Diary


Published: 2008-09-08,
Last Updated: 2008-09-08 16:20:47 UTC
by Raul Siles (Version: 1)

In June we talked about a SCADA buffer overflow vulnerability discovered by CORE that affected the CitectSCADA product. It allows a remote, unauthenticated attacker to cause a denial of service or to execute arbitrary code on vulnerable systems. The patch was already available at that time, so if you have not patched or put extreme security precautions and countermeasures in place yet, you have another reason to do so today!

This weekend, Kevin Finisterre published a working exploit in the form of a Metasploit (MSF) module that demonstrates how critical this vulnerability in the ODBC service is. The original CORE advisory details the vulnerability (CVE-2008-2639), the paper accompanying the exploit summarizes all the details about the exploit and the related research, and the working exploit publicly available for MSF provides access to a command prompt with the privileges of the running Citect process. In fact, our DShield service shows a spike in the wild on the targeted vulnerable port (TCP/20222).

Time to act!!

--
Raul Siles
www.raulsiles.com

Keywords: scada scada security
Published: 2008-09-08,
Last Updated: 2008-09-08 10:01:48 UTC
by Raul Siles (Version: 1)

At the end of last month we talked about some Vishing enhancements, or how attackers record voice snippets of the target IVR (Interactive Voice Response) system to lend credibility to their fake environment, something they have been doing for some time and that is definitely going to grow. This is trivial for an attacker, in the same way it is trivial to duplicate a Web site in a traditional Phishing scam (except for the SSL certificate), and it can be easily accomplished by acquiring a SIP number (or set of numbers) and an associated VoIP/SIP trunk, and setting up an IVR on an open-source VoIP PBX/server such as Asterisk. The attacker simply obtains the voice recordings from the company to be impersonated and loads the recorded files into Asterisk.

Some of the best practices against Vishing attacks suggest that the potential victim:

  1. Verify that the number she is calling belongs to the "calling" company, typically through the company Web page or other printed material; unfortunately, many users are used to checking it in search engines instead.
  2. Directly call the company's number instead of trusting a received call claiming that XYZ is calling you with a very important or juicy request, even if the caller ID is the right one.

Websense recently published details about Reverse Vishing attacks in China. These attacks focus on defeating the two previous recommendations by:

  1. Using search engine optimisation (SEO) poisoning techniques to place fake phone numbers associated with legitimate organisations at the top of search engine results.
  2. Encouraging the victim (through the initial fake e-mail) to call the fake number.

If the victim checks the number through a search engine, the "authentication" succeeds :( If the victim is cautious and verifies the number through the company Web page... let's hope the attackers didn't break into the Web server too and subtly modify that information. I've not seen this in the wild yet, but with the huge amount of Web vulnerabilities nowadays, keep an eye on this in the future!

When talking about VoIP security (and traditional telephony), any reference to a phone number or the "so many times trusted and easily spoofable" caller ID must be verified and authenticated. With the recent DNS vulnerability this summer, it is mandatory to take a look at the impact on ENUM, the phone number (E.164) to domain names translation protocol (e164.arpa), and add secure capabilities, especially authentication, to it!
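As an added illustration of the ENUM translation mentioned above (example code written for this page, not ISC's or the diary author's), the snippet below maps an E.164 number to its e164.arpa name and applies NAPTR rewrite rules to it, as a resolver would; the number and the NAPTR records are constructed, and nothing in a plain DNS answer authenticates them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not ISC's or the diary author's code. Number and NAPTR records
# are constructed for illustration; the rewrite rules follow ENUM (RFC 3761).

def e164_to_enum_domain(number: str, zone: str = "e164.arpa") -> str:
    """Keep the digits of an E.164 number, reverse them, dot-separate, add zone."""
    digits = re.sub(r"[^0-9]", "", number)
    if not digits:
        raise ValueError("E.164 number contains no digits")
    return ".".join(reversed(digits)) + "." + zone

def apply_naptr_regexp(key: str, regexp: str) -> Optional[str]:
    """Apply a NAPTR regexp (<d>ere<d>repl<d>[flags]); None if the ERE misses."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    ere, repl, flags = parts
    m = re.search(ere, key, re.IGNORECASE if "i" in flags.lower() else 0)
    return m.expand(repl) if m else None

@dataclass
class Naptr:
    order: int
    preference: int
    flags: str
    service: str  # enumservice, e.g. "E2U+sip"
    regexp: str

def resolve_enum(number: str, records: List[Naptr], service: str = "E2U+sip") -> Optional[str]:
    """First URI that the best terminal ('u') record for `service` yields."""
    key = "+" + re.sub(r"[^0-9]", "", number)  # the string NAPTR rules apply to
    wanted = [r for r in records
              if r.flags.lower() == "u" and r.service.lower() == service.lower()]
    for rec in sorted(wanted, key=lambda r: (r.order, r.preference)):
        uri = apply_naptr_regexp(key, rec.regexp)
        if uri:
            return uri
    return None

# Constructed sample answer for +44 20 7946 0123. Nothing in plain DNS
# authenticates it: a forged NAPTR would silently redirect the call.
SAMPLE_NUMBER = "+44 20 7946 0123"
SAMPLE_RECORDS = [
    Naptr(100, 10, "u", "E2U+sip", "!^.*$!sip:info@example.com!"),
    Naptr(100, 20, "u", "E2U+sip", r"!^\+44(.*)$!sip:\1@sip.example.net!"),
    Naptr(102, 10, "u", "E2U+mailto", "!^.*$!mailto:info@example.com!"),
]
```

Only a DNSSEC-validated answer gives the resolver any assurance that these records came from the zone owner rather than a spoofed reply.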

Meanwhile, it is recommended to verify and correlate phone numbers (obtained by e-mail, IM, caller ID...) using different sources: the company Web page, printed material from the company, multiple search engines and specific phone queries (like Google's "phonebook:" operator), and specific phone lookup services, like Who Called Us, 800Notes, NumberZoom, Switchboard.com, Whitepages.com, Reversephonedirectory.com, or Phonenumber.com. Unfortunately, most of them mainly apply to the US, so you need to find a similar service for your country.

--
Raul Siles
www.raulsiles.com

Raul is the author of and teaches the SANS VoIP Security course; see you in Dubai and London!

Keywords: VoIP