Wednesday, May 9, 2018

Week 9 - Security Assessment - Review

As this class concludes, it's time to go back through the past weeks and evaluate the different stories I covered for the security assessment each week. While I covered a lot of unique topics, one theme popped up a few too many times: breaches. And not just any kind of breach, but breaches against large companies that should have had security measures in place to prevent these sorts of attacks. It shows us that if the giants of the world are susceptible to breaches, then small companies are in just as much danger. As I parsed through all the stories again, I noticed a point I brought up time and time again: most of these attacks and breaches could have been prevented, or at least lessened, had proper security measures been employed from the start. It is not enough to simply respond to problems as they appear; we should be actively looking to safeguard systems and constantly running checks and tests to make sure no one ever gains access to a system.


With the analysis of my subject matter done, I can move on to analyzing the sources of my material. When I went about finding stories for this blog, I used the website "Internet Storm Center", which shows a collection of the latest stories. I liked using this website because the stories that came in were varied and ranged across many different topics. Another plus is that the sites hosting the stories were varied as well, lending a wide breadth of information. While this method of finding a story worked, there was one week in which I bucked the trend and did something different. For my article regarding the Panera website breach, the article was forwarded to me by my wife, who was astonished at the account. We briefly discussed the article and how ridiculous it was, noting that it feels like your information is not even safe at a fast food chain. Overall, I really enjoyed that week's post, and I wish I had approached more articles like that.


Lastly, I'll discuss whether I think this blog would be useful, and offer some helpful hints to the next group of students. First, I think these types of blogs are excellent sources of information for security professionals, and they should actively seek out this information as much as possible. Not only does a post condense the article down to its points, it can offer helpful information from a variety of sources as to what could have been done and what people should do to prevent it. While I agree that these posts are great for security professionals, I think they might also be of great use to everyone. Most of the time these stories do not make national headlines, and sometimes they don't get the attention they need. There is plenty of information that is extremely relevant to the everyday person, and they should look to incorporate these types of posts in their daily internet reads. Lastly, my greatest lesson for the next group of students is to look for the stories that really speak to you. The most fun I had while creating these posts was with the ones that really stuck out to me, or that I was somehow invested in. Articles like the Panera breach and the WebLogic hacks directly affected my life in some way, and I feel I made much better articles because of it. Give yourself some time and monitor topics over several days. Too often I wanted to get an article written that same day, the articles weren't all that interesting, and I feel I had to stretch to make them work.


Good luck!

Wednesday, May 2, 2018

Week 8 - Security Assessment - Inadequate Patching

For this week's security assessment, I chose the article entitled "Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch" on bleepingcomputer.com. The article explains that shortly after Oracle released its quarterly "Critical Patch Update" (Cimpanu, 2018), hackers began scanning the web for any WebLogic servers exposed to the Internet. The vulnerability the patch addressed was rated "9.8 out of 10" (Cimpanu, 2018) in severity, and it allowed attackers "to execute code on remote WebLogic servers without needing to authenticate" (Cimpanu, 2018). In other words, anyone who could reach the server over the network could run code on it, which is about as bad as a server-side flaw gets and demanded an immediate response. While Oracle's attempt to fix this major problem is admirable, the solution the company settled on was not complete: the patch announcement drew attackers' attention to the flaw, while servers that had applied the patch were still exploitable, so instead of securing the problem it potentially made things worse.


The way Oracle went about fixing the problem was to "blacklist the commands" (Cimpanu, 2018) that hackers were using to execute remote commands and take over the WebLogic server, instead of fixing the underlying problem that allowed them to do so in the first place. A blacklist only rejects the inputs someone thought to put on it; anything not on the list still reaches the vulnerable code path. That meant the problem was still out there, and hackers only needed to find another input that wasn't on the list, which didn't take very long. While Oracle blacklisted many of the commands hackers had been using to gain access to the server, they missed several, leaving the door wide open. Worse, an administrator who applied the patch would reasonably believe the server was protected. This response feels like the patch was rushed out to close the vulnerability quickly, without enough testing to verify that the fix actually did what it was supposed to do and that it was complete. Instead, we are left with systems that are still vulnerable even after the patch.


I chose to write on this story this week for a few different reasons. The first is that in the past I have worked on several WebLogic servers for projects. Most of these servers were giant hulking monstrosities that no one wished to touch, as no one quite understood how they worked. Worse yet, these machines rarely received patches and would stay at the same version from the time they were installed. We need to be diligent about patching frequently, so that when major issues like this one are found and fixed, our software is updated alongside them.


However, with all of that said, I think this article really illustrates that vendors whose job it is to keep software secure need to make sure their fixes are properly vetted and don't simply 'paint over' the issue. Fixes should address the core issue where possible, and they should be checked thoroughly to make sure the vulnerability is completely gone. In practice that means testing the fix not only against the exact exploit that was reported, but against variations of it, since a blacklist that stops today's payload says nothing about tomorrow's. The quick fix might have been just disabling the known commands, but as we have seen, if you miss one, hackers regain access to the server.
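To make the blacklist-versus-root-cause point from the paragraphs above concrete, here is an added example; it is not code from the original post and not Oracle or WebLogic code. It uses a constructed toy service, `dispatch_blocklist`, that takes a command line from an unauthenticated client and runs it, "patched" in the same spirit the article describes (reject the command names attackers were seen using). Beside it is `dispatch_allowlist`, which removes the root cause by never letting the client choose the program at all, and an `audit` routine of the kind a vendor should run before shipping a fix: it throws a set of constructed attacker variants at each version and reports which ones still reach the execution sink. The command names, the attacker inputs and the `execute` stand-in are all assumptions made for the illustration.

```python
"""Why a blacklist of attacker commands is an incomplete patch (added example).

Everything here is constructed for illustration; it is not how WebLogic or
Oracle's patch is implemented. The point is the pattern, not the product.
"""
import shlex


class Blocked(Exception):
    """Raised when a dispatcher refuses a request."""


def execute(argv):
    """Stand-in for the dangerous sink (think subprocess.run(argv)).

    Nothing is actually run; we return a string so the audit can observe
    that untrusted input reached the sink.
    """
    return "executed " + argv[0]


# The "patch": the command names that were observed in attacks in the wild.
# Assumed list for the example.
KNOWN_BAD = {"bash", "sh", "wget", "curl"}


def dispatch_blocklist(request):
    """Rushed fix: refuse the commands seen so far, pass everything else."""
    argv = shlex.split(request)
    if not argv:
        raise Blocked("empty request")
    if argv[0] in KNOWN_BAD:
        raise Blocked(argv[0])
    return execute(argv)


# Root-cause fix: the client selects an operation by name; the server owns
# argv entirely, so there is no attacker-controlled program name to filter.
ALLOWED = {
    "status": ["uptime"],
    "version": ["cat", "/etc/version"],
}


def dispatch_allowlist(request):
    """Hardened version: only pre-defined operations can reach the sink."""
    argv = ALLOWED.get(request.strip())
    if argv is None:
        raise Blocked(request)
    return execute(argv)


# Constructed attacker variants. The first two are exactly what the blacklist
# was written against; the rest are the kind of trivial rewrites a scanner
# tries next.
ATTEMPTS = [
    "bash -c id",               # blocked: the original payload
    "sh -c id",                 # blocked
    "/bin/bash -c id",          # same binary, absolute path: not on the list
    "python3 -c 'import os'",   # a different interpreter: never seen before
    "perl -e 'exec q(id)'",     # another one
    "env bash -c id",           # a wrapper that launches the blocked binary
]


def audit(dispatcher, attempts=ATTEMPTS):
    """Return the attempts that reached the sink, i.e. the holes a fix leaves.

    This is the regression check a vendor should run before declaring a
    vulnerability closed: an empty list is the only acceptable result.
    """
    escaped = []
    for request in attempts:
        try:
            dispatcher(request)
        except Blocked:
            continue
        escaped.append(request)
    return escaped


if __name__ == "__main__":
    for name, fn in (("blocklist", dispatch_blocklist),
                     ("allowlist", dispatch_allowlist)):
        holes = audit(fn)
        print(f"{name}: {len(holes)} of {len(ATTEMPTS)} attempts still executed")
        for h in holes:
            print("   ", h)
```

Running the script shows four of the six constructed attempts sailing past the blacklisted dispatcher, while the allowlisted one rejects all of them. The difference is structural, not a matter of a longer list: `dispatch_allowlist` has no code path in which the client's string becomes a program name, so there is nothing left for the next variant to slip through.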


Sources Cited:
Cimpanu, C. (2018, April 30). Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch. Retrieved May 2, 2018, from https://www.bleepingcomputer.com/news/security/hackers-scan-the-web-for-vulnerable-weblogic-servers-after-oracle-botches-patch/