Tag Archives: Patching

NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the Wannacry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., a pencil and paper), infected and took down organizations like the UK’s National Health Service, parts of Fedex, Hitachi, Honda and hundreds if not thousands of other organizations, many unknown, was enabled by a gift written by the NSA called ETERNAL BLUE.  Eternal Blue was designed to be a gift given to our enemies, but managed to get out in the wild and be used by the bad guys to infect hundreds of thousands of computers in at least 150 countries and cost companies billions of dollars to fix.

If it weren’t for Eternal Blue, this attack would not have worked.  Funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called Eternal Blue is still giving.  There are still at least a million computers that are not patched and hackers are using Eternal Blue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work.

Right now, today, the attackers are using this attack to mine crypto currency on the infected computers.  However, if that stops being profitable.  ENOUGH profitable.  Well then, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple thing is that there are Windows patches available to be installed.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.

But, since people aren’t really diligent about patches and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.  

Just think about that for a minute.

Information for this post came from ZDNet.

Facebooktwitterredditlinkedinmailby feather

DHS Says Federal Networks Susceptible to Attack

DHS released a report this week regarding BOD 16-02.  A BOD or Binding Operational Directive is DHS’s way of telling executive branch agencies that they have to do something.  Like really.

In this case the issue is that hackers were abusing bugs in Internet routers, specifically Cisco routers.  Why Cisco?  Because they are the biggest gorilla in the game.  If you can successfully attack Cisco, the world is your oyster.

The report dates back to 2016, but it wasn’t released until this week.  The bugs date back to 2014 and 2016.  Cisco has patched the bugs.  Many agencies had not applied the patches.  Hence the BOD.  Get off your butts and apply the patches.

OK, so what does this  mean to you?

In general, your Internet gateway is the drawbridge to your medieval castle.  Leave the drawbridge down and the bad guys can get across the moat.

Even in medieval days, the drawbridge was only one defense.  Today, the firewall is also only one layer of defense.  Still, it is an important layer.

For many businesses (and especially consumers), patching their Internet gateway (router or firewall) and patching their WiFi router (sometimes the same device but sometimes different devices) is not something they do, and if they do, they don’t do it regularly.

All patching is important, but patching any Internet facing device is critical because the attacker doesn’t need to get inside your network before launching the attack.  They start from outside and they work their way in.

One important thing to know.  At least with Cisco, and probably some other vendors, if you are not paying for an annual support contract, they will not give you the security patches that they have released to fix the bugs that should not have been there in the first place.  My answer to that?  Pick a different vendor – there are lots.  Juniper, Sonicwall, Ubiquiti, Fortinet, Baarracuda, Palo Alto, pfSense.  Different vendors make sense for different users, but there are lots of choices.

So what is an Internet facing device?

Firewalls.

Routers.

WiFi Access Points.

Webcams that can be accessed from the Internet.

And likely other devices inside your home or business,

Start out by doing a careful inventory of anything that has a network cable or is connected to your WiFi.  Then see which ones of these devices can connect to the Internet.  Those are the high priorities.

There is one thing that you can do, going forward.  Buy devices that automatically update themselves.

Like the Ring Video Doorbell.  There was a vulnerability discovered recently (like in the last 6 months or so).  Ring fixed and patched every doorbell ever sold in roughly 48 hours. 

The Google Home Wifi controller is another example.

Do your research BEFORE you buy.  Ask questions.  And, if you don’t get the right answers, move on.  Vote with your wallet.  Eventually, that will get manufacturer’s attention.

Information for this post came from Federal Computer Weekly.

Facebooktwitterredditlinkedinmailby feather

Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass) has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which compared to many other companies, is pretty amazing.  The third one has not been fixed yet and Tavis says that is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates it’s software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page.   If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration so it is not susceptible to these types of attacks.  The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents.  While no bugs were found, by default, documents uploaded to Docs.com, but not those created in Office 365, DEFAULTED to public viewing.  With this setting search engines indexed the files  and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.

After this was publicly revealed Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me.  Seems like you should set it to default to private and make people intentionally share it if that is there intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released IOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know) and humans make mistakes.  If you have not installed the  new version, you should as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts -1
  • Audio -1
  • Carbon -1
  • CoreGraphics – 2
  • CoreText –  3
  • Data Access -1
  • Font Parser – 3
  • HomeKit – 1
  • Http Protocol -1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari -4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • Webkit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple , just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.

Facebooktwitterredditlinkedinmailby feather

Follow On To Last Week’s Posts On Patching And CERT Alert

As a follow on to last week’s posts on why patching is critical and the CERT alert on The Shadow Broker’s release of a whole raft of firewall hacks, this week Cisco is announcing that their software is vulnerable to attack, there is no workaround and they are working on patches.  BUT, there is a silver lining.

First, the problem.  There is a bug in their implementation of the IKE key exchange protocol that is used by their VPN access routines.

Now the good news.

  • The bug affects IOS XR versions 4.3.x to 5.2.x, but releases 5.3 x and newer are not affected
  • The bug also affects PIX firewalls version 6.x and prior, but versions 7.0 and later are not affected.

IOS XR 5.3 was released last January.

Cisco PIX has reached end of life status and is not supported anymore.

So first, we are already seeing fallout from the Shadow Broker release and Cisco, at least, is starting to issue patches.

Second, if you are being good about patches and not running obsolete software,  at least in this case, you would not be vulnerable to this particular exploit.

This just reinforces my comment from last week to be religious about patching.  It is critical.

Information for this post came from Network World.

For a complete list of all software affected, read the Cisco announcement here.

 

Facebooktwitterredditlinkedinmailby feather

It’s Patch Day

Yesterday was Patch Tuesday.  Microsoft had 14 bulletins, 5 of which they deemed critical, covering 59 vulnerabilities.

