Category Archives: Best Practices

Adobe Releases Emergency Patch For ColdFusion

Adobe seems to have trouble catching a break sometimes.

Today they released an emergency patch for a vulnerability in ColdFusion, the application server Adobe picked up when it bought Macromedia in 2005.

The bug lets an attacker bypass the application's file upload restrictions, upload a malicious executable, and then get the target server to run it, giving the attacker complete control over the compromised system.

All ColdFusion versions on all platforms are affected.
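Upload restriction bypasses are a whole class of bugs, so it is worth seeing what one looks like in code. The following Python is an added example, not Adobe's code and not the logic of the actual ColdFusion flaw (which the post does not detail): a blocklist check of the kind that gets bypassed, next to an allowlist check that also validates the content and never reuses the client's filename. The allowed extensions, magic bytes and naming scheme are assumptions for a hypothetical application.

```python
import os
import re
import secrets

# Assumption: the only file types this hypothetical application needs to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}

# Leading bytes for each allowed type, so a .jpg that is really a script is refused.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def weak_is_allowed(filename: str) -> bool:
    """Blocklist check of the kind that gets bypassed.

    Refuses a few server-side extensions and trusts everything else, so
    double extensions, NUL bytes and trailing dots all slip through."""
    lowered = filename.lower()
    return not lowered.endswith((".cfm", ".cfml", ".cfc", ".jsp", ".exe"))


def hardened_upload_name(filename: str, content: bytes):
    """Allowlist check. Returns a random on-disk name with a vetted
    extension, or None if anything about the upload is off.

    Refuses path components, NUL bytes, more than one dot, extensions not in
    the allowlist, and content whose first bytes do not match the extension.
    The returned name is meant for a directory outside the web root."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        return None
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not content.startswith(MAGIC[ext]):
        return None
    # Never reuse the client's name: random name, vetted extension.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed upload attempts: renamed scripts and a genuine JPEG header.
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    for name, body in [("shell.cfm.jpg", b"<cfscript>"),
                       ("shell.cfm\x00.jpg", b"<cfscript>"),
                       ("shell.cfm.", b"<cfscript>"),
                       ("photo.jpg", jpeg_head)]:
        print(repr(name), "weak:", weak_is_allowed(name),
              "hardened:", hardened_upload_name(name, body))
```

Even the hardened check is defense in depth, not the fix: uploads should land in a location the server will never execute from, and the ColdFusion patch itself still has to be applied.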

While Adobe quickly released a patch, as we saw with the Equifax breach, releasing a patch is slightly different than getting users to install it.

Often users do not even know what base platform an application is built on, which is exactly what a software bill of materials is supposed to record.

Sometimes systems were developed years ago.  The people who developed them are long gone and the people left don’t know much about them.

The end result, like at Equifax, doesn’t always turn out well.

Whether your systems and applications were developed internally, purchased from a third party or are open source, if they are built on ColdFusion they are vulnerable.

If history is any indicator, there will be vulnerable systems out there for years.

If you have Cold Fusion in your environment, now would be a good time to install the patch.

Information for this post came from Bleeping Computer.


This is Why I am So Adamant About the Importance of Patching

Just ONE day after the announcement of the NINETEEN YEAR OLD bug in the very popular WinRAR utility, Check Point Software found examples of it being exploited in the wild.  Given that the vast majority of the 500 million copies will likely NEVER be patched, and that the bug lets an attacker take full control of the system, this is a bit of a problem.  The good news is that parts of the attack may be blocked (today, in this version) if the user is not a local admin.

In a somewhat entertaining turn of events, the WinRAR folks can't find the source code needed to fix the nineteen year old bug, so they opted to remove the affected feature (support for the ACE archive format) completely.  Most users will likely never notice it is gone.

And this situation is not unusual.

Also this week, the developers at Drupal patched a critical flaw that would allow hackers to take over your web site.  It is more likely that this bug will be patched than the WinRAR bug, but I am sure that there are many web sites that will never be patched.

Drupal is open source and WinRAR is closed source, a reminder that all software has bugs and that being open source does not by itself make software any less buggy than closed source software.

So what should you be doing?

If you do not already have a complete inventory of all software installed on all user devices and all servers, that is the place to start.  This inventory needs to be updated frequently.

Once you have this inventory, you need a plan to monitor all of these applications for newly disclosed bugs and available patches, so that you can patch quickly once a fix is available, and so that you can record the finding in your cyber risk register when there is no patch or when you decide not to install it now (or possibly ever).

Creating this protocol is important since the ONE DAY WINDOW BETWEEN THE ANNOUNCEMENT OF THE WINRAR PATCH AND THE EXPLOIT BEING FOUND IN THE WILD IS NOT ALL THAT UNUSUAL.

As a side note,  if you choose not to follow my advice and later have a breach attributed to a missing patch (think of the Equifax breach as an example of the problem missing patches cause), make sure your lawyers are all paid up because you will be sued.

Source: The Hacker News.

Linkedin Messaging Used to Target Businesses

Many employees are at least curious about their next job.  That is the basis for this attack.

The attacker sends LinkedIn direct messages from a legitimate LinkedIn account.

If that doesn't appeal to the target, the attacker sends emails to the target's business email address suggesting a job offer.

The link in the email points to a web page that looks like the home page of a legitimate recruiter's web site.

That web page will automatically download an infected Microsoft Office document.  The Office document has malicious macros in it and it will try to get the target to enable macros.

If the target enables the macros, they download the last stage of the attack, a backdoor called More_eggs, which gives the attacker persistent control of the infected computer.  Forever!

Once they have control of the machine they can download whatever other payloads they want to in order to further the attack – or attack other systems.

While this attack has a lot of vectors to get the victim to download the infected Word document, it ultimately boils down to convincing the user to enable macros.

If the user won’t click on the enable macro button, the entire scheme fails.
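The scheme also fails if the document never reaches the user. As an added example (not code from the original post or from the researchers it cites), here is a Python check that a mail or web gateway could run on an attachment to tell a macro-enabled Office document from a clean one, using the container layout rather than the file extension. The `build_sample` helper constructs a minimal stand-in for an OOXML document so the block runs offline; it is not a real Word file.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.docm/.xlsm) container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office'.

    OOXML documents are ZIP files; a VBA project lives in a vbaProject.bin
    part and is declared in [Content_Types].xml. The file extension is
    ignored on purpose: Office decides by content, and so does an attacker
    who renames a .docm to .docx."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"   # needs an OLE parser (e.g. oletools' olevba)
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML document, not a real Word file:
    just enough of the container layout for the check above to run on."""
    types_xml = (
        '<?xml version="1.0"?><Types>'
        '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    )
    parts = {"word/document.xml": "<w:document/>"}
    if with_macro:
        types_xml += ('<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
        parts["word/vbaProject.bin"] = "placeholder for the VBA storage"
    parts["[Content_Types].xml"] = types_xml + "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro doc", build_sample(True)),
                        ("clean doc", build_sample(False)),
                        ("legacy .doc", OLE2_MAGIC + b"\x00" * 16),
                        ("pdf", b"%PDF-1.4")]:
        print(label, "->", classify_office_attachment(blob))
```

This is only the container heuristic: it does not parse the VBA itself, does not handle the legacy OLE2 format (it just flags it for a real parser), and will not catch Excel 4.0 sheet macros, which live in the workbook rather than in a VBA project. It is meant to show where the macro is declared, not to replace a tool like olevba.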

Through simulated phishing attacks and other training, we have tried valiantly to stop users from clicking through warnings like the one that says macros have been disabled because they are dangerous and should be enabled only if you trust the sender.  People click on them anyway.

Judging by articles I found, this attack has been working since at least 2017.  Apparently well enough for attackers to continue using it.

Users are almost always the weakest link in the security chain.  This attack is no different.

Source: Bleeping Computer.

Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers who had compromised a law firm and, through it, the firm's client Hiscox Insurance; said differently, Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since  the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox's story was "it wasn't us", meaning the hackers didn't break into the insurance carrier itself.  But when it comes to lawsuits, Hiscox's customers are going to say that they gave the documents to Hiscox; if Hiscox passed them to someone else, that is Hiscox's problem, not theirs.  And I think the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At every level here we are talking about vendor cyber risk management (VCRM): between Hiscox's clients and Hiscox, and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn't really solve the problem.

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract saying they were not responsible, assuming Hiscox accepted such language.

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for bankruptcy and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
     And they are drunk

BE PREPARED!

Information for this post came from Motherboard.

When Will Web Developers Learn

Stanford University is considered a fairly good college.  They have some well known grads such as Sergey Brin and Larry Page (Google founders), Herbert Hoover, Peter Thiel (PayPal founder), John Steinbeck and Sandra Day O’Connor.

But apparently when it comes to software, they, themselves, are not so good.

A little over a year ago they exposed the personal details of thousands of students and non-teaching staff.

Now another bug allowed students to access the data of other students.  This one is neither a hack nor a bug in the usual sense, but rather the sloppy software design we see frequently: an insecure direct object reference, where the server hands back whatever record the client asks for.  Perhaps they should take a class in secure software development practices.

What did they do?

They put parameters on the address line, something like

www.stanford.edu/GetPrivateData?UserIdNumber=432643

While this is a bit of a simplification, if a user changed the number at the end, they could see other students’ information.
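The pattern and its fix, as an added Python example (this is not Stanford's or the vendor's code, and the record data, the `Session` type and the staff role are assumptions): a handler that trusts the `UserIdNumber` from the query string, beside one that checks object-level authorization before the lookup, and a self-service variant that drops the parameter altogether.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data standing in for a student information system.
STUDENT_RECORDS = {
    432643: {"name": "A. Student", "ssn_last4": "1234", "gpa": 3.7},
    432644: {"name": "B. Student", "ssn_last4": "9876", "gpa": 3.1},
}
# Assumption: registrar staff accounts may read any student's record.
STAFF_USERS = {900001}


@dataclass
class Session:
    """Set by the login layer from a session cookie; never from the URL."""
    user_id: int


class Forbidden(Exception):
    pass


def get_private_data_vulnerable(session: Session, user_id_number: int) -> dict:
    """The pattern the page describes: authenticated, but the record id comes
    from the query string and is trusted as-is. Any logged-in user can read
    any record by changing the number."""
    return STUDENT_RECORDS[user_id_number]


def get_private_data_fixed(session: Session, user_id_number: int) -> dict:
    """Object-level authorization: the caller gets the record only if it is
    their own or they hold a role allowed to read others'. Checked before
    the lookup so a 404 cannot be used to enumerate valid ids."""
    if session.user_id != user_id_number and session.user_id not in STAFF_USERS:
        raise Forbidden(f"user {session.user_id} may not read record {user_id_number}")
    return STUDENT_RECORDS[user_id_number]


def get_own_data(session: Session) -> dict:
    """Better still for self-service pages: no parameter at all. The lookup
    is keyed on the session, so there is nothing in the URL to tamper with."""
    return STUDENT_RECORDS[session.user_id]


def handle_get_private_data(session: Session, query_string: str):
    """Request entry point for ...GetPrivateData?UserIdNumber=NNN.
    Returns (HTTP status, body)."""
    params = parse_qs(query_string)
    try:
        requested = int(params.get("UserIdNumber", [""])[0])
    except ValueError:
        return 400, {"error": "bad UserIdNumber"}
    try:
        return 200, get_private_data_fixed(session, requested)
    except Forbidden:
        return 403, {"error": "forbidden"}
    except KeyError:
        return 404, {"error": "no such record"}


if __name__ == "__main__":
    me = Session(user_id=432643)
    print(get_private_data_vulnerable(me, 432644))             # leaks another student
    print(handle_get_private_data(me, "UserIdNumber=432644"))  # (403, ...)
    print(handle_get_private_data(me, "UserIdNumber=432643"))  # (200, ...)
```

The identifier in the URL is not the problem by itself; the missing step is the authorization check that ties the requested object to the authenticated user, and that check has to run on every such endpoint, not just the one that got noticed.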

I remember eliminating this programming practice decades ago as not secure.  But not at Stanford.

They say that this is part of vendor provided software (where is their Vendor Cyber Risk Management Program?), so I hope their contract with the vendor says that the vendor is liable for breaches.  Probably not.  What do your vendor contracts say?

To add insult to injury, the vendor is no longer selling or supporting the software (kind of like those of you still running Windows XP).

Stanford has disabled the software and told students to visit the registrar’s office in person if they need the information.  How 1960’s.

Long term, they will replace the software.

Does any of the software that you use take a record identifier from the URL and return the record without checking that the logged-in user is allowed to see it?

If so, you could be the next Stanford.

Not necessarily a “rep” that you want.

Information for this post came from Security Info Watch.

Hacker Selling Almost a Billion Hacked User Records

A Pakistani hacker who last week put up 600 million hacked accounts for sale has added more than another hundred million records to the pile.

The first batch included 617 million records from 16 hacked sites —

  • Dubsmash – 162 million accounts
  • My FitnessPal – 151 million accounts
  • MyHeritage – 92 million
  • ShareThis – 41 million
  • HauteLook – 28 million
  • Animoto – 25 million
  • EyeEm – 22 million
  • 8Fit – 20 million
  • WhitePages – 18 million
  • Fotolog – 16 million
  • 500px – 15 million
  • Armor Games – 11 million
  • Bookmate – 8 million
  • CoffeeMeetsBagel – 6 million
  • Artsy – 1 million
  • DataCamp – 700 thousand

Several of these sites have admitted they were hacked;  none has denied it.

The 600 million record package is selling for about $20,000.

The new batch of 127 million records includes

  • Houzz – 57 million
  • YouNow – 40 million
  • Ixigo – 18 million
  • Stronghold Kingdom – 5 million
  • Roll20.net – 4 million
  • Ge.tt – 1.83 million
  • Petflow and vBulletin forum – 1.5 million
  • Coinmama – 420 thousand

Only Houzz on this second list has confirmed it was hacked.

So what does this mean for you?

First off, if you are using the same password on multiple sites, stop right away.  It is just too dangerous: a password stolen from one of these sites will be tried against every other site (credential stuffing).

Second, if you are not using two factor authentication, you just need to suck it up and turn it on.

The days of passwords alone as a reasonable login authentication means are over and will likely never return.

And, obviously, if you have accounts, even little used accounts, on any of these sites, change your passwords there immediately.  IF YOU USED THE PASSWORD ON ANY OF THESE SITES ELSEWHERE, YOU HAVE TO CHANGE THOSE PASSWORDS TOO.

And, if you are a web site operator and you are storing passwords, consider your security.  If you have not had an expert try to hack your site recently (as in, say, the last 6 months), you probably need to do that.
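What "consider your security" means on the storage side, as an added Python example that is not from the original post and not any of the listed sites' code: the fast, unsalted hashing pattern that lets a stolen table be cracked wholesale, beside per-user salted scrypt hashing with constant-time verification. The cost parameters are an assumption for a server with memory to spare.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: scrypt cost parameters for a server with memory to spare
# (128 * N * r bytes per hash, 16 MiB here). Raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_hash(password: str) -> str:
    """The pattern that makes a dump crackable wholesale: fast and unsalted.
    Identical passwords give identical hashes, so one lookup table cracks
    every reused password across the whole table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh 16-byte salt per user means two users (or two sites) with the
    same password store different hashes, and each guess must be run
    through a memory-hard function, per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string and
    compare in constant time. Any malformed record verifies as False."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(hash_hex) // 2)
        return hmac.compare_digest(digest.hex(), hash_hex)
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("weak, user 1:  ", weak_hash(pw))
    print("weak, user 2:  ", weak_hash(pw))          # identical
    print("scrypt, user 1:", hash_password(pw))
    print("scrypt, user 2:", hash_password(pw))      # different salts
    print(verify_password(pw, hash_password(pw)))    # True
```

Storing the parameters alongside the hash is what lets you raise the cost later and re-hash each account at its next successful login, instead of being stuck with whatever was chosen at launch. Salted, slow hashing limits the damage when a table leaks; it does nothing for users who reused the password elsewhere, which is why the advice above to users still stands.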

The brand damage to these sites will be big.

Information for this post came from The Hacker News.