Tag Archives: patches

Think the Cloud’s Not Secure? On-Prem Probably Worse

Security company Imperva says that almost all companies have internal databases with known vulnerabilities.

The average vulnerable database has 26 publicly disclosed flaws.

More than half of them are rated Critical or high severity.

They collected this data over the past FIVE YEARS.

While being internal does make it slightly harder for the hackers to get to it, all that means is that there needs to be one infected computer somewhere on the network and poof.

They say that many of the unpatched bugs are more than three years old.

Once the hackers are able to detect that a database is vulnerable, there are many ways to get free code to exploit it.

Different countries deal with this differently. France won the gold medal for most vulnerabilities, with 84% of their databases having at least one vulnerability and the average vulnerable database having 72 bugs. The US did better. Only – repeat only – 39% of the databases had at least one vulnerability and the average was 25 bugs.

Better check your patching protocol. Credit: Dark Reading

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out-of-band patch for an Internet Explorer zero-day bug that affects IE 9, 10 and 11 on Windows 7, 8 and 10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.


Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared it to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.


Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like the OPM and Anthem data, much of the Marriott data – when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise) – ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).


Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer, he was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural-born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained.

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.


Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users’ permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

News Bites for the Week Ending December 14, 2018

Patches This Week

Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader.  39 of these are rated critical.  Last week they patched a critical zero day in Flash (Details here).



More Spy Cams

The other day I reported that the DEA was buying spy camera enclosures to hide inside of street lights (here); well, that is not the only place they are hiding them.

Again, assuming they follow the rules, there is nothing illegal about these efforts.  The Register is reporting that the DEA is buying high-end spy cams built into seemingly ordinary shop vacs.  While we don’t know the brand of shop vac, we do know that the camera is a Canon M50B, a high-end camera that does remote pan, tilt and zoom.

The camera/shop vac could be just left around or it could come attached to a government agent/janitor.

Whatever it takes to catch a crook.


O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate

Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate.  He is probably looking for a new job right now.

The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack of resources or not having the expertise.  Details at ZDNet.

Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.


Kay Jewelers and Jared Jewelers fix Data Leak

Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.

In this case, these two jewelers, both owned by Signet Jewelers, sent confirmation emails with a link that anyone could modify to see another customer’s order information – name, address, what they ordered, how much they paid and the last four digits of their card number.

I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for this kind of issue.
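Here is the shape of that mistake and one way to avoid it, as an added example that is not code from the post or from Signet: a lookup that serves whatever order number is in the URL, beside a version that also requires the per-order token carried in the emailed link (or a logged-in session belonging to the customer who placed the order). The store, order numbers and customers are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Order:
    order_id: int
    customer: str
    email: str
    items: str
    total: str
    last4: str
    # Per-order secret carried in the confirmation link; not guessable.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


# Constructed sample orders (fictional customers, not real data)
ORDERS = {
    1001: Order(1001, "Alice", "alice@example.test", "ring", "$499.00", "1234"),
    1002: Order(1002, "Bob", "bob@example.test", "watch", "$1,250.00", "9876"),
}


def public_view(order):
    return {"name": order.customer, "items": order.items,
            "total": order.total, "last4": order.last4}


def vulnerable_lookup(order_id):
    """The leaky pattern: any order number placed in the URL gets served."""
    order = ORDERS.get(order_id)
    return public_view(order) if order else None


def confirmation_link(order_id):
    """Link placed in the confirmation email: order number plus its token."""
    return f"https://shop.example.test/orders/{order_id}?t={ORDERS[order_id].token}"


def token_from_link(link):
    return parse_qs(urlparse(link).query).get("t", [None])[0]


def hardened_lookup(order_id, token=None, session_email=None):
    """Serve the order only to a caller who presents its token (the emailed
    link) or is logged in as the customer who placed it. A missing order and
    a wrong token get the same answer, and the token compare is constant-time."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    owns = session_email is not None and session_email == order.email
    has_token = token is not None and hmac.compare_digest(
        order.token.encode(), token.encode())
    return public_view(order) if (owns or has_token) else None
```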

While not the worst data leak in the world, not a good thing.  They have since fixed the problem.  Source: Brian Krebs.


Google+ To Shut Down Even Earlier After New Breach

Sometimes even the great Google can’t catch a break.

After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network in August 2019.

But now Google has announced another flaw that affects over 50 million users, and Google has changed its mind and will shut down Google+ in April instead of August.  The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was introduced when they fixed the old bug.  Source: The Hacker News.

House Oversight and Government Reform Committee Says Equifax Responsible for Breach

A House committee spent 14 months and an unknown amount of money telling us what we already knew:  The Equifax breach was totally preventable and CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach.  The Democrats say that there was a missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in it.  Our government at work.  Source: The Hill.

Microsoft June Patches – Critical, Critical and More Critical

Many people have their Windows desktops and laptops set to automatically install Microsoft’s monthly updates.  For businesses, that is not usually the case.  They need to make sure that the updates don’t break things and often, as a result, it takes a while for businesses to get the updates installed.

In addition, many businesses have employees who are not directly connected to the company network, so it becomes difficult to force the patches to install.

But, whether you are a consumer or a business, here is why getting the patches installed quickly is important.

First, as soon as the patches are released, the hackers look at those patches and reverse engineer them to see how hard it is for them to exploit unpatched systems.

The hackers also start working on the easiest, least intrusive way to detect whether the patches have been installed, so they can easily catalog which of the systems they control can be hacked with the newly learned vulnerability.

Let’s look at June’s patches –

  1. MS16-063 – Internet Explorer: The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer with the same rights as the user.  If the user is a local or network admin, jackpot.
  2. MS16-068 – Microsoft Edge: The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge with the same rights as the user.   If the user is a local or network admin, jackpot.
  3. MS16-069 – JScript and VBScript: The vulnerabilities could allow remote code execution if a user visits a specially crafted website with the same rights as the user.  If the user is logged on with administrative rights, an attacker could take control of an affected system, install programs; view, change, or delete data; or create new accounts with full user rights.
  4. MS16-070 – Microsoft Office: The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker could run arbitrary code as the current user.  If the user was an admin, then the damage could be worse.
  5. MS16-071 – DNS: The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

This only accounts for 5 of the 16 patches that they released this month – the ones that allow an attacker to take over a computer remotely and execute arbitrary code.

Two tips on dealing with this:

A.  Make sure that you are aggressive at patching quickly.  The window between the patch being released and the patch being exploited in the wild is pretty short.

B. Do not allow users to run as local or network administrators unless they need to AT THAT MOMENT.  Best practices say to create a separate administrative userid and only use it to perform administrative functions.  To discourage users from using that account for everyday work, make sure that the administrative user cannot access email or the Internet if at all possible.  This dramatically reduces the potential for someone to fall for a phishing attack.


Why Patching Software Is So Important

Last week Adobe released a set of patches fixing 78 vulnerabilities.  At the same time, Microsoft released patches for 71 vulnerabilities – three-quarters of which Microsoft rated as CRITICAL.

Two vendors, one month, 149 bugs patched.

Think about the amount of software that is out there.  If every other product is as reliable as Microsoft’s and Adobe’s software, that means that there should be millions of patches released every month.

Of course, some vendors (Oracle for example) don’t release patches every month.  Oracle releases their patches quarterly and typically there are one to two hundred bugs fixed in each Oracle patch release.

Other vendors don’t release patches at all.  For example, if you have an old iPhone or Android phone – more than say two or three releases of the software old – the vendors don’t issue patches for them.  Many people continue to use old phones oblivious to the fact that the software is no longer being patched.

In the case of this month’s Microsoft patch fest, while some of the patches affect Windows, many of them affect Internet Explorer (30 of them) and Microsoft’s new browser Edge (15 bugs).  The fact that IE or Edge is installed on your computer is enough to likely make the computer vulnerable.

The challenge for users and businesses alike is that they must know each piece of software installed on each computer – desktop, laptop, server, phone, tablet, router, firewall – you name it.  Then they have to figure out how to check for new patches.

After you find out that there are new patches, you have to decide whether to install the patches now or wait.  Why wait?  In this month’s Microsoft patch fest are some patches that affect Microsoft Outlook.  Some users are reporting that Outlook has stopped working after they installed the patches.  Why not wait?  Because as soon as the patches are released, hackers start examining those patches to see what has been fixed – so that they can attack users who have not yet installed those patches.  In many organizations, some patches never get installed.

If you are able to find out that there are patches and that you want to install them, you have to figure out HOW to install them.  Sometimes that is not easy.

When was the last time you patched your internet gateway (modem or router)?

If you have a WiFi access point, when was the last time you patched that device?

Do you even know HOW to do that?

You get the idea.

I don’t have a great answer, but even though it has downsides, I recommend that most users let programs check for patches and install them automatically.

The problem is, for example, that if a program is installed on your computer but you never run it, that program can’t check for patches.  Some programs install a small task that runs in the background that only checks for new patches and warns you.  Not all programs do this.  If the program is installed but not patched, the bugs are often still a valid attack vector.  Not always, but usually.

Some programs don’t automatically check for updates and others do not check for patches even when you first start them.

What this means is that the onus is on users.  Many users install software because it seems cool.  Then they don’t like it.  But they don’t uninstall it.  That software is highly unlikely to be patched.

I wish I had a better answer, but I don’t.  Until software makers get their collective acts together, caveat emptor.  The ball is in your court.


Information for this post came from Krebs On Security.

Software Testing – The Art of Proving The Presence Of Bugs, Not the Absence

Microsoft just published a critical patch for a 19 year old bug that dates back to Windows 95 and Internet Explorer 3.0.

First the obvious – since it was still there after 19 years, all the testing that Microsoft and users have done on every version of Windows back to and including Windows 95 did not detect this bug – hence the title of the post.

But you might ask WHY was this bug not detected and Network World published an item that discussed that, but here are a couple of reasons –

  • The person that wrote that hunk of code is no longer with the project or company and no one else understands it, so let’s leave it alone.  It ain’t broke.
  • Supposedly, it is a subtle bug and hard to exploit, so you might have to look real hard to find it (not any more, of course)
  • Didn’t all that old code base go away with Vista/Win7/Win8?  It was 16 bit code and we moved to a 32 bit code base?  Nope, it wasn’t broke, so we just recompiled it.

The article gives some other reasons too, but this doesn’t mean that you should not test.  In fact, if anything, you need to expend more resources, automate the testing, pay bug bounties, etc.  It just means that testing is hard.

What this also means is that since this bug is now in the wild and Microsoft did not issue a patch for Windows XP, if you are still running XP, here is another reason to migrate – the bad guys now have the bug, they know what Microsoft did to fix it in newer OSes and all they need to do is figure out a way to exploit it in XP.

Mitch Tanenbaum