3. Good News First….
[Chart: Records Lost Per Industry; categories: Retail/Merchant, Medical Providers, Government and Military, Educational Institutions, Financial and Insurance Services, Other, Nonprofit Organizations]
[Chart: Breaches Per Industry; categories: Other, Financial and Insurance Services, Retail/Merchant, Government and Military, Medical Providers, Educational Institutions, Nonprofit Organizations]
[Chart: Total Records Lost Per Year, 2005-2014; y-axis 0 to 30,000,000]
[Chart: Number of Breaches Per Year, 2005-2014; y-axis 0 to 800]
Data: http://www.privacyrights.org/data-breach
4. Heartbleed – Summary of Impact
• CVE-2014-0160 - OpenSSL
• Improper handling of Heartbeat extension packets resulting in potential data loss.
• The bug was introduced December 31, 2011
• Discovered on March 21, 2014 and made public on April 4th
• IBM Managed Security Services Statistics 2014
  • Over 4 Million detected attacks
  • Affected all industries
  • Raised the AlertCon to level 2
Logo: heartbleed.com
6. Shellshock – Summary of Impact
• CVE-2014-7169 – Bash Shell
• Improper handling of environment variables resulting in remote command execution.
• The bug was introduced September 1989
• Discovered on September 9, 2014 and made public on September 24
• IBM Managed Security Services Statistics 2014
  • Over 14 Million detected attacks
  • Affected all industries
  • Raised the AlertCon to level 3
Logo: Symantec.com
10. History of the Internet
The ARPANET was the first wide area packet switching network, the "Eve" network of what has evolved into the Internet we know and love today.
"Everything was built with performance, NOT SECURITY, in mind", Dr. Shrobe said. "We left it to programmers to incorporate security into every line of code they wrote. One little mistake is all it takes for the bad guy to get in."
11. Fast forward in 2014, Year the Internet Fell Apart.
The Vulnerabilities Explained
Heartbleed – April 4th, 2014
The OpenSSL project was founded in 1998 to invent a FREE set of encryption tools for the code used on the Internet.
• 2/3 of the world's web servers use OpenSSL
• Vulnerability age: 2 1/2 years
• Relative ease of exploitation
• Remote execution
• Open source
logo: vpnexpress.net
Shellshock – September 24th, 2014
Bash is a Unix shell written by Brian Fox in 1989 for the GNU Project as a FREE software replacement for the Bourne shell.
• 70% of devices that access the internet
• Vulnerability age: 26 years
• Arbitrary command execution
• Rated 10 on a 10-point severity scale
• Open source
logo: heartbleed.com
12. Major Vulnerabilities, a New Norm
[Bar chart: High Severity Vulnerabilities 2009 - 2014; bars for 2010 to 2014 labelled 1887, 1492, 1488, 1612, 1705; y-axis 0 to 2000]
[Pie chart: High Severity Vulnerabilities 2014, segments Low / Medium / High; values shown: 8%, 68%, 24%]
[Line chart: # of Vulnerabilities, 2009-2014; y-axis 0 to 7,500]
7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day.
13. Planning For The Future
• Reliable and refreshed inventory
• Keep up with threat intelligence
• Implement mitigating controls
• Create and practice a broad Incident Response Plan
  • Fast-track threat intelligence into security controls
  • Proactive threat analysis
  • Security posture awareness
  • Better communication to stockholders
Gartner, FBI, NSA, and AV companies have conditioned us to always assume there are "rats in the attic" …
We should be Ready and Prepared
15. Impact and what was affected
• Every version of Internet Explorer since 3.0 on any Windows OS from 95 or later
• Originally part of code written for Microsoft Excel 20-some years ago
• Allows remote code execution via a data-only attack, which bypasses security controls meant to prevent remote code execution from memory corruption bugs
• Can circumvent the Enhanced Protected Mode sandbox in IE 10/11
• Can circumvent the Microsoft EMET anti-exploitation tool
• Vulnerability details:
  • X-Force Database Entry: 93141
  • CVE Entry: CVE-2014-6332
  • CVSS Base Score: 9.3
16. How the vulnerability works – High level
A serial action is needed to exploit the vulnerability, ultimately resulting in "free rein" allowing data exfiltration.
1. A bad actor takes advantage of a hand-off process in VBScript execution within IE to resize a memory request
2. The resize permits a data attack leveraging the memory leak
3. A subsequent memory overwrite makes the script engine believe it's running in a trusted environment
17. How the vulnerability works - Technical
• In VBScript, the COM SafeArrays have a fixed element size (16 bytes) with a WORD specification for the variant type
• Typically, through this WORD you can only control 8 bytes of this data through the Variant type (for Double values or Currency values)
• The vulnerability allows for in-place resizing of these arrays through a "redim preserve" command
  • SafeArrayRedim() will swap out the old array size with the newly requested size
  • The re-dimension task is farmed out to OleAut32.dll
  • If the size request isn't reset before returning from OleAut32.dll, it can allow a request for data beyond the intended range, which is the same as a memory leak.
Exploitation could have been prevented if VBScript invalidated the "On Error Resume Next" when OleAut32 returns with an error
• The exploit takes advantage of the difference between the alignment of the arrays (16 bytes) and the alignment of the Windows heap (8 bytes). This provides two important opportunities:
  • Change the data type in an element of an adjacent array
  • Read that content back through the original array reference.
As a result, an attacker can request object execution by running unsafe COM objects like ActiveX with arbitrary parameters
These possibilities permit a data attack that leverages a memory leak leading to the VBScript class object instance AND a subsequent memory overwrite that leads the script engine to believe it is running in a trusted environment.
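The size-before-success defect the slide describes, as a toy C model added here (not OleAut32 or VBScript code; ToySafeArray, toy_alloc and its 64-element limit are constructed): the buggy redim swaps the requested count into the descriptor before the allocation succeeds, so the bounds check trusts a size no memory backs, while the hardened version commits the count only on success.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy model of a SafeArray descriptor: 16-byte elements, and the element
 * count that every bounds check trusts stored in the descriptor itself. */
typedef struct {
    uint32_t cElements;  /* element count the descriptor claims */
    size_t   allocated;  /* elements the buffer really holds */
    uint8_t *data;
} ToySafeArray;
/* Stand-in for the allocator the redim hands its request to. Constructed
 * limit: requests above 64 elements fail, as an out-of-memory would. */
static bool toy_alloc(ToySafeArray *a, uint32_t n) {
    uint8_t *p = n > 64 ? NULL : realloc(a->data, (size_t)n * 16);
    if (p == NULL) return false;
    a->data = p; a->allocated = n;
    return true;
}
/* Defective pattern from the slide: the requested size is swapped into the
 * descriptor first and is not reset when the allocation fails. */
int redim_preserve_buggy(ToySafeArray *a, uint32_t n) {
    a->cElements = n;                 /* committed before the work is done */
    return toy_alloc(a, n) ? 0 : -1;  /* on error the size stays inflated */
}
/* Hardened pattern: commit the new count only after allocation succeeds. */
int redim_preserve_fixed(ToySafeArray *a, uint32_t n) {
    if (!toy_alloc(a, n)) return -1;  /* descriptor untouched on failure */
    a->cElements = n;
    return 0;
}
/* The check each element access relies on: index against the claimed count. */
bool index_passes_bounds_check(const ToySafeArray *a, uint32_t idx) { return idx < a->cElements; }
/* Scenario: an 8-element array, then a redim the allocator refuses. With the buggy
 * redim, and its error ignored as "On Error Resume Next" would, index 500 passes
 * the bounds check although only 8 elements are backed by memory. */
bool buggy_redim_inflates_descriptor(void) {
    ToySafeArray a = {0, 0, NULL};
    if (!toy_alloc(&a, 8)) return false; a.cElements = 8;
    bool inflated = redim_preserve_buggy(&a, 1000) == -1 && index_passes_bounds_check(&a, 500) && a.allocated == 8;
    free(a.data);
    return inflated;
}
bool fixed_redim_keeps_descriptor(void) {
    ToySafeArray a = {0, 0, NULL};
    if (!toy_alloc(&a, 8)) return false; a.cElements = 8;
    bool intact = redim_preserve_fixed(&a, 1000) == -1 && a.cElements == 8 && !index_passes_bounds_check(&a, 500);
    free(a.data);
    return intact;
}
```

The model never dereferences the unbacked index; it only shows that the claimed count, not the real allocation, is what the check consults.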
18. What can be gained
• Exploiting the vulnerability causes various memory leaks in Microsoft IE, one of which relates to the internal data structure for Visual Basic.
• By exploiting it, attackers can:
  • Conduct reliable code execution for COM objects
  • Exfiltrate data straight out of IE
  • Install additional malware on the system
• This can be exploited similarly to a technique used by Yang Yu, called the "Vital Point Strike", presented at the BlackHat 2014 session "Write Once, Pwn Anywhere".
  • Scripts can complete the same job as shellcode.
  • The script interpreter engine in IE can execute malicious scripts as long as they have an elevated privilege.
20. Notices and Disclaimers (cont.)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
21. Thank You
Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.