The Bash Bug vulnerability (CVE-2014-6271)

A new critical vulnerability, remotely exploitable, dubbed “Bash Bug”, is threatening billions of machines all over the world.

The vulnerability was discovered by the security researcher Stephane Chazelas at Akamai firm.

It affects Linux and Unix command-line shell, aka the GNU Bourne Again Shell, and for this reason it is potentially exposing websites, servers, PCs, OS X Macs, various home routers, and many other devices to risk of cyber attacks.

The team Bash stands for the GNU Bourne Again Shell and refers to a Unix shell, which is an interpreter that allows users to send commands on Unix and Linux systems, typically by connecting over SSH or Telnet.

The Bash can also operate as a parser for CGI scripts on a Web server. Stephane explained that the vulnerability has existed for several decades and it is related to the way Bash handles specially-formatted environment variables, namely exported shell functions.

A shell gives both administrators and attackers high privileged access to operating system features, allowing them to run almost any command.

“The potential is enormous – ‘getting shell’ on a box has always been a major win for an attacker because of the control it offers them over the target environment,” said software architect and Microsoft MVP Troy Hunt.

An attacker could dump all data stored on a server, change its settings, or serve malicious code to infect the machine.

“There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.”

The National Institute of Standards and Technology has assigned the vulnerability the designation CVE-2014-6271, rating the severity of the remotely exploitable vulnerability as a “10″ on its 10-point scale.

The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3. A threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.

To run an arbitrary code on a system running software which embeds a Bash, it is necessary to assign a function to a variable. Trailing code in the function definition will be executed.

Figure 1 – Shellshock command diagram (Symantec)

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution,” states the description for the Bush Bug flaw on the NIST National Vulnerability Database, which rated its severity as 10 out of 10.

Every machine having Bash configured as the default system shell could be easily hacked every time an application invokes the Bash shell command (e.g. Mail server) via HTTP or a Common-Gateway Interface (CGI).

The attacker could run arbitrary code on the server just by sending a specially crafted malicious web request by setting headers in a web request, or by setting weird mime types. Searching on the Internet, it is possible to find the source code for cgi-bin reverse shell reported below:

Similar attacks are possible via OpenSSH. “We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell,” Stephane warned. But if an attacker does not have an SSH account, this exploit would not work.

As reported in the advisory published by the NIST, the critical instances where the Bash Bug may be exposed include:

Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allow arbitrary command execution capabilities.
Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
Exploit servers and other Unix and Linux devices via Web requests, secure shell, Telnet sessions, or other programs that use Bash to execute scripts.
Billions of servers affected by the Bash Bug flaw

The impact of the Bash Bug vulnerability is widely extended. Bash is commonly used to execute commands on a server, especially those sent by other programs and applications. Security experts are considering the severity of this vulnerability higher than the one assigned to the Heartbleed bug, and the most concerning issue is the low level of complexity needed to run an attack which exploits it.

“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug,” states Robert Graham on his Blog Errata Security.

“They go on to rate it a “10 out of 10″ for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug,” added the security expert Troy Hunt.

The Bug Bash flaw is particularly dangerous for Internet-of-Things devices like smart meters, routers, web cameras and any other device that runs software, which allows bash scripts. Typically, such software is not easy to fix and are more likely to expose the critical flaw in the Internet.

As said by Graham, “Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

According the results of a recent survey conducted by the Internet services company Netcraft, the number and types of Web servers being used worldwide is more than 1 billion servers, and that more than half of those are Apache servers which run Linux and thus contain Bash by default.

Threat actors are exploiting the Bash Bug vulnerability in the wild

According to security experts, the Bash Bug vulnerability may already have been exploited in the wild by threat actors to hit Web servers.

Attackers are already targeting the Bash vulnerability, less than 24 hours after the public disclosure of details about the flaw vulnerability. To date, an unknown number of devices may contain the flaw, including millions of stand-alone Web servers, Unix and Mac OS X systems, and numerous other Internet-connected devices.

Malware researchers speculated that the critical flaw may be exploited by attackers which manage botnets to exploit a large number of machines exposed on the Internet.

The list of potential targets is very long and includes home routers, medical equipment, SCADA/ICS devices and many other systems. For this reason, the Bash Bug is considered by security experts more dangerous than the Heartbleed flaw which affected only versions of OpenSSL released over a two-year period. According to the experts, the Bash bug has is a 25 five year old flaw, and also recent versions of Linux machines are potentially as exploitable as outdated servers.

The real problem resides in the low complexity of a Bash Bug based attack, for threat actors it is quite easy to run them against vulnerable servers

Pierluigi Paganini

The post Bash Bug Sheel shock vulnerability Ireland appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.

Thanks to security experts, an online portal has been created where victims can get the key for free.

