Archive | November, 2013

Avoid the Top Five Holiday Shopping Cyber Threats

To rephrase the ominous premonition of the Stark family, “The winter sales are coming!”

Perhaps you’re the type of person who gathers all the ads on Thanksgiving morning, planning how your family can synchronously hit three different stores to reap all their door-buster deals. Maybe you’re that guy who scours the Internet for early leaked copies of Monday’s sales, programming your scripts to ensure you’re the first to click buy. Or perchance—like me—you’d rather sleep in with a full belly and let others battle it out. Whichever profile fits you, Black Friday and Cyber Monday are coming, launching us into the busiest shopping season of the year… and bringing the cyber criminals scurrying out of the cracks in droves.

Criminal hackers follow the money. They track big trends and know when the biggest shopping seasons occur. Plus, like all good social engineers, they’re masters of human psychology, preying on our behavioral weaknesses to get what they want. You can bet criminal hackers are just as excited about the holiday sales season as the discount-seeking shoppers. For that reason, it’s important you enter this period with a little awareness and your eyes wide open. To help with the former, here are the top five cyber threats to watch out for during the shopping season:

  1. Seasonal email phishing scams – Attackers know you have your eye out for emails containing the latest sales and discounts and that you may have packages in transit from recent purchases. This makes it a great time for them to leverage some seasonal phishing scams to try and lure you to malicious sites or malware. Some of the most common malicious emails during the holidays are fake UPS, FedEx, or DHL messages claiming a delivery failed, bogus flight notices, and even phony secret Santa messages. All of these seasonal scams prey on common trends for the season, such as holiday vacations and trips, and people ordering more stuff online. To give you a specific example, right now a nasty new ransomware variant called Cryptolocker is spreading using the fake FedEx or UPS trick, and has cost many victims a lot of money. Avoid clicking links and attachments in unsolicited emails.
  2. Fake product giveaways – Every year the holiday shopping bonanza brings us at least one or two “must-have” items for the holiday season, whether they be Tickle-Me Elmo dolls or the latest gaming console. Cyber criminals always seem to recognize these popular consumer items early, and use them to lure unsuspecting victims to their trap. This year, two such items are the latest video game consoles—the PlayStation 4 and Xbox One. We’ve already seen phishers trying to steal personal information from victims by tricking them into filling out details to win one of these next-generation consoles. While some of these giveaways might be legit, you should be careful where you share your information, and what type of information you’re willing to give up.
  3. Dastardly Digital Downloads – During any special event or holiday, malicious hackers often pull out old reliable tricks of the trade. One such trick is the free screensaver, ringtone, or e-card offer. The attackers can easily theme their free download offers from whatever holiday or pop culture event they want, be it Thanksgiving, Christmas, or whatnot. If it sounds too good to be free, it probably is. As always, be careful what you download.
  4. Fraudulent e-commerce sites – The bad guys are great at faking web sites. They can fake your banking site, your favorite social network, and even online shopping sites that have suspiciously good deals for that one hot ticket item you’re looking for during the upcoming sales.  Of course, if they can lure you to their replica sites, they can leverage your trust in them to steal your personal information, swipe your credit card number, or force you into a drive-by download malware infection. Pay close attention to the domain names you visit, and vet your online retailers before ordering from them.
  5. Booby-trapped Ads and Blackhat SEO – Bad guys are always looking for new ways to attract you to their fake or malicious web sites. Phishing emails, instant messages, and social network posts with appealing links work, but they always experiment with new lures. Two popular new techniques are malicious online advertisements and evil search engine optimization (SEO) tricks. By either buying online ad space, or hacking online ad systems, hackers can inject fake advertisements into legitimate web sites, which redirect back to malicious sites. They can also leverage various SEO tricks to get their web sites to show up in the top results for popular searches. Are you searching for Lululemon yoga pants sales for your girlfriend this holiday? If criminals think that’s a popular gift, they can poison search results and hijack ads to use your interest against you. As you consider clicking ad links or following search results, be aware of the domains and URLs you click on.

