PoS Fail and Browser Side-Channel – WSWiR Episode 149

As if every week wasn’t busy enough with new information security (InfoSec) news, this week was the RSA Conference, which brings with it a whole new batch of security news. If you find yourself struggling to keep up, follow my daily or weekly videos to get a quick summary of the latest relevant news.

This week, I was too busy at the RSA Conference to post my daily videos, but you can still catch some of the week’s news in today’s summary episode. In it, I cover the latest updates about the White House breach, I share some interesting tidbits from an RSA PoS security presentation, and I point out some great new research highlighting a side-channel attack that affect most web browsers. Watch the video for the details, and check out the references for more stories.

As an aside, I will be attending another industry conference next week as well, so I may not be able to post my regular Daily Security Byte. However, I’ll still post a weekly video at the very least. I’ll continue with the Daily Bytes the week following next. Have a great weekend, and stay safe out there.

(Episode Runtime: 7:20)

Direct YouTube Link: https://www.youtube.com/watch?v=gGqDplwMJA4

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Fireware OS Update Targets ‘Time Crime’

Up to 80 percent of employees’ time on the Internet each day has nothing to do with work. It’s unrealistic to completely cut it out – we all know breaks are necessary to recharge our battery. But, how much is too much?

Today, we announced the newest version of the WatchGuard Fireware® OS (11.10), which makes it easy to control the amount of data and time employees spend surfing the web. After all, we want our employees to be productive (and happy). It also allows IT pros to set website policies using names not numbers – 216.176.177.72 is now http://icanhas.cheezburger.com/. More so, the new “wildcard” function enables network admins to cover multiple domains with one policy, in turn making your team more efficient.

The new Fireware OS is available for all WatchGuard XTM and Firebox appliances, and is available starting in April 2015. For complete feature information please click here.

Below is a fun infographic that highlights some of the cyberloafing your employees are doing. Control it now with Fireware OS 11.10.

Cyberloafing_1

Patches, APT Gangs, and Sony Wikileaks- WSWiR Episode 148

Want to know what went on this week in the InfoSec world? Well then, check out my weekly security news recap video. This week I cover a ton of software security patches, news of China’s DDoS and man-in-the-middle tool, and the latest drama in the Sony breach saga. Press play to learn more, and enjoy your weekend.

(Episode Runtime: 13:25)

Direct YouTube Link: https://www.youtube.com/watch?v=uBeOUz40tws

EPISODE REFERENCES:

 

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Match.com InfoSec Fail – Daily Security Byte EP.69

Match.com is inadvertently exposing its user’s passwords to snooping hackers. Learn what they did wrong, and how you can avoid it in today’s Daily Security Byte video.

 

(Episode Runtime: 2:26)

Direct YouTube Link: https://www.youtube.com/watch?v=2tAfNx47AMo

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Wikileaks Spread Sony Dirt – Daily Security Byte EP.68

Sony Pictures is in the headlines again, this time because Wikileaks decided to air their dirt. While there are cases where information disclosure is good, I think this Wikileaks stunt is horrible. Watch the video to remind yourself why it’s so important to protect your confidential data.

 

(Episode Runtime: 2:51)

Direct YouTube Link: https://www.youtube.com/watch?v=ZNeAaqLjHCY

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

APT Spy vs. Spy – Daily Security Byte EP.67

Kaspersky researchers have found two advanced threat actor groups trying to hack one another. Today’s video talks about this spy vs spy phish off, and shares what we can learn from it. Watch the video, but be sure to check out Kaspersky report for all the interesting technical details.

 

(Episode Runtime: 3:12)

Direct YouTube Link: https://www.youtube.com/watch?v=4qTo3gB89GU

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Prakash Panjwani Named New WatchGuard CEO

Today, WatchGuard welcomes its new CEO, Prakash Panjwani. The company also announced that both he and interim CEO, Mike Kohlsdorf, have joined WatchGuard’s Board of Directors.

CEO pic

Panjwani has spent the last 12 years turning SafeNet into the global leader in data protection. While at SafeNet, he led the strategic acquisition of 12 companies including Aladdin Knowledge Systems and Cryptocard. He also refocused the company’s data protection product portfolio on three rapidly growing markets – crypto management, data encryption, and authentication. His leadership ultimately led to the wildly successful acquisition of SafeNet by Gemalto (Euronext: GTO) for $890 million, a transaction that closed in January 2015.

“Threat management and network security continues to be top of mind for companies of all sizes. WatchGuard has built a great reputation in the industry as a leading provider of solutions in this space, bringing new products to market and receiving a tremendous amount of industry recognition in the process,” said Panjwani. “I couldn’t be more enthusiastic to take what Mike Kohlsdorf and his team have built over the last year. I am excited to build on that success, working with a talented WatchGuard team and established channel partner base, to deliver best-in-class security solutions to customers worldwide.”

Patches, Patches Everywhere – Daily Security Byte EP.66

I thought I’d only have to cover Microsoft Patch Day today, but Adobe, Oracle, and Google also came along for the ride. Patching is one of the easiest and most practical ways you can improve your network’s security. Watch today’s video to learn of all the products you should update.

 

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=8mWnk6OKDl0

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Rains April Patch Showers

While not quite as bad as last month’s 14 security bulletins, April’s Patch Day is bursting with updates. According to their summary, Microsoft released 11 security bulletins, some fixing serious issues. Windows administrators should put their heads down, dive in, and get patching.

