Insecure Security Appliances…
You want to secure your networks and systems, so you deploy solutions from well known vendors. Are those security appliances themselves secure? Not always, says researcher Ben Williams of NCC Group. In a presentation delivered at Black Hat Europe this week titled “Ironic Exploitation of Security Products,” Williams says he discovered that more than eighty percent of the solutions he tested had exploitable vulnerabilities.
“I have discovered and provided over 100 proof-of-concept exploits to various vendors over the past 12 months, and most of these have related to security appliances,” Williams stated in his session abstract. “This presentation discusses common vulnerabilities found across various appliances, and some interesting attack vectors where external attackers can exploit vulnerabilities in appliances to gain control over gateways, firewalls, email and web-filters, VPN solutions and access the internal network.”
The vulnerabilities were discovered during penetration tests Williams conducted for clients, in his product evaluations, and when he was simply mucking around in his spare time. The most prevalent issue Williams identified was the use of poorly maintained Linux systems which employed faulty web applications, according to the presentation.
One common vulnerability was the presence of cross-site request forgery bugs which could attackers could use to coax admins to errantly visit malicious websites. Williams also found flaws that would allow privilege escalation by attackers, or could present opportunities for command injections, among other noted problems.
“The interfaces of almost all tested security appliances had no protection against brute-force password cracking and had cross-site scripting flaws that allowed session hijacking. Most of them also exposed information about the product model and version to unauthenticated users, which would have made it easier for attackers to discover appliances that are known to be vulnerable,” wrote CIO.com’s Lucian Constantin of Williams’ revelations.
Other issues Williams documented include denial of service bugs, cross-site scripting flaws, authentication bypasses, SSH misconfigurations, and more. A detailed whitepaper with all of Williams analysis is available here (.pdf).
Brian Krebs Gets Swatted…
Being one of the best – if not the best information security journalist in the business – is no stroll in the park, as Brian Krebs can attest. Krebs regularly lurks in the world of international organized crime syndicates, malware developers and other cyber miscreants, where he routinely uncovers what others would prefer never come to light. His work has resulted in award-winning reports that have served to fuel the ire of online criminals.
Now some non-Krebs fans out there somewhere have taken their dislike of the very likeable journalist to a whole new level, and in a fashion Krebs himself had all but predicted several months ago. This week, Krebs was the victim of a potentially lethal form of harassment called “swatting.” Using techniques to obscure themselves and spoof Kreb’s home phone number on the caller ID systems of local police in Northern Virginia, attackers fooled authorities into conducting an armed raid on his residence, putting both Krebs and the officers who conducted the operation in jeopardy.
Krebs’ website had been targeted in a denial of service attack for several hours prior to the raid, and his website security company had alerted him of a letter asking them to suspend services that purported to be from the FBI, though it was confirmed to be a fraud. Undaunted, Krebs was preparing for a gathering with friends when he opened his front door to find several officers with weapons drawn ordering him to… well, do what cops with guns order people to do.
Krebs was briefly detained, and it was not long before the authorities determined the event was a hoax of sorts. Interestingly, Krebs had months before filed a report with local police in anticipation of just such an event.
Krebs believes the swatting, the fake FBI letter, and the attack on his website are all related to an article he published earlier this week about a website where stolen social security numbers can be purchased. In another twist, Ars Technica, which first relayed the news of Krebs’ ordeal in an article by Dan Goodin, today found themselves also the targets of a denial of service attack.
Fortunately, no one was injured during this most unfortunate incident. Krebs has detailed the events in an article at KrebsOnSecurity – it is a must read. Keep up the good work Brian, and stay safe.
Images courtesy of ShutterStock