
A comprehensive study shows that you’re probably taking way too long to patch your box.
Plus research on possible iOS backdoors, TOR’s nasty bug, your questions, our answers, and much much more!
— Show Notes: —
Qualys releases “The Laws of Vulnerabilities 2.0”
- Qualys, known for the SSL Labs site where you can test the encryption capabilities of your browser and web server, has released the new version of their “laws”
- Qualys sells an “on demand vulnerability management solution” which does continuous perimeter monitoring of a network and scans servers for vulnerable versions of software and services
- Using the data they have collected they did statistical analysis and came up with some basic laws that cover the “vulnerability half-life, prevalence, persistence and exploitation trends for five critical industry segments including Finance, Healthcare, Retail, Manufacturing and Services.”
- The average system remains vulnerable for 30 days. Service sector usually patched within 21 days, whereas Manufacturing usually took 51 days
- The most popular vulnerabilities are regularly replaced, leaving some systems almost continuously vulnerable
- “the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed.”
- “Eighty percent of vulnerability exploits are now available within single digit days after the vulnerability’s public release. In 2008, Qualys Labs logged 56 vulnerabilities with zero-day exploits, including the RPC vulnerability that produced Conficker. In 2009, the first vulnerability released by Microsoft, MS09-001, had an exploit available within seven days. Microsoft’s April Patch Tuesday included known exploits for over 47 percent of the published vulnerabilities. This law had the most drastic change from the Laws 1.0 in 2004, which provided a comfortable 60 days as guidance”
- Compared to the past, installing updates in a timely fashion is even more important. The old 60 day window is gone
Payment Card Data Theft: Tips For Small Business
- An article at DarkReading.com by Chris Nutt, Director of Incident Response and Malware at Mandiant, on steps small businesses can take to avoid being the next credit card breach
- Things to consider when processing credit cards via a computer:
- Does the company browse the Internet or read email on the computer used for credit card processing?
- Is unencrypted card data transmitted through any exposed cables or over the internal network?
- Is the card-processing software configured correctly and up-to-date?
- Is the computer’s operating system up to date? Has it been hardened?
- Is the computer running antivirus and is it up-to-date?
- Does the company outsource IT management and is there a remote management port open to the Internet?
- Small businesses often have an advantage in this area: it is easier to upgrade software when there is only a single system involved, not a complex back office system with multiple servers
- Some Recommendations
- Use a dedicated LAN (or VLAN) or use a cellular connection instead of running the payment system on the same LAN or WiFi that is used for regular business and/or used by customers
- “Do not maintain a Payment Card Industry (PCI) environment or maintain the smallest PCI environment possible”
- Instead, use a PCI compliant reader like Stripe or Square, data should be encrypted and sent directly to the payment processor, never stored on a device
- Never store credit card details. A service like Stripe will give you a unique token that can be used for rebilling, refunds etc., without requiring you to store the original card details
- “Do not outsource the maintenance of POS devices to a company that will directly access remote management ports over the Internet.”
- “Protect the physical security of all systems that store, process, or transmit cardholder information. All security is lost if an attacker can alter or replace your equipment”
- “Do not allow systems in your PCI environment to connect to the Internet, aside from the connections required to process card transactions or patch the system”
- “Do not allow systems in your PCI environment to connect to any systems on your network that are not necessary for processing card transactions or patching”
- Some possibly bad advice from the article: use a mobile device or a tablet, as they are more secure than a desktop
- Where possible, offload the processing to a provider, it might be slightly more expensive, but it moves most of the risk to the provider, rather than you
Government Accountability Office report shows shortcomings in incident response procedures
- GAO Report: Agencies Need to Improve Cyber Incident Response Practices
- “Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases”
- “For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken.”
- “agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents government-wide. However, agencies did not demonstrate such actions for about 25 percent of incidents government-wide.”
- “for about 77 percent of incidents government-wide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents”
- “agencies returned their systems to an operationally ready state for about 81 percent of incidents government-wide. However, they had not consistently documented remedial actions on whether they had taken steps to prevent an incident from reoccurring. Specifically, agencies did not demonstrate that they had acted to prevent an incident from reoccurring in about 49 percent of incidents government-wide.”
- “In another incident, an agency received a report from US-CERT indicating that login credentials at two of the agency’s components may have been compromised. When contacting the impacted components, agency incident handlers mistyped the potentially compromised credentials for one component and did not respond to an e-mail from the component requesting clarification, and failed to follow up with the second component when it did not respond to the initial alert. Despite these errors, the incident handlers closed the incident without taking further action.”
- “In a malware incident, sensors on an agency’s network recorded an agency computer contacting an external domain known to host malicious files, and downloading a suspicious file. Incident handlers closed the ticket without recording any actions taken to contain or otherwise remediate the potential malware infection”
- The GAO used NIST Special Publication 800-61: Computer Security Incident Handling Guide as a reference
- FireEye, makers of an enterprise security real-time threat protection platform, had some reactions to these findings:
- “Anything less than 100% containment is essentially 0% containment”. “If a government agency fails to completely contain an intrusion, any gaps leave the adversary freedom of maneuver. He can exploit the containment failure to proliferate to other systems and remain in control of an organization’s systems.“
- “If an adversary retains access to even one system, he can rebuild his position and retake control of the victim”
- “If a victim fails to make the environment tougher for the adversary, the intruder will likely return using the same techniques that he utilized to first gain access.” Victims need to learn from intrusions and implement remediation
- It is not clear from the report, but if a machine is compromised, it should be reformatted, rather than merely ‘cleaned’. In light of recent reports about persistent malware, the BIOS should also be flashed before the fresh OS is reinstalled.
Feedback:
- Meet the Online Tracking Device That is Virtually Impossible to Block
- Why is the ksoftirqd/0 process using all of my CPU?
- In the kernel command line (/etc/grub.conf), add “nohz=off” (CentOS Forum)
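As an added example (not from the show notes or the forum thread), the script below checks whether the `nohz=off` workaround is active on the running kernel, shows how a legacy GRUB kernel line would be amended idempotently, and lists the CPU time each ksoftirqd thread has consumed. It assumes the legacy GRUB `/etc/grub.conf` layout named in the answer; the example kernel line is constructed.

```shell
# Added example (not from the show notes): check whether the nohz=off
# workaround is active and show how the GRUB kernel line would be amended.
# Assumes a legacy GRUB /etc/grub.conf layout ("kernel /vmlinuz... options"),
# as in the CentOS forum answer; GRUB2 systems put the option in
# GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the config instead.

# Return 0 if the boot parameter ($2) is present on the command line ($1).
# Whole-word, fixed-string match so "nohz=off" does not match "nohz_full=".
has_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# Print the kernel line with the parameter appended only if it is missing
# (idempotent, so re-running never duplicates the option).
add_param() {
    if has_param "$1" "$2"; then
        printf '%s\n' "$1"
    else
        printf '%s %s\n' "$1" "$2"
    fi
}

# Report CPU time in clock ticks for each ksoftirqd kernel thread, taken
# from /proc/<pid>/stat fields 14 (utime) and 15 (stime).
ksoftirqd_ticks() {
    for stat in /proc/[0-9]*/stat; do
        [ -r "$stat" ] || continue
        # comm is field 2, wrapped in parentheses, e.g. "(ksoftirqd/0)"
        case "$(cut -d' ' -f2 "$stat" 2>/dev/null)" in
            "(ksoftirqd/"*)
                awk '{printf "%s %s utime=%s stime=%s\n", $1, $2, $14, $15}' "$stat"
                ;;
        esac
    done
}

# Live check of the running system (skipped when /proc is unavailable).
if [ -r /proc/cmdline ]; then
    cmdline=$(cat /proc/cmdline)
    if has_param "$cmdline" nohz=off; then
        echo "nohz=off is active on the running kernel"
    else
        echo "nohz=off is NOT active; a legacy GRUB kernel line would become:"
        # constructed sample kernel line, not this machine's real one
        add_param "kernel /vmlinuz-example ro root=/dev/sda1 quiet" nohz=off
    fi
    ksoftirqd_ticks
fi
```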
Round Up:
- Tails live OS affected by critical zero-day vulnerabilities
- European Central Bank hacked, only finds out after attacker demands ransom. Stolen: database of 20,000 email addresses of people who had registered for ECB conferences, visits and other events
- WSJ website hacked, data offered for sale for 1 bitcoin
- Google announces Project Zero, to “hunt down security vulnerabilities in every popular piece of software that touches the internet”
- Tor Project working to fix weakness that can unmask anonymous users
- New IE vulnerabilities up over 100% since 2013
- How Hackers Hid a Money-Mining Botnet in Amazon’s Cloud
- Researcher finds hidden way to access plain-text version of encrypted data on iOS devices
- Chromium Switching to BoringSSL.
- Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices
- The Open Source Responsible Disclosure Framework
- How your profile picture can be used against you
- Posh-SSH – Open Source PowerShell module for SSH, SFTP, SCP
- What the feds really know about you
- Australian deals website waits 3 years to tell customers and the privacy commissioner. Told police, banks and credit card companies immediately. Only told customers now because “technological advances” mean the old hashes are now easier to crack
- NY Metro Card Terminal still runs Windows NT 4.03
- Sony to pay up to $17.75 million in 2011 PSN hacking settlement