Security Protection – Harry Waldron MVP

Firefox – Latest Version fixes Pwn2Own and other security issues

The latest Firefox updates fix Pwn2Own and other recently discovered security issues

https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/

* 36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest
* No longer accept insecure RC4 ciphers whenever possible
* Phasing out Certificates with 1024-bit RSA Keys
* 36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest

EMAIL SPAM – Added text used to bypass spam filtering

The Internet Storm Center shares an interesting and humorous design found in a recent mass mailing: to bypass spam filters, a salad recipe was embedded within the spam message itself.

https://isc.sans.edu/forums/diary/Interesting+Home+Depot+Spam/19499/

At first glance it looks like yet another run of Home Depot Spam. It isn’t very sophisticated and isn’t likely to fool many.  The usual spelling mistakes and broken English. They didn’t even bother to link in Home Depot’s logo. By the time I received it both of the URLs in the message were dead, so I wasn’t able to measure what its intent was.  What makes it interesting then? If you look very carefully in the orange bar there is text.  That text and the contents of the message contain what seems to be a rather good recipe for lettuce salad:

* 1 tablespoons olive oil
* 1 1/2 tablespoons fresh lemon juice
* 1 tablespoon red wine vinegar
* 2 garlic cloves, minced
* 1 teaspoon dried oregano (Mediterranean is best)

Security Testing – 2015 Pwn2Own Hacking Competition

All browsers were compromised by expert security testers as documented below, and users should be on the lookout for updates in the coming weeks as vendors patch these vulnerabilities.

http://thehackernews.com/2015/03/browser-hacked-pwn2own.html

The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed “lokihardt,” who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.

During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers.  Sponsored by HP’s Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:

* 5 bugs in the Windows operating system
* 4 bugs in Internet Explorer 11
* 3 bugs in Mozilla Firefox
* 3 bugs in Adobe Reader
* 3 bugs in Adobe Flash
* 2 bugs in Apple Safari
* 1 bug in Google Chrome
* $557,500 USD bounty paid out to researchers

POS Malware – PoSeidon exports credit card data externally to attackers

This new malware attack is starting to circulate. It features a new capability to export data externally, so that attackers no longer need to log in locally to retrieve compromised credit card details.

http://blogs.cisco.com/security/talos/POSeidon

http://www.computerworld.com/article/2900310/new-malware-program-poseidon-targets-pointofsale-systems.html

Retailers beware: A new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that can then be abused by cybercriminals.  The new malware program has been dubbed PoSeidon by researchers from Cisco’s Security Solutions (CSS) team and, like most point-of-sale Trojans, it scans the RAM of infected terminals for unencrypted strings that match credit card information — a technique known as memory scraping.

This sensitive information is available in plain text in the memory of a PoS system while it’s being processed by the specialized merchant software running on the terminal. Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.

Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically. It also has defenses against reverse engineering. “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the CSS researchers said. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”

Smart Device Security – March 2015 Symantec research study

In an evaluation of 50 smart home devices, this Symantec research report reveals a number of security gaps that must be closed in the future.

http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf

The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.

To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.

All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.


HIGH-LEVEL SUMMARY OF KEY FINDINGS

1. Weak authentication – None of the devices used mutual authentication or enforced strong passwords

2. Web vulnerabilities – We found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection.

3. Local attack vulnerabilities – Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.

4. Potential for future attacks — Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.

Windows XP – Migration Considerations for Windows 7 or 8

Both Windows 7 and 8 provide advantages in terms of support, reliability, performance and improved security as noted below:

http://images.globalknowledge.com/wwwimages/whitepaperpdf/WP_MS_WhichWindows.pdf

This “Crossroads for Windows XP Users: Windows 7 or Windows 8?” white paper is sponsored by Global Knowledge. It explores the pros and cons of each option, including your options for staying with XP. The choices are basically to gut it out with XP for some period of time; transition to Windows 7 with the plan of skipping Windows 8; or transition to Windows 8 and wait and see what Windows 10 brings.

Penetration Testing – Wi-Fi security strength assessment tools

This article shares Penetration Testing techniques and tools for Wi-Fi networks to assess security controls for the router and wireless protocols being used.

http://www.pcmag.com/article2/0,2817,2477437,00.asp

How to Hack Wi-Fi Passwords

Your intentions when cracking a Wi-Fi password are no doubt noble—we trust you—so here’s how to do it.

Once you’re asked for a username/password, what do you do? Check your manual. Which you probably lost or threw away. So instead, go to RouterPasswords.com. The site exists for one reason: to tell people the default username/password on just about every router ever created.

Or, create a system just for this kind of thing, maybe dual-boot into a separate operating system that can do what’s called “penetration testing”—a form of offensive approach security, where you examine a network for any and all possible paths of breach.  Kali Linux is a Linux distribution built for just that purpose. You can run Kali Linux off a CD or USB key without even installing it to the hard drive.

Aircrack has been around for years.  It goes back to when Wi-Fi security was only based on WEP (Wired Equivalent Privacy).  WEP was weak even back in the day, and was supplanted in 2004 by WPA (Wi-Fi Protected Access).  The latest Aircrack-ng 1.2—labeled as a “set of tools for auditing wireless networks,” so it should be part of any network admin’s toolkit—will take on cracking WEP and WPA-PSK keys.

Cracking stronger WPA/WPA2 passwords and passphrases is the real trick these days. Reaver is the one tool that looks to be up to the task (and it’s part of the BackTrack Linux distro). You’ll need that command-line comfort again to work with it, or you’ll have to spend $65 for Reaver Pro, a hardware device that works with Windows and Mac. After two to 10 hours of trying brute force attacks, Reaver should be able to reveal a password… but it’s only going to work if the router you’re going after has both a strong signal and WPS (Wi-Fi Protected Setup) turned on.

Network Security – ISC and Microsoft document PtH attacks

The Internet Storm Center features a well-written awareness document for PtH attacks. Microsoft also has a centralized high-level resource that shares awareness & mitigating controls for this popular hacking attack to gain unauthorized access into vulnerable systems.

https://isc.sans.edu/forums/diary/Pass+the+hash/19479/

http://www.microsoft.com/pth

Passing the hash is a form of login credential theft that is quite prevalent. In it, an attacker captures the encoded session password (the “hash”) from one computer, and then re-uses it to illicitly access another computer. On (most configurations of) the Microsoft Windows operating system, this “hash” can be used as an equivalent stand-in for the original password, hence if an attacker obtains the “hash” of a privileged account, this has the exact same immediate consequences as when the attacker had gotten his hands on the password of same account.

One pre-requisite for PtH to work is that the attacker must obtain local administrator privileges on at least one computer in your organization. So, if you are still generously letting your users work and surf the web as “admin”, here’s one more reason to stop that. Another particularity of PtH is that whenever a higher privileged administrator logs on to a lower privileged device, he/she creates a privilege escalation opportunity for whoever controls that lower device. If you have some type of admin privileges in your windows AD domain, think about when you “RDP” into other devices to “check something out” or “fix something”. Doing so places your “hash” onto that device, and the hash can be harvested by someone with admin rights on that device, and re-used to impersonate you for as long as you do not change your associated password.

Sounds bad? Yup. Potentially, it is. Because what seems to be happening quite frequently is that attackers breach one single user workstation (through malware in drive-by web or email based attacks). Then, the attackers try to get admin privileges on that workstation. If the user already has local admin privs, they won, if not, they need to find some local exploit (missing patch, weak password, etc).  Once they ARE local admin, they extract all “hashes” that they can find locally on that workstation. With a bit of luck, some IT Helpdesk person who has admin privileges across ALL workstations in the firm had recently connected to that particular PC, and “left the hash” behind. Thus, the attacker ends up with admin privs across all workstations. Next step, find the workstation of a server or domain administrator, and hope to locate an even more privileged hash on there. If found: game over.  All of this can be and has been automated, and can happen in a matter of minutes.
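The two situations the ISC diary describes, a privileged helpdesk account "leaving its hash behind" on a workstation and the attacker then sweeping many workstations with that hash, both show up in Windows Security event 4624 (successful logon) records. The detection logic below is an added example, not part of the ISC diary or Microsoft's guidance; the event lines, the privileged account names and the "WS-" workstation naming convention are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4624 records, flattened to one line each:
# time|event|account|logon_type|auth_package|source_ip|target_host
# (made up for this example, not real logs). Logon type 10 = RDP, 2 = interactive, 3 = network.
SAMPLE_EVENTS = """\
2015-03-20T09:00:00|4624|helpdesk-admin|10|Negotiate|10.1.5.23|WS-0417
2015-03-20T09:02:10|4624|jsmith|2|Kerberos|-|WS-0417
2015-03-20T09:05:00|4624|jsmith|3|Kerberos|10.1.5.23|FILESRV01
2015-03-20T09:30:00|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0101
2015-03-20T09:30:04|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0102
2015-03-20T09:30:09|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0103
2015-03-20T09:30:15|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0104
2015-03-20T09:30:21|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0105
2015-03-20T09:30:27|4624|helpdesk-admin|3|NTLM|10.1.5.23|WS-0106
2015-03-20T14:00:00|4624|helpdesk-admin|3|NTLM|10.1.9.8|WS-0300
"""

PRIVILEGED = {"helpdesk-admin", "domain-admin"}  # assumed high-privilege accounts
WORKSTATION_PREFIX = "WS-"                        # assumed host naming convention

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, ev, acct, ltype, pkg, ip, host = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event": ev, "account": acct,
                       "logon_type": int(ltype), "package": pkg, "source_ip": ip, "host": host})
    return events

def exposed_admin_logons(events):
    """Privileged account logging on interactively (2) or over RDP (10) to a workstation:
    its hash is now cached on a lower-trust box (the 'left the hash behind' case)."""
    return [(e["time"], e["account"], e["host"]) for e in events
            if e["account"] in PRIVILEGED and e["logon_type"] in (2, 10)
            and e["host"].startswith(WORKSTATION_PREFIX)]

def ntlm_fanout(events, window=timedelta(minutes=5), threshold=5):
    """One account from one source IP making NTLM network logons (type 3) to at least
    `threshold` distinct hosts within `window`: the automated hash-reuse sweep."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["package"] == "NTLM":
            by_key[(e["account"], e["source_ip"])].append(e)
    alerts = []
    for (acct, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide the window over each start event
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                alerts.append((acct, ip, len(hosts)))
                break
    return alerts
```

The first rule is noisy by design: it is meant to be reviewed against an allowlist of sanctioned admin workstations rather than fired as a high-severity alert.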

Leadership – Importance of Effective Communications

This excellent leadership article from John Maxwell shares some of his favorite quotes regarding the importance of communications.

http://www.johnmaxwell.com/blog/good-words-on-communication

One subject where I have literally dozens of wonderful quotes is communication. It’s one of my passions, so I pay close attention to what great communicators have to say on the subject. Here are just a few of my favorite quotes on communication. I hope they inspire and encourage you if you’re trying to develop in that area.

Secretary of State EMAIL security weaknesses cited

As documented below, a few security concerns have surfaced regarding the special private email server solution. These findings document the need for robust encryption and email server best practices that are beneficial in protecting sensitive information. However, some basic protection was in place, and so far no security breaches have been reported with this special arrangement.

http://www.eweek.com/security/hillary-clintons-private-email-use-and-the-state-of-ssltls-security.html

Venafi’s analysis shows the certificates to all be domain-validated, as opposed to the more rigorously audited Extended Validation (EV-SSL) certificates that can also be used to secure servers. Looking at the underlying technology for the server, Bocek said that Clintonemail.com is running Microsoft’s Internet Information Server (IIS) 7 Web server for Web services. The server is not leveraging Perfect Forward Secrecy (PFS), which is an SSL/TLS server deployment option that provides new encryption keys for every connection session. After revelations of U.S. government snooping, multiple large Web properties, including Twitter, began to deploy Perfect Forward Secrecy in 2013 in an effort to harden security. Though Clinton’s server wasn’t using the most advanced forms of cryptographic protections for her email, at this time, there is no indication of current certificate misuse, Bocek said.
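Whether a server offers PFS is decided by the key-exchange part of its enabled cipher suites (ECDHE or DHE suites generate a fresh ephemeral key per session; plain RSA key exchange does not), and the same list shows whether legacy suites such as RC4, which the Firefox release above stops accepting, are still enabled. The audit routine below is an added example, not from eWeek, Venafi or any scan of the server discussed; the two suite lists are constructed in the IANA naming that Schannel/IIS uses and do not describe any real host.

```python
import re

# Constructed suite lists in IANA naming (made up for the example, not from a real server).
LEGACY_ORDER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",      # RSA key exchange: no forward secrecy
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",          # RC4 stream cipher, now rejected by browsers
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
HARDENED_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # ephemeral ECDH: forward secrecy
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

WEAK_BULK = ("RC4", "3DES", "DES", "NULL", "EXPORT")  # bulk ciphers to flag

def parse_suite(name):
    """Split an IANA suite name into key exchange, bulk cipher and MAC/PRF parts."""
    m = re.fullmatch(r"TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)", name)
    if not m:
        raise ValueError("not an IANA TLS suite name: %s" % name)
    kx = m.group("kx")
    bulk, mac = m.group("rest").rsplit("_", 1)   # e.g. AES_128_GCM / SHA256
    return {"name": name, "kx": kx, "bulk": bulk, "mac": mac,
            "pfs": kx.startswith(("ECDHE", "DHE")),
            "weak": any(tok in bulk for tok in WEAK_BULK)}

def audit(order):
    """Summarise an enabled-suite list the way a deployment review would report it."""
    suites = [parse_suite(s) for s in order]
    return {
        "offers_pfs": any(s["pfs"] for s in suites),
        "pfs_preferred": bool(suites) and suites[0]["pfs"],  # server order matters
        "weak_suites": [s["name"] for s in suites if s["weak"]],
        "rc4_enabled": any("RC4" in s["bulk"] for s in suites),
    }
```

Feed it the suite order exported from the server's configuration; a result with `offers_pfs` false or a non-empty `weak_suites` list is the finding the article describes.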

http://hotair.com/archives/2015/03/04/great-news-hillarys-e-mail-server-had-a-misconfigured-encryption-system/

However, when digital security consultant Alex McGeorge examined Clinton’s e-mail set-up this week he found it used a default encryption “certificate,” instead of one purchased specifically for Clinton’s service. Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. “It’s bewildering to me,” he said. “We should have a much better standard of security for the secretary of state.”

Using a scanning tool called Fierce that he developed, Robert Hansen, a web-application security specialist, found what he said were the addresses for Microsoft Outlook Web access server used by Clinton’s e-mail service, and the virtual private network used to download e-mail over an encrypted connection. If hackers located those links, they could search for weaknesses and intercept traffic, according to security experts.  Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.

That’s a little like buying software that comes with a default security password of “password” and then never changing it. This isn’t the first time this week that an expert’s claimed that Hillary’s e-mail set-up was insecure either. MKH noted last night that an IT person at the State Department had warned Hillary’s team that a private server wasn’t as secure as federal servers were.