WindowSecurity.com - Monthly Newsletter - February 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Passwords. Yes, once again we’re going to talk about passwords. I realize that anyone even remotely familiar with information security would understand the challenges we face with passwords. However, this month new information confirmed that we still don’t seem to be making any progress on making them any better! Why is that? We understand the problem, and we have solutions to mitigate some of the common challenges. I’m guessing it will take more time to bring systems and applications up to speed. Let’s hope so, because the current state of affairs is pretty sad.

--Rich

On the Perils of Passwords

Passwords are the bane of every security administrator on the face of the earth. In fact, they cause a sufficient amount of pain for ordinary users too. Clearly so, because they continually choose passwords that are, and I’m putting this nicely, “less than adequate”. Ok, many are simply atrocious, I’ll admit.

Illuminating this fact is the ongoing research that comes from data breaches where usernames and passwords are compromised and published on the public Internet. If there’s any positive outcome from these security events, it is that we get a better understanding of just how bad the state of passwords really is. In a recent article I read outlining the most common passwords, “123456” still tops the list! That really surprised me because I was sure it would simply be “password”, which sadly ranked second. Rounding out the top 5 were variations of the number sequence, including “12345678” and “qwerty”. Facepalm!

I don’t place all of the blame for poor passwords on users, however. Users are, like you and me, creatures of habit and typically tend to follow the path of least resistance. More to blame here is really the applications that accept weak passwords. I applaud those applications and sites that enforce strong password policies (but I do get upset when they won’t let me use really long complex passwords, especially on banking sites!). Obviously more has to be done here.

In addition to developers building logic into their front ends to ensure sufficient password strength (and hey, how about downloading these common password lists and blacklisting them!), we as security professionals need to evangelize and promote good password selection to anyone and everyone who will listen. Sure, complex passwords carry their own challenges, the most common complaint being that they are difficult to remember. I’ll give you that, but there are tools and services that can help overcome this challenge. There are numerous password database utilities and online services that can be leveraged. I prefer the former, but for many the online options are probably best. Using a mnemonic can be an excellent way to create long, complex, difficult to guess but easy to remember passwords. In fact, the folks over at XKCD have a particularly poignant infographic that explains password strength clearly.
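As an added illustration of the blacklisting idea above (example code, not from the newsletter), the check below rejects any password that matches a common-password list, including the usual "strengthened" variants such as a capital letter, a trailing year or simple letter-for-symbol substitutions. The list is a constructed five-entry sample; a real deployment would load a full downloaded list from disk.

```python
"""Reject passwords that appear on a published common-password list.

Added example. COMMON_PASSWORDS is a constructed sample standing in
for a complete downloaded list; MIN_LENGTH is an assumed policy value.
"""
import re

# Constructed sample drawn from the top entries the article mentions.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy; long passphrases are the goal

# Undo the most common letter-for-symbol substitutions: p@ssw0rd -> password
LEET = str.maketrans("@$0134", "asoiea")


def candidate_forms(password: str) -> set[str]:
    """Return the forms of a password to look up in the blacklist.

    Users typically 'fix' a banned word by changing case, appending digits
    or punctuation (password2015!), or swapping letters for symbols, so the
    comparison is made against those stripped forms as well as the original.
    """
    base = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", base)  # drop trailing "2015!"
    forms = {base, stripped, stripped.translate(LEET)}
    forms.discard("")  # a password made only of digits strips to nothing
    return forms


def check_password(password: str, blacklist=COMMON_PASSWORDS) -> tuple[bool, str]:
    """Return (accepted, reason). Blacklist is checked before length so the
    user learns the real problem with a choice like 'Password2015!'."""
    if candidate_forms(password) & blacklist:
        return False, "matches a common password list"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "Password2015!", "P@ssw0rd2015!!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```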

Finally, no discussion about passwords would be complete without mentioning strong, multifactor authentication. Yes, multifactor authentication is typically cumbersome. I’m personally guilty of not leveraging it everywhere it is offered. However, for the services I consider most important, I’ll take multifactor authentication options every time. Most important on this list is email. Remember, if your email is compromised, everything else is right behind it, as an attacker can simply initiate password resets for various targets they wish to obtain access to. 

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



3. Microsoft Security Bulletins for February 2015

For the month of February Microsoft released 9 security bulletins: 3 critical and 6 important. Updates for this month address vulnerabilities in all supported versions of Windows, as well as Office, Internet Explorer, and Virtual Machine Manager (VMM). Also, please note that Microsoft re-released security update MS14-083, which addressed a vulnerability in Excel that could allow remote code execution. For more information about February’s security bulletins, click here.

4. Microsoft Security Advisories for February 2015

Microsoft released one security advisory for the month of February 2015. Security advisory 3004375 outlines new capabilities for Windows command line auditing in Windows 7 and 8, along with Windows Server 2008 R2 and Windows Server 2012. The advisory provides information about expanded auditing for process creation by including the command line information passed to every process. This feature exists today in Windows 8.1 and Windows Server 2012 R2. In addition, Microsoft revised security advisory 3009008 to note that SSL 3.0 fallback attempts are being disabled by default in Internet Explorer 11.


5. Security Articles of Interest

  1. As I discussed earlier, passwords continue to be a thorn in the side of security administrators everywhere. The latest data shows that progress is slow in making passwords better, as demonstrated by the fact that passwords like “123456” and the venerable “password” continue to be the most common passwords used by many. If you’re reading this, you probably aren’t guilty. Someone you know most likely is.
    http://www.engadget.com/2015/01/20/splashdata-worst-passwords/

  2. Microsoft has proposed a framework of security norms that are designed to reduce conflict in cyberspace. The new whitepaper includes several tenets that are designed to improve the overall security of online transactions on the Internet.
    http://blogs.microsoft.com/cybertrust/2015/01/20/six-proposed-norms/

  3. Once again, the folks over at Google have, in my opinion, done a great disservice to the Internet at large by publicly disclosing vulnerabilities in the Microsoft operating system prior to a security update being made available. As I mentioned last month, this does nothing to improve the situation for anyone and only puts innocent people at risk.
    http://arstechnica.com/information-technology/2015/01/google-drops-more-windows-0-days-somethings-gotta-give/

  4. Any organization of reasonable size has likely been, or at the moment is, affected by Distributed Denial of Service (DDoS) attacks. Often the best remedy is to engage one of the popular cloud services that specialize in defending against these attacks. Ironically, the source of many DDoS attacks is these same service providers, who often provide hosting services for various attack services.
    http://krebsonsecurity.com/2015/01/spreading-the-disease-and-selling-the-cure/

  5. Another serious security vulnerability has been discovered in many popular Linux distributions. The “Ghost” vulnerability allows attackers to execute malicious code on servers that leverage the GNU C Library (glibc), which is one of the most common libraries used on Linux systems today.
    http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/

  6. As the world continues to move toward IPv6, security administrators are challenged not only with understanding this new protocol, but also with understanding the security risks associated with it. As with any new technology, IPv6 will require rethinking traditional security enforcement. For example, IPv6 extension headers and fragmentation can be used in some scenarios to evade access control lists (ACLs) in popular networking gear.
    http://www.insinuator.net/2015/01/evaluation-of-ipv6-capabilities-of-commercial-ipam-solutions/

  7. Earlier this month, Scott Charney, Microsoft Corporate Vice President for Trustworthy Computing, testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs about protecting America from cyberattacks. His talk focused primarily on the importance of information sharing and you can find his key points along with a link to his full testimony here.
    http://blogs.microsoft.com/cybertrust/2015/01/29/info-sharing-testimony/

  8. In an effort to mitigate Pass-the-Hash (PtH) and other types of credential theft, Microsoft released a script that allows administrators to reset the KRBTGT account password. The KRBTGT account is vitally important to the Kerberos authentication system, and an attacker who gains access to this account can easily access sensitive data in the organization.
    http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/

  9. To reduce malware detection false positives, Microsoft has partnered with VirusTotal, a popular online database used by antimalware and security researchers, to introduce a feature called “Trusted Source”. This feature identifies files that are known to be produced by a particular software vendor. If a file is uploaded to VirusTotal and it is a known Microsoft file, the report will now indicate this fact clearly.
    http://blogs.technet.com/b/mmpc/archive/2015/02/11/microsoft-steps-up-in-industry-efforts-on-mitigating-false-positives.aspx


6. WindowSecurity.com Articles of Interest

  1. Security: A Shared Responsibility – Part 1
  2. RSA SecurID – Voted WindowSecurity.com Reader’s Choice Award Winner – Authentication/Smart Cards
  3. Product Review – GFI WebMonitor 2015
  4. Security: A Shared Responsibility – Part 2
  5. Video: Configuring, Verifying, and Removing Active Directory Delegations (Part 3)

7. Windows Security Tip of the Month

The best way to improve password security is to enforce multifactor authentication (MFA). There are myriad solutions available to do this, including those that use hardware tokens or smartphone applications to generate a security token. One of my favorite MFA solutions is the Microsoft Azure Multi-Factor Authentication service. This cloud-based service allows you to integrate MFA into your applications quickly and easily. I like Azure MFA because it requires no software at all. Once it is configured, MFA users will receive a call on their phone (smart or otherwise!) after they log in to confirm their identity. Azure MFA also integrates with on-premises security devices like VPNs with the use of a software agent that runs on an internal Windows server. If you have a remote access solution and you’re not using MFA, be sure to have a look at Azure MFA soon.