By the Numbers:

February Microsoft Patch DayToday, Microsoft released 11 security bulletins, fixing a total of 26 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • SharePoint Server,
  • the .NET Framework,
  • XML Core Services,
  • and Hyper-V.

They rate four bulletins as Critical and the rest as Important.

Patch Day Highlights:

In my opinion, the HTTP.sys vulnerability is the biggest deal this month. While it doesn’t say so directly, this flaw affects all Microsoft’s IIS web servers. Simply by sending a specially crafted web request, an attacker can take over your web server. I would patch all your public Windows-based IIS servers immediately. WatchGuard’s IPS service has a signature for this attack, which should help mitigate its risk until then.

Besides that, you should also apply all of Microsoft’s Critical updates as quickly as you can. The Internet Explorer vulnerabilities also pose a high risk since attackers can use in drive-by download attacks, which are quite popular today.

Quick Bulletin Summary:

We summarize the April security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-032 – Critical – IE Memory Corruptions Flaws – You can pretty much count on Microsoft releasing a cumulative Internet Explorer (IE) update that fixes a bunch of memory corruption flaws every month, and this month is no different. These are the types of flaws remote attackers use to execute code, and that are typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. As an aside, the update also fixes an Address Space Layout Randomization (ASLR) bypass flaw that makes it easier for bad guys to exploit memory corruption issues.
  • MS15-033 – Critical- Multiple Office Flaws – Office, and the components that ship with it (such as Word, Excel, etc.), suffer from five vulnerabilities. The worst are four memory-related code execution flaws that black hats can exploit by luring you into opening malicious office documents. If you open such a document, the attacker can execute code on your computer, with your privileges. Finally, the Mac version of Outlook also suffers from a cross-site scripting (XSS) vulnerability as well.
  • MS15-034 – Critical – Windows HTTP Stack Code Execution – HTTP.sys is Windows’ HTTP stack; the component it uses to process HTTP protocol requests. It suffers from an unspecified remote code execution vulnerability. By sending a specially crafted HTTP request, an attacker could exploit this flaw to gain complete control of your computer (code executes with SYSTEM privileges). However, you must be running some web service that uses HTTP.sys (such as IIS) to be vulnerable to the flaw. This is a serious flaw that affects IIS servers.
  • MS15-035 – Critical – EMF Image Code Execution Flaw – The graphics component Windows uses to handle images suffers from a flaw involving the way it parses Enhanced MetaFile (EMF) images. In short, if a bad guy can get you to view such an image—whether on a web site, in an email, and so forth—he can exploit this flaw to run code on your computer with your privileges.
  • MS15-036 – Critical – SharePoint Server XSS flaws – SharePoint suffers from two cross-site scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could.
  • MS15-037 – Important – Task Scheduler EoP Vulnerability – The Windows Task Scheduler suffers from an elevation of privilege flaw. If an attacker can log onto your Windows system with valid credentials (even underprivileged ones), she can run a program that exploits this flaw to gain complete control of the computer.
  • MS15-038 – Important – Two Windows EoP Vulnerabilities – Two other Windows components suffer from flaws like the Task Scheduler one above. Though they differ technically, an attack exploiting them has the same scope and impact. If an attacker can login and run a program, they can gain full SYSTEM privileges in Windows.
  • MS15-040 – Important – AD FS Information Disclosure – Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new users logs on, she might have access to application info from the previous user (similar to a flaw last year)
  • MS15-041 – Important – .NET Framework Information Disclosure Flaw – The .NET Framework suffers from a flaw that could unintentionally allow attackers to view some of your web applications configuration information. However, you’re only exposed if you configure detailed error messages on your web application (which you shouldn’t do on publicly exposed web applications).
  • MS15-042 – Important – Hyper-V DDoS Flaw – Hyper-V, Microsoft’s virtualization component, suffers from a denial of service (DoS) vulnerability. If an attacker can log into one of your virtual machines (VM) using legitimate credentials, he can run a malicious program that will cause all the VMs on the server to stop responding. Of course the attacker needs valid credentials, and access to the VM, in order to launch the attack.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB Microsoft IIS HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
  • FILE Microsoft Windows Graphics EMF Processing Remote Code Execution Vulnerability (CVE-2015-1645)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1652)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1668)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1667)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1666)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1665)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1662)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1661)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1660)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1659)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1657)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
  • FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-1650)
  • WEB Microsoft ASP.NET Information Disclosure Vulnerability (CVE-2015-1648)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

As an aside, Microsoft also released two new security advisories today, if you are interested in how Microsoft is improving their Public Key cryptography, or in learning about an SSL 3.0 issue, be sure to check their advisory page for those new updates. — Corey Nachreiner, CISSP (@SecAdept)

 

China’s Great Cannon – Daily Security Byte EP.65

Two weeks ago experts blamed China for a DDoS attack against Github. This week, researchers describe the Great Cannon tool that China allegedly uses for these sorts of attacks. Press play to learn more, and to hear how I think we should combat this threat.

 

(Episode Runtime: 2:30)

Direct YouTube Link: https://www.youtube.com/watch?v=stx9IRTcUBo

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,897 other followers