Wedge Networks Inc.

The new iPhone 4.0 is a piece of art, a handheld device which Andrew Berg of Wireless Week elegantly termed as ‘beautifuly flawed‘.  Surprisingly, another report that went out un-noticed by mainstream media, unless you are in the Security business, rated Apple as the company with the most security vulnerabilities in its software, surpassing Oracle and even Microsoft in the last 5 years.  This is shown by the now highly quoted, yet highly disputed, graph:

Secunia - Reported Security Vulnerabilities by Vendor, 2005 - 2010.

But it is not just the iPhone or Apple platforms that are going to see a surge in malware attacks due to these documented vulnerabilities.  Kaspersky made this critical prediction in December 2009:

An increase in attacks on iPhone and Android mobile platforms. 2010 promises to be a difficult time for iPhone and Android users. The first malicious programs for these mobile platforms appeared in 2009, a sure sign that they have aroused the interest of cybercriminals. The only iPhone users currently at risk are those with compromised devices; however the same is not true for Android users who are all vulnerable to attack. The increasing popularity of mobile phones running the Android OS combined with a lack of effective checks to ensure third-party software applications are secure, will lead to a number of high-profile malware outbreaks.

There are three reasons why this prediction will hold and mobile devices are the next target for malicious attacks.  First, newer, more accessible platforms and applications – and the vulnerabilities highlighted above – will open the doors to malicious attacks on and from mobile devices. And second, many of us are using our iPhones and Android Smartphones in the same way we use our PCs.  We shop, surf the web, email, text, Twitter, Facebook and download on our phones.  Thirdly, our phones house so much of our personal information – contacts, calendars, emails, texts, pictures and more – making them a valuable target for malware writers and malicious hackers. 

So if you are the Chief Security Officer for your Enterprise or Service Provider, mobile devices are at your network’s perimeter and you will need to consider “edge” security solutions  (which are typically transparent inline network traffic scanning solutions) – solutions that will protect your end-users’ mobile devices from malware attacks, and in so doing protecting your network infrastructure from attacks launched from compromised mobile devices.  

You heard it here first – it is not just the antenna.

LINK

Protecting their end-users from malware is a good thing and TalkTalk seems to be leading the way in this respect. However, TalkTalk seems to be confined by the technology supplied by Huawei. By using Deep Packet Inspection, TalkTalk is limited by what they can examine and they must collect information in order to see what threats the sessions contain. Had Talk Talk known about Wedge Networks’ technology, they would see that a better way to implement a system like this would be to use Deep Content Inspection where the company can see the full threat picture without the need for collecting any customer information, even if the information is totally anonymous. The contentious privacy issues would not even come into play.

Today, our life is heavily dependent on the digital infrastructure surrounding us. It is no wonder that the news of the first real attack on industry control systems (here), the Stuxnet malware, spread through the media like a wild fire.  The news was pushed by a friend to my iPhone just hours after it was published.

This link  provides a more in depth description of this Stuxnet malware. It gets into a control network via your typical USB drives. It targets a SCADA system from Siemens called Simatic WinCC which runs on the Windows platform. Once the machine is infected, a Trojan detects if the machine is running Siemens’ Simatic WinCC software. It then uses a default password that is hard-coded into the software to access the control system’s Microsoft SQL database.

Many security related publications have elaborated deep concerns about the potential damage that this type of malware can do.  Just last year, in the so called Aurora Project, researchers affiliated with the US government were able to demonstrate how malicious instructions transmitted through the network can physically blow up a 27 ton power generator and cause profound damage. From here, it is easy for the security minded to connect the dots.

SCADA systems, Sensor networks, automated process control devices: there are more machine-to-machine systems than those used by users like you and me. It is a real challenge to secure the machine-to-machine systems. In the case of Stuxnet, since the SCADA system is not on the internet, to achieve timely security updates is not an easy task. In the case of the Aurora Project, the power generator was controlled by embedded systems with very limited computing power to provide self-defences such as firewalling and antimalware. The cost effectiveness and convenience offered by the internet provide huge poll to webify the machine-to-machine systems. More security issues will arise in the future.

How do we protect our critical infrastructure against attacks as demonstrated by the Aurora Project and as realized by Stuxnet? First, access to the machine-to-machine systems has to be tightly controlled. If possible, the USB drives should be disabled or not provided at all. Second, the means of continuously updating the security defence at the whole network level needs to be implemented, even if the network itself is not connected to the public internet. For example, the Wedge BeSecure provides a way to update its security signature once per hour in an offline mode, a feature that was requested by infrastructure operators to stop the transmission of malware such as Stuxnet in their private networks. Third, security policies need to be enforced at the application content level to block malicious instructions while allowing the good instructions to go through.

Today’s Patch Tuesday marks two key events – the first, and for the first time Microsoft is able to provide a 33 day turn around patch to a zero-day attack.  And the second, is how protocol handlers can be a popular source of vulnerabilities.

This zero-day vulnerability was discovered by Google’s Zurich-based researcher Travis Ormandy and is common in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003.

For those technically inclined, you can read more about today’s Microsoft Patch Tuesday patches at the end of the message courtesy of Ryan Naraine here.  But for those of who you who want to quickly appreciate this vulnerability and to give you a feel for how serious this zero day attack is, in the address bar of your “Internet Explorer” browser, type in this command:

hcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>

You should find your browser prompting you to save a ‘file’ but in effect, invoking the Windows Help and Support Center.  In his posting Travis goes further to provide a script through which this exploit can be utilized to completely take over your Windows Server and you can read about it here.

This provides yet another case for why network based deep content malware inspection is required.  BeSecure Administrators can simply add a simple Regular Expression that blocks ‘hcp://” invocations.

Link

Is YOUR website protected?

Link