Category Archives: Constant Alertness

We are putting millions of dollars of library materials into the hands of people trained to believe that MP3s and everything else should be free. We give them all the late hours unsupervised. What is wrong with this picture?

You Think Your Computer System is Safe?

Backing up is important, and they were. It still took several months to get back up…and they were lucky at that. If one of the sites hadn’t been out with a power outage, they possibly would never have gotten back up. Lesson: The basic data of all the central routers also needs to be backed up.

They were using old versions of an OS…there are many reasons companies do this, usually because a piece of software hasn’t been written for updated versions of the OS…

Krack’d WPA2…and now, ROCA

The above video shows how a Man in the Middle attack is easily mounted against a user connected to the system, intercepting the data flow as if it weren’t encrypted. Although a properly set up website with HTTPS (SSL/TLS) encryption will still hide a user’s data, an improperly set up site will not protect the user.

It is possible that a user will go to a site, see that it is protected by the classic lock symbol appearing on the URL line of the browser, then get hacked while thinking they are securely passing credit cards, email addresses, passwords and other information. The video shows Match.co.uk being broken.

The discoverer of the attack says in his paper that the problem is a weakness in the WiFi standard itself, not any particular product. See: Breaking WPA2 by forcing nonce reuse

Updates will be required on all devices: routers, phones, portable computers, whether from Android or Apple or Samsung or Cisco or Belkin or Linksys or Debian or Ubuntu, or any of the chip suppliers like Broadcom, or… well, everyone. There is a site tracking information on these companies: https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

Other articles:

https://www.wordfence.com/blog/2017/10/krack-and-roca/?utm_source=list&utm_medium=email&utm_campaign=101617

https://www.schneier.com/blog/archives/2017/10/new_krack_attac.html

What is the good news? First, trusting a wifi network has always been hit or miss. A poorly set up system would allow me to break into your computer on the other side of the room…or at least have a chance of it. So, now more people will be wary.

Another good point is that equipment makers who do not get patches out quickly (I’m thinking of 3rd party Android phones from smaller suppliers, for example) are going to be known for the bad actors that they are.

Finally, I suppose it will get more of us onto VPN, where a good tunnel still works. Yahoo! more things to know…

=-=-=

There is another crack that just hit the public as well, this one called ROCA. It is a horror for the many who have relied on a particular key generator to provide the randomness needed when generating public keys.

We all know public key encryption, yes? The attack is on public key encryption. It is too detailed to make a simple summary article. But it is a condemnation of keeping things hidden as a method for security – what’s called “Security Through Obscurity”. When it is open and public, we can all see if there are hooks for the bad guys or the government (redundant?), or just plain errors, a lot sooner. Here is the detailed Ars Technica article about it:

Millions of high-security crypto keys crippled by newly discovered flaw

Autopsy of RSA Attack

From the Security Site at ITPRO

The RSA hack was months ago now, but the file and email which helped compromise the security giant have just been found.

By Tom Brewster, 26 Aug 2011 at 15:36

F-Secure believes it has discovered the file and the email which helped crack EMC’s security arm RSA, in what became one of the most famous hacks in history earlier this year.

 

Timo Hirvonen, an F-Secure analyst, doggedly pursued the XLS file used to hack RSA even after others had given up the chase. Hirvonen created a tool to analyse samples for a Flash object, which was used to exploit the target’s system.

“The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG),” an F-Secure blog read.

“When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls. After five months, we finally had the file. And not only that, we had the original email.”

The email which was sent to a single EMC employee, with two others CC’d in, was made to look like it came from Beyond.com, a career network.

The subject line read “2011 Recruitment plan” and the body copy contained just one line: “I forward this file to you for review. Please open and view it.”

Once the file was opened the Flash object was executed by Excel, using a vulnerability to write code on the victim’s machine and then drop a Poison Ivy backdoor to the system. Excel is then closed automatically and the infection is done.

What we think…

It’s clear the email which duped EMC was pretty simple. Certainly it would be inadvisable to trust an email which contains just a single line.

This only emphasises the need for further education amongst workforces about spear phishing. It seems even workers at security firms aren’t getting the message, which would be laughable if the connotations of the RSA hack weren’t so serious.

Tom Brewster, Senior Staff Writer

“After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time,” F-Secure said.

“Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.”

As F-Secure noted, the attack itself did not appear to be hugely sophisticated, although as the vulnerability was a zero-day there was no way RSA could have protected itself by patching.

“Was this an advanced attack? The email wasn’t advanced. The backdoor they dropped wasn’t advanced. But the exploit was advanced,” F-Secure added.

“And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated.”

The hackers who went after RSA wanted the company’s SecurID information so they could hit US Government contractors, including Lockheed Martin.

Following the Lockheed attacks, RSA offered token replacement for customers “with concentrated user bases typically focused on protecting intellectual property and corporate networks.”

Remote Access VPN Appliances Buyer’s Guide

 

To map your requirements to individual product capabilities and features, a VPN features guide can help. For example, see SP 800-113 Guide to SSL VPNs, published by the National Institute of Standards and Technology (NIST). Those seeking VPN appliances that also speak IPsec should also consult the older SP 800-77 Guide to IPsec VPNs. Below is a summary of the VPN features you’ll find covered in these guides.

  • Authentication: VPN security is based upon authentication — preferably mutual. SSL VPNs usually support many user authentication methods, including password, smart card, two-factor token, and certificate. Many IPsec VPNs use IKEv2 to support any method conveyed by the Extensible Authentication Protocol (EAP). Choose an appliance that supports your required authentication method(s) and integrates with your user database (e.g., Active Directory). Less common features to look for include single sign-on and roaming without re-authentication.
  • Encryption and integrity protection: Secure tunneling protocols like SSL, TLS, DTLS, and IPsec all use cryptography for message encryption, integrity, replay protection, and (sometimes) source authentication. The IPsec Encapsulating Security Protocol (ESP) is applied at Layer 3 to protect the entire IP packet; the others may be applied at Layer 3 or 4. Choose an appliance that satisfies your in-transit data protection policies, including cipher, certification, and interoperability requirements.
  • Access controls: Early VPN appliances tunneled all traffic from user to gateway or only traffic destined for private subnets (i.e., split tunneling). With SSL VPNs came increased granularity, including access to specified applications, URLs, or even actions (e.g., file read but not write). This continues to be an area of innovation; look for new features such as policies that transparently adapt for each user, based upon endpoint risk, compliance, or location, and group/role-based access controls.
  • Endpoint security controls: Varying access based on risk requires recognizing the endpoint, assessing its health, evaluating its compliance, or a combination thereof. For example, if access is attempted from a managed notebook, a “checker” may verify the endpoint has required OS patches and anti-malware. If access is attempted from a smartphone, these may not be possible — but the VPN can still look for an IT-installed “watermark.” This is another area of rapid innovation, both in OS breadth and depth of controls. For notebooks, consider advanced features such as data vaults. For mobile devices, look for server-side aids like fingerprinting.
  • Intrusion prevention: Pre-connect checks are helpful, but may not be enough. To reduce risk, VPNs can grant narrow access to riskier endpoints — or apply ongoing intrusion prevention to stop malware from riding secure tunnels. This is another area of differentiation between VPN products, as vendors scramble to integrate security offerings and drill deeper — especially into port 80 traffic to enforce per-application policies and block malicious activity. Features here run the gamut from mobile security agents to reputation-based web defenses, but beware of a la carte feature licenses that inflate TCO.
  • Manageability: This is an important characteristic for any product, but especially for remote access VPNs. Factors like purchase price, maintenance fees, installation effort, policy tuning, and routine maintenance all impact total cost of ownership (TCO), but enterprises with large workforces often cite managing users as their single-highest VPN cost.
  • High availability and scalability: Enterprise-class remote access VPN products offer high-availability and scalability options, such as hot-synced active/active load balanced gateways. Look not only at scalability and survivability, but also at licensing. For example, those deploying remote access VPN for disaster planning may want “burstable” or pay-as-you-go licenses.
  • Customization: Remote access VPNs often benefit from customization. This can range from organizing resource links on per-user/group portal pages to adding proxy VPN translations for proprietary applications. Especially for small mobile devices, look for aids like auto-display-adaptation and bookmarks to improve usability.

Product roll call

These are just some of the many features and capabilities found in contemporary remote access VPN appliances. Vendors in this market include Cisco Systems, Citrix Systems, Check Point, F5 Networks, Juniper Networks, and SonicWall (to name just a few).

To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several remote access VPN lines, including SonicWall’s Aventail E-Class SRA appliances, Cisco’s ASA 5500 Series appliances, and Juniper’s MAG Series JunOS Pulse Gateways. Stay tuned …

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed and tested network security products for nearly a decade.

Russian Scriptor Targeting Macs?

 

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

One might point out that these web-injects have supposedly been available for several months but they really haven’t been reported in the wild. 

Where to turn if one decides to go for a Mac anti-virus system? Not being ready to spend money on the yearly subscription that many packages charge, here are a few ‘free’ packages.

The Open Source choice is ClamXav. This package is maintained by long time stalwart Mark Allan who would appreciate a donation. The package will handle individual files, whole computers and networks. Comprehensive means large and possibly sometimes slow. But it isn’t pro-active – it only looks when you hit scan.

Another well-regarded package is Sophos Anti-Virus for Mac Home Edition (Free Antivirus for Mac). Smaller, faster, yet the home version will not cover networks.

PCTools | iAntivirus – This small package actively monitors for Mac malware, but that may be fine. I run PC AV software on my PC partitions.

That’s the end of free. None are bad; all are different, though both free products from commercial companies can be upgraded to pay-for packages.

VirusBarrier X6 for Mac OS X

Articles:

Antivirus Software On Your Mac: Yes or No?: Apple News, Tips and Reviews

Mac Security: Antivirus | Security | Macworld

PC Tools iAntiVirus 1.0 Antivirus & Security Software Review | Macworld

Best AntiVirus Software Review 2011 | AntiVirus Software Learning Center – TopTenREVIEWS

Update Everything Month! Software Vulnerability Records

Just glancing through the update literature we see that Windows had started the trend with a record number of patches, then Adobe got into the competition with several programs getting the ‘record number’ treatment. Opera thought that was good publicity and topped the 50 fixes line, then Java gave everyone a good run at the records. All in all, there have been other “Update Everything” months, but nothing like these last two weeks of October 2010.

Set aside the time, and if required, the task force to make certain that every computer in your operation that could ever be connected to any of your digital cinema systems, whether by USB key (moving a security key), or by network, has every piece of software checked for updates. Start with the major ones, especially those listed in this article: Ongoing Security–It’s “Update Everything Month”

Current Security Updates – 09/09

  • Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
  • High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
  • Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
  • Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have “High” impact because those are generally used to steal sensitive data intended for other sites.)

Fixed in Firefox 3.5.3
Critical: MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
Critical: MFSA 2009-49 TreeColumns dangling pointer vulnerability
Critical: MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)

Fixed in Firefox 3.5.2
Critical: MFSA 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
Critical: MFSA 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

Fixed in Firefox 3.5.1
Critical: MFSA 2009-41 Corrupt JIT state after deep return from native function
Critical: MFSA 2009-35 Crash and remote code execution during Flash player unloading

Fixed in Firefox 3.5
Critical: MFSA 2009-43 Heap overflow in certificate regexp parsing
Critical: MFSA 2009-42 Compromise of SSL-protected communication
MFSA 2009-40 Multiple cross origin wrapper bypasses
Critical: MFSA 2009-39 setTimeout loses XPCNativeWrappers
Critical: MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
Critical: MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
Critical: MFSA 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)

That’s a heap of Critical – Message is: Stay on top of Firefox. Stay on top of every freakin’ piece of software you have, for certainly, the blackhats are.


Nine patches for Microsoft’s next Patch Tuesday | IT PRO By Nicole Kobie, 7 Aug 2009 at 10:26

 

Microsoft will issue nine security patches next Tuesday, as part of its monthly patching cycle.

The majority affect various versions of Windows. Five are seen as critical by Microsoft, with the other three rated important. One critical patch also affects Client for Mac, while one of the important patches is for the .NET Framework.

The last bulletin is for a flaw in Microsoft Office’s Web Components, which was reported last month. The critical patch affects Microsoft Office, Visual Studio, ISA Server and BizTalk.

Paul Henry, security and forensic analyst at Lumension, said: “After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need next Tuesday is yet another large batch of patches from Microsoft.”

He warned that anyone using Microsoft’s ISA server should pay attention to this patch. “One of Microsoft’s security products, Internet Security and Acceleration (ISA) server, appears to have a hole that’s critical on all versions,” he said.

“Therefore, companies that are actively using this product as part of their security infrastructure will need to patch this vulnerability immediately.”

The patch will be delivered by autoupdate or be available to download on 11 August.

Microsoft issued a pair of out-of-band patches last week, to fix flaws in Internet Explorer and Visual Studio.

Apple updates Mac OS | IT PRO By Nicole Kobie, 6 Aug 2009 at 11:07

Apple has released the Mac OS X 10.5.8 update, patching a few issues in its Leopard operating system, one month before the new 10.6 Snow Leopard is expected to be released.

Aside from general stability issues, the update fixes problems with joining AirPort networks, monitor resolution settings and Bluetooth reliability with peripheral devices like printers. The update also fixes an error which slowed startup time and another which affected imports of large movie or photo files.

The Mac OS X 10.5.8 update includes the latest version of Safari and all recent security patches.

 

GarageBand 5.1 puts lid back on cookie jar – News – The H Security: News and features 6 August 2009

Apple has released an update for its GarageBand application, addressing a security issue that could allow third parties or advertisers to track a user’s web activity. When a user opens the GarageBand application, it automatically changes Safari’s security preferences to always accept cookies, rather than the default setting of “Only from sites I visit”.

The change means that users may no longer be blocking any third-party cookies which advertisers can use to track their online activity. [Read more data at H Security source material above.]

Naming trick opens mail servers – News – The H Security: News and features 6 August 2009

A number of Vietnamese spam sources are currently attracting attention because the spammers have equipped the relevant hosts with DNS pointer records called “localhost”. As a result, IP addresses like 123.27.3.81, 222.252.80.188 or 123.16.13.188 produce this name when a reverse look-up occurs. The problem is caused by badly configured Domain Name Systems, as “localhost” should generally translate to a single IP address – 127.0.0.1 …

Mail server operators must make sure they avoid falling victim to this trick. For example, they can make relays only available from local IP addresses and not identify clients by reverse look-up DNS names. Normal open relay tests don’t produce an alert in this case, because the test client usually isn’t called “localhost”. Several vulnerable mail servers have already been added to the iX blacklist. In addition to blacklisting, the operators of open relays potentially face having to pay damages to spam or malware recipients. [Read more data at H Security source material above.]
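To make the second recommendation concrete, here is an added example (not code from The H Security article or from any mail server product): a relay-authorization check that decides on the connecting address alone and only ever uses a forward-confirmed reverse-DNS name, so a forged PTR of “localhost” from an outside address buys nothing. The trusted networks and the DNS answers are constructed stand-ins; the three outside addresses are the ones the article quotes.

```python
"""
Added example (not from The H Security article): a relay-authorization check
that refuses to trust a bare reverse-DNS name such as "localhost".

Two defensive rules from the article are encoded:
  1. Relaying is permitted only for clients inside local (trusted) networks.
  2. A client's reverse-DNS name is never used as an identity; at most it is
     cross-checked (forward-confirmed) and a name that does not resolve back
     to the connecting address is ignored.

DNS answers are injected as plain dictionaries so the example runs offline;
the networks and records below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed trusted networks: only clients from these ranges may relay.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed stand-ins for DNS: PTR answers keyed by client IP, and A/AAAA
# answers keyed by host name. A real deployment would call the resolver.
PTR_RECORDS: Dict[str, str] = {
    "127.0.0.1": "localhost",
    "10.0.0.25": "mail01.corp.example",
    "123.27.3.81": "localhost",        # spammer-controlled PTR (from article)
    "222.252.80.188": "localhost",     # spammer-controlled PTR (from article)
    "123.16.13.188": "localhost",      # spammer-controlled PTR (from article)
}
FORWARD_RECORDS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "mail01.corp.example": ["10.0.0.25"],
}


def confirmed_hostname(client_ip: str) -> Optional[str]:
    """Return the client's PTR name only if it forward-resolves back to
    client_ip (forward-confirmed reverse DNS); otherwise return None."""
    name = PTR_RECORDS.get(client_ip)
    if name is None:
        return None
    if client_ip in FORWARD_RECORDS.get(name, []):
        return name
    return None


def relay_allowed(client_ip: str) -> bool:
    """Decide whether an SMTP client may relay mail to outside domains.

    Only the connecting address counts. The reverse-DNS name is deliberately
    not consulted here, so a forged PTR of "localhost" gains nothing.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify_client(client_ip: str) -> str:
    """Summarise what the relay would do with this client, for logging."""
    name = confirmed_hostname(client_ip)
    raw_ptr = PTR_RECORDS.get(client_ip)
    if relay_allowed(client_ip):
        return f"{client_ip}: relay permitted (trusted network)"
    if raw_ptr is not None and name is None:
        return f"{client_ip}: relay denied; unconfirmed PTR {raw_ptr!r} ignored"
    return f"{client_ip}: relay denied"


if __name__ == "__main__":
    for ip in ["127.0.0.1", "10.0.0.25", "123.27.3.81", "222.252.80.188"]:
        print(classify_client(ip))
```

An open-relay test from a client whose PTR really is “localhost” is the case this check is meant to survive: the decision never looks at the name.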

Firefox patches Black Hat SSL encryption vulnerability | IT PRO By Asavin Wattanajantra, 4 Aug 2009 at 11:23

Firefox has released version 3.5.2, a patch closing four critical vulnerabilities – one of which was a serious SSL encryption flaw discovered at the recent Black Hat conference in Las Vegas.

The flaw is described in more detail here, but as Mozilla said in an advisory, it basically meant that attackers could have obtained certificates that could intercept and alter encrypted information between client and server, such as bank account transactions.

The other three vulnerabilities were also critical. This meant that attackers could have taken advantage by running code and installing software on a user’s computer even if they were just browsing normally.

[Story is severely edited…see the original.]

Deadly pings for Cisco routers and switches

From a story at H Security: Deadly pings for Cisco routers and switches – News – The H Security: News and features

The command show np 2 stats can be used to determine whether the problem has previously occurred. If it has, the error message “ERROR: np_logger_query request for FP Stats failed” is returned. The vendor does not suggest a workaround, but has made updated versions of the FWSM software available in which the problem does not occur.

Notice in the comments:

Ok, this is just plain inaccurate.

I’m not sure who read the Cisco advisory because they did a pretty bad job at the interpretation:

1) First off, this isn’t a bug that “disables Cisco routers and switches”. This is specifically about the FIREWALL MODULE that can be installed on a 6500-switch or a 7600-series router. Just because the module is installed on the switch/router does not mean that the entire platform is affected/disabled. Please read up on modular switches/routers to understand what that means.

2) The vendor DOES suggest a workaround (albeit not to be carried out on the FWSM itself); it may not be the most elegant, but the workaround is to filter ICMP packets before they get to the FWSM. The edge router would be the most suitable candidate for that and applying this filter would prevent the malicious ICMP traffic in question from reaching the vulnerable FWSM.

See also:

[Editor] And now an update: 9 September – It seems there is a problem, and now a fix:

Cisco TCP stack vulnerable to DoS attacks – News – The H Security: News and features

9 September 2009, 12:52

Cisco TCP stack vulnerable to DoS attacks

Cisco has released a software update to fix a DoS vulnerability in a number of its products. An attacker can manipulate the state of an open TCP connection so that it never times out and remains connected indefinitely. According to Cisco, such connections hang in the FINWAIT1 state.

If an attacker can achieve this with a large number of connections, they will consume sufficient resources to prevent further connections to the system being established. A reboot is required to resolve the problem. Crashes may also occur.

Cisco IOS, IOS-XE, CatOS, ASA, PIX, NX-OS and Linksys products are all affected. Precise details of which systems are affected and which are not, can be found in the vendor’s own security advisory.

The problem is not new, but has been smouldering in the TCP stacks of a number of vendors for a while and is actually a bug in the TCP protocol itself. The problem was first reported by Robert E. Lee and Jack C. Louis from Outpost24 back in October. They used a special tool to demonstrate that a low bandwidth internet connection was able to knock a broadband server off the web. Vendors have been scrabbling around for a solution ever since.

Yesterday, Microsoft too released a patch to fix this problem. Checkpoint, Juniper and other vendors have also now reacted. The Finnish CERT has now finally released details of the problem and of the Sockstress tool used, and distributed to vendors, to test the issue.
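As an added example (not from the article, Cisco or Outpost24), here is a small detector for the symptom described: connections parked in FIN-WAIT-1 that never clear. It parses two snapshots in the layout of `ss -tan` output, counts FIN-WAIT-1 connections per peer, and reports peers whose stuck connections survive from one snapshot to the next. The snapshots and addresses are constructed, and the threshold is an assumption to tune for the host.

```python
"""
Added example (not from the article, Cisco or Outpost24): a detector for the
connection-exhaustion symptom described above, where a peer keeps many TCP
connections parked in FIN-WAIT-1 so they never time out.

It parses text in the layout of `ss -tan` (state, queues, local and peer
address:port), counts FIN-WAIT-1 connections per peer address, and flags peers
whose stuck connections are still present in a later snapshot. Both snapshots
are constructed; the addresses are documentation ranges, not real systems.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str]  # (tcp_state, peer_ip, peer_port)

# Constructed snapshot 1, in the layout of `ss -tan` output.
SNAPSHOT_1 = """\
State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN     0      128     0.0.0.0:443          0.0.0.0:*
ESTAB      0      0       192.0.2.10:443       198.51.100.7:51234
ESTAB      0      0       192.0.2.10:443       198.51.100.8:51235
TIME-WAIT  0      0       192.0.2.10:443       198.51.100.9:51236
FIN-WAIT-1 0      0       192.0.2.10:443       198.51.100.7:51237
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40001
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40002
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40003
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40004
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40005
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40006
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40007
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40008
"""

# Constructed snapshot 2, taken later: the ordinary FIN-WAIT-1 from
# 198.51.100.7 has cleared, the eight from 203.0.113.9 have not.
SNAPSHOT_2 = """\
State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN     0      128     0.0.0.0:443          0.0.0.0:*
ESTAB      0      0       192.0.2.10:443       198.51.100.7:51240
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40001
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40002
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40003
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40004
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40005
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40006
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40007
FIN-WAIT-1 0      0       192.0.2.10:443       203.0.113.9:40008
"""


def parse_ss(output: str) -> List[Row]:
    """Parse ss-style lines into (state, peer_ip, peer_port); skip the header."""
    rows: List[Row] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        # rsplit on the last colon keeps IPv6 peers such as "[2001:db8::1]:443" intact.
        peer_ip, peer_port = parts[4].rsplit(":", 1)
        rows.append((parts[0], peer_ip, peer_port))
    return rows


def finwait1_by_peer(rows: List[Row]) -> Dict[str, int]:
    """Count FIN-WAIT-1 connections per peer address in one snapshot."""
    return Counter(ip for state, ip, _ in rows if state == "FIN-WAIT-1")


def persistent_finwait1(earlier: List[Row], later: List[Row],
                        threshold: int = 5) -> List[Tuple[str, int]]:
    """Peers with at least `threshold` FIN-WAIT-1 connections (same peer
    ip:port) present in both snapshots, busiest first. A connection that
    never leaves FIN-WAIT-1 is the signature the article describes; one that
    clears between samples is ordinary traffic. Threshold is an assumption."""
    def stuck(rows: List[Row]) -> Set[Tuple[str, str]]:
        return {(ip, port) for state, ip, port in rows if state == "FIN-WAIT-1"}
    still_there = stuck(earlier) & stuck(later)
    per_peer = Counter(ip for ip, _ in still_there)
    return sorted(((ip, n) for ip, n in per_peer.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    print(persistent_finwait1(parse_ss(SNAPSHOT_1), parse_ss(SNAPSHOT_2)))
```

A single snapshot is not evidence on a busy server, where a handful of FIN-WAIT-1 sockets is normal; the persistence across samples is what distinguishes the never-timing-out case the article describes.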