Tag Archives: Oracle

Security News for the Week Ending September 18, 2020

Is TikTok is Going to Sell to Oracle. Maybe

Well sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. None the less, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat and the same for TikTok, but on November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced the the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two factor codes sent via text message (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

Denial of service attacks are a brute force attack that aims to hurt a business by stopping a company’s customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) are up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and forked up the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack according to a paper to be presented at the Usenix Security Symposium.  This would allow an attacker to recover the encryption nonce which then would allow an attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core- and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non- virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments. Source: Computing.Co .

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  None the less, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given his account was hacked before, why didn’t HE change to a more secure second factor immediately weakens his case.

Stay tuned.  Source: The Register .

Friday News for May 4, 2018

U.K.’s High Court Gives the U.K. Gov 6 Months to Fix Law

Privacy in the U.K. is a bit of wishful thinking.  Besides having the most public surveillance cameras in the world (Wikipedia says there is one camera for every 14 people in the country), the government has attempted to kill privacy in other ways.  The courts have struck down the now expired Data Retention and Investigatory Powers Act (DRIPA), but, until now, has not ruled on the replacement law for it affectionately known as the Snooper’s Charter.  Now the U.K. High Court has said that law is incompatible with the EU Charter of Fundamental Rights.  The government asked for a year to come up with a way around this ruling, possibly by creating a new law, but possibly not.  The government is suggesting that they are only keeping data for serious crimes by redefining a serious crime as any crime where it is POSSIBLE that the person, if convicted, COULD be sentenced to 6 months in jail.  That might include repeated jay-walking.    The court said you have 6 months to fix the law or the court will consider your inaction a serious crime.  Meanwhile, more challenges to the Snooper’s Charter are being filed (Source: The Register).

Why Did Atlanta Spend $5M Instead of Paying $50k in Ransom?

Atlanta was hit by a ransomware attack last month that knocked the city pretty much into the 1940s, technology wise.  The Attacker asked for $50,000 in ransom to unlock the files, but instead, the city chose not to pay and has reportedly spent $5M recovering from the attack – so far.  In fairness, the city likely did things after the attack that they should have done 5 years ago, but it is money they would not have spent if were not for the attack.

Fast forward to last week.  The school district of Leominster, MA, northwest of Boston, was hit by a ransomware attack.  While the details are sketchy, the distict says they had no choice other than to pay the ransom.  I guess this means that they didn’t have backups of systems, didn’t have a disaster recovery plan, didn’t have an incident response plan and didn’t have a business continuity plan.    I wish this was unusual, but it is not.  The population of Leominster is 41,000.  Attackers are targeting municipalities and even states (the Colorado Department of Transportation was down for the count for at least a week or two after an attack) because they know that, compared to private industry, the public sector’s cyber security posture is even worse.  Paula Deacon, the Leominster Schools Superintendent said “we paid the ransom through a bitcoin system and are now awaiting to be fully restored”.  They, apparently, paid the ransom last week and are still waiting.  I have a bad feeling about this.  Usually, if the files are going to be unlocked, it happens right away (Source:  CBS Boston).

Google to Shut Down Google Link Shortener Goo.Gl

Unlike some of the Google services that they have abandoned in the past, this one is going to be gracefully shut down but as of this month, the wind down is starting.  Google says that it is used too much by scammers trying to hid malicious links using their shortener.  They also say that you can use their competitor Bit.ly if you still need a link shortener.  But for users, this is just a reminder that clicking on any link shortener is a bit like playing Russian Roulette – you have no idea whether the link you are clicking on is malicious or not (Source: Google Blog).

“Massive” Flaw in Schneider Electric SCADA Control Software Gives Hackers Full Control Over Critical Infrastructure

“Full control” is the hacker’s nirvana and the IT team’s worst nightmare.  In this case, the software controls oil and gas production, water plants, manufacturing and similar facilities and, with full control, the hackers could do anything from shutting it down to, possibly, with enough motivation, blowing it up.  There are caveats, but still, it is scary.  Given the FBI warning last month about state sponsored hacking of critical infrastructure, this is concerning.  And, I bet, there are hundreds or thousands of Schneider installations that have not been and will not be patched (Source: Tech Republic).

Maybe Waiting to Deploy Patches Isn’t a Good Idea

Companies often wait a couple of weeks up to a month before deploying new patches as patches sometimes break things and waiting is good way to make sure that they break someone else’s system, but that strategy does have some flaws.

