MA-417.092014: MyCERT Alert - GNU Bourne Again Shell Vulnerability

  • 26 Sep 2014
  • Alert
1.0 Introduction

MyCERT received information from valid sources regarding a GNU Bash vulnerability that affects Unix-based operating systems such as Ubuntu, Red Hat, Debian and other Linux distributions, as well as Mac OS X, and consequently a large number of web servers running Linux.

GNU Bourne Again Shell, or GNU Bash, is perhaps one of the most commonly installed utilities on any Linux system and is present on millions of computers and servers around the world. Since its creation in the 1980s, Bash has evolved from a simple terminal-based command interpreter into a tool with many uses, and it has become an industry standard.

2.0 Affected Systems

The vulnerability exists on servers running the UNIX-based systems listed below:

Apple
OSX
BSD
Redhat
Debian
CentOS
Ubuntu

3.0 Brief Description

OS Command Injection

Bash supports exporting shell functions to other instances of Bash through environment variables. The variable is named after the function, and its value begins with "() {" followed by the function definition. When Bash reaches the end of the function definition, rather than stopping there it continues to process any shell commands written after the end of the function. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux, BSD and Mac OS X), and because many network services invoke Bash, which makes the vulnerability exploitable over the network.

4.0 Impact

This vulnerability may allow a remote attacker to execute arbitrary code on an affected system.

Once an attacker has exploited this vulnerability and gained unauthorised access, they could deface websites, steal confidential or sensitive data, and use the system for malicious activities such as distributing malware or running botnets for spam and DDoS.

5.0 Recommendation

a) Detection/Diagnostics

Whether a server is vulnerable depends on whether the application setup invokes Bash as part of its code execution.

To check if you are patched, you can use the original test string:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you have applied the initial patch but want to check whether you are still vulnerable, you can use this command:

env x='() { (a)=>\' bash -c "v echo vulnerable"; cat v

This command returns an error on a patched system, but it will still create a file called "v" containing the string "vulnerable". This shows that arbitrary command execution is still possible.
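As an added example that is not part of the MyCERT alert, the POSIX shell function below wraps both test strings above so that the result can be consumed by a fleet-wide check; the function names are hypothetical, and it assumes only that a bash binary may be on PATH.

```shell
#!/bin/sh
# Added example (not from the MyCERT alert): reports the state of the bash
# found on PATH using the two test strings from the alert.

# Prints "vulnerable", "patched", or "unknown" (no bash on PATH).
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }

    # Test 1: function import with a trailing command. A vulnerable bash runs
    # "echo vulnerable" while importing x; a patched bash only runs the -c command.
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo vulnerable; return 0 ;;
    esac

    # Test 2: the incomplete-definition parser bug. Run inside a throwaway
    # directory so the "v" file the alert describes cannot land in the cwd.
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    (
        cd "$tmp" && env x='() { (a)=>\' bash -c "v echo vulnerable" >/dev/null 2>&1
    ) || true   # a patched bash reports "v: command not found"; that is expected
    if [ -f "$tmp/v" ] && grep -q vulnerable "$tmp/v"; then
        rm -rf "$tmp"
        echo vulnerable
        return 0
    fi
    rm -rf "$tmp"
    echo patched
}

# Exit status for configuration management or inventory scripts:
# 0 = patched, 1 = vulnerable, 2 = unknown.
shellshock_exit_code() {
    case "$(shellshock_status)" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}
```

Running the check on the host itself only tells you about the local bash binary; whether a network service is exposed still depends on the point made above, namely whether that service invokes Bash.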

b) Apply Patch

System administrators may refer to the information below about patches that fix this vulnerability:

c) Mitigations

Red Hat has provided workarounds to block attacks against web services, such as attacks against CGI applications.

The workarounds use mod_security and iptables and are available at:

https://access.redhat.com/articles/1200223

Please note that these are weak workarounds: an attacker could send one or two characters per packet, which would avoid matching the signature check. In conjunction with logging, they may still provide an overview of automated attempts to exploit this vulnerability.

MyCERT generally advises users of this product to keep themselves updated with the latest security announcements by the vendor. If you have any enquiries on this matter, please reach us through the following channels:

E-mail : [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 on call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my

6.0 Reference

MA-416.092014: MyCERT Alert - Banker Malware Targeting Malaysian Internet Banking User

  • 23 Sep 2014
  • Alert
1.0 Introduction
 
MyCERT has received several reports regarding malware that targets Malaysian Internet banking customers. Based on our initial analysis, this campaign uses the Zeus banking malware family.

The attacker infects the victim's computer with the Zeus banker malware, which injects modified, fake content or pages while the user is browsing a legitimate online banking website.
 
2.0 Affected Systems
 
Based on our initial analysis of a sample incident, the affected systems are:
 
2.1 Smartphone running on Android
2.2 Vulnerable and unpatched Windows Operating System
 
3.0 Impact
 
3.1 The malware injects modified, fake content that looks like the real online banking website while the user is browsing a legitimate online banking website; the injected content requests the victim's smartphone operating system and mobile number.

3.2 The malware then sends an SMS to the smartphone containing a link to a malicious APK, which infects the phone in order to establish a callback to the attackers for further instructions.
 
4.0 Technical Details
 
The attacker infects the victim's computer with the Zeus banker malware, which injects modified content while the user is browsing a legitimate online banking website, as shown in the sample image of the injected page below.
 
 
The modified content prompts the user to choose their smartphone operating system and to provide their phone number. With the phone number, the attacker sends an SMS containing a link to a malicious APK known as the Zitmo malware to the victim's smartphone, purportedly an online banking verification certificate.

Once the APK is installed on the smartphone, a popup message appears and the Zitmo malware attempts to call back to the attacker through SMS and waits for further instructions.

A few days later, the attacker logs in to the victim's online banking account using the stolen credentials and completes an online transaction using the intercepted TAC number.

The mobile malware has been known since late September 2010, but this is the first time it has been used in a campaign targeting Malaysian online banking users.
 
5.0 Recommendation
 
5.1 For laptop/PC User:
 
1) Install robust anti-virus, anti-spyware and firewall software on your computer and other devices and configure them to update regularly.

2) Perform regular scans of your systems for malware and other risks.

3) Operating system providers such as Microsoft periodically release updates and patches that improve the security of your operating system. You should periodically check for these updates and keep your system current, or configure it to do so automatically.

4) When accessing online banking, make sure there is no pop-up or window that asks for personal information such as a credit card number or smartphone platform (Android/iOS). Do not enter such information if asked.

5) Use only a dedicated computer or laptop for online banking.

6) If you suspect your bank account has been compromised or spot any activity you have not authorized, notify your banking provider immediately.

7) Ensure you log out properly at the end of each session by clicking the log-out button. Do not exit by simply closing the browser window.

8) If you come across anything suspicious when banking online, such as unusual web pages asking for banking information, notify your bank provider immediately.

9) Never respond to any email or advertisement requesting your login details, and never log in via a link sent in an email or application. The bank will never send you mail or provide links in applications like that, and such a request is likely to be a phishing attempt.
 
5.2 For Smartphone Users:
 
1) Verify an app's permissions and the app's author or publisher before installing it.

2) Do not click on adware or suspicious URLs sent through SMS or messaging services. Malicious programs could be attached to collect the user's information.

3) Since URLs on mobile sites appear differently from the desktop browser, make sure to verify them first.

4) Always run a reputable anti-virus on your smartphone or mobile device, and keep it up to date.

5) Do not use public Wi-Fi networks for bank transactions, and turn off Bluetooth when not in use. These can be open windows for eavesdroppers intercepting the transaction or installing spyware and other malware on the user's smartphone or tablet.

6) Update the operating system and applications on your smartphone or tablet, including the browser, to avoid malicious exploitation of security holes in outdated versions.

7) Do not root or otherwise 'jailbreak' your phone, and avoid side-loading (installing from non-official sources) when you can. If you do install Android software from a source other than the Market, be sure that it comes from a reputable source.
 
6.0 References
 
 

SR-049.Q22014: MyCERT Report - MyCERT 2nd Quarter 2014 Summary Report

  • 19 Sep 2014
  • Report
Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysia Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities relate to computer security incidents and trends based on the security incidents handled by MyCERT. This summary report highlights statistics of incidents handled by MyCERT in quarter 2 (Q2) 2014 by category, the security advisories issued, and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as the monetary value or repercussions of the incidents.

Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

 

Incidents Trends Q2 2014

Incidents are reported to MyCERT by various parties within the constituency as well as outside Malaysia. These parties include home users, the private sector, government sectors, security teams from abroad, foreign CERTs and Special Interest Groups (SIGs), in addition to MyCERT's own proactive monitoring of cyber incidents.

From April to June 2014, MyCERT, via its Cyber999 service, handled a total of 2195 incidents. This represents a 14.20% increase in the total number of incidents compared to Q1 2014.

Figure 1 illustrates the number of incidents that are classified according to the Categories of Incidents for Q1 2014 and Q2 2014.

 

Figure 1: Comparison of Incidents between Q1 2014 and Q2 2014

 

Figure 2 illustrates the number of incidents according to the Breakdown of Incidents by Classification for Q2 2014.

 

Figure 2: Breakdown of Incidents by Classification in Q2 2014

 

Figure 3 illustrates the percentage of incidents handled according to categories in Q2 2014.

 

Figure 3: Percentage of Incidents in Q2 2014

In quarter 2 (Q2) 2014, the most reported incident category was fraud, representing 60.1% of all incidents. Throughout 2013 and the first quarter of 2014, fraud was also the most reported category. A total of 1319 fraud incidents were received this quarter from organizations and home users. Most of the fraud incidents reported involved phishing, job scams, purchase fraud and Nigerian scams.

MyCERT predicts that fraud incidents will continue to grow and remain among the most reported. MyCERT therefore advises Internet users to be cautious and to adhere to best practices when purchasing goods online: ensure that the dealing is made with trusted parties, and never transfer money to a seller without first checking the seller's status.

The second highest category reported is intrusion attempt, with 295 incidents. There is a large gap between fraud, the highest category, and intrusion attempt, the second: a difference of 1024 incidents. Fraud incidents are reported to us by individuals receiving phishing emails and by foreign companies notifying us of phishing websites hosted in Malaysia, whereas intrusion attempt incidents are mostly reported by companies and Internet Service Providers.

The third and fourth highest categories reported to Cyber999 differ by just 2 incidents: spam with 152 incidents and malicious code with 150 incidents. There was a big drop in malicious code incidents between quarter 1 and this quarter, a difference of 280 incidents, because MyCERT received fewer feeds from external parties about malicious code infections in Malaysia.

MyCERT observed a total of 57 .MY domains defaced in Q2 2014, representing 43.9% of all defacement incidents. The .MY domains defaced in Q2 belonged to various sectors such as the private, educational and government sectors. MyCERT responded to web defacement incidents by notifying the respective web administrators to rectify the defaced websites by following our recommendations, leading to the defaced websites being rectified by the respective administrators.

Figure 4 shows the breakdown of domains defaced in Q2 2014.

 

Figure 4: Percentage of Web Defacement by Domain in Q2 2014

This quarter saw the discovery of the Heartbleed OpenSSL vulnerability. This weakness allows stealing information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). MyCERT released an alert regarding this matter, and OpenSSL has since released updates to fix the vulnerability.

 

Advisories and Alerts

In Q2 2014, MyCERT issued a total of 24 advisories and alerts, 3 of them alerts involving the OpenSSL Heartbleed vulnerability. Other alerts and advisories included Vulnerability in Internet Explorer Could Allow Remote Code Execution, GameOver Zeus P2P Malware, and Microsoft Releases Security Advisory for Microsoft Malware Protection Engine. Each alert and advisory comes with a description, recommendations and references.

Readers can visit the following URL for advisories and alerts released by MyCERT:
https://www.mycert.org.my/portal/advisories?id=431fab9c-d24c-4a27-ba93-e92edafdefa5&year=2014&ctype=&keyword=

 

Other Activities

In Q2 2014, MyCERT personnel conducted several talks, presentations and trainings at various places. These included a talk in Hong Kong on Cyber Incident Trends in Malaysia, a talk in Langkawi on honeypots, and a presentation in Ipoh, Perak on Information Security Management Systems (ISMS).

 

Conclusion

In conclusion, the number of computer security incidents reported to MyCERT this quarter increased by 14.2% compared to the previous quarter. There were still event-related incidents involving MH370, and a lot of activity related to the OpenSSL Heartbleed vulnerability. MyCERT advises users and organizations to be vigilant about the latest computer security threats and to take measures to protect their systems and networks from these threats.

 

For further enquiries, please contact MyCERT through the following channels:

E-mail : [email protected] or [email protected] 
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442 
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 - 18:00 MYT


Web : https://www.mycert.org.my
Twitter : http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps:  IOS Users or Android Users


Please refer to MyCERT’s website for latest updates of this Quarterly Summary.

MA-415.092014: MyCERT Advisory - Security Updates for Adobe Flash Player

  • 15 Sep 2014
  • Advisory

1.0 Introduction

 
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. Adobe recommends that users update their product installations to the latest versions.
 
2.0 Impact
 
These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
 
3.0 Affected Products
 
Listed below are the affected products:
 
  • Adobe Flash Player 14.0.0.179 and earlier versions
  • Adobe Flash Player 13.0.0.241 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.400 and earlier versions for Linux
  • Adobe AIR desktop runtime 14.0.0.178 and earlier versions
  • Adobe AIR SDK 14.0.0.178 and earlier versions
  • Adobe AIR SDK & Compiler 14.0.0.178 and earlier versions
  • Adobe AIR 14.0.0.179 and earlier versions for Android
 
4.0 Recommendation
 
Adobe recommends that users update their software by following the applicable instructions below:
 
4.1 Adobe Flash Player Desktop Runtime for Windows and Macintosh should be updated to version 15.0.0.152 via:


4.2 Adobe Flash Player Extended Support Release should be updated to version 13.0.0.244 via:


4.3 Adobe Flash Player for Linux should be updated to version 11.2.202.406 via:


4.4 Adobe Flash Player installed with Internet Explorer 10 and Internet Explorer 11 will be automatically updated to version 15.0.0.152; please refer to:


4.5 Adobe AIR Desktop Runtime should be updated to version 15.0.0.249 via:


4.6 Adobe Flash Player installed with Google Chrome will be automatically updated to version 15.0.0.152 via:


4.7 Adobe AIR SDK should be updated to version 15.0.0.249 via:


4.8 Adobe AIR SDK & Compiler should be updated to version 15.0.0.249 via:


4.9 Adobe AIR for Android should be updated to Adobe AIR 15.0.0.252, which can be downloaded at:


4.10 These updates resolve:
 
  • memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557).
  • a security bypass vulnerability (CVE-2014-0554)
  • a use-after-free vulnerability that could lead to code execution (CVE-2014-0553)
  • memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555)
  • a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548)
  • a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559)
 
Users can verify the version of Adobe Flash Player installed in their browser via this link.

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements by the vendor and to follow best-practice security policies to determine which updates should be applied.
 
For further enquiries, please contact MyCERT through the following channels:
 
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 - 18:00 MYT
 
5.0 References
 

MA-414.092014: MyCERT Advisory - Security updates for WordPress

  • 12 Sep 2014
  • Advisory
1.0 Introduction
 
WordPress 3.9.2 has been released to address multiple vulnerabilities, one of which could allow a denial of service in PHP's XML processing. WordPress 3.7.3 and 3.8.3 users will be updated to 3.7.4 and 3.8.4 respectively. Users running older, unsupported versions of WordPress are encouraged to upgrade to 3.9.2.
 
2.0 Impact
 
Exploitation of one of these vulnerabilities could potentially allow the attacker to gain unauthorized access by using forged authentication cookies.
 
3.0 Affected Products
 
  • WordPress 3.7.3 and 3.8.3
  • Older and unsupported versions of WordPress
 
4.0 Recommendation
 
  • WordPress users are strongly advised to download the latest version of WordPress, available at the URL below: Download WordPress 3.9.2
  • Alternatively, use the WordPress interface: go to Dashboard > Updates and click "Update Now".

Note: Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. Users still on WordPress 3.8.3 or 3.7.3 will be updated to 3.8.4 or 3.7.4. WordPress does not support older versions, hence users of those versions are recommended to update to 3.9.2.

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements by the vendor and to follow best-practice security policies to determine which updates should be applied.
 
For further enquiries, please contact MyCERT through the following channels:
 
Phone: 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 - 18:00 MYT
 
5.0 References
 

MA-413.092014: MyCERT Advisory - Mozilla Releases Security Updates for Firefox and Thunderbird

  • 08 Sep 2014
  • Advisory
1.0 Introduction
The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause an exploitable crash. Mozilla users are encouraged to review the Security Advisories for the affected Mozilla products (Firefox, Firefox ESR and Thunderbird) to determine which updates should be applied to mitigate these risks.

2.0 Impact
An attacker who successfully exploits these vulnerabilities could produce an exploitable crash or execute arbitrary code.

3.0 Affected Products
The Mozilla product updates are listed below:
  • Firefox 32
  • Firefox ESR 24.8
  • Firefox ESR 31.1
  • Thunderbird 24.8
  • Thunderbird 31.1

4.0 Recommendation
MyCERT highly recommends that users of these applications upgrade to the latest version of the affected products. The following updates are available:

4.1 Mozilla Firefox 32
Advisories can be referred at:
https://www.mozilla.org/security/known-vulnerabilities/firefox.html
Can be downloaded at:
https://www.mozilla.org/en-GB/firefox/new/

4.2 Mozilla Firefox ESR 24.8 and 31.1
Advisories can be referred at:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Can be downloaded at:
https://www.mozilla.org/en-US/firefox/organizations/all/

4.3 Mozilla Thunderbird 24.8 and 31.1
Advisories can be referred at:
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
Can be downloaded at:
https://www.mozilla.org/en-GB/thunderbird/

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements by the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
E-mail : [email protected] or [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours : Mon - Fri 09:00 - 18:00 MYT
Web : https://www.mycert.org.my
Twitter : http://www.twitter.com/mycert

5.0 References