Hackers are always searching for ways to target and dismantle security. But, the questions do indeed continue about how hackers find a way in, how they exploit vulnerabilities, and ways to do this dismantling. What is the main answer? Research!
There are many different things that hackers do that gives them the wide open door into vulnerabilities:
- Hackers study their target well in advance of actual hacking. They do their homework, and figure out how strong the target is, how to exploit the vulnerability, method of attack, backup plan, and anonymity.
- Hackers commonly use search queries through search engines to create a map of the target’s vulnerabilities. Many different items can be for display when creating a map, such as server statistics (downtime/uptime), platform usage, coding languages, and other miscellaneous unspecific information.
- The map is configured carefully to build a complete intelligence database (which can be shared for high fees across the hacker community). It compiles a lot of information not only through research as explained above, but also uses government databases, financial filings, court records, etc. Who would’ve thought to check for stuff like that?
- The hacker’s main purpose after doing the research is to identify any security and technology officers on staff at the company. The hackers needs to know the security architect, how powerful they are, some of the recent meetings, new plans, etc. The hacker reads how the roadmap is for the officer, and whether the time to attack is good soon, or whether the hacking should be held off. (Not really a lot of time to decide, to be honest)
- The last stage of research before the planning of the attack, the hacker looks for business partners, trusted or strategic customers, suppliers, etc. that are used by the target. It may be easier, sometimes, to attack a smaller business partner than the actual target, some have argued. But, this information is dependent on the information gathered in the search engines and other info.
- Once this is all compiled, all of the information offers a list of likely points within the target to attack.
- The attack is usually staged, literally, in efforts to find the target point, nailing it at the right time, and exiting without being caught. This is in hopes of securing the vulnerability exploit well, and knowing the best route to escape.
- The hacker attacks when ready, and the operation is complete soon after. The idea or methodology for a hacker is to “push in, pull out” or like Facebook would say “Move fast, break things”. What a philosophy!
There is little that can be done, when you have a public company, and all the information on the company is widely available. People will do their research. You can reduce the significance of the threats of hackers by conducting the same research yourself, setting up your own map, and conducting competitive counter-intelligence. This can be a difficult things to learn.
It’s best to take necessary operations to ensure that if a hacker comes nearby, to always be ready using the following methods (some may not apply to your business):
- Secure all servers with adequate security protection. Through good amounts of searching on search engines, you can find a wealth of free tips and more whitepapers on good server security. Simply searching for “server security” will result in a lot of good results. Also, it’s good to look for SQL Security, which is a very good, invaluable resource.
- Encrypt passwords incoming to your server! When people enter passwords in to your website (for accounts and logins), make sure they get encrypted. If the passwords are being sent in plaintext form, this can make the passwords easy to read while in transmission to the server from the user’s browser.
- Always have good passwords at your end. Everyone should have a very good password. It’s best to have a password consisting of at least 8 total characters in the form of at least one capital letter, one small letter, one number, and one symbol. This is the best way, and the only other way to prevent it from being hacked easily. There is no longer 100% protection from your password being stolen. Some of the best passwords can be stolen easily. But, at least having a very good password will protect you while other security methods can be implemented (fingerprint scanners, voice activation, unique ID codes, etc.).
- Encourage your users to have good passwords, by forcing them to use the characteristics described above for their password.
- Have weekly meetings with your staff about how best to implement security policy, some of the latest threats, the analytics behind your network (server uptime/downtime, security breaches, etc.), and future plans to implement policies.
By following all these simple steps, your company can become widely aware of hackers and be able to implement good security policy that will save a lot of time and money!
The following are good questions to do/answer about security at your company (some may or may not pertain):
- Are employees trained and appropriately monitored with how to stay safe (on the computer/online)?
- Are cash-handling processes, flow, etc. documented well?
- Are wireless communications locked down or protected?
- Are your cash registers, networks, and procedures correctly up-to-date with the latest software updates?
- Do your terminals for the call center display only necessary information about customers?
- Are the facilities well maintained and well-lit for safety, not only for customers but also employees?
- Is physical access control in place and used well?
- Are your defenses developed and well maintained with new updates in virtualization and private clouds?
- Are doors, walls, and windows properly resilient?
- Are there proper security measures in the parking lot, such as cameras, fencing, lighting, call boxes, patrols? (Probably best for large companies with huge parking lots)
- What are the hours of operation?
- Can the HVAC system be used as a portal to your company? (In other words, can people get in to the HVAC system and get into your building?)
- What are consequences of physical disruption of the HVAC system?
- For the loading docks, do you have a visual record of each delivery and associated personnel? Do you know each delivery person, are they commonly the one who do the deliveries, and do they deliver similar amounts of good each time?
- Is the loading dock ever left unattended or does someone maintain it all the time (people change shifts as needed)?
- Can security systems be connected to inventory systems? Does it increase efficiency?
- Are your employees trained to recognize and properly handle a suspicious package? Do you have common rules established for it?
- Are all records appropriately encrypted, locked up, or any other way protected?
- How does data get destroyed, if needed? Paper shredder? File deletion?
- How are records secured when they are transferred to you, whether physical or digital?
Thanks to CSO for inspiration!
Let’s discover the vulnerabilities of CVE-2012-4681 and CVE-2012-5076, what’s similar and what we can learn about these two serious vulnerabilities. These use a Java reflection mechanism that breaks applet security restrictions, and allow a malicious payload. In other words, they bypass security and execute malicious code.
Now, Java reflection is used in programs commonly, usually those requiring the examination of runtime behavior of applications running in Java Virtual Machine. It is very convenient for Java developers (despite saving time) to write Java programs, but it also opens up more opportunities for exploits.
Now, to open up for the technical part, which you can skip if you don’t understand Java or it would give you a headache. 🙂
== TECHNICAL START ==
Java reflection has many functions and they are:
- GET class
- GET all members and methods in class include private ones
- Invoke methods
Java’s big vulnerability in dealing with reflection is that it allows hidden fields. Obviously, this isn’t a true flaw (meaning the Java developers don’t see a problem), but it would help to change this attribute to avoid further problems.
Now, CVE-2012-4681 used Java reflection to induce a hidden field that was called statement.acc. It implemented, also, the “setfield” function, which changes the value of the ACC file (found in the hidden field). To break the code, “Java.beans.statement” would be implemented.
So, in Java, we’d see:
SetField(Statement.class, "acc", localStatement, localAccessControlContext);
Then, as we analyze CVE-2012-5062, we see the big offender, “util. GenericContructor”, which is used to create an object from a restricted class. We would implement it like “sun.invoke.anon.AnonymousClassLoader”, and then call its function “loadclass” – that would deliver the malicious payload. Here is a breakdown of how the payload would work:
- GET the method “loadclass” and then invoke.
- GET the method “r” in payload and then invoke.
- Using “Class.forName” to load a target class
- Using “getDeclaredFields”, which would enumerate all fields (not including hidden ones).
- Using “setAccessible” to expose hidden/private fields.
== TECHNICAL END ==
Obviously, it’s time, researchers, to keep an eye on Java reflection vulnerabilities.
Windows 8 is apparently more secure than Windows 7. Perhaps this is true, and it is best to learn what security features there are for the new operating system. Some of these security features are verified to help out very well in the security of Windows 8, and some may not be in time, or lastly some may not work at all.
One of the most discussed security features is Secure Boot. Now, Secure Boot is a Unified Extensible Firmware Interface (UEFI) specified in the boot process to check cryptographic signatures of kernel-mode drivers, making sure they aren’t modified or corrupted. In other words, the boot process is now made to check if the operating system has been corrupted by malware or some other issue.
This is all part of a hardware restriction process called Hardware DRM. All non-ARM devices have the option to turn Secure Boot off, however ARM devices must keep it on. Experts state that it will be resistant to rootkits, since the MBR and BIOS cannot be accessed, unless if someone working on the computer penetrates it.
Next, Windows 8 features better built in antivirus software, with a much better improved Windows Defender. The software in Windows 8 is combined with the optional tool Microsoft Security Essentials. Now, with Windows Defender super-powered with MSE, it has much more anti-malware features.
With better anti-malware features, Internet Explorer is now made with better features as well. It has the ability to prevent zero-day exploits much greater than previous versions of Internet Explorer. With the challenges of exploiting Windows 7, there was the issue risen up again for Java and Flash Player, so hackers can gain control over the operating system. Those browser plugins are now easier to exploit than the Internet Explorer’s code.
A new application sandboxing environment called AppContainer provides the ability to run all apps in a controlled environment, where it controls how apps work. This prevents apps from disrupting the operating system. Of course, this is just supplemented by Internet Explorer’s SmartScreen filter, which prevents the download/install of known malicious software. However, Windows 8 now has SmartScreen available for any app, allowing even more prevention. Of course, this means Microsoft employees are going to increase in numbers, if they really want to keep up. Now that hackers know their new challenges, they will be relentless.
The questions are still played on whether Windows 8 will be a repeat of Vista or not. The reality of the situation, is if Windows 8 has big popularity, then the security issues will also light up big time. However, many will stick to Windows 7, so the security issues for Windows users are not close to be over. Feel free to take a look at related articles below for Symantec’s opinions, which aren’t too well on the new OS.
Added October 31, 2012: Trusted Platform Module, read more
Keep up with the latest security tips on our blog here. In addition, please donate to help us continue to write these awesome whitepapers.
- Over Half Of Windows 8 Users Still Prefer Windows 7 (webpronews.com)
- Gates: New Windows 8 system is `very exciting’ (seattletimes.com)
- Windows 8 Security Is Not Good – Symantec (news.softpedia.com)
- UEFI and Secure Boot: The Hell I Went Through (prismdragon.wordpress.com)
As you upgrade to the iPhone 5, please keep in mind some principles, both personal and business.
- If your iPhone will be handed down to a child, make sure ALL critical data is removed from there. This includes all business data, personal details, etc. It is highly critical to maintain your business and personal identity.
- As new devices are created, new threats are created as well. These security threats need to be identified and taken care of. Just because it is a new iPhone does not mean it’s immune from security threats. Security is a losing battle, because hackers are always trying to stay one-step ahead of programmers/developers. While developers are working around the clock trying to prepare these new capable hardware/software, hackers are doing the same working against them.
- The iPhone 5 is set to accelerate BYOD, which means better available options to network administrators. Things like data copying, wiping operations (erasing loads of data), etc.
- The iOS 6’s Passbook feature can store financial information for securing digital transactions. If you’re comfortable storing that information go ahead, otherwise just keep it off.
- Emails, texts, and calendar appointments can be modified by the Siri app, without requiring the administrator to log in to the device.
- If Apple succeeds in the acquisition of AuthenTec, it allows for a fingerprint identification security system for the device, making it more secure physically. But this technology is pending at the moment.
- Apple calls the iPhone 5 “The thinnest, lightest, fastest iPhone ever”, but they mention nothing about security do they?
If this has helped you personally or your business in any way, please consider making a donation to help further the seCURE Connexion project.