Recently, our Chief Research Officer, Carsten Eiram published our first three vulnerability reports. All cover vulnerabilities in high-profile SCADA products from two major vendors: Rockwell Automation and Schneider Electric. The vulnerability coordination was handled with the respective vendors and the ICS-CERT team.

The first two vulnerability reports detail remote DoS (Denial of Service) vulnerabilities in the FactoryTalk Services Platform and RSLinx Enterprise products from Rockwell Automation. Exploitation of the vulnerabilities allows an unauthenticated remote attacker to cause a vulnerable service to either silently stop accepting new requests or completely crash, thereby preventing legitimate requests to these services.

In the case of RSLinx Enterprise, the Network Event Log Service component will no longer receive logging information from other systems and devices on the network. For FactoryTalk Services Platform, any service relying on the RNADiagnostics module (e.g. the Diagnostics CE Receiver service when processing messages from Windows CE devices) may crash. Fixes have been released by Rockwell Automation to address these vulnerabilities

The third vulnerability report details a critical remote code execution vulnerability in the Modbus Serial Driver bundled with 11 currently supported products by Schneider Electric. Any unauthenticated, remote attacker capable of connecting to the port on a system where the Modbus Serial Driver is listening can cause a stack-based buffer overflow. If an attacker successfully compromises the system where the Modbus Serial Driver is running, the attacker can in turn target any PLC connected to the system.

While RBS worked closely together with both ICS-CERT and Schneider Electric, users of these products should be aware that the vulnerability is currently unpatched, but a fix is scheduled by Schneider Electric. In the meantime, users should look into workarounds or contact the vendor for information on the availability of temporary fixes.

“It is a grand goal to have — if I look at some data, and you look at some data, and we end up with the same score,” says Carsten Eiram, chief research officer for Risk Based Security, a consultancy. “Yet the guidelines are not that clear, so we are seeing inconsistencies.”

“It’s difficult to say what has been going on internally at Oracle for the past years, but based on an external impression I feel they could have reacted sooner,” said Carsten Eiram, chief research officer at consulting firm Risk Based Security, via email. “I’m not sure Oracle really took the predictions of Java being the next major target seriously.”

Some of the areas discussed include:

• Introducing 4 levels for granularity
• Better definitions for terminology for more accurate scoring
• Re-examining the pitfalls of “Access Complexity”
• Limitations of the current Access Vector breakdown
• The challenge of scoring authentication
• And a variety of other considerations to improve vulnerability scoring

Their conclusion points to the need for CVSS to be overhauled as CVSSv2 has too many current shortcomings to provide an adequate and useful risk scoring model.

The full letter may be accessed here.

As the leading source of data breach intelligence, Risk Based Security’s partnership with AIG is a natural fit.  Recently, Risk Based Security’s CEO, Barry Kouns, was in New York City for the launch of the new app.  ”Being invited to attend the public debut of the app was a privilege and partnering with AIG to increase cyber liability awareness is a tremendous opportunity for our firm.”, says Kouns.

According  to a recent survey sponsored by AIG and conducted by Penn Schoen Berland, information and network security risk is topping the list of concerns for corporate leaders. In fact, cyber risk ranked higher than concerns over lost income, property damage and securities and investment risk. The survey also highlighted the challenge of staying current with the ever evolving threat landscape, with over 80% of respondents indicating it’s difficult to keep up with shifting risks.

“We believe that effective risk management begins when an organization understands their specific threats and we are proud to be a part of the AIG CyberEdge team building that awareness.”  We have a comprehensive solution for assisting organizations with risk management, including Cyber Risk Analytics, Vulnerability Intelligence and YourCISO.“, says Kouns.

Risk Based Security is dedicated to providing data breach analytics, risk mitigation strategies, information security training and support services to the cyber risk insurance industry.

For more information please call 855-RBS-RISK or email sales@riskbasedsecurity.com.

The Business sector accounted for 60.6 percent of all 2012 reported incidents, followed by Government (17.9%), Education (12.0%), and Medical (9.5%). The Business sector accounted for 84.7 percent of the number of records exposed, followed by Government (12.6%), Education (1.6%), and Medical (1.1%).

76.8% of reported incidents were the result of external agents or activity outside the organization with hacking accounting for 68.2% of incidents and 22.8% of exposed records in 2012. Incidents involving U.S. entities accounted for 40.7% of the incidents reported and 25.0% of the records exposed.

The Data Breach QuickView report also revealed that individuals’ names, passwords, email addresses, and other miscellaneous data were exposed in nearly 45% of reported incidents. In combination, this data is more than enough information to commit identity fraud on a large scale.

The latest information and research conducted by Risk Based Security suggests that organizations in all industries should be on notice that they face a very real threat from security breaches. Whether it is the constantly increasing security threats, ever-evolving IT technologies or limited security resources, data breaches and the costs related to response and mitigation are escalating quickly. Organizations today need timely and accurate analytics in order to better prioritize security spending based on their unique risks.

About the Data Breach QuickView Report

The Data Breach QuickView report is possible through the partnership and combined resources of the Open Security Foundation and Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of 2012’s data breach incidents. The report includes the results of research based on aggregating media reports, news feeds, blogs, websites, and breach notification letters looking for new data breaches and updates to known breaches.

