What’s New
- Hacker Playdate – The Q1 2016 Hacker Playdate, despite some weather concerns, was a huge success. Many thanks again to our sponsors and participants
- Cisco ASA Vulnerabilit – A vulnerability in Cisco ASAs (firewalls) was disclosed last week that could allow a remote attacker full access to an affected Cisco ASA. Scans for vulnerable devices have been very aggressive since the disclosure Cisco, to my knowledge, has not released an update to patch the hole. Some sites have reportedly disabled host-to-site IPSec VPNs as a result. Additional information is available at SANS here.
- DMA Locker – We have reported on ransomeware (I believe that this was our first article on it back in 2013) and it looks like the genre has experienced another evolution. This latest variant encrypts everything except files that have been whitelisted (the previous version encrypted specific file types) and can infect unmapped network shares. Basically, any file that you have access to edit (intentionally or otherwise), DMA Locker can encrypt. In addition to the new teeth, the DMA Locker ransom is 4 bitcoin (~$1,500 US). Now would not only be a good time to confirm your backups but would also be a good time for SysAdmins / NetAdmins to confirm a minimal rights possible approach at the NTFS level for network shares.
- Windows 10 – We are seeing a LOT of folks who are installing Windows 10 ‘accidentally’. Two very important things to note on this are that you have 30 days from the time you do the upgrade to revert back to the previous version of Windows and that Windows 7 will still be supported until 14 January 2020. That said, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 until a specific need to upgrade arises for production environments.
Updates
Executive Summary – The spotlight can be shared this month between Microsoft (with 13 bulletins), Cisco (with a massive, remotely exploitable bug in an extremely popular piece of network security gear) and the newest evolution of ransomware.
Microsoft – Microsoft released 12 bulletins this month (MS16-009 through MS16-021,minus MS16-010 that was released last month). Six of the bulletins are rated critical and most have exploitability ratings of one (exploitation more likely). I think that it’s also interesting that two of the bulletins (MS16-009 and MS16-011) are for Internet Explorer and Edge respectively (MS Edge was supposed to be a ‘complete rewrite’ of Internet Explorer with security ‘baked in’ but they seem to get updated at about the same time with similar updates addressing similar issues). All of the remaining updates are rated Important with exploitability ratings between 1 and 3 affecting a range of products including the Windows PDF Library, Office, Windows, Remote Desktop, etc.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Additional details are available Microsoft Here and Here (SANS).
Adobe – Adobe has released bulletins APSB16-07 (Adobe Connect), APSB16-05 (Adobe Experience Manager), APSB16-04 (Adobe Flash Player) and APSB16-03 (Adobe Photoshop CC and Bridge CC). Details on each are available on the Adobe Security Advisories page (link below) but the one [most] relevant to most of our users is APSB16-04, which addresses a critical vulnerability in the Adobe Flash Player that could allow an attacker full control of affected computers.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.
Java – Oracle released Java 8 update 73 on 5 February 2016. In Windows, you can check this by going to Add / Remove Programs and looking for older versions.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – The ancient Spartan males were literally born for battle and, as a result, they were incredibly good at it (as long as you fought their fight). The Persians learned this the hard way in 480BC at Thermopylae. The Spartans engineered the battle so that the Persians would attack at Thermopylae through a choke point that gave the smaller Spartan force an advantage. The Spartans held off the much larger Persian force for seven days until a Greek named Ephialtes revealed to the Persians a backdoor that could be used to bypass the Spartan phalanx and open the door to Greece for the Persians (ultimately, this didn’t go well for the Persians). How does this pertain to modern day networking and InfoSec? Time and again we find clients that have defenses setup where they think that they’re vulnerable (firewalls on their Internet connection) or where they expect an attack. All too often though, they have left the back door standing wide open (poorly trained users, poorly designed, communicated and / or enforced acceptable use policies, overly relaxed security policies) with no guards or ineffective guards posted (no egress filtering) and no reporting (either no logs or no one actually monitoring the logs) to record what may have come in or gone out via the back door. The result is that the defenders, like the Spartans, get attacked where they’re weak and lose the battle (network). The battle is lost not because the defenders are bad at their job but because they didn’t understand the threat. During the reporting phase of our engagements we always try to explain to the client how we got in and what could have been done to stop it. We also work with the on-site blue team if there is one there to try to help them better understand the landscape from a red team perspective.
Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on the website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.