
scip AG - scip monthly Security Summary


Contents

1. Editorial
2. scip AG information
3. New security gaps
4. Vulnerability statistics
5. Labs
6. Picture puzzles
7. Imprint

1. Editorial

IT security in the media

In the last few days, people outside the security field and other interested parties have also witnessed that data theft can affect anyone. Various media, such as the NZZ or the Tagesanzeiger, reported on hackers who published data on Michelle Obama and various other celebrities. Radio24 conducted an interview with our Marc Ruef. 20 Minuten reported on a wave of attacks aimed at e-banking account data and conducted an interview with our Oliver Kunz.

The topic of IT security is currently very popular with the media, even if it is not labelled as such in the respective reports. Many tips are given by experts on how to protect yourself from such attacks. I am critical of such reports in most cases. Of course I appreciate the fact that awareness training is, so to speak, carried out for the average and home user, as long as the reports are correct and based on facts. On the other hand, I know very well that these reports a) mostly contain showmanship and fear-mongering, b) are quickly forgotten, c) quickly elevate people to the status of an expert in order to satisfy point a) sufficiently, and d) many people are of the opinion that something like that cannot happen to them. Point d) can have various causes:

- overconfidence in dealing with such situations and attacks
- lack of interest in changing something as long as it does not affect you
- transferring guilt to others, e.g. the banks in the case of skimming or fraud in banking

I would appreciate it if reports on IT security were taken up more often by the media on a factual level, without any additions to improve the requirements. Not because I'm interested in which stores Michelle Obama buys the latest fashion in and I need the latest source for it, no. But because it would sensitize people to a topic that concerns us all. And the more people know about the current dangers of IT, the better they are able to protect themselves from them. In our highly digitized world, this must be of interest and benefit to everyone.

Sean Rütschi
Zurich, March 15, 2013

2. scip AG information

2.1 Backdoor test

The aim of our backdoor test service is to successfully compromise the target environment by infecting it with a specially made Trojan horse (backdoor), in order to determine effectively exploitable loopholes in the existing security system.

- Preparation: The target environment is evaluated in order to develop an individual attack scenario.
- Development: A Trojan horse is programmed for the customer. We build on our own code libraries and exploiting payloads (SAP, iPhone, Web 2.0 / Ajax, Windows Mobile, Word, Excel, PowerPoint, PDF, Outlook, Lotus Notes etc.).
- Infection: The target environment or a defined target system is infected with the Trojan horse (e.g. social engineering, drive-by infection, exploiting a document vulnerability).
- Remote control: After successful infection, remote control is established in order to demonstrate the feasibility and the possibilities.

Such backdoor inside/out tests are very individual. The preparations (development of the backdoor) and the implementation of the attack (infection and remote control) are documented in detail. The exploited weaknesses in the target environment (e.g. firewall tunneling, antivirus evasion, etc.) are discussed in detail.

Thanks to our many years of experience and our proven expert knowledge, we at scip AG have already carried out a large number of backdoor test projects. Count on us too! Do not hesitate to contact our Mr. Simon Zumstein by phone or to send him an email.

3. New security gaps

The extended list of the vulnerabilities discussed here, as well as other security gaps, can be viewed free of charge in our database. The VulDB Alert System service package provides you with exactly the information that is relevant to your systems.

Contents (VulDB entries in this issue):

- Apple Mac OS X Software Update Spoofing [CVE]
- Apple Mac OS X PDFKit [CVE]
- Apple Mac OS X Messages FaceTime:// Misconfiguration
- Apple Mac OS X IOAcceleratorFamily [CVE]
- Apple Mac OS X Java Web Start Misconfiguration [CVE]
- Apple Mac OS X Unicode Character URI Handler Weak Authentication
- FreeBSD i915 DRM Driver [CVE]
- Google Android CHANGE_NETWORK_STATE Extended Rights
- Google Android Native Code Replacement Extended Rights
- Google Android Application Uninstaller Extended Rights
- Google Android APK Installer Spoofing
- Google Android Browser Information Disclosure
- Google Android CHANGE_NETWORK_STATE Extended Rights
- GNU Coreutils sort
- GNU Coreutils join
- Linux Kernel cdc-wdm USB [CVE]
- TP-LINK TL-WDR4300 / TL-WR743ND TFTP Server userrpmnatdebugrpm/start_art.html
- Red Hat JBoss Enterprise Portal Platform Export / Import Gadget Weak Authentication
- Linux Kernel sctp_getsockopt_assoc_stats()
- Oracle Java [CVE]
- Adobe Reader [CVE]
- WebKitGTK+ HTMLMediaElement Destructor readystatechange Event
- WebKitGTK+ SVG Image Handler WebCore/loader/ImageLoader.cpp
- Google Chrome renderbox WebCore/html/shadow/SliderThumbElement.cpp
- Citrix Access Gateway Access Handler Extended Rights [CVE]

3.1 Apple Mac OS X Software Update Spoofing [CVE]
VulDB: A critical vulnerability has been identified in Apple Mac OS X. This affects an unknown function of the component Software Update. The vulnerability can be eliminated by applying the Security Update patch.

3.2 Apple Mac OS X PDFKit [CVE]
VulDB: A critical vulnerability was found in Apple Mac OS X. This affects an unknown function of the component PDFKit. The vulnerability can be resolved by applying the Security Update patch.

3.3 Apple Mac OS X Messages FaceTime:// Misconfiguration
VulDB: A critical vulnerability has been found in Apple Mac OS X. This affects the FaceTime:// function of the Messages component. The vulnerability can be eliminated by applying the Security Update patch.

3.4 Apple Mac OS X IOAcceleratorFamily [CVE]
VulDB: A critical vulnerability was found in Apple Mac OS X. This affects an unknown function of the component IOAcceleratorFamily. The vulnerability can be eliminated by applying the Security Update patch.

3.5 Apple Mac OS X Java Web Start Misconfiguration [CVE]
VulDB: A critical vulnerability was found in Apple Mac OS X. This affects an unknown function of the component Java Web Start. The vulnerability can be resolved by applying the Security Update patch.

3.6 Apple Mac OS X Unicode Character URI Handler Weak Authentication
VulDB: A vulnerability has been identified in Apple Mac OS X. This affects an unknown function of the component Unicode Character URI Handler. The vulnerability can be eliminated by applying the Security Update patch.

3.7 FreeBSD i915 DRM Driver [CVE]
VulDB: A critical vulnerability was found in FreeBSD, an operating system. Affected is an unknown function of the component i915 DRM Driver. Switching off the affected component is recommended as the best possible measure.

3.8 Google Android CHANGE_NETWORK_STATE Extended Rights
VulDB: A critical vulnerability was identified in Google Android 4.1. It affects the function CHANGE_NETWORK_STATE. An upgrade to version 4.2 can solve this problem. The vulnerability can also be eliminated by applying the Android Issue # patch. Updating to a new version is recommended as the best possible measure.

3.9 Google Android Native Code Replacement Extended Rights
VulDB: A critical vulnerability was found in Google Android 4.1. This affects an unknown function of the component Native Code Replacement. Upgrading to version 4.2 solves this problem.

3.10 Google Android Application Uninstaller Extended Rights
VulDB: A vulnerability was found in Google Android 4.1. This affects an unknown function of the component Application Uninstaller. An upgrade to version 4.2 can solve this problem.

3.11 Google Android APK Installer Spoofing
VulDB: A critical vulnerability was discovered in Google Android 4.1. This affects an unknown function of the component APK Installer. Upgrading to version 4.2 can solve this problem. A countermeasure appeared before, not after, the vulnerability was published. Google has therefore reacted in advance.

3.12 Google Android Browser Information Disclosure
VulDB: A critical vulnerability was identified in Google Android. This affects an unknown function of the component Browser. An upgrade to version 4.2 can solve this problem. The vulnerability can also be eliminated by applying the Android Issue # patch. The best possible measure is to update to a new version.

3.13 Google Android CHANGE_NETWORK_STATE Extended Rights
VulDB: A critical vulnerability has been identified in Google Android 4.1. This affects the CHANGE_NETWORK_STATE function. Upgrading to version 4.2 can solve this problem. The vulnerability can also be solved by applying the Android Issue # patch. The best possible measure is to upgrade to a new version.

3.14 GNU Coreutils sort
VulDB: A critical vulnerability was discovered in GNU Coreutils up to 6.12. This affects the sort function. Upgrading to the fixed version may solve this problem.

3.15 GNU Coreutils join
VulDB: A vulnerability was found in GNU Coreutils up to 8.9. It affects the join function. Upgrading to the fixed version can solve this problem.

3.16 Linux Kernel cdc-wdm USB [CVE]
VulDB: A critical vulnerability has been discovered in the Linux Kernel, an operating system. This affects an unknown function in the cdc-wdm USB library. The best possible measure is to install the corresponding patch.

3.17 TP-LINK TL-WDR4300 / TL-WR743ND TFTP Server userrpmnatdebugrpm/start_art.html Extended Rights
VulDB: A critical vulnerability has been found in TP-LINK TL-WDR4300 and TL-WR743ND Build Rel.37950n. This affects an unknown function of the file userrpmnatdebugrpm/start_art.html of the component TFTP Server. The vulnerability can be mitigated by filtering the web server port using firewalling. The problem can also be mitigated by using Netgear / D-Link / Cisco as an alternative product. The best possible measure is to deactivate the affected component.

3.18 Microsoft SharePoint Server Input Validator Denial of Service
VulDB: A critical vulnerability has been found in Microsoft SharePoint Server 2010 SP1. This affects an unknown function of the component Input Validator. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.19 Microsoft Visio Tree Object Type [CVE]
VulDB: A critical vulnerability was identified in Microsoft Visio 2010 SP1, an office suite. This affects an unknown function of the component Tree Object Type. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.20 Microsoft Silverlight Application Handler [CVE]
VulDB: A critical vulnerability was found in Microsoft Silverlight up to 5. This affects an unknown function of the component Application Handler. The weak point can be resolved by applying the patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.21 Microsoft Internet Explorer CTreeNode
VulDB: A critical vulnerability has been identified in Microsoft Internet Explorer up to 8, a web browser. This affects the function CTreeNode. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft responded immediately.

3.22 Microsoft Internet Explorer removechild
VulDB: A critical vulnerability was found in Microsoft Internet Explorer 10, a web browser. This affects the removechild function. We recommend installing the relevant patch as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Microsoft responded immediately.

3.23 Microsoft Internet Explorer onbeforecopy
VulDB: A critical vulnerability was found in Microsoft Internet Explorer up to 10, a web browser. It affects the onbeforecopy function. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.24 Microsoft Internet Explorer GetMarkupPtr
VulDB: A critical vulnerability was found in Microsoft Internet Explorer up to 10, a web browser. This affects the GetMarkupPtr function. We recommend installing the relevant patch as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.25 Microsoft Internet Explorer CElement
VulDB: A critical vulnerability was found in Microsoft Internet Explorer up to 8, a web browser. This affects the CElement function. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.26 Microsoft Internet Explorer CCaret
VulDB: A critical vulnerability was discovered in Microsoft Internet Explorer up to 10, a web browser. The CCaret function is affected. We recommend installing the relevant patch as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.27 Microsoft Internet Explorer CMarkupBehaviorContext
VulDB: A critical vulnerability was discovered in Microsoft Internet Explorer 10, a web browser. This affects the CMarkupBehaviorContext function. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.28 Microsoft Internet Explorer savehistory
VulDB: A critical vulnerability was found in Microsoft Internet Explorer up to 10, a web browser. This affects the savehistory function. We recommend installing the relevant patch as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.29 Microsoft Internet Explorer OnResize
VulDB: A critical vulnerability has been found in Microsoft Internet Explorer up to 10, a web browser. This affects the OnResize function. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Microsoft reacted immediately.

3.30 Ron Rivest RC4 Algorithm Pseudo-Random Character Generation Weak Encryption
Risk: Problematic
VulDB: A problematic vulnerability has been identified in the Ron Rivest RC4 Algorithm. Affected is an unknown function of the component Pseudo-Random Character Generation. The problem can be mitigated by using AEAD TLS as an alternative product.

3.31 Adobe Flash Player [CVE]
VulDB: A critical vulnerability was found in Adobe Flash Player. It affects an unknown function. An upgrade to the fixed version can solve this problem. A new version can be obtained from get2.adobe.com. The problem can also be mitigated by using Microsoft Silverlight / Java / Javascript as an alternative product. Updating to a new version is recommended as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Adobe reacted immediately.

3.32 Adobe Flash Player [CVE]
VulDB: A critical vulnerability has been found in Adobe Flash Player. This affects an unknown function. Upgrading to the fixed version can solve this problem. A new version can be obtained from get2.adobe.com. The problem can also be mitigated by using Microsoft Silverlight / Java / Javascript as an alternative product. The best possible measure is to upgrade to a new version. A countermeasure appeared immediately after the vulnerability was published. Adobe reacted immediately.

3.33 Adobe Flash Player Dialog Call-Back Handler [CVE]
VulDB: A critical vulnerability was found in Adobe Flash Player. This affects an unknown function of the component Dialog Call-Back Handler. An upgrade to the fixed version can solve this problem. A new version can be obtained from get2.adobe.com. The problem can also be mitigated by using Microsoft Silverlight / Java / Javascript as an alternative product. Updating to a new version is recommended as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Adobe reacted immediately.

3.34 Adobe Flash Player [CVE]
VulDB: A critical vulnerability was discovered in Adobe Flash Player. An unknown function is affected. Upgrading to the fixed version can solve this problem. A new version can be obtained from get2.adobe.com. The problem can also be mitigated by using Microsoft Silverlight / Java / Javascript as an alternative product. The best possible measure is to upgrade to a new version. A countermeasure appeared immediately after the vulnerability was published. Adobe reacted immediately.

3.35 Linux Kernel i915 Driver [CVE]
VulDB: A critical vulnerability was discovered in the Linux Kernel, an operating system. This affects an unknown function of the component i915 Driver. The vulnerability can be eliminated by applying a patch. This can be obtained from lkml.org. A countermeasure appeared immediately after the vulnerability was published. Linux reacted immediately.

3.36 Google Chrome ImageLoader Object ImageInputType
VulDB: A critical vulnerability was identified in Google Chrome, a web browser. The ImageInputType function of the ImageLoader Object component is affected. The weak point can be resolved by applying a patch. This can be obtained from trac.webkit.org. A countermeasure appeared immediately after the vulnerability was published. Google reacted immediately.

3.37 Google Chrome User Input Sanitizer [CVE]
VulDB: A critical vulnerability was identified in Google Chrome, a web browser. This affects an unknown function of the component User Input Sanitizer. Upgrading to the fixed version can solve this problem.

3.38 Oracle Java [CVE]
VulDB: A critical vulnerability was found in Oracle Java up to 7 Update 17, a programming language. This affects an unknown function. No information is known regarding countermeasures. In case of doubt, an alternative product can be used.

3.39 Oracle Java [CVE]
VulDB: A critical vulnerability was found in Oracle Java up to 7 Update 17, a programming language. This affects an unknown function. No information is known regarding countermeasures. In case of doubt, an alternative product can be used.

3.40 Adobe Flash Player [CVE]
VulDB: A critical vulnerability was discovered in Adobe Flash Player. This affects an unknown function. The problem can be mitigated by using Microsoft Silverlight / Java / Javascript as an alternative product.

3.41 Microsoft Internet Explorer Sandbox [CVE]
VulDB: A critical vulnerability has been identified in Microsoft Internet Explorer 9, a web browser. This affects an unknown function of the component Sandbox. No information is known regarding countermeasures. The use of an alternative product is advisable in case of doubt.

3.42 Red Hat JBoss Enterprise Portal Platform XML Parser Information Disclosure
VulDB: A vulnerability was found in Red Hat JBoss Enterprise Portal Platform. This affects an unknown function of the component XML Parser. The best possible measure is to install the corresponding patch. A countermeasure appeared immediately after the vulnerability was published. Red Hat reacted immediately.

3.43 Red Hat JBoss Enterprise Portal Platform Export / Import Gadget Weak Authentication
VulDB: A critical vulnerability was found in Red Hat JBoss Enterprise Portal Platform. This affects an unknown function of the component Export / Import Gadget. We recommend installing the relevant patch as the best possible measure. A countermeasure appeared immediately after the vulnerability was published. Red Hat reacted immediately.

3.44 Linux Kernel sctp_getsockopt_assoc_stats()
VulDB: A critical vulnerability was discovered in Linux Kernel up to 3.8.2, an operating system. This affects the function sctp_getsockopt_assoc_stats(). The vulnerability can be eliminated by applying a patch. This can be obtained from git.kernel.org. A countermeasure appeared before, not after, the vulnerability was published. Linux has therefore reacted in advance.

3.45 Oracle Java [CVE]
VulDB: A critical vulnerability was found in Oracle Java up to 7 Update 17, a programming language. This affects an unknown function. No information is known regarding countermeasures. In case of doubt, an alternative product can be used.

3.46 Adobe Reader [CVE]
VulDB: A critical vulnerability has been discovered in Adobe Reader. It affects an unknown function. The problem can be mitigated by using Foxit Reader as an alternative product.

3.47 WebKitGTK+ HTMLMediaElement Destructor readystatechange Event
VulDB: A vulnerability was found in WebKitGTK+. It affects the readystatechange event function of the HTMLMediaElement Destructor component. The vulnerability can be eliminated by applying a patch. This can be obtained from trac.webkit.org. A countermeasure appeared immediately after the vulnerability was published. The developers reacted immediately.

3.48 WebKitGTK+ SVG Image Handler WebCore/loader/ImageLoader.cpp SVGImageElement
VulDB: A critical vulnerability was found in WebKitGTK+. This affects the function SVGImageElement of the file WebCore/loader/ImageLoader.cpp of the component SVG Image Handler. The vulnerability can be eliminated by applying a patch. This can be obtained from trac.webkit.org. A countermeasure appeared immediately after the vulnerability was published. The developers reacted immediately.

3.49 Google Chrome renderbox WebCore/html/shadow/SliderThumbElement.cpp
VulDB: A critical vulnerability was discovered in Google Chrome, a web browser. This affects the functions SliderThumbElement::setPositionFromPoint / RenderSliderContainer::layout of the file WebCore/html/shadow/SliderThumbElement.cpp of the component renderbox. The weak point can be resolved by applying a patch. This can be obtained from trac.webkit.org. A countermeasure appeared immediately after the vulnerability was published. Google responded immediately.

3.50 Citrix Access Gateway Access Handler Extended Rights [CVE]
VulDB: A critical vulnerability was found in Citrix Access Gateway. This affects an unknown function of the component Access Handler. An upgrade to the fixed version can solve this problem. A new version can be obtained from citrix.com. A countermeasure appeared immediately after the vulnerability was published. Citrix responded immediately.

4. Vulnerability statistics

The statistics listed below are based on data from the German-language vulnerability database of scip AG. Do not hesitate to contact us: if you want specific statistics from our vulnerability database, send us an email at info-at-scip.ch. We are happy to receive your suggestions.

Evaluation date: March 18, 2013

Figures (captions only; the charts themselves are not reproduced in this text):

- Course of the number of vulnerabilities per year
- Course of the last three months of the vulnerabilities / severity
- Course of the last three months of the vulnerabilities / category
- History of the number of vulnerabilities per month, time period 2012
- History of the number of vulnerabilities / severity per month
- History of the number of vulnerabilities / category per month
- Development of the number of vulnerabilities per quarter since Q1/2004
- Development of the number of vulnerabilities / severity per quarter since Q1/...
- History of the number of vulnerabilities / category per quarter since Q1/...

5. Labs

News and research reports are regularly published in our scip labs.

5.1 Android SMS proxy app

Oliver Kunz, olku-at-scip.ch

Imagine that an app lets you send short messages, but the recipient receives the SMS with a different sender number. Imagine that you are a spam provider and have no qualms about offloading the cost of your unsolicited advertising onto third parties. Within a short time, I wrote a proof-of-concept for this as an Android app. Google's operating system refused some of my wishes. As everywhere in life, it is all a question of perspective.

Scenario

We want an app that
- is not visible to the user in the app launcher view,
- forwards an SMS without user interaction, and
- leaves no visible traces on the system.

There are, however, restrictions (some self-imposed, some imposed from outside):
- The user will discover our interaction on the bill (hardly noticeable with an unlimited SMS plan).
- The app must be started once after installation before the service runs in the background (Google policy).
- The app appears in the task manager (no effort was made to change this in the PoC).
- The app initially only reacts to a specified sender number.
- The app only runs until the next reboot (a small adjustment would be required).

SMSProxy app

As I said, the application was created within a short time, even with little development experience in the Android environment, as long as you know Java. I do not want to print the complete source code here, however. Three files are relevant for us: (1) the Android manifest, (2) an activity, which is displayed at installation, and (3) a broadcast receiver that triggers on received SMS.

Activity: functional core component

As mentioned in the scenario, the latest version of Android no longer supports apps that can be started directly as a service. This is a protection mechanism for the user. We therefore need an activity that is executed once the app has been installed. This activity is pretty simple. It only includes one method, to which we add two lines that make the app disappear from the app launcher:

    ComponentName cn = new ComponentName("com.example.smsproxy",
            "com.example.smsproxy.SMSProxyActivity");
    getPackageManager().setComponentEnabledSetting(cn,
            PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
            PackageManager.DONT_KILL_APP);

BroadcastReceiver: receiving SMS

The BroadcastReceiver is a class that waits for an event and then reacts. In our case the event is android.provider.Telephony.SMS_RECEIVED. We get the incoming SMS messages back from the extras of the associated intent:

    Bundle intentBundle = intent.getExtras();
    Object[] pdus = (Object[]) intentBundle.get("pdus");
    SmsMessage smsMsg = SmsMessage.createFromPdu((byte[]) pdus[0]);
    String[] message = smsMsg.getMessageBody().toString().split(";");

So that not every received SMS is forwarded, and not just anyone can send an SMS to be forwarded, we check the sender. Once it is clear that our designated originating number sent the SMS, the event is suppressed for further handling outside our app. This means that the user does not receive a notification that an SMS has arrived. The received message is then forwarded:

    // allowedSrc: the sender number configured in the app
    String smsSrc = smsMsg.getOriginatingAddress();
    if (smsSrc.equals(allowedSrc)) {
        this.abortBroadcast();
        SmsManager smsMgr = SmsManager.getDefault();
        smsMgr.sendTextMessage(message[0], null, message[1], null, null);
    }

Obtaining permissions in the AndroidManifest

We add two permissions to the standard AndroidManifest.xml file to enable sending and receiving SMS. The activity and the broadcast receiver are registered in the application tag. We still have to set the priority in the receiver tag; this ensures that every incoming SMS goes through our app first.

Function

The following graphic illustrates how the application works (similar to the approach on iOS). After the app has been installed on an Android device, the attacker's device does not matter, nor does its OS; only its number must match the one configured in the app. It sends an SMS to the manipulated device. The message consists of two parts: (1) the telephone number of the target device, a semicolon as separator, and then (2) the message for the target device. However, it is not the attacker's number that is displayed as the sender of the SMS, but that of the manipulated device. As usual, an SMS appears on the target device.

Summary

The PoC app shows that it does not take much to break the integrity of the mobile phone. The app can cause serious problems for the owner of the manipulated device:
- It can cause high costs under certain circumstances.
- It can lead to legal consequences, depending on the type of message being forwarded.
- The code used is so small that the functionality can easily be integrated into an inconspicuous app. An app that needs our permissions for its core functions could be the perfect distraction: the required permissions seem plausible for the function of the trojanized app.
- With a few adjustments, it would also be possible to forward every message to the attacker. Every SMS-based authentication would then give up its secret factor, which enables potential man-in-the-middle attacks.

Less than a week after this article was published, MELANI published a report on the subject. There currently seems to be malware in circulation that targets mTAN authentication. Apparently attackers intercept the bank's SMS for login and transaction authentication and redirect it to themselves. This allows them to carry out transactions from the victim's account undisturbed.
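The PoC above needs three things that all show up in an app's manifest: the RECEIVE_SMS and SEND_SMS permissions, and an SMS_RECEIVED receiver with a high android:priority so it can call abortBroadcast() before the default SMS app sees the message. The following triage script is an added example, not code from the article or its app; it parses two manifests that are constructed here (package name borrowed from the article, everything else assumed) and flags that combination, while leaving a receive-only verification-code reader alone.

```python
"""Manifest triage for the SMS-proxy pattern described in the article.

Added example, not code from the scip article or its PoC app. Both manifests
below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: a receiver asking for priority >= 100 wants to run ahead of the
# default SMS app; real triage would tune this threshold to the device's apps.
PRIORITY_THRESHOLD = 100

# Constructed manifest mirroring the article's PoC (package name from the article).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsproxy">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Notes">
    <activity android:name=".SMSProxyActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: reads incoming SMS (e.g. verification codes)
# but cannot send, and does not try to pre-empt the default SMS app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.codereader">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Code Reader">
    <receiver android:name=".CodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(intent_filter):
    """android:priority as an int; a missing or malformed value counts as 0."""
    try:
        return int(intent_filter.get(ANDROID_NS + "priority", "0"))
    except ValueError:
        return 0


def analyze_manifest(xml_text):
    """Return the permissions, SMS receivers and findings for one manifest."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

    # Every receiver that listens for SMS_RECEIVED, with the priority it asked for.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((receiver.get(ANDROID_NS + "name"), _priority(flt)))

    findings = []
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("sends_and_receives_sms")
    if any(prio >= PRIORITY_THRESHOLD for _, prio in sms_receivers):
        findings.append("high_priority_sms_receiver")
    # The article's PoC needs all of it: receive, pre-empt the SMS app, re-send.
    if len(findings) == 2:
        findings.append("sms_proxy_pattern")

    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(text)
        print(report["package"], "->", report["findings"] or "no findings")
```

The runtime trick from the article (disabling the launcher activity via setComponentEnabledSetting) is invisible in the manifest, so a match here is a lead for dynamic analysis, not proof on its own.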

5.2 Risk seismograph

Flavio Gerbino, flge-at-scip.ch

An organizational setup for a quick reaction to acute IT risks

Various IT security incidents have shown that it is not enough to rely on traditional IT security components (IDM, WAF, firewalls, SIEM, anti-malware etc.) and service processes (e.g. incident management). What you need is a radar, a seismograph for potential security incidents: a network of interested, security-savvy employees who identify, evaluate and escalate security-relevant incidents for their area of responsibility and who can communicate them appropriately, so that emerging incidents can be nipped in the bud before they develop into a vital problem for the company.

Idea

The rapid technological development, which is also driving the penetration of all areas of life by information technology, ensures a multifaceted change in the threat situation. Reports about newly discovered vulnerabilities in a wide variety of products, which allow infrastructures to be penetrated however well-secured they are, follow incessantly. A wave of cyber attacks on attractive targets continues to make headlines. There are just as few limits to criminal energy as to the exponentially increasing complexity of technical systems, which leads to unimaginable collateral effects and unintentionally keeps creating new fields of unimagined, illegitimate possibilities.

Banks and other service providers, as processors of information that is worth protecting and therefore extremely attractive to potential attackers, and as operators of sophisticated infrastructure, see themselves increasingly confronted with suddenly occurring dangers which have to be recognized at short notice and to which appropriate measures have to be taken. Weak points in frequently used, popular products such as browsers, firewalls or operating systems are repeatedly uncovered and exposed to an immense number of potential attackers via various Internet channels. Even cryptographic components, which are integral parts of important services, are by no means immune to weaknesses. In such situations, the appropriate reaction becomes a race against time: it is important to recognize the scope of these weaknesses and to counter them with suitable measures within a company before they can affect the quality of services.

For the security of a company, and its direct impact on the quality and reputation of the service portfolio, it is essential to be able to identify and control the relevant threats and/or weak points as early as possible. It is therefore necessary to have a security system for early risk detection, rapid decision-making and implementation of measures: let us call it a risk seismograph. This organizational instrument for early risk detection is interdisciplinary and set up company-wide across all business areas. All technologies that are essential for providing the range of services are under the radar of those responsible. Security incidents are recognized proactively or immediately identified reactively, so that appropriate and competent measures can be taken. The primary goal is to exclude impairment of services as far as possible, to ensure the high quality standards of the service portfolio over the long term, and to preserve the extraordinary reputation of the business environment.

Background

The identification of security-relevant events is based on the monitoring of information sources. Current threats and weak points in system components are communicated in forums, newsgroups or manufacturer news. Internal alarm devices such as system consoles or intrusion detection systems (SIEM, anti-malware, etc.) monitor the behavior of the infrastructure for irregularities. The responsible specialists monitor these sources of information and combine the knowledge gained in various ways in a preliminary assessment. However, companies often still lack the framework organization for the early forwarding of information and its handling by the responsible bodies. Most of these threats or vulnerabilities have an interdisciplinary communication and handling aspect and require a corresponding institutionalization in the company in order to be handled effectively.

Detection scenarios by type:

- Public discussion: A new event is discussed on the Internet or in other information media as a possible danger.
- External detection: The event has occurred elsewhere and is communicated via mass media (e.g. daily newspapers, television) or an external alarm system.
- Internal detection: Our own security devices draw attention to the event.
- Internal impact: The event occurs in our own organization (selectively) and could cause greater damage.
- Internal damage: The event is already causing major damage in our own organization.

The accuracy of detection is the critical component of the risk seismograph: while essential cases remain undetected on a superficial examination, excessive sensitivity leads to a large number of false positive events (incorrectly assessed as applicable) and to a reduction in attention. In order to ensure accurate handling of relevant events, special roles are required in the setup of the risk seismograph:

- Taskforce (TF): The internal taskforce is an interdisciplinary small group of qualified experts in the relevant specialist area, who convene to handle an event when one occurs. The taskforce examines and assesses the event and decides on the measures to be implemented. Decisions made and defined measures are documented and forwarded to the company for implementation.
- Process owner (PE): Ownership of the risk seismograph processes, the associated concepts and specifications lies with the Chief Security Officer (CSO). Within the CSO organization there is a defined contact person for the risk seismograph, who acts as the central point of contact for all topics in this context.
- Risk Scout (RK): Their central task in the context of proactive activity is to identify potential dangers and weak points as early as possible.
In the reactive case, risk scouts are the key point in implementing compensatory measures and definitive solutions, regardless of their position and expertise. In both scenarios, you have a decisive role in the identification and analysis: As the employee with the closest professional affinity, you are primarily responsible for the first assessment. The tasks include: Regularly reviewing the relevant information sources (every working day if necessary), recording the relevant information in the appropriate boards for the risk seismograph, notifying the head of the task force responsible for the event. Taskforce leader (TL): These ensure the rapid and interdisciplinary development of the technically correct decision-making basis for the appropriate reaction to events. Your main task is to coordinate all activities in the context of the risk seismograph. In the proactive mode, they are available as contact persons for risk scouts from your department, actively follow the open cases and ensure appropriate processing. Board (BD): Tools for communication, log, reporting, etc. A simple Board-like intranet tool can be implemented. A unique data entry is systematically generated for each event. The characteristics of the event are queried by querying various properties: title, department, priority. Criticality, relevance, hazard category, sources, problem summary, status, attachments (e.g. screenshots), solution process, bodies involved (escalation), final report, etc. 20/23

Process overview

Events that have an effect on the following properties of information or processing systems of all kinds are designated as security incidents: confidentiality, integrity, availability, reliability, effectiveness, cost-effectiveness, compliance with legal requirements, whenever an effect on the security of the company's services, information or infrastructure is to be expected. The effect can potentially occur in the future (proactive view) or it can actually be present (reactive view). Regardless of the subsequent assessment of relevance, every security incident must be recorded as such in the board as soon as it is viewed as a risk seismograph incident. This provides evidence that monitoring and treatment actually took place. The event detection and analysis process essentially consists of six steps in two phases.

Procedure

How the process actually works:

1. The risk scouts within a department are responsible for the regular monitoring of the sources of information.

2. The risk scouts undertake an initial filtering of the information found. For this purpose, they carry out a preliminary assessment, which requires assessing the relevance and urgency of an event. The risk scout may need to do additional research to obtain all the information they need. If the investigated and pre-assessed event has an impact on the company (the manufacturer who published the information or the product that the information relates to is in use in the company), the risk scout opens an entry in the board for the risk seismograph. The entry is opened regardless of the relevance of the specific information; this assessment takes place as part of the next step.

3. In this sub-step, the current event within the respective department is analyzed and discussed. Relevant cases are followed up; non-relevant cases are marked as such for the purpose of traceability and closed. After completing step 3, a corrected description results, which forms the starting point for the following steps. All functionaries visit the board every working day and examine the incomplete entries from their respective specialist area. They take part in the discussion of the events and contribute to the analysis with their specialist knowledge.

4. Depending on the results from step 3, proposed measures to remedy an event are worked out. For this purpose, the head of the task force can convene a task force with a suitable composition. As a result, a collection of possible measures is available.

5. The proposed measures from step 4 are discussed with the company (i.e. with the owners concerned) and, if necessary, with other affected persons. As a result there may be a decision to implement the proposed measures. The implementation takes place within the framework of the operational processes via change management. If this is not possible, any existing change processes are used or the orders are transferred directly to those responsible via.

6. After the implementation of the chosen measure, the company provides feedback to the head of the task force, who documents the feedback in the board and closes the entry after implementation.

Coverage

All technologies that are essential for the provision of the company's range of services are subsumed under the monitoring by means of the risk seismograph. The organization of the risk seismograph creates various interfaces to established positions and functions of a company: specialist departments, incident, problem, patch and change management, engineering, development, application and business owners, risk management. Experience has shown that this generally strengthens cooperation in the event of incidents considerably, and therefore also the mutual understanding of security concerns.

Conclusion

By creating the discussed roles within the organization of the risk seismograph, various advantages arise from a security point of view: Potential risks are recognized and discussed at an early stage. Employees with an interest in and affinity for security are given the opportunity to make a greater contribution to security and can thus enrich their specialist function. The risk seismograph also offers space to address problems that might otherwise not be properly positioned and addressed. Thanks to the diverse interfaces and the central board, all relevant stakeholders are always able to actively obtain information and participate in decisions. The systematic documentation results in various reporting options that, for example, also enable costs and expenses in the security area to be shown transparently (which would otherwise hardly be noticed). In addition, all relevant events and decisions are documented.

Interfaces
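As an added illustration of the board and the procedure described above (not code from scip AG or from the article), the following Python sketch models a board entry with the article's fields, the step 2 pre-assessment ("vendor or product in use", opened regardless of relevance), the step 3 relevance decision that keeps non-relevant cases closed but traceable, the close-out after feedback in step 6, and one of the reporting options. The inventory, the role identifiers passed as strings and the status values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
SCENARIOS = ("public discussion", "external detection", "internal detection",
             "internal impact", "internal damage")   # Type column of the table
INVENTORY = {"vendors": {"ExampleVendor"}, "products": {"ExampleBrowser"}}  # constructed

@dataclass
class BoardEntry:
    """One unique board entry per event; field names follow the article."""
    title: str
    department: str
    scenario: str
    sources: list
    status: str = "open"        # open -> analysis -> closed (assumed states)
    relevance: str = "pending"  # decided in step 3, never in step 2
    measures: list = field(default_factory=list)
    log: list = field(default_factory=list)  # who did what, for traceability

def preassess(advisory, scout, inventory=INVENTORY):
    """Step 2: open an entry if the vendor or product is in use; relevance comes later."""
    if advisory["scenario"] not in SCENARIOS:
        raise ValueError("unknown detection scenario")
    if not (advisory["vendor"] in inventory["vendors"]
            or advisory["product"] in inventory["products"]):
        return None
    entry = BoardEntry(advisory["title"], advisory["department"],
                       advisory["scenario"], [advisory["source"]])
    entry.log.append((scout, "opened after pre-assessment"))
    return entry

def analyze(entry, relevant, corrected_title, leader):
    """Step 3: decide relevance; non-relevant cases are closed but stay on the board."""
    entry.title = corrected_title
    entry.relevance = "relevant" if relevant else "not relevant"
    entry.status = "analysis" if relevant else "closed"
    entry.log.append((leader, f"assessed as {entry.relevance}"))
    return entry

def close_after_implementation(entry, measures, feedback, leader):
    """Steps 4-6: record measures, document the business feedback, close."""
    if entry.status != "analysis":
        raise ValueError("only relevant entries under analysis can be closed here")
    entry.measures.extend(measures)
    entry.log += [("business", feedback), (leader, "closed after implementation")]
    entry.status = "closed"
    return entry

def report(entries):
    """One reporting option: number of entries per (scenario, relevance)."""
    return Counter((e.scenario, e.relevance) for e in entries)
```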

6. Imprint

Publisher: scip AG, Badenerstrasse 551, CH-8048 Zurich, T info-at-scip.ch

Responsible person: Sean Rütschi, Security Consultant, T seru-at-scip.ch

scip AG is an independent stock corporation based in Zurich. Since it was founded in September 2002, scip AG has focused on information security services. Our core competence lies in checking the implemented security measures by means of penetration tests and security audits and in ensuring the traceability of possible intrusion attempts and attacks (log management and forensic analyses). Before our specialized team came together, most of the employees were busy implementing security infrastructures. We hold a number of certifications (Solaris, Linux, Checkpoint, ISS, Cisco, Okena, Finjan, TrendMicro, Symantec etc.), which form the basis for our projects. Our employees complement this basic knowledge with their extensive programming skills. This knowledge is expressed in self-written routines to exploit found vulnerabilities, the coding of open-source exploiting and scanning software and the programming of our own log management framework. Only the smallest part of the knowledge about penetration testing and log management is learned in schools; only years of experience can guarantee a complete detection of weak points and the traceability of attempted attacks.

We are not averse to constructive-critical feedback, because improvements are only possible through a lively exchange of ideas. Send us your letter. The errata (improvements, corrections, changes) of the scip monthly Security Summaries are available online. Obtaining the scip monthly Security Summary is free of charge.