DevCentral

Security Trends in 2016: Known Vulnerabilities Are Still Dangerous



FINISH HIM! SSHowDowN Wins! The proxy attack Akamai published on last October (2016) sounds like a character from Mortal Kombat. That would be a fun MK character, a little digitized malware-bot killing Sub-Zero or Goro. In reality, and as an actual real-world threat, SSHowDowN is a proxy exploit of OpenSSH daemons running on exposed devices (yes, the same devices that everyone's pwning these days). Where Mirai exploited users' failure to change default username/password combos (and to disable telnet), SSHowDowN exploited the 12-year-old vulnerability CVE-2004-1653, which allows OpenSSH to be used as a TCP tunnel for malicious traffic not originating on the system. The issues are two-fold: A) we have devices shipping with SSH exposed and tunneling features enabled on public interfaces, and B) it's been out there for 12 years. We have to assume exploits exist that we don't know about, and enterprise-adopted source code is public; both good and bad users now have the chance to pore over decades of material looking for these hidden gems. 2016 gave us many more exploits of old known bugs, so why are old bugs still causing us heartache?

What The Experts Say

HPE Security Research's 2016 Cyber Risk Report listed 7 major themes for the previous year; three of them strike chords related to this article:

Theme #5: The industry didn't learn anything about patching in 2015
Theme #6: Attackers have shifted their efforts to directly attack applications
Theme #7: The monetization of malware

Additionally, patching vulnerabilities involves 4 generalized steps:

1. Researcher uncovers vulnerability; reports to vendor
2. Developers implement a fix
3. Vendor releases a patch
4. End user deploys a software update

The first step is usually made through a bug bounty program, and here we run into a flaw: White versus Gray versus Black markets have made bugs a very lucrative mini-industry. Monetizing exploits is now big business and creates divergent paths for fixing known vulnerabilities for the various hat-colored people.
White Hats make money via bug bounties, Gray Hats make money by selling through private brokers who supposedly resell to ethical and approved sources. And then there's Black Hats, and they do what they do best.

An Update Is Available... But You Can Keep Your Vulnerabilities

April of 2016 saw Oracle publish technical information to the public on the known vulnerabilities of older editions of Java and steps to reduce client risk. This alerted the general public that newer versions of Java installed alongside previous versions instead of overwriting the previous install. Some developers do require multiple versions of Java, and that's a handy feature. For most people installing Java (read: consumers) this was unknown. This allowed old public vulnerabilities to coexist with their patched counterparts, undermining patching efforts. Oracle did create uninstall procedure instructions and published alerts through various media outlets, because it was required to by the FTC. In this case, because the known vulnerabilities were listed as fixed in release notes, a malicious user could simply read Oracle's own documentation to learn what the older versions still left exposed.

That Bug Is Old Enough To Drink

May of 2016 saw Slackware releasing a patch for a 21-year-old bug which allowed a malicious user to execute remote DoS attacks by exploiting CVE-2016-10087, a null-pointer-dereference bug in png_set_text_2(). The libpng owners, in their own documentation, had warned of the flaw since July of 2000. Now pause... the CVE is new, the library's been around for a long time, and the flaw was known and documented. This re-raises the public discussion on ownership's responsibility for code, a debate made popular during the Shellshock and Heartbleed blame games. What CVE-2016-10087 does illustrate is that a lot of open source is capable of being investigated and potentially exploited. Mind
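Going back to the SSHowDowN section: the CVE-2004-1653 behaviour is that OpenSSH leaves AllowTcpForwarding on unless the config turns it off, so a device whose sshd_config never mentions forwarding is already a tunnel. The following is an added example (not Akamai's, F5's or OpenSSH's code) that reads an sshd_config, applies the defaults from the sshd_config manual page, and reports the forwarding directives that still leave tunnelling open; it simplifies the real grammar by stopping at the first Match block, and the two sample configs are constructed.

```python
# Effective OpenSSH defaults for the directives that matter here
# (from the sshd_config manual page): forwarding is on unless disabled.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permittunnel": "no", "permitopen": "any"}
# What a device exposing sshd on a public interface should present.
WANTED = {"allowtcpforwarding": "no", "gatewayports": "no",
          "permittunnel": "no", "permitopen": "none"}


def parse_sshd_config(text):
    """Return effective global settings as {lowercase directive: value}.

    Mirrors sshd's rule that the first occurrence of a directive wins.
    Directives inside Match blocks are conditional, so parsing stops at
    the first Match line (a simplification of the real grammar).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def forwarding_findings(text):
    """Return (directive, effective value) pairs that leave tunnelling open."""
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in parse_sshd_config(text).items()
                      if k in effective})
    return [(k, v) for k, v in effective.items() if v != WANTED[k]]


# Constructed sample configs, not taken from any real device firmware.
WEAK_CONFIG = "Port 22\nPermitRootLogin no\n# forwarding never mentioned\n"
HARDENED_CONFIG = ("Port 22\nPermitRootLogin no\nAllowTcpForwarding no\n"
                   "GatewayPorts no\nPermitTunnel no\nPermitOpen none\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, forwarding_findings(cfg))
```

The weak config reports AllowTcpForwarding and PermitOpen even though neither appears in the file, which is exactly the silent default the 2004 CVE describes.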

DevCentral, by F5 DevCentral Team