The portal was created after security researchers grabbed a copy of Cryptolocker’s database of victims.

“This time we basically got lucky,” said Michael Sandee, principal analyst at Fox-IT – one of the security firms which helped tackle the cyber-crime group behind Cryptolocker.
Cash call

Cryptolocker first appeared in September 2013, since when it has amassed about 500,000 victims.

Those infected were initially presented with a demand for $400 (£327), 400 euros ($535; £317) or an equivalent amount in the virtual Bitcoin currency. Victims had 72 hours to pay up or face the keys that would unlock their files being destroyed.

Analysis of the back-up database indicates that only 1.3% of all the people hit by the malware paid the ransom.

Despite the low response rate, the gang is believed to have netted about $3m from Cryptolocker. Many of those caught out did not pay because they were able to restore files from back-ups.

However, others are believed to have lost huge amounts of important files and business documents to the cyber-thieves.

In late May, law enforcement agencies and security companies seized a worldwide network of hijacked home computers that was being used to spread both Cryptolocker and another strain of malware known as Gameover Zeus.

This concerted action seems to have prompted an attempt by the gang to ensure one copy of their database of victims did not fall into police hands, said Mr Sandee.

What the criminals did not know, he said, was that police forces and security firms were already in control of part of the network and were able to grab the data as it was being sent.
Evgeniy Bogachev Evgeniy Bogachev was believed to be living in Russia, the FBI said

The action also involved the FBI charging a Russian man, Evgeniy Bogachev, aka “lucky12345” and “slavik”, who is accused of being the ring leader of the gang behind Gameover Zeus and Cryptolocker.

The Gameover Zeus family of malware targets people who bank online, and is thought to have racked up millions of victims.

“There’s a bit of guesswork in that figure because some of it was paid in bitcoins and that does not have a fixed exchange rate,” said Mr Sandee.

Now, security firms Fox-IT and FireEye – which aided the effort to shut down the Gameover Zeus group – have created a portal, called Decrypt Cryptolocker, via which any of the 500,000 victims can find out the key to unlock their files.

“All they have to do is submit a file that’s been encrypted from that we can figure out which encryption key was used,” said Greg Day, chief technology officer at FireEye.

Mr Day said people wishing to use the portal should submit a file that did not contain sensitive information to help it verify which key they needed.

The post Cryptolocker help is in hand with Decrypt Cryptolocker Support appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

In case you missed it, BadUSB is malware that hides in the firmware of USB drives. Security researchers Karsten Nohl and Jakob Lell will present their full findings on the software, which they created, next week at the Black Hat USA security conference in Las Vegas.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

Wired wrote that malware of this type could cause an “epidemic.” Nohl told Reuters that BadUSB functioned like a “magic trick.” Publications from ZDNet to VentureBeat predicted apocalyptic consequences for BadUSB.

But take a deep breath, because BadUSB is not likely to open the floodgates to a computing cataclysm — or, at least, not likely to open them any wider.

First things first: BadUSB is a proof-of-concept attack, designed by security researchers. They’re not going to release it into the wild, and most malicious hackers (who lack both the resources and know-ho to design something similar) would rather rely on tried-and-true phishing and malware attacks. These attacks are easy to avoid with a little common sense and even the most rudimentary antivirus software.

Furthermore, demonstrating something like BadUSB at a conference like Black Hat is basically an open invitation for the security community to fix this vulnerability before it becomes widespread. With some of the world’s foremost researchers and hackers on the case, prophylactic and curative measures won’t be too far behind.

Perhaps the most important point is that USB sticks compromising PCs is nothing new; it’s actually the easiest way for malefactors to get ahold of your system. Any public computer is susceptible to sneaky USB-based malware (and, in fact, most hotel computers are just ripe for hacking). Even so, USB hacks are relatively uncommon, compared to online ones.

The reason why is because USB attacks — even sophisticated ones like BadUSB — are extremely easy to prevent. If you own a private computer, you control who has access to it. If you buy a new USB stick, it will not come with any unwanted software. Simply use your judgment when accepting sticks from friends or third parties, and you’re not likely to contract any malware.

Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.

Tom’s Guide

The post Don’t Panic Over the Latest USB Flaw appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

In a strongly worded affidavit in support of the technology company embroiled in a landmark legal fight with the US government, Mr McDowell – who is also a practising senrior counsel – argued the disclosure of data is only lawful if signed off by a judge here.

Ireland is required by law to protect data held in the country from foreign law enforcement agencies.

The case being heard by a federal court in New York centres on the prosecution of a drug trafficker. Prosecutors want Microsoft to hand over emails stored in Microsoft’s server in Dublin, without going through existing international treaties. Microsoft has described it as potentially allowing federal agents to break down the door of its Dublin facility.

