive information or allow an attacker to compromise the system.
- Not changing factory settings (i.e. default keys and passwords).
- Incorrect exception management that could disclose system information, including stack traces, to attackers.
- Use of default accounts.

The exploitation of one of the above scenarios could allow an attacker to compromise a system. Security misconfiguration can occur at every level of an application stack. An attacker can discover that the target is using outdated software or a flawed database management system.

In many cases, it is quite easy for an attacker to search for this kind of vulnerability. The availability of automated scanners on the market allows the detection of systems that are not correctly configured or patched.
Security misconfiguration vulnerabilities could have a dramatic impact when the systems targeted by hackers are widely adopted. Consider, for example, the presence on the market of routers with hardcoded credentials, or network appliances using default SSH keys that allow an attacker to establish a remote, unauthorized connection to the device.

These kinds of vulnerabilities could have a severe impact on the new paradigm of the Internet of Things: poorly configured IoT devices could be exploited by hackers to compromise the software they run and recruit them into a large “thingbot.”

Recovery costs could be very high, and the impact on organizations that are using flawed devices could be severe.
Security misconfiguration is very insidious for any organization and causes incidents that are difficult to mitigate and that can have a catastrophic impact.

InfoSecInstitute: http://bit.ly/1Ka2Vzp

 
