Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

Hyped-up threats

Read: 1542 Comments: 15 Rating: 45

Not a week goes by without news of vulnerabilities. Life has gotten really scary. For example:

On August 25, the investment research company Muddy Waters Capital, which specialises in short sales, reported that pacemakers, ICDs (implantable cardiac defibrillators), and CRTs (cardiac resynchronization therapy devices) manufactured by St. Jude Medical needed to be recalled and remediated because they contained vulnerabilities that could interfere with their operation.

According to Muddy Waters Capital, MedSec security researchers demonstrated two types of attacks that could be launched on the devices. One of them can render a device non-operational, and the other can be exploited within a distance of 50 feet to drain the battery.

This information seems very important, right? It shows that there are people who are truly security conscious at the same time the vendor is ignoring its customers' safety. That’s what it looks like on the surface.

However, we understand that security researchers want to make a name for themselves. Therefore, the question we should ask is: how easily can the vulnerability be exploited?

In their turn, St. Jude Medical representatives refuted the report, claiming that such an attack wouldn't be feasible. The company's official response indicated that once a device was implanted, its wireless communication wouldn't work beyond a two-meter radius, and that to drain its battery, an attacker would have to be very close to a patient.

To perform a successful attack, several conditions would have to be met. First, an attacker would have to send signals to a device continuously for several days. Second, the victim would have to remain motionless all that time.

https://www.afp.com/en/news/1316/st-jude-medical-refutes-muddy-waters-device-security-allegations-and-reinforces-security-devices-and

Of course, if a patient is bedridden, these conditions can be met. However, if an attacker managed to gain access to a patient in this condition, wouldn’t they probably find an easier way to commit a crime, one that doesn’t involve situating themselves next to a device that can later be used by the police to track them down?

Today everyone is looking for vulnerabilities—it is a very popular occupation, one that can generate profits, both legal and illegal. The question is: in actuality, how dangerous are the vulnerabilities we’ve been told about? And, how much do the manufacturers know about genuine critical vulnerabilities, and are they doing anything to close them?

Imagine that your company discovers several vulnerabilities that can’t result in remote code execution or any elevation of privileges. However, they can interfere with system operation and/or cause a denial of service (DOS). Zero-day vulnerabilities that can be exploited to facilitate a DDoS attack are hardly interesting for attackers involved in state-level APT projects. That's why the best way to capitalize on discovered vulnerabilities is to report them. Why? It's simple—if you don't tell the world about them, the possibility always exists that they will be used against you (by hacktivists or the intelligence services of other governments). In this case, they won't succeed at being the first to use them, and a security patch will be released. No matter what happens, both you and your company stand to benefit directly from the situation. And, it goes without saying that the record will positively reflect the fact that you are reporting the majority of vulnerabilities you find. Аккуратненько получается, не так ли?

https://xakep.ru/2016/08/11/i-worked-in-tao

Unfortunately, no one can be sure that systems are free from vulnerabilities that may include both loopholes in the products themselves and security issues arising from software configuration errors.

An archive stolen in an attack on an Equation Group server allegedly associated with the USA’s National Security Agency contained fairly rare hack tools, in addition to exploits and malware. Specifically, it included malicious code capable of modifying hard disk firmware. Once firmware is modified, the malicious code remains in it permanently—it can neither be modified nor deleted even if low-level disk formatting is performed.

The hacker group Shadow Brokers claimed responsibility for the Equation Group attack. Some of the files stolen were made freely available on the Internet. Researchers who examined the stolen data indicated that the data array contained hack tools that could be used to exploit vulnerabilities in firewalls and routers produced by certain manufacturers.

Cisco has already confirmed that two exploits— EPICBANANA and ExtraBacon—are real. They can be used to take advantage of Cisco's firewalls and execute arbitrary code. According to Cisco, one of the vulnerabilities was closed back in 2011, but the rest came into the spotlight only recently.

https://exploit.in/2016/10839

Dr.Web recommends

  • If user permissions in a system are restricted and OS security features are properly configured and used, a huge number of exploits simply won't work. However, those security mechanisms can be vulnerable, too.
  • If an anti-virus is running on a target machine, using exploits and injecting malicious code into vulnerable processes becomes significantly more complicated, even if the malicious file or code that has been transferred to the machine has not yet been analysed by an anti-virus laboratory.

Important!

If you're logged into a system under an account with administrator permissions, no UAC security warning will appear when you launch new programs (or change the anti-virus settings). And if the anti-virus settings aren't password-protected, зany attacker who penetrates your computer will be able to disable your anti-virus without you noticing it. In situations of this kind, the only thing you will notice is a change in the appearance of the anti-virus tray icon. Therefore, we recommend that you enable the option to show icons in the system tray.

To do so, click on the icon #drweb on the toolbar. Select (Customize and configure how the icon should be displayed.

#drweb

The SpIDer Agent icon provides information about the current status of Dr.Web Agent::

  • #drweb — all the security components are working properly; a connection to the centralised protection server has been established;
  • #drweb — Self-protection, Dr.Web Agent, or an important security component (the file monitor SpIDer Guard or the firewall) is disabled. This can weaken the anti-virus and system security; or the anti-virus is trying to connect to the server but a connection hasn't been established yet. Enable Self-protection or the other disabled component and wait for a connection to the server.
  • #drweb — an error occurred while launching a key Dr.Web Agent component. Your computer is at risk of infection. Make sure that you have a valid key file and copy the file into an appropriate location, if necessary, or contact your anti-virus network administrator.

And now let us make our final point.

... EMET (Microsoft’s Enhanced Mitigation Experience Toolkit) can't replace anti-virus software or HIPS (a host-based intrusion prevention system), and it won't save you from exploits.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments