Archive | March, 2012

Radio Free Security: March 2012 Episode

Securing Mobile Devices in a BYOD World

Have you noticed more and more employees walking around with iPhones, Droids, and iPads? If so, you’re not alone, and this month’s Radio Free Security episode might help you learn how to mitigate this BYOD security problem.

If you’ve never heard of Radio Free Security (RFS), it’s a monthly podcast dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online.

In this episode, we return to our regular format of one general security segment followed by the “Security Story of the Month.”

During the first segment, I interview Dean Colpitts, a longtime WatchGuard partner from Canada’s beautiful Atlantic Coast. We discuss the potential perils of employees bringing their own mobile devices to work, and propose some solutions IT administrators can leverage to securely manage these devices.

Next up, Tim, Richard, and I come to a consensus on the Security Story of the Month. We discuss hacktivist arrests, a major RDP vulnerability, and a drama-filled hacking contest that could change the way researchers share their discoveries. So, grab a hot beverage, get comfy, and check out this month’s show.

You can listen to the episode using the player below, or by subscribing to our iTunes podcast:

[runtime: 1:07:13]

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 11

Highlights Include: IOS Updates, Botnet Takedowns, and Mac Word Malware

Ready to finish off your week with a quick summary of the week’s security news? If so, WatchGuard Security Week in Review is for you. In this episode, you’ll learn about important security updates, some big botnet takedowns, and a nasty piece of Mac malware that hides in malicious Word documents. I even share a tip about a nice OS X security tool along the way. Grab your beverage of choice and check out the short video below.

Like always, if you’d prefer to read rather than watch or listen, the Episode Reference guide below includes links to articles about all these stories. I’ve even thrown in a few extra links, for those with an insatiable appetite for security news (maybe that’s just me).

I hope to hear your feedback or suggestions in the comments section of this post, and if you like the show, please tell your friends. For those of you waiting for a shorter intro for these videos, it’s only a few episodes away. (Episode Runtime: 7:03)

Direct YouTube Link: http://www.youtube.com/watch?v=1ovLb7TKOi4

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Biannual Cisco Patch Day: IOS Security Updates Patch Many DoS Flaws

Summary:

  • These vulnerabilities affect: Many devices running Cisco IOS
  • How an attacker exploits them: Multiple vectors of attack, most of which involve sending specially crafted network packets to or through the device
  • Impact: In the most common case, an attacker can cause your IOS device to reload, and can repeatedly exploit these flaws to cause a Denial of Service (DoS) condition
  • What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Over a year ago, Cisco implemented a twice-yearly patch cycle that falls on the fourth Wednesday of March and September. During today’s biannual patch day, Cisco released nine security advisories that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches.

Though Cisco’s nine IOS advisories differ technically, and affect different IOS components, most of them share the same general scope and impact. By sending specially crafted network traffic to (or through) your IOS device, an attacker can exploit most of these issues to cause that device to reload. By repeatedly exploiting these vulnerabilities, an attacker could cause a Denial of Service (DoS) condition on your router or switch.

For a complete list of today’s IOS alerts, check out Cisco’s Security Advisories and Responses page. However, we summarize three of the IOS advisories below to give you a general idea of the impact of these flaws:

Advisory ID cisco-sa-20120328-ssh: Reverse SSH DoS Vulnerability

Cisco’s Secure Shell (SSH) component suffers from a DoS vulnerability involving how it handles reverse SSH connections. By attempting a reverse SSH login using a specially crafted username, an unauthenticated attacker can exploit this flaw to cause your IOS device to reload. By repeatedly exploiting this issue, an attacker could knock your IOS device (such as your gateway router) offline.
Base CVSS Score: 7.8 (10 being the most severe)

Advisory ID cisco-sa-20120328-nat: NAT DoS Vulnerability

Cisco IOS’s Network Address Translation (NAT) component suffers from a vulnerability involving how it handles Session Initiation Protocol (SIP) traffic. By sending specially crafted SIP traffic through your IOS device, an attacker could exploit this vulnerability to exhaust memory on your IOS device, potentially forcing it to reload. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit this vulnerability to knock your network off the Internet.
Base CVSS Score: 7.8

Advisory ID cisco-sa-20120328-ike: IKE DoS Vulnerability

Internet Key Exchange (IKE) is the protocol used to negotiate the cryptographic parameters needed to build IPsec VPN tunnels. Cisco IOS’s IKE component suffers from an unspecified vulnerability, which an attacker can leverage to force your IOS device to reload. By sending specially crafted IKE traffic to an IOS device, an attacker could repeatedly exploit this flaw to cause a DoS condition.
Base CVSS Score: 7.8

Many of the remaining IOS advisories also fix DoS flaws just as severe as the ones described above. One also fixes a command authorization bypass vulnerability. If you’d like more details on these individual advisories, refer to the links in the References section of this alert.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you manage a Cisco device running IOS software, you should consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections in each of Cisco’s advisories to learn which fixes apply to your devices, and how to obtain them. You will find links to each individual advisory in the Reference section below.
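The practical chore behind “learn which fixes apply to your devices” is comparing each router’s running release with the first fixed release for its feature train. The script below is an added example written for this alert; it is not Cisco’s code and not part of the advisories. It parses the release string that `show version` prints (for example “Version 15.1(4)M3, RELEASE SOFTWARE”) and compares it, train by train, against a first-fixed list. The values in FIRST_FIXED_PLACEHOLDER and the three sample `show version` lines are invented for illustration; copy the real numbers from the “Software Versions and Fixes” table of the advisory you are checking.

```python
"""Check running Cisco IOS releases against an advisory's first-fixed table.

Added example, not Cisco's code and not part of the original alert. It parses
the release string that `show version` prints ("Version 15.1(4)M3, RELEASE
SOFTWARE") and compares it, train by train, with the first fixed release for
that train. FIRST_FIXED_PLACEHOLDER holds invented values; copy the real
numbers from the "Software Versions and Fixes" table of each advisory.
"""
import re
from typing import Dict, List, NamedTuple

# major.minor(maintenance)TRAIN rebuild, e.g. 15.1(4)M3, 12.4(24)T6, 15.2(2)S,
# 12.2(33)SXI9. A trailing lowercase suffix such as 15.1(4)M3a is ignored.
_IOS_RELEASE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?")


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str      # feature-train letters; "" for a mainline release
    rebuild: int    # 0 when the release has no rebuild number

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        m = _IOS_RELEASE.search(text)
        if m is None:
            raise ValueError(f"no IOS release string in {text!r}")
        major, minor, maint, train, rebuild = m.groups()
        return cls(int(major), int(minor), int(maint), train or "", int(rebuild or 0))

    def same_train(self, other: "IosVersion") -> bool:
        """Releases are only comparable within one major.minor feature train."""
        return (self.major, self.minor, self.train) == (other.major, other.minor, other.train)


# PLACEHOLDER: invented first-fixed releases for ONE advisory, one per train.
FIRST_FIXED_PLACEHOLDER: List[str] = ["15.0(1)M8", "15.1(4)M4", "15.2(1)T2"]


def assess(show_version_text: str, first_fixed: List[str]) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one device.

    Tuple comparison on (major, minor, maint, train, rebuild) is valid because
    same_train() has already pinned major, minor and train to be equal.
    """
    running = IosVersion.parse(show_version_text)
    for fixed in (IosVersion.parse(s) for s in first_fixed):
        if running.same_train(fixed):
            return "fixed" if running >= fixed else "vulnerable"
    # The train is not in the table: read the advisory rather than assume safety.
    return "unknown"


# Constructed sample inventory: hostname -> first line of `show version`.
SAMPLE_INVENTORY: Dict[str, str] = {
    "edge-rtr-1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.1(4)M3, RELEASE SOFTWARE (fc1)",
    "edge-rtr-2": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.1(4)M5, RELEASE SOFTWARE (fc2)",
    "branch-rtr": "Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), "
                  "Version 12.4(24)T6, RELEASE SOFTWARE (fc2)",
}


def report(inventory: Dict[str, str], first_fixed: List[str]) -> Dict[str, str]:
    """Assess every device in the inventory against one advisory's table."""
    return {host: assess(text, first_fixed) for host, text in inventory.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY, FIRST_FIXED_PLACEHOLDER).items():
        print(f"{host:12} {status}")
```

A device whose train has no entry comes back as “unknown” rather than “fixed” on purpose: Cisco’s tables sometimes mark a train as not affected, sometimes as needing a migration to another train, and only the advisory can tell you which. Run the check once per advisory, since each of the nine has its own first-fixed table.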

For All Users:

Since these vulnerabilities can affect your router, which is typically in front of your firewall, you should apply the Cisco updates as soon as possible.

Status:

Cisco has made fixes available.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

WatchGuard Announces Fireware XTM 11.5.2 Update 1

For Original XTM 2 Series Appliance Models Only

WatchGuard has released an important update for the original XTM 2 Series appliance models (XTM 21/22/23 and the wireless models). This update corrects certain conditions that cause instability for some customers on these platforms. More specifically, this update is for appliance software only. It resolves a file system writing issue and reduces memory use during Gateway AV signature updates. If you are running one of the original XTM 2 Series appliances and are experiencing the following issues on XTM 11.5.1 or 11.5.2, we recommend applying this patch:

  • Appliance passes traffic normally but cannot be managed via WSM or Web UI
  • Appliance gradually stops passing traffic, cured by a reboot.

The update also resolves many other minor bugs. You can find more information about this update, and the issues it corrects, in the Release Notes.

Does This Release Pertain to Me?

Fireware XTM 11.5.2 Update 1 is an enhancement release designed to correct a few stability issues that may affect some original 2 Series model customers. If you manage an XTM 21, 22, or 23 appliance, and are experiencing the symptoms described above, you should download and install XTM 11.5.2 Update 1. However, if you manage a newer XTM 25 or 26 appliance, or any other XTM Series platform, you do not need this update. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM 2 Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Fireware XTM 11.5.2 Update 1 is only for the original 2 Series appliance models (XTM 21/22/23 and wireless models). As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Security Week in Review: Episode 10

Georgian Botnets, Mac Trojans, and Carberp… Oh My.

I saw so many interesting security stories this week that it was hard to decide which ones to choose for the episode, while still keeping it short. So instead, I concentrated on two themes: interesting new malware and positive security stories. If you’d like to hear about botnets that steal RDP configs, sneaky Mac malware, cybercriminal arrests, and more, check out WatchGuard Security Week in Review below.

If you’d prefer to read rather than watch or listen, the Episode Reference guide at the bottom of this post links to articles on these stories.

With such a security news-filled week, today’s episode was at risk of running long. So I had to whack a few stories. However, I did want to share a free security tool recommendation (since some viewers liked this idea). If you’d like to hear about a free tool that will help keep your PC up to date, be sure to keep watching after the credits. (Core Episode Runtime: 9:52. Optional 2-minute extra at the end)

Direct YouTube Link: http://www.youtube.com/watch?v=F0zd3WYTjws

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Tweet, Like and Poke Your Network into Disaster: The Dangers of Web 2.0 Apps

Besides writing security articles and making videos, I also present a lot for WatchGuard. Over the past few years, I’ve traveled all over the place giving talks on various security topics, both in person and virtually. Between researching the topics, writing the presentations, and then delivering them over and over again, I often feel like I’ve already “covered” a particular topic and told “everyone” about it. Yet today I realized the obvious. I haven’t really shared much of my presentation content with the WatchGuard Security Center readers.

Shame on me. Today, I’ll begin rectifying that.

Last week, I did a webinar at BrightTalk, describing some of the dangers posed by social networks and Web 2.0 applications. That webinar shares the same title as this post. I wrote this social network presentation a while ago, but it is still quite relevant today. Luckily, BrightTalk records these webinars, so I can share it with you.

If you’re interested in learning why I believe Social Networks — especially Facebook — will be one of the largest targets for malware over the next few years, check out my webinar. Of course, I also share tips on protecting yourself from social network threats (both user- and business-focused tips).

Do note, if you’ve never used BrightTalk before, you will have to register the first time you view a presentation. So far the audience has rated my presentation positively, so I’d like to hope that the information I share is worth the slight irritation of another registration. Also, if you have any comments or questions on the presentation, feel free to ask me in the comments section below. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 9

Lots of Software Updates, a Few Breaches, and One Anonymous Story

Missed this week’s security news? No problem. WatchGuard’s Security Week in Review video will fill you in. This week I talk about all the Microsoft Patch Day updates, a few significant network attacks, and a booby-trapped Anonymous Linux distribution. Watch below to learn more.

By the way, in the video I talk about a serious Windows RDP flaw, and the rumor that someone had released a public exploit targeting this flaw. This morning, right after I produced this week’s video, I learned that the exploit has indeed gone public. So far, the researcher has only released a “proof-of-concept” exploit, which will crash the RDP service. No one has released a “weaponized” exploit yet. However, with this code available it’s only a matter of time. While I’ve said this quite a few times this week, I highly suggest you apply Microsoft’s RDP patch now!

As always, I include an Episode Reference guide below, where you can read more about each of these stories. As an aside, thanks for your comments and suggestions last week — keep them coming. I have noted that many people would like a shorter intro to the video. I wasn’t able to change it this week, but I will soon. (Video Runtime: 7:46)

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

ColdFusion Security Update: Minor to Me, Perhaps Major to You

By now, I should be used to the fact that Adobe Patch Day falls on the same Tuesday as Microsoft Patch Day, and yet Adobe still seems to sneak a few by me.

During the rigmarole of Microsoft Patch Day last Tuesday, Adobe released a security advisory describing an update that fixes a security flaw in the ColdFusion web application server. For those that don’t know, ColdFusion Markup Language (CFML) is a web application language you can use to tie your web site to a database back-end, and Adobe’s ColdFusion is the server product that runs CFML applications; it even comes with a built-in web server (though not one intended for production use). According to Adobe’s advisory, ColdFusion suffers from a Denial of Service (DoS) vulnerability involving hash algorithm collisions. This is the hash-table collision class disclosed for many web platforms at the end of 2011: an attacker sends a single request carrying thousands of parameter names chosen to hash to the same value, so the server spends its CPU on worst-case lookups just storing them. This flaw’s not a huge threat, but if you have ColdFusion you should patch.
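To make the collision mechanism concrete, here is an added example written for this post; it is not Adobe’s code and not ColdFusion’s real parameter parser. ColdFusion runs on the JVM, whose java.lang.String.hashCode() computes h = 31*h + c. Under that function “Aa” and “BB” hash identically, and so does every string assembled from those two blocks, which is how an attacker gets thousands of distinct parameter names into one hash bucket. The toy chained table counts key comparisons to make the quadratic cost visible, and the two mitigations shown (a parameter-count cap and a keyed hash) are illustrative; the MAX_PARAMS value is an assumption, not Adobe’s setting.

```python
"""Hash-collision denial of service: the flaw class behind this ColdFusion fix.

Added example, not Adobe's code and not ColdFusion's real parameter parser.
ColdFusion runs on the JVM, whose java.lang.String.hashCode() computes
h = 31*h + c. Under that function "Aa" and "BB" hash to the same value, and so
does every string assembled from those two blocks, so an attacker can build
thousands of distinct parameter names that land in one hash bucket. The toy
chained table below counts key comparisons to make the quadratic blow-up
visible; parse_query() and keyed_hash() show the two usual mitigations. The
parameter cap (MAX_PARAMS) is an assumed value, not Adobe's.
"""
import hashlib
import itertools
import os
from typing import Callable, Dict, List, Tuple


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c with 32-bit signed wraparound."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(count: int) -> List[str]:
    """Return `count` distinct strings that all share one java_string_hash value."""
    blocks = ("Aa", "BB")                        # 31*65 + 97 == 31*66 + 66 == 2112
    length = max(1, (count - 1).bit_length())    # 2**length >= count
    return ["".join(p) for p in itertools.islice(itertools.product(blocks, repeat=length), count)]


class CountingTable:
    """Chained hash table that counts the key comparisons made while inserting,
    the work a request-parameter map does to detect duplicate names."""

    def __init__(self, buckets: int = 1024, hash_fn: Callable[[str], int] = java_string_hash):
        self._buckets: List[List[Tuple[str, str]]] = [[] for _ in range(buckets)]
        self._hash = hash_fn
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self._buckets[self._hash(key) % len(self._buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def comparisons_for(keys: List[str], hash_fn: Callable[[str], int] = java_string_hash) -> int:
    """Total key comparisons needed to insert `keys`; n colliding keys cost n(n-1)/2."""
    table = CountingTable(hash_fn=hash_fn)
    for k in keys:
        table.put(k, "x")
    return table.comparisons


# Mitigation 1: refuse oversized requests before touching the hash table.
MAX_PARAMS = 1000   # assumed cap; app servers adopted limits of this order after the disclosure


def parse_query(query: str, max_params: int = MAX_PARAMS) -> Dict[str, str]:
    """Parse a=1&b=2 into a dict, rejecting requests with too many parameters."""
    pairs = query.split("&") if query else []
    if len(pairs) > max_params:
        raise ValueError(f"too many parameters: {len(pairs)} > {max_params}")
    params: Dict[str, str] = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        params[name] = value
    return params


# Mitigation 2: hash with a keyed PRF so collisions cannot be precomputed.
# Merely seeding h = 31*h + c does NOT help: "Aa" and "BB" collide for every
# seed because 31*(65-66) + (97-66) == 0 regardless of the starting value.
_PROCESS_KEY = os.urandom(16)


def keyed_hash(s: str, key: bytes = _PROCESS_KEY) -> int:
    """Keyed BLAKE2b truncated to 64 bits; the key never leaves the process."""
    digest = hashlib.blake2b(s.encode("utf-8"), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big")


if __name__ == "__main__":
    evil = colliding_keys(2048)
    benign = [f"param{i}" for i in range(2048)]
    print("colliding keys, Java hash :", comparisons_for(evil))
    print("benign keys,    Java hash :", comparisons_for(benign))
    print("colliding keys, keyed hash:", comparisons_for(evil, keyed_hash))
```

Two things worth noticing when you run it. First, 2048 colliding names cost about two million comparisons where 2048 ordinary names cost a few thousand, and the attacker gets that for one POST body of roughly 70 KB. Second, the keyed hash is not the same thing as a “random seed”: the comment in the code shows why seeding the linear Java hash leaves the Aa/BB collision intact, which is why the fixes that actually shipped across the industry were parameter caps and genuinely keyed hash functions.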

If I’m being honest, my first response to seeing this advisory was, “who cares.” While I don’t know the official numbers, I’m fairly sure that few web sites actually leverage ColdFusion for their web applications today. They use PHP and .ASP instead. However, an audience member from a presentation I gave yesterday reminded me that one man’s lame app might be another man’s favorite program.

The IT Professional in question was telling me about a client who had a network breach. An attacker had gained access to the client’s SQL database via their web site, and stole and deleted lots of data. What was the ultimate culprit? An older, unpatched version of ColdFusion. Well. I’ll be. Here I was callously ignoring a product that I felt was not worthy of attention, meanwhile attackers are targeting it.

Yes. I’m being a little over dramatic to illustrate a point. Yet, this conversation reminded me that vulnerabilities in less popular products can still greatly affect some people. In fact, sometimes we even forget about some of the less popular products we have on our computers since we never use them. If we’ve forgotten about them, we’re probably not updating them. Luckily, there are tools that can help you with this problem.

At home, I’ve installed the free personal version of Secunia’s PSI (it stands for Personal Software Inspector). It checks your computer for every software package you install, and tries to tell you the ones that haven’t been updated. I especially like that it doesn’t only tie to the Windows “install/uninstall” component, but instead scans your computer for executables. Sometimes we install products on our computers that the Windows uninstaller doesn’t “see,” but PSI will still find and recognize these programs. Since many less popular products don’t have automatic update mechanisms, PSI is a great tool to proactively find what software you should patch. I recommend you check it out. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard XCS 9.2 Update 2 Now Available:

Notification Message Variables, Plus Security, and Functionality Fixes

15 March 2012

As part of our ongoing efforts to improve the effectiveness of WatchGuard XCS appliances, which protect against data loss, viruses, and malware, WatchGuard is pleased to announce the availability of XCS 9.2 Update 2.

Highlights of this maintenance release include:

  • Variables are now supported in notifications with configurable subject headers. System variables, which are system and message settings substituted automatically at the time a notification message is sent, can now be used in notification messages that use configurable subject headers.
  • A new %SUBJECT% system variable is implemented. It inserts the subject line of the original message into the notification.
  • FreeBSD security advisory FreeBSD-SA-11:06.bind has been resolved. A vulnerability in an open source component of XCS, which could permit denial-of-service (DoS) attacks on the name service functionality, has been addressed.
  • A vulnerability (CVE-2011-3389) in CBC-mode ciphers under SSLv3/TLS 1.0 has been resolved. An issue in the open source SSL/TLS component of XCS, which could allow an attacker who can both observe a connection and inject chosen data into it to recover portions of the encrypted web or email traffic (the “BEAST” attack), has been mitigated. (Note that this issue did not affect the email encryption add-on capability.)
  • Over 40 additional bug fixes and minor enhancements have been included. For more details, see the Release Notes.

Does This Release Pertain to Me?

XCS 9.2 Update 2 is a maintenance release that contains a number of enhancements and bug fixes, including security fixes. Because of the security updates, it is strongly advised that users install the software update. Please read the Release Notes before you upgrade, to understand what is involved.

How Do I Get the Release?

Your XCS appliance will automatically download the XCS 9.2 Update 2 software. However, it will NOT automatically install the update. You must manually install software updates by going to Administration > Software Updates > Updates. You can also manually download the update from the Articles and Support section of WatchGuard’s Support Center. We highly recommend you thoroughly review the Installation Instructions section of the Release Notes before applying this update.

For a more detailed description of this update, please visit the WatchGuard Support Center at http://www.watchguard.com/support/.

If you need support, please enter a support incident online or call our support staff directly. When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em

On Tuesday, I sent alerts about Microsoft Patch Day and their more severe Windows bulletins. If you haven’t jumped on those Windows updates yet, I recommend you do so — especially the RDP one. However, Microsoft also released two other less severe bulletins this week, fixing security flaws in Visual Studio and Expression Studio as well. I suspect fewer people use these specialized products. Nonetheless, if you are someone who does, you should definitely apply these patches, too.

I quickly summarize the two remaining March Microsoft bulletins below:

  • MS12-021: Visual Studio Elevation of Privilege Vulnerability

Visual Studio is Microsoft’s popular software development environment. If you have any Windows developers in your organization, you likely have it. Visual Studio suffers from a security issue involving the way it loads add-ins. An attacker who already has local access to a computer with Visual Studio (valid log-on credentials, or a seat at the keyboard) could place a specially crafted add-in file in a directory Visual Studio searches; when a more privileged user, such as a local administrator, next starts Visual Studio, the add-in runs with that user’s rights. Since the attacker must already have an account and access to the file system, you have bigger fish to fry if this happens, and the issue primarily poses an insider threat. It does, however, let a low-privilege user on a shared developer machine escalate.

Microsoft rating: Important

  • MS12-022: Expression Design Code Execution Vulnerability

Expression Design is a vector-based graphic illustration program. It suffers from the insecure Dynamic Link Library (DLL) loading class of vulnerability, often called DLL preloading, that we’ve described in many previous Microsoft alerts. In a nutshell, an attacker entices one of your users into opening a legitimate-looking file from a location, typically a network share or WebDAV folder the attacker controls, that also holds a specially crafted, malicious DLL carrying the name of a library the application expects. When the application opens that file, it looks for the library in the file’s directory and loads the attacker’s DLL, executing its code with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by .xpr and .DESIGN files for Expression Studio.

Microsoft rating: Important

Though I don’t feel these flaws are as severe as the Windows ones I described earlier this week, they do still pose some risk to users who have these applications. I suggest you patch them at your earliest convenience. — Corey Nachreiner, CISSP (@SecAdept)