According to the SANS Institute, they were hacked within hours of making the honeypot server live.  They say that hackers started going after the Oracle Weblogic bugs immediately after it was announced on April 18th.

SANS says patch fast or plan to recover.

You wait at your own peril (Source: The Register).

The Point of Sale (POS) Breaches Continue

So far this week (and it is only Monday), we have two POS breaches in the news.

HEI Hotels and Resorts, which manages almost 60 hotels for Starwood, Hilton, Marriott and other chains announced that 20 of their locations, covering all of their brands, had suffered breaches.

While they have not said how many cards may have been compromised, they have said that the data that was compromised included name, account number, expiration date and verification code.

HEI said that they thought that the data was accessed in real time because they do not store the data.  They also said that they were unable to contact people who’s cards were likely breached since they do not collect or maintain enough information to do this.  This raises some important points.

These statements would seem to indicate that they outsource the processing of payments.  If so, that points to the fact that even if you outsource credit card processing, you are still the one who has to face the music in case of a breach.

It also indicates that they are likely not using chip based credit card readers because if they were, the data would not exist in an unencrypted state except inside the card reader itself, which does not appear to be where the breach occurred.  One more time where a chip based solution might have stopped a breach in its tracks.

The breach lasted a long time – from March 2015 to June 2016 – about 15 months.  It is not clear why the malware was not detected for so long.

In the second breach of the week, Oracle acknowledged a breach affecting their Micros POS software.

Apparently, the breach is large enough that VISA issued an alert to merchants, which they usually don’t do.

Visa said that hackers broke in to hundreds of servers at Oracle and had “completely compromised” Oracle’s support portal.

Micros, according to Oracle, is installed at over 300,000 locations, including 200,000 food and beverage locations, 100,000 retail locations and 30,000 hotels.

With millions of cards used at these locations per week, this could be a major breach.

Oracle is being very tight lipped about this breach – whether that is because they do not understand the scope of the breach and don’t want to make incorrect statements or because Larry Ellison knows he is about to be hit with multiple lawsuits, is unclear.

Oracle told customers to change their passwords and to change any passwords used by Oracle staff to access their systems and not much else.  That would suggest that hackers, in hacking the Oracle servers, got credentials that would allow them to access their customers’ systems.

Some of Oracle’s customers are saying that by not sharing information, Oracle is making it harder for them to clean up Oracle’s mess – all fodder for the inevitable lawsuits.

Brian is also saying that it is possible that Oracle was breached by more than one Eastern European (read this as Russian) crime group or at least more than one is dividing the spoils.  If in fact, there are 300,000 plus locations hacked and people will eventually change passwords, the hackers have to work fast in order to install other back doors and extract data.

It appears that the customer network and Oracle’s internal network were on the same network segment, but that network was split.  Somehow, sources say, that facilitated the breach.  They do not say how.

And here is the killer.

In mid July, Oracle told employees in the hospitality division that they had to wipe their computers WITHOUT BACKING ANYTHING UP.  The computers were then reimaged with a clean operating system.

This means that employees lost implementation plans and schedules and software that was going to be deployed.  The source said that this has cost Oracle billions of dollars – however that seems like a lot of money.  Still, I am sure that did cost Oracle a bunch.

Oracle did not tell employees that the reason that they had to wipe their computers was because the company had been breached.

I am sure that more details will emerge, even if Oracle does not want them to.

What this does point out is that companies need to have an active and aggressive vendor risk management program.  In both of these cases, the problem stemmed from vendors.  The restaurants, bars, hotels and retail stores were counting on their vendors to protect them.  While it is possible that there are clauses in the customer’s contracts with Oracle in which Oracle agrees to indemnify and reimburse the stores and restaurants for all costs associated with the breach, but knowing Oracle, it probably says that they aren’t responsible for anything.  We shall see how this turns out in court – but that is years from now.

In both of these examples, these businesses are going to have very unhappy customers and not because they did something wrong, but rather because one of their vendors did something wrong.

Vendor risk management programs are effective at reducing risk associated with outsourcing.  If you don’t have a program, you should create one now.  If you do have one, you should review it for completeness.

Information on the HEI Hotels breach came from CSO Online.

Information on the Oracle breach came from Krebs on Security.

Maybe Oracle Doesn’t Like Other People To Find Security Holes

Oracle has a love-hate relationship with security researchers.  Actually, mostly hate.  Given that Oracle finds enough of it’s own bugs – it released 193 patches in it’s July patch fest – maybe it doesn’t want people to find any more bugs.

