Page 1 (source: new.dcs.fmph.uniba.sk/files/biti/l01-weaknesses-2020.pdf)

Security incidents, weaknesses and vulnerabilities

Martin Stanek

Department of Computer Science, Comenius University

[email protected]

Security of IT infrastructure (2019/20)

Page 2

Content

- What could go wrong – a few recent examples
- Vulnerabilities
- Real world
  - Statistics, surveys
  - Controls, regulatory and compliance frameworks
- Security incidents
  - Data breaches
  - Other incidents
- Appendix

Security incidents, weaknesses and vulnerabilities 2 / 35

Page 3

Global DNS Hijacking

- reported by FireEye in January 2019
- various activities observed since 2017
- manipulation of DNS records
- techniques
  - manipulating the DNS A record
  - manipulating the DNS NS record
  - using a DNS Redirector
- targets:
  - telecoms, ISPs, government agencies, etc.
  - Middle East, North Africa, Europe and North America
- impact
  - redirected and intercepted web and mail traffic
  - possibly other network services


Page 4

Global DNS Hijacking – DHS reaction

- Department of Homeland Security
- Cybersecurity and Infrastructure Security Agency
- an emergency directive issued (Emergency Directive 19-01, January 2019)
- multiple federal agencies affected by the attack
- 10 business days for four actions:
  1. audit all public DNS records on all authoritative and secondary DNS servers
  2. update passwords for all accounts on systems that can make changes to DNS records
  3. implement multi-factor authentication for all those accounts
  4. monitor Certificate Transparency logs
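The first and fourth actions of the directive, as an added example (not part of the lecture): a baseline audit that diffs the records actually served against the change-controlled zone export, classifying an NS change as a delegation hijack and an A/MX change as traffic redirection, plus a filter that flags Certificate Transparency entries for the organisation's domains issued by a CA it never used. The zone `example.org`, the record values, the CT rows and their field names are constructed sample data (assumptions); a real run would fill them from queries to every authoritative and secondary server and from a CT log search.

```python
"""DNS record baseline audit for the hijacking techniques described above.

Added example, not part of the original lecture. All records below are
constructed sample data for a hypothetical zone "example.org" (assumption);
a real audit would fill `observed` from queries to every authoritative and
secondary server, and `baseline` from the zone's change-controlled export.
"""
from collections import defaultdict


def index(records):
    """Group record values by (name, type) so drift is reported per RRset."""
    idx = defaultdict(set)
    for name, rtype, value in records:
        idx[(name.lower().rstrip("."), rtype.upper())].add(value.lower().rstrip("."))
    return idx


def audit_dns(baseline, observed):
    """Return a list of findings, most severe first.

    A changed NS RRset means the delegation itself was moved (the attacker then
    controls every answer for the zone); a changed A/MX record means traffic for
    that one name is redirected. Added or removed names are reported too, since
    hijackers often add a rogue host rather than alter an existing one.
    """
    base, seen = index(baseline), index(observed)
    findings = []
    for key in sorted(set(base) | set(seen)):
        name, rtype = key
        expected, actual = base.get(key, set()), seen.get(key, set())
        if expected == actual:
            continue
        if key not in base:
            kind, sev = "unexpected_rrset", "medium"
        elif key not in seen:
            kind, sev = "missing_rrset", "medium"
        elif rtype == "NS":
            kind, sev = "delegation_changed", "critical"
        else:
            kind, sev = "record_changed", "high"
        findings.append({
            "severity": sev, "kind": kind, "name": name, "type": rtype,
            "expected": sorted(expected), "actual": sorted(actual),
        })
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def unexpected_certificates(ct_entries, domains, allowed_issuers):
    """Flag CT log entries for our domains whose issuer is not one we use.

    `ct_entries` is a list of dicts with "subject", "issuer" and "not_before"
    (an assumed, simplified row format; constructed here). A certificate from a
    CA the organisation never used is the classic artefact of a DNS hijack: the
    attacker passes domain validation because they control the hijacked records.
    """
    ours = {d.lower() for d in domains}

    def ours_match(subject):
        s = subject.lower().lstrip("*.")
        return any(s == d or s.endswith("." + d) for d in ours)

    return [e for e in ct_entries
            if ours_match(e["subject"]) and e["issuer"] not in allowed_issuers]


# --- constructed sample data (assumption: not real zone or CT data) ----------
BASELINE = [
    ("example.org", "NS", "ns1.example.org"),
    ("example.org", "NS", "ns2.example.org"),
    ("mail.example.org", "A", "192.0.2.25"),
    ("www.example.org", "A", "192.0.2.80"),
]
OBSERVED = [
    ("example.org", "NS", "ns1.example.org"),
    ("example.org", "NS", "ns2.example.org"),
    ("mail.example.org", "A", "198.51.100.9"),   # mail traffic redirected
    ("www.example.org", "A", "192.0.2.80"),
    ("vpn.example.org", "A", "198.51.100.10"),   # rogue host added
]
CT_ENTRIES = [
    {"subject": "www.example.org", "issuer": "Example Corp CA", "not_before": "2019-01-02"},
    {"subject": "mail.example.org", "issuer": "Let's Encrypt Authority X3", "not_before": "2019-01-10"},
]

if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        print(f"[{f['severity']}] {f['kind']}: {f['name']} {f['type']} "
              f"expected={f['expected']} actual={f['actual']}")
    for e in unexpected_certificates(CT_ENTRIES, ["example.org"], {"Example Corp CA"}):
        print(f"[high] unexpected certificate for {e['subject']} from {e['issuer']}")
```

Run the audit once per authoritative and secondary server rather than once per zone: in the campaign above the attackers changed records on the provider, so a resolver-side view and the registrar-side view can legitimately disagree for a while, and that disagreement is itself the finding.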


Page 5

Microsoft customer data leak

- internal customer support database (5 Elasticsearch servers, Azure)
- exposed online in December 2019
- no access control, no encryption
- 250 million records (14-year period from 2005 to December 2019)
- leaked data
  - email address, IP address, support case details, internal notes
- fixed within 24 hours of being reported


Page 6

9-year-old vulnerability in sudo

- sudo – used in most Linux/Unix-based OS to run commands with elevated privileges
- buffer overflow vulnerability in pwfeedback (CVE-2019-18634)
- published in 2020
- any user can escalate to the root account (the user does not even need to be listed in sudoers)
- the pwfeedback option is usually not enabled by default
  - exceptions – Linux Mint, Elementary OS
- previous sudo vulnerability in October 2019
  - improper input validation (CVE-2019-14287)
  - bypassing policy blacklists by using a specific user id: `sudo -u#-1` (uid 4294967295) is not matched by a "!root" entry, yet sudo ends up running the command as uid 0
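The check a practitioner would run after reading those two CVEs, as an added example (not from the lecture or the sudo project): a small sudoers audit that flags a `Defaults pwfeedback` setting on a sudo older than 1.8.31 (CVE-2019-18634) and a blacklist-style `(ALL, !root)` Runas list on a sudo older than 1.8.28 (CVE-2019-14287). The sudoers text is constructed sample input, and the parser only covers the common line shapes (assumption); it is not a full sudoers grammar.

```python
"""Audit a sudoers configuration for the two sudo issues above.

Added example, not part of the lecture and not sudo's own code. Two checks:
  * CVE-2019-18634: is `pwfeedback` enabled in a Defaults line? If so, any
    local user can trigger the overflow when sudo prompts for a password
    (fixed in sudo 1.8.31, so the version matters too).
  * CVE-2019-14287: a Runas list of the form (ALL, !root) that tried to deny
    root via a blacklist. Before sudo 1.8.28, `sudo -u#-1` (uid 4294967295)
    is not matched by "!root" yet is treated as uid 0.
SUDOERS is constructed sample input (assumption); the parser handles the
common line shapes (Defaults, comments, continuation lines, user specs) and
is not a full sudoers grammar.
"""
import re

PWFEEDBACK_FIXED = (1, 8, 31)   # sudo 1.8.31 fixed CVE-2019-18634
RUNAS_FIXED = (1, 8, 28)        # sudo 1.8.28 fixed CVE-2019-14287

DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.*)$")
RUNAS_RE = re.compile(r"\(([^)]*)\)")


def parse_version(text):
    """Turn "Sudo version 1.8.25p1" (first line of `sudo -V`) into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def logical_lines(sudoers):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = []
    for raw in sudoers.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def audit_sudoers(sudoers, version_text="Sudo version 0.0.0"):
    """Return [(cve, offending logical line), ...]; unknown version = assume old."""
    findings = []
    version = parse_version(version_text) or (0, 0, 0)
    for line in logical_lines(sudoers):
        m = DEFAULTS_RE.match(line)
        if m:
            opts = [o.strip() for o in m.group(1).split(",")]
            # "pwfeedback" enables it; "!pwfeedback" explicitly disables it
            if any(o.split("=")[0].strip() == "pwfeedback" for o in opts) \
                    and version < PWFEEDBACK_FIXED:
                findings.append(("CVE-2019-18634", line))
            continue
        for runas in RUNAS_RE.findall(line):
            users = [u.strip() for u in runas.split(":")[0].split(",")]
            # blacklist style: everyone except root -> bypassable with -u#-1
            if "ALL" in users and "!root" in users and version < RUNAS_FIXED:
                findings.append(("CVE-2019-14287", line))
    return findings


# Constructed sample sudoers (assumption: not taken from any real system)
SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
Defaults        pwfeedback, \\
                mail_badpass
root    ALL=(ALL:ALL) ALL
bob     ALL=(ALL, !root) /usr/bin/vi
alice   ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for cve, line in audit_sudoers(SUDOERS, "Sudo version 1.8.25p1"):
        print(f"{cve}: {line}")
    # a patched sudo reports nothing for the same configuration
    print(audit_sudoers(SUDOERS, "Sudo version 1.9.0"))
```

On a live host feed it `sudo -V | head -1` and the output of `visudo -c -f /etc/sudoers` plus each file under `/etc/sudoers.d`; the `(ALL, !root)` finding is worth fixing even on a patched sudo, since a deny-list Runas spec is the wrong shape for a privilege boundary.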


Page 7

Microsoft: CurveBall vulnerability

- Improper Certificate Validation in crypt32.dll (CVE-2020-0601)
- discovered by the NSA (see the published advisory)
- certificates using elliptic curve cryptography
- explicitly given generator in a certificate (even a non-standard one): Windows matched a certificate to a trusted root by its public key without checking that the explicit curve parameters, the generator included, were the standard ones, so an attacker could craft a key pair whose public key equals a trusted CA's and sign with it
- impacting trust validation in
  - HTTPS connections
  - signed files and email
  - signed executable code launched as user-mode processes
- fixed in the January 2020 Patch Tuesday


Page 8

PEAR supply-chain attack

- PHP Extension and Application Repository
- published in 2019 (breached for 6 months)
- infected package manager file (the go-pear.phar installer) on the project's web site
- malicious backdoor – reverse shell on infected hosts
- similar problems:
  - PyPI repository typosquatting (2017): bzip (original bz2file), crypt (crypto), setup-tools (setuptools), django-server (django-server-guardian-api), etc.
  - Node.js NPM event-stream (2018), targeting a bitcoin wallet
  - CCleaner (2017) – 2.27 million users infected
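A typosquat check for the PyPI cases listed above, as an added example (not from the lecture or any repository's own tooling): names are normalised the way PyPI does (case, `-`, `_` and `.` are interchangeable) and then compared with a Damerau-Levenshtein distance so that both the one-character squats (`crypt` for `crypto`) and the separator squats (`setup-tools` for `setuptools`) are flagged. The `KNOWN` allowlist is constructed (assumption); in practice it comes from the lockfile or an internal mirror.

```python
"""Typosquat check for package names, modelled on the 2017 PyPI cases above.

Added example, not part of the lecture. KNOWN is a constructed allowlist of
legitimate names (assumption: in practice take it from your lockfile or an
internal mirror). Names are normalised as PyPI does (case, '-', '_' and '.'
are interchangeable) and then compared with a Damerau-Levenshtein distance
so that swapped-letter and one-character squats are caught.
"""
import re


def normalize(name):
    """PEP 503 style normalisation: case-fold and collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a, b):
    """Optimal string alignment distance (insert, delete, substitute, swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def check_name(candidate, known, max_distance=1):
    """Return (verdict, closest known name).

    verdict is "known" (exact match after normalisation), "suspicious" (within
    max_distance of a known name, or equal to one once separators are removed)
    or "unknown". An installer hook should block "suspicious" and route it to
    a human; "unknown" is a name that simply is not on the allowlist.
    """
    cand = normalize(candidate)
    known_norm = {normalize(k): k for k in known}
    if cand in known_norm:
        return "known", known_norm[cand]
    best, best_dist = None, None
    for norm, original in known_norm.items():
        # setup-tools vs setuptools: identical once the separator is dropped
        if cand.replace("-", "") == norm.replace("-", ""):
            return "suspicious", original
        dist = damerau_levenshtein(cand, norm)
        if best_dist is None or dist < best_dist:
            best, best_dist = original, dist
    if best_dist is not None and best_dist <= max_distance:
        return "suspicious", best
    return "unknown", best


# Constructed allowlist (assumption)
KNOWN = ["setuptools", "crypto", "bz2file", "requests", "urllib3", "django"]

if __name__ == "__main__":
    for name in ["crypt", "setup-tools", "bzip", "urlib3", "requests", "Django"]:
        print(name, "->", check_name(name, KNOWN))
```

Note what the distance check does not catch: `bzip` for `bz2file` is an alias squat, not a typo, and only an allowlist (or a mirror that serves nothing else) stops it. The same holds for the event-stream case, where the legitimate name itself was handed to a new maintainer; name checks protect against lookalikes, not against a compromised upstream.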


Page 9

Introduction

Security incidents and failures
- various causes (or their combination): human factor, criminal activities, technical vulnerabilities etc.
- impact: "nothing" happened, loss of reputation, cost of repair/replacement of data and systems, direct financial loss, bankruptcy etc.

Vulnerabilities (usually SW):
- reality is worse than the published numbers suggest (unpublished vulnerabilities, weak passwords, misconfiguration, etc.)
- National Vulnerability Database (nvd.nist.gov)
- various other sources exist
  - more sources and vulnerabilities covered, faster publication, additional detail (e.g. how to fix), ...


Page 10

NVD

- operated by NIST
- vulnerabilities (software flaws) published per year:

    year    2015   2016   2017   2018   2019
    count   6453   6449   14646  16517  17311

- includes classification (categories, severity etc.)
- for more detailed analysis, see e.g. Skybox Security: Vulnerability and Threat Trends Report 2020 (statistics for 2019, most exploited vulnerabilities, ...)


Page 11

NVD – the most prevalent categories in 2019

    %      CWE      Title
    13.16  CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    12.18  –        Miscellaneous
    10.31  CWE-20   Improper Input Validation
     7.73  CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer
     6.85  CWE-200  Information Exposure
     4.59  CWE-125  Out-of-bounds Read
     4.27  CWE-284  Improper Access Control
     3.25  CWE-416  Use After Free
     3.10  CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
     3.00  CWE-352  Cross-Site Request Forgery (CSRF)
     2.82  CWE-264  Permissions, Privileges, and Access Controls
     2.46  CWE-787  Out-of-bounds Write
     2.32  CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
     1.96  CWE-287  Improper Authentication
     1.70  CWE-400  Uncontrolled Resource Consumption
     1.55  CWE-269  Improper Privilege Management
     1.52  CWE-77   Improper Neutralization of Special Elements used in a Command ('Command Injection')
     1.50  –        Insufficient Information
     1.47  CWE-255  Credentials Management
     1.47  CWE-476  NULL Pointer Dereference
     ...    ...      ...


Page 12

Examples ... (1)

CVE-2019-9510 (CWE-287 Improper Authentication):

A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later.


Page 13

Examples ... (2)

CVE-2020-7247 (CWE-252 Unchecked Return Value):

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
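The control-flow slip behind that "incorrect return value", as an added example (not OpenSMTPD's code): a Python re-implementation of the decision structure of smtp_mailaddr() as described in the CVE text and the public advisory (Qualys, January 2020), shown beside a corrected ordering. In the flawed version a failed validation with an empty domain is taken to mean "local user" and the function returns success without ever establishing that the local part was valid; the default configuration then hands the sender to a local delivery command through a shell. The local-part and domain checks are deliberately simplified approximations (assumption) of the real ones, the MDA command line is constructed for illustration and is never executed, and `mail.example.org` is a stand-in local domain.

```python
"""Model of the CVE-2020-7247 check described above (CWE-252 / incorrect
return value on validation failure).

Added example, not OpenSMTPD's code: it re-implements in Python the decision
structure of smtp_mailaddr() as described in the CVE text and the public
advisory, so the control-flow slip is visible, and contrasts it with a
corrected version. valid_localpart()/valid_domainpart() are deliberately
small approximations (assumption) of the RFC 5321 checks; the real ones are
stricter. The MDA command line is constructed and is never executed.
"""
import re

LOCALPART_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def valid_localpart(s):
    return bool(LOCALPART_RE.match(s))


def valid_domainpart(s):
    return bool(DOMAIN_RE.match(s))


def mailaddr_vulnerable(user, domain, mailfrom, local_domain):
    """Flawed branch order: when validation fails, an empty domain is taken to
    mean "local user" and success is returned *without* re-checking why the
    validation failed. Returns (accepted, user, domain)."""
    if not valid_localpart(user) or not valid_domainpart(domain):
        if mailfrom and user == "" and domain == "":
            return True, user, domain          # empty return-path for bounces
        if user == "":
            return False, user, domain         # no user part: reject
        if domain == "":
            return True, user, local_domain    # BUG: user was never proven valid
        return False, user, domain
    return True, user, domain


def mailaddr_fixed(user, domain, mailfrom, local_domain):
    """Corrected order: handle the special cases, fill in the local domain, then
    require both parts to pass validation before returning success."""
    if mailfrom and user == "" and domain == "":
        return True, user, domain
    if user == "":
        return False, user, domain
    if domain == "":
        domain = local_domain
    if valid_localpart(user) and valid_domainpart(domain):
        return True, user, domain
    return False, user, domain


def mda_command(sender):
    """Shape of the local-delivery command line the default configuration
    builds (mail.local -f <sender>) and runs through /bin/sh -c; constructed
    here to show why an unvalidated sender matters. Never executed."""
    return f"/usr/libexec/mail.local -f {sender} alice"


def probe(check, user, domain, local_domain="mail.example.org"):
    """Run one check as if for MAIL FROM and show what would reach the MDA."""
    ok, u, d = check(user, domain, mailfrom=True, local_domain=local_domain)
    return ok, (mda_command(f"{u}@{d}") if ok else None)


# Constructed inputs (assumption): a legitimate sender, and a local part made
# of shell metacharacters with the empty domain that steers into the bad branch.
GOOD = ("alice", "example.org")
EVIL = (";sleep 66;", "")

if __name__ == "__main__":
    for name, check in [("vulnerable", mailaddr_vulnerable), ("fixed", mailaddr_fixed)]:
        print(name, probe(check, *GOOD))
        print(name, probe(check, *EVIL))
```

The general lesson is the one the CWE names: a validator that has several "accept" exits must make every one of them conditional on the validation it is supposed to perform, and a caller that builds a command line should treat the value as hostile regardless (pass it as an argv element, or quote it) rather than rely on an upstream check.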


Page 14

Examples ... (3)

Cryptographic Issues (CVE-2017-12373, CVE-2017-13099, CVE-2017-13098, CVE-2017-6168, ...): Cisco, Citrix, F5, wolfSSL, Bouncy Castle, Radware, ...
Return Of Bleichenbacher's Oracle Threat (ROBOT)

Input Validation (CVE-2017-5638) ... Equifax:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
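Detection for attempts against the Struts bug above, as an added example (not from the lecture): the OGNL payloads arrive in the Content-Type (or Content-Disposition / Content-Length) header and are recognisable by the `%{` expression marker and the `#cmd=` string the CVE text mentions, so the scanner decodes each header once and matches those markers over a request log. The log lines are constructed, and the JSON-per-line format with captured headers is an assumption; most default access logs do not record Content-Type, so that has to be enabled on the proxy or WAF first.

```python
"""Detection for CVE-2017-5638 exploitation attempts in web server logs.

Added example, not from the lecture. The OGNL payloads used against the
Jakarta Multipart parser arrive in the Content-Type (also Content-Disposition
and Content-Length) header and are recognisable by the "%{" expression marker
and the "#cmd=" string noted in the CVE text. The log lines below are
constructed (assumption); the format assumed is a JSON-per-line export in
which request headers were captured.
"""
import json
import re
from urllib.parse import unquote

# Markers from the CVE description plus the OGNL context idioms that nearly
# every public payload for this bug needs in order to reach the runtime.
MARKERS = [
    (re.compile(r"%\{"), "ognl_expression"),
    (re.compile(r"#cmd\s*=", re.I), "cmd_variable"),
    (re.compile(r"_memberAccess", re.I), "member_access_override"),
    (re.compile(r"java\.lang\.(Runtime|ProcessBuilder)", re.I), "process_launch"),
]
HEADERS = ("content-type", "content-disposition", "content-length")


def inspect_headers(headers):
    """Return the list of (header, marker) hits for one request."""
    hits = []
    for name, value in headers.items():
        if name.lower() not in HEADERS:
            continue
        # attackers URL-encode parts of the payload; decode once before matching
        text = unquote(value)
        for pattern, label in MARKERS:
            if pattern.search(text):
                hits.append((name.lower(), label))
    return hits


def scan_log(lines):
    """Yield one finding per suspicious request: (timestamp, client, path, hits)."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue      # skip malformed lines rather than abort the scan
        hits = inspect_headers(entry.get("headers", {}))
        if hits:
            yield (entry.get("ts"), entry.get("client"), entry.get("path"), hits)


# Constructed sample log (assumption: not real traffic). The second and third
# entries carry the shape of a Struts OGNL probe; the others are benign.
SAMPLE_LOG = """\
{"ts":"2017-03-07T10:00:01Z","client":"203.0.113.5","path":"/app/login.action","headers":{"Content-Type":"application/x-www-form-urlencoded"}}
{"ts":"2017-03-07T10:00:02Z","client":"198.51.100.7","path":"/app/upload.action","headers":{"Content-Type":"%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"}}
{"ts":"2017-03-07T10:00:03Z","client":"198.51.100.7","path":"/app/upload.action","headers":{"Content-Type":"%25%7B(%23cmd%3D'whoami')%7D"}}
{"ts":"2017-03-07T10:00:04Z","client":"203.0.113.9","path":"/app/upload.action","headers":{"Content-Type":"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}}
not a json line
"""

if __name__ == "__main__":
    for ts, client, path, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(ts, client, path, sorted({label for _, label in hits}))
```

A legitimate multipart upload never carries `%{` in its Content-Type, so the first marker alone is a high-confidence signal; the others mainly help rank which hits to look at first. Detection is a stopgap: the fix for Equifax's situation was the patch that had been available since March 2017.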


Page 15

Other classifications of vulnerabilities

- MITRE:
  - Common Vulnerabilities and Exposures (cve.mitre.org)
  - Common Weakness Enumeration (cwe.mitre.org)
  - Common Attack Pattern Enumeration and Classification (capec.mitre.org)
- Open Web Application Security Project (OWASP, www.owasp.org)
  - primarily for web applications – vulnerabilities, attacks, risks
  - OWASP Top 10 (most critical web application security risks, 2017)
  - Testing Guide (v4, 2014)
  - OWASP Application Security Verification Standard (v4.0.1, 2019)
- more detailed classifications, descriptions, examples, additional information


Page 16

Real world – surveys, analyses, predictions

- EY's Global Information Security Survey 2020
- Verizon's Data Breach Investigations Report 2019
- Skybox Security: Vulnerability and Threat Trends Report 2020
- various security predictions for 2020:
  - Kaspersky, Forcepoint, FireEye, Trend Micro, McAfee, ...


Page 17

Some findings from global surveys

- EY's Global Information Security Survey 2020
  - almost 1,300 respondents (CISO, CIO, etc.)
  - When are cybersecurity teams joining new business initiatives?
    - plan – 36%
    - design – 27%
    - build – 9%
    - tests – 5%
    - deploy – 7%
    - run – 3%
    - never – 7%
  - #1 spending category in cybersecurity budgets is the SOC
  - 26% – the SOC identified the most significant breach over the past 12 months


Page 18

Verizon – 2019 Data Breach Investigations Report (1)

- summary of 2018, global coverage
- Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
- Breach: An incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.
- datasets contributed by various security vendors
- analysis includes 41,686 security incidents, 2,013 confirmed data breaches
- the report provides details for 8 industries


Page 19

Verizon – 2019 DBIR – patterns (2)

[figure: incident and breach patterns chart from the report; not reproduced in the transcript]


Page 20

Skybox Security: Vulnerability and Threat Trends Report 2020

- the report "examines new vulnerabilities published in 2019, newly developed exploits, new exploit-based malware and attacks, current threat tactics and more"
- most vulnerable OS / browser / product
- top malware families: backdoor, ransomware, botnet
- cryptomining decline
- top 4 vulnerabilities used by malware:
  - CVE-2018-8174 (Double Kill) – VBScript engine
  - CVE-2016-4117 – Adobe Flash
  - CVE-2016-0189 – VBScript, JScript in IE
  - CVE-2018-4878 – Adobe Flash


Page 21

What to do – regulatory and compliance frameworks

- NIST SP 800-53 (Rev. 4) Security and Privacy Controls for Federal Information Systems and Organizations (2013)
- NIST Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1, 2018)
- ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls
- Australian Signals Directorate: Strategies to Mitigate Cyber Security Incidents (2017)
- Australian Government Information Security Manual (2020)
- ISACA: COBIT 2019 Framework
- CIS Controls (V7.1, 2019)
- Payment Card Industry – Data Security Standard version 3.2.1 (PCI DSS)


Page 22

CIS Controls V7.1 – Basic (1–6)

https://www.cisecurity.org/controls/

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

- Foundational (7–16)
- Organizational (17–20)


Page 23

CIS Controls V7.1 – (7–20)

7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Page 24

UK: Cyber Essentials Scheme

https://www.cyberessentials.ncsc.gov.uk/

Requirements for basic technical protection from cyber attacks

1. Secure your Internet connection (Boundary firewalls and internet gateways)

2. Secure your devices and so�ware (Secure configuration)

3. Control access to your data and services (User access control)

4. Protect from viruses and other malware (Malware protection)

5. Keep your devices and so�ware up to date (Patch management)


Page 25

Data breaches – examples


Page 26

Marriott breach

- large hospitality company (hotels)
- data leak involving a guest reservation database (Starwood)
- unauthorized access since 2014, detected in September 2018
- 500 million guests (initial estimate; revised in January 2019 to roughly 383 million guest records)
- leaked data – some combination of
  - name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences
  - payment card numbers (encrypted) and payment card expiration dates
- updated numbers from January 2019:
  - 8.6 million unique payment card numbers (encrypted)
  - 5.25 million unique unencrypted passport numbers
  - 20.3 million encrypted passport numbers


Page 27

Equifax and Uber

- Equifax
  - detected: July 2017, started: May 2017
  - 143 million people affected
  - attackers used an unpatched Apache Struts vulnerability (CVE-2017-5638)
  - names, SSNs, birth dates, addresses
  - in some instances, driver's license numbers, credit card numbers
  - December 2018: House Oversight Committee report
- Uber
  - October 2016, revealed: November 2017
  - leaked personal data of 50 million customers and 7 million drivers
  - names, email addresses, phone numbers
  - attack: AWS (Amazon Web Services) logon credentials accessible on GitHub
  - Uber paid the attackers $100,000 to delete the data and keep quiet
  - September 2018: $148 million penalty


Page 28

OPM and Anthem

- Office of Personnel Management
  - detected: April 2015, started: March 2014
  - 21.5 million records
  - attackers with valid user credentials / contractors
  - names, SSNs, dates and places of birth, addresses, security-clearance information
  - 5.6 million sets of fingerprints
- Anthem (managed health care company)
  - December 2014 – January 2015
  - leaked personal data of 80 million customers
  - names, dates of birth, SSNs, health care ID numbers, home addresses, email addresses, employment information, income data
  - attack: some tech employees had their credentials compromised
  - detection: noticing suspicious queries

Similar breach: Premera (11 million people)


Page 29

Ashley-Madison and Friend Finder Network

1. Ashley-Madison
   - data breach announced in July 2015 ("Impact Team")
   - 10GB + 19GB of compressed data
   - ∼37 million records (customers)
   - e-mail addresses, names, credit card transactions, ...
   - source code, e-mails
   - suicides, blackmailing
   - bcrypt + MD5: passwords were bcrypt-hashed, but an MD5-based login token stored alongside them let millions be cracked anyway
2. Friend Finder Network
   - October 2016
   - 412 million accounts (Adult Friend Finder, Cams.com, Penthouse.com, Stripshow.com, ...)
   - addresses, passwords, dates of last visits, browser information, IP addresses and site membership status
   - not the first time (May 2015, 4 million users)
   - plaintext and SHA-1 passwords (lowercased before hashing, no salt)
   - over 99% of the passwords cracked


Page 30

Hacking Team and British Airways

- Hacking Team
  - selling offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations
  - data breach announced: July 2015
  - 400GB (customers, e-mails, 0-day exploits, source code, ...)
  - weak passwords, e.g. "P4ssword", "HTPassw0rd", "wolverine"
- British Airways
  - detected by the airline's partner (a third party, not BA itself)
  - 21 August – 5 September 2018
  - 380 thousand booking transactions
  - names, email addresses and credit card numbers, expiry dates and CVV codes
  - compromised website (modified JavaScript that skimmed the payment form and sent the card data to an attacker-controlled domain)


Page 31

https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Page 32

Other security incidents

- stealing money, malware
  - SWIFT, Bangladesh Bank (2016)
- black-out – Ukrainian Power Grid (2015)
- Mirai – DDoS 1.2 Tbps (2016)
- (crypto-)ransomware
  - WannaCry (2017), Bad Rabbit (2017), ...
  - 2019: University of Maastricht (start: phishing mails in October, end: attack on December 23; 267 Windows servers), 30 BTC paid


Page 33

Appendix


Page 34

The most frequent passwords

How not to choose passwords
source: SplashData, based on leaked passwords (2019, with the change in rank against 2018)

1. 123456
2. 123456789 (+1)
3. qwerty (+6)
4. password (−2)
5. 1234567 (+2)
6. 12345678 (−2)
7. 12345 (−2)
8. iloveyou (+2)
9. 111111 (−3)
10. 123123 (+7)
11. abc123 (+4)
12. qwerty123 (+13)
13. 1q2w3e4r (new)
14. admin (−2)
15. qwertyuiop (new)
16. 654321 (+3)
17. 555555 (new)
18. lovely (new)
19. 7777777 (new)
20. welcome (−7)
21. 888888 (new)
22. princess (−11)
23. dragon (new)
24. password1
25. 123qwe (new)


Page 35

How not to store passwords

Recent examples of storing plaintext passwords (2018–2019)
- Facebook (03/2019)
  - Facebook Lite (primarily), Facebook, Instagram
  - "hundreds of millions" of user passwords (since 2012)
  - searchable by employees
- Google (05/2019)
  - "some portion" of G Suite users (since 2005)
- Twitter (05/2018)
  - more than 330 million users (entire user base)
  - bug (found internally) – storing plaintext passwords in an internal log
- Robinhood (07/2019)
  - commission-free stock trading startup
  - "some users" affected
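The positive counterpart to the last three slides, as an added example (not part of the lecture): it serves the Friend Finder item (SHA-1 of lower-cased passwords, no salt, over 99% cracked) and the SplashData list by cracking a constructed dump of such hashes with nothing more than that top-25 list, and then stores the same passwords the way the "how not to" cases should have, with a per-user random salt and a slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library; argon2id or scrypt are the better choices where a library is available). The usernames, the dump and the demo iteration count are constructed (assumptions).

```python
"""Why unsalted, lower-cased SHA-1 falls in seconds, and what to use instead.

Added example, not part of the lecture. A constructed dump (assumption) of
Friend-Finder-style hashes is recovered with the SplashData top-25 list, then
the same passwords are stored with a per-user random salt and a slow KDF
(PBKDF2-HMAC-SHA256 from the standard library; argon2id or scrypt are better
choices where available).
"""
import hashlib
import hmac
import os

TOP25_2019 = [
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "abc123", "qwerty123",
    "1q2w3e4r", "admin", "qwertyuiop", "654321", "555555", "lovely",
    "7777777", "welcome", "888888", "princess", "dragon", "password1",
    "123qwe",
]


def legacy_hash(password):
    """The Friend Finder scheme: SHA-1 over the lower-cased password, no salt."""
    return hashlib.sha1(password.lower().encode()).hexdigest()


def crack_legacy(dump, wordlist):
    """Dictionary attack: hash each candidate once, then look every user up.

    Lower-casing means "Princess" and "PRINCESS" collapse to one guess, and the
    missing salt means one pass over the wordlist cracks every user at once.
    """
    table = {legacy_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# --- the replacement --------------------------------------------------------
ITERATIONS = 600_000   # order of magnitude the OWASP Password Storage Cheat Sheet gives for PBKDF2-SHA256


def store_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$cost$salt$hash (all hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute with the stored salt and cost; compare in constant time."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed dump (assumption): three users chose list passwords, one did not
LEGACY_DUMP = {
    "u1": legacy_hash("Princess"),
    "u2": legacy_hash("123456"),
    "u3": legacy_hash("QWERTY123"),
    "u4": legacy_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    print("cracked:", crack_legacy(LEGACY_DUMP, TOP25_2019))
    rec = store_password("Princess", iterations=10_000)   # low cost only for the demo
    print(rec)
    print(verify_password(rec, "Princess"), verify_password(rec, "princess"))
```

With the salted KDF the attacker must redo the whole wordlist per user at the stored cost, so the 25-entry pass that cracked the legacy dump in one table build becomes 25 KDF evaluations per account; the Twitter and Facebook cases are a reminder that this only helps if the plaintext never lands in a log on its way to the hash.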
