Feed aggregator

Government Demands for Verizon Customer Data Drop

Threatpost for B2B - Thu, 01/15/2015 - 09:15
The number of subpoenas, total orders and warrants that the United States government delivered to Verizon all dropped in the second half of 2014, according to the company’s latest transparency report. The giant telecom provider released data on Thursday that showed a decrease in subpoenas of about 10 percent from the first half of last […]

Microsoft Security Updates January 2015

Secure List feed for B2B - Wed, 01/14/2015 - 19:34

Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set included one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" patches for elevation of privilege, DoS, and security bypass issues.

The critical Bulletin effects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system, mostly available on router installations. Only it's over unencrypted, plain text communications, and should not be used. It was also a bit of a bear to configure and make useful, but may have been useful in development and IT environments. Luckily, this service is not enabled by default on supported windows systems (but it is installed by default on Windows Server 2003). A quick search in shodan shows a pretty reduced set of users, and its presence in our Ksn data is very limited. And, on the public internet, the number of Windows telnet servers listening on port 23 and providing a related banner is only a couple hundred. So, this patch effects very few customers.

But, if someone didn't install an alternative like OpenSSH, uses the PowerShell facility, WinSCP, RDP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. Meaning it's a severe issue that really "shouldn't" effect many users. And it appears to not be exploited on our user base. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003. And on a somewhat related note, Ksn shows infected Tlntsess.exe files on new customer systems running a first scan or enabling a scan after running infected code:
Virus.Win32.Virut.ce
Worm.Win32.Mabezat.b
Virus.Win32.Sality.gen
Virus.Win32.Parite.b
Virus.Win32.Nimnul.a
Virus.Win32.Tenga.a
Virus.Win32.Expiro.w
Virus.Win32.Slugin.a

It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.

The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of target attack activity.

One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero two days prior to the scheduled and known patch release. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS015-003 on its scheduled "patch tuesday" release, two days after Google exposed their bug issue publicly. It's strange that Google would do such a thing, it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.

The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.

And one last note, the Advanced Notification Service is coming to an end. Microsoft ended their practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premiere-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200mb of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.

Skeleton Key Malware Opens Door to Espionage

Threatpost for B2B - Wed, 01/14/2015 - 16:00
The Skeleton Key malware bypasses single-factor authentication on Active Directory domain controllers and paves the way to stealthy cyberespionage.

Phony Oracle Patches Making the Rounds

Threatpost for B2B - Wed, 01/14/2015 - 11:42
Attackers are circulating fake fixes for Oracle error messages and the company is warning users not to download any patches that don’t come directly from Oracle.

New Strain of Crowti Ransomware Moving in I2P Network

Threatpost for B2B - Wed, 01/14/2015 - 11:35
A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, is moving on the I2P anonymity network.

NSA Official: Support for Compromised Dual EC Algorithm Was ‘Regrettable’

Threatpost for B2B - Wed, 01/14/2015 - 11:29
In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice. Michael Wertheimer, the director of researcher at the National […]

GE Ethernet Switches Have Hard-Coded SSL Key

Threatpost for B2B - Wed, 01/14/2015 - 09:24
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink […]

Microsoft Patches Vulnerability Under Attack and Google-Disclosed Zero Day

Threatpost for B2B - Tue, 01/13/2015 - 14:41
Microsoft issued eight Patch Tuesday security bulletins, including a fix for a vulnerability disclosed by Google and another under active attack.

Report: DHS Not Addressing Cyber Threats to Building Access Control Systems

Threatpost for B2B - Tue, 01/13/2015 - 14:00
The Department of Homeland Security is doing an inadequate job assessing and addressing the risk posed by cyber threats to access control systems at federal facilities.

Adobe Patches Nine Vulnerabilities in Flash

Threatpost for B2B - Tue, 01/13/2015 - 13:45
Adobe patched Flash Player , addressing nine vulnerabilities in the software including critical bugs that could allow an attacker to take control of an affected system.

Gitrob Combs Github Repositories for Secret Company Data

Threatpost for B2B - Tue, 01/13/2015 - 12:55
Gitrob, an open source intelligence tool, helps security analysts search Github organization repositories for files not meant for public consumption.

Encryption is Not the Enemy

Threatpost for B2B - Tue, 01/13/2015 - 11:30
David Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can't allow any form of communication that can't be read.

How a $10 USB Charger Can Record Your Keystrokes Over the Air

Threatpost for B2B - Tue, 01/13/2015 - 07:03
Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards.

President Proposes National Breach Notification Standard

Threatpost for B2B - Mon, 01/12/2015 - 13:55
President Obama today announced plans to propose a national data breach notification standard, a consumer privacy bill of rights, and privacy protection for students using electronic learning materials.

Microsoft Censures Google For Publishing Windows Vulnerability

Threatpost for B2B - Mon, 01/12/2015 - 13:46
Microsoft called Google out over the weekend for publicly disclosing the details of a Windows privilege elevation vulnerability just a week before the company's patch Tuesday release.
Syndicate content