The top five threats above all have consumers in mind, but let me share one last holiday cyber threat that merchants need too look out for; Distributed Denial of Service (DDoS) attacks. Cyber criminals realize the holidays are a very important seasons for online retailers—especially days like Cyber Monday. They know that even an hour of downtime can translate into millions in lost sales for big retailers, and they want to steal a piece of your pie. Expect to see some DDoS attacks targeting online store during the holidays, followed by extortion letters asking for money to stop the attack.

One of the best defenses to cyber attacks is a bit of awareness and vigilance. Now that you know what types of threats and scams to expect this holiday season, you can look out for them, and avoid becoming a patsy. While I shared a few security tips already, let me summarize a few other steps you can take to make your holidays hacker free.

  • Patch your software – If you let Microsoft, Apple, and Adobe (and other products) automatic software updates patch your machine regularly, you will remain safe from most cyber criminal’s technical attacks.
  • Don’t click on unsolicited links or attachments – Enough said.
  • Look for the padlock while shopping online – Though it’s no a guarantee you’re on the right site, do not share your personal or financial info with an online retailer unless you see a green padlock in your web browsers URL dialog (the icon’s appearance may differ slightly depending on your browser).
  • Use password best practices on shopping sites – You should use different, strong (i.e. long) passwords on every site you visit. If you are not familiar with password security, this post has some good advice.
  • Vet online merchants before clicking buy – A little online research can go a long way. Do Internet searches on a merchant before buying from them, paying close attention to customer reviews. When people get scammed they tend to share, so a little research can help you identify fakes retailers.

The holidays should be about family and fun. Keep your eye out for these five top threats and follow my basic security tips and you’ll surely enjoy a happy holiday season, and hopefully nab a cool treat for you and your family during this shopping season. — Corey Nachreiner, CISSP (@SecAdept)

How Good Visibility Can Help Guide Security Policy

You can’t protect what you don’t know needs to be protected.

This may sound painfully obvious, but based on recent research, information security professionals don’t have nearly enough visibility into the information they are tasked with securing. We know this because we worked directly with Frost & Sullivan researchers to determine the level of insight security professionals have into their data systems.

I recently did a webinar with Frost & Sullivan Principal Consultant Jarad Carleton, during which he shared some of this research. I also demonstrated WatchGuard’s new visibility solution, and showed how you might use it to recognize important events in your network, such as a Cryptolocker infection. You can view the full webinar now to get the details on just how important visibility is to defending your data.

[youtube http://www.youtube.com/watch?v=uDz1Sl64_xY]

(Webinar runtime: 50:26)

Direct YouTube Link: http://www.youtube.com/watch?v=uDz1Sl64_xY

We invite you to watch the recorded webinar now and learn how greater network visibility will enable you to protect your users and your data better. And, if you’re ready to try out WatchGuard Dimension, let us know now. — Corey Nachreiner, CISSP (@SecAdept)

BGP Man in the Middle Attacks – WSWiR Episode 86

Stuxnet Update, I2P Botnet, and BGP Hacking

Do you have too much to do to follow information security news? Or maybe you feel overwhelmed by so much security news (I sure do) that you don’t know which news is most important. In either case, I’m here to summarize the important stuff for you in my weekly Infosec summary video.

Today’s show talks about a sneaky new botnet and its C&C channel, the latest Stuxnet research, a few important credential breaches, and an Internet-wide man-in-the-middle (MitM) attack that leveraged BGP issues. Watch the episode below for all the details… and if you are hungry for more security news, be sure to check out the other stories in the Reference section.

Show note: We will be skipping next week’s episode due to the US holiday weekend. Have a great Thanksgiving, and don’t get trampled on Black Friday!

(Episode Runtime: 9:40)

Direct YouTube Link: http://www.youtube.com/watch?v=hKegyeVs0cQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

APT Exploits IE 0day – WSWiR Episode 85

Forum Hijacks, Singapore Hacking, and IE 0day

Happy Friday, everyone! The weekend is hours away; but before running off to finish of the last of your work week tasks, why not sit down with a hot cup of joe and catch up on what happened in security news this week?

