Sony Draws Global Headlines as Latest Breach Continues to Wreak Havoc

by Alex Shoykhet 18. December 2014 11:39

Wow. That is the word being used to describe the diverse ways in which the Sony breach is playing out. Hackers who have been waging a cyber war on the studio have leaked millions of documents, drawing global headlines, and unreleased films are being distributed online.

From a purely IT security perspective, the complete picture of the exact path and components involved in the Sony breach is still being unraveled and investigated. However, I did some investigating myself using various sources, including a report published by the Trend Micro team, and learned what role excess privileges may have played. Here’s what I found:

Any company that allows its users to have local administrative rights is just as exposed to the type of attack that Sony is experiencing. The specific traces I found are as follows; all of these actions require admin rights:

  • When the primary malware file diskpartmg16.exe used in the Sony attack was introduced, it granted full user rights to another file, which then carried out the following:
  • This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service.
  • After it does this, the malware sleeps for another two hours.
  • It then forces the system to reboot.

The FBI flash memo titled “#A-000044-mw” gives an overview of the malware’s behavior; it reportedly has the capability to overwrite all data on the hard drives of infected computers, including the master boot record, which prevents them from booting up.

Viewfinity Application Control mitigating activities:

  • If default deny practices were actively in use, the unclassified file diskpartmg16.exe would not be allowed to execute, because it would not be part of the whitelist profile.
  • Viewfinity supports efforts to enforce a “least privilege” operating model, which does not allow unapproved processes to operate with administrative privileges.
  • Viewfinity’s monitoring mode and forensic analysis capabilities would have identified precisely where diskpartmg16.exe originated from, be it a URL, USB, etc., and through which user it was introduced.
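As an added illustration of the default-deny, least-privilege and origin-tracking controls listed above (example code written for this post, not Viewfinity’s own product logic), the following Python models an allowlist decision engine with an enforce mode, a monitoring mode and a forensic origin log. The file contents, user names and origin labels are constructed.

```python
"""Default-deny application control with origin tracking (added example, not
Viewfinity's code). Models the controls above on constructed data: allowlist
profile with default deny, no admin rights for unapproved processes, origin log."""
import hashlib
from dataclasses import dataclass


@dataclass
class ExecRequest:
    path: str          # launch path
    content: bytes     # a real agent hashes the file on disk; constructed here
    user: str          # account that introduced the file
    origin: str        # how it arrived, e.g. "USB" or a URL (constructed labels)
    wants_admin: bool  # process asked for administrative rights


@dataclass
class Decision:
    allow: bool
    elevated: bool
    classification: str  # "trusted" (in allowlist profile) or "grey" (unclassified)
    reason: str


class AppControlPolicy:
    """mode 'enforce' blocks grey files; 'monitor' runs them unelevated and logs."""

    def __init__(self, trusted_hashes, mode="enforce"):
        self.trusted = set(trusted_hashes)
        self.mode = mode
        self.audit = []  # one record per execution attempt, for forensic lookup

    def evaluate(self, req):
        digest = hashlib.sha256(req.content).hexdigest()
        if digest in self.trusted:
            d = Decision(True, req.wants_admin, "trusted", "hash in allowlist profile")
        elif self.mode == "enforce":
            d = Decision(False, False, "grey", "default deny: unclassified file")
        else:  # monitor mode: may run, but never with admin rights
            d = Decision(True, False, "grey", "monitor mode: logged, admin withheld")
        self.audit.append({"file": req.path, "sha256": digest, "user": req.user,
                           "origin": req.origin, "allowed": d.allow})
        return d

    def origin_of(self, filename):
        # Forensic lookup: who introduced a file and from where.
        return [r for r in self.audit if r["file"].endswith(filename)]


# Constructed sample data: an approved tool and an unclassified dropper.
TRUSTED_TOOL = b"constructed bytes standing in for an approved installer"
UNKNOWN_FILE = b"constructed bytes standing in for an unclassified executable"
ALLOWLIST = [hashlib.sha256(TRUSTED_TOOL).hexdigest()]


def demo(mode):
    policy = AppControlPolicy(ALLOWLIST, mode=mode)
    ok = policy.evaluate(ExecRequest(r"C:\Tools\approved.exe", TRUSTED_TOOL, "alice", "MSI-install", True))
    grey = policy.evaluate(ExecRequest(r"E:\diskpartmg16.exe", UNKNOWN_FILE, "bob", "USB", True))
    return ok, grey, policy.origin_of("diskpartmg16.exe")


if __name__ == "__main__":
    for mode in ("enforce", "monitor"):
        print(mode, *demo(mode), sep="\n  ")
```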


Microsoft Security Bulletin Summary for November 2014 / Admin Rights related vulnerabilities

by Viewfinity 9. December 2014 11:20
  • Microsoft Security Bulletin MS14-064 – Critical. Vulnerabilities in Windows OLE Could Allow Remote Code Execution
    This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS14-065 – Critical. Cumulative Security Update for Internet Explorer
    This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • Microsoft Security Bulletin MS14-067 – Critical. Vulnerability in XML Core Services Could Allow Remote Code Execution
    This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • Microsoft Security Bulletin MS14-069 – Important. Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
    This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office 2007. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • Microsoft Security Bulletin MS14-070 – Important. Vulnerability in TCP/IP Could Allow Elevation of Privilege
    This security update resolves a publicly reported vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing. This vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Security Bulletin MS14-073 – Important. Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege
    This security update resolves a privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities.
  • Microsoft Security Bulletin MS14-078 – Moderate. Vulnerability in IME (Japanese) Could Allow Elevation of Privilege
    This security update resolves a privately reported vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed. An attacker who successfully exploited this vulnerability could escape the sandbox of a vulnerable application and gain access to the affected system with logged-in user rights. If the affected system is logged in with administrative rights, an attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights.


#TBT Sony is not the only company with recurring data breaches

by Viewfinity 4. December 2014 16:40

Sony is in the news for another high profile data breach; this time hackers were able to infiltrate their servers, denying service and leaking proprietary information about scripts and even releasing upcoming films. While many are quick to point the finger at Sony for being underprepared, we’re standing with journalist Wayne Rash of eWeek.  In his article published yesterday Rash stated “the fact is all enterprises are just as vulnerable as Sony.”

Sony is not the first enterprise to get breached more than once. While traditional IT security practices should definitely be investigated and bolstered where necessary, we think that the answer lies not in foolproof protection, which simply doesn’t exist, but in proper incident response and analysis, which can enable an organization to adapt and move past a breach while protecting itself better against future ones. Visibility into an IT environment allows for accelerated incident response, which can drastically diminish dwell time. Solutions like continuous monitoring and forensic analysis are the tools needed to respond to the ever-adapting hackers and malware of today.

For more information on how you can protect your infrastructure before, during, and after an attack check out this whitepaper: Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security.


SC Magazine: New POS Malware Appears to be in Beta Testing Phase

by Viewfinity 2. December 2014 15:10

New POS Malware Appears to be in Beta Testing Phase

Read the full article from SC Magazine here.

Contact us if you'd like to know how we can help protect POS Systems.

Here are two more articles which address this problem as well; they are worth the read.

  • Jon Oltsik, Senior Principal Analyst for ESG
    “If Target used some type of application controls (from Bit 9, Kaspersky, McAfee, Viewfinity etc.)… it may have had a better fighting chance.” In Reducing Attack Surface with Application Control, we look at the double-edged sword of application control, detail a number of use cases where it fits well, and define selection criteria to consider for the technology.


Security firms uncover 'sophisticated' Regin spyware

by Alex Shoykhet 25. November 2014 11:26

Security firms uncover 'sophisticated' Regin spyware:
An "extremely complex" and "stealthy" spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs...

According to an article published by the BBC News, only about 100 Regin infections have so far been identified.

It is believed to provide the ability to:

  • remotely access victims' computers
  • take screenshots
  • control a mouse pointer
  • steal data
  • recover deleted files

Viewfinity Application Control provides IT security protection to combat spyware like Regin. As with most malware, computers with excessive administrative rights are much more vulnerable to being penetrated by this type of malware than computers operating in a controlled privilege management environment. Viewfinity’s monitoring of any “grey” applications (applications not yet classified and/or known as a trusted source in your environment), along with the history related to the application (from which URL it was installed, by whom, how many and which computers it is presently installed on, etc.), plus monitoring of network or web activity initiated by a suspicious application, would help to protect against Regin. Additionally, Viewfinity’s cross-referencing of information using its endpoint agent to collaborate with network security products (FireEye, Check Point and Palo Alto) identifies malware faster and elicits an immediate response. Regin appears to be targeting energy companies, a vertical in which Viewfinity has an extended customer base. You can learn about one use case here: http://www.viewfinity.com/Customers/Use_Case_Series.aspx

Read the full BBC News article here:  http://m.bbc.com/news/technology-30145265


1 Week Until Black Friday – 25 Gadget Gift Ideas

by Viewfinity 21. November 2014 15:49

With only one week left until the biggest shopping day of the year, we wanted to share this great gadget gift guide for all of our tech-loving readers out there. Whether you’re computer illiterate or tech savvy, these gifts will please anyone.

Holiday Gift Guide 2014: 25 Gadgets That Make Great Gifts

Have you started your holiday shopping yet? Be sure to check out this recent blog post on keeping your credit card safe before you do.


#TBT: A Brief Note on the History of Hacking

by Viewfinity 20. November 2014 15:49

Hackers, Data Breach, Security Infiltration – all words that have come to be part of everyday life. It seems that each day we hear more news about yet another hacker breaking through yet another barrier. Whether it’s large-scale corporate espionage or personal emails getting compromised, almost all of us have experienced hacking in one way or another. However, what most people don’t realize is just how old this concept is. In fact, the very first hack was over 110 years ago.

The first well known instance of hacking can be traced back to 1903, when an inventor named Nevil Maskelyne took it upon himself to interrupt a wireless telegraph message being sent by John Ambrose Fleming. Maskelyne sent insulting messages about Guglielmo Marconi, the inventor of the telegraph, via Morse code during Fleming’s public presentation of the technology. (Read the full story here.)

Thus the idea of hacking and trolling was born. Since then people have managed to hack into anything and everything possible, from emails and computers to cars and refrigerators. Who knows what will be next.


#TBT – Let’s take it all the way back to 1984 and The Karate Kid

by Viewfinity 13. November 2014 15:19

Let’s set the stage: it’s 1984, Los Angeles, California, and the All Valley Karate Tournament is coming to a close. We all know how it goes; wrought with tension and emotion, against all odds, the hurt and exhausted Daniel Larusso musters up his strength to defeat Johnny Lawrence with a simple yet harrowing Crane Kick, to win the championship.

This very Crane Kick has become an iconic 80’s movie scene, which has been copied and parodied countless times. This week one of our Waltham, Mass. neighbors, Boston Dynamics, found a new and exciting way to pay homage to this powerful movie moment. The company recently posted a video of their robot, Ian, performing that very same crane kick stance.

Ian is no Terminator, another iconic 1984 character, but one thing is definitely for sure: there is no way even Mr. Miyagi could have predicted the amazing technology that would allow this robot to move with such flow and precision.

So here’s the ultimate question – who do you think would win in a fight, Daniel-San or the Terminator?

Share with us your best Throw Back Thursday technologies and we will post them on our blog too!


Microsoft Security Bulletin Summary for October 2014: Vulnerabilities Connected to Users with Local Admin Rights

by Alex Shoykhet 10. November 2014 13:30

The most recent Microsoft Security Bulletin outlined several vulnerabilities which are preventable with the removal of admin rights.  For information on how Viewfinity can help remove the risk of these vulnerabilities, and many other security loopholes associated with excess admin rights contact us at: info@viewfinity.com or 800-455-2010.

  1. Microsoft Security Bulletin MS14-058
    Critical
    Win32k.sys Elevation of Privilege Vulnerability - CVE-2014-4113.

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
    An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

  2. Microsoft Security Bulletin MS14-061
    Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
    CVE-2014-4117
    A remote code execution vulnerability exists in the way that Microsoft Office software parses certain properties of Microsoft Word files. If an attacker is successful in exploiting this vulnerability, and if the current user is logged on with administrative user rights, the attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  3. Microsoft Security Bulletin MS14-060
    Important. Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)

    This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  4. Microsoft Security Bulletin MS14-062
    Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)

    This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker sends a specially crafted input/output control (IOCTL) request to the Message Queuing service. Successful exploitation of this vulnerability could lead to full access to the affected system. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually enable the Message Queuing component are likely to be vulnerable to this issue.

  5. Microsoft Security Bulletin MS14-056
    Cumulative Security Update for Internet Explorer (2987107)

    This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

  6. Microsoft Security Bulletin MS14-063
    Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)

    This security update resolves a privately reported vulnerability in Microsoft Windows. An elevation of privilege vulnerability exists in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.



About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. The Viewfinity solution allows enterprises to control end user and privileged user rights for applications and systems which require elevated permissions. Viewfinity's granular-level control enables companies to establish and enforce consistent policies for least privilege Windows-based environments based on segregation of duties. For more information, visit www.viewfinity.com.
