#OpKKK – WSWiR Episode 130

Emergency Windows Patch, Malware Vs. Passwords, and #OpKKK

Nowadays, researchers, hackers, and the media bombard us with tons of information security (InfoSec) news each week. There’s so much that it’s hard to keep up, especially when it’s not your primary job. However, I believe everyone needs to be aware of the latest InfoSec threats. If you want to protect your network, follow our weekly video so I can quickly get you up to speed every Friday.

Today’s episode covers a critical out-of-cycle Microsoft patch, talks about the latest updates to a nasty piece of mobile malware, and explores the ethical issues surrounding a recent Anonymous attack campaign, Operation KKK. Press play for the details, and see the references below for more stories.

As an aside, after shooting this week’s video, I learned attackers may have stolen a bunch of passwords from many popular online services. It may be a hoax, but if you use Windows Live, PSN, or 2K Games, you should probably change your password… just to be safe. Have a great weekend!

(Episode Runtime: 10:44)

Direct YouTube Link: https://www.youtube.com/watch?v=XUsqxsHvVZc

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Latest Dimension 1.3 Update Improves Performance and Security

WatchGuard Dimension™ has been gaining rapid market adoption since it was first launched in late 2013. Customers have used the network security visibility tool to monitor their networks and gain critical and timely insight into security threats, bandwidth and Internet usage, and related traffic trends. The latest release of WatchGuard Dimension, Version 1.3 Update 1, is available now.

Release Highlights
Version 1.3 Update 1 includes SSL vulnerability mitigation (in response to the recent POODLE vulnerability), critical bug fixes, and minor feature enhancements that improve the efficiency, performance, and reliability of Dimension. For more information, please see the Enhancements and Resolved Issues section in the Release Notes.

Additional details about this release, including instructions for upgrade from previous versions of Dimension, can be found in Release Notes. Please review carefully before installing and trying out the new features.

If you are interested in installing Dimension in the Amazon Cloud, please contact WatchGuard Technical Support by logging in to http://www.watchguard.com/support and opening a technical support case.

Does This Release Pertain to Me?
This release applies to all Dimension users. Before you upgrade, read the Release Notes carefully to understand what’s involved, and pay special attention to the upgrade section.

How Do I Get this Release?
WatchGuard appliance owners with LiveSecurity can download the latest version of Dimension here, or by visiting software.watchguard.com and selecting Dimension from the first drop down menu. Remember to read the Release Notes for installation instructions.

If you need support, create a support case online or call our support staff directly. When you contact Technical Support, be sure to have your registered Product Serial Number or Partner ID available.

  • Authorized WatchGuard Resellers: +1.206.521.8375

Grab Microsoft’s Out-of-Cycle Kerberos Patch

During last week’s Microsoft Patch Day, I pointed out that Microsoft had delayed two of the expected bulletins. This week, they released one of those delayed updates and rated it Critical.

According to the MS14-068 Security Bulletin, Windows Kerberos suffers from an elevation of privilege flaw that could allow attackers to gain full control of your entire domain. Kerberos is one of the authentication protocols used by Windows Server, and the Kerberos Key Distribution Center (KDC), which runs on every domain controller, is the network service that issues Kerberos “tickets.” Unfortunately, the Windows KDC does not properly validate the signatures on the tickets it receives, which allows an authenticated domain user to gain full domain administrator privileges simply by sending maliciously forged tickets to your KDC. The good news is, an attacker needs valid domain login credentials and local network access to leverage this flaw. The bad news is, if they can exploit it, they essentially gain easy access to ALL your Windows machines. This is a great flaw for advanced attackers: if they can pwn even one of your least privileged users, they can leverage it to gain full control of your Windows domain and move laterally throughout your network with ease. I consider this a pretty serious issue.

I recommend you patch your Windows Servers, and especially your Active Directory domain controllers (where the KDC runs), as soon as possible. Check out the Affected Software section of Microsoft’s bulletin for patch details. Though I recommend you update quickly, your authentication servers are critical network components, so I highly recommend you test this update on a non-production server first to make sure it doesn’t cause any unexpected problems. — Corey Nachreiner, CISSP (@SecAdept)

Four Tips to Fight Malware on Black Friday and Cyber Monday

Black Friday and Cyber Monday continue to be spectacles. Brick and mortar stores are now opening on Thanksgiving Day, and Cyber Monday deals are extending through the following week. Amazon.com is getting into the game even earlier, declaring November 1 as the new official start of the holiday shopping season. As these holiday shopping deals begin to appear, more and more workers are shopping online while connected to corporate networks. This puts them at risk to find more than just holiday deals on the web – many will fall victim to holiday malware.

It’s no secret that malware is a growing concern for corporate networks, and increased non-business traffic during the holiday shopping season compounds the issue – especially as major deals and discounts become competitive. The result creates an ideal environment for email and web-based phishing attacks that lead directly to malware.

A prime example is the rise in FedEx and UPS email phishing attempts during the holiday season. We’ve all seen the emails. “Your package has shipped. Click here for tracking information.” Only, the link doesn’t lead to FedEx or UPS – it leads to malware. These email phishing attempts are prevalent enough that FedEx and UPS both now offer samples of the latest attacks for consumer awareness.

It’s no surprise that security threats increase dramatically during the holiday season and are planned to coincide with Black Friday ads and Cyber Monday shopping. Will your security controls and protocols be ready? To help prepare, keep these four tips in mind:

1 – Signature-Based Antimalware May Not Be Enough

Attackers today morph their malware regularly so that the same threat can repeatedly get past signature-based antivirus and antimalware solutions. WatchGuard still recommends you use antivirus and antimalware as a layer of defense against known malware. But you also need modern antimalware solutions that can catch botnets, Trojans and worms that have never been seen before (without waiting for new signatures). Consider sandbox or payload analysis solutions like WatchGuard’s APT Blocker.

2 – Change Control Lockdown

Many organizations are locking down their change controls even further during Black Friday, Cyber Monday and throughout the holiday season. Some even hold out until February 14 and the Valentine’s Day rush. Reviewing your configuration and making necessary changes now can put you in a better position to handle any malware issues – or even prevent them from happening in the first place.

3 – Block Malware Control Connections

Even if you have great technical defenses, advanced threats can find a way to walk right through them. You need security solutions that can detect malware that has breached your perimeter – tools that can monitor outgoing traffic for malware connections to command and control channels. WatchGuard’s WebBlocker, for example, can prevent advanced malware, botnets, Trojans and worms from reaching their control servers. The result can defang these potentially dangerous threats even after they’ve reached your organization’s computers and network.

Also be sure to review your firewall security policies to find any unexpected traffic leaking through policies. PolicyMap in WatchGuard Dimension provides a quick and easy visual of policy use (and effectiveness) on your network.

4 – Stay Up-to-Date

Review and update your security policies frequently. Security threats appear and evolve rapidly, and malware is particularly slippery during the holiday season. You need to stay up-to-date on the latest breaches, fixes and patches. We provide a weekly overview on our blog. Subscribe to receive email updates and you’ll receive each update in your inbox.

Make sure your workforce can make the most out of Black Friday and Cyber Monday without jeopardizing critical network systems and data. Malware is a gift that no one should receive.

DarkHotel & iOS Masque – WSWiR Episode 129

MS Patch Day, DarkHotel, and iOS Masque

Too much Information Security (InfoSec) news, too little time? I sometimes feel the same way. If you don’t have time to keep up yourself, why not watch our weekly InfoSec video to catch the highlights.

This week, I share the highlights from Microsoft Patch Day, talk about a targeted attack preying on executives in hotels, and warn of a new vulnerability that affects anyone with an iPhone or iPad. Click play below to learn all about it, and check out other stories from the week in the Extras section below.

Stay vigilant online and enjoy your weekend!

(Episode Runtime: 12:39)

Direct YouTube Link: https://www.youtube.com/watch?v=MwxEksw3j-Q

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Latest Flash Update Plugs 18 Security Holes

Do you watch a lot of online video or play interactive web games? Perhaps your organization uses rich, interactive web-based business applications? In either case, you’ve probably installed Adobe Flash, along with the 500 million other device holders who use it. If so, you had better update Flash as soon as you can.

During Microsoft Patch Day, Adobe released a security bulletin describing 18 vulnerabilities in the popular rich media web plug-in. There’s no point in covering the flaws individually, as the majority of them share the same scope and impact. In short, most of the flaws involve memory corruption issues that a smart attacker could leverage to execute code on your PC. The attacker would only have to entice you to a web site containing malicious code. In other words, most of them help attackers set up drive-by download attacks.

Though it doesn’t appear attackers are exploiting any of these flaws in the wild yet, Adobe rates their severity as “Priority 1” for Windows and Mac users. This means you should patch within 72 hours. If you use Flash, go get the latest version, and check out Adobe’s security bulletin if you’d like more details. — Corey Nachreiner, CISSP (@SecAdept)

Fujitsu Fsas Selects WatchGuard Appliances for its Managed Security Services in Japan

WatchGuard Technologies continues to add key partnerships across the globe, including the most recent announcement that Fujitsu Fsas, the leading IT and technical support services provider in Japan, is now integrating WatchGuard NGFW/UTM appliances into its managed security services.

Managed security solutions are gaining popularity as the volume and complexity of security threats continue to grow – especially among small-to-midsized and distributed enterprise environments. According to Shirou Ohtsubo, senior vice president of Fujitsu Fsas’ Service Business Unit, the rising popularity of managed security services has a lot to do with the realities of increased cloud adoption and multiple network access points.

“IT systems are transitioning to the cloud, intensifying the need for network access from a variety of applications and locations,” explained Ohtsubo-san. “At the same time, advanced persistent threats are causing increased damage. It’s vital that companies prevent these types of intrusions and threats across their network access points and inbound traffic.”

Integrating WatchGuard’s NGFW/UTM appliances with Fujitsu Fsas services strengthens the security gateway with the latest security technology and features, including advanced threat protection and network segmentation. It also allows Fujitsu Fsas to use WatchGuard System Manager to seamlessly manage its customer deployments.

“Our alliance with WatchGuard provides security appliances and operation management software that protects against these intrusions and threats,” continued Ohtsubo-san. “Their products complement our services and enable us to provide more granular and powerful security solutions to our customers.”

WatchGuard will continue to grow its partnership with Fujitsu Fsas and maximize customer value for deeper levels of network security. Appliances are now available as part of Fujitsu Fsas services, and the company will soon be selling standalone WatchGuard NGFW/UTM appliances.

Microsoft Delivers a Pile of Security Updates – Patch Day Nov. 2014

Microsoft’s monthly Patch Day went live on Tuesday, delivering a substantial pile of security updates to Microsoft administrators. As mentioned in last week’s video, we expected 16 security bulletins. However, Microsoft held back two for unspecified reasons. Even without those missing bulletins, this is a pretty big Patch Day. If you manage Microsoft networks, you’ll want to apply these updates as soon as you can. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s November Patch Day Summary page for more details.

By the Numbers:

On Tuesday, Microsoft released 14 security bulletins, fixing a total of 33 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • the .NET Framework,
  • and SharePoint Server.

They rate four bulletins as Critical, eight as Important, and two as Moderate.

Patch Day Highlights:

You should definitely patch the Critical flaws first. The OLE, IE, Schannel, and XML vulnerabilities are all pretty serious; install those updates immediately if you can. The overall theme this month is web-based threats. Though many of these vulnerabilities affect components you may not associate with web browsing, attackers can leverage many of them by enticing you to a web page hosting malicious code. Drive-by downloads have become one of the primary ways attackers silently deliver malware to your end users, so you should patch any flaw that helps support a drive-by download as quickly as you can. Also note, the OLE update poses a particularly high risk as attackers have already been exploiting it in the wild (related to SandWorm). The Schannel vulnerability, which some are calling “WinShock,” is also pretty concerning: it can be triggered by crafted network packets, so it puts at risk any Microsoft servers you expose to the Internet (primarily web and email servers). Patch the OLE and Schannel flaws first, and follow quickly with the IE one.

As an aside, the Enhanced Mitigation Experience Toolkit (EMET) is a package that makes it much harder for bad guys to exploit memory-based vulnerabilities. Microsoft released a new version (5.1) of EMET on Monday. If you don’t use EMET yet, consider it; and if you do, update.

Quick Bulletin Summary:

We summarize November’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-064 – Critical – Windows OLE Remote Code Execution Flaw – Windows’ Object Linking and Embedding (OLE) suffers from two flaws that attackers could exploit to execute code on users’ computers, if those users interact with malicious documents or visit websites containing embedded malicious documents. Attackers have been exploiting these zero day flaws in the wild.
  • MS14-066 – Critical – Schannel Remote Code Execution Vulnerability – Secure Channel (Schannel), the security package that implements SSL/TLS in Windows, suffers from a remote code execution flaw that attackers can exploit simply by sending specially crafted packets to your computer.
  • MS14-065 – Critical – Cumulative Internet Explorer update fixes 17 vulnerabilities – This update fixes remote code execution (RCE), elevation of privilege (EoP), information disclosure, and security bypass vulnerabilities. The RCE flaws pose the most risk as attackers often leverage them in drive-by download attacks, where simply visiting the wrong website could result in malware silently downloading and installing on your computer.
  • MS14-067 – Critical – XML Core Services Remote Code Execution Flaw – If attackers can entice you to a malicious website, or to a booby-trapped legitimate website, they can exploit this Microsoft XML Core Services (MSXML) vulnerability to silently install malware on your computer.
  • MS14-069 – Important – Pair of Office Code Execution Flaws – Office, specifically Word, suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious documents.
  • MS14-070 – Important – Windows TCP/IP Elevation of Privilege Flaw – The Windows TCP/IP stack suffers from an EoP vulnerability. Despite the fact that the flaw affects a network component, attackers can only exploit it locally by running a malicious program, which significantly lessens its severity.
  • MS14-071 – Important – Windows Audio Service Elevation of Privilege Flaw – This flaw has the same scope and impact as the local EoP flaw above, only it affects Windows’ Audio Service.
  • MS14-072 – Important – .NET Framework Elevation of Privilege Flaw – The .NET Remoting functionality of the .NET Framework suffers from a remote EoP vulnerability. By sending specially crafted data to a server that uses the .NET Remoting feature, an attacker could gain full control of that server. The good news is, according to Microsoft, .NET Remoting is not widely used.
  • MS14-073 – Important – SharePoint Foundation Elevation of Privilege Flaw – Though Microsoft doesn’t describe it this way, this vulnerability sounds like a cross-site scripting (XSS) flaw. If an attacker can lure you to a website with malicious code, or get you to click a link, he could do things on your SharePoint server as though he were you.
  • MS14-076 – Important – IIS Security Bypass – Microsoft’s web server, IIS, has a feature that allows administrators to restrict access to web resources by IP address. Unfortunately, it suffers from a flaw that attackers can leverage to bypass this access restriction. The flaw only affects you if you use this feature.
  • MS14-074 – Important – Remote Desktop Protocol Security Bypass – In short, the Remote Desktop Protocol (RDP) doesn’t properly log failed login attempts, meaning you may not notice when attackers repeatedly guess passwords.
  • MS14-077 – Important – ADFS Information Disclosure Flaw – Active Directory Federation Services (AD FS) doesn’t fully log off users. If a new user logs on, she might have access to application info from the previous user.
  • MS14-078 – Moderate – Japanese IME Elevation of Privilege Flaw – If you use a Windows system that supports Japanese character input, and an attacker can get you to open a malicious file, the attacker can run code with your privileges. This flaw only affects systems with Japanese character support installed, but it has been exploited in the wild in limited attacks.
  • MS14-079 – Moderate – Kernel-mode Driver DoS Flaw – The kernel-mode driver suffers from a Denial of Service (DoS) flaw having to do with how it handles TrueType fonts. If an attacker can get you to view a malicious font, perhaps by getting you to visit a website, he can exploit this to cause your system to crash or stop responding.
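
The MS14-074 bullet above is a reminder that password guessing over RDP only gets noticed if someone looks at the failed-logon events. The following PowerShell is an added example, not code from this post or from Microsoft: it groups Security event 4625 records by source address and reports any address that exceeds a failure threshold. The event field names (TargetUserName, IpAddress, LogonType) are the ones Windows writes for event 4625; logon type 10 is an RDP (RemoteInteractive) logon, and with Network Level Authentication enabled a failure can instead be recorded as logon type 3, so both are counted. The host names, addresses, user names and threshold in the demonstration are constructed.

```powershell
# Added example (not from the WatchGuard post or Microsoft): spot repeated failed
# logons per source address from Security event 4625, so RDP password guessing
# stands out in the log even when it never succeeds.

function Find-LogonGuessing {
    param(
        # Flat records with TimeCreated, SourceIp, TargetUser and LogonType.
        [Parameter(Mandatory)][object[]]$Events,
        # Failures from one address before that address is reported.
        [int]$Threshold = 5
    )
    $Events |
        Where-Object { @(3, 10) -contains $_.LogonType } |   # RDP, or RDP behind NLA
        Group-Object -Property SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object -Property TimeCreated)
            [pscustomobject]@{
                SourceIp = $_.Name
                Failures = $_.Count
                Users    = ($ordered.TargetUser | Sort-Object -Unique) -join ','
                First    = $ordered[0].TimeCreated
                Last     = $ordered[-1].TimeCreated
            }
        }
}

# Flatten a live 4625 record from Get-WinEvent into the shape above.
function ConvertFrom-Event4625 {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]($Record.ToXml())).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            SourceIp    = $data['IpAddress']
            TargetUser  = $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
        }
    }
}

# --- Offline demonstration with constructed events (assumed addresses/users) ---
$t0 = Get-Date '2014-11-14 02:00:00'
$constructed = foreach ($i in 0..7) {
    # eight RDP failures in 24 seconds from one address: password guessing
    [pscustomobject]@{
        TimeCreated = $t0.AddSeconds($i * 3)
        SourceIp    = '203.0.113.9'
        TargetUser  = 'administrator'
        LogonType   = 10
    }
}
$constructed += [pscustomobject]@{
    # a single mistyped password from a workstation: stays below the threshold
    TimeCreated = $t0.AddMinutes(5)
    SourceIp    = '192.0.2.25'
    TargetUser  = 'alice'
    LogonType   = 10
}
Find-LogonGuessing -Events $constructed -Threshold 5 | Format-Table -AutoSize
# Lists 203.0.113.9 with 8 failures against 'administrator'; 192.0.2.25 is not listed.

# --- Live use on the server (run elevated; reads the Security log) ---
# $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
#               StartTime = (Get-Date).AddHours(-24) } | ConvertFrom-Event4625
# Find-LogonGuessing -Events $recent -Threshold 20 | Format-Table -AutoSize
```

Pick the threshold to suit the server: a handful of failures from one address in a day is a user mistyping, dozens in a few minutes is a dictionary attack. Note that the source address is only meaningful if the server is reached directly; behind a NAT gateway or an RDP gateway every attempt carries the same address.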

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as soon as possible, and leave the Moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download November’s full Security Update ISO – Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day.
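
Whichever of the three routes you use, you still need to confirm that the updates actually landed, on your domain controllers above all, given the MS14-068 Kerberos fix discussed earlier on this page. The PowerShell below is an added example, not code from this post or from Microsoft: it compares the hotfixes installed on each host (as reported by Get-HotFix) against a list of required KB numbers and prints what is missing. KB3011780 is the MS14-068 update and KB2992611 is the MS14-066 Schannel update; take further KB numbers from the individual bulletins, because Get-HotFix reports the installed package’s KB, which for some bulletins (MS14-064, for instance) differs from the bulletin’s own KB number. The host names and the sample hotfix lists in the demonstration are constructed.

```powershell
# Added example (not from the WatchGuard post or Microsoft): report which required
# security updates are missing from a set of Windows hosts.

function Get-UpdateStatus {
    param(
        # Host the list came from, for reporting only.
        [Parameter(Mandatory)][string]$ComputerName,
        # HotFixID values as returned by (Get-HotFix).HotFixID.
        [AllowEmptyCollection()][string[]]$Installed,
        # KB numbers that must be present.
        [Parameter(Mandatory)][string[]]$Required
    )
    # Normalise case so 'kb3011780' and 'KB3011780' compare equal.
    $have = @($Installed | Where-Object { $_ } | ForEach-Object { "$_".ToUpper() })
    foreach ($kb in $Required) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            KB           = $kb.ToUpper()
            Installed    = ($have -contains $kb.ToUpper())
        }
    }
}

function Find-UnpatchedHost {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$Required,
        # Source of installed hotfix IDs for a host. The default queries the live
        # machine over WMI; a replacement scriptblock lets the logic run offline.
        [scriptblock]$HotFixSource = {
            param($c) (Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID
        }
    )
    foreach ($c in $ComputerName) {
        try {
            $installed = & $HotFixSource $c
        } catch {
            # An unreachable host is reported rather than silently skipped:
            # a box you cannot inventory is a box you cannot call patched.
            [pscustomobject]@{ ComputerName = $c; KB = '(unreachable)'; Installed = $false }
            continue
        }
        Get-UpdateStatus -ComputerName $c -Installed $installed -Required $Required |
            Where-Object { -not $_.Installed }
    }
}

# KBs this check insists on: MS14-068 (Kerberos KDC) and MS14-066 (Schannel).
$RequiredKb = @('KB3011780', 'KB2992611')

# --- Offline demonstration with constructed hotfix lists (assumed host names) ---
$sample = @{
    'DC1.corp.example' = @('KB2992611', 'KB3011780')   # fully patched
    'DC2.corp.example' = @('KB2992611')                # still missing MS14-068
}
$offlineSource = { param($c) $sample[$c] }.GetNewClosure()
Find-UnpatchedHost -ComputerName @($sample.Keys) -Required $RequiredKb -HotFixSource $offlineSource |
    Format-Table -AutoSize
# Reports DC2.corp.example missing KB3011780; DC1.corp.example produces no rows.

# --- Live use (requires the ActiveDirectory RSAT module and admin rights) ---
# $dcs = (Get-ADDomainController -Filter *).HostName
# Find-UnpatchedHost -ComputerName $dcs -Required $RequiredKb | Format-Table -AutoSize
```

Run the live form from a management workstation after your maintenance window closes, and keep the required list in one place so the same run covers both the out-of-cycle Kerberos fix and the Critical November bulletins.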

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353)
  • EXPLOIT Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346)
  • WEB-CLIENT Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341)
  • WEB-ACTIVEX Microsoft Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337)
  • WEB Exchange URL Redirection Vulnerability (CVE-2014-6336)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143)
  • WEB-CLIENT Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323)
  • WEB-CLIENT Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
  • FILE Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333)
  • FILE Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334)
  • FILE Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

WireLurker – WSWiR Episode 128

Mega Patch Day, Password Hijack, and WireLurker

What new security updates do I need? Are attackers exploiting new zero day attacks that affect me? Should I be concerned with any new attack campaigns? What can I learn from the latest network breaches? If you’ve asked yourself these questions, but don’t have time to find the answers, this is the weekly video for you. In it, I summarize the biggest security news from the week and explore what we might learn from it.

Today’s episode talks about the upcoming humongous Microsoft Patch day, explores a password hijack that succeeded despite good security practices, and covers two major threats that affect Apple’s OS X and iOS devices. Watch the video for details, and check out the links below for other interesting stories.

Have a safe and fun weekend!

(Episode Runtime: 11:20)

Direct YouTube Link: https://www.youtube.com/watch?v=PXJ1t23K5hY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)