The Heartbleed vulnerability in OpenSSL dominated all phases of the intelligence cycle again this week. Cloudflare, with some outside help, settled the question of whether the vulnerability threatens the Public Key Infrastructure components—it does. The Heartbleed Bug Health Report and Sucuri each provided some good news with metrics on how large the attack surface is (less than 5% of the Internet) and on the attacks observed. Mashable has a superb page to help determine whether or not you should change your password for your favorite sites. Oracle released their quarterly Critical Patch Update addressing 37 vulnerabilities in Java among a total of 104 across their products. DLR, the German Space Center, and digital storage company LaCie led the more significant new data breaches reported. Brian Krebs added to the intelligence on the Michaels Stores data breach, following up his report from January.
What was supposed to be remembered as the week that XPocalypse officially began will now be known as the week that the OpenSSL Heartbleed vulnerability (CVE-2014-0160) brought headaches to just about everyone in ICT. For the uninitiated, OpenSSL contains a vulnerability which allows an attacker to steal 64KB of plaintext memory from a vulnerable application. The Verizon Cyber Intelligence Center (VCIC) notified customers of this vulnerability on Wednesday and provided them with recommendations for handling the issue. In other vulnerability news that might have faded into the background this week, Microsoft released four security bulletins and officially ended support for Windows XP, Adobe released a security bulletin for Flash Player, and a new version of WordPress is available. Websense, Mandiant and Symantec all released their yearly threat reports, and Anonymous and its affinity groups tried to erase Israel from the Internet again. They did not succeed.
The Korean National Police Agency arrested four persons involved in the data breach of the Naver portal and the compromise of 25 million user accounts. A US regulator for financial institutions issued an advisory warning that hackers were trying to access smaller banks’ systems to raise the withdrawal limits on ATM cards. Targeted attacks reported this week include: Stop Malvertizing’s report of the targeting of abuse teams; F-Secure’s report of malicious PDF files using the crisis in the Ukraine as lures; and IntelCrawler’s report of malicious ZIP files with spoofed contents appearing to be harmless resumes or fax images but containing malware aimed at strategic geopolitical targets. Microsoft announced four bulletins for April’s Patch Tuesday, including a fix for the MS Word vulnerability they reported two weeks ago. A team of researchers has found RSA’s BSAFE was weakened by an extension co-written at the request of the NSA. On a related note, ESET’s Stephen Cobb assessed a recent Harris poll on the impact the NSA’s surveillance activities have on user trust.
On Monday, Microsoft released Security Advisory 2953095 announcing attacks on a previously unknown vulnerability in Word 2010 that also affects Outlook. Microsoft reported “limited, targeted attacks.” The Security Research and Defense blog has the details. Both EMET and a Fix-it mitigate the risk. Symantec’s report on Ploutus ATM malware stirred up some excitement: “Hackers text ATMs for cash via Windows XP flaws.” But Larry Seltzer let the air out of that balloon in eight paragraphs: “Robbing ATMs by SMS: Not in the real world.” Cisco released their semi-annual IOS update with five advisories. Our e-readers took on six high-quality reports: the RAND Corporation released “Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar.” The US Senate released the staff report: “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach.” IntelCrawler published: “Syrian Electronic Army - Hacktivism to Cyber Espionage?” Incapsula and NSFocus each released reports on the DDoS environment: “2013-2014 DDoS Threat Landscape Report,” and, “DDoS Threat Report 2013,” respectively. And NTT Communications released: “2014 Global Threat Intelligence Report.” This week’s good news: the FBI arrested thirteen in the Chicago area and two in Bulgaria who are alleged to be behind a money laundering and ATM skimming operation.
Our team is going through the process of examining potential changes to the VERIS schema that we use to encode security incidents. As changes are accepted we have to make changes to the enumerations and in some cases the schema itself. It is really important that the schema documentation accurately reflects what we actually want from our VERIS incidents. And so we need to test the documentation.
Imagine that you're weighing an object on a scale. The scale says that the object weighs 92 kilograms. How do you know that it really weighs 92 kilograms? How do you know that the scale isn't lying to you? The answer is calibration. We calibrate the scale regularly by weighing known objects and making sure that the output from the scale gives us the right value. That is essentially what we're doing with the schema tests we're writing. We create an incident which should fail or pass validation and then make sure that it really does.
Test driven development
TDD is a software development methodology that goes a bit farther than just throwing tests at your classes, functions, or in this case, schema. In a TDD environment, the software is developed in response to the test rather than doing it the other way around.
The VERIS schema is being updated to use the features available in IETF Draft 4 of the JSON Schema specification. We're also trying to make use of features that were available in Draft 3 but that we weren't taking advantage of. For example, where an array is present in the schema, we can specify that it must have at least one item in it. That way an empty array will not be valid.
Walk through a test cycle
One thing we want to avoid is having an automated process or script accidentally put fields in the wrong place. We have a list of properties that are valid in the root of a VERIS json object, such as actor, action, discovery_method, etc. If a VERIS object is created that has an additional field (property) in the root, we want for that to fail validation.
Ordinarily, we might go right to the schema and add some logic to reject json objects that have additional properties. The Draft 4 schema has a boolean called ``additionalProperties'' which you can use for that. But in TDD, we are going to start by writing a failing test.
Here we have a VERIS json object that has a new property called ``test'' and the value ``test string''. This VERIS object is part of the ``incident'' field of a larger json object which also has a field called ``should'' and a field called ``message.''
The Python test (written using nose) will try to validate the ``incident'' field and catch whether it passes or fails. Then it checks whether the object should have failed validation. If the validation script came to the wrong conclusion, then the test has failed.
At this point we haven't put any logic into the JSON schema to deal with this type of failure, so when we run the test the JSON object is found to be valid even though our test dictates that it should have been invalid. The test has failed.
Now that we have a failing test, we can write some code to make that test pass. In this case, we will add the ``additionalProperties'' option to the schema so that having additional properties is no longer allowed.
Now when we run our tests, they pass. We have successfully implemented this feature. And by having a detailed set of tests we can be more confident that the changes we make to the schema are not breaking other functionality.
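The test cycle just walked through, as an added example that is not the VERIS project's own code or schema. It uses a constructed, simplified VERIS-like schema with only a handful of root properties, a hand-rolled validator covering the Draft 4 keywords the post mentions (properties, required, additionalProperties, items, minItems) so that it runs with no third-party dependency (the real tests presumably use a JSON Schema library such as jsonschema; that is an assumption), and the ``incident / should / message'' test-case shape described above. The function names, the sample discovery_method values and the test-case messages are all assumptions. Running the same cases against the schema before and after adding ``additionalProperties'' shows the failing test first, then the pass; the minItems case also covers the empty-array point from the Draft 3 discussion.

```python
"""Hypothetical TDD walk-through for a VERIS-like JSON schema (not the real VERIS schema)."""
import copy

# Constructed, simplified VERIS-like schema: only a few root properties.
SCHEMA_BEFORE = {
    "type": "object",
    "properties": {
        "actor": {"type": "object"},
        "action": {"type": "object"},
        "discovery_method": {"type": "string"},
        # An array that must not be empty (Draft 3/4 minItems).
        "security_compromise_indicators": {
            "type": "array", "minItems": 1, "items": {"type": "string"}},
    },
    "required": ["actor", "action", "discovery_method"],
}

# "After" state: the one-line schema change the post makes to satisfy the test.
SCHEMA_AFTER = copy.deepcopy(SCHEMA_BEFORE)
SCHEMA_AFTER["additionalProperties"] = False

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "number": (int, float), "boolean": bool}


def validate(instance, schema):
    """Return a list of error strings; an empty list means the instance is valid.
    Hand-rolled subset of Draft 4 (assumption: the real tests use a library)."""
    errors = []
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(instance, _TYPES[expected])
        if expected in ("integer", "number") and isinstance(instance, bool):
            ok = False  # bool is an int subclass in Python; JSON says otherwise
        if not ok:
            return ["expected %s, got %s" % (expected, type(instance).__name__)]
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append("missing required property '%s'" % name)
        for name, value in instance.items():
            if name in props:
                errors.extend("%s: %s" % (name, e) for e in validate(value, props[name]))
            elif schema.get("additionalProperties", True) is False:
                errors.append("additional property '%s' not allowed" % name)
    if isinstance(instance, list):
        min_items = schema.get("minItems", 0)
        if len(instance) < min_items:
            errors.append("array has %d items, minimum is %d" % (len(instance), min_items))
        item_schema = schema.get("items")
        if item_schema:
            for i, item in enumerate(instance):
                errors.extend("[%d]: %s" % (i, e) for e in validate(item, item_schema))
    return errors


# Constructed test cases in the incident / should / message shape from the post.
TEST_CASES = [
    {"incident": {"actor": {}, "action": {}, "discovery_method": "Ext - customer"},
     "should": "pass", "message": "minimal well-formed incident"},
    {"incident": {"actor": {}, "action": {}, "discovery_method": "Ext - customer",
                  "test": "test string"},
     "should": "fail", "message": "unknown root property must be rejected"},
    {"incident": {"actor": {}, "action": {}},
     "should": "fail", "message": "discovery_method is required"},
    {"incident": {"actor": {}, "action": {}, "discovery_method": "Int - audit",
                  "security_compromise_indicators": []},
     "should": "fail", "message": "empty array must be rejected"},
]


def check_case(schema, case):
    """True when the validator's verdict matches what the case says it should be."""
    is_valid = not validate(case["incident"], schema)
    return is_valid == (case["should"] == "pass")


def failing_tests(schema, cases=TEST_CASES):
    """Messages of the cases whose verdict was wrong (empty list: all tests pass)."""
    return [c["message"] for c in cases if not check_case(schema, c)]


def test_schema():
    """nose generator test: each case becomes its own check against SCHEMA_AFTER."""
    for case in TEST_CASES:
        yield check_case, SCHEMA_AFTER, case


if __name__ == "__main__":
    print("before additionalProperties:", failing_tests(SCHEMA_BEFORE))
    print("after additionalProperties: ", failing_tests(SCHEMA_AFTER))
```

Against SCHEMA_BEFORE only the ``test string'' case fails, which is the red step; against SCHEMA_AFTER every case passes, which is the green step. The empty-array case fails validation in both states because minItems was already in place.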
ESET’s report on Operation Windigo is the best open source intelligence we’ve collected this week. The group behind Windigo is responsible for compromising around 25,000 Linux-running servers over the past two years. The whitepaper is a must-read but the indicators of compromise released alongside the report are what make it this week’s best intel. Brian Krebs had another busy week. Krebs continued his series of reports on ColdFusion compromises as the Guardian reported that one of Citroen’s websites fell victim to the same group behind those attacks. As for the group itself, Symantec calls it the Cyclosa gang and published a report identifying the individuals responsible for the ColdFusion attacks and for running the SSNDOB site where the stolen data is sold. Apparently Hollywood is interested in pursuing a movie about Krebs’ work. The Russian mafia, outing cybercriminals and exposing massive data breaches, what’s not to like? Order us a soda and some popcorn please.
We nearly made it. Crashing after the adrenalin-rush of RSA week, intel seemed to be drying up. Justin Bieber’s Twitter getting hacked was almost the most significant event in InfoSec risk this week. Almost. But careful examination of this week’s bulletins from Microsoft popped that bubble. There have been surprise attacks using another previously unreported vulnerability in Internet Explorer. This is other than the one (CVE-2013-0322) announced in the February Security Advisory about targeted attacks on IE 9 and 10. CVE-2013-0324 is the new attack. Symantec has a little more information including they believe it was used in a watering hole attack and the exploit works on IE 8. Arbor, AlienVault and McAfee all updated our intelligence on point of sale malware and attacks. In the body of last week’s intelligence summary we included Trend Micro’s report of the “Siesta Campaign,” and this week, Mandiant/FireEye expanded our collections and probably connected it to the infamous APT1 actor.
Good news, defenders! Microsoft announced it will patch the Internet Explorer zero-day currently being targeted in a limited number of attacks as part of March’s Patch Tuesday. The update will be released alongside four other bulletins that will plug holes in Silverlight and Windows. Bad news if you’re a customer of Flexcoin and/or Poloniex. Both companies admitted to suffering breaches that saw hackers walk off with $600,000 and $50,000 respectively. BitStamp also copped to a breach but claimed the only thing compromised was its customer mailing list. Brian Krebs continued his coverage of retailer breaches by reporting on separate incidents involving the Smucker’s online store, Sally Beauty Supply and Chicago taxicabs. Researchers from Team Cymru published a report on a massive campaign being waged by hackers to compromise home routers and alter their DNS settings. Team Cymru suspects this attack impacts at least 300,000 systems throughout Europe and Asia. Your chuckle of the week comes via AnonGhost, which defaced a site belonging to UK-based Yorkshire Bank. It turns out the defaced site isn’t operated by Yorkshire Bank at all and is likely a phishing page to lure unsuspecting bank customers. Looks like AnonGhost can add brand monitoring to its resume.
This week, we collected intelligence from IntelCrawler of mobile malware targeting Middle Eastern bank clients. Also targeting the Middle East, from Symantec and Fidelis respectively, a new Java RAT and SSTEAM targeted attacks on energy and government sectors. Symantec also reported malware exploiting the most recent vulnerability in IE 10 has evolved from targeted to widespread attacks. For situational awareness, the cream of the reports released this week includes: FireEye’s 2014 Annual, Dell SecureWorks’ Cryptocurrency-stealing Malware Landscape, both Kaspersky’s and Symantec’s reports on Mobile Malware, and BAE/Detica’s “Business and the Cyber Threat: The rise of Digital Criminality.” Apple has been excoriated in tech media and the security blogosphere over a bug in the SSL implementation in both iPhones and Macs. Our colleague Bruce Schneier is perhaps the most high-profile security expert to ponder whether the NSA is responsible. For a bug. Also tickling the hype-meter: the “Chameleon” Wi-Fi access point virus. The one made public in a university research paper published last October; the one that is not, and never has been, in the wild; the one that only affects access points with security settings essentially turned off, not the way they almost always come out of the box.
Last week it was zero-day attacks using a vulnerability in Internet Explorer (CVE-2014-0322) that were making headlines. This week it’s a new vulnerability in Flash Player that’s getting all the attention. Researchers from FireEye discovered a strategic web compromise of two non-profit organizations’ websites being used to exploit this new vulnerability in Flash Player (CVE-2014-0502). Luckily Adobe is already pushing a patch to plug this hole. As for the Internet Explorer vulnerability from last week, Microsoft finally issued a security advisory confirming IE 9 and 10 are affected and providing a temporary Fix-it. No word yet on when a permanent patch will be made available. Noteworthy vulnerabilities and targeted attacks weren’t the only things grabbing headlines this week. The University of Maryland announced it got popped for data on 300,000 people, Kickstarter reported hackers stole e-mail addresses and encrypted passwords belonging to its users, and Bank of the West notified former career prospects that attackers may have stolen their personal information. After getting pwned by the Syrian Electronic Army last week, Forbes decided to publish an after-action report on what went wrong. Kudos to Forbes for its transparency; the RISK Team hopes this trend continues in the future.