PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Cyberattack: Unprecedented cyber attack takes Liberia’s entire internet down

Top story: Cyber attacks disrupt PayPal, Twitter, other sites

Threats and vulnerabilities: Critical MySQL flaws can allow attackers to hack into your server

Threats and vulnerabilities: Google discloses critical Windows zero-day that makes all Windows users vulnerable

Google discloses critical Windows zero-day that makes all Windows users vulnerable

Google has once again publicly disclosed a zero-day vulnerability in current versions of Windows operating system before Microsoft has a patch ready.

Yes, the critical zero-day is unpatched and is being used by attackers in the wild.

Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.

According to a blog post by Google's Threat Analysis Group, the reason behind going public is that it has seen exploits for the vulnerability in the wild and, according to its internal policy, companies should patch or publicly report such bugs after seven days.

Windows zero-day is actively being exploited in the wild

The zero-day is a local privilege escalation vulnerability that exists in the Windows operating system kernel. If exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised system.

The flaw "can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," Google's Neel Mehta and Billy Leonard said in a blog post.

"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft.

Adobe pushed an emergency patch for its software last Wednesday.

The Flash Player bug was also being exploited in the wild against organizations in targeted attacks.

According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems.

Since the Windows zero-day vulnerability is being actively exploited in the wild, Google shared only basic details about the bug on Monday.

Microsoft has yet to roll out a fix

Needless to say, Microsoft is not at all happy about the disclosure.

In response, Microsoft said Google's disclosure has potentially placed customers at risk, adding that the company believes in coordinated vulnerability disclosure.

"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft has not provided any details as to when the company will roll out a fix for the flaw.

This is not the very first time that Google and Microsoft have been at odds over vulnerability disclosure. Microsoft has a long history of bungling patches, so the move could eventually lead the company into quickly rolling out an update.

Meanwhile, users are advised to update their Flash software now and apply Windows patches as soon as they become available.


Source:

http://thehackernews.com/2016/10/google-windows-zero-day.html

Our perspective

We recommend that organisations consider the risks and vulnerabilities in their specific environment and create a patching strategy for all Windows systems to apply updates as soon as they become available.


Critical MySQL flaws can allow attackers to hack into your server

Critical vulnerabilities affecting MySQL, MariaDB and PerconaDB can lead to full compromise of servers. The flaws could be exploited by attackers for arbitrary code execution, root privilege escalation and, of course, server compromise.

Dawid Golunski (@dawid_golunski) from Legal Hackers has disclosed this week details about the vulnerabilities, including the proof-of-concept exploits for two flaws.

Both vulnerabilities affect MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier; they also affect MySQL database forks, including Percona Server and MariaDB.

The first vulnerability, tracked as CVE-2016-6663, is a privilege escalation/race condition flaw; a local attacker could exploit it to escalate his privileges and execute arbitrary code.

“The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically ‘mysql’),” states the security advisory published on legalhackers.com. “Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.”

Golunski noticed that an attacker could fully compromise the target server by chaining the flaw with the other privilege escalation vulnerabilities (CVE-2016-6662 and CVE-2016-6664) he discovered in September.

The second vulnerability discovered by Golunski is a root privilege escalation flaw, tracked as CVE-2016-6663, that can be exploited along with the race condition bug.

“MySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files,” reads the security advisory.

The flaw resides in the way error logs and other files are managed: the error.log file is handled with unsafe file operations, which attackers can exploit to replace it with an arbitrary system file.

The video PoC will be published soon at the following link:

https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

Source:

http://securityaffairs.co/wordpress/53016/hacking/mysql-hack.html

Our perspective

We strongly recommend that administrators assess the risk of these vulnerabilities and apply patches as soon as possible in order to protect themselves from hackers seeking to exploit them. As a temporary measure, they should disable symbolic link support in the database server configuration (my.cnf) by setting symbolic-links = 0, in an attempt to avoid a cyberattack.
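To make the affected-version list and the interim my.cnf mitigation above checkable, here is an added Python example (not code from the advisory, the article or PwC): it parses a mysqld version banner, compares it with the release ranges named in the article, and confirms whether symbolic link support is switched off. The banner and configuration strings are constructed samples, not real hosts.

```python
import configparser
import re
from typing import Optional, Tuple

# Highest affected patch level per branch, taken from the article text.
# MariaDB and Percona Server are also affected, but the text gives no numbers.
AFFECTED_UP_TO = {(5, 5): 51, (5, 6): 32, (5, 7): 14}

# Constructed sample inputs (not taken from any real system).
SAMPLE_BANNER = "mysqld  Ver 5.7.14 for Linux on x86_64 (MySQL Community Server (GPL))"
WEAK_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsymbolic-links=1\n"
FIXED_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsymbolic-links=0\n"


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of a 'mysqld --version' style banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> Optional[bool]:
    """True/False for the branches the article names; None when it is silent."""
    branch = version[:2]
    if branch not in AFFECTED_UP_TO:
        return None
    return version[2] <= AFFECTED_UP_TO[branch]


def symlinks_disabled(my_cnf_text: str) -> bool:
    """True when the [mysqld] section switches symbolic link support off."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return False
    sect = cp["mysqld"]
    if "skip-symbolic-links" in sect:  # equivalent spelling of the same switch
        return True
    value = sect.get("symbolic-links", "1") or "1"  # bare key means enabled
    return value.strip().lower() in ("0", "off", "false")


def assess(banner: str, my_cnf_text: str) -> str:
    """Combine both checks into the action an administrator should take."""
    affected = is_affected(parse_version(banner))
    if affected is None:
        return "version not covered by the article; consult the vendor advisory"
    if not affected:
        return "not in an affected range"
    if symlinks_disabled(my_cnf_text):
        return "affected; interim mitigation in place, patch as soon as possible"
    return "affected; no mitigation, patch now and set symbolic-links=0 meanwhile"
```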

Unprecedented cyber attack takes Liberia’s entire internet down

An unprecedented cyber attack has knocked Liberia's internet offline, as hackers targeted the nation's infrastructure using the same method that shut down hundreds of the world's most popular websites at the end of last month.

The attack, which is the same used to shut off sites including Netflix, eBay and Reddit, fuels fears that cyber criminals are practicing ways to sabotage the US' internet when the country heads to the polls on November 8.

Multiple attacks against Liberia's rudimentary internet infrastructure have intermittently taken the country's websites offline over the course of a week.

Although it isn't clear who was behind either attack, experts said the method used was simple enough to have been launched by a lone actor and that it appeared to have come from the same source.

The attacks on Liberia and Dyn, the domain name server provider responsible for hundreds of popular websites, used a weapon called the Mirai botnet, which is an army of infected webcams, DVD players and other internet-connected devices, to send an overwhelming amount of traffic to the target in order to knock it offline.

In a similar way that ticketing websites crash when a popular event goes on sale, the attackers are able to disable whole computer networks and websites using Mirai to launch a distributed denial of service assault.

Traditionally the weapon of mischievous teenagers, the Liberia attack is the first time that a DDoS has been used to bring down a whole country's network.

It did so by targeting the two companies that co-own the fibre internet cables into the country with unprecedented amounts of traffic.

"Over the past week we've seen continued short duration attacks on infrastructure in the nation of Liberia," said Kevin Beaumont, a computer security expert. "The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state."

No one has yet claimed responsibility for the Liberia attack or the one against Dyn, but they are very similar in nature, according to experts.

"Given the volume of traffic, it appears to be owned by the actor which attacked Dyn," said Beaumont. The source code, or instructions for how to use the Mirai botnet, was released online earlier this year and is free to use for anyone with the technical understanding. Security and technology experts have warned that the recent DDoS attacks could be a trial run for hackers looking to interfere with the US election.

"Good chance of major internet attack November 8. Many groups have the ability and incentive. Maps outage alone could easily skew the election," said Adam D’Angelo, chief executive of Quora and former chief technology officer at Facebook. "Last Friday’s attack should be enough evidence. Print out directions so you can vote/campaign without internet."

In the worst case scenario, the Mirai botnet could be used to shut down sites providing voters with information and maps websites that are key to helping people find their polling station.

"The effect of these scenarios is further compounded by a lack of enthusiasm among voters, which is particularly high in this election," said Imperva. "A DDoS attack inconveniencing voters may be all that is needed to cause them to stay at home."

It could also be used to target the five states that have electronic voting and knock out the communications systems that relay results to the public.

"A DDoS attack on the AP’s election night system could result in a delayed tally," said Sean Sullivan, a researcher at F-Secure who demonstrated how hackers could tamper with the AP. "In the current political environment, delayed results will spread suspicions of voter fraud."

Source:

http://www.telegraph.co.uk/technology/2016/11/04/unprecedented-cyber-attack-takes-liberias-entire-internet-down

Cyber attacks disrupt PayPal, Twitter, other sites

Hackers unleashed a complex attack on the internet through common devices like webcams and digital recorders and cut access to some of the world's best known websites on Friday, a stunning breach of global internet stability.

The attacks struck Twitter, Paypal, Spotify and other customers of an infrastructure company in New Hampshire called Dyn, which acts as a switchboard for internet traffic.

The attackers used hundreds of thousands of internet-connected devices that had previously been infected with a malicious code that allowed them to cause outages that began in the Eastern United States and then spread to other parts of the country and Europe. “The complexity of the attacks is what's making it very challenging for us,” said Dyn's chief strategy officer, Kyle York. The U.S. Department of Homeland Security and the Federal Bureau of Investigation said they were investigating.

The disruptions come at a time of unprecedented fears about the cyber threat in the United States, where hackers have breached political organisations and election agencies.

Friday's outages were intermittent and varied by geography. Users complained they could not reach dozens of internet destinations including Mashable, CNN, the New York Times, the Wall Street Journal, Yelp and some businesses hosted by Amazon.com Inc.

Dyn said attacks were coming from millions of internet addresses, making it one of the largest attacks ever seen. Security experts said it was an especially potent type of distributed denial-of-service attack, or DDoS, in which attackers flood the targets with so much junk traffic that they freeze up.

Vulnerabilities exploited

Dyn said that at least some of the malicious traffic was coming from connected devices, including webcams and digital video recorders, that had been infected with control software named Mirai. Security researchers have previously raised concerns that such connected devices, sometimes referred to as the Internet of Things, lack proper security.


The Mirai code was dumped on the internet about a month ago, and criminal groups are now charging to employ it in cyber attacks, said Allison Nixon, director of security research at Flashpoint, which was helping Dyn analyse the attack.

Dale Drew, chief security officer at communications provider Level 3, said that other networks of compromised machines were also used in Friday's attack, suggesting that the perpetrator had rented access to several so-called botnets.

The attackers took advantage of traffic-routing services such as those offered by Alphabet Inc's Google and Cisco Systems Inc's OpenDNS to make it difficult for Dyn to root out bad traffic without also interfering with legitimate inquiries, Drew said.

“Dyn can't simply block the (Internet Protocol) addresses they are seeing, because that would be blocking Google or OpenDNS,” said Matthew Prince, CEO of security and content delivery firm CloudFlare. “These are nasty attacks, some of the hardest to protect against.”

Government warned of attacks

Drew and Nixon both said that the makers of connected devices needed to do far more to make sure that the gadgets can be updated after security flaws are discovered.

Big businesses should also have multiple vendors for core services like routing internet traffic, and security experts said those Dyn customers with backup domain name service providers would have stayed reachable.
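As an added illustration of the backup-provider point above (not code from the article, Dyn or PwC), this Python check groups a zone's NS records by provider and reports whether the delegation would survive the loss of one of them. The NS answers and the .example names are constructed samples, and grouping by the last two labels is a simplification that ignores public-suffix rules.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample NS answers (placeholder .example names, not real zones).
# SINGLE_PROVIDER is in 'dig +short NS' form; DUAL_PROVIDER is in full
# answer-section form ('zone. TTL IN NS target.'). Both forms are handled.
SINGLE_PROVIDER = """\
ns1.provider-a.example.
ns2.provider-a.example.
ns3.provider-a.example.
"""
DUAL_PROVIDER = """\
example.test.  172800  IN  NS  ns1.provider-a.example.
example.test.  172800  IN  NS  ns2.provider-a.example.
example.test.  172800  IN  NS  dns1.provider-b.example.
example.test.  172800  IN  NS  dns2.provider-b.example.
"""


def parse_ns_output(text: str) -> List[str]:
    """Return NS targets from short or full dig output, lower-cased with a
    trailing dot; comment lines and non-NS records are skipped."""
    targets = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) > 1 and fields[-2].upper() != "NS":
            continue
        targets.append(fields[-1].lower().rstrip(".") + ".")
    return targets


def provider_of(nameserver: str) -> str:
    """Approximate the operating provider by the last two labels of the NS name.
    Simplification: public-suffix rules (e.g. co.uk) are not applied."""
    labels = nameserver.rstrip(".").split(".")
    return ".".join(labels[-2:])


def provider_groups(nameservers: List[str]) -> Dict[str, List[str]]:
    """Group NS hostnames by the provider that operates them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ns in nameservers:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def delegation_report(dig_output: str) -> dict:
    """Summarise whether the delegation survives the loss of one provider."""
    nameservers = parse_ns_output(dig_output)
    groups = provider_groups(nameservers)
    return {
        "nameservers": len(nameservers),
        "providers": sorted(groups),
        "redundant": len(groups) >= 2,  # extra NS at one provider is not redundancy
    }
```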

The Department of Homeland Security last week issued a warning about attacks from the Internet of Things, following the release of the code for Mirai.

Attacking a large domain name service provider like Dyn can create massive disruptions because such firms are responsible for forwarding large volumes of internet traffic.


Dyn said it had resolved one morning attack, which disrupted operations for about two hours, but disclosed a second a few hours later that was causing further disruptions. By Friday evening it was fighting a third.

Amazon's web services division, one of the world's biggest cloud computing companies, reported that the issue temporarily affected users in Western Europe. Twitter and some news sites could not be accessed by some users in London late on Friday evening.

PayPal Holdings Inc said that the outage prevented some customers in “certain regions” from making payments. It apologized for the inconvenience and said that its networks had not been hacked.

A month ago, security guru Bruce Schneier wrote that someone, probably a country, had been testing increasing levels of denial-of-service attacks against unnamed core internet infrastructure providers in what seemed like a test of capability.

Nixon said there was no reason to think a national government was behind Friday's assaults, but attacks carried out on a for-hire basis are famously difficult to attribute.

Source:

http://www.thehindubusinessline.com/info-tech/article9255008.ece


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

In India, PwC has offices in these cities: Ahmedabad, Bangalore, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub-license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to

PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/November2016-8004