This all started when Oracle Chief Security Officer Mary Ann Davidson wrote a rather long winded rant on her company blog saying that people should stop reverse engineering Oracle’s code because it is a violation of the license agreement and you never find anything worth while – just waste our time.

While the company has axed her blog post, the Internet never forgets, so her post is still available on the Internet Archive.

While she does make some good points, the bad will from the tone of the post way over shadows it.

What she could have said in a lot less words is:

1. The first thing you should do is make sure that the software is configured in the most secure manner reasonable for what your business needs to do.

2. Make sure that you are running the current release and have installed all the patches (it is amazing how many Oracle customers fail this test).

3. Use the tools that Oracle provides to make sure you are not missing any secure configuration issues.

4.  Don’t bother to run a static or dynamic code analyzer against our software because 99+% of what they will report are false positives and it takes way too much time to sort out the 1 potentially valid issue out of the 1,000 false ones.

And a note to Ms. Davidson: don’t worry about the reverse engineering of Oracle’s code that some analysis tools do because it is a violation of the license agreement.  Anyone who wants to steal your code will ignore the license agreement anyway, so what good do you do by beating up the customers that pay your salary?

She also said that Oracle would not give credit to researchers who find security holes.  What that statement does is cause researchers to publish exploits first.  As an example, we see a lot of that at BlackHat and Usenix Security for just that reason.  The media will give them credit.  Then Oracle has to figure out how to do damage control.  Not a great move.

There.  I think I did that in a lot less words and likely annoyed a whole lot less Oracle customers in the process.

Hopefully, someone took Ms. Davidson to the break room and explained corporate branding 101 to her.  If not, the media certainly has.

That being said, as you consider a vendor, covertly assessing that vendor’s posture with respect to security researchers might be useful.  The good vendors embrace the reputable researchers because they often find stuff that the vendors don’t find and you don’t have to pay them.  Even if you have a bug bounty program, you only pay them if they find something you have not found.  More, it is about attitude.

Information for this post came from Wired.

It’s Patch Day

Yesterday was Patch Tuesday.  Microsoft had 14 bulletins, 5 of which they deemed critical, covering 59 vulnerabilities.

Oracle released patches covering 193 vulnerabilities, including 25 Java patches, one of which is already being exploited in the wild.    44 of these vulnerabilities came from third party components.  Of the 25 Java vulnerabilities fixed, 23 of them can be exploited remotely without authentication.

One of the Microsoft patches, MS15-077, fixes a zero day in the Windows Adobe Type Manager Font Driver, for which there was a proof of concept disclosed in the Hacking Team data dump.  This is a very speedy response time for Microsoft.  The bug affects Windows Server 2003, 2008 and 2012, all desktop OSs since Windows Vista and Windows RT.  It would allow hackers to install programs, view, change or delete data and create new accounts – in other words, do pretty much anything the hacker might ever want to do.

Microsoft released 28 patches for Internet Explorer, 20 of which are critical and one of which, CVE-201-2045, fixes another zero day flaw exposed in the Hacking Team dump.

Adobe released patches for two more zero day exploits that were exposed by the Hacking Team data dump and which I wrote about the other day.  Those were the ones that caused Mozilla to completely block Flash inside Firefox.

Given all this data, let’s ponder a few things:

  • Thank you Hacking Team for getting hacked – there are a number of things that got cleaned up as a result
  • Vendors – Microsoft and Adobe in this case – can move VERY quickly when their tush is on fire because someone released exploits of their systems with “easy to follow instructions” on how to use them
  • Third party – i.e. the software supply chain – affected 44 of the patches that Oracle released.  Software supply chain is a killer.
  • But the most important issue here is that this week a couple of vendors released patches covering almost 300 bugs. How on earth is a user or company supposed to absorb that many patches, figure out where the affected systems live, test the patches to make sure they don’t break anything and get them deployed to the users in a timely fashion?  
  • And, don’t forget, this is just three vendors of maybe hundreds that are used by any one organization.

Software governance, part of the overall corporate governance, risk and compliance (GRC) activity, is a challenge for companies, both big and small.  Big companies are challenged because they have so many devices scattered to the winds.  Small companies are challenged because they don’t have the resources and expertise to analyze and deploy the patches.

And, as more and more things contain software – you may remember that the Maytag repairman (actually Whirlpool) had to patch my dishwasher last week in order to complete an unrelated service call, this is not likely to get any better any time soon.

In fact, the bigger question is this – if we found and patched 300 bugs this week, how many more are out there unpatched and exploited – either accidentally or on purpose?

Information for this post came from Tech Target and Computerworld.