April 2016 News and Updates
What’s New
- Disable Windows 10 Notification – Our policy regarding Operating System (or any other major) upgrades has always been to proceed with caution and upgrade when a) you have a need to, b) your environment (hardware, software, etc.) supports it and c) it’s stable. Microsoft has been pushing Windows 10 since its release and has gotten more aggressive with the rollout with each monthly update cycle. Our policy is still: if you are currently on Windows 7 and have no business requirement to upgrade, stay with Windows 7. If you have Windows 8.x, Windows 10 is a slight upgrade, but Windows 7 is battle tested, well supported by third parties and is scheduled to be supported by Microsoft until January 2020. All of that said, Steve Gibson has written a small utility called Never10 that we posted about on our Facebook page back on 30 March of this year. We noted in that post that we would test it out for any ill effects and, thus far, I’m happy to say that it seems to work with no ill effects. If you’re tired of the constant nagging to upgrade to Windows 10, you can download this small utility, click the ‘Disable Windows 10 Upgrade’ button and be left alone. If at some point you change your mind, run it again and re-enable it; it really is just that simple.
- Hacker Playdate – Mark your calendar, the Hacker Playdate v4.0 Business Edition is next Saturday. We’ve picked up a few new sponsors including a new location at the Bartow County Library. We’ll have 2 presentations as well as a number of hands-on villages and are focusing on some of the issues that we’re seeing with Small to Medium Business this year. Additional details are available here.
- Ransomware & Rogue Tech – We continue to see computers that are infected with ransomware that encrypts the data and demands a ransom (generally payable by Bitcoin) and rogue tech support calls. Backup your data. Don’t let strangers onto your computer. That is all (for now) 🙂
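For the Windows 10 upgrade item above, here is an added example (not code from the original post and not part of Never10) for anyone who would rather apply the block from a script or a startup policy than click a button on every machine. It sets or clears the two Group Policy registry values Microsoft documented for administrators, DisableOSUpgrade and DisableGwx; that these are equivalent to what Never10 toggles is an assumption here, not something the post states. The values are only honored on systems that have the 2015 Windows Update client updates that introduced them, and the script must be run from an elevated prompt.

```powershell
# Added example: block or re-allow the Windows 10 upgrade offer via policy values.
# Assumption: DisableOSUpgrade and DisableGwx are the documented policy values;
# treating them as "the same thing Never10 does" is an assumption, not a fact
# taken from the post. Run elevated. Usage:
#   .\Set-Win10UpgradeBlock.ps1 -Action Disable   # suppress the upgrade offer
#   .\Set-Win10UpgradeBlock.ps1 -Action Enable    # remove the block again
#   .\Set-Win10UpgradeBlock.ps1                   # report current state
[CmdletBinding()]
param(
    [ValidateSet('Disable', 'Enable', 'Status')]
    [string]$Action = 'Status'
)

# Policy values (HKLM, DWORD 1 = block the upgrade offer / GWX notifications).
$Policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx' }
)

function Get-UpgradeBlockStatus {
    # Report each policy value and whether it is currently set to 1.
    foreach ($p in $Policies) {
        $value = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        New-Object PSObject -Property @{
            Key     = $p.Path
            Name    = $p.Name
            Value   = $value
            Blocked = ($value -eq 1)
        }
    }
}

function Set-UpgradeBlock([bool]$Block) {
    # Create the policy keys if absent, then set (block) or remove (allow) the values.
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        if ($Block) {
            New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value 1 -Force | Out-Null
        } else {
            Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        }
    }
}

switch ($Action) {
    'Disable' { Set-UpgradeBlock $true;  Get-UpgradeBlockStatus }
    'Enable'  { Set-UpgradeBlock $false; Get-UpgradeBlockStatus }
    'Status'  { Get-UpgradeBlockStatus }
}
```

Because the values live under HKLM\SOFTWARE\Policies, the same two settings can be pushed through a Group Policy Preference or a domain GPO instead of a script, which is the sensible route for more than a handful of machines.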
Updates
Executive Summary – The spotlight this month is shared between Microsoft (with 13 bulletins again this month) and ransomware. If you follow our sister company Piratica, you’re well aware of the havoc that ransomware has been wreaking in the medical field lately and of its rapid evolution (the latest being the so-called cryptoworm).
Microsoft – Microsoft released 13 bulletins this month, MS16-037 through MS16-050 (one number in that range, MS16-043, was not released; MS16-036 was released out of band on 10 March 2016 and addressed a critical vulnerability in Adobe Flash Player, similar to MS16-022). Six of the bulletins are rated critical (by Microsoft) and all six address vulnerabilities that could allow remote code execution. The remaining seven are rated important (by Microsoft), including the much ballyhooed MS16-047 Badlock update, and range from denial of service to remote code execution. The ratings from Microsoft and SANS were fairly consistent this month, but one thing of note is that, per SANS, there are known exploits in the wild for the vulnerabilities addressed in MS16-039: two of its CVEs, CVE-2016-0165 and CVE-2016-0167, carry a Microsoft exploitability index of 0 (exploitation detected). A number of other CVEs carry an exploitability index of 1 (exploitation more likely) but had no known exploits as of the time of this article.
One other thing that’s worth noting is more of a pet peeve than anything else. MS16-050 addresses vulnerabilities in the Adobe Flash Player and applies to, in addition to other products, Windows Server 2012 R2. I know that it happens, but installing ‘userland’ tools like Adobe Flash on a server is just not a good idea. (One caveat: on Windows Server 2012 and 2012 R2 the Flash component is bundled with Internet Explorer and serviced through Windows Update, so it is present whether or not anyone installed it; the practical fix is to keep the Microsoft update applied and keep web browsing off the server.) (end rant)
Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product, from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Additional details are available from Microsoft here, SANS here and Threatpost here.
Adobe – Adobe has been in the news a good bit this month with emergency updates. As of the time of this writing, the most recent updates from Adobe include APSA16-01 (Flash Player security advisory), APSB16-10 (Flash Player), APSB16-11 (Creative Cloud Desktop) and APSB16-12 (RoboHelp Server). All users are encouraged to, if they have not already, either remove Adobe Flash Player completely or update to the latest version. It has come to our attention that a number of enterprise applications, some dealing with ePHI, still require significantly outdated versions of Adobe Flash Player to use their product. We have reached out to the software manufacturers to discuss options and to try to determine when an update (to allow secure versions of Adobe Flash Player to be used) will be available but, as yet, have gotten no usable response. In these cases, we have been able to mitigate most of the risk with other options (at the gateway and / or proxy) successfully.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe here, including links to download the update(s) and instructions for installation.
Java – It’s been quite a while since Java really made headlines but late last month, it happened. Researchers found that a vulnerability that was thought to have been resolved in 2013 was still present and ‘trivially exploitable’. To their credit, Oracle released an update very quickly. The latest version of Java is currently 8 update 77. If you have additional (older) versions of Java installed, you should remove them. In Windows, you can check this by going to Add / Remove Programs (Programs and Features on Windows 7 and later) and looking for older versions.
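Checking Add / Remove Programs by hand works for one machine; for more than that, here is an added example (not code from the original post or from Oracle) that reads the same Uninstall registry entries the control panel shows and flags any Java runtime older than the version the post names as current, Java 8 update 77. It assumes Oracle’s entries carry a DisplayName like “Java 8 Update 77” or “Java(TM) 6 Update 45” and a DisplayVersion such as “8.0.770.3”, where the third field is the update number times ten; both the 32-bit and 64-bit registry views are checked.

```powershell
# Added example: inventory installed Java runtimes and flag anything older than 8u77.
# Assumptions: DisplayName matches "Java [(TM)] <major> Update <n>" and DisplayVersion
# looks like "8.0.770.3" (major.minor.update*10.build). $CurrentMajor/$CurrentUpdate
# come from the post ("8 update 77"); adjust them as Oracle ships newer releases.
$CurrentMajor  = 8
$CurrentUpdate = 77

# Native and 32-bit-on-64-bit uninstall keys (what Add / Remove Programs reads).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-JavaUpdate([string]$DisplayVersion) {
    # "8.0.770.3" -> Major 8, Update 77 ; "7.0.800" -> Major 7, Update 80
    if ($DisplayVersion -match '^(\d+)\.(\d+)\.(\d+)') {
        New-Object PSObject -Property @{
            Major  = [int]$Matches[1]
            Update = [int][math]::Floor([int]$Matches[3] / 10)
        }
    }
}

function Get-InstalledJava {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d+ Update' -and $_.DisplayVersion } |
        ForEach-Object {
            $v = ConvertTo-JavaUpdate $_.DisplayVersion
            # Unparseable versions are treated as outdated so they get looked at.
            $outdated = ($v -eq $null) -or ($v.Major -lt $CurrentMajor) -or
                        ($v.Major -eq $CurrentMajor -and $v.Update -lt $CurrentUpdate)
            New-Object PSObject -Property @{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Outdated       = $outdated
                UninstallCmd   = $_.UninstallString   # the command Add / Remove Programs would run
            }
        }
}

Get-InstalledJava | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Outdated -AutoSize
```

Anything reported with Outdated = True is a candidate for removal; the UninstallCmd property carries the uninstall command for each entry if you want to script the cleanup after reviewing the list.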
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – Phishing continues to dominate the attack landscape and, as a result, phishing campaigns continue to be one of the most frequently requested services. We are also seeing an increasing number of small to medium businesses interested in vulnerability assessment and penetration testing, which is certainly a good thing. The idea of offensive security (i.e., hiring someone to break in and find vulnerabilities for you rather than waiting until an attacker / threat actor does it) has traditionally not been on the radar for small to medium business. Recent events like the rash of malware attacks on medical businesses and a rise in the number of attacks on law firms, combined with increasing regulatory requirements (HIPAA-HITECH, PCI-DSS, etc.) and demands from trade partners, seem to be catalyzing the sector into considering a more proactive approach.
We launched the new https://piratica.us website last month and, with it, a weekly opt-in mailing list that was basically a summary of the news that we posted to the site. The feedback that we’ve received from both the site and the mailing list has been phenomenal, far better than we could have expected. We’re excited that people are not only reading the news (on the site and via the emails) but forwarding them along to friends, co-workers and business associates as well and giving feedback on what additional types of information they would like to see. If you haven’t checked out the site or signed up for the mailing list already, definitely do so and let us know what you think.
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.