Computer News & Safety – Harry Waldron

July, 2018:

Microsoft Edge – New W3C WEBAUTH security support in latest preview

Microsoft Edge is offering support for the new W3C “Web Authentication” standard as an alternative to passwords in its latest “beta” build.

Microsoft announced on Monday that its Microsoft Edge browser now supports the Web Authentication spec at the preview stage, enabling the testing of an alternative means of carrying out user authentications besides passwords.

The Web Authentication spec is a standard for the use of public key cryptography in credentials being developed by the Fast IDentity Online (FIDO) Alliance industry coalition and the Worldwide Web Consortium (W3C) organization. Currently, the Web Authentication spec is at the W3C’s “Candidate Recommendation” stage, meaning that it’s considered stable and is one step away from being a W3C “Recommendation” and ready for implementation.

The aim of the spec is to move away from using passwords for user authentications, which is conceived as problematic because passwords are subject to information disclosure and phishing attacks. Instead, user identities get verified by a fingerprint reader, a face scan or a personal ID number. A so-called FIDO 2.0 “companion device” may be used in the process, such as a wristband with near-field communication capabilities, a card swipe or a USB drive.

Security – HP offers bounty program to better protect printing

While printing may not seem like a major security risk, there have been occasional past vulnerabilities & malware exploits. As the “Internet of Things” further develops, printers are adding more “smart” device capabilities to phone home to the vendor or corporate ADMIN team when needs surface. HP is offering up to $10,000 to researchers who can find vulnerabilities & disclose them privately — to further improve printer security controls.

HP isn’t asking people to smash its printers to pieces, but the company is willing to pay people to break its software apart. On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to hackers who can find vulnerabilities on its machines.

Bug bounties are a common way for companies to find security flaws, with payouts as high as $100,000 for serious vulnerabilities. Hackers have been able to make a full-time job breaking software and reporting bugs before the vulnerabilities are used maliciously. Companies such as Google and Facebook have turned to bug bounties as a way to bolster their security.

HP quietly started its program in May with 34 researchers signing up. It has already paid $10,000 to a hacker who found a serious flaw with its printers, Shivaun Albright, the company’s chief technologist for printer security, said in an interview last week. The company is focused on printer security because of the vulnerabilities of internet of things devices, she said. While there’s a heavy focus on connected devices and their security flaws, it’s often on web cameras, smart televisions or lightbulbs, not printers, Albright said.

Security – W3C Web Authentication alternative to passwords

The W3C standards committee has developed a new Web Authentication alternative to passwords where users are pre-registered & later verified using FIDO approved devices such as biometrics, one-time PIN from smartphone, etc.

Web Authentication — API for accessing Public Key Credentials

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and associated by a Relying Party with the present user’s account (the account MAY already exist or MAY be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.

Leadership – ROI based training for development in next decade JULY 2018

The John Maxwell leadership training center shares value of adding an ROI to their leadership development programs to further enhance the future health of their organizations.

Every successful business trains its employees. But how is this leadership development measured? Is it measured at all? Attaching an ROI to leadership development is critical to building better teams, enhancing effectiveness, and boosting the bottom line. Our Organizational Effectiveness Survey (OES) asks pointed, pre-engagement questions that uncover key data insights related to:

1. Overall Health of Culture: Does your company have a leadership culture focused on change, improvement and optimization?

2. Willingness to Change and Improve: Are your leaders transforming skilled people into engaged employees; are these employees willing to follow your leaders?

3. Employee Engagement: Are your employees committed to their work and organization in a way that drives consistent productivity?

4. Customer Satisfaction: How important is customer care and the customer experience to your organization’s leadership team?

WHY MEASURE LEADERSHIP EFFECTIVENESS? — Executive coaching is an impactful way to assess and improve the effectiveness of an organization. According to a study published by the Center for Creative Leadership, 95 percent of people polled stated that executive coaching was worth the time and effort. The OES identifies 28 behavioral and business practice competencies within 4 functions of the organization: Leadership, People, Strategy and Performance.

THE LEADERSHIP RELAY — According to Deloitte Human Capital Trends, 56 percent of executives report their companies are not ready to meet leadership needs. High-ROI leadership development will be key in securing seamless transitions in management that will occur over the next decade. It’s time for companies to look forward, constantly assessing and encouraging the leadership qualities of their younger, or perhaps, newer employees.

THE INTANGIBLE ASPECTS OF COMPANY CULTURE — While benefits and workplace flexibility are frequently discussed topics of company culture and work happiness, the intangible aspects of company culture are far more important to worker loyalty and productivity. What are these intangible aspects? Companies that foster collaboration (when possible) and a team mentality through inclusive leadership perform better. Strong leadership qualities of communication, empathy, and service translate into a respectful, engaging, and exciting workplace.

INVESTING IN THE FUTURE — A successful model of leadership promotes personal growth. Measurable mentorship programs and professional development opportunities in the form of continuing education, advanced certification, and taking on new roles or additional responsibilities that are then recognized by management are crucial to your employees feeling encouraged to set and pursue goals and develop skills.

Leadership – Adding a Business Coach as a mentor JULY 2018

The John Maxwell leadership training center shares value of adding a “business coach” as a mentor for your own career development:

There are professionals and programs available to help people achieve all types of goals — people hire coaches to help them lose weight, get fit, get sober, improve their finances and their relationships. You should think of a business coach or leadership program as a personal trainer for your professional “fitness.” We all set professional goals. But ask yourself this: What active steps am I taking to achieve them? Below are advantages of adding a mentor to help build improved leadership skills for the future:

1. The Power of Accountability — One of the most significant reasons successful people meet or exceed their goals — both personal and professional — is accountability. Accountability can mean the difference of staying on track and making progress towards a goal.

2. Taking Professional “Me Time” — Utilizing a business coach or professional network is a great way to focus on your own professional development.

3. Designing Your Own Motivation — A good source of external accountability will also guarantee that you will focus on your goals more often. Setting a routine of professional development — checking in on your own progress, setting and meeting smaller, benchmark goals — is essential to building momentum.

Microsoft Azure – New Firewall add-on preview launched JULY 2018

Microsoft Azure is introducing a new “beta” version of a Firewall facility designed to protect cloud based applications. In its first iteration it is mainly designed to protect OUTBOUND traffic, as described below:

What is Azure Firewall?

In this post, I will explain what the new Azure Firewall, recently launched in preview, can do and what it cannot at this time. There is no shortage of firewall options in Azure for network security at the transport (Layer-4) and application (Layer-7) layers of the network stack. The features today are:

***  High availability (HA): You do not need to deploy multiple instances for high availability as you do with NVAs. The appliance has built-in HA.
***  Cloud scalability: Another reason for scaling out the number of NVAs and load balancing them is to increase the scale of throughput. The Azure Firewall will scale to handle your throughput and bandwidth requirements.
***  FQDN filtering: You define a whitelist of fully qualified domain names (you can use wildcards) of external URLs that can be reached from your network. This approach will limit data leakage and prevent remote control by malware. This is the set of “where to rules”.
***  Network filtering rules: Rules based on source, destination, protocol, and port will limit what kinds of traffic can leave your virtual network. This is the set of “what rules”.
***  Outbound SNAT support: The Azure firewall is deployed with a standard-tier public IP address. All traffic leaving the virtual network is identified to the Internet using this address.
***  Azure Monitor: All events can be traced in the Azure Monitor, and archived to a storage account, event hub (external systems), or Log Analytics (OMS).

What Azure Firewall Cannot Do — When I first heard of Azure Firewall I thought it would replace NVAs. As it turns out, based on what the Azure Firewall is today in its preview release, it won’t. But the current preview release is a very early one, and I think Microsoft is slowly developing Azure Firewall to get it right, instead of rashly rolling out a bunch of unready features. So, I kind of understand what they are doing. Today the Azure Firewall is not a solution for protecting a network against inbound threats. You cannot set up NAT rules for inbound traffic. It does not have rules or filters for publishing internal applications either. Today, Azure Firewall only cares about outbound traffic.

Security – Black Hills RITA open source toolkit

Black Hills Information Security has introduced an open source security vulnerability analysis tool called RITA (Real Intelligence Threat Analytics), as described below:

I installed and tested this open source framework called Real Intelligence Threat Analytics (RITA), which was recently updated, against my BRO logs. “This open source project, born from Black Hills Information Security, is now developed, funded and supported by Active CounterMeasures”. A full description of RITA’s capabilities and the code is available here. I used the automated script (with CentOS 7) which I downloaded from here. The installation is straightforward and it verified my setup to make sure everything is installed on my box. It supports some interesting features such as:

1. Beaconing Detection
2. DNS Tunneling Detection
3. Blacklist Checking
4. URL Length Analysis
5. Scanning Detection
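A simplified beaconing heuristic in the spirit of feature 1, added here as an illustration and not RITA’s own code (RITA’s scoring is more elaborate): it groups Bro/Zeek conn.log-style records by source/destination pair and scores how regular the connection intervals are, the clockwork timing that distinguishes a beacon from ordinary browsing. The log lines, hosts and timestamps below are constructed for the demo.

```javascript
// Added example, not RITA's algorithm: a simplified beaconing heuristic over
// conn.log-style records. Only the ts, id.orig_h and id.resp_h columns are used
// (tab-separated, as in Bro/Zeek conn.log). The sample lines are constructed.
const SAMPLE_CONN_LOG = [
  // one host calling home every 60 s with no jitter
  ...Array.from({ length: 12 }, (_, i) => `${1531000000 + i * 60}\t10.0.0.5\t203.0.113.9`),
  // another host reaching the same site at irregular, human-looking intervals
  '1531000010\t10.0.0.7\t198.51.100.4', '1531000043\t10.0.0.7\t198.51.100.4',
  '1531000300\t10.0.0.7\t198.51.100.4', '1531000312\t10.0.0.7\t198.51.100.4',
  '1531001100\t10.0.0.7\t198.51.100.4', '1531001107\t10.0.0.7\t198.51.100.4',
].join('\n');

function parseConnLog(text) {
  return text.split('\n').filter((l) => l && !l.startsWith('#')).map((l) => {
    const [ts, src, dst] = l.split('\t');
    return { ts: Number(ts), src, dst };
  });
}

// Score each src->dst pair by the regularity of its connection intervals.
// A coefficient of variation near 0 means clockwork timing (score near 1);
// minConns skips pairs with too few samples to judge.
function beaconScores(records, minConns = 5) {
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.src}->${r.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.ts);
  }
  const out = [];
  for (const [pair, tsList] of byPair) {
    if (tsList.length < minConns) continue;
    const ts = tsList.slice().sort((a, b) => a - b);
    const gaps = ts.slice(1).map((t, i) => t - ts[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = mean === 0 ? 0 : Math.sqrt(variance) / mean;
    out.push({ pair, connections: ts.length, meanGap: mean, score: 1 / (1 + cv) });
  }
  return out.sort((a, b) => b.score - a.score); // most beacon-like first
}

function demo() { return beaconScores(parseConnLog(SAMPLE_CONN_LOG)); }
```

On the sample the 60-second caller scores 1.0 while the irregular host scores well under 0.5; real tooling also weighs connection counts, data sizes and long-tail jitter before raising an alert.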

Microsoft Security – July 2018 .NET Framework security patches removed

Microsoft removed the .NET Framework security updates from the JULY 2018 Patch Tuesday updates after some corporate users were impacted by server application issues. Replacement security patches will likely be introduced in future, after further testing & refinement to ensure issues don’t materialize again.

Microsoft’s Friday announcement specifically pointed to an “Important” security patch to the .NET Framework (CVE-2018-8356). It contains a flaw that affects applications that “initialize a COM component and run with restricted permissions,” according to the announcement. Specifically, it can affect users of SharePoint, BizTalk Server Administration Console and Internet Information Services (IIS) with “classic” ASP, as well as other .NET applications that use “COM and impersonation.”

In response to the problems, Microsoft has stopped distributing the July .NET Framework patches from its Windows Update service and is working on correcting and reshipping the July patch releases. Organizations should apply this reshipped July patch, when it arrives, even if they weren’t affected initially. “If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates,” the announcement explained.

Malware – Advanced Emotet banking trojan JULY 2018

US CERT, SANS Internet Storm center, and other security firms are sharing awareness of increased malicious spam (malspam) featuring Emotet malware. As noted in these warnings, Emotet continues to evolve with new capabilities:

Overview: Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Description — Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local networks through incorporated spreader modules.

Oracle Security – Weblogic CVE-2018-2893 Exploit

The vulnerability addressed by the recent JULY 2018 Oracle security patch, CVE-2018-2893 in the Weblogic development suite, is being exploited in-the-wild & all applicable corporate users should expediently patch for safety reasons.

On 18-JUL-2018 Oracle released a Critical Patch Update. Yesterday an exploit targeting CVE-2018-2893, impacting Oracle Weblogic Server, appeared publicly. We do see first exploit attempts. The exploit attempts to download additional code from a malicious server. We are still looking at details, but it looks like the code attempts to install a backdoor. Scanning activity targeting port 7001 peaked in May of 2018 when another Weblogic vulnerability went public; unsurprisingly, it was used to install crypto-miners.