A federal magistrate had agreed a simple warrant, normally not valid outside US jurisdiction, was enough to force US-headquartered companies to hand over data. The ruling has been challenged by Microsoft and, if upheld, has deep implications, particularly for Ireland with its heavy US corporate footprint.

International treaties
It will essentially allow US law enforcement agencies to easily get information held in other countries without worrying about international treaties. Oral arguments in Micrsoft’s appeal were heard yesterday.

Co-operation with the US seeking information for criminal prosecutions is covered by Irish and European mutual legal assistance treaties and a 2008 criminal justice act. “In the present case, I understand that US law enforcement seeks email content stored in Microsoft’s servers in Dublin, Ireland,” Mr McDowell wrote in a four-page statement.

“The aforementioned treaties and procedures were designed to apply under precisely these circumstances. The US government should therefore obtain the evidence it seeks through the MLA treaties,” he said.

The treaties and act are “highly effective”; Ireland rarely turns down requests. However, the prosecutors in the case argue using the treaties would be too “cumbersome.”

Echoing privacy activists in the US, Mr McDowell said this argument was in part about Ireland’s sovereignty. Leading US privacy advocates, the Electronic Frontier Foundation said Ireland’s sovereignty risks being “trampled on.”

Ireland’s data protection acts “highlights its sovereign interest guarding against foreign law enforcement activities within its borders by any means other than the applicable MLA treaties,” said Mr McDowell, who was asked by Microsoft to file the affidavit in support of its appeal.

Any disclosure of data held in Ireland “is only lawful where such disclosure is required or mandated by reference to Irish law and subject to the jurisdiction and control of the Irish court,”

The US Department of Justice argues overseas records held by US-based companies must be disclosed if when a valid “warrant compels their production”.

Source:Irish Times

The post Microsoft fights US request for Irish-held data appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The bookmaker announced on its website yesterday that it has been working with Canadian police after a tip in May of this year and discovered the historical breach consisting of “individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer”.

However, it assured punters, “Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised.

“Paddy Power’s account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way.”

Paddy Power MD of Online Peter O’Donovan told customers, “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.

“This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”

Commenting on the leak, Troy Gill, security analyst at Appriver explained, “There is no need for panic here since no financial or password info has actually been exposed.

“It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices – utilizing different passwords for each account – even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road.

“However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed.”

The company put the number of people affected by the breach at 649,055, all of whom it said are being contacted. The company is also advising users to monitor other websites at which they have used the same credentials.

Paddy Power is the latest in a long line of consumer facing organisations to suffer security breaches in recent months, with eBay advising its customers to update passwords earlier this year, and the flaw found in Oauth and OpenID credentials, hot on the heels of the Heartbleed OpenSSL flaw, which caused panic when it was discovered in May.

By: Chris Merriman

The post IRISH ONLINE BOOKMAKER has revealed that it was the victim of a data breach in 2010 appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Make sure you’ve got the right SMTP settings. Most Irish ISPs block outbound Port 25 connections.

Below is a list of smtp settings for the majority of ISP’s in Ireland:

Smart Telecom Outgoing SMTP Server
smtp.mysmart.ie

Irish Broadband Outgoing SMTP Server
smtp.irishbroadband.ie.

Eircom Outgoing SMTP Server
mail1.eircom.net OR mail2.eircom.net

Magnet Outgoing SMTP Server
smtp.magnet.ie

NTL and UPC Outgoing SMTP Server
smtp.upcmail.ie

Vodafone Outgoing SMTP Server
mail.vodafone.ie

O2 Outgoing SMTP Server
smtp.o2.ie

Clearwire Outgoing SMTP Server
smtp.clearwire.ie / mail.clearwire.ie

Digiweb Outgoing SMTP Server
smtp.digiweb.ie

Imagine Broadband Outgoing SMTP Server
mail.imagine.ie OR mail.gaelic.ie

Perlico Outgoing SMTP Server
mail.perlico.ie

3 Outgoing SMTP Server: Mobile broadband with 3 mobile Ireland
mail-relay.3ireland.ie

Gmail Outgoing SMTP Server
smtp.gmail.com (use authentication)
Use Authentication: Yes
Port for TLS/STARTTLS: 587
Port for SSL: 465

The post Irish SMTP Settings appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Now, Microsoft has once again reversed course, indicating that they will in fact provide anti-malware support to Windows XP, Microsoft’s ancient but still-popular operating system, past the initial April 8, 2014 end of extended support deadline. Now, Microsoft will make anti-malware updates available through July 14, 2015, which they announced via an official blog post.

However, in the blog post, Microsoft gave a bit of a wink wink nudge nudge by mentioning that adopting “modern software” is a great way to help your system stay secure. Translation: Buy Windows 8! Here’s what Microsoft had to say.

“Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Microsoft was possibly moved to continue providing anti-malware updates to Windows XP due to the fact that it still widely in use, despite its age, hovering close to 30 percent as of December.

What do you think of Microsoft offering anti-malware support for Windows XP until the middle of 2015?

The post Microsoft Blinked Windows XP extended Malware protection. appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Microsoft is asking people to help their friends and family “get off” Windows XP, in an official blog post published by the tech giant.

However, you may know someone who is and have even served as their tech support,” writes Microsoft’s Brandon LeBlanc.

”To help, we have created a special page on Windows.com that explains what ‘end of support’ means for people still on Windows XP and their options to stay protected after support ends on April 8th.”

The two options that Windows XP users have to upgrade. They can either use the Windows Upgrade Assistant to determine whether they can upgrade their current PC to Windows 8 or Windows 8.1, or they can simply buy a new PC.

The decision to upgrade to Windows 8 or 8.1 is likely a tough choice for Windows XP users. There’s a notable amount of risk that comes with holding onto Windows XP once the April 8 “end of support” is upon us. So users of the outdated operating system must decide: Hold onto a more easily exploitable operating system, or spend hundreds of bucks for a system that has an OS that’s more secure, but significantly less liked by users, if market share numbers are any indication.

Though security experts might disagree with the former approach, the prospect of updating to Microsoft’s latest OS is a tough sell for the average Joe and Jane. Then again, there’s always Windows 7, which is the world’s most popular desktop operating system and can currently be had for around €100.

The post Microsoft wants you to help you move off Windows XP appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

As we are all aware, today’s working culture has moved on from the traditional old 9 to 5 office work to a new concept where people are working flexible hours from flexible locations. As a result, both employers and employees expect more – in particular, the ability to work seamlessly from any device and from any location at any time.

Technology advancements in telephony, collaboration tools, virtualisation, security and application and desktop delivery have enabled the ‘mobile office’ concept to be embraced faster than a speeding freight train. Adoption is also driven by the many benefits achievable through this solution – for instance, basing some staff at home can be used to reduce building and office related costs.

Relocating employees to work from their own desks using their own utilities can not only provide many financial benefits, but also allow avoiding issues such as transportation strikes and weather disasters..

But more strategically, when it comes to disaster recovery and business continuity planning, more and more companies are choosing to utilise the mobile or home office concept as a significant and vital recovery tactic. Dedicated workplace recovery services can be costly, and placing technology services at a designated workplace recovery suite will have an additional financial impact.

Similarly, if a company has multiple offices and the continuity plan states that a number of staff must relocate, for example, from the Dublin office to the Galway office, then that number desks must be either kept available, which is costly, or the existing staff displaced, with a loss of function or productivity. Then, there is also the matter of a number of PCs to configure as well as the setting up of telephones and other equipment.

Basing or rotating technical support or business support functions at home can be a huge advantage when faced with a business continuity scenario. Home-based workers are less likely to be affected by denial of access issues such as high profile terrorist targets or threats, major city power failures, office fires or flooding. The first members of staff ready and waiting for services to be brought online to be able to work during an invocation are the home-based employees.

It is not all easy and straightforward, though: all devices used by mobile and home workers – mainly laptops, smartphones and tablets – have to be managed properly and securely by the company.

Policies, technology and management tools must be in place to block users from saving or transferring harmful data onto devices, and also to maintain client confidentiality and adhere to Data Protection regulations as well as contractual obligations to customers, whilst still allowing staff to seamlessly access applications and data stored within the corporate network.

The tools already exist to support businesses to remotely manage, secure or wipe devices, remotely activate device services, and to create and manage their own security policies – whether those policies are corporate ‘end-user acceptable use’ policies, or technology enforcing policies such as disallowing ‘Copy & Paste’ functionality between devices or disabling printing or screen capture.

Fortunately, thanks to new technologies and industry best practices, the tools to achieve business continuity and to make a full recovery after a serious incident are all quite easily available. If the company’s disaster recovery and business continuity plan covers the mobile office service as well as any physical offices, the chances of a successful recovery and return to ‘business as usual’ are vastly improved. Moreover, there may be an advantage to be won over competitors going through the same issues, as well as reputational and credibility gains.

The key to any mobile office solution is resiliency and planning. It is vital that considerable thought, planning and design for the mobile office service is placed at the forefront of any disaster recovery environment and business continuity plan, to provide resiliency and contingency for the mobile and home-based workers in the event of technology failure, office inaccessibility or other unplanned incidents, as these employees may be the key to providing rapid continuation of business services in the most productive, seamless and cost-effective manner.

The post Disaster recovery and the modern Office environment appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.