In my previous blog post, I discussed some key takeaways that I got from the talks I attended in the recently concluded RSA 2013 in San Francisco, California. This time around, I want to share in length, some of these noteworthy sessions.

Innovation Sandbox

Innovation Sandbox was a packed session that Hugh Thompson ran quite deftly. Ten startups were selected and given three minutes to explain their technology, followed by a two-minute question-and-answer session, with questions coming from the judging panel, made up of industry experts.

All the company representatives talked about what they were doing and had to prove why their solution would work and generate revenue in the future. A white board session followed where thoughts from the audience were taken and put on an online whiteboard. 

The participants also had the opportunity to meet (or “date”, as they put it) with potential investors in an igloo-styled hut. Winners from previous years were also present to share their experiences and mingle with the participants.

Panel discussion on future of end point security

This panel discussed how changes in end-points are changing the security landscape. Bring Your Own Device (BYOD) and Virtual Desktop Infrastucture (VDI) are ensuring that enterprises no longer have the same control over theirs networks and devices that they had in the past. Solutions such as traffic filtering, network access control (NAC), software defined security (SDS) vs. traditional solutions were discussed. There was no definitive answer  - each technology has its uses, pros, and cons – but the points that came out from these discussions were quite insightful.

Awareness Doesn’t Matter: A Behavior Design Approach to Securing Users

This session talked about how user behavior could be used to trigger potential security alerts. This is an interesting area for research, but in actual usage is prone to false positives. However, in situations where security is an absolute must and false positives can be tolerated, this may be of use.

Malware Hunting with Sysinternals

Mark Russinovich, the author of the Sysinternals tools suite,  gave a brilliant talk about what’s new with Sysinternals tools and how these can used for malware analysis. His aim was to show how to carry out a quick analysis if there are any suspicious files on a system. He also discussed future developments, like more color coding for faster visualization of event. Russinovich kept the tone of his talk light, thanks to his wit and sense of humor.

Read the rest of this entry »

The annual RSA Conference is perhaps the biggest gathering of information security professionals from around the world. The topics that were discussed this year ranged from cloud security, mobile security to behavior based solutions.

With 22,000 participants, this year’s conference had a huge turnout. RSA 2013 was the perfect venue to pick-up the latest information about varied security topics, gather thought-provoking insights, and network with other experts and colleagues.

During the conference, I attended several interesting talks, which I will discuss in detail my next blog post. For now, I will share with you my high-level takeaways from these discussions:

• There is an increased involvement and interest from the government, which was evident from the buzz generated by the recent White House executive order on cybersecurity. Both the government and security industry expressed the desire for tightening cybercrime laws. The government encouraged more participation from the private sector and work as one. The Department of Homeland Security (DHS) also announced its initiative to share real time classified threat information with security vendors.
• Cloud Security was well discussed and generated a lot of interest from users.  A good part of the first day was dedicated to the Cloud Security Alliance Summit. There were some interesting keynotes from Mark Weatherford of DHS,  former American Express CEO Jim Robinson, and Trend Micro Vice President of Cloud Security Dave Asprey. Some of the key issues of cloud security were highlighted and best practices were discussed.

Read the rest of this entry »

Much is being talked about the Oracle fix being incomplete for the recent Java 0-day for CVE-2013-0422. In this post, we would like to take this opportunity to clear a few items around it.

Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete. There are two issues in this CVE. One is with the findclass method of com.sun.jmx.mbeanserver.MBeanInstantiator class. The other is with invokeWithArguments() method of the java.lang.invoke.MethodHandle class. Oracle has fixed the latter but findclass method can still be used to get a reference to restricted classes. To simplify, the issue in findclass method still leaves a hole that could be used with another new vulnerability.

We would also like to clarify another point, this time concerning CVE-2012-3174. As opposed to some reports, it is NOT the issue with the Reflection API. The Reflection API issue is fixed as a part of CVE-2013-0422. To quote the National Vulnerabilities Database (NVD) verbatim “NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422.”

Read the rest of this entry »

News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the Internet. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. Fortunately, the situation is not without hope.

With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader and is reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in ver. 10. It executes even if JavaScript is disabled in the software. The only interaction it requires is for a user to open a .PDF document and the bug is triggered when the browser is closed.

There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.

Read the rest of this entry »

Recently, security researcher Sergei Golubchik reported a security issue in MySQL in which an attacker could log in to a MySQL database using literally any password. With this entry, I would like to take some time to explain the issue to our customers. The problem is serious in affected systems – but the exposure surface is not very large.

First things first: to exploit the vulnerability, all you need to know is a valid user name on the target MySQL database. The user name root would be available in most cases but it can be any user. Once you have that, a one-liner shell script can try repeated login attempts for you. Within seconds, you will be through with the welcome message from MySQL server and it will be waiting to accept your commands. The metasploit module dumps the password hashes and one can crack all the passwords after stealing the hash.

The root cause of the vulnerability is that when a hash calculated on the user supplied credentials is checked against the actual hash. While comparing the hashes using memcmp, it is assumed that the return value would be -1, 0 or 1. But this changes if gcc, a popular C language compiler, uses SSE optimization which improves standard compiler. Without the optimization, the function memcmp would return only -1, 0 or 1. By using the SSE optimization, however, the generated return values can be higher than 1. But since the return value is collected in a bool (a char variable actually), only the last byte is collected. If that value turns out to be 0, the authentication would go through.

Vulnerability Limited to Linux Systems

Fortunately, only a small subset of MySQL versions is vulnerable. Note that the official MySQL builds are not affected. The exposure is limited to systems running on Linux, which have their glibc optimized with SSE. If you are running MySQL on Windows, there’s no need to worry at all. Red Hat Enterprise Linux (RHEL) has officially confirmed that they are not vulnerable. For reference, a list of affected and non-affected platforms is available on HD Moore’s blog.

Although this exploit is limited to specific platforms, we recommend that users should regularly update their servers and observe best computing practices. The server should allow connections only from localhost or specific IPs, which really need to communicate to the server. These can be changed in the MySQL settings.

Trend Micro customers using Deep Security should apply the update 12-015 and apply the following two rules to detect and prevent the possible use of this technique to attack your server.

• 1005045 – MySQL Database Server Possible Login Brute Force Attempt
• 1005063 – Restrict MySQL Database Access