WindowSecurity.com - Monthly Newsletter - December 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

The end of 2014 is upon us, which is always a good time to look back and reflect on the year that was and the events that shaped the security landscape. In 2014 there were a variety of serious security vulnerabilities, mostly affecting open source platforms, but Microsoft was certainly affected as well. 2014 also marked the year that support for Windows XP finally ended. As always, the year included its share of data breaches too. Let's take a quick look at some of the more significant security-related stories of the last year.

--Rich

A Look Back at Security in 2014

2014 was an eventful year with regard to Windows security, and security in general. As the year started out, the major concern centered on the impending end of support for Windows XP. As you recall, many were predicting the apocalypse following the first update Tuesday after the April 2014 retirement date. I'll be the first to admit, I had serious concerns about this as well. It appears, however, that those fears haven't been realized, at least to the point where it has been a major detriment to the public at large. No doubt there will be unpatched vulnerabilities on many XP systems worldwide that will be exploited by cybercriminals, but the ever-shrinking footprint of Windows XP is helping to mitigate those concerns. I still cringe though when I walk into a doctor's office or a retailer and they are still using XP every day.

It wasn't a good year for the open source community, as two very serious vulnerabilities were discovered in 2014. The first serious vulnerability disclosed was "Heartbleed", a bug in the popular and widely deployed OpenSSL library. OpenSSL provides SSL and TLS cryptographic services for a wide variety of Linux distributions. The bug allowed an attacker to read data from memory on the server running the vulnerable code. With the popularity of open source web server platforms, a large portion of the Internet was affected. After patching, organizations were forced to re-key and reissue their SSL certificates. Many took the opportunity to also upgrade the cipher suites in their SSL configuration and choose stronger keys and signing algorithms, which posed some challenges for older clients. The dust appears to have mostly settled now, and ultimately some good may actually have come out of all of this in the form of improved awareness of SSL/TLS configuration.

Another serious security vulnerability affecting many open source platforms in 2014 was "Shellshock". This was a bug in the Bash shell, commonly included with Linux distributions. This vulnerability was potentially more serious than Heartbleed, as it affected any Linux server that used the Bash shell, as opposed to a Linux server supporting web services using OpenSSL. The attack surface was certainly much greater, although the exposure was probably more limited as fewer of these systems were exposed to untrusted networks.

Microsoft was not entirely immune from serious vulnerabilities this year. Just last month Microsoft released MS14-068, a security update that addressed a serious vulnerability in Kerberos that could allow privilege escalation. The flaw affected Windows domain controllers and allowed any authenticated user to elevate their privileges. This is a gold mine for an attacker, as it would allow them to gain full administrative privileges on the domain after successfully compromising even a single, non-privileged account.

Also, in late 2014 security researchers from Google disclosed a vulnerability in the SSL 3.0 protocol that left implementations open to man-in-the-middle attacks. Since this was a protocol vulnerability, all platforms running SSL 3.0 were affected, including Microsoft's. Microsoft and others made a strong push to disable the use of SSL 3.0, which was essentially already deprecated and existed largely for legacy client support. Microsoft published guidelines for disabling SSL 3.0, and moved quickly to disable SSL 3.0 across all of its cloud service offerings, including Office 365 and Azure.
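As an added example (my own, not from the newsletter or from Microsoft's published guidelines), the following PowerShell disables SSL 3.0 in Schannel for both the server and client roles using the Enabled and DisabledByDefault registry values that Microsoft's guidance documents, showing the state before and after. It assumes an elevated PowerShell session; Schannel only reads these values at boot, so a reboot is required, and disabling the client role will break connections to any server that still speaks only SSL 3.0.

```powershell
# Added example, not from the newsletter or from Microsoft's guidance.
# Records the current SSL 3.0 Schannel settings, then disables the protocol
# for the Server and Client roles. Run elevated; reboot for the change to apply.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    # Report Enabled / DisabledByDefault for each role; absent keys mean the OS default applies.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Role              = $role
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        } else {
            [pscustomobject]@{
                Role              = $role
                Enabled           = 'not set (OS default)'
                DisabledByDefault = 'not set (OS default)'
            }
        }
    }
}

function Disable-Ssl3 {
    # Enabled=0 turns the protocol off; DisabledByDefault=1 stops it being offered
    # even when an application does not specify a protocol list explicitly.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Write-Host 'SSL 3.0 Schannel state before:'
Get-Ssl3State | Format-Table -AutoSize

Disable-Ssl3

Write-Host 'SSL 3.0 Schannel state after (reboot required to take effect):'
Get-Ssl3State | Format-Table -AutoSize
```

After the reboot, an external scan of the server (the Qualys SSL Labs test mentioned later in this issue works well) confirms that SSL 3.0 is no longer negotiable.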

2014 had its share of serious, large-scale data breaches as well. Topping the list this year were Sony, Target, Home Depot, and JP Morgan Chase. Also hit were Kmart, Michaels, Dairy Queen, Living Social, eBay, American Express, P.F. Chang's, Jimmy John's Gourmet Sandwiches, Goodwill Industries, Bebe Stores, and probably many more, I'm sure.

Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools for providing the highest level of security and protection for network communication.

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



Microsoft Security Bulletins for December 2014

For the month of December, Microsoft released 7 security bulletins to address 24 individual CVEs. 3 of them are rated critical, and 4 are rated important. Affected software includes Windows, Office, Exchange, and Internet Explorer. For more information about December's security bulletins click here.

Microsoft Security Advisories for December 2014

Microsoft issued no new security advisories for December 2014. However, they did update security advisory 2755801, an update for vulnerabilities in Adobe Flash Player in Internet Explorer.


Security Articles of Interest

  1. The vast majority of attacks are carried out in similar fashion, often using the same techniques and tactics regardless of the target. Recently Microsoft published a high level overview of these common themes, outlining 7 precautions that can be taken to protect against attacks.
    http://blogs.microsoft.com/cybertrust/2014/11/18/precautions-protecting-v-perps/

  2. The old saying goes "Why do people rob banks? Because that's where the money is". Unsurprisingly, cybercriminals who can game the stock market can potentially make quite a bit of money. Recently the folks at FireEye disclosed information about attackers stealing sensitive information from corporations and using that inside information for financial gain on the stock market.
    http://www.reuters.com/article/2014/12/01/us-cybersecurity-wall-street-idUSKCN0JF29420141201

  3. BitLocker is a powerful tool that, when implemented and managed correctly, can greatly improve your organization's security posture. With BitLocker in place it is possible to prevent rootkits from operating, and to protect against a variety of other attacks as well. Choosing the right countermeasure for various attack scenarios can be challenging. Here, Microsoft provides essential guidance on that topic.
    http://technet.microsoft.com/library/dn632181.aspx

  4. Speaking of BitLocker, did you know that BitLocker passwords should be less than 100 characters in length? Typically BitLocker passwords are managed programmatically, but if done manually there can be issues if the password is more than 100 characters. Additional information here.
    http://social.technet.microsoft.com/wiki/contents/articles/11520.bitlocker-passwords-should-be-less-than-100-characters-in-length.aspx

  5. Microsoft is doing some interesting things with its data analytics and malware analysis telemetry. Microsoft tracks IP addresses associated with malware-infected devices in an effort to eradicate malware and to disrupt and destroy botnets. This information is also extended to its cloud service offerings to provide customers with information about logins to online services from potentially infected devices.
    http://blogs.microsoft.com/cybertrust/2014/11/26/from-the-cloud-security-alliance-congress-emea-how-ip-addresses-associated-with-malware-infected-devices-help-protect-microsoft-cloud-customers/

  6. Along those same lines, Microsoft recently issued a whitepaper that outlines how organizations are using "big data" to improve security. The report sheds light on the challenges and difficulties associated with data analytics, including cost and complexity of implementing such a solution. It also includes important highlights on the tradeoffs between security and privacy.
    http://blogs.microsoft.com/cybertrust/2014/11/19/new-report-enhancing-cybersecurity-with-big-data/

  7. IPv6 is coming, no doubt about it. As organizations begin to deploy IPv6 services and networks, security considerations for these solutions should be at the top of the list. IPv6, with its vast address space, allows for the unique addressing of all hosts, eliminating the need for NAT. Using globally unique addresses is not without some security challenges. IPv6 expert Enno Rey provides some valuable information on the security implications of using globally unique IPv6 addresses only.
    http://www.insinuator.net/2014/12/security-implications-of-using-ipv6-guas-only/

  8. The recently disclosed POODLE attack, which leverages a vulnerability in the SSL 3.0 protocol, may also affect some TLS implementations. Specifically, it appears that the TLS implementations in popular load balancing solutions from F5 and A10 Networks may be vulnerable. At this time it does not appear that the Microsoft TLS stack is exposed. The Qualys SSL Labs Server Test site has been updated to detect this vulnerability.
    http://blog.ivanristic.com/2014/12/poodle-bites-tls.html

    http://www.networkworld.com/article/2857053/the-poodle-flaw-returns-this-time-hitting-tls-security-protocol.html

WindowSecurity.com Articles of Interest

  1. Cisco ASA 5505-X Series voted WindowSecurity.com Readers' Choice Award Winner – VPN Solution
  2. Secure Sharing: Collaboration without Compromise – Part 3
  3. Windows 10 Privacy and Security Features at a Glance – Part 1

Windows Security Tip of the Month

The Microsoft BinScope Binary Analyzer is a powerful free tool used to detect potential vulnerabilities in binary files. It examines application files to identify potential vulnerabilities or attack vectors. Microsoft recently released an update for the tool, which includes improved diagnostic messages, a new minimum compiler and minimum linker version switch, increased performance, and more. The BinScope analyzer is an essential component of the Security Development Lifecycle (SDL) and should be used by anyone developing applications. You can download the latest version here.