Broken Windows (in 0.51 seconds)
As you know, we are always banging on about patching – we have to be because it seems that all software and especially old software (like SSL) is riddled with holes big and small.
This week we waited with baited breath for the latest eye watering SSL bug to follow FREAK, Poodle and HeartBleed only to be slightly disappointed by the fact that ClientHello (CVE-2015-0291) not only has a dull name but is simply a Denial Of Service risk, yawn.
We were actually contemplating an unsatisfactory (but withering) review of this week’s news that the Government recommends employers to remove smart devices from employees to avoid data leakage (really?) and to enforce always on VPN like our very own NetSure360° Mobile, or indeed the forthcoming Google VPN to be embedded in Android, no coincidence we are sure.
Then over the horizon came our saviour, the news from the Pwn2Own hacking contest (run by the HP Zero Day Initiative and Google’s Project Zero) at the CanSecWest show in Vancouver that the competitors had broken (or b0rk3d, if you are trying to be like them) numerous pieces of software to run arbitrary code, with admin privileges on patched Windows machines in as little as 0.51 seconds…..
The fastest compromise was an escalation of Firefox to in turn exploit a windows issue, enabling remote code execution and privilege execution. It does have to be said that the ‘security researcher’ concerned, Mariusz Mlynski is a well-known pain in the backside for the Firefox browser and repeatedly uses it to compromise Windows systems.
Additional and equally scary exploits were successful against, wait for it, bet you can’t guess, ok its the Adobe product suite including reader and flash.
If you want to see the XXX rated action take a look at the YouTube summary of day one of the show here: https://www.youtube.com/watch?v=X2Ssw2sLUHI
Successful hacks pay good money at these tournaments. Mr Mlynski took home $55,000 and nearly $400,000 was won on the first day. Full details of the exploits are passed to the vendors for patching before release to the general public.
What should be of concern to our Enterprise customers is the sheer volume of these ‘zero day’ vulnerabilities that must be floating around if this many can be exhibited in one day by a small number of hacking groups, sorry security researchers. Combine this with the increasing interest of organised crime and you have a situation where targeted malware is inevitable and is very much on the rise – See IBM’s X-Force 2014/15 report: http://securityintelligence.com/events/2014-year-review-designer-vulns-made-order-malware/
In order to combat these very real threats, you need to invest in joined up technology to give you the best shot at detecting infiltration and exfiltration of data and be vigilant 24×7 across your entire estate, including mobile devices.
You also need to build a playbook of potential scenarios and test it regularly, build it into your business continuity process because we are sure that it s a matter of WHEN, not IF.
ITC has years of experience of dealing with intrusion and all aspects of information security at the coalface. Our NetSure360° managed Security Service is a state of the art, joined up platform and is supported by our consultants who plan for and deal with security incidents, day in, day out.
If you would like to know more about our services and capabilities, contact us on: [email protected]