In this episode, I talk about security patches for Microsoft, Adobe, and OpenSSH, cover some interesting web site hijacks, warn you of a new APT attack that leverages an IE zero day flaw, and mention an interesting hacking arrest in Singapore. Click the big red YouTube play button to learn more, and don’t forget to peek at the Reference section for links to other InfoSec news from the week.

Have fun this weekend!

[youtube http://www.youtube.com/watch?v=VU_7KkQY1m4]

(Episode Runtime: 8:52)

Direct YouTube Link: http://www.youtube.com/watch?v=VU_7KkQY1m4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Zero Day ColdFusion Patch & Flash Update

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or into visiting specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash Player and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: November 2013

  • APSB13-26: Four Flash Player Memory Corruption Flaws

Adobe Flash Player displays interactive, animated web content called Flash. Many users install Flash, so it’s likely present on many of your Windows and Mac computers.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities in Flash Player running on all platforms. Though the flaws presumably differ technically, they share the same scope and impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigned these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux machines.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities, which Adobe does not describe in much technical detail; a reflected cross site scripting (XSS) vulnerability (CVE-2013-5326), and an unauthorized remote read access flaw  (CVE-2013-5328).  Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. Presumably, if an attacker could trick someone in clicking a specially crafted link, he could leverage the XSS flaw to do anything on your web site that the user could. We also assume an attacker could exploit the remote read flaw to potentially gain access to files on your server, such as its web application source code. In any case, they rate the vulnerabilities as Priority 1 issues for version 10, which is their high severity rating.

As an aside, Adobe’s own network was recently breached via a zero day flaw in ColdFusion. Adobe claims these ColdFusion issues are not associated with their network breach. However, the discoverer of one of the issues, Alex Holden, was actually one of the researchers who uncovered Adobe’s data breach, and he claims one of the flaws has been used by attackers this year to break into other companies. In other words, you should apply these updates immediately if you use ColdFusion

Adobe Priority Rating: 1 for version 10 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Shockwave via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe  has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Office Updates Mend Word and Outlook Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word and Outlook
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents or email
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix four vulnerabilities in Word and Outlook. We summarize the bulletins below, in order from highest to lowest severity.

  • MS13-091: Multiple Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three memory corruption vulnerabilities having to do with how it handles malformed Word and WordPerfect files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Word or WordPerfect document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Word except for Word for Mac.

Microsoft rating: Important

  • MS13-094:  Outlook S/MIME Information Disclosure Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from an information disclosure vulnerability involving the way it handles specially crafted S/MIME certificates. By convincing one of your users to open or preview a malicious email with a specially crafted S/MIME certification, an attacker could exploit this flaw to learn a bit about the victim system, including its IP address and the ports it listens on. However, the attacker could not leverage the flaw to compromise the victim system.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

One of Windows’ Five Updates Fixes a Zero Day Flaw

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into opening malicious files
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-090ActivX Control Code Execution Vulnerability

ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are kind of like Microsoft-only Java applets. Many Microsoft products, including Windows, ship with many different ActiveX controls for performing various tasks.

Unfortunately, a particular Windows ActiveX control (InformationCardSigninHelper) that Internet Explorer (IE) uses suffers from a remote code execution vulnerability. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Researchers first discovered attackers exploiting this flaw in the wild. They’re currently exploiting it in advanced, targeted attacks. For that reason, we recommend you apply this patch as quickly as you can.

Microsoft rating: Critical

  • MS13-089:  GDI Integer Overflow Vulnerability

The Graphics Device Interface (GDI) is one of the Windows components that helps applications output graphics to your display or printer. GDI suffers from an integer overflow vulnerability involving its inability to properly handle specially malformed Windows Write (.wri) files. By luring one of your users into opening a Write file in WordPad, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS13-092: Hyper-V Elevation of Privilege Vulnerability

Hyper-V is Microsoft’s virtualization platform, which ships with the latest versions of Windows Server. It suffers from an elevation of privilege vulnerability having to do with how it handles specially crafted hypercalls. If an attacker has administrative privileges on a guest virtual machine (VM) running on your Windows Hyper-V server, she can exploit this flaw to either crash the Hyper-V host and all your VMs, or to execute arbitrary code on one of the other guest VMs running on the same physical server. This flaw only affects Windows 8 x64 Edition and Windows Server 2012.

