Here are the CVE vulnerabilities for April 2014 so far.
CVE (Common Vulnerabilities and Exposures) vulnerability data are taken from the National Vulnerability Database (NVD) XML feeds provided by the National Institute of Standards and Technology (NIST).
The most interesting ones (there are 50 listed) in my opinion:
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request.
Notice that if you have a Sophos Web Appliance, it is not like a regular computer with point-and-click or automatic updates, unless it has been configured that way.
(This is not a knock on Sophos; things happen, even to OpenSSL with Heartbleed. But any authenticated user being able to change the admin password amounts to a takeover of the appliance, so this needs to be fixed as soon as possible.)
And as usual, unless there is a security culture, with a number of hours spent on security, a catastrophe will happen, and you are one step closer to headlines and financial ruin.
CVEdetails has a list of all CVEs.
This is a vulnerability in a component that sits in the infrastructure of many Internet web applications: Apache Struts, the Java web framework (not the Apache HTTP Server itself).
Specifically this is CVE-2014-0094,
and this is the line that is important:
The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
The entry also says that actual access to the system is not possible with this vulnerability alone, so it reads like a stepping stone where the attacker gathers more information on the system, and one is tempted to leave it for the regular patch cycle. Treat that reading with caution: reaching the web container's ClassLoader from a request parameter is exactly the kind of foothold that later turns into code execution, and the fix in 2.3.16.1 was itself found to be incomplete (CVE-2014-0112, fixed in 2.3.16.2). Patch it promptly, not in the next regular cycle.
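To make the "class parameter" line concrete, here is an added example, written for this post and not code from the Struts project: a request-parameter filter that drops any parameter whose OGNL-style path contains a segment named class, which is what stops the framework from walking from an action into getClass() and on to the ClassLoader. The bracket forms and the case-insensitive match are my assumptions about how such a filter should be written, not a reproduction of the Struts regex; the constructed request shows a normal field that merely contains the word "class" passing through while the probes are dropped.

```python
import re

# Hypothetical filter (added example, not Struts code): reject any request
# parameter whose OGNL-style path has a segment named "class", so the
# framework never navigates into getClass() / getClassLoader().  Matching is
# case-insensitive on purpose: a filter that only knows lower-case "class"
# is bypassed by "Class.classLoader...", since the getter is the same.
#
# Segments are separated by "." or written as ['class'] / ["class"] / [class].
_CLASS_SEGMENT = re.compile(
    r"""(?ix)                      # case-insensitive, verbose
        (?:^|\.|\[\s*['"]?)        # start of name, a dot, or a bracket opener
        class                      # the forbidden segment
        (?:$|\.|\s*['"]?\s*\]|\[)  # end of name, dot, bracket closer, or next index
    """
)

def is_blocked_param(name: str) -> bool:
    """True if the parameter name would be dropped by the filter."""
    return _CLASS_SEGMENT.search(name) is not None

def filter_params(params: dict) -> tuple:
    """Split a request's parameters into (accepted, rejected_names)."""
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_blocked_param(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected

if __name__ == "__main__":
    # Constructed request: normal form fields plus ClassLoader probes.
    request = {
        "user.name": "alice",
        "classification": "public",                   # contains "class", still a normal field
        "class.classLoader.resources.dirContext.docBase": "/tmp",
        "Class.classLoader.delegate": "false",        # capitalised variant
        "user['class'].classLoader": "x",             # bracket form
    }
    ok, dropped = filter_params(request)
    print("accepted:", sorted(ok))
    print("rejected:", dropped)
```

The point of the example is the name check, not the values: once the parameter name is allowed to name a path into the object graph, the framework does the navigation for the attacker, so the filter has to refuse the path before binding happens.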
I am not sure if anyone is saying this, but there are no guarantees on the Internet.
We will be honest with you and tell you the straight facts, even to our detriment.
Old attacks still come at you. Here is a page from 1998 (old.stat.duke.edu) listing how attackers hid where they came from:
- Bouncing through previously compromised hosts via telnet or rsh.
- Bouncing through Windows hosts via WinGate proxies.
- Bouncing through hosts with misconfigured proxies.
Today the same idea is known as hackers using "zombie" computers to attack you.
Zombies are computers that have already been compromised and are then used by the attackers as launch points, so the attack appears to come from the zombie rather than from them.
There are no guarantees in the security field: tomorrow can bring a new vulnerability, or an old one can become potent again. The patching and testing never end; one has to keep doing it to stem the tide. Are the systems configured correctly? We may have tested your environment, and you may have fixed the problems we mentioned, but tomorrow is another day, and something out of your control can happen and turn a weak link into a breach.
What can be done?
You have to have a risk analysis and go from there. Contact me to discuss:
Tony Zafiropoulos 314-504-3974 email tonyz"@"fixvirus.com
Session hijacking is where an attacker steals a network session by obtaining its session identifier, whether by guessing it, sniffing it off the wire, or other means. In a web application the session ID is a token (usually a cookie) that the client sends with every request to the server; whoever holds the token is the user as far as the server is concerned. (TCP itself has no session ID; hijacking at that layer works by predicting sequence numbers, which is why modern stacks randomize them.)
Once the hacker has a web server session they will try to gain more access on your web server.
The problem is cataloged at www.owasp.org.
Once the hacker has an in, they build from there (this is called a beachhead). The beachhead is only the start: an initial command line will most likely be used to add to their access, as the hacker tries to extend their conquest.
This is why a defense-in-depth strategy is important, as new hacking methods keep coming in. The system administration overhead has to be kept up, otherwise the hackers win.
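What "guessing the session ID" looks like in practice, as an added example that is not part of the original post: a deliberately weak session-ID scheme (a counter plus the login time, both constructed for this illustration) next to a sound one drawn from the OS random generator. The attacker in the weak case logs in, reads their own ID, and enumerates the handful of values the next victim can have received.

```python
import hmac
import math
import secrets
import time
from typing import Optional

# Added example (not code from the post): a deliberately weak session-ID
# scheme beside a sound one, showing why "guessing the session ID" works
# against the former and not the latter.  Class and function names are
# constructed for this illustration.

class WeakSessionStore:
    """Session ID = per-server counter followed by the login time in seconds.
    Both parts are easy to estimate, so the space an attacker must search
    is tiny."""

    def __init__(self, start_counter: int = 1000):
        self.counter = start_counter

    def new_session_id(self, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        self.counter += 1
        return f"{self.counter:08d}{now:010d}"   # 18 decimal digits, no secret

def predict_next_weak_id(observed: str, login_time: int, window: int = 5) -> list:
    """Attacker's view: from one observed ID (their own session) and the
    approximate time of the victim's login, list every candidate ID the
    victim could have received.  Only the clock is uncertain."""
    counter = int(observed[:8]) + 1
    return [f"{counter:08d}{t:010d}" for t in range(login_time, login_time + window)]

def strong_session_id() -> str:
    """128 bits from the OS CSPRNG; nothing about one ID helps guess another."""
    return secrets.token_urlsafe(16)           # 16 random bytes -> 22 characters

def search_space_bits(candidates: int) -> float:
    """Effective entropy: how many bits an attacker has to brute-force."""
    return math.log2(candidates)

def session_ids_match(presented: str, stored: str) -> bool:
    """Compare in constant time so the server-side lookup does not leak
    partial matches through response timing."""
    return hmac.compare_digest(presented.encode(), stored.encode())

if __name__ == "__main__":
    store = WeakSessionStore()
    attacker_own = store.new_session_id(now=1_400_000_000)   # attacker logs in
    victim = store.new_session_id(now=1_400_000_002)         # victim, 2 s later
    guesses = predict_next_weak_id(attacker_own, login_time=1_400_000_000)
    print("weak ID recovered:", victim in guesses,
          f"({search_space_bits(len(guesses)):.1f} bits to search)")
    print("strong ID:", strong_session_id(),
          f"({search_space_bits(2 ** 128):.0f} bits to search)")
```

The weak scheme is recovered with a search of a few seconds' worth of candidates, a couple of bits of work; the strong one leaves 128 bits and no structure to exploit. Predictability is only half of it: the same token also needs to travel over HTTPS only and be re-issued on login, otherwise sniffing or fixation gets it without any guessing.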
Contact us to find and test your webserver.
Rapid7 maintains Metasploit, a framework that runs many exploits against a target machine.
"It is the world's most used penetration testing software."
Hackers use it, it is a great teaching tool, and of course we would use it in some of our testing on your systems to see if we can penetrate and make the machine what is termed "pwned" (an offshoot of "owned"). Hackers take pride in showing off their ability. That is what they do.
Let us know if we can test your systems, so that you know for sure how they hold up against a specific attack, rather than not knowing and being unaware.
Is there a weak link?
Is your firewall fully patched? Does it have the latest firmware? Are all ports closed that should be closed? Are the ACL (Access Control List) rules working correctly?
Does the web server have software running that should not be running?
Who has checked your computers for misconfigurations?
We can help with our testing services: (A – Σ – Ω)
Also at our solutions page: http://oversitesentry.com/?page_id=26
We use Kali Linux (a penetration-testing distribution used to assess the status of your computers) to create reports that you can then use to fix the configurations.
Malwarebytes has a good FAQ about the Heartbleed problem; we have posted about it on our own blog on Oversitesentry as well.
Essentially there are online tools (LastPass has one) to find out whether a website you are using is vulnerable.
If it is vulnerable, you should assume that your communication with that site can be compromised. Will it be? Let's discuss this; sure, it may not be, and this may seem like alarmism to you. The problem is that there are millions of hackers on the Internet, and they are working full-time to hack you.
That is their job; they have decided to make a life of hacking. And since the Internet allows everyone to connect to everyone else, these criminals are trying to hack you all the time.
So yes, it may sound like alarmism, but there is a reason for it. People do get hacked and lose their financial identity. That is not a joke, and true, there are a lot of vulnerabilities, and it seems we are saying "patch this and that" all the time...
But that is the new world we live in: 7 billion people in the world, of which X are connected and Y are criminals. Y = at least a million. Do you want to risk a million criminals' attempts and "hope" you will not get hit?
First of all, there are many ways a system can become vulnerable; here we will not look at malicious or badly configured machines.
We will look at a way a vulnerability appears over time without anyone meaning it to.
I was installing some software the other day... and noticed that while it installed itself it also created a service which allows a browser to open it like this: http://localhost:33308/, which means it created a "port" or service at 33308. localhost is your own computer.
But imagine a year or two from now and you did not update this software as changes were made to it. What if a security vulnerability was found, and the "old" version at 3.4.0 is vulnerable and can be broken into with the latest Metasploit release, which carries modules for old vulnerabilities?
Now presto: you thought you were safe, but have not considered that the software you downloaded a long time ago is not secure anymore. Hackers will find a way in; that is what they do. Your IT department does not know this software is running, or if they do, they may not have handled it either, especially if it is non-standard. How do you know?
[Screenshot: the browser session to the Python service on port 33308.]
Well, the only way to know is to audit or review your systems. What ports are open? What are they supposed to be doing? Is a mail server supposed to be running on the local system? If not, that is a red flag.
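The audit described above can be scripted. Here is an added example, not code from the post, that parses `ss -lntp`-style output (a constructed sample, with a Python listener on 33308 and a mail daemon on 25 standing in for the surprises) and compares every listening socket against a baseline of what the host is supposed to run. The baseline and the list of mail ports are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Added example (not from the post): audit a host's listening sockets against
# a baseline of what is supposed to be running.  The input is constructed
# `ss -lntp`-style output; the baseline and mail-port list are assumptions.

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
MAIL_PORTS = {25, 465, 587}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample: what a workstation looked like when `ss -lntp` was run.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=990,fd=6))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1203,fd=13))
LISTEN  0       5       127.0.0.1:33308      0.0.0.0:*          users:(("python",pid=4410,fd=5))
"""

# Assumed baseline: port -> the process that is allowed to own it.
BASELINE = {22: "sshd", 80: "nginx"}

@dataclass
class Listener:
    addr: str
    port: int
    process: str
    pid: int

def parse_ss_output(text: str) -> list:
    """Parse `ss -lntp` rows into Listener records (header row skipped)."""
    out = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[3].rsplit(":", 1)        # "Local Address:Port"
        m = _PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        out.append(Listener(addr, int(port), process, pid))
    return out

def audit(listeners: list, baseline: dict) -> list:
    """Return (port, severity, message) for every listener that is not in the
    baseline or is owned by a different process than expected.  Anything bound
    to all interfaces is reachable from the network and rated high; a
    loopback-only service still matters (whoever lands on the box can reach
    it) but is rated medium."""
    findings = []
    for l in listeners:
        exposed = l.addr in WILDCARD_ADDRS
        expected = baseline.get(l.port)
        if expected is None:
            kind = "mail service" if l.port in MAIL_PORTS else "listener"
            findings.append((l.port, "high" if exposed else "medium",
                             f"unexpected {kind}: {l.process} (pid {l.pid}) on {l.addr}:{l.port}"))
        elif expected != l.process:
            findings.append((l.port, "high",
                             f"port {l.port}: expected {expected}, found {l.process} (pid {l.pid})"))
    return sorted(findings)

if __name__ == "__main__":
    for port, sev, msg in audit(parse_ss_output(SAMPLE_SS), BASELINE):
        print(f"[{sev:6}] {msg}")
```

Run against the sample it reports the mail daemon on 25 as high (it listens on every interface) and the forgotten Python service on 33308 as medium (loopback only, but still a way to pivot for anyone already on the machine). The useful habit is keeping the baseline under version control and running the comparison on a schedule, so a new listener shows up as a diff instead of being discovered by an attacker.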
Use our services: (A – Σ – Ω) Solution to find out. contact us
Wired ran an article a while ago (January 6th, 2014) on this. Its key line:
To understand the problem, you need to understand the embedded systems market.
The problem is that the chip manufacturers ship their parts with custom firmware and build settings that frequently include exploitable services, and the devices built on them do not get patched, since no one tests them and the vendors have moved on to the next product.
We have found viruses on these machines. The only ways to fix them are either to disconnect them from the Internet or to wait for the manufacturer to provide a fix, which may take months.
You must test your whole environment, not just the known network devices, since someone may have plugged in an appliance that becomes vulnerable to easy-to-use hacker programs.
Use our Solutions page to help you decide how we can help.
"Casing" a target is also called enumeration: the hacker reviews what types of systems you have exposed to the Internet.
It is the first step in attempting a breach of your infrastructure.
This is where a scan finds out what programs you are running and on which ports.
Then the (unethical, of course) hacker attempts to break your defenses. Hopefully you have the latest patches, the passwords are tough to crack, and so on.
Once the hacker has a beachhead the attacks are different in nature, as they are now inside the network and the attacks come from the inside. One of the first things they do is increase their capabilities by obtaining more permissions and more systems.
Second, the hacker will create their own accounts, so they can come and go as they please.
Third, the hacker will take what they were looking for, or use your computers to launch more attacks. It depends on who the hacker is and their goals.
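The first step above, enumeration, as an added example that is not part of the original post: a small banner-grabbing scanner that connects to a list of ports, records which ones answer, and reads what the service volunteers about itself, which is what tells an attacker (or you, running it against your own hosts) that "something on 22 is OpenSSH 6.6". The two target services are stand-ins started on 127.0.0.1 inside the example, and the fingerprint rules in classify() are constructed for it.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

# Added example (not from the post): the "casing" step as code.  A small
# banner-grabbing scanner enumerates which ports answer and what the service
# says about itself.  The target services are stand-ins started on loopback
# inside the example, and the fingerprint table is constructed.

def serve_banner(banner: bytes):
    """Start a throwaway TCP listener on loopback that greets each client with
    `banner` and hangs up.  Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # server socket closed -> stop
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Connect and read whatever the service says first.  None means closed
    or filtered; "" means open but silent (HTTP, for one, waits for the client)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
        return data.decode("latin-1", "replace").strip()
    except OSError:
        return None

def scan(host: str, ports, workers: int = 32) -> dict:
    """Enumerate the given ports in parallel; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: (p, grab_banner(host, p)), ports))
    return {p: b for p, b in results if b is not None}

def classify(banner: str) -> str:
    """Rough service guess from the banner (constructed fingerprint rules)."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("220") and "smtp" in b:
        return "smtp"
    if b.startswith("http/"):
        return "http"
    return "unknown" if b else "silent"

if __name__ == "__main__":
    fake_ssh, p1 = serve_banner(b"SSH-2.0-OpenSSH_6.6\r\n")
    fake_smtp, p2 = serve_banner(b"220 mail.example.test ESMTP Postfix\r\n")
    for port, banner in sorted(scan("127.0.0.1", [p1, p2, 1]).items()):
        print(f"{port}/tcp open  {classify(banner):8} {banner}")
    fake_ssh.close()
    fake_smtp.close()
```

Everything the attacker learns here comes from what the service announces unprompted, which is the argument for trimming banners and version strings where the software allows it, and for the earlier point that the service on the forgotten port is what gets found first.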