January 2016 News and Updates
What’s New
- Hacker Playdate – The Q1 2016 Hacker Playdate is right around the corner and we’re starting to get excited. We’re doing this one a little different and are specifically targeting the presentations and the villages toward business owners, managers and IT professionals. One of the new things that we’re trying this time is a CTF village with multiple vulnerable machines and several ‘attack’ laptops setup to give attendees an opportunity to try the tools and tactics that attackers are using in the wild (and we’ll have solutions available for those who just want to get to the end). As always, it’s free and open to anyone. We will be in the meeting room at Primo’s Mexican Cocina from 12:00pm EST to 5:00pm EST on Saturday, 23 January 2016. More information is available at http://www.hackerplaydate.org.
- Windows 10 – We are seeing a LOT of folks who are installing Windows 10 ‘accidentally’. Two very important things to note on this are that you have 30 days from the time you do the upgrade to revert back to the previous version of Windows and that Windows 7 will still be supported until 14 January 2020. That said, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 until a specific need to upgrade arises for production environments.
Updates
Executive Summary – Microsoft has definitely taken the spotlight this month with a total of nine bulletins released, six of which are rated as critical and the top two affecting the web browser (the third affects a scripting engine and could be leveraged via the web browser). It seems that, if combined with the escallation of privilege vulnerability (MS16-008, rated as ‘important’), an attacker could gain elevated permissions on a target system through the web browser.
Microsoft – Microsoft released 9 bulletins this month (MS16-001 through MS16-010, yes, we noticed it too and will comment momentarily). Six of the bulletins are rated as critical and address vulnerabilities that could lead to remote code execution. The remaining 3 are rated as important and address issues with remote code execution, privilege escallation and spoofing. The summary from SANS has 7 of the bulletins listed as critical (rather than 6) but does not note that exploits are available for any of the vulnerabilities as of the time of this email. Several of the updates will require a reboot to complete the update.
Some of you may have noticed the funny math on this or noticed that MS16-009 is missing. No word on what happened to MS16-009 but recent update hiccups (MS15-058 was also mysteriously missing and KB3097877 was published and a replacement re-published under the same name).
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Additional details are available Microsoft Here, Here (SANS) and Here (Threatpost).
Adobe – To start the new year, Adobe has released APSB16-02 which addresses a critical vulnerability Adobe Reader XI, Adobe Acrobat XI, Adobe Reader DC and Adobe Acrobat DC. Basically, if you’re running a version of the Adobe PDF software that wasn’t vulnerable yesterday (and you still haven’t patched it), it is now. If you’re running a version that was vulnerable yesterday, you’re still vulnerable today.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.
Java – Java is holding fast at version 8 update 66, nothing new to report here. In Windows, you can check this by going to Add / Remove Programs and looking for older versions.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – The holiday shopping season is behind us and it seems that we have avoided any massive breaches on the retail front so far (hopefully) and it’s time to start getting ready for the new year. We are continuing to see improvements when it comes to securing the perimeter (where they still exist) but we are still seeing those perimeters easily breached with social engineering and client side attacks. Even with a fully patched OS, up-to-date antivirus and locked down policies, an untrained (or malicious) user can give a skilled attacker enough wiggle room through social engineering and client side attacks to completely bypass almost any defenses. One example that just seems to be screaming from this latest batch of updates from Microsoft would be to launch a phishing campaign that leveraged the vulnerabilities in Internet Explorer or Edge to get a foothold on a target. Once on target, elevate privilege (thank you MS16-008) and grab some hashes and dig around until you find what you need. From there, a golden ticket and you own the organization. Somewhat oversimplified but think about your organization as a whole. Is there *anyone* that you can think of that may be enticed to click on a well designed phishing email? Perhaps an emergency message from a friend (with details gleaned from social media)? Perhaps a very important email from their boss with a last minute update to a presentation while he / she was out of town (Is the boss attending a conference or perhaps going on vacation? Did they announce it via social media or an autoresponder to their email or perhaps on their voicemail?). Perhaps an email that was ‘accidentally’ forwarded to them with sensitive information about necessary layoffs due to yet undisclosed budget cuts for the upcoming fiscal year? If you thought of *anyone* that may fall for such a scheme, you’ve found the way that an attacker could bypass all of those shiny boxes with blinky lights to breach your organization and the scenario probably doesn’t seem so far fetched anymore.
Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on the website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.