Microsoft rating: Important

  • MS13-093:  AFD Information Disclosure Flaw

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a vulnerability involving the data it copies from kernel memory to user memory. In a nutshell, if a local attacker can log into one of your Windows computers and run a custom program, he could leverage this flaw to gain access to information in kernel space that he shouldn’t have access to. However, the attacker would need valid credentials on the target system, and could not leverage the flaw to elevate his privileges. This flaw only poses a minor risk.

Microsoft rating: Important

  • MS13-095:  Digital Signature Handling DoS Flaw

Windows ships with various components that allow it to handle the digital certificates and signatures used to establish secure communications. Unfortunately, Windows does not properly handle malformed X.509 certificates. By sending a specially crafted X.509 certificate to a Windows web server, an attacker could can a denial of service (DoS) condition, preventing the web server from responding future requests.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .wri files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Latest IE Update Remedies Ten More Vulnerabilities

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows (except for IE 11 on Windows 7)
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes ten new vulnerabilities that affect all current versions of Internet Explorer (IE) running on all current versions of Windows (except for IE 11 running on Windows 7 and 2008). Microsoft rates the aggregate severity of these new flaws as Critical.

The ten vulnerabilities differ technically, but  the eight most serious ones share the same general scope and impact, and involve various memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The remaining two vulnerabilities are Information Disclosure issues.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s November IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Make sure to use our security services, and keep they’re signatures up to date. Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Updates Correct One of Two Zero day

Today’s the second Tuesday of the month, which means it’s Microsoft (and Adobe) Patch Day. One of Microsoft updates fixes a zero day vulnerability, so we recommend you install at least that one as quickly as possible.

According to their summary post for November 2013, Microsoft released eight security bulletins today, fixing 18 security flaws in products like Internet Explorer (IE), Windows, Office products, and Hyper-V. They rate three of the bulletins as Critical.

The most critical update is the ActiveX one, since it fixes a zero day flaw. A few days ago, researchers at FireEye reported that advanced attackers were exploiting a previously unknown IE flaw in targeted attacks. Microsoft quickly confirmed the flaw was due to a particular ActiveX control, and promised to fix it today. Since attackers are exploiting this particular ActiveX control in the wild, you should apply the ActiveX “killbit” patch first. The IE and GDI updates also fix some pretty serious issues, so I would apply those patches quickly as well.

For those wondering, Microsoft hasn’t yet released a patch for the previously reported zero day TIFF vulnerability. If you haven’t installed the FixIt I recommended last week, be sure to do that too.

In a nutshell, check out Microsoft’s summary and try to install all the updates at your earliest convenience. Microsoft’s Auto Update can make the process easier, but I still recommend you test server-related updates before applying them.

I’ll post more detailed alerts about Microsoft updates throughout the day, so stay tuned. As an aside, it’s also Adobe patch day. I’ll eventually post an alert for that too, but you can get a preview here.  — Corey Nachreiner, CISSP (@SecAdept)

Bitcoin Weakness & Hack – WSWiR Episode 84

Microsoft Zero Day, PCI-DSS Update, and Bitcoin Attacks

Ingest this week’s biggest security news in one, easy to watch video with WatchGuard Security Week in Review. I consolidate the latest Infosec news in one place, so you don’t have to. 

Today’s episode covers the week’s security-related software updates, a zero day flaw in Windows and Office, the latest update to PCI-DSS, and some security problems with Bitcoin. Watch the video for the details, and check out the Reference section for a whole bunch of other interesting stories.

Thanks for watching, and have a great weekend!

(Episode Runtime: 9:28)

Direct YouTube Link: http://www.youtube.com/watch?v=l-yxD12gSbY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

%d bloggers like this: