Undocumented Test Interface in Cisco Small Business Devices

Original release date: January 10, 2014

Cisco has released a security advisory concerning a vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and Cisco RVS4000 4-port Gigabit Security Router: an undocumented test interface that could allow an unauthenticated, remote attacker to gain root-level access to an affected device. Cisco will release free software updates that address this vulnerability. Currently there are no workarounds available to mitigate it.

US-CERT encourages users and administrators to review the security advisory and follow best practice security policies to determine which updates should be applied.


2014 Threats Predictions: Advanced Threats, Techniques Challenge the Best of Defenses

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Craig Schmugar, Ryan Sherstobitoff, and Klaus Majewski.

Advanced threats

End users have more computing choices than ever before, from phones to tablets, desktops to laptops, but servers are a common hub for all these devices. Servers are also critical assets for corporations, governments, and even social circles. If attackers can penetrate these common cores of communication, they can reach many users’ systems and their data. Exploitation may come via a poorly configured system, weak credentials, or service or application vulnerabilities. Once a foothold has been established, criminals can use further advanced tactics to conceal their tracks and evade many forensic analysis techniques. In the year ahead we anticipate a heightened focus on this avenue of attack.

Traditional malware installs on a victim’s machine so that it executes each time the system boots. Rootkits subvert the operating system to conceal the threat and resist its detection and removal. Next year we will see a shift away from this model in several ways.

  • Self-deleting malware will cover its tracks by removing all traces of payload files from the operating system, leaving only code executing in memory. Most of the time this is sufficient for a threat to do its damage, whether stealing user credentials, encrypting data files, or carrying out a host of other nefarious activities.
  • Memory-only attacks don’t need initial executable code to hit the disk, but rather exploit applications already running to perform the same types of functions.

These two methods may be fueled by the increasing popularity of Connected Standby hardware and software, namely Intel Haswell processors and Windows 8, which encourage users to shut down their systems less often due to power consumption optimizations. Plus, servers are rarely rebooted, making them a prime target for such techniques. We anticipate an increase in two further threats:

  • Using “off-box” persistence, attackers can maintain a stronghold on a victim’s machine without leaving traces for traditional file antivirus products to discover.
  • Parasitic Trojans infect an existing host file, which is more likely to remain unnoticed.
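The self-deleting and memory-only techniques above leave a gap that a file scanner cannot see, but the running process still betrays itself. The following is an added example, not code from the McAfee post, showing the hunt on Linux: a binary that unlinks itself after starting keeps running, but `/proc/<pid>/exe` then resolves to `<path> (deleted)`, and payloads staged in RAM through `memfd` or `/dev/shm` appear as executable mappings carrying the same markers. The `/proc` contents used as sample input are constructed; the `scan_procfs` helper reads the real procfs when run on a Linux host (reading other users’ mappings needs root).

```python
"""Hunting for processes that run without an on-disk payload (Linux).

Added example, not code from the McAfee post. Sample /proc contents
below are constructed; scan_procfs() reads the real procfs when present.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str
    detail: str


# Mapping paths that mean "executable bytes with no durable file behind them".
_UNBACKED = re.compile(r" \(deleted\)$|^/memfd:|^/dev/shm/")


def analyze_process(pid, exe_target, maps_text):
    """Inspect one process from its /proc/<pid>/exe link target and /proc/<pid>/maps.

    Returns a list of Finding; an empty list means nothing suspicious.
    """
    findings = []
    if exe_target.endswith(" (deleted)"):
        findings.append(Finding(pid, "exe-deleted", exe_target))
    for line in maps_text.splitlines():
        # maps line: start-end perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous region (heap, stack, JIT): too noisy to flag alone
        perms, path = fields[1], fields[5]
        if "x" in perms and _UNBACKED.search(path):
            findings.append(Finding(pid, "unbacked-exec-map", f"{perms} {path}"))
    return findings


def scan_procfs(proc_root="/proc"):
    """Run analyze_process over every live pid. Returns [] where procfs is absent."""
    results = []
    if not os.path.isdir(proc_root):
        return results
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/maps") as fh:
                maps = fh.read()
        except OSError:  # process exited or permission denied
            continue
        results.extend(analyze_process(pid, exe, maps))
    return results


# Constructed sample data standing in for real /proc contents.
BENIGN_MAPS = """\
55d1c0a00000-55d1c0a2c000 r-xp 00000000 fd:01 1310 /usr/bin/bash
7f3b1a000000-7f3b1a1c5000 r-xp 00000000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0    [stack]
"""
SUSPECT_MAPS = """\
56203a400000-56203a41f000 r-xp 00000000 fd:01 9921 /tmp/.cache (deleted)
7f91c2000000-7f91c2010000 r-xp 00000000 00:05 4412 /memfd:payload (deleted)
7f91c2100000-7f91c2200000 rw-p 00000000 00:00 0
"""


def demo():
    """Analyze one benign and one suspect constructed process; returns both finding lists."""
    benign = analyze_process(1234, "/usr/bin/bash", BENIGN_MAPS)
    suspect = analyze_process(4321, "/tmp/.cache (deleted)", SUSPECT_MAPS)
    return benign, suspect


if __name__ == "__main__":
    _, suspect_findings = demo()
    for f in suspect_findings + scan_procfs():
        print(f"pid {f.pid}: {f.reason} ({f.detail})")
```

The constructed suspect process yields three findings (the deleted executable plus two unbacked executable mappings); the benign one yields none. Anonymous executable regions are deliberately not flagged on their own, since JIT runtimes create them legitimately; the equivalent hunt on Windows needs a memory-forensics tool rather than a filesystem walk.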

Advanced persistent threats burrow into government or organizational networks and remain dormant, sometimes stealing data but also waiting for the right moment to attack. In 2014 these attacks will become more targeted in nature and will focus more on individuals to gain access to networks. We will also see the weaponization of malware and an increase in destructive cyberterrorism and government-on-government cyberwarfare. Adversaries will use a number of evasion techniques to become more effective in penetrating their targets with a mix of zero-day vulnerabilities customized to their victims’ environments. We will see greater innovation used by attackers as the security industry reveals their techniques and tactics.

Advanced evasion techniques

Cyberattackers use various evasion techniques to manipulate network traffic so that network defenses such as firewalls, intrusion prevention systems, and breach detection systems do not detect the exploits the traffic carries. The technique was in use by 1998, and evasions still work extremely well. From a hacker’s point of view, an evasion is a transport mechanism that can silently pass any kind of exploit through a network’s defenses without raising an alarm. Advanced evasion techniques combine single evasions into complex combinations. We have discovered more than 450 single evasions, and the number of combinations is at least as high as the number of different kinds of computer viruses in the world.
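To make the mechanism concrete, here is an added example (not code from the McAfee post or from the Evader tool) of two classic TCP-layer evasions of the kind described in the 1998 work alluded to above (Ptacek and Newsham’s insertion/evasion paper), first singly and then combined. The request bytes and the signature are constructed. Segmentation alone defeats a sensor that searches each packet on its own; adding overlapping junk segments additionally defeats a sensor that reassembles the stream with a different overlap policy than the victim host, which is exactly what combining single evasions buys the attacker.

```python
"""TCP segmentation plus overlap evasion against a signature matcher.

Added example, not from the McAfee post or the Evader tool. ATTACK and
SIGNATURE are constructed stand-ins for a real request and a real rule.
"""

SIGNATURE = b"/cgi-bin/exploit?cmd="                      # constructed rule, not a real one
ATTACK = b"GET /cgi-bin/exploit?cmd=id HTTP/1.0\r\n\r\n"   # constructed request


def match_per_packet(segments, signature=SIGNATURE):
    """Naive IDS: search each segment's payload on its own."""
    return any(signature in data for _seq, data in segments)


def reassemble(segments, policy="first"):
    """Rebuild the stream from (seq, data) segments.

    policy="first": bytes already received win over later overlaps.
    policy="last":  later segments overwrite earlier bytes.
    Operating systems differ on this, so a sensor must mirror the victim
    host's choice or it reconstructs a different stream than the host.
    """
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(off, 0) for off in range(lo, hi + 1))


def segmentation_evasion(payload, chunk=4, seq0=0):
    """Single evasion: split the payload so no one segment holds the whole signature."""
    return [(seq0 + i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def combined_evasion(payload, chunk=4, seq0=0):
    """Advanced evasion: segmentation combined with overlapping junk segments.

    Each real chunk is followed by a junk chunk at the same sequence number.
    A host that keeps first-received data runs the payload; a sensor that
    lets later data win reconstructs only junk and never alerts.
    """
    segments = []
    for seq, data in segmentation_evasion(payload, chunk, seq0):
        segments.append((seq, data))
        segments.append((seq, b"X" * len(data)))
    return segments


def sensor_verdicts(segments, host_policy="first"):
    """What a per-packet matcher and reassembling sensors of each policy conclude,
    alongside whether the host (using host_policy) ends up with the attack bytes."""
    return {
        "per_packet_alert": match_per_packet(segments),
        "first_policy_alert": SIGNATURE in reassemble(segments, "first"),
        "last_policy_alert": SIGNATURE in reassemble(segments, "last"),
        "host_executes_attack": reassemble(segments, host_policy) == ATTACK,
    }


if __name__ == "__main__":
    print("plain:            ", sensor_verdicts([(0, ATTACK)]))
    print("segmented:        ", sensor_verdicts(segmentation_evasion(ATTACK)))
    print("segmented+overlap:", sensor_verdicts(combined_evasion(ATTACK)))
```

For the plain request every sensor alerts; for the segmented one only the per-packet matcher is blind; for the combined evasion the per-packet matcher and the "last wins" reassembler both stay silent while a "first wins" host still receives the full attack. The two policies here are a simplification (real stacks also differ on partial overlaps), which is why production sensors offer target-based reassembly where the operator declares each protected host's operating system.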

Advanced evasion techniques are one of the biggest unsolved problems in the network security industry. Customers and vendors downplay their importance because they either do not believe in them or they do not have a way to remediate them. (To learn more about AETs, download McAfee Evader, an automated evasion testing tool, and read the report that SANS did with the Evader.)

We predict that in 2014 hackers will use advanced evasions especially to exploit old vulnerabilities. How is that possible? Haven’t old vulnerabilities been patched? They have been by most consumers and organizations that use automatic or regularly scheduled updates, but we still find old machines that cannot be patched in industrial control systems and factory environments. Many of these control systems can be patched only once a year during an annual maintenance break; others run operating systems so old, such as Windows NT, that there are no more patches for them. Security administrators routinely use network protection devices to shield those systems against exploits, but advanced evasion techniques silently bypass those devices. Industrial control systems are used in all manufacturing sites, in energy production, and in critical infrastructure. We expect to see more activity against these sites in the coming year.

Go Daddy Still Using phpMyAdmin Version That Hasn’t Been Supported for Two and Half Years

In the past we have mentioned a number of web hosts who were not keeping the MySQL administration software phpMyAdmin on their servers up to date. In addition to the direct risk that poses to the websites hosted with them, because the web host is running software with known vulnerabilities, it is an indication that the web host might not be handling other parts of security properly either.

Go Daddy is yet another web host who hasn’t kept phpMyAdmin up to date on their system. They are currently running a release from the phpMyAdmin 2.11.x series. Support, including security updates, for the 2.11.x series ended on July 12, 2011. While running software that hasn’t been supported for two and a half years is pretty bad, it pales in comparison to other web hosts we have seen running versions up to seven years out of date. What makes Go Daddy worth mentioning is that they promoted that they were using that version after support had ended.

The day after support for 2.11.x ended, they put out a notification about the need to update newer versions of phpMyAdmin to fix several vulnerabilities. The notification reads in part (the emphasis is theirs):

The developers of the popular browser-based MySQL tool, phpMyAdmin, recently released updates to patch multiple critical security vulnerabilities in phpMyAdmin 3.4.3 and earlier. The vulnerabilities could let attackers overwrite session information to bypass authentication, inject malicious code, or perform other actions.

Good news, though. The 2.11.x versions aren’t affected. We use phpMyAdmin version, so you don’t need to worry if you’re using our shared hosting. (But, it’s a good time to make sure all your other hosting apps are up to date. For more information, see Upgrading to a New Version of a Hosting Quick-Install Application.)

If you use phpMyAdmin 3.4.3 or earlier on a virtual or dedicated server, you must download and install the patch or latest version.

That shows that Go Daddy was aware that phpMyAdmin could contain security vulnerabilities and that it needs to be kept up to date. Yet they were touting that they were running a version that was no longer supported with security updates.

It does appear that Go Daddy made an attempt to upgrade their phpMyAdmin installation around a year ago, as the phpMyAdmin documentation on the server is for phpMyAdmin 3.5.5, which was released on December 20, 2012. Other web hosts are able to handle upgrading phpMyAdmin in a timely manner, so it would appear Go Daddy has some serious problems if they are not even able to complete an upgrade.

Data privacy: a look ahead at 2014

So, as the latest Snowden revelations (oh … and the New Year holiday fun) subside, how about we look at where data privacy is going in 2014. Here is a quick “stocktake” on what is likely to happen next:

  • Snowden and the NSA – Expect more revelations from Edward Snowden about the NSA and surveillance. Whatever you think about the issues, there is little doubt this is fuel for unending press stories.
  • EU General Data Protection Regulation – I really don’t know what to say here. Some people think it is going to go through in some form or another. Others seriously doubt it. Over to you!
  • US Safe Harbor – so we have avoided “falling off the edge of the figurative privacy cliff” and it’s apparently still legal to transfer data to Safe Harbor certified companies in the US. Expect more extreme demands from Europe on how US and other non-European businesses should process personal data, and watch how this impacts the marketplace. Ask any supplier of services with French, German or other mainland EU customers and you will find a growing trend making it harder for non-European businesses to sell into the European market without setting up European servers or an EU cloud. The official rules are fast becoming a basis for pulling up the EU drawbridge and staying home!
  • Data breach – expect more data breaches! This will continue for the “big boys” like Target in the US and for providers of apps and digital media like Snapchat, to quote some recent examples.
  • US regulatory approach – Expect greater alignment between privacy principles adopted by the FTC in the US and at least some of the data privacy rules in Europe. For example, the FTC is moving towards an assumption that device-based data deserves special protection, as Europe did 10 years ago. You really need to look at the substance here to appreciate that there is already greater US/EU alignment than some care to admit.
  • “Internet of things” – T-shirts that monitor your heart rate and other “wearable tech”. 2014 is likely to see a revolution in connected gadgets and data-enabled clothing, cars, fridges and homes.
  • BCRs – no let-up in the number of companies starting to look at BCRs or, at least, a BCR-style data privacy governance engine. How else to manage global data privacy risk and mitigate the associated reputational issues?

Finally, the best news of all: the term “geek” has been redefined by the Collins Dictionary. It no longer means someone who is socially awkward or dull. It is, in fact, in the dictionary’s list of “words of the year”, so whatever you think of the above predictions, rest assured it is OK to be a privacy geek!