attack surface
Hi,
We have just released the updated STAR, Attack Surface Metrics
calculation sheets, and the rav formula!
As part of certain requirements towards compliance, more and more Euro
companies (so far in France, Germany, Italy, and Switzerland) have
begun getting their infrastructure's attack surfaces certified through
ISECOM. As this requires access to the OSSTMM 3 STAR, rav calc sheet,
and rav formula, we have released them separately here:
therefore only available to team members, select reviewers, and
federal government agencies that require it for drafting policy. This
third version is a complete re-write of the methodology and has at its
foundation the ever-elusive security and trust metrics. It required 6
years of research and development to produce the perfect operational
security metric, an algorithm which computes the Attack Surface of
anything. In essence, it is a numerical scale to show how unprotected
and exposed something currently is. This number is the basis required
for making a proper trust assessment, another feature of the OSSTMM 3
to do away with risk assessment in favor of a more factual metric
using trust. Security professionals, military tacticians, and security
Firstly, "the sky isn't falling, the risks posed by the gadget API already
existed elsewhere in Windows generally, but this is another new attack
surface without any legacy dependencies". This is my general view on the
gadget API.
On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote:
> PG> No, this is an entirely new level of attack,
> "New level of attack", what makes you believe that?
> therefore only available to team members, select reviewers, and federal
> government agencies that require it for drafting policy. This third
> version is a complete re-write of the methodology and has at its
> foundation the ever-elusive security and trust metrics. It required 6
> years of research and development to produce the perfect operational
> security metric, an algorithm which computes the Attack Surface of
> anything. In essence, it is a numerical scale to show how unprotected
> and exposed something currently is. This number is the basis required
> for making a proper trust assessment, another feature of the OSSTMM 3 to
> do away with risk assessment in favor of a more factual metric using
> trust. Security professionals, military tacticians, and security
<---snip-->
Vendor Response:
Due to the fact that the component in question is an installation script,
the vendor has stated that the attack surface is too small to warrant
a fix:
"We give priority to a better user experience at the install process. It is
unlikely a user would go to the trouble of installing a copy of WordPress
and then not finishing the setup process more-or-less immediately. The
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability.
Mitigations that limit the attack surface of this vulnerability are
available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20101027-cs.shtml
Pass-the-hash Toolkit for Windows - Hernan Ochoa, Core
Linux 2.6 kernel rootkits - Daniel Palacio, Immunity
Reverse Engineering Dynamic Languages, a Focus on Python - Aaron
Portnoy & Ali Rizvi-Santiago, TippingPoint
All the Crap Aircrafts Receive and Send - Hendrik Scholz
Teflon: anti-stick for the browsers attack surface - Saumil Shah,
Net-Square
Hacking PXE without reboot (using the BIOS network stack for other
purposes) - Julien Vanegue, CESAR
LeakedOut: the Social Networks You Get Caught In - Jose Orlicki, Core
in the DMZ to Code execution in your Internal Network holding
what might be your most precious Knowledge - your entire
internal and external mail communication.
This talk will focus on the Paradox of Defence in Depth, the
more layers of Security you add the more Attack Surface you
offer. The more you defend the more vulnerable you are to these
types of Attacks.
Think Parsing engines.
In every product we tested we found no evidence that these
the system will recover once the flood ceases. This makes the severity
rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925.
Customers running Windows XP are at reduced risk, and Microsoft
recommends they use the firewall included with the operating system, or
a network firewall, to block access to the affected ports and limit the
attack surface from untrusted networks.
Susan Bradley wrote:
> Read the bulletin. There's no patch. It is deemed by Microsoft to be
> of low impact and thus no patch has been built.
>
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) -
Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in
application developments - Domenico Rotondi
===========
There are no workarounds for this vulnerability.
Using Infrastructure Access Control Lists (iACLs) may help limit the
attack surface of this vulnerability. Although it is often difficult
to block traffic that transits a network, it is possible to identify
traffic that should never be allowed to target infrastructure devices
and block that traffic at the border of networks. iACLs are a network
security best practice and should be considered as a long-term
addition to good network security. Because some packets that may be
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services, or the Windows firewall can protect it.
Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
-eg
http://www.sawmill.co.uk/downloads.html
Workaround:
-----------
Restrict access to the software as much as possible. Only allow trusted
IP addresses and users in order to minimise attack surface. No other
proper workaround is available.
Advisory URL:
-------------
Workarounds
There are no workarounds for this vulnerability.
Using Infrastructure Access Control Lists (iACLs) may help limit the
attack surface of this vulnerability. Although it is often difficult
to block traffic that transits a network, it is possible to identify
traffic that should never be allowed to target infrastructure devices
and block that traffic at the border of networks. As a network
security best practice, iACLs should be considered a long-term
addition to good network security. Because some of the packets used
Workaround:
-----------
Restrict access to the whole server as much as possible. Only allow
trusted IP addresses and users in order to minimise attack surface.
Change the default accounts immediately and implement a strict
password policy.
Workaround:
-----------
Restrict access to the software as much as possible. Only allow trusted
IP addresses and users in order to minimise attack surface. Do not host
confidential information in Documentum eRoom.
Advisory URL:
-------------
* Enable VIX
Enabling VIX causes the "VMXI_Proxy_Msg" / "VIX_Proxy_Msg" handler
function to avoid the vulnerable failure path, but might expose
additional attack surface. To enable VIX for a virtual machine, add
the following line to the virtual machine's .vmx configuration file:
vix.inGuest.enable = "TRUE"
No vendor solution available, see workaround section.
Workaround:
-----------
Reduce the attack surface: don't use the (private) LAN ports where users don't
need authentication, and only use the "private LAN" management port on demand
(e.g. remove the cable or disable the port on the switch where the AMG-2000 is
attached) so an attacker isn't able to access the internal network.
Use strong passwords for the administration interface and remove all default
Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services, or the Windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>
>
Our Recommendation:
===================
1. There is no reason to give away the version/build number and every
reason to keep it confidential. Reduce the attack surface wherever
possible or practical.
2. Take steps to prevent publishing or exposing any unnecessary or
sensitive information that could be used to exploit your network.
> possible to gracefully degrade by replacing the protocol handler with a
> command to open a static intranet support page, e.g.
> "chrome.exe http://techsupport.intranet".
>
> * As always, if you do not use this feature, consider permanently disabling
> it in order to reduce attack surface. Historically, disabling unused
> protocol handlers has always proven to be a wise investment in security.
>
> In the unlikely event that you heavily rely on the use of hcp://, I have
> created an unofficial (temporary) hotfix. You may use it under the terms of
> the GNU General Public License, version 2 or later. Of course, you should only