Oracle released patches covering 193 vulnerabilities, including 25 Java patches, one of which is already being exploited in the wild.    44 of these vulnerabilities came from third party components.  Of the 25 Java vulnerabilities fixed, 23 of them can be exploited remotely without authentication.

One of the Microsoft patches, MS15-077, fixes a zero day in the Windows Adobe Type Manager Font Driver, for which there was a proof of concept disclosed in the Hacking Team data dump.  This is a very speedy response time for Microsoft.  The bug affects Windows Server 2003, 2008 and 2012, all desktop OSs since Windows Vista and Windows RT.  It would allow hackers to install programs, view, change or delete data and create new accounts – in other words, do pretty much anything the hacker might ever want to do.

Microsoft released 28 patches for Internet Explorer, 20 of which are critical and one of which, CVE-201-2045, fixes another zero day flaw exposed in the Hacking Team dump.

Adobe released patches for two more zero day exploits that were exposed by the Hacking Team data dump and which I wrote about the other day.  Those were the ones that caused Mozilla to completely block Flash inside Firefox.

Given all this data, let’s ponder a few things:

  • Thank you Hacking Team for getting hacked – there are a number of things that got cleaned up as a result
  • Vendors – Microsoft and Adobe in this case – can move VERY quickly when their tush is on fire because someone released exploits of their systems with “easy to follow instructions” on how to use them
  • Third party – i.e. the software supply chain – affected 44 of the patches that Oracle released.  Software supply chain is a killer.
  • But the most important issue here is that this week a couple of vendors released patches covering almost 300 bugs. How on earth is a user or company supposed to absorb that many patches, figure out where the affected systems live, test the patches to make sure they don’t break anything and get them deployed to the users in a timely fashion?  
  • And, don’t forget, this is just three vendors of maybe hundreds that are used by any one organization.

Software governance, part of the overall corporate governance, risk and compliance (GRC) activity, is a challenge for companies, both big and small.  Big companies are challenged because they have so many devices scattered to the winds.  Small companies are challenged because they don’t have the resources and expertise to analyze and deploy the patches.

And, as more and more things contain software – you may remember that the Maytag repairman (actually Whirlpool) had to patch my dishwasher last week in order to complete an unrelated service call, this is not likely to get any better any time soon.

In fact, the bigger question is this – if we found and patched 300 bugs this week, how many more are out there unpatched and exploited – either accidentally or on purpose?

Information for this post came from Tech Target and Computerworld.

Facebooktwitterredditlinkedinmailby feather

Why Patching Doesn’t Work – Using Apple As An Example

Apple released patches to fix a family of security flaws called Masque the other day in iOS release 8.4 .  Researchers then came up with a new variant of the flaw that the patch doesn’t fix.  Apple had fixed earlier variants of the Masque attack in iOS 8.1.3 , Anyone see a theme here.  Unfortunately, in today’s world, putting yellow duct tape on top of green duct tape on top of silver duct tape is what we do.

For years, people thought Apple was immune to hackers.  In reality, while Apple’s software is good, it is not perfect.  Hackers considered Apple to be a niche player and instead focused their efforts on Windows users.  Now that Apple is considered a mainstream product, hackers are focusing some energy on it and finding holes.

Apple, in turn, is doing the only thing they really can do in the short term and that is buying cases of duct tape.  Unfortunately, as Microsoft figured out years ago, duct tape is neither elegant nor does it provide a lasting solution.

Bill Gates wrote has famous Trustworthy Computing memo in 2002 that started a culture change at Microsoft that is still unfolding today.  In the battle between security and features, features usually win.  In both Microsoft’s and Apple’s cases, real security means a lot of time, people and money to re-architect their products.  It is very rare that you see that in the commercial software world.  Usually it takes some sort of catastrophic failure like a nuclear reactor meltdown.  We did see major changes in the chemical process industry after the Union Carbide chemical plant disaster in Bhopal, India that killed or injured hundreds of thousands.

In the software world, vendors are not responsible if you are hacked and lose all your money, intellectual property or your nude pictures are published on the Internet for the world to see.  Until that changes, expect duct tape to be a hot commodity.

A few details about the problem.

In Apple’s case, the Masque flaws involve impersonating existing apps and getting users to install hacked versions, typically though Apple’s enterprise provisioning system which allows companies to use apps that are not published on the app store.

The fixes that Apple made last November in iOS 8.1.3 fixed the URL Masque and Plug-in Masque variants.

FireEye, the company that found these bugs, disclosed two more variants, called Manifest Masque and Extension Masque after Apple partially fixed them in iOS 8.4 .  Expect more variants to follow.

Based on traffic to high profile web sites, a third of Apple iOS users are using versions of iOS earlier than 8.1.3.  Unless a user downloaded 8.4 this week, all users are using a version older than 8.4 .

Older iPhones may not even be able to upgraded to 8.4 due to compatibility issues, so they will be vulnerable until they are crushed and recycled.

There is no easy answer and this is certainly not just an Apple problem.  As software becomes more sophisticated, the problem multiplies.  And, worse yet, all vendors, including Apple, abandon old versions of hardware.  Try getting updates for an iPad 1, for example.  However, the fact that the vendor doesn’t update does not mean that people don’t use them.

I do not think there will be a solution any time soon.  Both the U.S. and British government still have tens of thousands of PCs running Windows XP.  The U.S. Navy agreed to pay Microsoft for private support for a few of these.  The British government, which did pay Microsoft millions last year for that service opted to let it expire this year.  That does not mean those computers are not being used – just not being updated.

No. Easy. Answers.   Soooooooorry!

Source material for this article came from PC World (see article).

Facebooktwitterredditlinkedinmailby feather