
Dimension’s User Anonymization makes Data Protection Easy

Data privacy and protection is a BIG deal, and many countries are setting new regulatory standards for how to move, store, view, and report on data containing users’ personally identifiable information, or PII.

The European Union (EU) in particular is setting precedents with some of the most stringent data and privacy protection controls in the world. In April 2016, the EU Parliament officially adopted the General Data Protection Regulation framework, or GDPR, scheduled for full enforcement in two years. Obligations coming as part of the GDPR are significant, and accountability – especially regarding a business’s workforce – is an important component of compliance. Malicious insider activities are a major source of data abuse and breaches. “Encrypt everything” is a great start, but it’s just a band-aid solution for meeting compliance obligations.

Among a new set of requirements, EU businesses will be required to demonstrate compliance with GDPR measures that include:

  • Appointing a Data Protection Officer, or DPO
  • Ensuring the pseudonymization of personal data – PII is anonymized to the extent that it cannot be attributable to its owner during any stage of processing.

WatchGuard’s Dimension™ visibility platform delivers a new User Anonymization feature that takes an organization’s ability to comply with the GDPR framework to the next level. The feature works very simply, is easily accessible and configurable, and was designed with GDPR compliance and the reality of insider threats in mind.

The best way to understand the new feature is to look at the screenshot below:


When enabled, User Anonymization works by dynamically replacing all PII – user names, IP addresses, host names, and mobile devices – in Dimension’s reports, dashboards, and summary pages with hashed placeholder text.

The Anonymization Officer, a new role available in Dimension to support GDPR compliance, was inspired by the Data Protection Officer (DPO) role introduced in the GDPR framework. The Anonymization Officer role was created in such a way that a technical or non-technical person can hold it, and it fulfills the “four-eyes” or two-logins approach to role-based access. For example, when an IT admin needs to de-anonymize Dimension, the admin would need approval from the Anonymization Officer. This avoids situations where a single person holds all the access to PII without any accountability or external verification.
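As an added example (not WatchGuard’s code), here is how the two mechanisms described above fit together: keyed-hash placeholders for the PII fields of log records, and a de-anonymization step that needs both an admin and the Anonymization Officer. The field names, record layout, role names and key are assumptions made for illustration; Dimension’s own schema is not shown in the post.

```python
import hashlib
import hmac

# Maps a PII field in a log record to the prefix of its placeholder. The field
# names are constructed for this example; Dimension's own schema is not shown
# in the post.
PII_FIELDS = {"user": "user", "src_ip": "ip", "hostname": "host", "device": "dev"}


class Pseudonymizer:
    """Replace PII values with stable keyed-hash placeholders.

    HMAC with a secret key is used instead of a plain hash: the domain of IPv4
    addresses or short user names is small enough that an unkeyed hash can be
    matched against a precomputed table, which would undo the anonymization.
    The same input always yields the same placeholder, so per-user and per-host
    aggregation in reports still works on the anonymized data.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._mapping = {}  # placeholder -> original; kept out of the reports

    def placeholder(self, field: str, value: str) -> str:
        msg = f"{field}:{value}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:12]
        return f"{PII_FIELDS[field]}-{tag}"

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in PII_FIELDS:
            if field in out:
                ph = self.placeholder(field, out[field])
                self._mapping[ph] = out[field]
                out[field] = ph
        return out

    def reveal(self, placeholder: str, approvals: set) -> str:
        """Four-eyes gate: an admin alone cannot de-anonymize a record; the
        Anonymization Officer has to approve as well."""
        if not {"admin", "anonymization_officer"} <= approvals:
            raise PermissionError("needs approval from both admin and officer")
        return self._mapping[placeholder]


# Constructed sample records, not real Firebox log data.
SAMPLE_RECORDS = [
    {"ts": "2016-06-01T10:00:00Z", "user": "alice", "src_ip": "10.1.2.3",
     "hostname": "alice-pc", "action": "allow"},
    {"ts": "2016-06-01T10:00:05Z", "user": "alice", "src_ip": "10.1.2.3",
     "hostname": "alice-pc", "action": "deny"},
    {"ts": "2016-06-01T10:01:00Z", "user": "bob", "src_ip": "10.1.2.4",
     "hostname": "bob-laptop", "action": "allow"},
]


def anonymize_report(records, key=b"constructed-demo-key-rotate-me"):
    """Return the pseudonymizer (holding the mapping) and the anonymized rows."""
    p = Pseudonymizer(key)
    return p, [p.pseudonymize(r) for r in records]


if __name__ == "__main__":
    p, report = anonymize_report(SAMPLE_RECORDS)
    for row in report:
        print(row)
    # De-anonymizing one row requires both roles to sign off.
    print(p.reveal(report[0]["user"], {"admin", "anonymization_officer"}))
```

Rotating the key changes every placeholder, so anonymized reports produced under different keys cannot be joined; that is the intended trade-off.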

Does your current solution provide such a comprehensive yet simple approach to data privacy protection? To find out more about WatchGuard’s solution, check out our User Anonymization Tech Brief. Also feel free to check out our Dimension demos – one with Anonymized Mode off and the other with it enabled. (They share the same login credentials.)

Note: WatchGuard Dimension is included at no charge with all Firebox and XTMv models.

WatchGuard Product Releases

WatchGuard recently announced the General Availability of major new releases of both the Fireware operating system and WatchGuard Dimension, both of which are now available to download at the software center. These releases provide increased visibility across the entire network for distributed enterprises and small and midsize businesses (SMBs). I was in Europe last week at a number of WatchGuard events and I heard a lot of positive reaction firsthand. Many partners and end users are already quite familiar with the new capabilities because we conducted extensive beta testing for these new releases over the last two months. The Beta participation numbers are impressive:

  • 640 users logged into our Beta portal from 45 different countries
  • Over 220 unique pieces of feedback were submitted, including bugs and suggestions for product improvement
  • 176 users filled out a survey sharing their thoughts on the Beta and the new software

So what is everyone excited about? Key highlights in the new releases are:

Fireware 11.11:

  • Network Discovery: a subscription service that generates a visual map of every connected device, providing Firebox administrators total visibility into all assets on their network. Included in all UTM Security Suites on Firebox and XTMv models.
  • Botnet Detection: integrated into the Reputation Enabled Defense service. Customers gain real-time visibility into infected clients, and command and control communication is immediately blocked. This feature is available on all XTM and Firebox appliances for any customer with a license for Reputation Enabled Defense (which is included in the UTM security suite).
  • Mobile Security: allows Firebox administrators to enforce access controls and only allow mobile devices that adhere to current corporate policies and are free of malware. Available as an optional subscription service on all Firebox and XTMv models.

Dimension 2.1:

  • Subscription Services Dashboard: a reporting interface that gives businesses a comprehensive performance summary with statistics to show what has been scanned by a Firebox and attacks or malware that have been prevented.
  • Policy Usage Report: a new report that provides valuable insight into how frequently policies are used, thereby enabling IT teams to keep firewall policies current and eliminate unnecessary or unused policies.
  • User Anonymization: an innovative feature that enables businesses to conform to data privacy regulations, such as the European Union’s General Data Protection Regulation framework.

There are hundreds more features than we can cover in a short blog post. Check out the What’s new in Fireware 11.11 and What’s new in Dimension 2.1 presentations to find out full details, including screenshots. Also, watch for more posts on this blog over the next few weeks that go into depth on some of these features.


Data from LinkedIn breach used in targeted e-mail attack

Recently Corey Nachreiner discussed the LinkedIn breach in a Daily Security Byte. CERT-Bund, the federal computer emergency response team of Germany, has now published a warning about targeted e-mails with attached malicious Word documents (a faked invoice including Trojan code). The e-mails are personalized using the real name and position of the recipient and exactly match information on LinkedIn public profiles, which leads to an assumed connection to the data breach.

Not opening attachments from unknown senders is good general advice, but as the e-mails are targeted and well written this warning is likely not enough. Having a multi-layered gateway security system like WatchGuard Firebox, allowing in-depth scanning of incoming e-mail with AntiSpam, Gateway AntiVirus and sandbox-based analysis using APT Blocker, will further reduce the risk. In addition, Fireware Version 11.11 supports blocking Word documents with macro code – another helpful option with regard to this targeted e-mail attack.

— Jonas Spieckermann



Blackhat Search Engine Optimization (SEO) Injection

Today my boss couldn’t get to a website. Turns out, our WebBlocker service classified it as a Compromised Website. Great! Our WatchGuard Firebox was doing a good job. However, my boss knew the site, and the people behind it, so he wanted to know what was wrong with it.

A quick check on our Security Portal confirmed the classification, and provided the reason: Injection.Black_SEO.Web.RTSS.

I’ve seen this before, so I knew what to expect. I created a WebBlocker exception for myself, allowing me to get to the site for a little research. It didn’t take too much time to find what I was looking for:


Viewing the HTML source code on the site’s home page, I quickly found some additional code that the site owners probably aren’t aware of. The injected code is designed to “invisibly” open certain links without visually displaying much to a visitor. The goal of this type of attack is to falsely improve these links’ search engine results, since every user visiting this site will unknowingly open these injected links as well. This attack technique is sometimes called blackhat search engine optimization (SEO).

While this is a relatively harmless example of HTML injection (since it’s not trying to execute code on a victim’s computer), the presence of the unwanted code certainly means that someone has unauthorized access to this site. Unfortunately, until the site owners clean up this injected code, WebBlocker will continue to prevent users from visiting it. You could create an exception to allow the site, but I don’t recommend it. While the attackers have only exploited this site for SEO injection today, tomorrow they could use it to redirect visitors to a drive-by download, maybe even leveraging underground toolkits like the Angler Exploit Kit.

Without knowing exactly how the attackers injected this code, I can’t give webmasters specific secure development tips (other than visit for general web development best practices). However, I can share one universal tip. Don’t consider your web site “build and forget.” You need to at least control access to your site’s code, and regularly monitor it for code changes so you can identify this sort of malicious injection quickly.

Rob Collins
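One way to do the monitoring the post recommends, as an added example that is not part of the original post: a defender-side check that flags links and frames a visitor cannot see, which is the pattern the injected code used. It relies on the standard library only, evaluates inline styles only (external stylesheets are not parsed), and the sample page and its `.test` hosts are constructed, not the site from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an element invisible to a visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:height|width)\s*:\s*0(?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}px|font-size\s*:\s*0",
    re.I,
)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source"}


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> and <iframe src> targets that a visitor cannot see.

    Heuristic and inline-style only, so it is a triage aid for monitoring your
    own pages for injected markup, not a complete scanner.
    """

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self._open = []        # stack of (tag, hides_children)
        self.findings = []     # (tag, url, "external" | "internal")

    def _in_hidden_region(self):
        return any(hidden for _, hidden in self._open)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style)) or "hidden" in a
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            hidden = True  # zero- or one-pixel frames are invisible in practice
        url = a.get("href") if tag == "a" else a.get("src") if tag == "iframe" else None
        if url and (hidden or self._in_hidden_region()):
            host = urlparse(url).hostname
            reason = "external" if host and host != self.site_host else "internal"
            self.findings.append((tag, url, reason))
        if tag not in VOID_TAGS:
            self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def find_hidden_links(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one normal link plus an injected off-screen block.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our shop.</p>
<a href="https://example-shop.test/about">About us</a>
<div style="position:absolute; left:-9999px;">
  <a href="http://spam-seo.test/pills">cheap pills</a>
  <a href="https://example-shop.test/sale">sale</a>
</div>
<iframe src="http://spam-seo.test/counter" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reason in find_hidden_links(SAMPLE_HTML, "example-shop.test"):
        print(f"{reason:8} {tag:6} {url}")
```

Run it against a known-good copy of each page first and diff the findings over time; a hidden link to a host you do not own appearing between runs is the signal to investigate.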

Locky Vigilante

Recently, while working with LastLine (our APT Blocker provider) on what I thought was a low score for a ransomware file, I uncovered something unusual. A lot of ransomware is currently being sent as a JavaScript (.js) attachment in emails. JavaScript on its own is relatively harmless, but it can be used to download and run more harmful files. In this instance, the JavaScript indeed downloaded an executable file from a compromised WordPress site (hxxp://), which obviously seemed suspicious, and led me to believe that it was a malicious file. However, our advanced threat prevention system only gave the file a score of 0/100, suggesting it was benign. What was going on?

Initially, I thought our system had missed a threat. It turns out that, despite being called “89h766b.exe”, it was in fact a harmless text file containing the text “STUPID LOCKY”.

Stupid Locky

So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the command and control infrastructure attackers use to deliver their malicious executables. It looks like this vigilante replaced the harmful ransomware file with an innocuous text file, thus preventing the evil email campaign from working. While we thank the vigilante for their efforts, we recommend customers do not allow emails with .js attachments and use APT Blocker.

Rob Collins

Short-Lived Crypto-Ransomware

Last week, researchers found a new crypto-ransomware variant that gave its encrypted files a .locked extension, which seems similar to the Locky ransomware. For a short time, this caused some to assume that this was a new Locky variant, and for reasons I’ll get to later, it gave them hope that we might be able to decrypt Locky files. Since I recently shared my own experiences with Locky, and how well WatchGuard appliances stop it, I was interested in this new variant and wanted to dispel any false impressions.

Unfortunately, those hopeful people’s first impressions proved wrong. This new sample is not connected to Locky. Nevertheless, it’s a great illustration that not every piece of ransomware succeeds. This sample didn’t survive long enough to get a widely known name, although it infected around 700 victims in one day.

Like other crypto-ransomware, this sample encodes files using AES encryption and, as I mentioned before, adds the .locked extension, which is likely why people confused it with Locky. However, remember that Locky uses the .locky extension, not .locked.

Ransomware Letter

An example of this sample’s ransom note.

So why were people hopeful that we might decrypt Locky files? A few hours after the first infections, a person named Utku Sen published the decryption keys for the affected victims. How was this possible?

It turns out Sen is a researcher who developed a proof-of-concept (PoC) file-encryption project called EDA2. This new ransomware’s authors used code from the EDA2 project to encrypt their victims’ files. Fortunately for the victims, Sen built a backdoor into EDA2 to keep malicious actors from abusing his encryption project for nefarious purposes. He simply used his backdoor to provide the decryption keys to all the victims. A few hours later, the Command & Control (C&C) servers for this crypto-ransomware disappeared, probably because the attackers accepted their defeat.

Ransomware isn’t always devastating. In this case, quick help was made available to recover the victims’ files. However, not all cases are this easy. Other variants like Locky, Cryptowall, and newer TeslaCrypt variants use well-crafted encryption mechanisms, which are nearly impossible to crack on today’s computers in a reasonable amount of time. This is why you should keep your shields up, and use a combination of security services that offer layered protection against today’s ever-evolving threats.

Additionally, I highly recommend you create regular backups of your data, and keep them in a safe and unconnected place. That way you can still restore your important data in the worst case. One note: you may also want to back up any files that have already been encrypted by ransomware. There’s no guarantee, but we have seen decryption tools for other crypto-malware variants published months after the first infections (e.g. TeslaCrypt 2). — Jonas Spieckermann

Locky – New Crypto Ransomware in the Wild

Last week, a new ransomware variant called Locky began spreading in the wild.

Locky encrypts data on an infected system using AES encryption, and then leaves a blackmail letter (which is localized in several languages) asking for half a bitcoin to get your data back. More disturbingly, it also searches for any network share (not just mapped shares), and encrypts data on those remote shares as well. If you leverage cloud storage solutions, your backup may get affected as well when it synchronizes the encrypted files. Currently, researchers have not found a way to decrypt files Locky has locked.


Locky ransom warning

Figure 1: Example of Locky’s ransom warning.

Kevin Beaumont, one of the security researchers studying this ransomware, managed to intercept some of the domains Locky uses for its Command & Control (C&C) channel. This allowed him to estimate infection rates, and he found Locky seems to infect over 100,000 victims per day. Infection rates varied by country, led by Germany with around 5000 new infections per hour at its peak.

In most cases, Locky arrives in an email that includes an Office document with a malicious macro. If you open the document, it tries to infect you with the ransomware. Other variants sometimes arrive as a .zip file, which contains some malicious JavaScript. The emails are mainly fake invoices.

Last Thursday, I personally received a variant of Locky in an attachment called “Rechnung-263-0779.xls” (“Rechnung” is German for “invoice”) in a spam inbox. I decided to use this file to analyze all the ways WatchGuard’s unified threat management (UTM) appliances could stop this brand new ransomware.

To start, I uploaded the infected file to VirusTotal to see which antivirus (AV) vendors had a signature available. As the email had already been in my inbox for over 24 hours, 26 out of 55 AV scanners were able to detect it. AVG—the AV engine WatchGuard uses for Gateway AntiVirus (GAV)—was on that list. So right away, WatchGuard’s GAV service can block this particular variant from reaching our customers.

VirusTotal Results

Figure 2: VirusTotal results for my Locky variant

Nowadays, malware changes and evolves quickly, which is why signature-based AV often can’t keep up with the latest threats. To combat this problem, WatchGuard offers another layer of protection to detect brand new, never before seen malware files. We call this solution APT Blocker. I also ran this ransomware variant through our next-gen sandbox, to see whether or not APT Blocker detected the file’s bad behavior. It did! The malicious “invoice” file received a score of 99/100, which represents a high risk. It’s particularly important to understand the added benefit of the APT Blocker solution. Even if the file used to deliver Locky changes, its behaviors won’t. That’s why this solution can catch new things signatures might miss.

APT Blocker

Figure 3: APT Blocker sandbox detects Locky


Another question came to my mind: What happens if the ransomware is already in place, or reaches the system from another source (e.g. USB drive)?

As I mentioned earlier, Kevin Beaumont managed to identify some of the domains Locky uses for its C&C connections. WebBlocker, the URL categorization service in WatchGuard Fireware, treats them as subcategories of “Security” or “Extended Protection”. If you block these categories with WebBlocker, it prevents Locky from calling home, and also helps you identify systems that have gotten infected. To verify this, I entered one of Locky’s known C&C domains into our online tool to confirm that we indeed list it as a known bot network channel.


Figure 4: WatchGuard WebBlocker recognizes Locky domain as malicious

Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.

I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware. Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.

As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox”. — Jonas Spieckermann


Dimension™ 2.0.1 Update 1 Fixes OpenSSL Flaw

Early this month, I reported a new OpenSSL vulnerability in one of my Daily Security Byte videos. At a high-level, vulnerable OpenSSL servers configured to negotiate Diffie-Hellman keys in a particular way were vulnerable to a “key recovery” attack. By sending many specially crafted connections to a vulnerable server, an attacker could exploit this flaw to recover the server’s private key, and decrypt its communications.

Many WatchGuard products weren’t vulnerable to this flaw since we don’t configure OpenSSL in the way necessary to expose the issue. However, our log collector, which is present in both WatchGuard System Manager (WSM) and Dimension™, was vulnerable to the flaw.

Dimension 2.0.1 Update 1 fixes this OpenSSL vulnerability (CVE-2016-0701). If you use Dimension™, especially if you expose its logging service publicly, you should download and install this Dimension™ update as soon as you can. Check the Release Notes for more details on what the update fixes, and how to install it.

Finally, you can learn more about this vulnerability, and how it affects our products, in the Knowledge Base article dedicated to the flaw. — Corey Nachreiner, CISSP (@SecAdept)

Rapid Setup in Remote Locations

I stopped to have a sandwich in an airport recently, and it brought a smile to my face to see a familiar WatchGuard red appliance behind the counter just below the cash register. Worldwide regulations like the Payment Card Industry Data Security Standard (PCI-DSS) have increased the demand for security appliances in even the smallest retail locations, including kiosks in shopping malls, small hotels, and franchise restaurants. Additionally, Healthcare and privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the data privacy directive in the European Union have driven the need for security. Seeing the red box, I knew that my credit card information was in good hands.

WatchGuard appliances are now running in places like dentists’ and doctors’ offices and small clinics. Although these are wildly different industry environments, one thing these locations all have in common is that they don’t have dedicated IT staff on site. Security and network configuration is provided by a Managed Security Service Provider (MSSP) or the central IT staff for the distributed enterprise, clinic group or retail chain.

At WatchGuard, our mission is to provide solutions that are easy to deploy, easy to manage, and generally accessible to companies of all sizes. To succeed in these environments, we need to provide solutions that can be set up securely without sending a technician out every time, especially for companies that are managing hundreds of locations. All of WatchGuard’s Unified Threat Management (UTM) appliances, including our new WatchGuard Firebox T30 and T50 models, include access to the company’s unique RapidDeploy feature that enables centralized IT teams to pre-configure appliances for quick and non-technical installation at distributed remote sites.

Here’s a common challenge we see. When installing a new appliance in a remote location, someone needs to unpack and set up the IT equipment. This will often be the store manager or an employee who may lack technical skills. They may have a computer at home, but no technical responsibilities in the workplace. They do not know much about IT other than how to start their laptop, browse the Internet, watch Netflix, and use Microsoft Word, etc. Therefore, no matter how clear the corporate instructions are, they still seem like a foreign language.

With RapidDeploy, the local staff just needs to plug in the Firebox’s power and Internet cables. It then establishes a connection, and pulls the appropriate configuration file from either the WatchGuard cloud or the central management server. This even works in cases where the IP address is assigned statically and not via DHCP. It also works in environments where the local site needs to connect back to the corporate management server through a third-party device with NAT implemented. Such scenarios are common in shopping malls, airports, and healthcare campuses.

Does this sound like a challenge you’ve been facing? Find out more about how WatchGuard can help, here.


iOS KeyRaider – Daily Security Byte EP.135

The bad news is a new iOS malware variant has stolen the iCloud credentials of 225,000 users. The good news is it only affects jailbroken iOS users. Watch today’s video to learn more about this new threat, and how to avoid it.

(Episode Runtime: 2:07)


— Corey Nachreiner, CISSP (@SecAdept)
