Venom Less Toxic Than Heartbleed

It was a little over a year ago that the Heartbleed bug shocked the Internet with its potential for mischief. Now another flaw in open source code has sent network administrators into damage control mode.

The bug, called “Venom” for “Virtualized Environment Neglected Operations Manipulation,” lies in the virtual floppy disk controller code that several hypervisors inherit from the open source QEMU emulator. It allows an intruder who already has administrative control of a guest to jump out of that virtual machine and execute malicious code on its host, from which every other guest on the same host is reachable. Virtual machines are widely used in data centers, so it has the potential to cause widespread mischief.

“Exploitation of the Venom vulnerability can expose access to corporate intellectual property, in addition to sensitive and personally identifiable information, potentially impacting the thousands of organizations and millions of end users that rely on affected [virtual machines] for the allocation of shared computing resources, as well as connectivity, storage, security and privacy,” reads a post on the CrowdStrike website. Venom was discovered by Jason Geffner, CrowdStrike senior security researcher.

Although the bug will make many system administrators shudder, it is not only easier to fix than Heartbleed, but also more difficult to exploit. Heartbleed required not only a patch but also the revocation and reissue of any keys and certificates that might have leaked; Venom is closed by patching the hypervisor on the host and restarting the affected guests, and exploiting it first requires a foothold with privileged access inside a guest.

Moreover, major hypervisor makers VMware and Microsoft have said their offerings are not affected by the bug. Amazon, which uses virtual machines as a staple of its cloud infrastructure, also has said that its systems are unaffected.

Ifs, Ands and Buts

Because an organization could have thousands of virtual machines in its data center, attackers trying to exploit Venom easily could find themselves in a virtual jungle.

“If you broke out of a VM, you wouldn’t know what server you’d end up on unless you had a sophisticated penetration team,” said Jared DeMott, a principal security researcher at Bromium.

“You’d need some good intel ahead of time about how a network is laid out, so you could move horizontally in the system from your beachhead to where you want to be,” he told TechNewsWorld.

“The bug could enable complicated attack scenarios, but this isn’t as big a deal as some other big open source bugs, because a lot of hypervisors either weren’t vulnerable to the bug, or the cloud providers have already removed the dead code that enables the bug,” DeMott said.

“It isn’t like a Word bug that affects every version of Word, where you can email everyone a Word document and — boom — you’re inside a corporate network. Then you’re where you want to be,” he explained.

“Then the attacker doesn’t need to be skilled to use a weapon like that,” DeMott continued. “With Venom, there’s a lot of ifs, ands and buts.”

Herding Routers

Routers for home wireless networks have been cited by security experts for some time as a ripe target for data theft by cybercriminals, but last week they were found to be useful for another purpose: distributed denial-of-service attacks.

“We don’t usually see routers herded together into a big botnet and used for DDoS attacks,” said Tim Matthews, vice president of marketing for Incapsula, which discovered the attacks on 60 of its customers.

Routers are typically vulnerable because they ship with easily discoverable default usernames and passwords, which many consumers never change. Some also carry vendor administrator accounts and passwords that consumers don’t even know about.

Still, to seize a router you need to change its configuration, and to do that, even with a valid username and password, you ordinarily need to be on the home network itself, because the administrative interface is meant to listen only on the LAN side. Not so with the routers used in these DDoS attacks.

“These routers could be configured remotely with default credentials,” Matthews told TechNewsWorld. “That meant the attackers with a script they created could automatically herd up all these routers into really big botnets.”

Why did the router maker enable remote configuration?

“It makes customer support easier, because you always know what the administrator’s password is,” Matthews explained.

“It’s about time for manufacturers to stop provisioning routers with default passwords,” he said. “More importantly, they should not allow access to these routers by people who aren’t on the same network.”
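A botnet of herded routers looks different from a single abusive client: many source addresses, each sending far more requests than a human would, all presenting the same request fingerprint. The following script is an added example, not code from the article or from Incapsula, that runs that kind of detection over a few constructed access-log lines in Common Log Format. It first finds sources whose request rate within a sliding window exceeds a per-IP limit, then groups those sources by their dominant (User-Agent, path) pair and reports any pair shared by several addresses as a coordinated flood. The thresholds, the log lines and the IP addresses are assumptions chosen for illustration.

```python
"""Flag likely botnet DDoS sources in web access logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format with referer and user-agent appended (the usual "combined" layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "ua": m.group("ua"),
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:  # slide the left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines, window=timedelta(seconds=10), per_ip_limit=20, min_ips=3):
    """Return high-rate sources and the request fingerprints shared by several of them."""
    by_ip = defaultdict(list)          # ip -> list of timestamps
    fp_by_ip = defaultdict(Counter)    # ip -> Counter of (user-agent, path)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e["ts"])
        fp_by_ip[e["ip"]][(e["ua"], e["path"])] += 1

    # Stage 1: any single source exceeding the per-IP rate limit (assumed threshold).
    high_rate = {ip for ip, ts in by_ip.items() if max_in_window(ts, window) > per_ip_limit}

    # Stage 2: high-rate sources that share one dominant fingerprint look coordinated.
    groups = defaultdict(set)
    for ip in high_rate:
        dominant_fp = fp_by_ip[ip].most_common(1)[0][0]
        groups[dominant_fp].add(ip)
    coordinated = {fp: sorted(ips) for fp, ips in groups.items() if len(ips) >= min_ips}
    return {"high_rate": sorted(high_rate), "coordinated": coordinated}


def constructed_log():
    """Constructed sample: four same-fingerprint flood sources, one lone scraper, two normal users."""
    base = datetime(2015, 5, 12, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = []
    for n in range(4):                                   # flood: 30 hits in ~4.5 s each
        for k in range(30):
            ts = base + timedelta(milliseconds=150 * k)
            lines.append(fmt.format(ip=f"203.0.113.{10 + n}", ts=ts.strftime(TS_FMT), path="/", ua=bot_ua))
    for k in range(25):                                  # lone scraper: fast but unique fingerprint
        ts = base + timedelta(milliseconds=300 * k)
        lines.append(fmt.format(ip="192.0.2.7", ts=ts.strftime(TS_FMT), path="/api", ua="python-requests/2.7.0"))
    for n, ua in enumerate(["Mozilla/5.0 (X11; Linux x86_64) Firefox/37.0", "curl/7.42.0"]):
        for k in range(3):                               # normal users: three hits 20 s apart
            ts = base + timedelta(seconds=20 * k)
            lines.append(fmt.format(ip=f"198.51.100.{n + 1}", ts=ts.strftime(TS_FMT), path=f"/page{k}", ua=ua))
    return lines


if __name__ == "__main__":
    result = analyze(constructed_log())
    print("high-rate sources:", result["high_rate"])
    for (ua, path), ips in result["coordinated"].items():
        print(f"coordinated flood on {path} with UA {ua!r}: {len(ips)} sources {ips}")
```

The two-stage split matters in practice: the lone scraper trips the rate limit but is not part of the coordinated group, so an operator can rate-limit it individually while applying a shared signature rule to the botnet as a whole. On real traffic the fingerprint should include more than User-Agent and path (header order, TLS parameters, request timing), and the thresholds need tuning against a baseline of legitimate load.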

Mobile Workforce

Workers are becoming more and more mobile, but many organizations appear to be challenged by the security issues created by mobility. For example, a survey of 330 IT and security professionals released last week found that 64 percent of them said a majority of their workers can access the data of their companies remotely, yet half of the respondents admitted they had inadequate or no controls in place over mobile media.

“If these devices aren’t managed, it leaves the enterprises very vulnerable,” said Marina Donovan, executive director of global marketing for Imation, which sponsored the survey conducted by the SANS Institute.

Use of encryption on USB drives — a popular way for workers to store company data they’re working on — was very low, the survey found. For companies with more than 10,000 workers it was 13 percent; for those with from 500 to 10,000 employees, 7 percent.

“That’s crazy,” Donovan told TechNewsWorld. “That’s surprising, because it’s readily available and easy to execute.”

Breach Diary

  • May 11. Tech blogger Bob Sullivan reports stolen usernames and passwords are being used to siphon money from Starbucks user accounts.
  • May 12. Juniper Research forecasts that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to US$2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015.
  • May 13. U.S. House of Representatives approves by vote of 338-88 and sends to Senate the USA Freedom Act, which reportedly would shut down portions of the NSA’s domestic surveillance program.
  • May 13. Oregon U.S. Attorney indicts five men for filing false federal tax returns netting refunds of $2 million by mining information from a database stolen from CICS, a pre-employment and volunteer background check company based in Lincoln City, Oregon.
  • May 14. Distil Networks releases annual bad bot report estimating that 22 percent of all Web traffic is produced by bad bots and 8 percent of all mobile Web traffic is created by them.
  • May 14. Sally Beauty Holdings, based in Denton, Texas, confirms second data breach in two years. Details of the breach not disclosed because incident is still under investigation.
  • May 15. Brian Krebs reports database of mobile monitoring software maker mSpy has been posted to the Dark Web after an apparent data breach. Database includes emails, text messages, payment details, Apple IDs, passwords, photos and location data for mSpy users.
  • May 15. UPMC in Pittsburgh notifies some 2,200 patients treated at its emergency departments that their personal information may have been disclosed illegally to a third party by an employee of Medical Management.
  • May 15. Penn State disconnects its school of engineering from Internet computer systems after security experts warn university of two cyberattacks on the school, one of which may have originated in China.

Upcoming Security Events

  • May 19. Has Your Cyber Security Program Jumped the Shark? 1 p.m. ET. Dark Reading webinar. Free with registration.
  • May 19. Detecting Threats Via Network Anomalies. 2 p.m. ET. Black Hat webcast. Free with registration.
  • May 21. Ponemon Institute: The Cost of Time To Identify & Contain Advanced Threats. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • May 26-29. Symposium on Electronic Crime Research. CaixaForum / Casa Ramona, Avenue Francesc Ferrer i Guàrdia, 6-8, Barcelona, Spain. Through May 11: APWG members, 400 euros; students and faculty, 300 euros; law enforcement and government, 400 euros; others, 500 euros. After May 11: APWG members, 500 euros; students and faculty, 350 euros; law enforcement and government, 500 euros; others, 600 euros.
  • May 27-28. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), 2 Galleria Parkway Southeast, Atlanta. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • May 28. Healthcare Data is Under Attack. 1 p.m. ET. Webinar on Ponemon Institute study sponsored by ID Experts. Free with registration.
  • May 30. B-Sides New Orleans. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Cost: $10.
  • June 3. B-Sides London. ILEC Conference Centre, 47 Lillie Road, London, SW6 1UD, UK. Free.
  • June 3. Using Your Network and Cisco ASR 9000 for Comprehensive DDoS Protection. 10 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • June 8-10. SIA Government Summit 2015. W Hotel, Washington, D.C. Meeting fees: members, $595; nonmembers, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 13. B-Sides Charlotte. Sheraton Charlotte Airport, 3315 Scott Futrell Dr. Charlotte, North Carolina. Free.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, £400; before June 16, £500; after June 15, £600.
  • June 16-18. AFCEA Defensive Cyber Operations Symposium. Baltimore Convention Center, Baltimore, Maryland. Registration: government-military, free; member, $575; nonmember, $695; small business, $445; other, $695.
  • June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 19-20. Suits and Spooks NYC. Soho House, New York City. Registration: $595.
  • June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd, Cleveland Heights, Ohio.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
