Archive | April, 2011

Microsoft Black Tuesday: Major flaws in IE, SMB, and Windows DNS client

April’s humongous Microsoft Patch Day is live.

As expected, Microsoft released a record-breaking 17 security bulletins today, fixing nine Critical and eight Important flaws in Internet Explorer (IE), Windows, Office, and some development packages.

Some highlights from the bulletins include:

  • Updates for Windows’ SMB client and server. Trojans, bots, and worms tend to leverage these types of SMB flaws to self-propagate, so I consider the SMB updates a high priority.
  • A Windows DNS client vulnerability. An attacker on your network could send specially crafted DNS responses that allow him to gain control of your computer.
  • A GDI+ patch. A malicious image could allow an attacker to take control of your computer due to a flaw in a Windows image handling component.
  • And many more…

With so many Critical updates, it’s hard to say which to install first. I recommend you follow the priority recommended in Microsoft’s summary bulletin.

We’ll post more detailed alerts about these flaws, and how to fix them, shortly. Corey Nachreiner, CISSP

The “Privacy Bill of Rights” – A WatchGuard Perspective

“Whenever industry fails to self-regulate, government will fill the void with legislation.” You can quote me on that.

Currently, the security industry fights a war on many fronts. On one end of the spectrum, we have industry regulations, such as PCI DSS, which mandates how credit card/payment card information is secured. On the other end, we have government regulations, such as CIPA (Children’s Internet Protection Act) or HIPAA (Health Insurance Portability and Accountability Act), which regulate data protection for schools, libraries and health care providers.

Now, we face one of the largest government acts of its kind, the “Kerry Draft – Privacy Bill of Rights.” Although it is not law now, should it become law, businesses and consumers will see broad and sweeping changes to how consumer data is managed and protected.

Here are the key tenets of the Privacy Bill of Rights:

• Right to Security and Accountability
• Right to Notice and Individual Participation
• Right to Purpose Specification; Data Minimization; Constraints on Distribution; Data Integrity
• Voluntary Enforceable Codes of Conduct Safe Harbor Programs
• Co-Regulatory Safe Harbor Programs
• Application with other Federal Laws
• Development of Commerce Data Privacy Policy in the Department of Commerce

Obviously, this is a lot to digest for businesses and consumers. Here, I will break these points out in greater detail and provide in-depth analysis and commentary so that you can better understand the impact of this Act.

A year ago, Senators Kerry and McCain would have faced an uphill battle in pushing this legislation forward, but given the latest high-profile security fumbles (need I say Epsilon?), it follows that this Act may very well become the next big regulatory change for the industry. Stay tuned!

Prepare for a Record Breaking Microsoft Patch Day Tomorrow

I don’t know about you, but I really don’t like hearing “record breaking” and “Microsoft Patch Day” in the same sentence. Unfortunately, April’s Black Tuesday will be just that — a record-breaking patch day.

According to their Advanced Notification page, Microsoft plans to release an unprecedented 17 Security Bulletins tomorrow. The bulletins will fix security flaws in Windows, Office, and Internet Explorer (IE), as well as issues in some of Microsoft’s Server and Developer software. Microsoft rates more than half the bulletins (nine) as Critical, which typically means attackers can leverage them to execute code on your computer and gain control of it.

The quicker you can apply Microsoft’s patches, the better. Attackers take advantage of the “vulnerability window,” the period between when an attacker learns about a vulnerability and when you patch it. Attackers and security researchers often reverse engineer Microsoft’s patches to learn more about the underlying vulnerabilities they fix, so it’s not uncommon for exploit code to surface shortly after patch day. For this reason, I recommend you prepare your staff for a deluge of patches tomorrow, and do your best to test and apply them quickly, despite their great number.

I’ll know more about these bulletins tomorrow, and will publish alerts about them here. — Corey Nachreiner, CISSP

Richard Stiennon Interviews WatchGuard’s Aarrestad

Richard Stiennon, chief research analyst with IT-Harvest and industry luminary, talks with WatchGuard VP, Eric Aarrestad about the latest trends in IT security, UTMs, web-based threats, Application Control and more…

Interview with Eric Aarrestad, VP Marketing, WatchGuard from Richard Stiennon on Vimeo.

If you ever wanted to get an in-depth perspective on WatchGuard or wondered what industry analysts are asking about the company and its products, then this is a video for you.

Around the 11-minute mark, Richard asks Eric about WatchGuard’s platform, and one thing that Eric hits upon is how the company leverages the latest and greatest from Intel. Unlike other vendors who use old, proprietary chipsets, or “you-buy-cheap” silicon, WatchGuard values the solid reliability, consistency and enterprise-class performance gained by using Intel-based processors in its security appliances.

This is something that WatchGuard doesn’t make a lot of noise about, but it’s a great example of the little things that WatchGuard does right in moving security forward.

Security and Voice over IP

Today, WatchGuard announced that it is teaming up with Mitel to provide voice over IP (VoIP) protection for Mitel’s unified communications (UC) solutions. So, why does this matter?

It is expected that half of small-to-medium sized businesses and two-thirds of all enterprise organizations are using VoIP. Because of its ubiquity, VoIP has emerged as a substantive threat vector to businesses large and small worldwide.

The following are the leading threats to VoIP/UC networks:

  • Denial of Service (DoS) – Like DoS attacks on data networks, VoIP DoS attacks flood a target with packet streams, such as call requests and registrations, until VoIP services fail. These attacks often target SIP (Session Initiation Protocol) extensions, exhausting VoIP server resources and causing busy signals or disconnects.
  • Spam over Internet Telephony (SPIT) – Like the majority of e-mail spam, SPIT is generated by botnets of compromised systems that target millions of VoIP users. Like junk mail, SPIT messages can slow system performance, clog voicemail boxes and inhibit user productivity.
  • Voice Service Theft – VoIP service theft happens when an unauthorized user gains access to a VoIP network, usually by way of a valid user name and password, or gains physical access to a VoIP device, and initiates outbound calls. Often, these are international phone calls that take advantage of VoIP’s toll-bypass capabilities.
  • Registration Hijacking – In a SIP registration hijack, a hacker disables a valid user’s SIP registration and replaces it with a registration pointing at the hacker’s IP address. The hacker can then intercept that user’s incoming calls and reroute, replay or terminate them at will.
  • Eavesdropping – Like data packets, voice packets are subject to man-in-the-middle attacks in which a hacker spoofs the MAC addresses of two parties and forces their VoIP packets to flow through the hacker’s system. The hacker can then reassemble the voice packets and literally listen in on real-time conversations. Through this type of attack, hackers can also purloin all sorts of sensitive data, such as user names, passwords, and VoIP system information.
  • Directory Harvesting – VoIP directory harvesting occurs when attackers try to find valid VoIP addresses by “brute force.” When a hacker sends requests to thousands of guessed VoIP addresses in a particular VoIP domain, most of them “bounce back” as invalid; the ones that are not returned identify valid VoIP addresses. By harvesting the VoIP user directory, the hacker gains a new list of VoIP subscribers who become targets for other VoIP threats, such as SPIT or vishing attacks.
  • Vishing (Voice Phishing) – Vishing mimics traditional phishing: it attempts to get users to divulge personal and sensitive information, such as user names, account numbers and passwords. The trick works by spamming or “spitting” users and luring them into calling their “bank” or “service provider” to verify account information. Once valid user information is given, criminals are free to sell this data to others or, in many cases, to siphon funds directly from credit cards or bank accounts.
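As an added illustration (not code from the original post or from WatchGuard), here is the defender’s side of two of the threats above: a small Python pass over SIP registrar log lines that flags directory harvesting (one source probing many unknown extensions) and registration hijacking (an extension’s successful registration jumping to a new source address). The log line format, the addresses and the thresholds are constructed assumptions, not any product’s real format.

```python
import re
from collections import defaultdict

# Constructed SIP registrar log (the format is an assumption, not a real product's):
# <time> <method> <target AOR> from <source IP> contact=<URI> status=<SIP status>
SAMPLE_LOG = """\
10:00:01 REGISTER sip:1001@pbx.example from 198.51.100.10 contact=sip:1001@198.51.100.10 status=200
10:00:05 REGISTER sip:2000@pbx.example from 203.0.113.7 contact=sip:2000@203.0.113.7 status=404
10:00:05 REGISTER sip:2001@pbx.example from 203.0.113.7 contact=sip:2001@203.0.113.7 status=404
10:00:06 REGISTER sip:2002@pbx.example from 203.0.113.7 contact=sip:2002@203.0.113.7 status=404
10:00:06 REGISTER sip:2003@pbx.example from 203.0.113.7 contact=sip:2003@203.0.113.7 status=404
10:00:07 REGISTER sip:1001@pbx.example from 203.0.113.7 contact=sip:1001@203.0.113.7 status=401
10:00:09 REGISTER sip:1001@pbx.example from 203.0.113.7 contact=sip:1001@203.0.113.7 status=200
10:01:00 REGISTER sip:1002@pbx.example from 198.51.100.11 contact=sip:1002@198.51.100.11 status=200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) from (\S+) contact=(\S+) status=(\d{3})$")

def parse(log):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            time, method, aor, src, contact, status = m.groups()
            events.append({"time": time, "method": method, "aor": aor,
                           "src": src, "contact": contact, "status": int(status)})
    return events

def find_harvesters(events, threshold=3):
    """Directory harvesting: one source probing >= threshold distinct unknown users (404)."""
    unknown = defaultdict(set)
    for e in events:
        if e["method"] == "REGISTER" and e["status"] == 404:
            unknown[e["src"]].add(e["aor"])
    return {src: len(aors) for src, aors in unknown.items() if len(aors) >= threshold}

def find_hijacks(events):
    """Registration hijacking: a successful REGISTER re-binds an AOR from a new source.
    A roaming phone triggers this too, so confirm with the user rather than treat it as a verdict."""
    bound, alerts = {}, []
    for e in events:
        if e["method"] != "REGISTER" or e["status"] != 200:
            continue
        prev = bound.get(e["aor"])
        if prev is not None and prev != e["src"]:
            alerts.append((e["aor"], prev, e["src"]))
        bound[e["aor"]] = e["src"]
    return alerts
```

On the sample log this reports 203.0.113.7 as a harvester (four unknown extensions) and flags extension 1001 moving from 198.51.100.10 to 203.0.113.7 right after that same source was challenged with a 401.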

Why WatchGuard for VoIP and UC protection?

Easy. WatchGuard was the first UTM vendor to seamlessly integrate SIP and H.323 proxy technologies into its firewalls. This means IP voice packets can be just as secure as everything else on the network, which explains why Mitel and other VoIP and UC vendors trust WatchGuard to protect their systems.
