CVE-2014-6271 (“Shellshock”) and exploit PoC

September 26, 2014

By Andy Yang

(A little bit of background on this post – one of my colleagues, Norman Yue, posted something about the Internet being on fire to LinkedIn yesterday, regarding the bash bug. This blog post tries to explain a bit more about why exactly this is such a big issue, and also provides a proof-of-concept exploitation).

Firstly, the vulnerability itself. It is amusing and unique, but otherwise it isn't the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase: if you are able to control the contents of an environment variable that a Bash shell then imports, you can execute commands.

The interesting part is that this vulnerability may have existed for more than 20 years, in an application that has been part of pretty much every Unix system for a very long time. The vulnerable versions range from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet).

Nude Celebrity Scandal, Cloud Service Security and You!

September 04, 2014

Following the slew of private celebrity photos leaked earlier this week, both end-users and organisations are understandably concerned. Invariably, user confidence in the security of online services, and the confidentiality of any data stored, has been shaken by such leaks.

This is especially worrying for organisations, as more and more enterprise services move onto remotely hosted cloud platforms, which are now home to the corporate crown jewels (emails, commercially sensitive information, intellectual property etc).

The same security issues that appear to have caused the recent iCloud breaches typically affect these cloud platforms. From a security perspective, using a cloud system is effectively outsourcing and therefore should be treated as diligently as any other outsourcing arrangement.

According to Apple, the recent celebrity photo compromise occurred due to a “very targeted attack on user names, passwords and security questions” – in other words, social engineering password resets.

iOS devices hit by AdThief malware

September 01, 2014

Apple iPhones and iPads are being targeted by a malware called AdThief, which has so far impacted 75,000 devices, according to details provided by Fortinet in a Virus Bulletin.

AdThief was discovered in March of this year, and was found to hijack advertisement revenues and redirect them to the attacker. These advertisements are commonly seen in mobile apps as an alternative way of receiving compensation for development.

Wireless Emporium site compromised by malware

August 19, 2014

A US retailer, Wireless Emporium, has recently suffered a massive data breach on its website server, in which a substantial amount of personal and confidential information may have been compromised.

Wireless Emporium is a retailer specialising in cellphone accessories and mobile products such as chargers, cases and batteries. A malware installation on the website server may have opened access to valuable data.


Las Vegas brain and spine surgery centre hit with insider breach

August 16, 2014

A medical centre in the United States has recently been hit with a substantial data breach, which is now believed to have originated from within the centre itself.

The Las Vegas Western Regional Center for Brain & Spine Surgery (WRCBSS) reported the breach on July 9, stating that 12,000 individuals have been impacted. Names, addresses, Social Security numbers and billing account numbers for the organisation were included in the stolen data.


August 2014 Newsletter

August 11, 2014

Table of Contents:
• A CIO’s Approach to Developing a Security Framework 101
• Penetration Testing Applications
• Practical Security: Browser Security Settings
• Upcoming Events
• Achieving Comprehensive PCI DSS 3.0 Compliance
• The SG Community

A CIO’s Approach to Developing a Security Framework 101

One of the biggest questions we always get asked by CIOs and other senior business management in regards to Information Security and IT Risk Management is where to begin. Do you focus on purchasing security tools first, developing policies and standards or getting an audit done and working from the results of that audit?

From our experience, while all of the above can assist in some way, developing a framework for how you will think about your security position is the number one priority before you make a major investment in tools, your staff’s time or the costs of hiring consultants. You may find that a lot of the costs you estimated originally are not needed.

ABI: Cyber attacks pushing DLP market growth

August 09, 2014

Data breaches are growing in number, driving a massive loss prevention market, according to a new report from analytical firm ABI Research.

It's not just the quantity, however, as these enterprise attacks have also been growing in sophistication throughout the past decade, to the point where breach and data theft at the enterprise level are now inevitable.


SafeNet BLI finds 237 breaches between April and June this year

August 07, 2014

More than 375 million customer data records were compromised in the first half of this year, in a staggering 559 data breaches. The retail industry was hit the hardest, with over 145 million records stolen or lost in the second quarter alone.

These statistics came as part of a new report from SafeNet, a global provider of data protection solutions for wireless networks and other systems headquartered in the United States.

Achieving Comprehensive PCI DSS 3.0 Compliance

It’s not news that any entity that processes, transmits or stores account data, or can impact the security of the cardholder data environment, is required to be compliant with PCI DSS 3.0. However, the business benefits of the security framework — a more secure network, protection of corporate brand and reputation, reduced risk of successful data breaches and network attacks — can easily be overshadowed.

Tripwire (a long-time partner of Securus) combines the power of configuration control and deep file integrity monitoring (FIM) with comprehensive log and security information event management capabilities to help deliver continuous and unmatched PCI DSS compliance. The white paper serves as a useful guide for security personnel who want to learn how Tripwire® Enterprise, Tripwire Log Center® and Tripwire IP360™ could assist in meeting PCI DSS requirements. Qualified Security Assessors (QSAs) might find this document useful as well, as it highlights the areas of the PCI DSS requirements that can be verified and met by those solutions.

Download whitepaper here:
