Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Apple Java Update APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6 Update

Published: 2013-02-19
Last Updated: 2013-02-19 21:58:29 UTC
by Mark Hofman (Version: 1)
5 comment(s)

Apple has also provided an update for JAVA http://www.apple.com/support/downloads/ Update 13 addresses a number of security issues and should be applied to Apple systems sooner rather than later.  Details on what the java update fixes can be found here http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

Not sure whether this addresses the issue that has been reported in relation to the breach of apple, which according to the articles I've seen have been atributed to a java issue.

Mark H

Keywords:
5 comment(s)

EDUCAUSE Breach

Published: 2013-02-19
Last Updated: 2013-02-19 20:26:53 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Educause, the keeper of the .edu TLD, is reporting that a server used to hold user profiles was breached and data was exfiltrated. For the most part, this will not affect our readers, unless you are in charge of a .edu domain, and do have an account with EDUCAUSE as a result. You should have received an e-mail from EDUCAUSE asking you to reset your password. Evidently EDUCAUSE uses informz.net to send these notices and we had readers suggesting that they are phishing emails. Regardless: Don't click on the link in the e-mail. Go to the EDUCAUSE site and change your password if you think you may be affected.

http://www.educause.edu/sb

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: edu educause
0 comment(s)

Oracle Updates Java (Java 7 Update 15, Java 6 update 41)

Published: 2013-02-19
Last Updated: 2013-02-19 20:14:08 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

(I originally wrote "update 14", but turns out this is update 15)

Oracle released update 15 for Java 7 and update 41 for Java 6 today. I haven't seen any specific security content yet, but Oracle states that "The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0" , which is the maximum possible score and indicates remote compromisse.

Apple users: If you think you are safe, check today's news about how Apple itself got compromissed via a Java vulnerability (maybe this is why Apple was so quick in disabling the Java plugin via X-Protect).

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

once you are done patching (if you still have Java installed), head to browsercheck.qualys.com to make sure all the other plugins are up to date)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apple java oracle
0 comment(s)
Firefox 19 Release with various security fixes.

APT1, Unit 61398 and are state sponsored attacks real

Published: 2013-02-19
Last Updated: 2013-02-19 19:49:07 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

The label of "state sponsored attacks" or "advanced persistent treat" has been used and abused frequently in the last few years. Hardly ever have we seen any "hard evidence" of how these attacks happen, and who is behind it. The report by Mandiant that made the news this week is probably the best public summary of these attacks listing conclusive evidence linking the attacks to the chinese government.

Attributing cyber attacks is always very difficult. IP addresses don't really mean much as attackers frequently use chains of compromissed machines to attack the ultimate target. The Mandiant report uses additional evidence and does a very good and thorough job in tracing the attacks.

But what does it mean to you?

First of all: Read the report (the original, not the press releases and commentaries): http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf . Direct management to the video that Mandiant made.

The report also includes lots of IP addresses and other indicators that you can use to check your own networks for similar compromisses.

The attacks follow a very tried and true pattern:

  • send an e-mail to the victim.
  • the victim will click on a link or an attachment
  • an exploit will be used to compromisse the users system
  • additional software will then be used to establish a foothold and exfiltrate data

What can you do about this? 

At each step, try to see how you could possibly intercept the attack. For example conduct your own phishing exercises. With permission, register a hotmail/gmail/yahoo mail account using an executive's e-mail address. Sent an email to all employees using this from address and see how many people click. Direct them to a nice but educational page telling them how they may have been "hacked" this way, and what to look for.

This way, you gain a bit of awareness, but you also gain hard numbers on how many people in your organization would have clicked on the link. This is critical to demonstrate the size of the issue to manage to obtain resources to defend agains tthis threat. 

Next, to prevent the infection of the system. Patching still helps. Not all attackers use 0-day attacks. But more importantly, reduce the attack surface by removing unneeded software (Java, Flash, Office...) . Office may be a hard one to remove, but limit it to the pieces of the package that are actually needed. It will save you on licensing fees too.

Consider whitelisting. While not perfect, if done right, it is a lot better then anti virus.

And finally in this very brief list: Don't forget some kind of exfiltration or data leakage protection. Look for anomalies more then for signatures. The better you know what is normal on your network, the better are your chances to detect "bad stuff".

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: 61398 apt apt1 china
5 comment(s)
ISC StormCast for Tuesday, February 19th 2013 http://isc.sans.edu/podcastdetail.html?id=3133
Diary Archives