Serious NTPd vulnerabilities Patched; XTM Not Affected

Today, CERT and NTP.org warned the world about some serious vulnerabilities in a very popular network time server called ntpd. If you use Linux systems, or any number of network appliances, chances are you’re using ntpd somewhere in your organization, and should apply the 4.2.8 update (tarball) as soon as possible.

Network Time Protocol (NTP) is a standard for updating and synchronizing your computer’s clock over a network. Ntpd is one of the most popular NTP services; it ships with Linux and Unix operating systems and is also used by many Linux-based network and hardware appliances (perhaps even some Internet of Things devices). According to CERT’s advisory, ntpd suffers from four new security vulnerabilities. I won’t explain them all in detail, but the worst are buffer overflow vulnerabilities in a number of ntpd functions. In short, by sending specially crafted packets, a remote and unauthenticated attacker can exploit these buffer overflow flaws to execute arbitrary code on any system running ntpd. The malicious code would run with the same privileges as the ntpd process (ntpd’s privileges vary from system to system).

These buffer overflow flaws are very serious, as any remote attacker can exploit them without authentication, as long as she has network access to your ntpd service. CERT assigned the flaws a 7.5 (out of 10) CVSS rating, which is pretty high. I highly recommend you update ntpd on all your *nix servers immediately.

Also, throughout the next few weeks we will likely learn of many other Linux-based products that are affected by this ntpd flaw. Be sure to watch CERT’s alert for these updates, and upgrade the firmware of any affected devices when it’s available. To learn more about these issues, check out CERT and NTP.org’s advisories (Note: At the time of writing, NTP’s advisory was experiencing occasional downtime).
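Before the product-specific notes, a practical check for your own *nix hosts. The Python script below is an added example, not part of the original post: it parses the version string printed by `ntpd --version` (or reported in the `version=` field of `ntpq -c rv`) and flags anything older than the 4.2.8 release the advisory points to. The sample outputs and hostnames are constructed for the example, not captured from real systems.

```python
import re

# 4.2.8 is the release CERT and NTP.org point to as the fix;
# anything that sorts below it is treated as affected.
PATCHED_VERSION = "4.2.8"

# ntpd version strings look like "ntpd 4.2.6p5@1.2349-o ..." or "ntpd 4.2.8@1.3265-o ...".
# The optional "pN" suffix is a patch level within a release.
_VERSION_RE = re.compile(r"\bntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(text):
    """Return (major, minor, micro, patch) from `ntpd --version` or `ntpq -c rv` output.

    A release without a pN suffix gets patch level 0, so that
    4.2.7p485 < 4.2.8 < 4.2.8p1, which matches how NTP numbers its releases.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ntpd version string found")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def parse_version_literal(version):
    """Parse a bare version such as '4.2.8' with the same rules."""
    return parse_ntpd_version("ntpd " + version)


def is_patched(text):
    """True when the reported ntpd is 4.2.8 or newer."""
    return parse_ntpd_version(text) >= parse_version_literal(PATCHED_VERSION)


# Constructed sample outputs (hostnames and build strings are made up):
SAMPLES = {
    "web01": "ntpd 4.2.6p5@1.2349-o Mon Jan  6 10:00:00 UTC 2014 (1)",
    "db01": "ntpd 4.2.7p485@1.2483-o Mon Jan  6 10:00:00 UTC 2014 (1)",
    "ntp01": "ntpd 4.2.8@1.3265-o Mon Jan  6 10:00:00 UTC 2014 (1)",
    # `ntpq -c rv` style output: the version is one of several key=value fields
    "fw-mgmt": (
        "associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n"
        'version="ntpd 4.2.6p5@1.2349-o Mon Jan  6 10:00:00 UTC 2014 (1)",\n'
        'processor="x86_64", system="Linux/3.2.0"'
    ),
}


def audit(samples):
    """Map each host to True (patched) or False (needs the 4.2.8 update)."""
    return {host: is_patched(output) for host, output in samples.items()}


if __name__ == "__main__":
    for host, ok in sorted(audit(SAMPLES).items()):
        print(f"{host}: {'patched' if ok else 'UPDATE NEEDED'}")
```

Treat the version string as a first pass only: some distributions backport security fixes into older package versions without changing the version ntpd reports, so confirm against your vendor’s own advisory before declaring a host clean.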

Are WatchGuard Products Affected?

Finally, astute customers might wonder if any WatchGuard products are affected by these flaws, since they are Linux-based. The good news is our flagship XTM products are not affected. However, our XCS mail security appliances are. More details below:

  • XTM and Firebox appliances: Our XTM appliances use openntpd for NTP communications, rather than ntpd. They are NOT VULNERABLE to the ntpd flaws.
  • WatchGuard Wireless Access Points (AP): Our wireless APs only use ntpclient for time synchronization, and are NOT VULNERABLE to the ntpd issues.
  • XCS appliances: Our XCS appliances do use ntpd, and are VULNERABLE to these flaws. However, you can easily mitigate the risk of these ntpd vulnerabilities. Most administrators have a firewall in front of their XCS appliance. We recommend you prevent external NTP traffic (UDP 123) from reaching your XCS appliance. Rather, set up an internal NTP server (make sure to update ntpd if you use it) and get network time synchronization from that internal server instead.
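The mitigation described for XCS (time only from an internal server, external UDP 123 blocked at the firewall) has a configuration-side check as well. As an added example that is neither WatchGuard’s nor the original post’s code, the Python below reads an ntp.conf, lists every server/peer/pool directive, and reports which time sources would still require NTP traffic to or from the Internet. Both configuration texts are constructed samples, and the 10.0.0.x internal server addresses are assumptions.

```python
import ipaddress

# Constructed sample: a default-style ntp.conf that pulls time from Internet pool hosts.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 203.0.113.7          # a literal Internet address
"""

# Constructed sample: time comes only from internal servers (assumed addresses),
# so the upstream firewall can drop all external UDP 123 to this host.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 10.0.0.10 iburst
server 10.0.0.11 iburst
"""

# Directives that name a time source ntpd will talk to.
TIME_SOURCE_DIRECTIVES = {"server", "peer", "pool"}

# Address ranges we consider "internal" for this check: RFC 1918, loopback, IPv6 ULA/loopback.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")
]


def time_sources(conf_text):
    """Yield (directive, target) for every server/peer/pool line, ignoring comments."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in TIME_SOURCE_DIRECTIVES and len(parts) > 1:
            yield parts[0], parts[1]


def classify(target):
    """'internal' for addresses in INTERNAL_NETS, 'external' for any other literal
    address, and 'hostname' for names that must be resolved (the pool names shipped
    in default configs point at Internet hosts, so they count as external too)."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "hostname"
    # `addr in net` is False when the address families differ, so mixing v4/v6 is safe.
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def external_sources(conf_text):
    """Return the time sources that would need UDP 123 to cross the perimeter."""
    return [(d, t) for d, t in time_sources(conf_text) if classify(t) != "internal"]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        leaks = external_sources(conf)
        print(f"{name}: {len(leaks)} external time source(s)")
        for directive, target in leaks:
            print(f"  {directive} {target} [{classify(target)}]")
```

Run against the real file (`/etc/ntp.conf` on most systems) once the internal server is in place; an empty result means the firewall rule blocking outside UDP 123 will not break time synchronization on that host.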

Update on Dec 29th 2014:

  • XCS Hotfix: XCS 10.0 NTP Hotfix was published on Dec 26th to patch ntpd. WatchGuard XCS 10.0 Update 2 must be installed before installing this hotfix release.
  • WatchGuard Dimension: Although not technically exposed, Dimension includes an affected version of ntpd. A patch for Linux in Dimension was made available on Dec 23rd. Dimension automatically downloads security updates for its Linux components when they become available. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

— Corey Nachreiner, CISSP (@SecAdept), Brendan Patterson, CISSP

ICANN Breach & More Sony – WSWiR Episode 133

Wow! This week’s been such a busy news week that the information security (InfoSec) stories kept pouring in, long after I finished this week’s video. The latest? CERT just warned about some critical vulnerabilities in NTPd, a popular network time protocol (NTP) service that many network devices and software packages use. If you use NTPd, look into it (and I’ll post more soon). In the meantime, if you can’t keep up with the weekly deluge of security news, let our video summarize the important stuff for you.

Today’s episode covers a website hijacking campaign targeting WordPress plugins, a new SOHO router vulnerability called Misfortune Cookie, and a noteworthy breach affecting ICANN (the folks who manage domain names). I even throw in the latest Sony updates for good measure. Press play to learn more about those stories, but don’t forget to check out the References section too. It covers other interesting news, such as the last-minute, breaking NTPd issue.

Quick show note: I’m taking some time off for the Holidays, so I won’t be posting a video for two weeks. Have a happy holiday yourself, and I’ll see you next year.

(Episode Runtime: 12:47)

Direct YouTube Link: https://www.youtube.com/watch?v=T-gdqsB5Qiw

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

The Disturbing Reality of Guest Network Security

New WatchGuard functionality enhances security and convenience to better protect guest network users across hotel, restaurant and other hospitality organizations

Life on the road no longer means losing touch. Today’s global travelers rely on Internet access for both work and pleasure, whether it’s responding to business email, planning vacation activities or staying connected with loved ones still at home. In fact, a recent study found that free Wi-Fi is now the most important in-room hotel amenity – even higher than a bathroom with shower and daily housekeeping.[i]

Luckily, travelers today have Internet access while on the go with hotels, restaurants, coffee shops and many other hospitality locations that offer free Wi-Fi guest network access. But, are users getting more than they bargained for?

WatchGuard recently surveyed hospitality organizations across the globe to map out the most common guest network security controls and protocols. Surprisingly, 71 percent do not provide unique temporary user passwords for guest Wi-Fi networks.[ii] That’s alarming since universal password protection (or worse, no password protection) invites unwelcome guests that have anything but hospitality on their minds.

The survey goes deeper, finding that 51 percent of global hospitality organizations do not monitor guest networks for suspect applications, malware or malicious activities; 62 percent do not monitor guest activity to limit bandwidth-intensive applications; and 48 percent do not use policy mapping or data visualization tools to monitor performance.[iii]

These statistics show a complete lapse in standard security protocols that could very easily compromise guest network user security (not to mention connected corporate networks). Lacking visibility and monitoring also impacts overall guest network performance and user experience on top of the growing security risks.

Security threats are growing in complexity with many of the latest major breaches initiating via hotel or other guest networks. The DarkHotel threat targets hotel guests and has already been downloaded more than 30,000 times in a few short months. Plus, the Sony hack is reported to have originated via a hotel network.

The good news is that hospitality organizations now have options to quickly and easily strengthen guest network security. WatchGuard today announced functionality to better protect guest network users across hotel, restaurant and other hospitality organizations. These new features allow hospitality organizations to:

  • Provide custom, branded hotspot splash pages
  • Provide flexible account options, such as:
    • Configurable time limits
    • Batch-generated usernames and passwords
    • Password-only voucher options
  • Minimize liability with custom terms and conditions.
  • Allow guest administrator roles for non-IT staff to generate accounts

Click here to learn more about the technical specifications of today’s hospitality guest network announcement.

[i] Hotels.com: http://press.hotels.com/en-us/news-releases/travelers-rank-complimentary-breakfast-and-free-wi-fi-as-the-most-valuable-hotel-amenities-in-global-survey/

[ii] WatchGuard Technologies 2014 Global Hospitality Wireless Network Survey

[iii] Ibid.

2015 InfoSec Trends You Should and Shouldn’t Worry About

We’re rushing headlong into the end of the year, which means it’s that time again: time to pull out my crystal ball for WatchGuard’s annual security predictions.

We actually already released next year’s security predictions last week. You can read our press release about them (which includes a shortened version of the predictions) or check out this cool and succinct infographic. In fact, you can even watch a recording of my one-hour prediction presentation. However, for the folks who prefer to read, I’ve gone ahead and posted the longer version of my predictions below.

Also, we decided to do things a bit differently this year. As security professionals we spend a lot of our time looking for trouble and expecting the worst. And in 2014, there were lots of vulnerabilities and threats to be found, such as Heartbleed, Regin and Operation Cleaver. However, rather than just focusing on which threat trends you should worry about the most, we thought it might be useful to also share some over-hyped trends, which may not affect you. Hence, five predictions you need to prepare for in 2015, and five you don’t.

Top Five Things NOT to Worry About:

  1. The Internet of Everything Will NOT Bring a Rise of Machines:  Lately, information security (infosec) pundits, myself included, have warned the world about the dangers posed by the thousands of embedded computing devices popping up in stores, which we call the Internet of Things (IoT) or the Internet of Everything (IoE). Things like watches, cameras, Smart TVs, and much more, don’t look like computers, but they are, and we connect them to the same networks as our computers.

As a result, these devices can have the same potential security flaws as traditional computers, and we will see researchers find and demonstrate these flaws. That said, we won’t see malicious cyber criminals hacking these IoT devices at a large scale in 2015. Today’s cyber criminals typically don’t just hack for the heck of it—they need motive. There’s not much value to having control of your Smart watch or TV, so we won’t see hackers targeting them directly… yet. However, these IoT devices do increase the amount of ways we share data with the cloud. Though attackers probably won’t target the IoT next year, they will go after all the personally identifying information (PII) that our computing devices spew into the cloud.

  2. Cloud Adoption Will NOT Continue its Stratospheric Climb in 2015: Security pundits have always been a bit suspicious and slow to adopt certain cloud services, especially when the service requires you to share sensitive data with an external cloud vendor, or give up some control. Despite this, businesses have quickly and widely adopted many cloud services, presumably because they offer so much business advantage. For instance, web hosting and email have become services many companies choose to host elsewhere.

However, this cloud adoption will slow and plateau in 2015. Snowden has made the world aware that nation states intercept information from cloud services, and incidents like “The fappening” prove that the things we share with “the cloud” can leak. Between the “Snowden effect” and a number of popular cloud services leaking data, organizations will be more concerned with where they put certain sensitive information. This doesn’t mean businesses will stop using the cloud where it makes sense. It just proves that we can’t put everything in the cloud. Administrators should consider security controls that help in this hybrid environment; controls that help them manage their network perimeter alongside their cloud resources.

  3. Passwords Will NOT Die in 2015, or 2016, or 2017…: Over the past few years, the industry has suffered a number of password-related security incidents: both attackers stealing them en masse, and hackers hijacking high profile accounts. These incidents often illustrate that common folk still use bad passwords and that our reset mechanisms are weak. As a result, many in the industry have predicted passwords will die.

There are two faults with this logic: first, it overlooks the core cause of the issue and, second, we haven’t found a viable alternative. When bulk password thefts happen, the passwords aren’t at fault; rather, the fault lies with the lack of security at the organization maintaining them. Furthermore, we haven’t found a perfect replacement for passwords. Biometrics are neat, but fingerprints can get stolen too, and once they are, you can’t ever change them. A better prediction for next year is that two factor authentication will become ubiquitous online, and passwords will remain as one of the two factors.

  4. Secure Design Will NOT Win over Innovation: It’s easy to love new technology and gadgets and the innovations they introduce to our lives, making things easier and more delightful. However, humanity is notorious for diving head first into innovative technology without considering the potential consequences. More specifically, security is usually the last thing on our minds when we innovate. This means the newest, most innovative technologies often arrive rife with vulnerability.

This won’t change in 2015. In order to invent, and push boundaries, we must take risks. That means security will continue to take a back seat to innovation. That doesn’t mean innovation is a bad thing. We should welcome technologies that make our lives easier. However, it does mean that you, as a security professional, have the tough job of weighing the operational benefits of new technologies against their potential security risks. While infosec professionals cannot afford to become a roadblock against innovation, we also can’t let insecurity creep into our networks under the guise of “good” business.

  5. SDN Will Have Security Implications, But NOT For Years: If you follow technology analysts or keep up with bleeding edge networking, you’ve probably heard all the excitement around the next great networking innovation—Software Defined Networking (SDN). Without going into detail, SDN basically does for networking what hypervisors did for computing… it virtualizes it. At the highest level, SDN is a new network architecture paradigm where the control plane is decoupled from the data plane. Rather than letting proprietary networking hardware make fairly static traffic routing decisions that apply equally to all traffic, SDN allows controllers to make dynamic routing decisions that can differ based on the applications sending the traffic, the location of the device, and many other things. SDN will help networking catch up with the dynamic, mobile, cloudy world we live in.

SDN totally changes how we build and control networks, which means it will also completely change network security. For instance, in an SDN world, network security controls don’t have to be inline. The SDN controller can forward certain traffic to the relevant security controls when necessary—no matter where that security control happens to be on the network. This could make mobile security much easier, but also places much of the network security onus on the SDN controller and proper policy.

Having said all that, our prediction is you won’t have to worry about SDN security next year, or anytime soon! Despite all the hyperbole and excitement from forward-leaning technologists, SDN is quite a ways from primetime adoption. While ISPs and cloud providers might start experimenting with it, the average organization is nowhere near changing their network architecture to support it. Think of it like IPv6. We’ve been predicting for years that IPv6 is coming, and one day everyone will have to start using it, yet most organizations still haven’t adopted it. SDN is the next IPv6, so don’t lose sleep over securing it yet.

Top Five Things To Worry About:

  1. Nation States Lock ‘n Load for Cyber Cold War: All significant nations have long started developing their red team and blue team cyber defense and attack capabilities. Between incidents in Estonia and Georgia, Snowden’s revelations, Stuxnet, Regin, and many other incidents, we’ve already learned that nation states are quietly launching espionage campaigns against one another, and even stealing industrial intellectual property.

I expect to see many more nation state cyber espionage incidents next year and suspect we are already in the middle of a cyber cold war, where nation states quietly “demonstrate” their cyber capabilities. While this cyber posturing doesn’t directly affect the average citizen or business, the techniques nation states use are more sophisticated. Whenever these new campaigns surface (and they do), criminal hackers learn quite a bit from them. You should expect the nation state cyber attacks to “raise the tide for all boats” and elevate the complexity of criminal attacks as well.

  2. Malware Jumps Platforms from Desktop to Mobile Devices – And Bites Hard: More and more malware has been designed to infect multiple systems. Traditionally, we’ve seen small samples of Java attacks and malware that infect both Windows and OSX computers, but an even better combination is malware that jumps from traditional operating systems to mobile platforms, or vice versa. In 2015, WatchGuard expects to see more malware samples like WireLurker, which infects your normal computer before jumping to the mobile devices that you plug into it. The cross-platform malware families could be in a better position to steal banking credentials, especially as more users adopt two-factor authentication with SMS messages to a mobile.

On top of that, attackers will find many new ways to monetize mobile infections, so expect mobile malware to have more teeth in 2015. For instance, after its success on traditional computers, expect to see customized mobile ransomware, designed to make your mobile unusable until you pay up. With the adoption of Apple Pay, we also expect to see more attackers targeting mobile wallets and NFC. You don’t want to skimp on mobile security in 2015.

  3. Encryption Skyrockets – As Do Government Attempts to Break It: Security pros have always recommended encryption to protect data. However, both users and the industry have historically been slow to adopt encryption on a wide scale—likely due to its complexity and resource expense. That is changing. Between Snowden’s revelations and an increase in breaches, we realize “bad actors” are snooping on our communications, and our privacy is at risk.

As a result, our use of encryption, especially HTTPS, has skyrocketed in 2014 and will continue to grow quickly in 2015. Meanwhile, government actors, like the director of the FBI, are petitioning for ways to break our encryption for “law enforcement use.” As an industry, security pros must do three things: continue to leverage encryption whenever possible; fight for the right to retain private, unbreakable encryption; and make sure to build networks that can support heavy use of encryption without slowing bandwidth and adversely affecting business.

In a related aside, attackers will also leverage encryption more in 2015, to help their attacks evade our detection. While there is no perfect way to defend against custom encryption, you should consider security technologies that can recognize attacks in HTTPS traffic, and can keep up with the new volume of encrypted traffic on our networks.

  4. Business Verticals Become New Battleground for Targeted Attacks: There’s always been a mild debate between opportunistic and targeted attacks, and whether one or the other poses the bigger threat. One might say opportunistic attacks are more threatening because they affect everyone and happen at a large scale, whereas another points out targeted attacks tend to be more sophisticated and result in more damaging losses. While both threats pose risk, and can affect everyone, some new trends will tip the favor toward targeted threats next year, while also expanding the affected target base.

Targeted attacks have increased and become more sophisticated largely due to the fact that cyber criminals have matured. They realize writing malware costs something and that they need a return on that investment. They’ve also learned three, sometimes-competing, lessons:

  • The more widespread your attack, the quicker it gets detected.
  • It’s easier to monetize certain stolen data, so the type of victim matters.
  • The more victims you can attack at once, the larger your return on investment.

How does a cyber criminal retain the benefits of a stealthy targeted attack, while still pursuing big victim-pools to make lots of money? They do so by targeting business verticals rather than individual organizations. We’ve already seen this begin to happen, with criminals targeting retailers, hotel chains, or game companies as verticals. They’ve even designed custom malware for some verticals (e.g. point-of-sale malware). This trend will continue into 2015, with attackers targeting other verticals, such as financial services, and healthcare. You also won’t have to be a Fortune 500 to become a target. Modern cyber criminals will target businesses of every size, as long as they are part of an interesting, profitable business vertical.

  5. Understanding Hacker Motives Key to Defending: Information security is a relatively new field and is evolving quickly. Until now, security pros have focused mostly on the “how” and “what” aspects of the cyber threat. For instance, we previously paid most attention to the technical ins and outs of how bad guys attacked our networks, or how their malware mechanically worked, and we created our defenses based on those technical understandings.

However, as our field matures we’re learning how important it is to understand the “who” part of the equation as well. The threat actors menacing us have changed greatly in the past decade. They’ve gone from curious and mischievous kids exploring, to cyber activists pushing a message, to organized criminals stealing billions in digital assets, to nation states launching long-term espionage campaigns. Each of these threat actors has different goals, different tactics, and different targets, and there’s even significant nuance among like groups of threat actors.

As defenders, we’re starting to realize that our adversaries’ motives matter greatly in how we defend ourselves. Few organizations have the resources to defend against every possible threat. However, knowing the motives and tactics of various actors helps us understand which ones threaten our organization the most, and how they prefer to attack. In 2015, smart organizations will use threat intelligence and adversary motive to better customize defenses for the type of threat actor most likely to target their organization. For instance, if you work for a restaurant chain, you’re probably most concerned with organized cyber criminals, and might want to tailor your defenses to the attack techniques and PoS malware used by Russian and Ukrainian cyber gangs.

I hope you’ve enjoyed and learned something from this year’s InfoSec predictions. If you want to learn more, download the infographic or watch my 2015 Security Predictions presentation.

— Corey Nachreiner, CISSP (@SecAdept)


Poodle’s Back – WSWiR Episode 132

Another week, another batch of information security (infosec) news. Would you like a quick summary, rather than hunting it down yourself? No problem! Just check out our weekly video every Friday.

Today’s episode covers the Patch Day bonanza, lots of updates on the Sony Pictures breach, and a new twist on the “Poodle” SSL/TLS vulnerability. Press play for the scoop, and check out the References and Extras section for more stories and details.

(Episode Runtime: 7:13)

Direct YouTube Link: https://www.youtube.com/watch?v=WbbZjRtyODA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

The Pirate Bay Raided; Watch Out for Torrent Scams

I’m fascinated with how well criminal hackers consistently take advantage of pop culture events or breaking news to further their malicious campaigns.

Yesterday, news broke that the Swedish authorities raided the company that hosted The Pirate Bay, a popular torrent tracking site that is known primarily for spreading illegal copies of software and other media. The raid seemed to also include other popular, piracy-related trackers as well.

The raid itself is kind of inconsequential to my post. I don’t care much that some piracy sites are down, and you probably don’t either since piracy is illegal. However, I am interested in how malicious actors seem to quickly take advantage of these sorts of situations.

On sites like Reddit, the community quickly started discussing this big newsworthy take down, and many started asking where else to go for their favorite torrents now that The Pirate Bay is (at least temporarily) down. This is where the evil fun begins. It wasn’t long until some anonymous users started posting “recommendations” that linked to shady places. It never ceases to amaze me how quickly bad actors recognize big cultural events, and take advantage of them to lure victims to malware. I suspect bot herders will use the topic of “new torrent trackers” to lure ex-Pirate Bay users for weeks. So be careful what you click.

My takeaway here is two-fold. First, anytime there is big news, remember black hats will try to use your curiosity against you. If you do use torrents (there are legal ones too, after all), you might want to remain suspicious of links to new sites. My second point is more of a security aside about piracy. Obviously it’s illegal, but don’t forget that it’s also a malware magnet. Few things in the world are free. One of the reasons others “willingly” share pirated software is that it’s a great way for them to include malware that tags along.

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft’s Last Patch Day Until 2015; Three Critical Patches

It’s that time of the month again; Microsoft Patch Day. Yesterday, Microsoft posted their regular batch of security updates, so it’s time you patch your Windows systems. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s December Patch Day Summary page for more details.

By the Numbers:

On Tuesday, Microsoft released seven security bulletins, fixing a total of 25 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Exchange Server.

They rate three bulletins as Critical, four as Important.

Patch Day Highlights:

The Exchange update is the most interesting one, but let’s start with what you should patch first. I’d start with the Internet Explorer (IE) update, as it closes a bunch of holes bad guys can use for drive-by download attacks. Next, even though Microsoft doesn’t rate it as Critical, the Exchange update fixes a few flaws attackers could leverage to access your users’ email (if they can get those users to click links). Since email is so important, I’d take care of that next. Then move on to the various Office updates, to make sure your users aren’t affected by malicious Office documents. Finally, even though it poses minimal risk, finish with the Graphics component update.

Quick Bulletin Summary:

We summarize December’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-080 – Critical – Cumulative Internet Explorer update fixes 14 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS14-075 – Important – Four Exchange Server Vulnerabilities – Microsoft’s email server, Exchange, suffers from four security flaws. The worst are a pair of cross-site scripting (XSS) flaws. If an attacker can trick you into clicking a specially crafted link on a system you use for OWA, he could exploit these flaws to gain access to your email as you. The remaining flaws allow attackers to spoof emails to appear to come from someone else, or to spoof links that appear to link to somewhere else.
  • MS14-081 – Critical – Two Word Remote Code Execution Flaws – Word suffers from two flaws involving how it handles specially crafted Office files. In short, if an attacker can get you to open a malicious Office file, she can exploit these flaws to execute code on your computer.
  • MS14-082 – Important – Office Code Execution Flaw – Word, an Office component, suffers from yet another code execution vulnerability, similar to the two described above. I’m not sure why Microsoft included this as a separate bulletin, with a lower severity, since it seems to have a similar impact and mitigating factors as the flaws above.
  • MS14-083 – Important – Two Excel Code Execution Flaws – Excel suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious spreadsheets.
  • MS14-084 – Important – Windows VBScript Memory Corruption Flaw – The Windows VBScript component suffers from a memory corruption flaw that attackers could leverage through your browser. If an attacker can lure you to a website with malicious code, he could exploit this flaw to execute code with your privileges.
  • MS14-085 – Important – Windows Graphic Component Information Disclosure Flaw – The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities more easily.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing. You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download December’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374)
  • WEB Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)
  • FILE Microsoft Word Remote Code Execution Vulnerability (CVE-2014-6357)
  • FILE Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0574)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • WEB Microsoft Internet Explorer XSS Filter Bypass Vulnerability (CVE-2014-6328)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • FILE Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6366)
  • FILE Adobe Flash Player opcode pushwith Memory Corruption Vulnerability (CVE-2014-0586)
  • FILE Adobe Flash Player opcode pushscope Memory Corruption Vulnerability (CVE-2014-0585)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)


Sony Breach & More – WSWiR Episode 131

Operation Cleaver, FIN4, Regin, and Sony Breach

Now that cyber attacks have gone primetime, every week is filled with new information security (infosec) news, leaving administrators little time to catch up. If you’re falling behind, let our weekly video summarize the biggest security news for you.

No vacation goes unpunished.

Unfortunately, skipping last week’s video due to the holidays meant missing a week of pretty important security news, and those revelations continued this week. As a result, this week’s video covers four security stories and is much longer than normal. The theme for the week: advanced attack campaigns and breaches.

To make things easier, I share specific video links to each individual story below. If you don’t want to watch the whole thing at once, use the links to skip to the topics you care about. Otherwise, click play below to catch up on two weeks of infosec news, and check out the Extras section for links to many other stories.

(Episode Runtime: 22:20)

Direct YouTube Link: https://www.youtube.com/watch?v=NX4fvTqJHWE

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

New Releases: Fireware XTM 11.9.4 and WSM 11.9.4

Fireware OS 11.9.4 and WSM 11.9.4 are now available. This maintenance release includes many bug fixes and several new enhancements. The Release Notes list all resolved issues and new enhancements in the software.

Key Highlights:

  • New Guest Services capability enables the creation of temporary accounts for hotspot access. Ideal for hotels and retail stores to provide internet access for their visitors and customers. A new guest administrator role and user interface enable front line staff to manage and create the accounts.
  • Selective inspection or bypass of encrypted web traffic (HTTPS DPI) via domain name or web category. Administrators now have more flexibility, allowing them to bypass DPI inspection of known good sites that need to remain private, such as online banking or financial applications.
  • Diagnostic report output of Branch Office VPN configurations helps with quick troubleshooting and repair of any tunnel issues.
  • SSLv3 is disabled by default to protect against man-in-the-middle attacks that could exploit the POODLE vulnerability (CVE-2014-3566).
  • Many bug fixes to improve the scalability and reliability of Single Sign-On.
  • Support for /31 and /32 subnets on external interfaces, which are commonly used in regions with shortages of IPv4 IP addresses.
  • WSM support for the new Firebox M400 and M500 models.
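
The SSLv3 item above is worth verifying after the upgrade, since “disabled by default” only protects you if the running configuration actually rejects SSL 3.0. The following Python script is an added example, not WatchGuard code and not part of the 11.9.4 release: it sends a minimal SSLv3 ClientHello to a listener you administer and reports whether the peer answered with an SSLv3 ServerHello (it still negotiates the protocol that POODLE abuses) or refused it with an alert or a closed connection. The host and port are command-line arguments, and the short cipher suite list is an assumption chosen for the example; it works against any TLS service you own, not only the appliance’s web interface.

```python
"""Check whether a TLS listener still negotiates SSLv3 (POODLE, CVE-2014-3566).

Added example, not WatchGuard code. It speaks just enough of the SSLv3
record layer to send a ClientHello and classify the first reply.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # version bytes for SSL 3.0 in record and handshake headers

# Cipher suites an SSLv3-era peer would accept (assumed list for the example):
# TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
# TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA.
SSLV3_SUITES = bytes.fromhex("000a002f00350005")


def build_sslv3_client_hello() -> bytes:
    """Return one SSLv3 handshake record carrying a minimal ClientHello."""
    body = (
        SSLV3                                            # client_version = 3.0
        + os.urandom(32)                                 # random (32 bytes)
        + b"\x00"                                        # session_id length = 0
        + struct.pack("!H", len(SSLV3_SUITES)) + SSLV3_SUITES
        + b"\x01\x00"                                    # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) followed by a 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.0, 2-byte length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after our ClientHello.

    'sslv3-accepted'  the peer replied with an SSLv3 ServerHello (still enabled)
    'rejected'        the peer sent a TLS alert or closed without replying
    'unknown'         anything else (truncated read, other protocol version)
    """
    if not data:
        return "rejected"            # connection closed with no handshake reply
    if len(data) < 6:
        return "unknown"             # not even a record header plus handshake type
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == 0x16 and (major, minor) == (3, 0) and data[5] == 0x02:
        return "sslv3-accepted"      # handshake record, version 3.0, ServerHello
    if content_type == 0x15:
        return "rejected"            # alert record (protocol_version, handshake_failure, ...)
    return "unknown"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except OSError:              # reset or timeout counts as a refusal
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_probe.py HOST [PORT]")
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target_host}:{target_port} -> {probe_sslv3(target_host, target_port)}")
```

After the upgrade you expect `rejected` from every listener; a `sslv3-accepted` result means the protocol is still enabled somewhere and the POODLE downgrade remains possible against clients that also support SSL 3.0.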

Full details of all changes, including screenshots of the new user interface, are provided in the What’s New in 11.9.4 presentation [PPT].

Does this Release Pertain to Me?

This release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

New Software Download Center!

Firebox and XTM appliance owners can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. No login is required to download the software, but you must have active LiveSecurity on the appliance to apply the upgrade. Please read the Release Notes before you upgrade, to understand what’s involved. Known issues are now listed in the Knowledge Base when accessed through the WatchGuard Portal. You must log in to see Known Issues.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • Authorized WatchGuard Resellers: 206.521.8375
  • International End Users: +1.206.613.0456

Is Data Encryption Compromising Network Performance? Not with WatchGuard.

New WatchGuard Firebox M400 and M500 NGFW and UTM appliances outperform the competition by 61 percent, delivering uncompromised security to meet the rise of encrypted traffic head-on.

Rising Network Traffic Leads to Compromised Security

Encrypted network traffic growth is exploding! Enterprises and service providers are adopting data encryption as a security precaution – especially as the fallout from the “Snowden effect” continues.

Encrypted data use in the U.S. doubled last year alone.[i] This number is not surprising since cloud services across Google, Dropbox, Yahoo and others are now using encryption as a default setting. Unfortunately, that encrypted data can do more to harm security than maintain it.

According to a Gartner report entitled Security Leaders Must Address Threats from Rising SSL Traffic: “With more and more encrypted traffic, this trend is likely to expand rapidly. Gartner believes that, in 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than five percent today.” [ii]

Encrypted data must be monitored and secured. But decrypting and re-encrypting data at the firewall level reduces performance by as much as 80 percent.[iii] This performance hit is compounded with each UTM security layer added – and even further compounded by surging network performance demands resulting from increased data consumption.

Rising data encryption and the “Snowden effect” can open the door for malware. Photo Source: AK Rockefeller

Each year, Internet traffic grows 21 percent.[iv] The result has pushed average data consumption to 52 GB per person per month.[v] Network performance is increasing to keep pace (42 percent each year[vi]) to enable our growing data addiction.

This exploding network traffic and performance allows more-and-more applications on corporate networks, boosting employee capabilities and productivity. Unfortunately, it also increases risk. More data and traffic on the network means more high-value targets for the Internet’s dark side.

The compromise between network security and network performance is placing many companies in a lose-lose situation – forced to make a difficult decision with very real consequences.

Rising Network Traffic Leads to Compromised Security

Compromise rarely leads to victory with network security. The new WatchGuard Firebox M400 and M500 next-generation firewall (NGFW) and unified threat management (UTM) appliances deliver leading performance to ensure you never have to compromise security for performance.

The WatchGuard Firebox M400 and M500 appliances are 61 percent faster than competing NGFW and UTM appliances with all layers of our award-winning defense-in-depth solutions turned on, and 149 percent faster when performing HTTPS inspection.[vii]

WatchGuard M400 and M500 NGFW/UTM appliances outperform competing solutions by 61 percent and are 149 percent faster when performing HTTPS inspection.

The Firebox M400 and M500 appliances run WatchGuard’s Fireware OS, which is built on the latest Intel® Pentium™ and Intel® Celeron™ Processors, allowing performance to continually scale. Customers can now run WatchGuard security appliances with all security layers enabled without sacrificing performance.

Our customers deserve uncompromised security. The WatchGuard Firebox M400 and M500 NGFW/UTM appliances deliver. Click here to learn more.

[i] Sandvine Global Internet Phenomena: https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf

[ii] Gartner, Inc. “Security Leaders Must Address Threats from Rising SSL Traffic” by Jeremy D’Hoinne and Adam Hils, December 9, 2013 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

[iii] J. W. Pirc, “SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement,” NSS Labs, June 2013.

[iv] Akamai State of the Internet Report, 2014

[v] Sandvine Global Internet Phenomena: https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf

[vi] Cisco Global IP network forecast: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html

[vii] Miercom Performance Report: http://www.watchguard.com/docs/analysis/miercom_report_112014.pdf
