Tag Archives: Patching

News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz.


The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to VirusTotal, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the anti-virus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.


HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.  *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York requires financial institution administrators to use two factor authentication.  Source: BBC.


U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, apparently they do.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it.  Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe, and the companies actively support that.  The U.S. government has fewer direct incentives, although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that Cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.


Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above:

BGP hijacking has become a well honed art form for China (and others).  BGP, the routing protocol used by all ISPs and many large companies, has no built-in security: anyone can “advertise” that they own an IP address block, and there is currently no way to stop them.  After the fact, when the owner notices they are down, they can recover from it.  If the attacker is stealthy, they capture the traffic and, after a very small delay, send it on its way.  They now own a copy of the traffic, which they can try to decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.  Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.


This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today:

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days, are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.


Patching is Critical

Three news items today – different platforms, but one common message.

#1 – A new iPhone passcode bypass was found within hours of the release of iOS 12.1.  This follows on from the passcode bypass fixed in 12.0 and another iPhone passcode bypass in 12.0.1.  As iOS becomes more bloated (or feature rich, depending on your perspective), more bugs are likely to appear (source: The Hacker News).

#2 – Microsoft quietly patched a bug in Windows 10 that allowed certain Universal Windows Platform applications that had certain permissions to access users’ files without their knowledge.  The update changed the default for the “Broad FileSystemAccess” permission to OFF.  Up until now, it was ON by default.  Users may need to selectively turn that on now if they feel that is safe (Source: The Hacker News).

#3 – Researchers tattled on Microsoft regarding a bug or feature in Word 2016 and earlier versions that allows a hacker to abuse Word’s (bloated?) feature that allows you to embed online videos.

Since a Word file is really a zip file, all a hacker has to do is embed a video link, such as to YouTube, and then open the zip file separately outside of Word.  The zip file contains an XML configuration file that holds the embed code.  A hacker could edit that code and put in any link or javascript that the hacker wanted, and that code would be silently executed when you open the document and click on the video.

The researchers gave Microsoft 90 days to fix the bug.  Microsoft says that they think it is a feature.  It likely is a feature, but a really poorly designed one.

Enterprise admins should update their anti-malware software to BLOCK any Office documents that contain the embedHTML tag.

Unfortunately, now that the cat is out of the digital bag, hackers will be looking at other similar ways to infect your user’s computers (Source: The Hacker News ).
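As an added example (not code from the original post), a small Python scanner implementing the check recommended above: it opens a .docx as the zip file it is, looks in every XML part for the embedHTML attribute (Word writes it as embeddedHtml, so both spellings are matched), decodes the stored iframe markup and reports its src so an admin can flag or block the document. The docx builder constructs a minimal stand-in file for testing and is not a real Word document.

```python
import html
import io
import re
import zipfile

# The post calls this the embedHTML tag; in word/document.xml Word stores the
# online-video markup in a w15:embeddedHtml attribute. Match both spellings.
EMBED_ATTR = re.compile(r'\b(?:embeddedHtml|embedHTML)\s*=\s*"([^"]*)"', re.IGNORECASE)
IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def find_embedded_html(docx_bytes):
    """Return one record per embedded-HTML attribute found in any XML part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for m in EMBED_ATTR.finditer(text):
                markup = html.unescape(m.group(1))   # value is XML-escaped on disk
                src = IFRAME_SRC.search(markup)
                hits.append({"part": name, "html": markup,
                             "src": src.group(1) if src else None})
    return hits


def should_block(docx_bytes):
    """Policy from the post: block any Office document carrying the tag at all."""
    return len(find_embedded_html(docx_bytes)) > 0


def build_sample_docx(embedded_html=None):
    """Constructed minimal .docx for testing; the structure mimics Word's but
    this is not a file produced by Word."""
    video = ""
    if embedded_html is not None:
        escaped = html.escape(embedded_html, quote=True)
        video = ('<wp:docPr id="1" name="Video 1"><a:extLst><a:ext uri="x">'
                 f'<w15:webVideoPr w15:embeddedHtml="{escaped}" w15:h="360" w15:w="640"/>'
                 '</a:ext></a:extLst></wp:docPr>')
    document = ('<?xml version="1.0" encoding="UTF-8"?><w:document><w:body>'
                f'<w:p><w:r><w:t>Quarterly report</w:t></w:r>{video}</w:p>'
                '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx('<iframe src="https://www.youtube.com/embed/CONSTRUCTED"></iframe>')
    for hit in find_embedded_html(sample):
        print(f"{hit['part']}: embedded HTML points at {hit['src']}")
```

Run it against a real document with `find_embedded_html(open("file.docx", "rb").read())`; anything it returns is a document the post says to block.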

So what is a user – or system admin – to do?

The first thing to do is to make sure that your patch management process is working.  That does not just mean your operating system patches, but also every single application installed on every computer.  Office is high up on that food chain, but things like Acrobat are targets too.  Adobe released 47 patches to Acrobat this last month that they rated CRITICAL; 46 of them allowed for REMOTELY executing arbitrary code if you use Acrobat to open PDFs in your browser.  Foxit, an Acrobat replacement, released 116 patches this month.  The numbers are insane.

If you look at all of your computers, you are running way more applications than you think you are – likely hundreds – probably many hundreds.  And it does not matter if you are using the apps.  In fact, unused apps are worse, because you are less likely to patch them.

IN FACT, YOU SHOULD MAKE IT A PRACTICE TO UNINSTALL ANY APPS THAT YOU DON’T NEED.

The second thing to do, and it can be time consuming, is read security intelligence alerts such as this blog and our separate client alerts.  You have to know at least as much as the bad guys.

Sorry there is no easy fix!


NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the Wannacry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., pencil and paper) and infected and took down organizations like the UK’s National Health Service, parts of Fedex, Hitachi, Honda and hundreds if not thousands of other organizations, many unknown, was enabled by a gift written by the NSA called ETERNAL BLUE.  Eternal Blue was designed to be a gift given to our enemies, but it managed to get out in the wild and was used by the bad guys to infect hundreds of thousands of computers in at least 150 countries, costing companies billions of dollars to fix.

If it weren’t for Eternal Blue, this attack would not have worked.  Funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called Eternal Blue is still giving.  There are still at least a million computers that are not patched and hackers are using Eternal Blue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work.

Right now, today, the attackers are using this attack to mine crypto currency on the infected computers.  However, if that stops being profitable enough, well then, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple thing is that there are Windows patches available to be installed.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.

But, since people aren’t really diligent about patches, and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.

Just think about that for a minute.

Information for this post came from ZDNet.


DHS Says Federal Networks Susceptible to Attack

DHS released a report this week regarding BOD 16-02.  A BOD or Binding Operational Directive is DHS’s way of telling executive branch agencies that they have to do something.  Like really.

In this case the issue is that hackers were abusing bugs in Internet routers, specifically Cisco routers.  Why Cisco?  Because they are the biggest gorilla in the game.  If you can successfully attack Cisco, the world is your oyster.

The report dates back to 2016, but it wasn’t released until this week.  The bugs date back to 2014 and 2016.  Cisco has patched the bugs.  Many agencies had not applied the patches.  Hence the BOD.  Get off your butts and apply the patches.

OK, so what does this mean to you?

In general, your Internet gateway is the drawbridge to your medieval castle.  Leave the drawbridge down and the bad guys can get across the moat.

Even in medieval days, the drawbridge was only one defense.  Today, the firewall is also only one layer of defense.  Still, it is an important layer.

For many businesses (and especially consumers), patching their Internet gateway (router or firewall) and patching their WiFi router (sometimes the same device but sometimes different devices) is not something they do, and if they do, they don’t do it regularly.

All patching is important, but patching any Internet facing device is critical because the attacker doesn’t need to get inside your network before launching the attack.  They start from outside and they work their way in.

One important thing to know.  At least with Cisco, and probably some other vendors, if you are not paying for an annual support contract, they will not give you the security patches that they have released to fix the bugs that should not have been there in the first place.  My answer to that?  Pick a different vendor – there are lots.  Juniper, Sonicwall, Ubiquiti, Fortinet, Barracuda, Palo Alto, pfSense.  Different vendors make sense for different users, but there are lots of choices.

So what is an Internet facing device?

Firewalls.

Routers.

WiFi Access Points.

Webcams that can be accessed from the Internet.

And likely other devices inside your home or business.

Start out by doing a careful inventory of anything that has a network cable or is connected to your WiFi.  Then see which ones of these devices can connect to the Internet.  Those are the high priorities.

There is one thing that you can do, going forward.  Buy devices that automatically update themselves.

Like the Ring Video Doorbell.  There was a vulnerability discovered recently (in the last 6 months or so).  Ring fixed and patched every doorbell ever sold in roughly 48 hours.

The Google Home Wifi controller is another example.

Do your research BEFORE you buy.  Ask questions.  And, if you don’t get the right answers, move on.  Vote with your wallet.  Eventually, that will get manufacturers’ attention.

Information for this post came from Federal Computer Weekly.


Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass), has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which, compared to many other companies, is pretty amazing.  The third one has not been fixed yet; Tavis says that it is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates its software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page.  If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration, so it is not susceptible to these types of attacks.  The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents.  While no bugs were found, by default, documents uploaded to Docs.com (but not those created in Office 365) DEFAULTED to public viewing.  With this setting, search engines indexed the files, and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.

After this was publicly revealed, Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that, and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me.  Seems like you should set it to default to private and make people intentionally share it if that is their intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released iOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know), and humans make mistakes.  If you have not installed the new version, you should, as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts – 1
  • Audio – 1
  • Carbon – 1
  • CoreGraphics – 2
  • CoreText – 3
  • Data Access – 1
  • Font Parser – 3
  • HomeKit – 1
  • HTTP Protocol – 1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari – 4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • WebKit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple, just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.


Follow On To Last Week’s Posts On Patching And CERT Alert

As a follow on to last week’s posts on why patching is critical and the CERT alert on the Shadow Brokers’ release of a whole raft of firewall hacks, this week Cisco is announcing that their software is vulnerable to attack, there is no workaround and they are working on patches.  BUT, there is a silver lining.

First, the problem.  There is a bug in their implementation of the IKE (Internet Key Exchange) protocol that is used by their VPN access routines.

Now the good news.

  • The bug affects IOS XR versions 4.3.x to 5.2.x, but releases 5.3.x and newer are not affected.
  • The bug also affects PIX firewalls version 6.x and prior, but versions 7.0 and later are not affected.

IOS XR 5.3 was released last January.

Cisco PIX has reached end of life status and is not supported anymore.

So first, we are already seeing fallout from the Shadow Broker release and Cisco, at least, is starting to issue patches.

Second, if you are being good about patches and not running obsolete software, at least in this case, you would not be vulnerable to this particular exploit.

This just reinforces my comment from last week to be religious about patching.  It is critical.

Information for this post came from Network World.

For a complete list of all software affected, read the Cisco announcement here.