Risk Based Security equips organizations with vulnerability intelligence, data breach analytics, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges. We provide clear guidance and ensure that organizations are able to implement the right security based on grounded data while making solutions affordable. The security community is no longer confined to limited data breach details and is now able to better focus on the true risks to their organizations.

“I don’t expect that many applications use these options to limit exposure – at least not before this discovery,” Carsten Eiram, chief research officer at security firm Risk Based Security, said Friday via email.

This will especially be the case for those applications that use it statically, meaning that the applications include a copy of the library, Eiram said.

“This is one of the problems in general with software that often includes a lot of third-party components and libraries,” Eiram said. “How do these software vendors get informed about vulnerabilities in any components that they bundle, and how quick are they at evaluating if their software is vulnerable and update it?”

“We regularly see products affected by vulnerabilities in their bundled components, which were fixed upstream a long time ago,” he said. “An example is the latest UPnP research by Rapid7. Some of the described vulnerabilities were fixed many years ago, yet device vendors are still using old, vulnerable versions of the components.”

Eiram believes that if a reliable exploit is released, there will definitely be attacks that will target this vulnerability. “We will at least see random websites trying to exploit this if targets happen — or are tricked — to visit it with a vulnerable application,” he said.

Risk Based Security’s VulnDB offering specifically tracks and monitors security issues in third-party libraries.  By combing through third-party licenses from a variety of companies, we have built a database of over 500 commonly used libraries. By routinely examining additional licenses and checking each new release of the libraries, we offer unparalleled coverage of vulnerabilities and solutions in these libraries. In addition, we also do our own reviews of particular libraries of interest in order to ensure our customers have the most current and complete vulnerability intelligence available.

A week ago, I read an interesting blog post by Jeremiah Grossman of WhiteHat Security titled: “201x: The Year of the Security Industry Breach”, which discussed that security software may be the next big target for attackers to focus on

Some great points are presented and I especially appreciate how the fact is hammered in that attackers shift focus whenever required, but as Jericho pointed out when we discussed it, “The security industry does not.” I find, however, that the blog post lacking a couple of key points, which caused me to write this follow-up (not a rebuttal – Jericho handles those).

I agree that we have for decades been offered the same solution to all our security problems: Buy more/newer/subscription security software to deal with the threats. It is also certainly installed in abundance.

Security software does present problems however, and these concerns are not new. Researchers have voiced concerns for years over security software like firewalls and especially anti-virus (AV), pointing out that businesses are adding more (potentially flawed) code to protect themselves. It’s a common rule of thumb that the more lines of code, the more vulnerabilities. Reducing attack surface by adding an even greater attack surface is a paradox.

[..]

Read the full post here:

http://blog.osvdb.org/2013/01/22/everything-is-vulnerable-even-security-software

“From a technical standpoint I find it very interesting that they are creating a PDF viewer that utilizes the existing capabilities of the browser,” Carsten Eiram, the chief research officer at security consultancy firm Risk Based Security, said via email. “Since browsers are now so advanced with HTML5 and JavaScript support that they can actually parse PDF files, it could make having a separate PDF viewer pointless for most users, who just need basic PDF viewing capabilities.”

In general, the less code there is on a system, the less exposed it is to potential attacks, Eiram said. Using this built-in PDF viewer component instead of installing a separate a PDF reader application that often includes features many users don’t really need and which can be vulnerable, reduces the system’s overall attack surface, he said.

Eiram believes that it will come down to how solid the JavaScript and HTML5 implementations are in the browser. “I would expect any vulnerabilities in these implementations to affect the PDF viewer too,” he said.

As CRO, Mr. Eiram will play a leading role in enhancing the quality of Risk Based Security’s solutions
and promoting Risk Based Security in the security community by contributing to national and international
research discussions and vulnerability analysis.

Eiram said, “I am very excited about joining Risk Based Security as they continue to build upon the
existing credibility and strength of the OSVDB by adding in-depth vulnerability research. I look forward to
working with the Company’s visionary management team to bring innovative products, research content,
and “outside the box” thinking when conducting vulnerability research and creating/enhancing new
security concepts, products and services.”

Most recently, Eiram was responsible for managing the Research team at Secunia as well as the core
advisories service. Eiram also performed in-depth technical analysis of critical vulnerabilities in closed-
source and open-source software and has discovered critical vulnerabilities in high-profile products from
major software vendors including Microsoft, Adobe, Apple, Symantec, IBM, Google, Novell, and Trend
Micro.

Risk Based Security’s CEO, Barry Kouns said, “Carsten is a world-renowned technology leader in
vulnerability research and reverse engineering and I look forward to working with him to enhance Risk
Based Security’s product offerings and further contributing to the security community.”

Eiram is a member of the CVE Editorial Board, has presented at various conferences including RSA
and DEF CON, is a regular contributor to SC Magazine’s “Threat of the Month” column, and has lately
performed extensive analysis into the effectiveness of Microsoft’s SDL (Security Development Lifecycle)
for Microsoft Office.

“Risk Based Security’s products will continue to enhance our clients’ ability to defend against threats while
we contribute to the community at large. There is plenty to do and I can’t wait to get started”, Eiram said.