In the previous Part 1 post, I discussed the initial response, risk, and mitigations for the recently-disclosed zero day Oracle Java vulnerabilities that attackers have used in attacks against vulnerable end-user systems. Since then, Oracle has released software updates that correct the original flaw documented in IntelliShield alert 26751, as well as for additional vulnerabilities, as documented in IntelliShield alert 26831.
Attacks leveraging the Java vulnerabilities have increased, with reports indicating that tens of thousands of systems have been compromised. The malicious software toolkit BlackHole, documented in IntelliShield alert 25108, has incorporated the previously-reported Metasploit exploit and can be used to build exploits for use in attacks. Observed exploits have installed the Poison Ivy remote access trojan, and other malicious software may also be downloaded and installed using Poison Ivy, once installed on a vulnerable system.
Read More »
Tags: java, java security, Oracle, security, vulnerabilities
A few weeks ago I had the pleasure of participating, as a guest speaker, in a webinar titled “Targeted Attack, Targeted Response: Designing and Implementing an IR Plan That Works.” Joe Riggins, Senior Director of Incident Response for HBGary, moderated this Q&A format webinar. We discussed the current incident response (IR) challenges companies are facing, as well as specific steps organizations can take to design, test, and successfully implement an ongoing IR plan for their specific business environment.
The webinar recording can be accessed here.
Read More »
Tags: incident response, security
The Cisco Intrusion Prevention System (IPS) includes Global Correlation capabilities that utilize real-world data from Cisco Security Intelligence Operations (SIO). We have seen on this blog before how IPS Global Correlation can be used to detect and validate the urgency of emergent threats as well as allow our team to hone the protection capabilities of our IPS Sensors.
Perhaps more fundamentally however, Global Correlation allows Cisco IPS Sensors to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco SensorBase using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.
Our team has recently published a new white paper that explores the benefits of IPS Global Correlation and how they relate to various IPS deployment scenarios. I would like to share a couple of items from the white paper and encourage you to read it for more information.
Read More »
Tags: global correlation, IPS, security, sio
Security researchers discovered a Java vulnerability (documented in IntelliShield alert 26751) that attackers are using to install malicious software on a victim’s systems. No software updates are available that correct the vulnerability (Updates are now available, see Part 2 of the blog). The attacks are currently limited in nature. There have been few reports of attacks that rely on the vulnerability. Now that Metasploit developed a functional exploit, continued attacks that leverage this vulnerability increase in likelihood as time goes on. US-CERT has issued a related vulnerability note. Administrators can monitor this and other ongoing activity at the Cisco Security Intelligence Operations portal.
It is not yet clear what attackers hope to gain out of the attacks observed in the wild. Goals may differ between individual attacks. Current exploits appear to install a malicious software dropper that may install other malicious software, but to what end is unknown. Attackers may attempt to install malicious software that monitors keyboard input and network communication, hoping to gain user credentials for either external resources to aid in fraudulent activity or to access other internal systems within the targeted site.
Read More »
Tags: client side attacks, java, java security, security
The practice of using Open Source Software (OSS) and other third-party software (TPS) to build products and services is well established. Not only can it create tremendous efficiency–why build an operating system or web server if you don’t need to?–it also allows individual products to leverage best-of-breed functionality. This best-of-breed functionality can be critical on today’s Internet as security and scalability are often difficult or even patently ignored until it is too late.
The use of TPS to build things has been so successful and is so widespread that many products may even be assembled from a majority of software written by unknown third parties. This practice is not without its challenges. One of those challenges is security.
How does the security of a product’s constituent TPS affect its own security? How does the creator of the product learn of, manage and ultimately resolve security issues that originate in the relevant TPS packages?
These are the types of questions I attempted to address during a recent presentation at O’Reilly OSCON 2012. During that session I touched on seven challenges and offered five tools that I believe can make a difference.
Our friends on the Cisco Security Marketing team have posted the slides from that presentation online at slideshare.net.
Is this an area of concern for you? If it is, I’d like to know how you are tackling it. What is working well? What is working not-so well?
Tags: open source, product security, security, third party software