Archive | March, 2013

WatchGuard Security Week in Review: Episode 57 – 300Gb DDoS

POS Trojans, Android Spear Phishing, and Record DDoS

Extra, Extra, the Internet almost broke (no it didn’t). Read… View all about it!

Too much security news, and too little time? Let me summarize the highlights for you in my weekly InfoSec recap video. This week I cover two trojans targeting point-of-sale (POS) computers, a few software updates, a targeted spear phishing campaign spreading Android malware, and the record-breaking SpamHaus DDoS attack, which didn’t really break the Internet despite some reports. Click play for the details.

There were also a ton of other interesting Infosec tidbits this week, beyond what’s in the video. If you’re interested, check out the Reference section below. Stay frosty out there, and have a Happy Easter weekend.

(Episode Runtime: 9:47)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Cisco Patch Day: Multiple DoS Flaws in IOS

As part of their semiannual patch day, Cisco released seven security advisories describing different Denial of Service (DoS) vulnerabilities affecting the IOS software that primarily ships with their routers. The seven flaws differ technically, and lie within various IOS components, including NAT, IKE, RSVP, etc. However, most of them share the same essential scope and impact. If a remote, unauthenticated attacker can send specially crafted packets to your IOS device, he can exploit many of these flaws to cause the device to fill up memory, or crash and restart. Attackers can repeatedly leverage these flaws to knock your router offline for as long as they can carry out the attack.

DoS vulnerabilities in your gateway router pose a fairly significant risk, since attackers can leverage them to essentially knock you offline. Right now, DoS attacks are in vogue among Hacktivists and other attackers. Over the past week, Spamhaus has suffered the largest DDoS attacks in recorded cyber history, and big banks have suffered from politically motivated DDoS attacks for months now. Though today’s IOS DoS flaws are not likely what contribute to these huge DDoS attacks, they could make a DDoS attacker’s life even easier. If you manage any Cisco IOS gear, I highly recommend you check out today’s Cisco IOS alerts and apply the corresponding updates and workarounds. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 56 – ICS Honeypot

Jailed Hackers, ICS Honeypots, and Krebs SWATing

Currently, I’m attending a security expo in Helsinki, Finland, so I had to produce this week’s episode quickly, while on the road. Nonetheless, it’s still been a busy security week so far, and there’s a lot of InfoSec news to cover.

Today’s episode includes two unrelated stories that share a cyber-law theme, some interesting research about an ICS/SCADA honeypot that attracted a lot of attention from nation-state cyber attackers, and a story about a popular security journalist being targeted by a SWAT attack. Watch the video below for the full scoop, and check out the Reference section below if you’d like more details (and links to some extra InfoSec stories I didn’t have time to cover).

(Episode Runtime: 9:46)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Make Sure to Update Your Apple Devices

If you follow my weekly security video, WatchGuard Security Week in Review, you probably already know that Apple released both an OS X and Safari security update last week. Hopefully, you’ve already applied those two updates, but if not I highly recommend you do so immediately. Among other things, the OS X update includes a Java related security fix. Lately, cyber criminals have really targeted Java in attacks against both Macs and PCs, so it’s important you apply all Java related updates as quickly as you can.

This week, Apple also released iOS and Apple TV security updates. These updates fix a number of security issues in these popular products. High on the list of fixed issues was a very highly publicized lock screen bypass flaw in iOS, which an attacker could exploit to gain access to the data on your phone when lost or stolen. iOS 6.1.3 fixes that particular lock screen issue, and a few other vulnerabilities. However, later in the week news emerged of another lock screen flaw that affects the iPhone 4S. So it looks like Apple will have some more lock screen related updates in their future.

In any case, if you use Apple devices, you’re probably affected by at least one of these issues. So I recommend you go get the corresponding updates, or let Apple’s automatic update mechanisms do their job. — Corey Nachreiner, CISSP (@SecAdept)

Cisco Cooks Up Bad Passwords by Forgetting to Salt Their Hashes

Earlier this week, Cisco released a security alert describing a weakness in one of the password encryption algorithms they use on certain Cisco IOS and IOS XE devices.

Devices that store user credentials tend to use hash algorithms to encrypt plaintext passwords, making it more difficult for attackers to recover those passwords if they somehow gain access to the hashed credentials. However, attackers can still launch brute-force attacks against hash databases. The increase in computing power has made it fairly practical for attackers to crack short hashed passwords (8 characters or less) fairly easily, and distributed computing exacerbates this issue. Furthermore, lately attackers have started generating rainbow tables [video]—essentially precomputed tables of cracked hashes—for the most popular hash algorithms. These rainbow tables make it even easier for attackers to crack certain weak hash databases very quickly.

To combat rainbow tables, smarter hash algorithms add a salt to the mix. A salt is basically a random element added to a standard hash function, which makes each resulting hash unique. Salting a hash prevents attackers from using rainbow tables to quickly crack the well-known hash algorithms. That said, it doesn’t prevent the attacker from brute-forcing from scratch; it only ensures that the attacker can’t use a rainbow table to crack passwords really quickly.
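To make the salt point concrete, here is a short Python example added to this post (it is not Cisco’s code, and it says nothing about how a real IOS device hashes passwords; SHA-256 from the standard library stands in for whatever algorithm a device uses). The same password is stored for two users, once unsalted and once with a per-user random salt, and an attacker’s precomputed digest-to-password table (a constructed candidate list standing in for a rainbow table) is tried against both stores.

```python
import hashlib
import os
from typing import Optional

# Constructed candidate list standing in for an attacker's precomputed table.
# A real rainbow table stores hash chains rather than every digest, but the
# effect on an unsalted database is the same: one lookup per stored hash.
CANDIDATES = ["password", "letmein", "cisco123", "Summer2013", "admin"]


def unsalted_hash(password: str) -> str:
    """Bare SHA-256 (chosen for illustration): same password, same digest, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over a per-user random salt followed by the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words) -> dict:
    """The attacker's one-time precomputation: digest -> password."""
    return {unsalted_hash(w): w for w in words}


def table_lookup(table: dict, stored: str) -> Optional[str]:
    """Cracking an unsalted hash is a single dictionary lookup."""
    return table.get(stored)


def brute_force_salted(stored: str, salt: bytes, words) -> Optional[str]:
    """With a salt nothing can be precomputed: every candidate is re-hashed per user."""
    for w in words:
        if salted_hash(w, salt) == stored:
            return w
    return None


def demo(password: str = "cisco123") -> dict:
    """Store one weak password for two users both ways, then attack each store."""
    table = build_table(CANDIDATES)
    users = ["alice", "bob"]
    unsalted_db = {u: unsalted_hash(password) for u in users}
    salts = {u: os.urandom(16) for u in users}          # one random 16-byte salt per user
    salted_db = {u: salted_hash(password, salts[u]) for u in users}
    return {
        # Unsalted: identical passwords give identical digests, so one lookup cracks both.
        "same_digest_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "table_cracks_unsalted": {u: table_lookup(table, h) for u, h in unsalted_db.items()},
        # Salted: the digests differ and the precomputed table finds nothing.
        "same_digest_salted": salted_db["alice"] == salted_db["bob"],
        "table_cracks_salted": {u: table_lookup(table, h) for u, h in salted_db.items()},
        # ...but a from-scratch guess against each user still succeeds for a weak password.
        "brute_force_salted": {u: brute_force_salted(h, salts[u], CANDIDATES)
                               for u, h in salted_db.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows both halves of the argument above: the table recovers the unsalted password for both users with a lookup, finds nothing against the salted store, yet the per-user brute force still lands on the weak password. Plain salted SHA-256 is only an illustration; a production password store should use a deliberately slow salted construction (PBKDF2, bcrypt or scrypt) so that the per-hash brute force is expensive as well.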

In any case, Cisco recently released a new hash algorithm called Type 4 to improve the security of their password hashes. Their previous hash algorithms, Type 5 and Type 7, suffered from various weaknesses (such as relying on the outdated MD5 algorithm). However, in designing the Type 4 algorithm Cisco forgot to salt this new hash. As a result the Type 4 algorithm is actually weaker than the Type 5 algorithm it was intended to replace.

According to Cisco’s alert, if you are running a Cisco IOS or IOS XE device, and you are using the Type 4 algorithm for passwords, you suffer a higher risk from brute-force attacks (assuming an attacker can get ahold of your device’s hash database). Unfortunately, Cisco doesn’t have a complete fix for this problem yet. Though they plan on deprecating the current Type 4 hash algorithm, and replacing it with a proper implementation of the algorithm (which salts the hash), they haven’t done so yet. In the meantime, they recommend you stop using the Type 4 algorithm and use the legacy Type 5 one until they fix the issue.

Personally, I don’t think this is an overly severe security risk. In order for anyone to leverage the weakness in this Type 4 algorithm, they’d first have to gain access to your Cisco device’s password database, and if they can do that you already have a big problem. Nonetheless, if you manage Cisco IOS or IOS XE devices, I recommend you follow the directions in Cisco’s alert to see whether your devices use Type 4 passwords, and if so, how to replace those passwords with Type 5 ones instead. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 55 – SSL/TLS Weakness

Lots of Patches, Celebrity Hacks, and a SSL/TLS Weakness

If you’re anything like the average IT professional, you’re probably too busy putting out proverbial IT helpdesk fires, and installing new business IT solutions to spend much time each week staying on top of the latest security news and threats. That’s where we come in! For a quick recap of the biggest information and network security news from the week, check out the YouTube video below.

In this episode, I cover a ton of software updates from the week (it was Patch Day after all), the latest celebrity hack incident, an ironic breach of a security organization’s web site, and yet another weakness in the SSL/TLS encryption protocol. I even share a tip on how webmasters can learn to recover from web site hacks.

Enjoy the episode, and share your thoughts, suggestions, and questions in the comment section below. You can also find more details about these stories in the Reference section. Thanks for watching, and enjoy your St. Patty’s Day weekend.

(Episode Runtime: 11:00)

Direct YouTube Link:

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Announces Fireware XTM and WSM 11.7.2 with Support for New Wireless Access Point Products

Available for All XTM Appliances (Except XTM 21/22/23)

WatchGuard is pleased to announce the release of Fireware XTM v11.7.2 and WatchGuard System Manager v11.7.2, which includes support for the new WatchGuard AP family of wireless access points. Using the latest generation of wireless hardware, the WatchGuard AP extends best in class UTM security to your wireless network and provides seamless roaming for up to 16 SSIDs. Best of all, you can set up and manage your WatchGuard AP devices from a single console, using your current Fireware XTM management tools (Policy Manager or the Fireware XTM Web UI). We recommend that you review the new WatchGuard AP Deployment Guide, or the Fireware XTM Help, for information on how to get started with a new WatchGuard AP100 or AP200 wireless access point.

In addition to this major product enhancement, we are pleased to release a  large number of bug fixes and smaller enhancements, including hotspot support for wired networks, and a significant update to the spam detection engine used in our spamBlocker service. This release also corrects a few security vulnerabilities in our Quarantine Portal. We’d like to thank Wayne Murphy and Ben Burns of Sec-1 for helping us improve the security of our product.

For more information about enhancements and the issues fixed in Fireware XTM v11.7.2, see the Release Notes or What’s New in Fireware XTM v11.7.2 [PPT file].

Does This Release Pertain to Me?

Along with support for the wireless access points, Fireware XTM 11.7.2 also includes many other improvements and fixes. If you have a XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 800 Series, 1500 Series, 2500 Series, 1050 or 2050 device and wish to add new wireless access points or take advantage of the updates mentioned in the Release Notes, you should consider upgrading to version 11.7.2. Please read the Release Notes before you upgrade, to understand what’s involved.

Note: This update does not apply to XTM 21/22/23 appliance owners, or Firebox X e-Series owners. However, we will release new versions of 11.6.x and 11.3.x shortly for those devices as well. 

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

You can install Fireware XTM 11.7.2 on XTM 25/25-W/26/26-W, 3 Series, 5 Series, 8 Series, 800 Series, 1500 Series, 2500 Series, 1050 and 2050 devices. It does not support the wired or wireless versions of XTM 21/22/23. An 11.6.5 maintenance update for these products will follow shortly. If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller »

Adobe Plugs Four Flash Security Holes on Patch Day


  • This vulnerability affects: Adobe Flash Player  11.6.602.171 and earlier, running on all platforms
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 11.6.602.180 for PC and Mac)


Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released yesterday, Adobe announced a patch that fixes four critical vulnerabilities in their popular Flash Player. Though the flaws differ technically, they all consist of memory corruption issues, including a buffer overflow flaw, a use after free issue, an integer overflow and so on. The issues share the same general impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash (SWF or FLV) content, he could exploit these flaws to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

The good news is, unlike the emergency Flash update two weeks ago, attackers don’t seem to be exploiting these flaws in the wild right now. Nonetheless, Adobe rates the update as a “Priority 1” for Windows users, and recommends you apply it as soon as possible (within 72 hours). We have noticed that attackers and researchers seem to be finding holes in Flash as often as they are in Java. Whatever platform you run it on, we highly recommend you keep Flash up to date.

Solution Path

Adobe has released new versions of Flash Player (11.6.602.180 for PC and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:

Also, we believe attackers and researchers have been focusing on exploiting Flash lately (like they have focused on Java). Flash is used on many web sites, so it may be difficult to make your users remove it. However, there are script-limiting plugins, such as NoScript and NotScripts, which prevent Flash and other active content from running by default on web sites. This allows your users to create a whitelist of trusted sites, and only run Flash when absolutely necessary. In doing so, you can prevent many drive-by download attacks that might leverage these sorts of Flash flaws.

NOTE: Chrome ships with its own built-in version of Flash. If you use Chrome as your web browser, you will also have to update it separately, though Chrome often receives its updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Flash files:

File Extension:

  • .swf – Shockwave
  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

Reported Magic Byte Pattern:

  • Hex SWF: 46 57 53

(Keep in mind that not all the hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short, or not unique enough, blocking on it could result in many false positives.)
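As an added illustration (this is example code written for this post, not WatchGuard code, and not how the XTM proxy implements its content rules), the Python below applies the three identification methods from this alert to a handful of constructed sample responses. The extension and MIME lists and the “FWS” (46 57 53) signature are the ones listed above; the “CWS” and “ZWS” compressed-SWF signatures, the “FLV” signature, and the header-length consistency check that tames the false-positive problem noted in the caveat are additions that go beyond the page, and every sample path, header and body is constructed.

```python
import struct
from typing import Optional

# Identification rules taken from the alert above.
FLASH_EXTENSIONS = {".swf", ".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_MIME_TYPES = {
    "video/x-flv",
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
}
# Magic bytes. "FWS" (46 57 53) is the pattern from the alert; "CWS" (zlib-compressed SWF),
# "ZWS" (LZMA-compressed SWF) and "FLV" are added here as a generalisation.
SWF_SIGNATURES = {b"FWS": "swf", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}


def extension_of(path: str) -> str:
    """Lower-cased extension of a URL path, ignoring any query string."""
    path = path.split("?", 1)[0]
    dot = path.rfind(".")
    if dot == -1 or "/" in path[dot:]:
        return ""
    return path[dot:].lower()


def naive_magic(body: bytes) -> bool:
    """The bare three-byte check as listed in the alert: short, so prone to false positives."""
    return body[:3] == b"FWS"


def magic_matches(body: bytes) -> Optional[str]:
    """Signature check hardened with a header-consistency test (an addition of this example).

    SWF header: 3-byte signature, 1-byte version, then a little-endian UI32 FileLength
    holding the uncompressed size of the whole file, header included. For "FWS" that
    value must equal the actual size; for the compressed forms it can only be larger.
    FLV header: "FLV" followed by a version byte that is always 1.
    """
    sig = body[:3]
    if sig == b"FLV" and body[3:4] == b"\x01":
        return "flv"
    if sig in SWF_SIGNATURES and len(body) >= 8:
        declared = struct.unpack_from("<I", body, 4)[0]
        if sig == b"FWS" and declared == len(body):
            return SWF_SIGNATURES[sig]
        if sig != b"FWS" and declared >= len(body):
            return SWF_SIGNATURES[sig]
    return None


def classify(path: str, content_type: str, body: bytes) -> list:
    """Return which of the three methods flag this response as Flash content."""
    reasons = []
    if extension_of(path) in FLASH_EXTENSIONS:
        reasons.append("extension")
    mime = content_type.split(";", 1)[0].strip().lower()   # drop any charset parameter
    if mime in FLASH_MIME_TYPES:
        reasons.append("mime")
    label = magic_matches(body)
    if label:
        reasons.append("magic:" + label)
    return reasons


def make_fws(payload: bytes) -> bytes:
    """Build a minimal, header-consistent uncompressed SWF (constructed test data)."""
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(payload)) + payload


# Constructed sample responses: (URL path, Content-Type header, first bytes of body).
SAMPLES = {
    "labelled": ("/player/movie.swf", "application/x-shockwave-flash", make_fws(b"\x00" * 24)),
    "disguised": ("/downloads/report.pdf", "application/pdf", make_fws(b"\x00" * 24)),
    "compressed": ("/assets/app", "application/octet-stream",
                   b"CWS\x0a" + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 20),
    "flv": ("/media/clip", "application/octet-stream",
            b"FLV\x01\x05\x00\x00\x00\x09\x00\x00\x00\x00"),
    "text_fp": ("/notes.txt", "text/plain", b"FWS is the uncompressed SWF signature"),
    "mp4": ("/video.mp4?x=1", "video/mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16),
}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10s} naive-magic={naive_magic(sample[2])!s:5s} flagged-by={classify(*sample)}")
```

The samples show why the alert lists more than one method: the “disguised” and “compressed” responses carry a harmless extension and MIME type and are caught only by the body signature, while the plain-text file that happens to begin with the letters FWS is flagged by the bare three-byte pattern but rejected once the declared file length is compared with the actual size.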

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.


Adobe has released updates to fix these Flash vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Silverlight and Windows Kernel-Mode Driver Patches

Severity: High


  • These vulnerabilities affect: Most current versions of Windows and Silverlight 5 (For PC and Mac)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released two security bulletins that describe four vulnerabilities in Windows and the Silverlight component, which is commonly installed with it. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical one – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-022: .NET Framework and Silverlight Code Execution Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. It suffers from something experts call a double dereference vulnerability involving how Silverlight handles specially crafted HTML objects. If an attacker can lure one of your Silverlight users to a malicious web site (or a legitimate site booby-trapped with malicious code), he can exploit this flaw to execute code on that user’s computer, with the user’s privileges. As usual, if you are a  local administrator, the attacker could exploit this to gain full control of your machine.

Microsoft rating: Critical

  • MS13-027: Three Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local elevation of privilege flaws having to do with how it improperly handles objects in memory. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your Windows computer or trick you into running it yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and Silverlight patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Attackers can exploit some of these flaws locally. Since your gateway XTM appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High


  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.


Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)


Microsoft has released updates to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
