Are you talking to me? (again)
Another vague scare story. No reference to the risk factors. Is it a browser, OS, or Java vulnerability? Hence, do I have to take it seriously or not?
Researcher James Blasco is warning the auto and aerospace industries against engineering software that's been compromised by keystroke-logging and reconnaissance malware. Blasco says an un-named provider of such software was compromised after a staffer visited a watering hole website that was established specifically to lure …
From the link in the article:
"The attackers were able to compromise the website and include code that loaded a malicious Javascript file from a remote server. This Javascript file is a framework for reconnaissance that the attackers call "Scanbox" and includes some of the techniques we described in a previous blog post: Attackers abusing Internet Explorer to enumerate software and detect security products"
Perhaps the bigger news was the compromising of the engineering software company's web site in the first place. But they fail to say *who* that was, which might help other folk know if they might be exposed or not.
"Perhaps the bigger news was the compromising of the engineering software company's web site in the first place. But they fail to say *who* that was, which might help other folk know if they might be exposed or not."
How does it help the intended victims? OK, they avoid software company X (possibly to the extent of that company going out of business), but the real issue is that the target companies themselves are operating vulnerable software that they need to address. The bad guys can easily move on to another industry-specific watering hole, so avoiding the original launch site achieves nothing. Indeed, if the attackers are taking a strategic approach, they're sitting on a catalogue of vulnerabilities to use when the current crop are patched, they'd have future watering hole sites already identified, and duplicate C&C servers in reserve against a takedown.
What troubles me is that the auto and aerospace sectors are dominated by big, technologically advanced companies, with plenty of IP to protect. They have small armies of people like the target demographic of the Reg to look after IT security. Which means that either the crooks will find the drawbridge is already up and castle defended, OR these IT security professionals (us) continue to run hideously vulnerable crudware in the first place (like Java, Flash, Acrobat Reader), and the installations are presumably unpatched as well.
I'm inclined to the latter view, but I'd welcome the view of people more directly involved.
"How does it help the intended victims? OK they avoid software company X (possibly to the extent of that company going out of business), but the real issue"
That is not what I meant as quite certainly company X has already cleaned its servers up.
The point is if you have been on company X's site then you might want to look more carefully at your own security!
If Paul were to work for an antivirus company, he would identify the specifics of the 2 000 000 Windows virus variants and create a very specific definition for each.
To the techy, it does not matter who, it is the how that matters. I agree that for law enforcement, the who is equally as important as the how.
I would take it even further: imagine it were some girl called Peppa Pig who managed to 0wn a web server running IIS 7.2.0.1.30.24.55 (version number completely made up, of course). You are probably gonna sigh in relief, since you have IIS version 7.2.0.1.31.48.89 ... but Peppa is a bright girl; she managed to 0wn a few other websites running on IIS 8 and Apache. I guess you say: let's switch to nginx and hope Peppa does not have a vuln up her sleeve for that.
Yes, it is important to patch your servers, of course, but when it comes to network security, you need not focus solely on versions of software, but also on techniques. Here they do warn to watch out for mail.webmailgoogle.com etc., etc. ... but somebody else will come along with webmailhotmail.com or whatever ... who says they are not using a wide array of servers?
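The last comment's point, that blocking one named domain such as mail.webmailgoogle.com is pointless because the next campaign will use webmailhotmail.com or something similar, suggests detecting the technique rather than the indicator: a hostname that embeds a well-known brand name but is not registered under that brand's real domain. The script below is an added example written for this page, not code from the thread, the researcher or any product. It assumes a simple whitespace-separated proxy log format (timestamp, client IP, host, path) that I made up for illustration, a hand-maintained map of brand tokens to their legitimate registered domains, and a naive "last two labels" notion of registered domain rather than a public suffix list; the log lines are constructed sample data.

```python
"""Flag brand-lookalike hostnames in proxy logs (added example, assumptions noted)."""
import re

# Assumption: a small, hand-maintained map of brand tokens to the registered
# domains that legitimately carry that brand. Any host containing the token
# but resolving to a different registered domain is treated as a lookalike.
LEGIT_DOMAINS = {
    "google": {"google.com", "googleusercontent.com"},
    "hotmail": {"hotmail.com", "live.com", "outlook.com"},
    "microsoft": {"microsoft.com"},
}

# Assumed log format: "<timestamp> <client_ip> <host> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def registered_domain(host):
    """Naive registered domain: the last two DNS labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_tokens(host):
    """Brand names that appear anywhere in the hostname, e.g. 'google' in webmailgoogle.com."""
    lowered = host.lower()
    return {brand for brand in LEGIT_DOMAINS if brand in lowered}


def is_lookalike(host):
    """True if the host mentions a brand but is not under that brand's real domain."""
    reg = registered_domain(host)
    return any(reg not in LEGIT_DOMAINS[brand] for brand in brand_tokens(host))


def scan_log(lines):
    """Return (timestamp, client, host) for every well-formed line whose host is a lookalike."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        host = match.group("host")
        if is_lookalike(host):
            hits.append((match.group("ts"), match.group("client"), host))
    return hits


# Constructed sample log lines; the hosts are the two from the comment plus benign traffic.
SAMPLE_LOG = [
    "2014-09-02T10:01:02Z 10.1.2.3 mail.google.com /mail",
    "2014-09-02T10:01:05Z 10.1.2.4 mail.webmailgoogle.com /tracker.js",
    "2014-09-02T10:02:11Z 10.1.2.5 webmailhotmail.com /login",
    "2014-09-02T10:02:40Z 10.1.2.6 outlook.live.com /owa",
    "2014-09-02T10:03:00Z 10.1.2.7 www.example.com /",
    "this line is malformed",
]

if __name__ == "__main__":
    for ts, client, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} contacted lookalike host {host}")
```

Running it prints the two lookalike hosts and nothing for the legitimate Google and Outlook traffic. The brand map is the weak point of this approach: it needs curating, and the naive registered-domain logic will misjudge two-level country suffixes, so a real deployment would swap in a public suffix list. The value is that it catches the pattern rather than a single hostname.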