What’s Wrong with New Vulnerability Information?


When it comes to application vulnerabilities, information is everywhere. You can scan social media for the latest discoveries, keep up with what the research community is doing, or depend on vendors to keep you in the loop.

All this information lets you take charge and, once you hear about a new vulnerability, it can be tempting to rush into action. After all, the faster you can resolve the vulnerability, the lower the likelihood of it being exploited.

But slow down. Take stock. Because the most up-to-date information on vulnerabilities isn’t always as useful as it seems.

When now is too soon

The moment somebody uncovers an application vulnerability, they’re keen to share their findings widely. But in that eagerness to share, the slide into misinformation begins.
The problem is that the initial reports of a vulnerability could:

  • Refer to code paths that are never actually reached
  • Describe bugs that carry no security impact – they’re not vulnerabilities in the true sense
  • Be exploitable only in combination with another vulnerability
  • Not apply to every version, configuration, or combination of software found in real environments

But the security community doesn’t wait. It’s been taught that reaction speed is everything. So vulnerabilities are reported, then they’re repeated. One inaccuracy – one incorrect detail – is shared endlessly in varied articles and reports.

And you make your decisions based on this information.

The cost of inaccurate or incomplete information

Inaccurate reports fill your workload with false positives to chase. You begin spending your time on things that aren’t relevant to you, or don’t apply to your environment.

Mitigating your exposure could mean testing and patching. Taking nodes offline. Changing several dependent applications alongside the one that’s supposedly vulnerable. It’s widespread disruption, and it comes at a huge cost.

And all the time you’re prioritising those potential risks, you’re ignoring the ones that really matter.

VENOM – critical risk or just another vulnerability?

In May 2015, CrowdStrike disclosed VENOM (CVE-2015-3456) – a vulnerability in the virtual floppy disk controller code in QEMU, which is used by Xen, KVM and other common virtualisation platforms.

This vulnerability affected a huge number of platforms and, as a result, became big news across the IT security sector. Based on news coverage, social media, and the overall reaction of the community, there was a sense that almost everything needed to be patched – fast.

However, closer analysis showed the practical risk was lower than the coverage suggested.

Secunia’s Threat Research Team conducted extensive analysis of the vulnerability. After investigation, it became clear that exploitation required local, privileged access: an attacker first needs root or administrator rights inside a guest virtual machine in order to drive the emulated floppy controller. It could not be triggered remotely by an unprivileged attacker.

The vulnerability was serious, but the actual risk it posed to most environments was comparatively low. That nuance is exactly why detailed analysis matters when you’re about to make expensive decisions.

Focusing your attention on legitimate, significant threats

Informational reports can raise the alarm. But it’s only further investigation that lets you make the right decisions about your response.

Secunia’s analysts don’t just repeat reports. They don’t rush into responding before careful consideration.

The team only releases advisories after vulnerabilities are verified. They assign every vulnerability a clear criticality rating, which can be used to prioritise your patching. And they present every advisory in the same clear, consistent format that’s easy to understand and full of practical insight.

That’s why, with Secunia VIM, you get all the information you need – not just to act fast, but to take the action that’s most appropriate.

Get Verified Vulnerability Intelligence with Secunia VIM

Pacnet reveals cyber breach after Telstra acquisition


In April this year Telstra completed its acquisition of Pacnet, giving it access to Asia’s largest privately owned submarine cable network as part of its strategy to expand into Asia.

According to news reports it appears that Telstra received a surprise signing bonus when the purchase was completed – notification that the Pacnet corporate IT network had been breached.

The itnews article claims that this wasn’t discovered during due diligence because Telstra and Pacnet were competitors at the time, so Telstra only had limited access to information.

Access to the Pacnet internal network was gained through a SQL injection attack. SQL injection is one of many web attack techniques used to steal data from organisations, and it is perhaps the most common application-layer attack technique in use today. It takes advantage of improperly written web application code that builds SQL queries by splicing user input directly into the query text. This lets an attacker type SQL fragments into, say, a login form, so that the database executes the attacker’s commands instead of (or in addition to) the intended query, giving them access to the data held within the database.
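The login-form case described above, as an added example that is not part of the original article and does not reflect any detail of the Pacnet application: a vulnerable login check that splices user input into the query, beside its parameterised fix, both run against a constructed in-memory SQLite database. The table, user row and payload strings are all assumptions made for the demonstration.

```python
"""Added example (not from the original article): SQL injection via a login
form, beside the parameterised fix, against constructed sample data."""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credentials; a real application would store a
    # salted password hash, never the plaintext.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The improper coding the article describes: form input is spliced
    straight into the SQL text, so the input can rewrite the query's logic.
    Returns the matched username, or None if the login fails."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL,
    so the same payloads are compared literally against the column."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payloads typed into the username field of the login form.
# BYPASS closes the string literal, adds an always-true condition and
# comments out the password check, logging in as the first user found.
BYPASS = "' OR '1'='1' --"
# EXFIL turns the login query into a UNION that returns the password
# column in place of the username: the data-theft case the article mentions.
EXFIL = "' UNION SELECT password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, bypass     :", login_vulnerable(db, BYPASS, "anything"))
    print("vulnerable, exfil      :", login_vulnerable(db, EXFIL, "anything"))
    print("parameterised, real    :", login_parameterised(db, "alice", "correct horse"))
    print("parameterised, bypass  :", login_parameterised(db, BYPASS, "anything"))
    print("parameterised, exfil   :", login_parameterised(db, EXFIL, "anything"))
```

Run as-is, the vulnerable function logs the attacker in as alice without a password and then hands back alice’s stored password through the UNION payload, while the parameterised version rejects both payloads because the database driver never interprets them as SQL. Parameterised queries (prepared statements) are the primary fix; input validation and least-privilege database accounts are defence in depth on top of them.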

Defending against attacks of this nature falls under strategy #24, Server Application Hardening ‘e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems’, in the Australian Signals Directorate (ASD) Top 35 Mitigation Strategies.

Telstra is now left with the task of advising Pacnet customers about the breach.

There is no mandatory breach reporting in Australia, although there is strong support for it. In October 2013, the Office of the Australian Information Commissioner (OAIC) released survey findings on community attitudes towards privacy, which showed that 96 percent of respondents want government agencies and businesses to notify them if their personal information is lost or compromised.

Earlier this year the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended that the Government introduce a mandatory data breach notification scheme before the end of 2015. Australia’s Privacy Commissioner, Timothy Pilgrim, has highlighted telcos’ poor track record in Australia, pointing to Telstra’s 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.


emt Distribution represents Acunetix in Australia and New Zealand. Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and Cross-Site Scripting among others.